This PR was created byGitStart to address the requirements from this ticket:FUZ-22.
Description:
This PR adds tool-specific segmentation to users to enhance security in FuzzManager. Currently, API tokens (and thus users given the 1:1 mapping) have unrestricted access across all tools, creating potential security risks if compromised.
The changes:
- Restrict users to specific tools
- Add Django commandsadd_tool_to_user andremove_tool_from_user for user-tool management
- Implement user restrictions based on tool access
- Prevent unauthorized tool access
This segmentation limits the impact of potential token leaks and provides better access control for crash/coverage reporting.
Demo
https://www.loom.com/share/bcde5c97bec54761a8a11b0f72a54850?sid=0b52a794-a0ad-478b-af24-5c254827e80b
Test Plan
1.Assign Tool to User:
2.Verify User Restrictions:
Usecurl to submit crash reports using tokens from the user for the assigned tool.
Example:
curl -H "Authorization: Token <token_string>" -X POST http://<server>/api/crashes/ -d '{"tool": "<tool_name>", "crash_data": "..." }'
Attempt to submit a crash report for a toolnot assigned to the user and verify that the request is denied with an appropriate error message.
3.Ensure User Restrictions:
Verify that the user is marked as restricted after they are assigned a tool.
Check that restricted users can only submit crash/coverage report for their assigned tools.
Attempt to access data for tools outside the user's permissions and confirm access is denied.
4.Tool Assignment:
Additional Notes:
As part of implementing the tool segmentation security feature, the test suite has been updated to correctly reflect the new security model. In particular:
- Test fixtures were added to properly assign tools to restricted users before testing
- Previously, the tests assumed restricted users could report crashes for any tool, which contradicted the new security model
- The updated tests now correctly verify that restricted users can only report crashes for tools they have permission to use
This change ensures that our tests accurately validate the security constraints we're implementing, confirming that unauthorized tool access is properly prevented.
Uh oh!
There was an error while loading.Please reload this page.
This PR was created byGitStart to address the requirements from this ticket:FUZ-22.
Description:
This PR adds tool-specific segmentation to users to enhance security in FuzzManager. Currently, API tokens (and thus users given the 1:1 mapping) have unrestricted access across all tools, creating potential security risks if compromised.
The changes:
- Restrict users to specific tools
- Add Django commands
add_tool_to_userandremove_tool_from_userfor user-tool management- Implement user restrictions based on tool access
- Prevent unauthorized tool access
This segmentation limits the impact of potential token leaks and provides better access control for crash/coverage reporting.
Demo
https://www.loom.com/share/bcde5c97bec54761a8a11b0f72a54850?sid=0b52a794-a0ad-478b-af24-5c254827e80b
Test Plan
1.Assign Tool to User:
Run the
add_tool_to_usermanagement command to assign a specific tool to a user.Example:
python manage.py add_tool_to_user <username> <tool_name>2.Verify User Restrictions:
Use
curlto submit crash reports using tokens from the user for the assigned tool.Example:
curl -H "Authorization: Token <token_string>" -X POST http://<server>/api/crashes/ -d '{"tool": "<tool_name>", "crash_data": "..." }'Attempt to submit a crash report for a toolnot assigned to the user and verify that the request is denied with an appropriate error message.
Example:
curl -H "Authorization: Token <token_string>" -X POST http://<server>/api/crashes/ -d '{"tool": "unauthorized_tool", "crash_data": "..." }'Expected Response:
403 Forbiddenwith a message indicating lack of permission.3.Ensure User Restrictions:
Verify that the user is marked as restricted after they are assigned a tool.
Check that restricted users can only submit crash/coverage report for their assigned tools.
Attempt to access data for tools outside the user's permissions and confirm access is denied.
4.Tool Assignment:
Use management command below to add tool to user:
python manage.py add_tool_to_user <username> <tool_name>Use management command below to remove tool from user:
python manage.py remove_tool_from_user <username> <tool_name>Additional Notes:
As part of implementing the tool segmentation security feature, the test suite has been updated to correctly reflect the new security model. In particular:
- Test fixtures were added to properly assign tools to restricted users before testing
- Previously, the tests assumed restricted users could report crashes for any tool, which contradicted the new security model
- The updated tests now correctly verify that restricted users can only report crashes for tools they have permission to use
This change ensures that our tests accurately validate the security constraints we're implementing, confirming that unauthorized tool access is properly prevented.