bito-code-review[bot] commented on code in PR #40671:
URL: https://github.com/apache/superset/pull/40671#discussion_r3383925420
##########
superset/security/manager.py:
##########
@@ -3673,6 +3692,8 @@ def get_guest_user_from_request(self, req: Request) ->
Optional[GuestUser]:
raise ValueError("Guest token does not contain an rls_rules
claim")
if token.get("type") != "guest":
raise ValueError("This is not a guest token.")
+ if self._is_guest_token_revoked(token):
+ raise ValueError("This guest token has been revoked.")
except Exception: # pylint: disable=broad-except
# The login manager will handle sending 401s.
# We don't need to send a special error message.
Review Comment:
<!-- Bito Reply -->
The added test case appropriately addresses the concern regarding
integration-level coverage for the revocation flow. By exercising the full
request-to-revocation path, it verifies that the system correctly rejects
revoked tokens while maintaining the requested unit-level testing structure.
##########
superset/cli/guest_token.py:
##########
@@ -0,0 +1,54 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+import logging
+
+import click
+from flask import current_app
+from flask.cli import with_appcontext
+
+logger = logging.getLogger(__name__)
+
+
[email protected]()
+@with_appcontext
+def revoke_guest_tokens() -> None:
+ """
+ Revoke all outstanding embedded guest tokens.
+
+ Bumps the guest-token revocation version stored in the metadata database,
+ which invalidates every guest token minted with a lower version. New tokens
+ minted after this command will carry the bumped version and remain valid.
+
+ Requires ``GUEST_TOKEN_REVOCATION_ENABLED = True``; otherwise the bumped
+ version is not enforced at validation time.
+ """
+ # pylint: disable=import-outside-toplevel
+ from superset.security.guest_token import
bump_guest_token_revocation_version
+
+ if not current_app.config["GUEST_TOKEN_REVOCATION_ENABLED"]:
+ click.secho(
+ "Warning: GUEST_TOKEN_REVOCATION_ENABLED is False. The version
will "
+ "be bumped but is NOT enforced at validation time until you enable
"
+ "the feature.",
+ fg="yellow",
+ )
+
+ new_version = bump_guest_token_revocation_version()
+ click.secho(
+ f"Revoked outstanding guest tokens. Revocation version is now
{new_version}.",
+ fg="green",
+ )
Review Comment:
<!-- Bito Reply -->
The addition of the CLI test module
`tests/unit_tests/cli/guest_token_test.py` is a positive step that addresses
the earlier review feedback regarding missing unit tests for the CLI command.
This module covers both the success path and the feature-disabled path,
ensuring the command behaves as expected in different configurations.
##########
superset/security/guest_token.py:
##########
@@ -14,13 +14,70 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
+import logging
from typing import Optional, TypedDict, Union
from flask_appbuilder.security.sqla.models import Group, Role
from flask_login import AnonymousUserMixin
from superset.utils.backports import StrEnum
+logger = logging.getLogger(__name__)
+
+# JWT claim that carries the revocation version a token was minted with.
+GUEST_TOKEN_REVOCATION_CLAIM = "rev" # noqa: S105
+
+# Tokens minted before the revocation feature existed carry no version claim.
+# They are treated as version 0, which is only rejected once an admin has
+# explicitly bumped the expected version above 0.
+DEFAULT_GUEST_TOKEN_REVOCATION_VERSION = 0
+
+
+def get_current_guest_token_revocation_version() -> int:
+ """
+ Return the minimum guest-token revocation version accepted at validation
time.
+
+ The value is stored in the metadata database via the ``key_value`` store
so it
+ can be bumped at runtime (e.g. via the ``revoke-guest-tokens`` CLI command)
+ without a code deploy. A missing entry means revocation has never been
+ triggered, so the default version is returned.
+ """
+ # pylint: disable=import-outside-toplevel
+ from superset.key_value.shared_entries import get_shared_value
+ from superset.key_value.types import SharedKey
+
+ try:
+ value = get_shared_value(SharedKey.GUEST_TOKEN_REVOCATION_VERSION)
+ except Exception: # pylint: disable=broad-except
Review Comment:
<!-- Bito Reply -->
The addition of these tests is a positive step, as they verify the fallback
behavior of the `get_current_guest_token_revocation_version` function. By
explicitly testing both the exception-handling path and the malformed-value
path, you ensure that the system behaves predictably when the metadata store is
unreachable or returns unexpected data. This effectively addresses the concern
regarding untested exception branches in the revocation logic.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
