-
Notifications
You must be signed in to change notification settings - Fork 0
[codex] fix notary audit scopes #179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3291,6 +3291,7 @@ pub(crate) fn pre_auth_audit_event( | |
| event_id: Ulid::new().to_string(), | ||
| occurred_at, | ||
| principal_id_hash: fields.principal_id_hash, | ||
| scopes_used: Vec::new(), | ||
| decision: decision.to_string(), | ||
| method: method.to_string(), | ||
| path: path.to_string(), | ||
|
|
@@ -4629,6 +4630,7 @@ fn build_audit_event( | |
| principal_id_hash: principal.map(|principal| { | ||
| Hashed::<PrincipalIdentifier>::from_hash(hasher.hash(&principal.principal_id)) | ||
| }), | ||
| scopes_used: principal.map_or_else(Vec::new, |principal| principal.scopes.clone()), | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
When a credential or OIDC token carries extra scopes beyond the one this route actually checks, this copies every granted scope into Useful? React with 👍 / 👎. |
||
| decision, | ||
| method: method.to_string(), | ||
| path: path.to_string(), | ||
|
|
@@ -7993,6 +7995,7 @@ credential_profiles: | |
| event_id: "01HX0000000000000000000000".to_string(), | ||
| occurred_at: "2026-05-22T00:00:00Z".to_string(), | ||
| principal_id_hash: Some(Hashed::from_hash("sha256:caseworker")), | ||
| scopes_used: vec!["registry_notary:admin".to_string()], | ||
| decision: "allowed".to_string(), | ||
| method: "GET".to_string(), | ||
| path: "/v1/claims".to_string(), | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For successful
/federation/v1/evaluationscalls, the handler builds anEvidencePrincipalfrompeer.config.source_scopesand uses those scopes to evaluate and return claim results, but this audit constructor always emits an emptyscopes_usedlist. That makes every successful federated evaluation look unscoped in the audit trail even though source scopes were exercised, undermining the required reconstruction of which permission authorized the claim result.Useful? React with 👍 / 👎.