GuestToken and dashboard embed access check failure, causing 403 HTTP responses #30043

Closed
hao-zhuventures opened this issue Aug 28, 2024 · 2 comments · Fixed by #30042
Labels
authentication Related to authentication dashboard Namespace | Anything related to the Dashboard

Comments

@hao-zhuventures (Contributor)

Bug description

When the security manager tries to use the guest_token claims (parsed here) to check for dashboard access permissions (here), an incorrect result is returned because of the Enum type:

>>> 'dashboard' == GuestTokenResourceType.DASHBOARD
False

How to reproduce the bug

Abbreviated steps, as I believe it's been root-caused:

  1. set up a dashboard for embedding
  2. when the embedded dashboard is loading within the iFrame, watch for 403 HTTP errors:
  • JWT token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoiZW1iZWQiLCJmaXJzdF9uYW1lIjoiU3VwZXJzZXQiLCJsYXN0X25hbWUiOiJBZG1pbiJ9LCJyZXNvdXJjZXMiOlt7InR5cGUiOiJkYXNoYm9hcmQiLCJpZCI6IjkifV0sInJsc19ydWxlcyI6W10sImlhdCI6MTcyNDg3NDYxMi4xNTA5OCwiZXhwIjoxNzI0ODc0OTEyLjE1MDk4LCJhdWQiOiJodHRwOi8vc3VwZXJzZXQ6ODA4OC8iLCJ0eXBlIjoiZ3Vlc3QifQ.5YcCi9vqQDGOsh6M2XCzf8R67GkvJl4BBfb4uMwvJug

Screenshots/recordings

No response

Superset version

master / latest-dev

Python version

3.10

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • I have searched Superset docs and Slack and didn't find a solution to my problem.
  • I have searched the GitHub issue tracker and didn't find a similar bug report.
  • I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

dosubot bot commented Aug 28, 2024

Hey @hao-zhuventures! I'm here to help with your Superset issue. I can assist with bugs, questions, and becoming a contributor. Let's tackle this together while we wait for a human maintainer.

I found a similar open issue that might be relevant to your problem: Superset Login Redirect After Guest Token Usage in Angular Iframe. This issue discusses handling guest tokens and preventing redirection to the login page. The suggested solution involves ensuring the guest token is correctly set up and handled, including refreshing the guest token periodically and setting up the guest client properly.

To address the specific issue you're encountering with the GuestTokenResourceType Enum causing 403 HTTP responses, you need to ensure that the comparison between the resource type in the token and the GuestTokenResourceType Enum is done correctly. The issue arises because the comparison between a string and an Enum type returns False.

Here's a potential fix for the issue:

  1. Update the Comparison Logic: Modify the comparison logic to compare the string value of the Enum type.
for resource in resources:
    if resource["type"] == GuestTokenResourceType.DASHBOARD.value:
        # TODO (embedded): remove this check once uuids are rolled out
        dashboard = Dashboard.get(str(resource["id"]))
        if not dashboard:
            embedded = EmbeddedDashboardDAO.find_by_id(str(resource["id"]))
            if not embedded:
                raise EmbeddedDashboardNotFoundError()

By using GuestTokenResourceType.DASHBOARD.value, you ensure that the comparison is made between two strings, which should return True if they match.

Additionally, ensure that the guest token contains the necessary claims and is correctly parsed and validated. The get_guest_user_from_request method checks for the presence of a guest token in the request and validates its claims. If any required claim is missing or invalid, it will result in a 403 error.

Here is the relevant code snippet for reference:

def get_guest_user_from_request(self, req: Request) -> Optional[GuestUser]:
    raw_token = req.headers.get(
        current_app.config["GUEST_TOKEN_HEADER_NAME"]
    ) or req.form.get("guest_token")
    if raw_token is None:
        return None
    try:
        token = self.parse_jwt_guest_token(raw_token)
        if token.get("user") is None:
            raise ValueError("Guest token does not contain a user claim")
        if token.get("resources") is None:
            raise ValueError("Guest token does not contain a resources claim")
        if token.get("rls_rules") is None:
            raise ValueError("Guest token does not contain an rls_rules claim")
        if token.get("type") != "guest":
            raise ValueError("This is not a guest token.")
    except Exception:
        logger.warning("Invalid guest token", exc_info=True)
        return None

    return self.get_guest_user_from_token(cast(GuestToken, token))

Ensure that the guest token includes the user, resources, rls_rules, and type claims. If any of these claims are missing, the token will be considered invalid, resulting in a 403 error [1].

By addressing the comparison logic and ensuring the guest token is correctly formed and validated, you should be able to resolve the 403 HTTP response issue.

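The comparison failure from the bug description and the `.value` fix suggested in the comment above, as an added example that is not part of this issue thread or of Superset's code base. The two enum classes, the `dashboard_ids_*` helpers and `can_access_dashboard` are stand-ins written for this example; the token is the one pasted in the report (long expired), and it is decoded here without any signature, audience or expiry verification purely to show that its `resources[].type` claim arrives as a plain string:

```python
"""Guest-token dashboard check: plain Enum vs string claim (added example)."""
import base64
import json
from enum import Enum
from typing import Callable, Iterable


# Stand-ins for GuestTokenResourceType written for this example (not Superset's
# class). The plain Enum is the shape that produces the bug; the str-mixin
# variant compares equal to its own string value.
class PlainResourceType(Enum):
    DASHBOARD = "dashboard"


class StrResourceType(str, Enum):
    DASHBOARD = "dashboard"


# The JWT pasted in the bug report above. It expired in August 2024 and is used
# here only to show the shape of its claims; its signature is NOT verified.
ISSUE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VyIjp7InVzZXJuYW1lIjoiZW1iZWQiLCJmaXJzdF9uYW1lIjoi"
    "U3VwZXJzZXQiLCJsYXN0X25hbWUiOiJBZG1pbiJ9LCJyZXNvdXJjZXMiOlt7"
    "InR5cGUiOiJkYXNoYm9hcmQiLCJpZCI6IjkifV0sInJsc19ydWxlcyI6W10s"
    "ImlhdCI6MTcyNDg3NDYxMi4xNTA5OCwiZXhwIjoxNzI0ODc0OTEyLjE1MDk4"
    "LCJhdWQiOiJodHRwOi8vc3VwZXJzZXQ6ODA4OC8iLCJ0eXBlIjoiZ3Vlc3QifQ."
    "5YcCi9vqQDGOsh6M2XCzf8R67GkvJl4BBfb4uMwvJug"
)

REQUIRED_CLAIMS = ("user", "resources", "rls_rules", "type")


def decode_jwt_claims_unverified(token: str) -> dict:
    """Base64url-decode the payload segment of a compact JWT.

    Inspection only: no signature, audience or expiry check is done, so a
    value returned here must never drive an access decision on its own.
    """
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def validate_guest_claims(token: dict) -> None:
    """Same claim checks as get_guest_user_from_request quoted above; raises
    ValueError, which the caller turns into 'no guest user' and hence a 403."""
    for claim in REQUIRED_CLAIMS:
        if token.get(claim) is None:
            raise ValueError(f"Guest token does not contain a {claim} claim")
    if token.get("type") != "guest":
        raise ValueError("This is not a guest token.")


def _ids_matching(resources: Iterable[dict], wanted) -> set:
    return {str(r["id"]) for r in resources if r["type"] == wanted}


def dashboard_ids_buggy(token: dict) -> set:
    """'dashboard' == PlainResourceType.DASHBOARD is False, so nothing matches."""
    return _ids_matching(token["resources"], PlainResourceType.DASHBOARD)


def dashboard_ids_fixed(token: dict) -> set:
    """Compare against the enum's .value, i.e. str against str."""
    return _ids_matching(token["resources"], PlainResourceType.DASHBOARD.value)


def dashboard_ids_str_enum(token: dict) -> set:
    """Alternative: a (str, Enum) member is itself a str, so == works directly."""
    return _ids_matching(token["resources"], StrResourceType.DASHBOARD)


def can_access_dashboard(token: dict, dashboard_id,
                         ids_for: Callable[[dict], set]) -> bool:
    """Validate required claims, then grant only if the id is in the token."""
    validate_guest_claims(token)
    return str(dashboard_id) in ids_for(token)


if __name__ == "__main__":
    claims = decode_jwt_claims_unverified(ISSUE_TOKEN)
    print("resources claim:", claims["resources"])
    for name, fn in (("plain Enum", dashboard_ids_buggy),
                     ("Enum.value", dashboard_ids_fixed),
                     ("str Enum", dashboard_ids_str_enum)):
        print(f"{name:>10}: dashboard 9 allowed = {can_access_dashboard(claims, 9, fn)}")
```

Run directly, the plain-Enum variant denies dashboard 9 even though the token names it, which is the 403 in the report, while both string-based comparisons grant it. Whichever form a fix settles on, pinning the behaviour with a test on a real claims dict (as the assertions here do) keeps a later change of the enum's base class from silently reintroducing the denial.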

@dosubot dosubot bot added authentication Related to authentication dashboard Namespace | Anything related to the Dashboard labels Aug 28, 2024
@hao-zhuventures (Contributor, Author)

attempt to fix it here: #30042
