airship
/
shipyard
Code Issues Proposed changes

Updates cleartext-secrets RBAC Permissions 

- Adds an RBAC check when returning raw configdocs.

Change-Id: Ia4967ba4e1dfc49d44a3914cfa151177a49c3799
This commit is contained in:
Aaron Sheffield 2018-11-13 10:04:10 -06:00
parent 03d7269b6a
commit 0cac1cbe2f
4 changed files with 28 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
charts/shipyard/values.yaml
View File

@ -368,9 +368,10 @@ conf:
workflow_orchestrator:get_configdocs_status: rule:admin_read_access workflow_orchestrator:get_configdocs_status: rule:admin_read_access
workflow_orchestrator:create_configdocs: rule:admin_create workflow_orchestrator:create_configdocs: rule:admin_create
workflow_orchestrator:get_configdocs: rule:admin_read_access workflow_orchestrator:get_configdocs: rule:admin_read_access
workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
workflow_orchestrator:commit_configdocs: rule:admin_create workflow_orchestrator:commit_configdocs: rule:admin_create
workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
workflow_orchestrator:list_workflows: rule:admin_read_access workflow_orchestrator:list_workflows: rule:admin_read_access
workflow_orchestrator:get_workflow: rule:admin_read_access workflow_orchestrator:get_workflow: rule:admin_read_access
workflow_orchestrator:get_notedetails: rule:admin_read_access workflow_orchestrator:get_notedetails: rule:admin_read_access

12
doc/source/CLI.rst
View File

@ -677,8 +677,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
collection, this will return an empty response (default) collection, this will return an empty response (default)
\--cleartext-secrets \--cleartext-secrets
Returns cleartext secrets in encrypted documents, otherwise those values Returns secrets as cleartext for encrypted documents if the user has the
are redacted. Only impacts returned documents, not lists of documents. appropriate permissions in the target environment. If the user does not
have the appropriate permissions and sets this flag to true an error is
returned. Only impacts returned documents, not lists of documents.
Sample Sample
^^^^^^ ^^^^^^
@ -745,8 +747,10 @@ applying Deckhand layering and substitution.
prior commit. (default) prior commit. (default)
\--cleartext-secrets \--cleartext-secrets
Returns secrets as cleartext for encrypted documents if the user has the appropriate Returns secrets as cleartext for encrypted documents if the user has the
permissions in the target environment. appropriate permissions in the target environment. If the user does not
have the appropriate permissions and sets this flag to true an error is
returned.
Sample Sample
^^^^^^ ^^^^^^

5
src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
View File

@ -101,6 +101,11 @@ class ConfigDocsResource(BaseResource):
cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
self._validate_version_parameter(version) self._validate_version_parameter(version)
helper = ConfigdocsHelper(req.context) helper = ConfigdocsHelper(req.context)
# Check access to cleartext_secrets
if cleartext_secrets:
policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
# Not reformatting to JSON or YAML since just passing through # Not reformatting to JSON or YAML since just passing through
resp.body = self.get_collection( resp.body = self.get_collection(
helper=helper, collection_id=collection_id, version=version, helper=helper, collection_id=collection_id, version=version,

14
src/bin/shipyard_airflow/shipyard_airflow/policy.py
View File

@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status' GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs' CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs' GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs' COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs' GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext' # noqa GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext' # noqa
@ -162,7 +163,18 @@ class ShipyardPolicy(object):
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
GET_CONFIGDOCS, GET_CONFIGDOCS,
RULE_ADMIN_REQUIRED, RULE_ADMIN_REQUIRED,
'Retrieve a collection of configuration documents', ('Retrieve a collection of configuration documents with redacted '
'secrets'),
[{
'path': '/api/v1.0/configdocs/{collection_id}',
'method': 'GET'
}]
),
policy.DocumentedRuleDefault(
GET_CONFIGDOCS_CLRTXT,
RULE_ADMIN_REQUIRED,
('Retrieve a collection of configuration documents with cleartext '
'secrets.'),
[{ [{
'path': '/api/v1.0/configdocs/{collection_id}', 'path': '/api/v1.0/configdocs/{collection_id}',
'method': 'GET' 'method': 'GET'