From 0cac1cbe2fa8cba071cdee3a00caa8bf57d9e9a6 Mon Sep 17 00:00:00 2001
From: Aaron Sheffield <ajs@sheffieldfamily.net>
Date: Tue, 13 Nov 2018 10:04:10 -0600
Subject: [PATCH] Updates cleartext-secrets RBAC Permissions

- Adds an RBAC check when returning raw configdocs.

Change-Id: Ia4967ba4e1dfc49d44a3914cfa151177a49c3799
---
 charts/shipyard/values.yaml                        |  3 ++-
 doc/source/CLI.rst                                 | 12 ++++++++----
 .../control/configdocs/configdocs_api.py           |  5 +++++
 .../shipyard_airflow/shipyard_airflow/policy.py    | 14 +++++++++++++-
 4 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 60233b13..5a7ac1d7 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -368,9 +368,10 @@ conf:
     workflow_orchestrator:get_configdocs_status: rule:admin_read_access
     workflow_orchestrator:create_configdocs: rule:admin_create
     workflow_orchestrator:get_configdocs: rule:admin_read_access
+    workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
     workflow_orchestrator:commit_configdocs: rule:admin_create
     workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
-    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
+    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
     workflow_orchestrator:list_workflows: rule:admin_read_access
     workflow_orchestrator:get_workflow: rule:admin_read_access
     workflow_orchestrator:get_notedetails: rule:admin_read_access
diff --git a/doc/source/CLI.rst b/doc/source/CLI.rst
index bca045f9..57807fb1 100644
--- a/doc/source/CLI.rst
+++ b/doc/source/CLI.rst
@@ -677,8 +677,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
   collection, this will return an empty response (default)
 
 \--cleartext-secrets
-  Returns cleartext secrets in encrypted documents, otherwise those values
-  are redacted. Only impacts returned documents, not lists of documents.
+  Returns secrets as cleartext for encrypted documents if the user has the
+  appropriate permissions in the target environment.  If the user does not
+  have the appropriate permissions and sets this flag to true an error is
+  returned.  Only impacts returned documents, not lists of documents.
 
 Sample
 ^^^^^^
@@ -745,8 +747,10 @@ applying Deckhand layering and substitution.
   prior commit. (default)
 
 \--cleartext-secrets
-  Returns secrets as cleartext for encrypted documents if the user has the appropriate
-  permissions in the target environment.
+  Returns secrets as cleartext for encrypted documents if the user has the
+  appropriate permissions in the target environment.  If the user does not
+  have the appropriate permissions and sets this flag to true an error is
+  returned.
 
 Sample
 ^^^^^^
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
index 2b2f61e5..2014aac9 100644
--- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
@@ -101,6 +101,11 @@ class ConfigDocsResource(BaseResource):
         cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
         self._validate_version_parameter(version)
         helper = ConfigdocsHelper(req.context)
+
+        # Check access to cleartext_secrets
+        if cleartext_secrets:
+            policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
+
         # Not reformatting to JSON or YAML since just passing through
         resp.body = self.get_collection(
             helper=helper, collection_id=collection_id, version=version,
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/policy.py b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
index fe506c3c..4b8bc429 100644
--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
 GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
 CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
 GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
+GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
 COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
 GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
 GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext'  # noqa
@@ -162,7 +163,18 @@ class ShipyardPolicy(object):
         policy.DocumentedRuleDefault(
             GET_CONFIGDOCS,
             RULE_ADMIN_REQUIRED,
-            'Retrieve a collection of configuration documents',
+            ('Retrieve a collection of configuration documents with redacted '
+             'secrets'),
+            [{
+                'path': '/api/v1.0/configdocs/{collection_id}',
+                'method': 'GET'
+            }]
+        ),
+        policy.DocumentedRuleDefault(
+            GET_CONFIGDOCS_CLRTXT,
+            RULE_ADMIN_REQUIRED,
+            ('Retrieve a collection of configuration documents with cleartext '
+             'secrets.'),
             [{
                 'path': '/api/v1.0/configdocs/{collection_id}',
                 'method': 'GET'