This is an automated email from the ASF dual-hosted git repository.

rshah pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git

commit 877246e87ebc6105acf18a8396ad1c3cb2ba0e25
Author: Rima Shah <[email protected]>
AuthorDate: Wed Dec 20 16:30:30 2023 -0700

    Fixed job route permission (#7891)
    
    * Created clause to distinguish api versions < 5 when handling 403 in 
middleware wrappers
    
    * Removed required permission `DELIVERY-SERVICE:READ` from the job routes 
in v4 and v5.
    
    ---------
    
    Co-authored-by: Michie, Kurtis <[email protected]>
    (cherry picked from commit c0ebe87ad90c2ba2a215f4c47d9b1080c2a59e5e)
---
 CHANGELOG.md                                                 |  3 ++-
 .../traffic_ops_golang/routing/middleware/wrappers.go        |  8 +++++---
 traffic_ops/traffic_ops_golang/routing/routes.go             | 12 ++++++------
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd745c9daa..a6d646034c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,6 @@ The format is based on [Keep a 
Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - [#7846](https://github.com/apache/trafficcontrol/pull/7846) *Traffic Portal* 
Increase State character limit
-- [#7887](https://github.com/apache/trafficcontrol/pull/7887) *Traffic Ops* 
Limit Delivery Services returned for GET /servers/{id}/deliveryservices to ones 
in the same CDN
 
 ## [8.0.0] - 2023-09-20
 ### Added
@@ -98,7 +97,9 @@ The format is based on [Keep a 
Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7814](https://github.com/apache/trafficcontrol/issues/7814) All Go 
components: Updated the module path to 
[`github.com/apache/trafficcontrol/v8`](https://pkg.go.dev/github.com/apache/trafficcontrol/v8).
 Module https://pkg.go.dev/github.com/apache/trafficcontrol will not receive 
further updates.
 
 ### Fixed
+- [#7891](https://github.com/apache/trafficcontrol/pull/7891) *Traffic Ops*: 
Created clause to distinguish api versions < 5 when handling 403 in middleware 
wrappers and updated job routes for v4 and v5
 - [#7890](https://github.com/apache/trafficcontrol/pull/7890) *Traffic Ops*: 
Fixed missing changelog entries to v5 routes.
+- [#7887](https://github.com/apache/trafficcontrol/pull/7887) *Traffic Ops*: 
Limit Delivery Services returned for GET /servers/{id}/deliveryservices to ones 
in the same CDN
 - [#7885](https://github.com/apache/trafficcontrol/pull/7885) *Traffic 
Portal*: Fixed the issue where Compare Profiles page was not being displayed.
 - [#7879](https://github.com/apache/trafficcontrol/7879) *Traffic Ops, Traffic 
Portal*: Fixed broken capability links for delivery service and added required 
capability as a column in DS table.
 - [#7878](https://github.com/apache/trafficcontrol/pull/7878) *Traffic Ops, 
Traffic Portal*: Fixed the case where TO was failing to assign delivery 
services to a server, due to a bug in the way the list of preexisting delivery 
services was being returned.
diff --git a/traffic_ops/traffic_ops_golang/routing/middleware/wrappers.go 
b/traffic_ops/traffic_ops_golang/routing/middleware/wrappers.go
index 4785916036..6f1fc71c1c 100644
--- a/traffic_ops/traffic_ops_golang/routing/middleware/wrappers.go
+++ b/traffic_ops/traffic_ops_golang/routing/middleware/wrappers.go
@@ -120,9 +120,11 @@ func (a AuthBase) GetWrapper(privLevelRequired int) 
Middleware {
                                        return
                                }
                        } else {
-                               if !cfg.RoleBasedPermissions && user.PrivLevel 
< privLevelRequired {
-                                       api.HandleErr(w, r, nil, 
http.StatusForbidden, errors.New("Forbidden."), nil)
-                                       return
+                               if v.Major < 5 {
+                                       if !cfg.RoleBasedPermissions && 
user.PrivLevel < privLevelRequired {
+                                               api.HandleErr(w, r, nil, 
http.StatusForbidden, errors.New("Forbidden."), nil)
+                                               return
+                                       }
                                }
                        }
                        api.AddUserToReq(r, user)
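Review bot: The new `v.Major < 5` guard makes this `else` branch fail open for API v5 and later: a request that reaches it skips the `user.PrivLevel < privLevelRequired` check and goes straight on to `api.AddUserToReq`. That is only safe if the `if` branch above, which starts outside the hunk, sends every v5 request through the permission check. A comment stating the invariant would make that reviewable, e.g. `// API v5+ is authorized solely by RequiredPermissions in the branch above; PrivLevel applies only to API < 5`. The two nested conditions can also be merged into `if v.Major < 5 && !cfg.RoleBasedPermissions && user.PrivLevel < privLevelRequired {`.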
diff --git a/traffic_ops/traffic_ops_golang/routing/routes.go 
b/traffic_ops/traffic_ops_golang/routing/routes.go
index 6dfbbfd2c8..548c16b548 100644
--- a/traffic_ops/traffic_ops_golang/routing/routes.go
+++ b/traffic_ops/traffic_ops_golang/routing/routes.go
@@ -224,9 +224,9 @@ func Routes(d ServerData) ([]Route, http.Handler, error) {
 
                //Content invalidation jobs
                {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodGet, Path: `jobs/?$`, Handler: 
api.ReadHandler(&invalidationjobs.InvalidationJobV4{}), RequiredPrivLevel: 
auth.PrivLevelReadOnly, RequiredPermissions: []string{"JOB:READ", 
"DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 
496678204131},
-               {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:UPDATE", 
"DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 
41678077631},
-               {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:UPDATE", "DELIVERY-SERVICE:UPDATE", "JOB:READ", 
"DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 
48613422631},
-               {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ", 
"DELIVERY-SERVICE:UPDATE"}, Authenticated: Authenticated, Middlewares: nil, ID: 
4045095531},
+               {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: 
Authenticated, Middlewares: nil, ID: 41678077631},
+               {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:UPDATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: 
Authenticated, Middlewares: nil, ID: 48613422631},
+               {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: 
Authenticated, Middlewares: nil, ID: 4045095531},
 
                //Login
                {Version: api.Version{Major: 5, Minor: 0}, Method: 
http.MethodPost, Path: `user/login/?$`, Handler: login.LoginHandler(d.DB, 
d.Config), RequiredPrivLevel: auth.PrivLevelUnauthenticated, 
RequiredPermissions: nil, Authenticated: NoAuth, Middlewares: nil, ID: 
439267082131},
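Review bot: The commit description says `DELIVERY-SERVICE:READ` was removed, but the new DELETE, PUT and POST `jobs` entries drop `DELIVERY-SERVICE:UPDATE` and keep `DELIVERY-SERVICE:READ`; the same applies to the API v4 entries in the next hunk. These routes create, modify and delete content invalidation jobs, so after this change a role holding only the `JOB:*` permissions and `DELIVERY-SERVICE:READ` reaches the handlers. Any per-delivery-service or tenancy check therefore has to live in `invalidationjobs.CreateV40`, `UpdateV40` and `DeleteV40`, which are not visible here. If that is where it is enforced, a comment above the block should record it, e.g. `// job mutations no longer require DELIVERY-SERVICE:UPDATE; DS-level authorization is enforced in the handlers`. The `Routes` slice literal begins and ends outside the hunk.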
@@ -629,9 +629,9 @@ func Routes(d ServerData) ([]Route, http.Handler, error) {
 
                //Content invalidation jobs
                {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodGet, Path: `jobs/?$`, Handler: 
api.ReadHandler(&invalidationjobs.InvalidationJobV4{}), RequiredPrivLevel: 
auth.PrivLevelReadOnly, RequiredPermissions: []string{"JOB:READ", 
"DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 
49667820413},
-               {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:UPDATE", 
"DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 
4167807763},
-               {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:UPDATE", "DELIVERY-SERVICE:UPDATE", "JOB:READ", 
"DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 
4861342263},
-               {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ", 
"DELIVERY-SERVICE:UPDATE"}, Authenticated: Authenticated, Middlewares: nil, ID: 
404509553},
+               {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: 
Authenticated, Middlewares: nil, ID: 4167807763},
+               {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:UPDATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: 
Authenticated, Middlewares: nil, ID: 4861342263},
+               {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, 
RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: 
[]string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: 
Authenticated, Middlewares: nil, ID: 404509553},
 
                //Login
                {Version: api.Version{Major: 4, Minor: 0}, Method: 
http.MethodPost, Path: `user/login/?$`, Handler: login.LoginHandler(d.DB, 
d.Config), RequiredPrivLevel: auth.PrivLevelUnauthenticated, 
RequiredPermissions: nil, Authenticated: NoAuth, Middlewares: nil, ID: 
43926708213},
