Repository: incubator-trafficcontrol Updated Branches: refs/heads/2.1.x a581e82a6 -> bad7062d2
ssl_keys - tenancy checks (cherry picked from commit 01452c99a0fc4d459742a67bad3bab9f20fcf4e6) Project: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/commit/4350faf9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/tree/4350faf9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/diff/4350faf9 Branch: refs/heads/2.1.x Commit: 4350faf99e5df17bc29ec3807885f3ec02ffbe48 Parents: a581e82 Author: nir-sopher <n...@qwilt.com> Authored: Sun Aug 13 19:01:38 2017 +0300 Committer: hbeatty <hbea...@users.noreply.github.com> Committed: Fri Aug 18 14:34:18 2017 -0400 ---------------------------------------------------------------------- .../app/lib/API/DeliveryService/SslKeys.pm | 88 ++++++++++++++++---- .../app/t/api/1.1/deliveryservice/ssl_keys.t | 10 +++ 2 files changed, 84 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/4350faf9/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm ---------------------------------------------------------------------- diff --git a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm index 2c5adb6..8550a41 100644 --- a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm +++ b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm @@ -18,6 +18,7 @@ package API::DeliveryService::SslKeys; # JvD Note: you always want to put Utils as the first use. Sh*t don't work if it's after the Mojo lines. use UI::Utils; +use Utils::Tenant; use Mojo::Base 'Mojolicious::Controller'; use MojoPlugins::Response; use JSON; @@ -40,6 +41,17 @@ sub add { if ( !&is_admin($self) ) { return $self->alert( { Error => " - You must be an ADMIN to perform this operation!" } ); } + + my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $deliveryservice })->single(); + if (!$ds) { + return $self->not_found("Could not found delivery service with xml_id=$deliveryservice" ); + } + my $tenant_utils = Utils::Tenant->new($self); + my $tenants_data = $tenant_utils->create_tenants_data_from_db(); + if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $ds->tenant_id)) { + return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user."); + } + my $record = { key => $key, version => $version, @@ -83,6 +95,17 @@ sub generate { if ( !&is_admin($self) ) { return $self->alert( { Error => " - You must be an ADMIN to perform this operation!" } ); } + if (defined($deliveryservice)) { + my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $deliveryservice })->single(); + if (!$ds) { + return $self->not_found("Could not found delivery service with xml_id=$deliveryservice" ); + } + my $tenant_utils = Utils::Tenant->new($self); + my $tenants_data = $tenant_utils->create_tenants_data_from_db(); + if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $ds->tenant_id)) { + return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user."); + } + } #generate the cert: my $record = { @@ -111,7 +134,7 @@ sub generate { sub view_by_xml_id { my $self = shift; - my $key = $self->param('xmlid'); + my $xml_id = $self->param('xmlid'); my $version = $self->param('version'); if ( !&is_admin($self) ) { return $self->alert( { Error => " - You must be an ADMIN to perform this operation!" } ); @@ -120,12 +143,28 @@ sub view_by_xml_id { if ( !$version ) { $version = 'latest'; } - $key = "$key-$version"; + my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $xml_id })->single(); + if (!$ds) { + return $self->alert( { Error => " - Could not found delivery service with xml_id=$xml_id!" } ); + } + my $tenant_utils = Utils::Tenant->new($self); + my $tenants_data = $tenant_utils->create_tenants_data_from_db(); + if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $ds->tenant_id)) { + return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user."); + } + my $ds_id = $ds->id; + my $key = "ds_$ds_id-$version"; my $response_container = $self->riak_get( "ssl", $key ); my $response = $response_container->{"response"}; - $response->is_success() - ? $self->success( decode_json( $response->content ) ) - : $self->alert( { Error => " - A record for ssl key $key could not be found. Response was: " . $response->content } ); + if ($response->is_success()) { + my $ssl_keys = decode_json( $response->content ); + $ssl_keys->{certificate}->{csr} = decode_base64($ssl_keys->{certificate}->{csr}), + $ssl_keys->{certificate}->{crt} = decode_base64($ssl_keys->{certificate}->{crt}), + $ssl_keys->{certificate}->{key} = decode_base64($ssl_keys->{certificate}->{key}), + $self->success( $ssl_keys ) + } else { + $self->alert( { Error => " - A record for ssl key $key could not be found. Response was: " . $response->content } ); + } } } @@ -160,24 +199,34 @@ sub view_by_hostname { if (!$ds) { return $self->alert( { Error => " - A delivery service does not exist for a host with hostanme of $key" } ); } - - my $xml_id = $ds->xml_id; + my $tenant_utils = Utils::Tenant->new($self); + my $tenants_data = $tenant_utils->create_tenants_data_from_db(); + if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $ds->tenant_id)) { + return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user."); + } + my $ds_id = $ds->id; if ( !$version ) { $version = 'latest'; } - $key = "$xml_id-$version"; + $key = "ds_$ds_id-$version"; my $response_container = $self->riak_get( "ssl", $key ); my $response = $response_container->{"response"}; - $response->is_success() - ? $self->success( decode_json( $response->content ) ) - : $self->alert( { Error => " - A record for ssl key $key could not be found. Response was: " . $response->content } ); + if ($response->is_success()) { + my $ssl_keys = decode_json( $response->content ); + $ssl_keys->{certificate}->{csr} = decode_base64($ssl_keys->{certificate}->{csr}), + $ssl_keys->{certificate}->{crt} = decode_base64($ssl_keys->{certificate}->{crt}), + $ssl_keys->{certificate}->{key} = decode_base64($ssl_keys->{certificate}->{key}), + $self->success( $ssl_keys ) + } else { + $self->alert( { Error => " - A record for ssl key $key could not be found. Response was: " . $response->content } ); + } } } sub delete { my $self = shift; - my $key = $self->param('xmlid'); + my $xml_id = $self->param('xmlid'); my $version = $self->param('version'); my $response_container; my $response; @@ -185,6 +234,17 @@ sub delete { return $self->alert( { Error => " - You must be an ADMIN to perform this operation!" } ); } else { + my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $xml_id })->single(); + if (!$ds) { + return $self->alert( { Error => " - Could not found delivery service with xml_id=$xml_id!" } ); + } + my $tenant_utils = Utils::Tenant->new($self); + my $tenants_data = $tenant_utils->create_tenants_data_from_db(); + if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $ds->tenant_id)) { + return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user."); + } + my $ds_id = $ds->id; + my $key = "ds_$ds_id"; if ($version) { $key = $key . "-" . $version; $self->app->log->info("deleting key_type = ssl, key = $key"); @@ -201,8 +261,8 @@ sub delete { # $self->app->log->info("delete rc = $rc"); if ( $response->is_success() ) { - &log( $self, "Deleted ssl keys for Delivery Service $key", "APICHANGE" ); - return $self->success("Successfully deleted ssl keys for $key"); + &log( $self, "Deleted ssl keys for Delivery Service $xml_id", "APICHANGE" ); + return $self->success("Successfully deleted ssl keys for $xml_id"); } else { return $self->alert( $response->content ); http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/4350faf9/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t ---------------------------------------------------------------------- diff --git a/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t b/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t index 3e94c35..5fb790a 100644 --- a/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t +++ b/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t @@ -153,6 +153,16 @@ ok $t->get_ok("/api/1.1/deliveryservices/hostname/$gen_hostname/sslkeys.json")-> ->json_is( "/response/version" => $version )->json_is( "/response/country" => $country )->json_is( "/response/hostname" => $hostname )->status_is(200) ->or( sub { diag $t->tx->res->content->asset->{content}; } ); + +#tenancy checks +#get_object +ok $t->get_ok("/api/1.1/deliveryservices/xmlId/test-ds1-root/sslkeys.json")->status_is(403) + ->json_has("Forbidden. Delivery-service tenant is not available to the user.!")->or( sub { diag $t->tx->res->content->asset->{content}; } ); + +#delete +ok $t->get_ok("/api/1.1/deliveryservices/xmlId/test-ds1-root/sslkeys/delete.json")->status_is(403) + ->json_has("Forbidden. Delivery-service tenant is not available to the user.!")->or( sub { diag $t->tx->res->content->asset->{content}; } ); + # #delete ssl key # #delete version ok $t->get_ok("/api/1.1/deliveryservices/xmlId/$key/sslkeys/delete.json?version=$version")