This is an automated email from the ASF dual-hosted git repository.
dewrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-trafficcontrol.git
commit b68d335ae57e10c44d165e9847d1a5b2dff67129
Author: Jeremy Mitchell <mitchell...@gmail.com>
AuthorDate: Fri Feb 2 08:28:21 2018 -0700
loosens permissions on ds ssl key management. relies on tenancy.
---
traffic_ops/app/lib/API/DeliveryService/SslKeys.pm | 67 +++++++++++-----------
traffic_ops/app/lib/UI/Utils.pm | 8 +++
2 files changed, 42 insertions(+), 33 deletions(-)
diff --git a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
index 716a3f5..d2d494a 100644
--- a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
+++ b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
@@ -38,8 +38,8 @@ sub add {
my $cdn = $self->req->json->{cdn};
my $deliveryservice = $self->req->json->{deliveryservice};
- if ( !&is_admin($self) ) {
- return $self->alert( { Error => " - You must be an ADMIN to
perform this operation!" } );
+ if ( !&is_portal($self) ) {
+ return $self->forbidden();
}
my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id =>
$deliveryservice })->single();
@@ -92,9 +92,10 @@ sub generate {
my $deliveryservice = $self->req->json->{deliveryservice};
my $tmp_location = "/var/tmp";
- if ( !&is_admin($self) ) {
- return $self->alert( { Error => " - You must be an ADMIN to
perform this operation!" } );
+ if ( !&is_portal($self) ) {
+ return $self->forbidden();
}
+
if (defined($deliveryservice)) {
my $ds = $self->db->resultset('Deliveryservice')->search( {
xml_id => $deliveryservice })->single();
if (!$ds) {
@@ -142,42 +143,42 @@ sub view_by_xml_id {
$decode = 0;
}
- if ( !&is_admin($self) ) {
- return $self->alert( { Error => " - You must be an ADMIN to
perform this operation!" } );
+ if ( !$version ) {
+ $version = 'latest';
}
- else {
- if ( !$version ) {
- $version = 'latest';
- }
- my $key = "$xml_id-$version";
- my $ds = $self->db->resultset('Deliveryservice')->search( {
xml_id => $xml_id })->single();
- if (!$ds) {
- return $self->alert( { Error => " - Could not found
delivery service with xml_id=$xml_id!" } );
- }
- my $tenant_utils = Utils::Tenant->new($self);
- my $tenants_data = $tenant_utils->create_tenants_data_from_db();
- if (!$tenant_utils->is_ds_resource_accessible($tenants_data,
$ds->tenant_id)) {
- return $self->forbidden("Forbidden. Delivery-service
tenant is not available to the user.");
- }
- my $response_container = $self->riak_get( "ssl", $key );
- my $response = $response_container->{"response"};
+ if ( !&is_portal($self) ) {
+ return $self->forbidden();
+ }
- if ( $response->is_success() ){
- my $toSend = decode_json( $response->content );
+ my $key = "$xml_id-$version";
+ my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id =>
$xml_id })->single();
+ if (!$ds) {
+ return $self->not_found();
+ }
+ my $tenant_utils = Utils::Tenant->new($self);
+ my $tenants_data = $tenant_utils->create_tenants_data_from_db();
+ if (!$tenant_utils->is_ds_resource_accessible($tenants_data,
$ds->tenant_id)) {
+ return $self->forbidden("Forbidden. Delivery-service tenant is
not available to the user.");
+ }
+ my $response_container = $self->riak_get( "ssl", $key );
+ my $response = $response_container->{"response"};
- if ( $decode ){
- $toSend->{certificate}->{csr} =
decode_base64($toSend->{certificate}->{csr});
- $toSend->{certificate}->{crt} =
decode_base64($toSend->{certificate}->{crt});
- $toSend->{certificate}->{key} =
decode_base64($toSend->{certificate}->{key});
- }
-
- $self->success( $toSend )
+ if ( $response->is_success() ){
+ my $toSend = decode_json( $response->content );
- } else {
- $self->success({}, " - A record for ssl key $key could
not be found. ");
+ if ( $decode ){
+ $toSend->{certificate}->{csr} =
decode_base64($toSend->{certificate}->{csr});
+ $toSend->{certificate}->{crt} =
decode_base64($toSend->{certificate}->{crt});
+ $toSend->{certificate}->{key} =
decode_base64($toSend->{certificate}->{key});
}
+
+
+ $self->success( $toSend )
+
+ } else {
+ $self->success({}, " - A record for ssl key $key could not be
found. ");
}
}
diff --git a/traffic_ops/app/lib/UI/Utils.pm b/traffic_ops/app/lib/UI/Utils.pm
index 30fff2c..4170abb 100644
--- a/traffic_ops/app/lib/UI/Utils.pm
+++ b/traffic_ops/app/lib/UI/Utils.pm
@@ -36,6 +36,7 @@ our @ISA = qw(Exporter);
use constant READ => 10;
use constant FEDERATION => 15;
+use constant PORTAL => 15;
use constant OPER => 20;
use constant ADMIN => 30;
@@ -253,6 +254,13 @@ sub is_admin() {
return &has_priv( $self, ADMIN );
}
+sub is_portal() {
+ my $self = shift;
+
+ return &has_priv( $self, PORTAL );
+}
+
+
# returns true if the user is logged in via LDAP.
sub is_ldap() {
my $self = shift;
--
To stop receiving notification emails like this one, please contact
dewr...@apache.org.
