[GitHub] [trafficcontrol] zrhoffman commented on a diff in pull request #7819: TO API v5 routes should not use priv levels anymore

via GitHub Wed, 27 Sep 2023 15:42:18 -0700


zrhoffman commented on code in PR #7819:
URL: https://github.com/apache/trafficcontrol/pull/7819#discussion_r1339291126



##########
traffic_ops/traffic_ops_golang/systeminfo/system_info.go:
##########
@@ -38,10 +38,19 @@ func Get(w http.ResponseWriter, r *http.Request) {
                return
        }
        defer inf.Close()
-       api.RespWriter(w, r, inf.Tx.Tx)(getSystemInfo(inf.Tx, 
inf.User.PrivLevel, 
time.Duration(inf.Config.DBQueryTimeoutSeconds)*time.Second))
+
+       canReadSecureValue := false
+       if (inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 4}) && 
inf.Config.RoleBasedPermissions) || 
inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 5}) {
+               if inf.User.Can("PARAMETER:SECURE-READ") {

Review Comment:
   Make a `tc` constant for `PARAMETER:SECURE-READ`? I know we aren't doing 
this for other perms yet, but we have to start somewhere, and hard-coding 
strings like this makes it harder than it should be to find where perms are 
used.



##########
traffic_ops/traffic_ops_golang/profile/profiles.go:
##########
@@ -189,10 +189,20 @@ func (prof *TOProfile) Read(h http.Header, useIMS bool) 
([]interface{}, error, e
        }
        rows.Close()
        profileInterfaces := []interface{}{}
+       canReadSecureValue := false
+       if prof.APIInfo() != nil && prof.APIInfo().Version != nil {
+               if 
(prof.APIInfo().Version.GreaterThanOrEqualTo(&api.Version{Major: 4}) && 
prof.APIInfo().Config.RoleBasedPermissions) || 
prof.APIInfo().Version.GreaterThanOrEqualTo(&api.Version{Major: 5}) {
+                       if prof.APIInfo().User.Can("PARAMETER:SECURE-READ") {
+                               canReadSecureValue = true
+                       }

Review Comment:
   ```go
   canReadSecureValue = apiInfo.User.Can(tc.PermParameterSecureRead)
   ```



##########
traffic_ops/traffic_ops_golang/deliveryservice/servers/servers.go:
##########
@@ -883,7 +884,16 @@ WHERE s.id in (select server from deliveryservice_server 
where deliveryservice =
                        }
                }
 
-               if user.PrivLevel < auth.PrivLevelAdmin {
+               canViewILOPswd := false
+               if (inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 4}) && 
inf.Config.RoleBasedPermissions) || 
inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 5}) {
+                       if inf.User.Can("SERVER:READ-ILO-PSWD") {
+                               canViewILOPswd = true
+                       }

Review Comment:
   ```go
   canViewILOPswd = tc.PermServerReadILOPassword
   ```



##########
traffic_ops/traffic_ops_golang/profile/profiles.go:
##########
@@ -189,10 +189,20 @@ func (prof *TOProfile) Read(h http.Header, useIMS bool) 
([]interface{}, error, e
        }
        rows.Close()
        profileInterfaces := []interface{}{}
+       canReadSecureValue := false
+       if prof.APIInfo() != nil && prof.APIInfo().Version != nil {

Review Comment:
   Assign `prof.APIInfo()` to a variable to avoid getting `prof.APIInfo()` so 
many times.
   
   ```go
   if apiInfo := prof.APIInfo(); apiInfo != nil && apiInfo.Version != nil {
   ```



##########
traffic_ops/traffic_ops_golang/systeminfo/system_info.go:
##########
@@ -38,10 +38,19 @@ func Get(w http.ResponseWriter, r *http.Request) {
                return
        }
        defer inf.Close()
-       api.RespWriter(w, r, inf.Tx.Tx)(getSystemInfo(inf.Tx, 
inf.User.PrivLevel, 
time.Duration(inf.Config.DBQueryTimeoutSeconds)*time.Second))
+
+       canReadSecureValue := false
+       if (inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 4}) && 
inf.Config.RoleBasedPermissions) || 
inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 5}) {
+               if inf.User.Can("PARAMETER:SECURE-READ") {
+                       canReadSecureValue = true
+               }

Review Comment:
   ```go
   canReadSecureValue = apiInfo.User.Can(tc.PermParameterSecureRead)
   ```



##########
traffic_ops/traffic_ops_golang/systeminfo/system_info.go:
##########
@@ -38,10 +38,19 @@ func Get(w http.ResponseWriter, r *http.Request) {
                return
        }
        defer inf.Close()
-       api.RespWriter(w, r, inf.Tx.Tx)(getSystemInfo(inf.Tx, 
inf.User.PrivLevel, 
time.Duration(inf.Config.DBQueryTimeoutSeconds)*time.Second))
+
+       canReadSecureValue := false
+       if (inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 4}) && 
inf.Config.RoleBasedPermissions) || 
inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 5}) {
+               if inf.User.Can("PARAMETER:SECURE-READ") {
+                       canReadSecureValue = true
+               }
+       } else if inf.User.PrivLevel == auth.PrivLevelAdmin {
+               canReadSecureValue = true

Review Comment:
   ```go
   } else {
       canReadSecureValue = apiInfo.User.PrivLevel == auth.PrivLevelAdmin
   ```



##########
traffic_ops/traffic_ops_golang/profile/profiles.go:
##########
@@ -429,10 +438,17 @@ func Read(w http.ResponseWriter, r *http.Request) {
        }
        rows.Close()
        profileInterfaces := []interface{}{}
+
+       canReadSecureValue := false
+       if inf.Config.RoleBasedPermissions &&
+               inf.User.Can("PARAMETER-SECURE:READ") {
+               canReadSecureValue = true
+       }

Review Comment:
   ```go
   canReadSecureValue := inf.Config.RoleBasedPermissions && 
inf.User.Can("PARAMETER-SECURE:READ")
   ```



##########
traffic_ops/traffic_ops_golang/deliveryservice/servers/servers.go:
##########
@@ -883,7 +884,16 @@ WHERE s.id in (select server from deliveryservice_server 
where deliveryservice =
                        }
                }
 
-               if user.PrivLevel < auth.PrivLevelAdmin {
+               canViewILOPswd := false
+               if (inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 4}) && 
inf.Config.RoleBasedPermissions) || 
inf.Version.GreaterThanOrEqualTo(&api.Version{Major: 5}) {
+                       if inf.User.Can("SERVER:READ-ILO-PSWD") {
+                               canViewILOPswd = true
+                       }
+               } else if inf.User.PrivLevel == auth.PrivLevelAdmin {
+                       canViewILOPswd = true

Review Comment:
   ```go
   else  {
        canViewILOPswd = inf.User.PrivLevel == auth.PrivLevelAdmin
   ```



##########
traffic_ops/traffic_ops_golang/profile/profiles.go:
##########
@@ -189,10 +189,20 @@ func (prof *TOProfile) Read(h http.Header, useIMS bool) 
([]interface{}, error, e
        }
        rows.Close()
        profileInterfaces := []interface{}{}
+       canReadSecureValue := false
+       if prof.APIInfo() != nil && prof.APIInfo().Version != nil {
+               if 
(prof.APIInfo().Version.GreaterThanOrEqualTo(&api.Version{Major: 4}) && 
prof.APIInfo().Config.RoleBasedPermissions) || 
prof.APIInfo().Version.GreaterThanOrEqualTo(&api.Version{Major: 5}) {
+                       if prof.APIInfo().User.Can("PARAMETER:SECURE-READ") {
+                               canReadSecureValue = true
+                       }
+               } else if prof.APIInfo().User.PrivLevel == auth.PrivLevelAdmin {
+                       canReadSecureValue = true

Review Comment:
   ```go
   } else {
       canReadSecureValue = apiInfo.User.PrivLevel == auth.PrivLevelAdmin
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[GitHub] [trafficcontrol] zrhoffman commented on a diff in pull request #7819: TO API v5 routes should not use priv levels anymore

Reply via email to