dewrich closed pull request #1929: [Issue-1841] - managing sslkeys and urlsig
keys requires at least the operations rol?
URL: https://github.com/apache/incubator-trafficcontrol/pull/1929
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/docs/source/development/traffic_ops_api/v11/deliveryservice.rst
b/docs/source/development/traffic_ops_api/v11/deliveryservice.rst
index 2c13e6d351..1d01d61745 100644
--- a/docs/source/development/traffic_ops_api/v11/deliveryservice.rst
+++ b/docs/source/development/traffic_ops_api/v11/deliveryservice.rst
@@ -851,7 +851,7 @@ SSL Keys
Authentication Required: Yes
- Role(s) Required: Portal
+ Role(s) Required: None
**Request Route Parameters**
@@ -989,7 +989,7 @@ SSL Keys
Authentication Required: Yes
- Role Required: PORTAL
+ Role Required: Operations
**Request Route Parameters**
@@ -1029,7 +1029,7 @@ SSL Keys
Authentication Required: Yes
- Role(s) Required: Portal
+ Role(s) Required: Operations
**Request Properties**
@@ -1097,7 +1097,7 @@ SSL Keys
Authentication Required: Yes
- Role(s) Required: Portal
+ Role(s) Required: Operations
**Request Properties**
diff --git a/docs/source/development/traffic_ops_api/v12/deliveryservice.rst
b/docs/source/development/traffic_ops_api/v12/deliveryservice.rst
index 6dee5784fc..aac6dae54b 100644
--- a/docs/source/development/traffic_ops_api/v12/deliveryservice.rst
+++ b/docs/source/development/traffic_ops_api/v12/deliveryservice.rst
@@ -1457,7 +1457,7 @@ SSL Keys
Authentication Required: Yes
- Role(s) Required: Admin
+ Role(s) Required: None
**Request Route Parameters**
@@ -1615,7 +1615,7 @@ SSL Keys
Authentication Required: Yes
- Role Required: Admin
+ Role Required: Operations
**Request Route Parameters**
@@ -1655,7 +1655,7 @@ SSL Keys
Authentication Required: Yes
- Role(s) Required: Admin
+ Role(s) Required: Operations
**Request Properties**
@@ -1729,7 +1729,7 @@ SSL Keys
Authentication Required: Yes
- Role(s) Required: Admin
+ Role(s) Required: Operations
**Request Properties**
@@ -1845,7 +1845,7 @@ URL Sig Keys
Authentication Required: Yes
- Role(s) Required: Admin OR assigned DS
+ Role(s) Required: Operations
**Request Route Parameters**
@@ -1881,7 +1881,7 @@ URL Sig Keys
Authentication Required: Yes
- Role(s) Required: Admin or assigned DS
+ Role(s) Required: Operations
**Request Route Parameters**
diff --git a/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
b/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
index 1eb03d7439..c38ce9f51d 100644
--- a/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
+++ b/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
@@ -101,8 +101,12 @@ sub copy_url_sig_keys {
my $xml_id = $self->param('xmlId'); #copying to this
service
my $copy_from_xml_id = $self->param('copyFromXmlId'); # copying from
this service
+ if ( !&is_oper($self) ) {
+ return $self->forbidden();
+ }
+
my $current_user = $self->current_user()->{username};
- my $is_admin = &is_admin($self);
+ my $is_oper = &is_oper($self);
#check ds and generate config file name
my $rs = $self->db->resultset("Deliveryservice")->find( { xml_id =>
$xml_id } );
my $ds_id;
@@ -138,7 +142,7 @@ sub copy_url_sig_keys {
#verify we can copy keys out
if ( $helper->is_valid_delivery_service($copy_ds_id) ) {
- if ( $is_admin ||
$helper->is_delivery_service_assigned($copy_ds_id) ||
$tenant_utils->use_tenancy()) {
+ if ( $is_oper ||
$helper->is_delivery_service_assigned($copy_ds_id) ||
$tenant_utils->use_tenancy()) {
my $response_container = $self->riak_get(
URL_SIG_KEYS_BUCKET, $copy_config_file ); # verify this
my $rc =
$response_container->{"response"}->{_rc};
if ( $rc eq '200' ) {
@@ -158,9 +162,9 @@ sub copy_url_sig_keys {
}
if ( defined($url_sig_key_values_json) ) { # verify we got keys copied
- # Admins can always do this, otherwise verify the user
+ # Ops can always do this, otherwise verify the user
if ( $helper->is_valid_delivery_service($ds_id) ) {
- if ( $is_admin ||
$helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) {
+ if ( $is_oper ||
$helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) {
$self->app->log->debug(
"url_sig_key_values_json #-> " . $url_sig_key_values_json );
my $response_container = $self->riak_put(
URL_SIG_KEYS_BUCKET, $config_file, $url_sig_key_values_json );
my $response =
$response_container->{"response"};
@@ -194,6 +198,10 @@ sub generate {
my $config_file = $self->url_sig_config_file_name($xml_id);
$self->app->log->info( "Generating New keys for config_file: " .
$config_file );
+ if ( !&is_oper($self) ) {
+ return $self->forbidden();
+ }
+
my $current_user = $self->current_user()->{username};
my $tenant_utils = Utils::Tenant->new($self);
@@ -209,9 +217,9 @@ sub generate {
my $helper = new Utils::Helper( { mojo => $self } );
- # Admins can always do this, otherwise verify the user
+ # Ops can always do this, otherwise verify the user
if ( ( defined($rs) && $helper->is_valid_delivery_service($ds_id) ) ) {
- if ( &is_admin($self) ||
$helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) {
+ if ( &is_oper($self) ||
$helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) {
my $url_sig_key_values_json =
$self->generate_random_sigs_for_ds();
if ( defined($rs) ) {
diff --git a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
index 59d86beea7..b75d71d29c 100644
--- a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
+++ b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
@@ -38,7 +38,7 @@ sub add {
my $cdn = $self->req->json->{cdn};
my $deliveryservice = $self->req->json->{deliveryservice};
- if ( !&is_portal($self) ) {
+ if ( !&is_oper($self) ) {
return $self->forbidden();
}
@@ -92,7 +92,7 @@ sub generate {
my $deliveryservice = $self->req->json->{deliveryservice};
my $tmp_location = "/var/tmp";
- if ( !&is_portal($self) ) {
+ if ( !&is_oper($self) ) {
return $self->forbidden();
}
@@ -147,10 +147,6 @@ sub view_by_xml_id {
$version = 'latest';
}
- if ( !&is_portal($self) ) {
- return $self->forbidden();
- }
-
my $key = "$xml_id-$version";
my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id =>
$xml_id })->single();
if (!$ds) {
@@ -262,7 +258,7 @@ sub delete {
my $response_container;
my $response;
- if ( !&is_portal($self) ) {
+ if ( !&is_oper($self) ) {
return $self->forbidden();
}
diff --git a/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
b/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
index 5630d0243f..ab1b8d4a01 100644
--- a/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
+++ b/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
@@ -64,14 +64,6 @@ my $version = "1.1";
ok $t->post_ok( '/api/1.1/user/login', json => { u =>
Test::TestHelper::PORTAL_USER, p => Test::TestHelper::PORTAL_USER_PASSWORD }
)->status_is(200),
'Log into the portal user?';
-ok
$t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys/generate')->status_is(200)
- ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
- 'Can an assigned DeliveryService url keys for the portal user be
regenerated?';
-
-ok
$t->post_ok('/api/1.1/deliveryservices/xmlId/XXX/urlkeys/generate')->status_is(400)
- ->json_is( "/alerts/0/text/", "Delivery Service 'XXX' does not exist."
)->or( sub { diag $t->tx->res->content->asset->{content}; } ),
- 'Can a non existent DeliveryService url keys for the portal user be
regenerated?';
-
ok
$t->get_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys.json')->status_is(200)->or(
sub { diag $t->tx->res->content->asset->{content}; } ),
'Can assigned DeliveryService url keys can be viewed?';
@@ -83,6 +75,11 @@ ok $t->get_ok('/logout')->status_is(302)->or( sub { diag
$t->tx->res->content->a
# Admin User checks
ok $t->post_ok( '/api/1.1/user/login', json => { u =>
Test::TestHelper::ADMIN_USER, p => Test::TestHelper::ADMIN_USER_PASSWORD }
)->status_is(200),
'Log into the admin user?';
+
+ok
$t->post_ok('/api/1.1/deliveryservices/xmlId/XXX/urlkeys/generate')->status_is(400)
+ ->json_is( "/alerts/0/text/", "Delivery Service 'XXX' does not
exist." )->or( sub { diag $t->tx->res->content->asset->{content}; } ),
+ 'Can a non existent DeliveryService url keys for the portal user be
regenerated?';
+
ok
$t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys/generate')->status_is(200)
->or( sub { diag $t->tx->res->content->asset->{content}; } ),
'Can an assigned DeliveryService url keys for the portal user be
regenerated?';
diff --git a/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t
b/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t
index da709833d0..77e5111961 100644
--- a/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t
+++ b/traffic_ops/app/t/api/1.1/deliveryservice/ssl_keys.t
@@ -62,7 +62,7 @@ ok $t->post_ok(
->or( sub { diag $t->tx->res->content->asset->{content}; } );
#get_object
-ok
$t->get_ok("/api/1.1/deliveryservices/xmlId/$key/sslkeys.json")->status_is(403)
+ok
$t->get_ok("/api/1.1/deliveryservices/xmlId/$key/sslkeys.json")->status_is(200)
->or( sub { diag $t->tx->res->content->asset->{content}; } );
# #delete
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
