url sig - tenancy checks
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/commit/a70ba7d4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/tree/a70ba7d4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/diff/a70ba7d4
Branch: refs/heads/master
Commit: a70ba7d49f44ff7dbff81d38ba76913032b2916e
Parents: 86d098d
Author: nir-sopher <n...@qwilt.com>
Authored: Sun Aug 13 18:25:37 2017 +0300
Committer: Jeremy Mitchell <mitchell...@gmail.com>
Committed: Wed Aug 23 10:59:09 2017 -0600
----------------------------------------------------------------------
 .../app/lib/API/DeliveryService/KeysUrlSig.pm | 31 ++++++++++++--
 .../t/api/1.1/deliveryservice/keys_url_sig.t | 43 ++++++++++++++++++++
 2 files changed, 71 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/a70ba7d4/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
----------------------------------------------------------------------
diff --git a/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm b/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
index 6364154..2673710 100644
--- a/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
+++ b/traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm
@@ -20,6 +20,7 @@ use Mojo::Base 'Mojolicious::Controller';
 use Data::Dumper;
 use API::Keys;
 use Utils::Helper;
+use Utils::Tenant;
 use JSON;
 use UI::Utils;
 use constant URL_SIG_KEYS_BUCKET => "url_sig_keys";
@@ -29,6 +30,17 @@ our @EXPORT_OK = qw(URL_SIG_KEYS_BUCKET);
 sub view_by_xmlid {
 my $self = shift;
 my $xml_id = $self->param('xmlId');
+
+ my $rs = $self->db->resultset("Deliveryservice")->find( { xml_id => $xml_id } );
+ if ( !defined($rs) ) {
+ return $self->not_found("Delivery Service '$xml_id' does not exist.");
+ }
+ my $tenant_utils = Utils::Tenant->new($self);
+ my $tenants_data = $tenant_utils->create_tenants_data_from_db();
+ if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $rs->tenant_id)) {
+ return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user.");
+ }
+
 my $config_file = $self->url_sig_config_file_name($xml_id);
 my $response_container = $self->riak_get( URL_SIG_KEYS_BUCKET, $config_file );
 my $rc = $response_container->{"response"}->{_rc};
@@ -58,6 +70,11 @@ sub copy_url_sig_keys {
 else {
 return $self->alert("Delivery Service '$xml_id' does not exist.");
 }
+ my $tenant_utils = Utils::Tenant->new($self);
+ my $tenants_data = $tenant_utils->create_tenants_data_from_db();
+ if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $rs->tenant_id)) {
+ return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user.");
+ }
 my $config_file = $self->url_sig_config_file_name($xml_id);
 #check ds to copy from and generate config file name
@@ -69,6 +86,9 @@ sub copy_url_sig_keys {
 else {
 return $self->alert("Delivery Service to copy from '$copy_from_xml_id' does not exist.");
 }
+ if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $copy_rs->tenant_id)) {
+ return $self->forbidden("Forbidden. Source delivery-service tenant is not available to the user.");
+ }
 my $copy_config_file = $self->url_sig_config_file_name($copy_from_xml_id);
 my $helper = new Utils::Helper( { mojo => $self } );
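Review bot: `view_by_xmlid` is now gated on tenancy alone; unlike `generate` and `copy_url_sig_keys` it has no `is_admin` / `is_delivery_service_assigned` fallback, so with `use_tenancy` switched off access depends entirely on what `is_ds_resource_accessible` returns in that mode (not visible here, presumably true). The response is the URL-signing key material, so either apply the assignment check when tenancy is disabled or record the intent next to the check, e.g. `# read access is tenant-scoped only; with use_tenancy off any authenticated user may view these keys`. Separately, the 404 for an unknown xmlId is returned before the 403, so a caller outside the tenant can tell existing ids from missing ones; returning the same status for both cases would avoid that. The rest of the function lies outside the hunk.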
@@ -76,7 +96,7 @@ sub copy_url_sig_keys {
 #verify we can copy keys out
 if ( $helper->is_valid_delivery_service($copy_ds_id) ) {
- if ( $is_admin || $helper->is_delivery_service_assigned($copy_ds_id) ) {
+ if ( $is_admin || $helper->is_delivery_service_assigned($copy_ds_id) || $tenant_utils->use_tenancy()) {
 my $response_container = $self->riak_get( URL_SIG_KEYS_BUCKET, $copy_config_file ); # verify this
 my $rc = $response_container->{"response"}->{_rc};
 if ( $rc eq '200' ) {
@@ -98,7 +118,7 @@ sub copy_url_sig_keys {
 if ( defined($url_sig_key_values_json) ) { # verify we got keys copied
 # Admins can always do this, otherwise verify the user
 if ( $helper->is_valid_delivery_service($ds_id) ) {
- if ( $is_admin || $helper->is_delivery_service_assigned($ds_id) ) {
+ if ( $is_admin || $helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) {
 $self->app->log->debug( "url_sig_key_values_json #-> " . $url_sig_key_values_json );
 my $response_container = $self->riak_put( URL_SIG_KEYS_BUCKET, $config_file, $url_sig_key_values_json );
 my $response = $response_container->{"response"};
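Review bot: The added `|| $tenant_utils->use_tenancy()` disjunct is a global switch rather than a check on `$copy_ds_id`, so with tenancy enabled this condition is always true and access rests entirely on the `is_ds_resource_accessible` early returns added further up in `copy_url_sig_keys`. The same pattern is repeated at @@ -98 for `$ds_id` and in `generate` at @@ -134. That ordering dependency is easy to break in a later refactor, so I would state it at each site, e.g. `# tenancy on: access was already decided by is_ds_resource_accessible() above; assignment is only checked when tenancy is off`, or compute a single `$authorized` flag next to the tenancy check and test that here. The function starts and ends outside this hunk.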
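Review bot: The context line `$self->app->log->debug( "url_sig_key_values_json #-> " . $url_sig_key_values_json );` writes the copied signing keys into the application log whenever debug logging is on, and the widened condition just above lets more callers reach it. The line predates this commit, but key material should not end up in logs; log the destination instead, e.g. `$self->app->log->debug( "storing url_sig keys in " . $config_file );`. The enclosing block continues past the end of the hunk.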
@@ -134,17 +154,22 @@ sub generate {
 my $current_user = $self->current_user()->{username};
 &log( $self, "Generated new url_sig_keys for " . $xml_id, "APICHANGE" );
+ my $tenant_utils = Utils::Tenant->new($self);
+ my $tenants_data = $tenant_utils->create_tenants_data_from_db();
 my $rs = $self->db->resultset("Deliveryservice")->find( { xml_id => $xml_id } );
 my $ds_id;
 if ( defined($rs) ) {
 $ds_id = $rs->id;
+ if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $rs->tenant_id)) {
+ return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user.");
+ }
 }
 my $helper = new Utils::Helper( { mojo => $self } );
 # Admins can always do this, otherwise verify the user
 if ( ( defined($rs) && $helper->is_valid_delivery_service($ds_id) ) ) {
- if ( &is_admin($self) || $helper->is_delivery_service_assigned($ds_id) ) {
+ if ( &is_admin($self) || $helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) {
 my $url_sig_key_values_json = $self->generate_random_sigs_for_ds();
 if ( defined($rs) ) {
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/a70ba7d4/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
----------------------------------------------------------------------
diff --git a/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t b/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
index 304c5b4..12ce94d 100644
--- a/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
+++ b/traffic_ops/app/t/api/1.1/deliveryservice/keys_url_sig.t
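Review bot: In `generate`, the `&log( $self, "Generated new url_sig_keys for " . $xml_id, "APICHANGE" );` call still runs before the delivery-service lookup and before the new `forbidden` return, so a request that is rejected for tenancy (or names a non-existent xmlId) leaves a change-log entry claiming keys were generated. For an audit trail that is misleading in both directions: refused attempts look like successful changes, and real denials are not recorded as such. I would move that `&log(...)` line to the point where the new keys have actually been stored (further down, outside this hunk) and, if denials should be tracked, log them separately with wording that says the request was refused. The function body continues beyond the hunk.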
@@ -68,9 +68,11 @@ ok $t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys/generate')->sta
 ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
 'Can an assigned DeliveryService url keys for the portal user be regenerated?';
+set_param_value("use_tenancy", "0");
 ok $t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds2/urlkeys/generate')->status_is(403)
 ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
 'Can an unassigned DeliveryService url keys for the portal user be regenerated?';
+set_param_value("use_tenancy", "1");
 ok $t->post_ok('/api/1.1/deliveryservices/xmlId/XXX/urlkeys/generate')->status_is(400)
 ->json_is( "/alerts/0/text/", "Delivery Service 'XXX' does not exist." )->or( sub { diag $t->tx->res->content->asset->{content}; } ),
@@ -81,6 +83,7 @@ ok $t->get_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys.json')->status_i
 ok $t->get_ok('/api/1.1/deliveryservices/xmlId/test-ds2/urlkeys.json')->status_is(200)->or( sub { diag $t->tx->res->content->asset->{content}; } ),
 'Can unassigned DeliveryService url keys can be viewed?';
+
 ok $t->get_ok('/logout')->status_is(302)->or( sub { diag $t->tx->res->content->asset->{content}; } );
 # Admin User checks
@@ -120,6 +123,33 @@ ok $t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys/copyFromXmlId/t
 ok $t->get_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys.json')->status_is(200)->json_is($jsonKeys)->or( sub { diag $t->tx->res->content->asset->{content}; } ),
 'Are the url sig keys equal after the copy?';
+
+# Out of tenant tests
+ok $t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds1-root/urlkeys/generate')->status_is(403)
+ ->json_is( "/alerts/0/text" => "Forbidden. Delivery-service tenant is not available to the user.")
+ ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
+ 'Cannot generate delivery-service url keys when tenancy not allow?';
+
+ok $t->get_ok('/api/1.1/deliveryservices/xmlId/test-ds1-root/urlkeys.json')->status_is(403)
+ ->json_is( "/alerts/0/text" => "Forbidden. Delivery-service tenant is not available to the user.")
+ ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
+ 'DeliveryService Url Keys cannot be viewed out of tenancy?';
+
+ok $t->get_ok('/api/1.1/deliveryservices/xmlId/test-ds1-not-there/urlkeys.json')->status_is(404)
+ ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
+ 'DeliveryService Url Keys cannot be viewed out of tenancy?';
+
+ok $t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds1-root/urlkeys/copyFromXmlId/test-ds1')->status_is(403)
+ ->json_is( "/alerts/0/text" => "Forbidden. Delivery-service tenant is not available to the user.")
+ ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
+ 'Can an unassigned DeliveryService url keys be copied to an assigned DeliveryService url keys?';
+
+ok $t->post_ok('/api/1.1/deliveryservices/xmlId/test-ds1/urlkeys/copyFromXmlId/test-ds1-root')->status_is(403)
+ ->json_is( "/alerts/0/text" => "Forbidden. Source delivery-service tenant is not available to the user.")
+ ->or( sub { diag $t->tx->res->content->asset->{content}; } ),
+ 'Can an unassigned DeliveryService url keys be copied to an assigned DeliveryService url keys?';
+
+
 # Negative Testing
 # With error content
 my $fake_put_300 = HTTP::Response->new( 300, undef, HTTP::Headers->new, "You messed it up!" );
@@ -159,3 +189,16 @@ ok $t->post_ok(
 # logout
 ok $t->get_ok('/logout')->status_is(302)->or( sub { diag $t->tx->res->content->asset->{content}; } );
 done_testing();
+
+
+sub set_param_value {
+ my $name = shift;
+ my $value = shift;
+ my $q = "UPDATE parameter SET value=\'$value\' where name = \'$name\'";
+ my $get_svr = $dbh->prepare($q);
+ $get_svr->execute();
+ my $p = $get_svr->fetchall_arrayref( {} );
+ $get_svr->finish();
+ my $id = $p->[0]->{id};
+ return $id;
+}
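Review bot: Several descriptions in the new out-of-tenant block are copy-pasted and no longer match what the assertion checks, so a failing TAP line would point at the wrong scenario. The 404 case for `test-ds1-not-there` reuses 'DeliveryService Url Keys cannot be viewed out of tenancy?', and both copy cases keep 'Can an unassigned DeliveryService url keys be copied to an assigned DeliveryService url keys?' although they assert a 403 for a forbidden target and a forbidden source respectively. Suggested descriptions: `'Url keys view returns 404 for an unknown delivery service'`, `'Copy into an out-of-tenant delivery service is forbidden'`, `'Copy from an out-of-tenant delivery service is forbidden'`. It would also strengthen the two copy cases to re-read the `test-ds1` keys afterwards and confirm they are unchanged.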
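Review bot: `set_param_value` builds its UPDATE by interpolating `$name` and `$value` into the SQL string and then calls `fetchall_arrayref` on a statement that returns no rows, so `$id` is presumably always undef and the fetch may raise a DBI error depending on the driver. Even in test code, bound parameters are the pattern worth modelling, because helpers like this tend to be copied: `my $sth = $dbh->prepare("UPDATE parameter SET value = ? WHERE name = ?");` followed by `$sth->execute( $value, $name ) or die $dbh->errstr;`. The fetch and the `$id` return can then be dropped, since neither caller uses the result. `$dbh` is declared outside the hunk.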