This is an automated email from the ASF dual-hosted git repository. dewrich pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-trafficcontrol.git
commit b68d335ae57e10c44d165e9847d1a5b2dff67129
Author: Jeremy Mitchell <mitchell...@gmail.com>
AuthorDate: Fri Feb 2 08:28:21 2018 -0700
loosens permissions on ds ssl key management. relies on tenancy.
---
 traffic_ops/app/lib/API/DeliveryService/SslKeys.pm | 67 +++++++++++-----------
 traffic_ops/app/lib/UI/Utils.pm | 8 +++
 2 files changed, 42 insertions(+), 33 deletions(-)
diff --git a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
index 716a3f5..d2d494a 100644
--- a/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
+++ b/traffic_ops/app/lib/API/DeliveryService/SslKeys.pm
@@ -38,8 +38,8 @@ sub add {
 my $cdn = $self->req->json->{cdn};
 my $deliveryservice = $self->req->json->{deliveryservice};
- if ( !&is_admin($self) ) {
- return $self->alert( { Error => " - You must be an ADMIN to perform this operation!" } );
+ if ( !&is_portal($self) ) {
+ return $self->forbidden();
 }
 my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $deliveryservice })->single();
@@ -92,9 +92,10 @@ sub generate {
 my $deliveryservice = $self->req->json->{deliveryservice};
 my $tmp_location = "/var/tmp";
- if ( !&is_admin($self) ) {
- return $self->alert( { Error => " - You must be an ADMIN to perform this operation!" } );
+ if ( !&is_portal($self) ) {
+ return $self->forbidden();
 }
+ if (defined($deliveryservice)) {
 my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $deliveryservice })->single();
 if (!$ds) {
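Review bot: With the gate in `add` lowered from is_admin to is_portal, tenancy becomes the only control preventing a portal user from writing SSL keys for another tenant's delivery service, and no such check appears in this hunk: `$ds` is fetched from the caller-supplied `deliveryservice` xml_id and the rest of `add` lies outside the hunk, so the `is_ds_resource_accessible($tenants_data, $ds->tenant_id)` check that `view_by_xml_id` performs should be confirmed to exist there too, returning `$self->forbidden()` when it fails. The same applies to `generate` at `@@ -92,9 +92,10 @@`, with one extra wrinkle: the new `if (defined($deliveryservice)) {` wraps the `$ds` lookup, so if the tenancy check sits inside that block a request that omits `deliveryservice` would skip it entirely; a missing `deliveryservice` should be rejected outright, e.g. `return $self->alert( { Error => " - deliveryservice is required" } );`, rather than allowed to continue. Both `add` and `generate` start and end outside their hunks.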
@@ -142,42 +143,42 @@ sub view_by_xml_id {
 $decode = 0;
 }
- if ( !&is_admin($self) ) {
- return $self->alert( { Error => " - You must be an ADMIN to perform this operation!" } );
+ if ( !$version ) {
+ $version = 'latest';
 }
- else {
- if ( !$version ) {
- $version = 'latest';
- }
- my $key = "$xml_id-$version";
- my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $xml_id })->single();
- if (!$ds) {
- return $self->alert( { Error => " - Could not found delivery service with xml_id=$xml_id!" } );
- }
- my $tenant_utils = Utils::Tenant->new($self);
- my $tenants_data = $tenant_utils->create_tenants_data_from_db();
- if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $ds->tenant_id)) {
- return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user.");
- }
- my $response_container = $self->riak_get( "ssl", $key );
- my $response = $response_container->{"response"};
+ if ( !&is_portal($self) ) {
+ return $self->forbidden();
+ }
- if ( $response->is_success() ){
- my $toSend = decode_json( $response->content );
+ my $key = "$xml_id-$version";
+ my $ds = $self->db->resultset('Deliveryservice')->search( { xml_id => $xml_id })->single();
+ if (!$ds) {
+ return $self->not_found();
+ }
+ my $tenant_utils = Utils::Tenant->new($self);
+ my $tenants_data = $tenant_utils->create_tenants_data_from_db();
+ if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $ds->tenant_id)) {
+ return $self->forbidden("Forbidden. 
Delivery-service tenant is not available to the user.");
+ }
+ my $response_container = $self->riak_get( "ssl", $key );
+ my $response = $response_container->{"response"};
- if ( $decode ){
- $toSend->{certificate}->{csr} = decode_base64($toSend->{certificate}->{csr});
- $toSend->{certificate}->{crt} = decode_base64($toSend->{certificate}->{crt});
- $toSend->{certificate}->{key} = decode_base64($toSend->{certificate}->{key});
- }
-
- $self->success( $toSend )
+ if ( $response->is_success() ){
+ my $toSend = decode_json( $response->content );
- } else {
- $self->success({}, " - A record for ssl key $key could not be found. ");
+ if ( $decode ){
+ $toSend->{certificate}->{csr} = decode_base64($toSend->{certificate}->{csr});
+ $toSend->{certificate}->{crt} = decode_base64($toSend->{certificate}->{crt});
+ $toSend->{certificate}->{key} = decode_base64($toSend->{certificate}->{key});
 }
+
+
+ $self->success( $toSend )
+
+ } else {
+ $self->success({}, " - A record for ssl key $key could not be found. ");
 }
 }
diff --git a/traffic_ops/app/lib/UI/Utils.pm b/traffic_ops/app/lib/UI/Utils.pm
index 30fff2c..4170abb 100644
--- a/traffic_ops/app/lib/UI/Utils.pm
+++ b/traffic_ops/app/lib/UI/Utils.pm
@@ -36,6 +36,7 @@ our @ISA = qw(Exporter);
 use constant READ => 10;
 use constant FEDERATION => 15;
+use constant PORTAL => 15;
 use constant OPER => 20;
 use constant ADMIN => 30;
@@ -253,6 +254,13 @@ sub is_admin() {
 return &has_priv( $self, ADMIN );
 }
+sub is_portal() {
+ my $self = shift;
+
+ return &has_priv( $self, PORTAL );
+}
+
+
 # returns true if the user is logged in via LDAP.
 sub is_ldap() {
 my $self = shift;
--
To stop receiving notification emails like this one, please contact dewr...@apache.org.
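Review bot: In `view_by_xml_id` the new `return $self->not_found();` runs before the tenancy check, so a portal user in one tenant can learn whether any xml_id exists in another tenant by telling the 404 apart from the 403 that follows; if other tenants' delivery services are meant to be invisible, both paths should answer the same way, e.g. have the tenancy failure also `return $self->not_found();`. A second, pre-existing issue the rewrite keeps is that every non-success Riak response, not only a missing key, falls into the `else` branch and is reported as `$self->success({}, " - A record for ssl key $key could not be found. ")`, so a Riak outage is indistinguishable from an absent record for the caller; only a not-found status should take that branch and other failures should return an error. `view_by_xml_id` starts outside the hunk.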
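Review bot: `use constant PORTAL => 15;` gives the new constant the same value as `FEDERATION => 15`, so if `has_priv` is a threshold comparison (its body is not visible here) every check written against PORTAL also admits federation-level users, and vice versa, which neither name suggests. Either choose a distinct value or document the equivalence on the line, e.g. `use constant PORTAL => 15;  # same level as FEDERATION: a check against either admits both`.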
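Review bot: `sub is_portal()` declares an empty prototype yet shifts `$self` off `@_`; this copies `is_admin()` and works only because the callers in SslKeys.pm use the `&is_portal($self)` form, which bypasses prototypes, so a plain `is_portal($self)` call elsewhere would likely be rejected at compile time. Dropping the `()` is harmless and removes the trap, and the new sub should carry the same short header comment its neighbour `is_ldap` has, e.g. `# returns true if the user passes has_priv at the PORTAL level.`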