Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

don't add bind and dial permissions to services for admins #1782

Closed
wants to merge 8 commits into from
Closed

don't add bind and dial permissions to services for admins #1782

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
0e4ef2b
respect service policies for admin identities. fixes #1781.
scareything Feb 28, 2024
512be08
fix service tests
scareything Feb 28, 2024
ba995a6
combine ReadForNonAdminIdentityInTx into ReadForIdentityInTx
scareything Feb 28, 2024
ecce28c
more tests fixes
scareything Feb 28, 2024
0c628ae
update changelog
scareything Mar 8, 2024
4bd062b
update versions in changelog
scareything Apr 9, 2024
797fd79
update versions in changelog
scareything Apr 9, 2024
6ed63f4
Merge remote-tracking branch 'origin/fix.1781' into fix.1781
scareything Apr 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 14 additions & 22 deletions controller/model/edge_service_manager.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,21 +119,11 @@ func (self *EdgeServiceManager) ReadForIdentity(id string, identityId string, co
}

func (self *EdgeServiceManager) ReadForIdentityInTx(tx *bbolt.Tx, id string, identityId string, configTypes map[string]struct{}) (*ServiceDetail, error) {
identity, err := self.GetEnv().GetManagers().Identity.readInTx(tx, identityId)
if err != nil {
return nil, err
}

var err error
var service *ServiceDetail

if identity.IsAdmin {
service, err = self.readInTx(tx, id)
if err == nil && service != nil {
service.Permissions = []string{db.PolicyTypeBindName, db.PolicyTypeDialName}
}
} else {
service, err = self.ReadForNonAdminIdentityInTx(tx, id, identityId)
}
// service permissions for admin & non-admin identities will be set according to policies
service, err = self.ReadForNonAdminIdentityInTx(tx, id, identityId)
if err == nil && len(configTypes) > 0 {
identityServiceConfigs := self.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, identityId, configTypes)
self.mergeConfigs(tx, configTypes, service, identityServiceConfigs)
Expand All @@ -143,10 +133,14 @@ func (self *EdgeServiceManager) ReadForIdentityInTx(tx *bbolt.Tx, id string, ide

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we merge ReadForNonAdminIdentityInTx into ReadForIdentityInTx, as the 'NonAdmin' name is no longer accurate and the first method is now pretty short?

func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id string, identityId string) (*ServiceDetail, error) {
edgeServiceStore := self.env.GetStores().EdgeService
identity, err := self.GetEnv().GetManagers().Identity.readInTx(tx, identityId)
if err != nil {
return nil, err
}
isBindable := edgeServiceStore.IsBindableByIdentity(tx, id, identityId)
isDialable := edgeServiceStore.IsDialableByIdentity(tx, id, identityId)

if !isBindable && !isDialable {
if !isBindable && !isDialable && !identity.IsAdmin { // admin can view services even if policies don't permit bind/dial
return nil, boltz.NewNotFoundError(self.GetStore().GetSingularEntityType(), "id", id)
}

Expand All @@ -163,6 +157,10 @@ func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id str
if isDialable {
result.Permissions = append(result.Permissions, db.PolicyTypeDialName)
}
if result.Permissions == nil {
// don't return results with no permissions, since some SDKs assume non-nil permissions
result.Permissions = []string{db.PolicyTypeInvalidName}
}
return result, nil
}

Expand Down Expand Up @@ -259,14 +257,8 @@ func (result *ServiceListResult) collect(tx *bbolt.Tx, ids []string, queryMetaDa
identityServiceConfigs := result.manager.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, result.identityId, result.configTypes)

for _, key := range ids {
if !result.isAdmin && result.identityId != "" {
service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId)
} else {
service, err = result.manager.readInTx(tx, key)
if service != nil && result.isAdmin {
service.Permissions = []string{db.PolicyTypeBindName, db.PolicyTypeDialName}
}
}
// service permissions for admin & non-admin identities will be set according to policies
service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this is valid when result.identityId == "" ?

if err != nil {
return err
}
Expand Down
Loading