Browse Source

Updates cleartext-secrets RBAC Permissions

- Adds an RBAC check when returning raw configdocs.

Change-Id: Ia4967ba4e1dfc49d44a3914cfa151177a49c3799
changes/22/617722/8
Aaron Sheffield 8 months ago
parent
commit
0cac1cbe2f

+ 2
- 1
charts/shipyard/values.yaml View File

@@ -368,9 +368,10 @@ conf:
368 368
     workflow_orchestrator:get_configdocs_status: rule:admin_read_access
369 369
     workflow_orchestrator:create_configdocs: rule:admin_create
370 370
     workflow_orchestrator:get_configdocs: rule:admin_read_access
371
+    workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
371 372
     workflow_orchestrator:commit_configdocs: rule:admin_create
372 373
     workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
373
-    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
374
+    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
374 375
     workflow_orchestrator:list_workflows: rule:admin_read_access
375 376
     workflow_orchestrator:get_workflow: rule:admin_read_access
376 377
     workflow_orchestrator:get_notedetails: rule:admin_read_access

+ 8
- 4
doc/source/CLI.rst View File

@@ -677,8 +677,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
677 677
   collection, this will return an empty response (default)
678 678
 
679 679
 \--cleartext-secrets
680
-  Returns cleartext secrets in encrypted documents, otherwise those values
681
-  are redacted. Only impacts returned documents, not lists of documents.
680
+  Returns secrets as cleartext for encrypted documents if the user has the
681
+  appropriate permissions in the target environment.  If the user does not
682
+  have the appropriate permissions and sets this flag to true an error is
683
+  returned.  Only impacts returned documents, not lists of documents.
682 684
 
683 685
 Sample
684 686
 ^^^^^^
@@ -745,8 +747,10 @@ applying Deckhand layering and substitution.
745 747
   prior commit. (default)
746 748
 
747 749
 \--cleartext-secrets
748
-  Returns secrets as cleartext for encrypted documents if the user has the appropriate
749
-  permissions in the target environment.
750
+  Returns secrets as cleartext for encrypted documents if the user has the
751
+  appropriate permissions in the target environment.  If the user does not
752
+  have the appropriate permissions and sets this flag to true an error is
753
+  returned.
750 754
 
751 755
 Sample
752 756
 ^^^^^^

+ 5
- 0
src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py View File

@@ -101,6 +101,11 @@ class ConfigDocsResource(BaseResource):
101 101
         cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
102 102
         self._validate_version_parameter(version)
103 103
         helper = ConfigdocsHelper(req.context)
104
+
105
+        # Check access to cleartext_secrets
106
+        if cleartext_secrets:
107
+            policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
108
+
104 109
         # Not reformatting to JSON or YAML since just passing through
105 110
         resp.body = self.get_collection(
106 111
             helper=helper, collection_id=collection_id, version=version,

+ 13
- 1
src/bin/shipyard_airflow/shipyard_airflow/policy.py View File

@@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
36 36
 GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
37 37
 CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
38 38
 GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
39
+GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
39 40
 COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
40 41
 GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
41 42
 GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext'  # noqa
@@ -162,7 +163,18 @@ class ShipyardPolicy(object):
162 163
         policy.DocumentedRuleDefault(
163 164
             GET_CONFIGDOCS,
164 165
             RULE_ADMIN_REQUIRED,
165
-            'Retrieve a collection of configuration documents',
166
+            ('Retrieve a collection of configuration documents with redacted '
167
+             'secrets'),
168
+            [{
169
+                'path': '/api/v1.0/configdocs/{collection_id}',
170
+                'method': 'GET'
171
+            }]
172
+        ),
173
+        policy.DocumentedRuleDefault(
174
+            GET_CONFIGDOCS_CLRTXT,
175
+            RULE_ADMIN_REQUIRED,
176
+            ('Retrieve a collection of configuration documents with cleartext '
177
+             'secrets.'),
166 178
             [{
167 179
                 'path': '/api/v1.0/configdocs/{collection_id}',
168 180
                 'method': 'GET'

Loading…
Cancel
Save