Merge pull request #1278 from gravitational/rjones/readnosecrets
Read No Secrets
commit
6d345b5ad4
|
@ -113,23 +113,24 @@ func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKey
|
|||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbList); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbReadNoSecrets); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if loadKeys {
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbUpdate); err != nil {
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
}
|
||||
|
||||
return a.authServer.GetCertAuthorities(caType, loadKeys)
|
||||
}
|
||||
|
||||
func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool) (services.CertAuthority, error) {
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbReadNoSecrets); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if loadKeys {
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbUpdate); err != nil {
|
||||
if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
}
|
||||
|
@ -524,11 +525,11 @@ func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) er
|
|||
}
|
||||
|
||||
func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error) {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbReadNoSecrets); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if withSecrets {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbUpdate); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
}
|
||||
|
@ -539,11 +540,11 @@ func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConn
|
|||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbList); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbReadNoSecrets); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if withSecrets {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbUpdate); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
}
|
||||
|
@ -587,11 +588,11 @@ func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) er
|
|||
}
|
||||
|
||||
func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error) {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbReadNoSecrets); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if withSecrets {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbUpdate); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
}
|
||||
|
@ -602,13 +603,12 @@ func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConn
|
|||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbList); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbReadNoSecrets); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
if withSecrets {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbUpdate); err != nil {
|
||||
if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
|
||||
}
|
||||
}
|
||||
return a.authServer.Identity.GetSAMLConnectors(withSecrets)
|
||||
|
|
|
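Review bot: The readnosecrets-then-read check pair introduced at L25/L40 is copied verbatim into six getters (GetCertAuthorities, GetCertAuthority, GetOIDCConnector, GetOIDCConnectors, GetSAMLConnector, GetSAMLConnectors), so the next secret-bearing getter can silently diverge from the pattern or forget the second check. A small helper that takes the checker (`a.action` or `a.authConnectorAction`, both visibly of the same shape), the kind and the secrets flag would make the rule a single call, e.g. `if err := readWithSecrets(a.action, services.KindCertAuthority, loadKeys); err != nil {`. Each getter would also benefit from a doc comment stating that the secrets flag raises the required verb from `readnosecrets` to `read`, since that is the only place the boundary is enforced before the call into authServer. Several of these methods start or end outside their hunks.
```go
// readWithSecrets runs check for a read of kind: VerbReadNoSecrets always,
// and VerbRead as well when the caller asked for secrets. The order mirrors
// the inline checks it replaces.
func readWithSecrets(check func(namespace, kind, verb string) error, kind string, withSecrets bool) error {
	if err := check(defaults.Namespace, kind, services.VerbReadNoSecrets); err != nil {
		return trace.Wrap(err)
	}
	if !withSecrets {
		return nil
	}
	return trace.Wrap(check(defaults.Namespace, kind, services.VerbRead))
}

// … unchanged: GetCertAuthorities body, with the two inline checks replaced by …
	if err := readWithSecrets(a.action, services.KindCertAuthority, loadKeys); err != nil {
		return nil, trace.Wrap(err)
	}
```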
@ -170,7 +170,7 @@ func GetCheckerForBuiltinRole(role teleport.Role) (services.AccessChecker, error
|
|||
services.NewRule(services.KindSSHSession, services.RW()),
|
||||
services.NewRule(services.KindEvent, services.RW()),
|
||||
services.NewRule(services.KindProxy, services.RO()),
|
||||
services.NewRule(services.KindCertAuthority, services.RO()),
|
||||
services.NewRule(services.KindCertAuthority, services.ReadNoSecrets()),
|
||||
services.NewRule(services.KindUser, services.RO()),
|
||||
services.NewRule(services.KindNamespace, services.RO()),
|
||||
services.NewRule(services.KindRole, services.RO()),
|
||||
|
@ -192,13 +192,13 @@ func GetCheckerForBuiltinRole(role teleport.Role) (services.AccessChecker, error
|
|||
services.NewRule(services.KindSession, services.RO()),
|
||||
services.NewRule(services.KindEvent, services.RW()),
|
||||
services.NewRule(services.KindSAMLRequest, services.RW()),
|
||||
services.NewRule(services.KindOIDC, services.RO()),
|
||||
services.NewRule(services.KindSAML, services.RO()),
|
||||
services.NewRule(services.KindOIDC, services.ReadNoSecrets()),
|
||||
services.NewRule(services.KindSAML, services.ReadNoSecrets()),
|
||||
services.NewRule(services.KindNamespace, services.RO()),
|
||||
services.NewRule(services.KindNode, services.RO()),
|
||||
services.NewRule(services.KindAuthServer, services.RO()),
|
||||
services.NewRule(services.KindReverseTunnel, services.RO()),
|
||||
services.NewRule(services.KindCertAuthority, services.RO()),
|
||||
services.NewRule(services.KindCertAuthority, services.ReadNoSecrets()),
|
||||
services.NewRule(services.KindUser, services.RO()),
|
||||
services.NewRule(services.KindRole, services.RO()),
|
||||
services.NewRule(services.KindClusterAuthPreference, services.RO()),
|
||||
|
|
|
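Review bot: The swaps from `services.RO()` to `services.ReadNoSecrets()` at L288, L319, L322 and L340 carry no comment explaining why these builtin roles can do without CA signing keys and connector secrets, and the `case` labels naming the affected roles are outside both hunks, so a later reader sees only a rule list. A short comment next to each swapped rule would record the intent, e.g. `// ReadNoSecrets: this role only needs the public half of CAs and connector metadata; signing keys and client secrets stay on the auth server` — phrased as presumed, since nothing in the hunks shows what these roles actually load. It would also be worth a permissions test asserting that these roles are denied when loadKeys or withSecrets is true, so the narrowing cannot be undone by a future return to RO() without a test failing.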
@ -155,6 +155,9 @@ const (
|
|||
// VerbRead is used to read a single object.
|
||||
VerbRead = "read"
|
||||
|
||||
// VerbReadNoSecrets is used to read a single object without secrets.
|
||||
VerbReadNoSecrets = "readnosecrets"
|
||||
|
||||
// VerbUpdate is used to update an object.
|
||||
VerbUpdate = "update"
|
||||
|
||||
|
|
|
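Review bot: The doc comment on VerbReadNoSecrets at L366 does not mention that VerbRead satisfies it as well, which is the property Rule.HasVerb relies on and the one a role author needs to know when choosing between `read` and `readnosecrets`. Suggested wording: `// VerbReadNoSecrets is used to read a single object without secrets.` followed by `// A role holding VerbRead satisfies it too, never the reverse; see Rule.HasVerb.` The string value "readnosecrets" is what appears in role specs, so the comment is also the right place to note that it is a persisted identifier.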
@ -746,6 +746,14 @@ func (r *Rule) ProcessActions(parser predicate.Parser) error {
|
|||
// this method also matches wildcard
|
||||
func (r *Rule) HasVerb(verb string) bool {
|
||||
for _, v := range r.Verbs {
|
||||
// readnosecrets can be satisfied by having readnosecrets or read
|
||||
if verb == VerbReadNoSecrets {
|
||||
if v == VerbReadNoSecrets || v == VerbRead {
|
||||
return true
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
if v == verb {
|
||||
return true
|
||||
}
|
||||
|
@ -1060,7 +1068,7 @@ func (r *RoleV2) V3() *RoleV3 {
|
|||
verbs = RO()
|
||||
} else if containsWrite {
|
||||
// in RoleV2 ActionWrite implied the ability to read secrets.
|
||||
verbs = []string{VerbCreate, VerbUpdate, VerbDelete}
|
||||
verbs = []string{VerbCreate, VerbRead, VerbUpdate, VerbDelete}
|
||||
}
|
||||
|
||||
rules = append(rules, NewRule(resource, verbs))
|
||||
|
@ -1136,11 +1144,17 @@ func RW() []string {
|
|||
return []string{VerbConnect, VerbList, VerbCreate, VerbRead, VerbUpdate, VerbDelete}
|
||||
}
|
||||
|
||||
// RO is a shortcut that returns read only verbs.
|
||||
// RO is a shortcut that returns read only verbs that provide access to secrets.
|
||||
func RO() []string {
|
||||
return []string{VerbList, VerbRead}
|
||||
}
|
||||
|
||||
// ReadNoSecrets is a shortcut that returns read only verbs that do not
|
||||
// provide access to secrets.
|
||||
func ReadNoSecrets() []string {
|
||||
return []string{VerbList, VerbReadNoSecrets}
|
||||
}
|
||||
|
||||
// NewRole constructs new standard role
|
||||
func NewRole(name string, spec RoleSpecV3) (Role, error) {
|
||||
role := RoleV3{
|
||||
|
|
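Review bot: In HasVerb the `verb == VerbReadNoSecrets` test at L400 is loop-invariant yet re-evaluated for every element, and the `continue` at L412 turns the special case into a second loop inside the first; a flatter body that tries the exact match first and then the single implication keeps the security-relevant rule (`read` implies `readnosecrets`, never the reverse) on one line where a reviewer can see it. The wildcard handling referred to by the comment at L388 lies outside the hunk, so the rest of the loop and the function tail are not shown here. The doc comment above HasVerb could also state the implication, e.g. `// HasVerb reports whether the rule grants verb; a rule granting VerbRead also satisfies VerbReadNoSecrets.`
```go
func (r *Rule) HasVerb(verb string) bool {
	for _, v := range r.Verbs {
		if v == verb {
			return true
		}
		// read implies readnosecrets, never the reverse
		if verb == VerbReadNoSecrets && v == VerbRead {
			return true
		}
		// … unchanged: rest of the loop body, outside the hunk …
```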