From e13489062d8989d078dba88cc5c6b457b31a886b Mon Sep 17 00:00:00 2001
From: Meng Han
Date: Thu, 7 Nov 2024 14:30:16 -0800
Subject: [PATCH 1/3] loosen rbac for get cert

---
 confidant/authnz/rbac.py | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/confidant/authnz/rbac.py b/confidant/authnz/rbac.py
index 707844c8..122a1a98 100644
--- a/confidant/authnz/rbac.py
+++ b/confidant/authnz/rbac.py
@@ -44,19 +44,15 @@ def default_acl(*args, **kwargs):
 if not ca_object.settings['name_regex']:
 return False
 cert_pattern = re.compile(ca_object.settings['name_regex'])
- domains = [resource_id]
- domains.extend(resource_kwargs.get('san', []))
- # Ensure the CN and every value in the SAN is allowed for this
- # user.
- for domain in domains:
- match = cert_pattern.match(domain)
- if not match:
- return False
- service_name = match.group('service_name')
- if not service_name:
- return False
- if not authnz.user_is_service(service_name):
- return False
+ domain = resource_id
+ match = cert_pattern.match(domain)
+ if not match:
+ return False
+ service_name = match.group('service_name')
+ if not service_name:
+ return False
+ if not authnz.user_is_service(service_name):
+ return False
 return True
 return False
 else:

From ae84fdc0303e5c087d9bab025f33acf3af4aaac4 Mon Sep 17 00:00:00 2001
From: Meng Han
Date: Thu, 7 Nov 2024 14:40:59 -0800
Subject: [PATCH 2/3] loosen rbac for get cert

---
 tests/unit/confidant/authnz/rbac_test.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/unit/confidant/authnz/rbac_test.py b/tests/unit/confidant/authnz/rbac_test.py
index 5b1c6256..de1fdf26 100644
--- a/tests/unit/confidant/authnz/rbac_test.py
+++ b/tests/unit/confidant/authnz/rbac_test.py
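Review bot: The new code only matches the CN in `resource_id` and never reads `resource_kwargs.get('san', ...)`, so a caller that is authorised for its own service name can now request a certificate carrying any SAN, including another service's hostname, and the ACL still returns True. If the intent is to accept SANs inside the requesting service's own namespace (patch 2 of this series expects `test-service.sub.example.com` to pass), that rule should be written as a check rather than by deleting the loop — for example keep iterating the `san` list and reject any value whose `cert_pattern` match yields a `service_name` different from the CN's — or the constraint must demonstrably be enforced by the issuing path. If SANs are deliberately left to another layer, record it in the hunk, e.g. `# NOTE: SAN values from kwargs are not validated by this ACL; confirm the CA issuing path constrains them`. default_acl continues outside the hunk on both sides.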
@@ -85,16 +85,16 @@ def test_default_acl(mocker: MockerFixture):
 kwargs={'ca': 'development'},
 ) is False
 # Test for user type is service, with certificate resource and get
- # action, with a valid CN, but an invalid SAN
+ # action, with a valid CN
 assert rbac.default_acl(
 resource_type='certificate',
 action='get',
 resource_id='test-service.example.com',
 kwargs={
 'ca': 'development',
- 'san': ['bad-service.example.com'],
+ 'san': ['test-service.sub.example.com'],
 },
- ) is False
+ ) is True
 # Test for user type is service, with certificate resource and get
 # action, with a valid CN, but a mix of valid and invalid SAN values
 assert rbac.default_acl(

From 134aadbc3d611c5656d5dd18dfe7a5e15961dcf7 Mon Sep 17 00:00:00 2001
From: Meng Han
Date: Thu, 7 Nov 2024 14:46:12 -0800
Subject: [PATCH 3/3] loosen rbac for get cert

---
 tests/unit/confidant/authnz/rbac_test.py | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/tests/unit/confidant/authnz/rbac_test.py b/tests/unit/confidant/authnz/rbac_test.py
index de1fdf26..63160682 100644
--- a/tests/unit/confidant/authnz/rbac_test.py
+++ b/tests/unit/confidant/authnz/rbac_test.py
@@ -95,20 +95,6 @@ def test_default_acl(mocker: MockerFixture):
 'san': ['test-service.sub.example.com'],
 },
 ) is True
- # Test for user type is service, with certificate resource and get
- # action, with a valid CN, but a mix of valid and invalid SAN values
- assert rbac.default_acl(
- resource_type='certificate',
- action='get',
- resource_id='test-service.example.com',
- kwargs={
- 'ca': 'development',
- 'san': [
- 'bad-service.example.com',
- 'test-service.example.com',
- ],
- },
- ) is False
 # Test for user type is service, and an allowed resource, with
 # disallowed fake action
 assert rbac.default_acl(resource_type='service', action='fake') is False
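Review bot: After patch 3 deletes the mixed valid/invalid SAN case and patch 2 flips the single-SAN case to `is True`, test_default_acl no longer asserts anything about how `san` is treated, so neither a tightening nor a further loosening of the ACL would be caught. Rather than removing the case, keep it and pin the contract the series actually establishes: with patch 1 matching only the CN, the `bad-service.example.com` SAN presumably now yields True, so either assert that with a comment such as `# SAN values are not constrained by the ACL; see rbac.default_acl` or, if a foreign-service SAN is still meant to be refused, keep `is False` and fix the ACL instead. test_default_acl begins before and continues after both hunks.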