Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

loosen rbac for get cert - avoid checking every DNS in SAN #444

Merged
merged 3 commits into from
Nov 7, 2024
Merged

loosen rbac for get cert - avoid checking every DNS in SAN #444

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e134890
loosen rbac for get cert
meng-han Nov 7, 2024
ae84fdc
loosen rbac for get cert
meng-han Nov 7, 2024
134aadb
loosen rbac for get cert
meng-han Nov 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 9 additions & 13 deletions confidant/authnz/rbac.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,19 +44,15 @@ def default_acl(*args, **kwargs):
if not ca_object.settings['name_regex']:
return False
cert_pattern = re.compile(ca_object.settings['name_regex'])
domains = [resource_id]
domains.extend(resource_kwargs.get('san', []))
# Ensure the CN and every value in the SAN is allowed for this
# user.
for domain in domains:
match = cert_pattern.match(domain)
if not match:
return False
service_name = match.group('service_name')
if not service_name:
return False
if not authnz.user_is_service(service_name):
return False
domain = resource_id
match = cert_pattern.match(domain)
if not match:
return False
service_name = match.group('service_name')
if not service_name:
return False
if not authnz.user_is_service(service_name):
return False
return True
return False
else:
Expand Down
20 changes: 3 additions & 17 deletions tests/unit/confidant/authnz/rbac_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,30 +85,16 @@ def test_default_acl(mocker: MockerFixture):
kwargs={'ca': 'development'},
) is False
# Test for user type is service, with certificate resource and get
# action, with a valid CN, but an invalid SAN
assert rbac.default_acl(
resource_type='certificate',
action='get',
resource_id='test-service.example.com',
kwargs={
'ca': 'development',
'san': ['bad-service.example.com'],
},
) is False
# Test for user type is service, with certificate resource and get
# action, with a valid CN, but a mix of valid and invalid SAN values
# action, with a valid CN
assert rbac.default_acl(
resource_type='certificate',
action='get',
resource_id='test-service.example.com',
kwargs={
'ca': 'development',
'san': [
'bad-service.example.com',
'test-service.example.com',
],
'san': ['test-service.sub.example.com'],
},
) is False
) is True
# Test for user type is service, and an allowed resource, with
# disallowed fake action
assert rbac.default_acl(resource_type='service', action='fake') is False
Expand Down
Loading