Merge pull request #2757 from cyberark/account-admin-resource

Create a resource for the account admin user

CHANGELOG.md

@@ -27,6 +27,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   successfully reading it. Conjur also now logs at the DEBUG level when it
   detects that either the directory or file do not exist.
   [cyberark/conjur#2715](https://github.com/cyberark/conjur/pull/2715)
+- Account admin roles now have a corresponding resource. This ensures that
+  access controls work as expected for this role to access itself.
+  [cyberark/conjur#2757](https://github.com/cyberark/conjur/pull/2757)
 
 ### Fixed
 - Fixed a thread-safety bug in secret retrieval when multiple threads attempt

app/models/account.rb

@@ -7,7 +7,7 @@ def find_or_create_accounts_resource
         pkey = Slosilo::Key.new
         Slosilo["authn:!"] = pkey
       end
-  
+
       role_id     = "!:!:root"
       resource_id = "!:webservice:accounts"
       (role = Role[role_id]) || Role.create(role_id: role_id)
@@ -26,17 +26,15 @@ def create(id, owner_id = nil)
 
       Role.db.transaction do
         Slosilo["authn:#{id}"] = Slosilo::Key.new
-        
+
         role_id = "#{id}:user:admin"
         admin_user = Role.create(role_id: role_id)
 
-        # Create an owner resource that will allow another user to rotate this
-        # account's API key. This is used by the CPanel to enable the accounts
-        # admin credentials to be used for API key rotation.
-        unless owner_id.nil?
-          Resource.create(resource_id: role_id, owner_id: owner_id)
-        end
-
+        # Ensure a resource record exists for the admin role so that permissions
+        # work as expected. If one isn't given, the admin will own itself.
+        owner_id ||= role_id
+        Resource.create(resource_id: role_id, owner_id: owner_id)
+
         admin_user.api_key
       end
     end

spec/controllers/roles_controller_spec.rb

@@ -6,6 +6,8 @@
 
 NONEXISTING_GROUP_URL = '/roles/rspec/group/none'
 UNPERMITTED_HOST_ID = 'rspec:host:none'
+ADMIN_HOST_ID = 'rspec:user:admin'
+ADMIN_HOST_URL = '/roles/rspec/user/admin'
 
 describe RolesController, type: :request do
   before do
@@ -76,7 +78,12 @@
     # read privilege on.
     [
       {
-        user_id: 'rspec:host:none',
+        user_id: ADMIN_HOST_ID,
+        role_url: ADMIN_HOST_URL,
+        expected_response: :not_found
+      },
+      {
+        user_id: UNPERMITTED_HOST_ID,
         role_url: '/roles/rspec/group/a',
         expected_response: :not_found
       },
@@ -109,6 +116,11 @@
   describe '#all_memberships' do
     # Test cases
     [
+      {
+        user_id: ADMIN_HOST_ID,
+        role_url: ADMIN_HOST_URL,
+        expected_response: :not_found
+      },
       {
         user_id: UNPERMITTED_HOST_ID,
         role_url: '/roles/rspec/group/d',
@@ -143,6 +155,11 @@
   describe '#direct_memberships' do
     # Test cases
     [
+      {
+        user_id: ADMIN_HOST_ID,
+        role_url: ADMIN_HOST_URL,
+        expected_response: :not_found
+      },
       {
         user_id: UNPERMITTED_HOST_ID,
         role_url: '/roles/rspec/group/d',
@@ -177,6 +194,11 @@
   describe '#members' do
     # Test cases
     [
+      {
+        user_id: ADMIN_HOST_ID,
+        role_url: ADMIN_HOST_URL,
+        expected_response: :not_found
+      },
       {
         user_id: UNPERMITTED_HOST_ID,
         role_url: '/roles/rspec/group/a',
@@ -211,6 +233,11 @@
   describe '#graph' do
     # Test cases
     [
+      {
+        user_id: ADMIN_HOST_ID,
+        role_url: ADMIN_HOST_URL,
+        expected_response: :not_found
+      },
       {
         user_id: UNPERMITTED_HOST_ID,
         role_url: '/roles/rspec/group/c',