From 26e689d9f1b7162906fa70c5ba342bc4b35e37c0 Mon Sep 17 00:00:00 2001 From: Micah Lee Date: Thu, 23 Mar 2023 16:17:18 -0400 Subject: [PATCH] Create a resource for the admin user An owner may be assigned, or it may be self-owned. --- CHANGELOG.md | 3 +++ app/models/account.rb | 16 ++++++------- spec/controllers/roles_controller_spec.rb | 29 ++++++++++++++++++++++- 3 files changed, 38 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5c31feb68..1410f7e347 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. successfully reading it. Conjur also now logs at the DEBUG level when it detects that either the directory or file do not exist. [cyberark/conjur#2715](https://github.com/cyberark/conjur/pull/2715) +- Account admin roles now have a corresponding resource. This ensures that + access controls work as expected for this role to access itself. + [cyberark/conjur#2757](https://github.com/cyberark/conjur/pull/2757) ### Fixed - Fixed a thread-safety bug in secret retrieval when multiple threads attempt diff --git a/app/models/account.rb b/app/models/account.rb index 9eaffab070..7daf1ddb11 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -7,7 +7,7 @@ def find_or_create_accounts_resource pkey = Slosilo::Key.new Slosilo["authn:!"] = pkey end - + role_id = "!:!:root" resource_id = "!:webservice:accounts" (role = Role[role_id]) || Role.create(role_id: role_id) 
@@ -26,17 +26,15 @@ def create(id, owner_id = nil) Role.db.transaction do Slosilo["authn:#{id}"] = Slosilo::Key.new - + role_id = "#{id}:user:admin" admin_user = Role.create(role_id: role_id) - # Create an owner resource that will allow another user to rotate this - # account's API key. This is used by the CPanel to enable the accounts - # admin credentials to be used for API key rotation. - unless owner_id.nil? - Resource.create(resource_id: role_id, owner_id: owner_id) - end - + # Ensure a resource record exists for the admin role so that permissions + # work as expected. If one isn't given, the admin will own itself. + owner_id ||= role_id + Resource.create(resource_id: role_id, owner_id: owner_id) + admin_user.api_key end end diff --git a/spec/controllers/roles_controller_spec.rb b/spec/controllers/roles_controller_spec.rb index 6e972e9d9a..17bbce994f 100644 --- a/spec/controllers/roles_controller_spec.rb +++ b/spec/controllers/roles_controller_spec.rb @@ -6,6 +6,8 @@ NONEXISTING_GROUP_URL = '/roles/rspec/group/none' UNPERMITTED_HOST_ID = 'rspec:host:none' +ADMIN_HOST_ID = 'rspec:user:admin' +ADMIN_HOST_URL = '/roles/rspec/user/admin' describe RolesController, type: :request do before do @@ -76,7 +78,12 @@ # read privilege on. [ { - user_id: 'rspec:host:none', + user_id: ADMIN_HOST_ID, + role_url: ADMIN_HOST_URL, + expected_response: :not_found + }, + { + user_id: UNPERMITTED_HOST_ID, role_url: '/roles/rspec/group/a', expected_response: :not_found }, @@ -109,6 +116,11 @@ describe '#all_memberships' do # Test cases [ + { + user_id: ADMIN_HOST_ID, + role_url: ADMIN_HOST_URL, + expected_response: :not_found + }, { user_id: UNPERMITTED_HOST_ID, role_url: '/roles/rspec/group/d', @@ -143,6 +155,11 @@ describe '#direct_memberships' do # Test cases [ + { + user_id: ADMIN_HOST_ID, + role_url: ADMIN_HOST_URL, + expected_response: :not_found + }, { user_id: UNPERMITTED_HOST_ID, role_url: '/roles/rspec/group/d', 
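Review bot: The rewritten owner handling in `create` now turns any non-nil `owner_id` into the owner of the account admin's resource without checking that it names an existing role, so a caller-supplied id that does not resolve to a `Role` either fails at `Resource.create` inside the transaction or, depending on constraints in the `Resource` model that are not visible here, leaves the admin owned by a role nobody holds; whether `Role[owner_id]` should be asserted before the create depends on whether the schema enforces that foreign key. The deleted comment also carried the one security-relevant fact about this record — that whoever owns it can rotate the admin's API key — and the replacement comment no longer says so; I would keep that in the new comment: `# Whoever owns this resource can rotate the admin's API key, so a caller-supplied owner_id grants that role full control of the account admin.` Note too that `owner_id ||= role_id` only substitutes for `nil`; an empty string is truthy in Ruby and is passed through as the owner, exactly as the old `unless owner_id.nil?` guard did, so if callers can pass `""` the line should be `owner_id = role_id if owner_id.to_s.empty?`. The enclosing `create` method's signature and `Role.db.transaction` block begin in the hunk but the method's callers are outside it.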
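Review bot: The new spec cases expect `:not_found` when the admin role (`ADMIN_HOST_ID`) requests its own role URL, which reads as the opposite of what this commit's CHANGELOG entry claims (the admin resource exists so the role can access itself); either the request spec's `before` block, which is outside these hunks, does not create the account through `Account.create` and so no resource exists for that role, or the expectation is wrong, and a comment on the case should say which. If the former is the reason, I would add above the first such case: `# The fixture does not go through Account.create, so the admin role has no resource and reads of itself are not found.` The same hash is repeated verbatim in the `#all_memberships`, `#direct_memberships`, `#members` and `#graph` hunks and could be a single frozen constant next to the ids. Separately, the constants in the first hunk are named `ADMIN_HOST_ID`/`ADMIN_HOST_URL` for a `rspec:user:admin` role, so `ADMIN_USER_ID`/`ADMIN_USER_URL` would match the id they hold.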
@@ -177,6 +194,11 @@ describe '#members' do # Test cases [ + { + user_id: ADMIN_HOST_ID, + role_url: ADMIN_HOST_URL, + expected_response: :not_found + }, { user_id: UNPERMITTED_HOST_ID, role_url: '/roles/rspec/group/a', @@ -211,6 +233,11 @@ describe '#graph' do # Test cases [ + { + user_id: ADMIN_HOST_ID, + role_url: ADMIN_HOST_URL, + expected_response: :not_found + }, { user_id: UNPERMITTED_HOST_ID, role_url: '/roles/rspec/group/c',