auth: give sys admin same rights as default admin

we currently give the sys admin less rights as the default admin, this causes the sys admin not to be able to distinguish between a resource not existing and not having access to it Change-Id: Idee45cd858fb95421eedbc1d61d0226a3b37d350
vmware-archive · Jan 26, 2017 · eeb2ebb · eeb2ebb
1 parent a05f3dc
commit eeb2ebb
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 9 deletions.
diff --git a/...tend/src/main/java/com/vmware/photon/controller/api/frontend/auth/AuthPolicyProvider.java b/...tend/src/main/java/com/vmware/photon/controller/api/frontend/auth/AuthPolicyProvider.java
@@ -16,11 +16,13 @@
 import com.vmware.identity.openidconnect.client.ResourceServerAccessToken;
 import com.vmware.photon.controller.api.frontend.auth.fetcher.Multiplexed;
 import com.vmware.photon.controller.api.frontend.auth.fetcher.SecurityGroupFetcher;
+import com.vmware.photon.controller.api.frontend.clients.DeploymentFeClient;
 import com.vmware.photon.controller.api.frontend.config.AuthConfig;
 import com.vmware.photon.controller.api.frontend.exceptions.external.ErrorCode;
 import com.vmware.photon.controller.api.frontend.exceptions.external.ExternalException;
 import com.vmware.photon.controller.api.frontend.resources.routes.AuthRoutes;
 import com.vmware.photon.controller.api.frontend.resources.routes.AvailableRoutes;
+import com.vmware.photon.controller.api.model.Deployment;
 
 import com.google.inject.Inject;
 import org.glassfish.jersey.server.ContainerRequest;
@@ -63,12 +65,16 @@ public class AuthPolicyProvider implements PolicyProvider {
 
   private final String defaultAdminGroup;
 
+  private final DeploymentFeClient deployerClient;
+
   @Inject
   public AuthPolicyProvider(TransactionAuthorizationObjectResolver resolver,
                             @Multiplexed SecurityGroupFetcher fetcher,
-                            AuthConfig config) {
+                            AuthConfig config,
+                            DeploymentFeClient deploymentClient) {
     this.resolver = resolver;
     this.fetcher = fetcher;
+    this.deployerClient = deploymentClient;
     this.defaultAdminGroup = config.getAuthDomain() + DEFAULT_ADMIN_GROUP_NAME;
   }
 
@@ -130,6 +136,15 @@ public void checkAccessPermissions(ContainerRequest request, ResourceServerAcces
     Set<String> intersectionGroup = new HashSet<>(groups);
     intersectionGroup.add(this.defaultAdminGroup);
 
+    // This will give the system admin the same privileges as the default
+    // admin group, otherwise the system admin will get ACCESS_FORBIDDEN
+    // if a resource does not exist.
+    for (Deployment deployment : deployerClient.getAll()) {
+      if (deployment.getAuth() != null && deployment.getAuth().getSecurityGroups() != null) {
+        intersectionGroup.addAll(deployment.getAuth().getSecurityGroups());
+      }
+    }
+
     // Perform request and token group intersection, deny if empty.
     intersectionGroup.retainAll(tokenGroups);
     if (intersectionGroup.isEmpty()) {

diff --git a/...frontend/src/test/java/com/vmware/photon/controller/api/frontend/auth/AuthFilterTest.java b/...frontend/src/test/java/com/vmware/photon/controller/api/frontend/auth/AuthFilterTest.java
@@ -15,6 +15,7 @@
 
 import com.vmware.identity.openidconnect.client.ResourceServerAccessToken;
 import com.vmware.photon.controller.api.frontend.auth.fetcher.MultiplexedSecurityGroupFetcher;
+import com.vmware.photon.controller.api.frontend.clients.DeploymentFeClient;
 import com.vmware.photon.controller.api.frontend.config.AuthConfig;
 import com.vmware.photon.controller.api.frontend.exceptions.external.ErrorCode;
 import com.vmware.photon.controller.api.frontend.exceptions.external.ExternalException;
@@ -71,7 +72,8 @@ private void setUp() {
     AuthPolicyProvider provider = new AuthPolicyProvider(
         mock(TransactionAuthorizationObjectResolver.class),
         mock(MultiplexedSecurityGroupFetcher.class),
-        new AuthConfig());
+        new AuthConfig(),
+        mock(DeploymentFeClient.class));
     subject = new AuthFilter(config, provider);
   }
 

diff --git a/.../src/test/java/com/vmware/photon/controller/api/frontend/auth/AuthPolicyProviderTest.java b/.../src/test/java/com/vmware/photon/controller/api/frontend/auth/AuthPolicyProviderTest.java
@@ -16,6 +16,7 @@
 import com.vmware.identity.openidconnect.client.ResourceServerAccessToken;
 import com.vmware.photon.controller.api.frontend.auth.fetcher.MultiplexedSecurityGroupFetcher;
 import com.vmware.photon.controller.api.frontend.auth.fetcher.SecurityGroupFetcher;
+import com.vmware.photon.controller.api.frontend.clients.DeploymentFeClient;
 import com.vmware.photon.controller.api.frontend.config.AuthConfig;
 import com.vmware.photon.controller.api.frontend.exceptions.external.ExternalException;
 import com.vmware.photon.controller.api.frontend.helpers.JerseyPropertiesDelegate;
@@ -69,7 +70,8 @@ public void setUpCommon() {
 
     config = new AuthConfig();
     config.setAuthDomain("esxcloud");
-    policyProvider = new AuthPolicyProvider(resolver, fetcher, config);
+    policyProvider = new AuthPolicyProvider(resolver, fetcher, config,
+        mock(DeploymentFeClient.class));
   }
 
   /**

diff --git a/tests/integration_tests/spec/support/api_routes_helper.rb b/tests/integration_tests/spec/support/api_routes_helper.rb
@@ -79,10 +79,10 @@ def self.auth_routes
 
     def self.clusters_routes(id = SecureRandom.uuid)
       [
-        EsxCloud::ApiRoute.new(:get, "/clusters/#{id}", 404, 403, 403, 403, 403),
-        EsxCloud::ApiRoute.new(:post, "/clusters/#{id}/resize", 400, 403, 403, 403, 403),
-        EsxCloud::ApiRoute.new(:get, "/clusters/#{id}/vms", 404, 403, 403, 403, 403),
-        EsxCloud::ApiRoute.new(:delete, "/clusters/#{id}", 404, 403, 403, 403, 403)
+        EsxCloud::ApiRoute.new(:get, "/clusters/#{id}", 404, 404, 403, 403, 403),
+        EsxCloud::ApiRoute.new(:post, "/clusters/#{id}/resize", 400, 400, 403, 403, 403),
+        EsxCloud::ApiRoute.new(:get, "/clusters/#{id}/vms", 404, 404, 403, 403, 403),
+        EsxCloud::ApiRoute.new(:delete, "/clusters/#{id}", 404, 404, 403, 403, 403)
       ]
     end
 
@@ -193,8 +193,8 @@ def self.projects_routes_with_virtual_networks_routes(id = SecureRandom.uuid)
 
     def self.resource_tickets_routes(id = SecureRandom.uuid)
       [
-        EsxCloud::ApiRoute.new(:get, "/resource-tickets/#{id}", 404, 403, 403, 403, 403),
-        EsxCloud::ApiRoute.new(:get, "/resource-tickets/#{id}/tasks", 404, 403, 403, 403, 403)
+        EsxCloud::ApiRoute.new(:get, "/resource-tickets/#{id}", 404, 404, 403, 403, 403),
+        EsxCloud::ApiRoute.new(:get, "/resource-tickets/#{id}/tasks", 404, 404, 403, 403, 403)
       ]
     end