[v17] temporarily remove app label checker for `saml_idp_service_prov…
…ider` resources (#48023)

* temporarily remove app label checker for saml_idp_service_provider resources

* add todo for role V8, update test to accommodate default implicit RO rule
flyinghermit authored and rosstimothy committed Nov 4, 2024
1 parent 339d7c7 commit d5299e7
Showing 2 changed files with 248 additions and 313 deletions.
80 changes: 8 additions & 72 deletions lib/auth/auth_with_roles.go
Expand Up @@ -1263,6 +1263,12 @@ func (c *resourceAccess) checkAccess(resource types.ResourceWithLabels, filter s
return false, nil
}

// KindSAMLIdPServiceProvider does not support label matcher
// TODO(sshah): remove this exclusion once we introduce role V8.
if resourceKind == types.KindSAMLIdPServiceProvider {
return true, nil
}

// check access normally if base checker doesnt exist
if c.baseAuthChecker == nil {
if err := c.accessChecker.CanAccess(resource); err != nil {
Expand Down Expand Up @@ -6773,38 +6779,13 @@ func (a *ServerWithRoles) ListReleases(ctx context.Context) ([]*types.Release, e
return a.authServer.releaseService.ListReleases(ctx)
}

// TODO(sshah): set MFARequired for SAML IdP admin actions?
func (a *ServerWithRoles) checkAccessToSAMLIdPServiceProvider(sp types.SAMLIdPServiceProvider) error {
return a.context.Checker.CheckAccess(
sp,
// MFA is not required for operations on SAML resources but
// will be enforced at the connection time.
services.AccessState{})
}

// ListSAMLIdPServiceProviders returns a paginated list of SAML IdP service provider resources.
func (a *ServerWithRoles) ListSAMLIdPServiceProviders(ctx context.Context, pageSize int, nextToken string) ([]types.SAMLIdPServiceProvider, string, error) {
if err := a.action(apidefaults.Namespace, types.KindSAMLIdPServiceProvider, types.VerbList); err != nil {
return nil, "", trace.Wrap(err)
}

sps, nextKey, err := a.authServer.ListSAMLIdPServiceProviders(ctx, pageSize, nextToken)
if err != nil {
return nil, "", trace.Wrap(err)
}

// Filter out service providers the caller doesn't have access to.
var filtered []types.SAMLIdPServiceProvider
for _, sp := range sps {
err := a.checkAccessToSAMLIdPServiceProvider(sp)
if err != nil && !trace.IsAccessDenied(err) {
return nil, "", trace.Wrap(err)
} else if err == nil {
filtered = append(filtered, sp)
}

}
return filtered, nextKey, nil
return a.authServer.ListSAMLIdPServiceProviders(ctx, pageSize, nextToken)
}

// GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resources.
Expand All @@ -6813,16 +6794,7 @@ func (a *ServerWithRoles) GetSAMLIdPServiceProvider(ctx context.Context, name st
return nil, trace.Wrap(err)
}

sp, err := a.authServer.GetSAMLIdPServiceProvider(ctx, name)
if err != nil {
return nil, trace.Wrap(err)
}

if err = a.checkAccessToSAMLIdPServiceProvider(sp); err != nil {
return nil, trace.Wrap(err)
}

return sp, nil
return a.authServer.GetSAMLIdPServiceProvider(ctx, name)
}

// CreateSAMLIdPServiceProvider creates a new SAML IdP service provider resource.
Expand Down Expand Up @@ -6860,10 +6832,6 @@ func (a *ServerWithRoles) CreateSAMLIdPServiceProvider(ctx context.Context, sp t
return trace.Wrap(err)
}

if err = a.checkAccessToSAMLIdPServiceProvider(sp); err != nil {
return trace.Wrap(err)
}

if err := services.ValidateSAMLIdPACSURLAndRelayStateInputs(sp); err != nil {
return trace.Wrap(err)
}
Expand Down Expand Up @@ -6913,17 +6881,6 @@ func (a *ServerWithRoles) UpdateSAMLIdPServiceProvider(ctx context.Context, sp t
return trace.Wrap(err)
}

existingSP, err := a.authServer.GetSAMLIdPServiceProvider(ctx, sp.GetName())
if err != nil {
return trace.Wrap(err)
}
if err = a.checkAccessToSAMLIdPServiceProvider(existingSP); err != nil {
return trace.Wrap(err)
}
if err = a.checkAccessToSAMLIdPServiceProvider(sp); err != nil {
return trace.Wrap(err)
}

if err := services.ValidateSAMLIdPACSURLAndRelayStateInputs(sp); err != nil {
return trace.Wrap(err)
}
Expand Down Expand Up @@ -6984,10 +6941,6 @@ func (a *ServerWithRoles) DeleteSAMLIdPServiceProvider(ctx context.Context, name
return trace.Wrap(err)
}

if err = a.checkAccessToSAMLIdPServiceProvider(sp); err != nil {
return trace.Wrap(err)
}

name = sp.GetName()
entityID = sp.GetEntityID()

Expand Down Expand Up @@ -7026,23 +6979,6 @@ func (a *ServerWithRoles) DeleteAllSAMLIdPServiceProviders(ctx context.Context)
return trace.Wrap(err)
}

var startKey string
for {
sps, nextKey, err := a.authServer.ListSAMLIdPServiceProviders(ctx, apidefaults.DefaultChunkSize, startKey)
if err != nil {
return trace.Wrap(err)
}
for _, sp := range sps {
if err := a.checkAccessToSAMLIdPServiceProvider(sp); err != nil {
return trace.Wrap(err)
}
}
if nextKey == "" {
break
}
startKey = nextKey
}

err = a.authServer.DeleteAllSAMLIdPServiceProviders(ctx)
return trace.Wrap(err)
}
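Review bot: The early return added to checkAccess in the first hunk (`if resourceKind == types.KindSAMLIdPServiceProvider { return true, nil }`) fires before both the baseAuthChecker branch and accessChecker.CanAccess, so for this kind the role's label matchers, allow and deny alike, no longer take part in the decision and only whatever check precedes it gates visibility (that earlier condition and the start of checkAccess are outside the hunk). The comment should state that consequence rather than only "does not support label matcher", e.g. `// KindSAMLIdPServiceProvider does not support label matchers; access is granted here on the preceding verb check alone, bypassing baseAuthChecker and CanAccess.` followed by the existing TODO line. The same widening applies to Get/Create/Update/Delete/DeleteAll SAMLIdPServiceProvider in the later hunks where the checkAccessToSAMLIdPServiceProvider call was dropped, so a role that previously scoped these resources by app labels now reaches all of them on the verb alone; a test in this package pinning that interim behaviour (the description mentions a test update, but it is not in this file) would keep the change auditable until role V8 restores the matcher.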
