Merge pull request gravitational#1278 from gravitational/rjones/readn…

…osecrets Read No Secrets
klizhentas · Sep 8, 2017 · 6d345b5 · 6d345b5
2 parents 01295fe + 294f835
commit 6d345b5
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 19 deletions.
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -113,23 +113,24 @@ func (a *AuthWithRoles) GetCertAuthorities(caType services.CertAuthType, loadKey
 	if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbList); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
+	if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbReadNoSecrets); err != nil {
 		return nil, trace.Wrap(err)
 	}
 	if loadKeys {
-		if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbUpdate); err != nil {
+		if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
 			return nil, trace.Wrap(err)
 		}
 	}
+
 	return a.authServer.GetCertAuthorities(caType, loadKeys)
 }
 
 func (a *AuthWithRoles) GetCertAuthority(id services.CertAuthID, loadKeys bool) (services.CertAuthority, error) {
-	if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
+	if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbReadNoSecrets); err != nil {
 		return nil, trace.Wrap(err)
 	}
 	if loadKeys {
-		if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbUpdate); err != nil {
+		if err := a.action(defaults.Namespace, services.KindCertAuthority, services.VerbRead); err != nil {
 			return nil, trace.Wrap(err)
 		}
 	}
@@ -524,11 +525,11 @@ func (a *AuthWithRoles) UpsertOIDCConnector(connector services.OIDCConnector) er
 }
 
 func (a *AuthWithRoles) GetOIDCConnector(id string, withSecrets bool) (services.OIDCConnector, error) {
-	if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
+	if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbReadNoSecrets); err != nil {
 		return nil, trace.Wrap(err)
 	}
 	if withSecrets {
-		if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbUpdate); err != nil {
+		if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
 			return nil, trace.Wrap(err)
 		}
 	}
@@ -539,11 +540,11 @@ func (a *AuthWithRoles) GetOIDCConnectors(withSecrets bool) ([]services.OIDCConn
 	if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbList); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
+	if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbReadNoSecrets); err != nil {
 		return nil, trace.Wrap(err)
 	}
 	if withSecrets {
-		if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbUpdate); err != nil {
+		if err := a.authConnectorAction(defaults.Namespace, services.KindOIDC, services.VerbRead); err != nil {
 			return nil, trace.Wrap(err)
 		}
 	}
@@ -587,11 +588,11 @@ func (a *AuthWithRoles) UpsertSAMLConnector(connector services.SAMLConnector) er
 }
 
 func (a *AuthWithRoles) GetSAMLConnector(id string, withSecrets bool) (services.SAMLConnector, error) {
-	if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
+	if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbReadNoSecrets); err != nil {
 		return nil, trace.Wrap(err)
 	}
 	if withSecrets {
-		if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbUpdate); err != nil {
+		if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
 			return nil, trace.Wrap(err)
 		}
 	}
@@ -602,13 +603,12 @@ func (a *AuthWithRoles) GetSAMLConnectors(withSecrets bool) ([]services.SAMLConn
 	if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbList); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
+	if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbReadNoSecrets); err != nil {
 		return nil, trace.Wrap(err)
 	}
 	if withSecrets {
-		if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbUpdate); err != nil {
+		if err := a.authConnectorAction(defaults.Namespace, services.KindSAML, services.VerbRead); err != nil {
 			return nil, trace.Wrap(err)
-
 		}
 	}
 	return a.authServer.Identity.GetSAMLConnectors(withSecrets)

diff --git a/lib/auth/permissions.go b/lib/auth/permissions.go
@@ -170,7 +170,7 @@ func GetCheckerForBuiltinRole(role teleport.Role) (services.AccessChecker, error
 						services.NewRule(services.KindSSHSession, services.RW()),
 						services.NewRule(services.KindEvent, services.RW()),
 						services.NewRule(services.KindProxy, services.RO()),
-						services.NewRule(services.KindCertAuthority, services.RO()),
+						services.NewRule(services.KindCertAuthority, services.ReadNoSecrets()),
 						services.NewRule(services.KindUser, services.RO()),
 						services.NewRule(services.KindNamespace, services.RO()),
 						services.NewRule(services.KindRole, services.RO()),
@@ -192,13 +192,13 @@ func GetCheckerForBuiltinRole(role teleport.Role) (services.AccessChecker, error
 						services.NewRule(services.KindSession, services.RO()),
 						services.NewRule(services.KindEvent, services.RW()),
 						services.NewRule(services.KindSAMLRequest, services.RW()),
-						services.NewRule(services.KindOIDC, services.RO()),
-						services.NewRule(services.KindSAML, services.RO()),
+						services.NewRule(services.KindOIDC, services.ReadNoSecrets()),
+						services.NewRule(services.KindSAML, services.ReadNoSecrets()),
 						services.NewRule(services.KindNamespace, services.RO()),
 						services.NewRule(services.KindNode, services.RO()),
 						services.NewRule(services.KindAuthServer, services.RO()),
 						services.NewRule(services.KindReverseTunnel, services.RO()),
-						services.NewRule(services.KindCertAuthority, services.RO()),
+						services.NewRule(services.KindCertAuthority, services.ReadNoSecrets()),
 						services.NewRule(services.KindUser, services.RO()),
 						services.NewRule(services.KindRole, services.RO()),
 						services.NewRule(services.KindClusterAuthPreference, services.RO()),

diff --git a/lib/services/resource.go b/lib/services/resource.go
@@ -155,6 +155,9 @@ const (
 	// VerbRead is used to read a single object.
 	VerbRead = "read"
 
+	// VerbReadNoSecrets is used to read a single object without secrets.
+	VerbReadNoSecrets = "readnosecrets"
+
 	// VerbUpdate is used to update an object.
 	VerbUpdate = "update"
 

diff --git a/lib/services/role.go b/lib/services/role.go
@@ -746,6 +746,14 @@ func (r *Rule) ProcessActions(parser predicate.Parser) error {
 // this method also matches wildcard
 func (r *Rule) HasVerb(verb string) bool {
 	for _, v := range r.Verbs {
+		// readnosecrets can be satisfied by having readnosecrets or read
+		if verb == VerbReadNoSecrets {
+			if v == VerbReadNoSecrets || v == VerbRead {
+				return true
+			}
+			continue
+		}
+
 		if v == verb {
 			return true
 		}
@@ -1060,7 +1068,7 @@ func (r *RoleV2) V3() *RoleV3 {
 			verbs = RO()
 		} else if containsWrite {
 			// in RoleV2 ActionWrite implied the ability to read secrets.
-			verbs = []string{VerbCreate, VerbUpdate, VerbDelete}
+			verbs = []string{VerbCreate, VerbRead, VerbUpdate, VerbDelete}
 		}
 
 		rules = append(rules, NewRule(resource, verbs))
@@ -1136,11 +1144,17 @@ func RW() []string {
 	return []string{VerbConnect, VerbList, VerbCreate, VerbRead, VerbUpdate, VerbDelete}
 }
 
-// RO is a shortcut that returns read only verbs.
+// RO is a shortcut that returns read only verbs that provide access to secrets.
 func RO() []string {
 	return []string{VerbList, VerbRead}
 }
 
+// ReadNoSecrets is a shortcut that returns read only verbs that do not
+// provide access to secrets.
+func ReadNoSecrets() []string {
+	return []string{VerbList, VerbReadNoSecrets}
+}
+
 // NewRole constructs new standard role
 func NewRole(name string, spec RoleSpecV3) (Role, error) {
 	role := RoleV3{