

Related-Bug: #1544947
Currently Contrail WebUI checks for admin only role for all
projects assigned to a user at login time.

Instead of checking all projects at login time, only check the assigned project for admin only
role and disallow login if user doesn't have admin only role in the assigned project.

RBAC is not supported by Contrail WebUI; member-only projects cannot be used with Contrail UI.

At time of login, catalog response may contain high number of endpoints. Discard this data.

Change-Id: I33c7370c4918f4bf1238bdb8c81ac3ddf8d4790b
biswajit-mandal committed Feb 12, 2016
1 parent 1135951 commit 7c4809b
Showing 13 changed files with 474 additions and 138 deletions.
27 changes: 25 additions & 2 deletions src/serverroot/common/auth.api.js
Expand Up @@ -139,9 +139,22 @@ function getServiceCatalog (req, callback)
});
}

function getUIUserRoleByTenant (userObj, callback)
{
var req = userObj['req'];
return getAuthMethod[req.session.loggedInOrchestrationMode].getUIUserRoleByTenant(userObj,
callback);
}

function getUIRolesByExtRoles (req, extRoles)
{
return getAuthMethod[req.session.loggedInOrchestrationMode].getUserRoleByAuthResponse(extRoles);
return getAuthMethod[req.session.loggedInOrchestrationMode].getUIRolesByExtRoles(extRoles);
}

function getExtUserRoleByTenant (userObj, callback)
{
var req = userObj['req'];
return getAuthMethod[req.session.loggedInOrchestrationMode].getExtUserRoleByTenant(userObj, callback);
}

function getCookieObjs (req, appData, callback)
Expand All @@ -166,6 +179,13 @@ function getUserAuthDataByConfigAuthObj (loggedInOrchestrationMode, authObj, cal
callback);
}

function getDomainNameByUUID (request, uuid, domList)
{
return getAuthMethod[request.session.loggedInOrchestrationMode].getDomainNameByUUID(request,
uuid,
domList);
}

exports.doAuthenticate = doAuthenticate;
exports.getTenantList = getTenantList;
exports.getTokenObj = getTokenObj;
Expand All @@ -178,9 +198,12 @@ exports.getDomainList = getDomainList;
exports.getProjectList = getProjectList;
exports.isDefaultDomain = isDefaultDomain;
exports.getNewTokenObjByToken = getNewTokenObjByToken;
exports.getUIRolesByExtRoles = getUIRolesByExtRoles;
exports.getDefaultDomain = getDefaultDomain;
exports.getCookieObjs = getCookieObjs;
exports.getSessionExpiryTime = getSessionExpiryTime;
exports.getUserAuthDataByConfigAuthObj = getUserAuthDataByConfigAuthObj;
exports.getExtUserRoleByTenant = getExtUserRoleByTenant;
exports.getDomainNameByUUID = getDomainNameByUUID;
exports.getUIUserRoleByTenant = getUIUserRoleByTenant;
exports.getUIRolesByExtRoles = getUIRolesByExtRoles;
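Review bot: `getUIUserRoleByTenant` and `getExtUserRoleByTenant` in the first hunk of this section dereference `userObj['req']` and then `req.session.loggedInOrchestrationMode` with no guard, so a missing `userObj`, `req` or session throws a TypeError in the dispatcher before the per-orchestration implementation (which does check `null == userObj.req`) is reached. Failing closed to the least-privileged role is safer than throwing, e.g. `if ((null == userObj) || (null == userObj.req) || (null == userObj.req.session)) { callback(null, [global.STR_ROLE_USER]); return; }` at the top of `getUIUserRoleByTenant`, with the equivalent `{'roles': [{'name': 'Member'}]}` default in `getExtUserRoleByTenant`. In the last hunk `exports.getUIRolesByExtRoles` is assigned twice (L68 and L76); the later assignment is redundant and one of them should be dropped.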

57 changes: 42 additions & 15 deletions src/serverroot/common/configServer.utils.js
Expand Up @@ -96,21 +96,14 @@ function getTenantListAndSyncDomain (request, appData, callback)
if ((null != domId) && (false == authApi.isDefaultDomain(request, domId))) {
domId =
commonUtils.convertUUIDToString(tenantList['tenants'][i]['domain_id']);
if ((null != domain) && (domId != domain)) {
tenantList['tenants'].splice(i, 1);
i--;
projCnt--;
continue;
}
}
if ((null != domId) && (null == tmpDomainObjs[domId])) {
domainObjs['domains'].push({'fq_name': [domId], 'uuid': domId});
tmpDomainObjs[domId] = domId;
if (false == authApi.isDefaultDomain(request, domId)) {
var domUrl = '/domain/' + domId;
commonUtils.createReqObj(domArr, domUrl,
global.HTTP_REQUEST_GET, null,
null, null, appData);
if (null == tmpDomainObjs[domId]) {
tmpDomainObjs[domId] = domId;
if (false == authApi.isDefaultDomain(request, domId)) {
var domUrl = '/domain/' + domId;
commonUtils.createReqObj(domArr, domUrl,
global.HTTP_REQUEST_GET, null,
null, null, appData);
}
}
}
}
Expand All @@ -120,9 +113,43 @@ function getTenantListAndSyncDomain (request, appData, callback)
function(err, confData) {
getDomainsFromApiServer(appData, function(err, domList) {
if ((null != err) || (null == domList) || (null == domList['domains'])) {
/* We did not find any domain in API Server */
if ('v3' == request.session.authApiVersion) {
/* In v2, we have default-domain for all projects */
tenantList['tenants'] = [];
}
callback(null, domainObjs, tenantList, domList);
return;
}
tmpDomainObjs = {};
for (var i = 0; i < projCnt; i++) {
var domId = tenantList['tenants'][i]['domain_id'];
if ((null != domId) &&
(false == authApi.isDefaultDomain(request, domId))) {
domId =
commonUtils.convertUUIDToString(tenantList['tenants'][i]['domain_id']);
var domFqn = authApi.getDomainNameByUUID(request, domId,
domList['domains']);
if ((null == tmpDomainObjs[domId]) && (null != domFqn)) {
domainObjs['domains'].push({'fq_name': [domFqn], 'uuid': domId});
tmpDomainObjs[domId] = domId;
}
if ((null != domain) && (domFqn != domain)) {
tenantList['tenants'].splice(i, 1);
i--;
projCnt--;
} else {
tenantList['tenants'][i]['domain_name'] = domFqn;
}
} else {
var defDomain = authApi.getDefaultDomain(request);
if (null == tmpDomainObjs[domId]) {
domainObjs['domains'].push({'fq_name': [defDomain], 'uuid': domId});
tmpDomainObjs[domId] = domId;
}
tenantList['tenants'][i]['domain_name'] = defDomain;
}
}
var allDomList = domList['domains'];
var allDomCnt = allDomList.length;
var domCnt = domainObjs['domains'].length;
Expand Down
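Review bot: In the second hunk the `else` branch at L141-148 runs not only for the default domain but also whenever `domain_id` is absent (the `null != domId` test at L124 fails), so the pushed entry is `{'fq_name': [defDomain], 'uuid': null}` and `tmpDomainObjs` is keyed by the string "null"; if v2 tenants genuinely carry no `domain_id` that is presumably intended, but a comment such as `/* no domain_id (v2) or the default domain: attribute the tenant to the default domain */` would make it explicit. Separately, when `getDomainNameByUUID` returns null for a non-default `domId` and no `domain` filter is set, the tenant is kept with `domain_name = null` (L139) instead of being dropped; if unresolved domains should not be listed, the filter could read `if ((null == domFqn) || ((null != domain) && (domFqn != domain))) {`. `projCnt` and `domain` are set outside the hunk, and getTenantListAndSyncDomain continues past it.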
Expand Up @@ -51,12 +51,53 @@ function getUserRoleByAuthResponse (cloudStackUserLoginResp)
{
var userType = cloudStackUserLoginResp['loginresponse']['type'];
if (CLOUDSTACK_USER_TYPE_ADMIN == userType) {
return global.STR_ROLE_ADMIN;
return [global.STR_ROLE_ADMIN];
} else {
global.STR_ROLE_USER;
return [global.STR_ROLE_USER];
}
}

function getUIUserRoleByTenant (userObj, callback)
{
var userRoles = [global.STR_ROLE_USER];
if ((null == userObj) || (null == userObj.req)) {
callback(null, userRoles);
return;
}
userRoles =
commonUtils.getValueByJsonPath(userObj.req,
'session;userRole',
[global.STR_ROLE_USER]);
callback(null, userRoles);
}

function getUIRolesByExtRoles (extRoles)
{
var roles = [];
if ((null == extRoles) || (!extRoles.length)) {
return [global.STR_ROLE_USER];
}
var roleCnt = extRoles.length;
for (var i = 0; i < roleCnt; i++) {
roles.push(extRoles[i]['name']);
}
if (-1 != roles.indexOf('admin')) {
return [global.STR_ROLE_ADMIN];
}
return [global.STR_ROLE_USER];
}

function getExtUserRoleByTenant (userObj, callback)
{
getUIUserRoleByTenant(userObj, function(uiRoles) {
if (-1 != uiRoles.indexOf(global.STR_ROLE_ADMIN)) {
callback(null, {'roles': [{'name': 'admin'}]});
return;
}
callback(null, {'roles': [{'name': 'Member'}]});
});
}

function getUsers (req, callback)
{
var postData = {};
Expand Down Expand Up @@ -203,4 +244,7 @@ exports.formatTenantList = formatTenantList;
exports.getProjectList = getProjectList;
exports.getSessionExpiryTime = getSessionExpiryTime;
exports.getUserAuthDataByConfigAuthObj = getUserAuthDataByConfigAuthObj;
exports.getUIUserRoleByTenant = getUIUserRoleByTenant;
exports.getExtUserRoleByTenant = getExtUserRoleByTenant;
exports.getUIRolesByExtRoles = getUIRolesByExtRoles;
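Review bot: `getExtUserRoleByTenant` at L196-205 passes a one-argument callback to `getUIUserRoleByTenant`, but that function always invokes `callback(null, userRoles)` (L170, L177), so `uiRoles` is bound to the `null` error slot and `uiRoles.indexOf` throws a TypeError on every call; the callback should be declared `function(err, uiRoles) {`. The identical copy in the next file section (L244-253) has the same defect. In `getUIRolesByExtRoles` the `roles` array is built only to test for membership; `var isAdmin = extRoles.some(function(r) { return 'admin' == r['name']; });` expresses the intent without the intermediate array and the index loop.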

Expand Up @@ -12,6 +12,7 @@ var config = process.mainModule.exports['config'];
var commonUtils = require('../../../utils/common.utils');
var messages = require('../../../common/messages');
var configUtils = require('../../../common/configServer.utils');
var roleMap = require('../../../web/core/rolemap.api');

function authenticate (req, res, appData, callback)
{
Expand Down Expand Up @@ -114,6 +115,47 @@ function getFlavors (req, callback)
callback(null, list);
}

function getUIUserRoleByTenant (userObj, callback)
{
var userRoles = [global.STR_ROLE_USER];
if ((null == userObj) || (null == userObj.req)) {
callback(null, userRoles);
return;
}
userRoles =
commonUtils.getValueByJsonPath(userObj.req,
'session;userRole',
[global.STR_ROLE_USER]);
callback(null, userRoles);
}

function getExtUserRoleByTenant (userObj, callback)
{
getUIUserRoleByTenant(userObj, function(uiRoles) {
if (-1 != uiRoles.indexOf(global.STR_ROLE_ADMIN)) {
callback(null, {'roles': [{'name': 'admin'}]});
return;
}
callback(null, {'roles': [{'name': 'Member'}]});
});
}

function getUIRolesByExtRoles (extRoles)
{
var roles = [];
if ((null == extRoles) || (!extRoles.length)) {
return [global.STR_ROLE_USER];
}
var roleCnt = extRoles.length;
for (var i = 0; i < roleCnt; i++) {
roles.push(extRoles[i]['name']);
}
if (-1 != roles.indexOf('admin')) {
return [global.STR_ROLE_ADMIN];
}
return [global.STR_ROLE_USER];
}

function getOSHostList (req, callback)
{
var list = {"hosts": []};
Expand Down Expand Up @@ -173,4 +215,7 @@ exports.getCookieObjs = getCookieObjs;
exports.getSessionExpiryTime = getSessionExpiryTime;
exports.getToken = getToken;
exports.getUserAuthDataByConfigAuthObj = getUserAuthDataByConfigAuthObj;
exports.getUIUserRoleByTenant = getUIUserRoleByTenant;
exports.getExtUserRoleByTenant = getExtUserRoleByTenant;
exports.getUIRolesByExtRoles = getUIRolesByExtRoles;
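Review bot: `getUIUserRoleByTenant`, `getExtUserRoleByTenant` and `getUIRolesByExtRoles` in this section are byte-for-byte copies of the functions added in the previous section, so any fix to one of them has to be applied in two places; moving them to a shared module that both orchestration adapters require would avoid that drift. `roleMap` is required at L222 but no visible hunk uses it — if code outside the hunks needs it that is fine, otherwise it is an unused dependency. A header comment on `getUIUserRoleByTenant` should also state that in this mode the tenant in `userObj` is ignored and the roles are read from `req.session.userRole`, since the name suggests a per-tenant lookup.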
