alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Add policy precheck for all admins

Browse source
This commit is contained in:
Herman Slatman 2022-03-30 15:39:03 +02:00
parent 628d7448de
commit 6da243c34d
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
1 changed files with 21 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
authority/policy.go
View file

@ -100,13 +100,32 @@ func (a *Authority) checkPolicy(ctx context.Context, adm *linkedca.Admin, p *lin
// TODO(hs): Provide option to force the policy, even when the admin subject would be locked out? // TODO(hs): Provide option to force the policy, even when the admin subject would be locked out?
// check if the admin user that instructed the authority policy to be
// created or updated, would still be allowed when the provided policy
// would be applied to the authority.
sans := []string{adm.GetSubject()} sans := []string{adm.GetSubject()}
if err := isAllowed(engine, sans); err != nil { if err := isAllowed(engine, sans); err != nil {
return err return err
} }
// TODO(hs): perform the check for other admin subjects too? // get all current admins from the database
// What logic to use for that: do all admins need access? Only super admins? At least one? admins, err := a.adminDB.GetAdmins(ctx)
if err != nil {
return err
}
// loop through admins to verify that none of them would be
// locked out when the new policy were to be applied. Returns
// an error with a message that includes the admin subject that
// would be locked out
for _, adm := range admins {
sans = []string{adm.GetSubject()}
if err := isAllowed(engine, sans); err != nil {
return err
}
}
// TODO(hs): mask the error message for non-super admins?
return nil return nil
} }