Merge pull request #486 from tumblr/will-write-encrypted-tags-permission

Write encrypted tags permission
tumblr · Nov 10, 2016 · ef74c4b · ef74c4b
2 parents 866e1f5 + 88dface
commit ef74c4b
Show file tree

Hide file tree

Showing 10 changed files with 61 additions and 12 deletions.
diff --git a/app/collins/controllers/Permissions.scala b/app/collins/controllers/Permissions.scala
@@ -26,6 +26,8 @@ object Permissions {
 
   object Feature extends PermSpec("feature") {
     def CanSeePasswords = spec("canSeePasswords", AdminSpec)
+    def CanSeeEncryptedTags = spec("canSeeEncryptedTags", AdminSpec)
+    def CanWriteEncryptedTags = spec("canWriteEncryptedTags", AdminSpec)
     def NoRateLimit = spec("noRateLimit", AdminSpec)
   }
 

diff --git a/app/collins/controllers/actions/AssetAction.scala b/app/collins/controllers/actions/AssetAction.scala
@@ -86,7 +86,7 @@ trait AssetResultsAction {
   protected def handleApiSuccess(p: Page[AssetView], details: Boolean): Result = {
     val items = p.items.map {
       case a: Asset => if (details){
-        a.getAllAttributes.exposeCredentials(user.canSeePasswords).toJsValue
+        a.getAllAttributes.exposeCredentials(user.canSeeEncryptedTags).toJsValue
       } else {
         a.toJsValue
       }

diff --git a/app/collins/controllers/actions/asset/GetAction.scala b/app/collins/controllers/actions/asset/GetAction.scala
@@ -68,7 +68,7 @@ case class GetAction(
   }
 
   protected def handleSuccess(asset: Asset): Result = {
-    val display = asset.getAllAttributes.exposeCredentials(user.canSeePasswords)
+    val display = asset.getAllAttributes.exposeCredentials(user.canSeeEncryptedTags)
     isHtml match {
       case true =>
         Status.Ok(html.asset.show(display, user)(flash, request))
@@ -78,4 +78,3 @@ case class GetAction(
   }
 
 }
-
diff --git a/app/collins/models/AssetLifecycle.scala b/app/collins/models/AssetLifecycle.scala
@@ -6,6 +6,8 @@ import scala.util.control.Exception.allCatch
 
 import play.api.Logger
 
+import collins.controllers.Permissions
+
 import collins.models.conversions.dateToTimestamp
 import collins.models.logs.LogFormat
 import collins.models.logs.LogSource
@@ -123,6 +125,13 @@ class AssetLifecycle(user: Option[User], tattler: Tattler) {
         opts.find(kv => restricted(kv._1)).map(kv =>
           return Left(new Exception("Attribute %s is restricted".format(kv._1))))
       }
+
+      opts.find(kv => Feature.encryptedTags.contains(kv._1)).map(kv =>
+        if (user.isDefined &&  !user.get.canWriteEncryptedTags) {
+          return Left(new Exception("You do not have permission to write encrypted tags"))
+        }
+      )
+
       Asset.inTransaction {
         MetaWrapper.createMeta(asset, opts, groupId)
         Asset.partialUpdate(asset, Some(new Date().asTimestamp), status, state)
@@ -190,6 +199,12 @@ class AssetLifecycle(user: Option[User], tattler: Tattler) {
     filtered.find(kv => AssetLifecycleConfig.isRestricted(kv._1)).map(kv =>
       return Left(new Exception("Attribute %s is restricted".format(kv._1))))
 
+    filtered.find(kv => Feature.encryptedTags.contains(kv._1)).map(kv =>
+      if (user.isDefined && !user.get.canWriteEncryptedTags) {
+        return Left(new Exception("You do not have permission to write encrypted tags"))
+      }
+    )
+
     allCatch[Boolean].either {
       val values = Seq(AssetMetaValue(asset, RackPosition, rackpos)) ++
         PowerUnits.toMetaValues(units, asset, options)
@@ -221,6 +236,13 @@ class AssetLifecycle(user: Option[User], tattler: Tattler) {
     val filtered = options.filter(kv => !requiredKeys(kv._1))
     filtered.find(kv => AssetLifecycleConfig.isRestricted(kv._1)).map(kv =>
       return Left(new Exception("Attribute %s is restricted".format(kv._1))))
+
+    filtered.find(kv => Feature.encryptedTags.contains(kv._1)).map(kv =>
+      if (user.isDefined && !user.get.canWriteEncryptedTags) {
+        return Left(new Exception("You do not have permission to write encrypted tags"))
+      }
+    )
+
     val lshwParser = new LshwParser(lshw)
     val lldpParser = new LldpParser(lldp)
 

diff --git a/app/collins/models/User.scala b/app/collins/models/User.scala
@@ -20,7 +20,30 @@ abstract class User(val username: String, val password: String) {
     case false => None
   }
   def isEmpty(): Boolean = username.isEmpty && password.isEmpty && roles.isEmpty
-  def canSeePasswords(): Boolean = Permissions.please(this, Permissions.Feature.CanSeePasswords)
+  def canSeeEncryptedTags(): Boolean = {
+    // We want to rename canSeePasswords to canSeeEncryptedTags
+    // but want to keep backwards compatibility
+    // Try to use canSeePasswords if it is set, else fall back to canSeePasswords
+    //
+    // All permissions default to true, so we need to test if the permission is configured,
+    // and only use it if it is.
+    val canSeePasswords = AuthenticationProvider.permissions("feature.canSeePasswords") match {
+      case None => false
+      case _ => Permissions.please(this, Permissions.Feature.CanSeePasswords)
+    }
+    val canSeeEncryptedTags = AuthenticationProvider.permissions("feature.canSeeEncryptedTags") match {
+      case None => false
+      case _ => Permissions.please(this, Permissions.Feature.CanSeeEncryptedTags)
+    }
+    canSeeEncryptedTags || canSeePasswords
+  }
+  def canWriteEncryptedTags(): Boolean = {
+    AuthenticationProvider.permissions("feature.canWriteEncryptedTags") match {
+      case None => false
+      case _ => Permissions.please(this, Permissions.Feature.CanWriteEncryptedTags)
+    }
+  }
+
   def isAdmin(): Boolean = hasRole("infra")
   def toMap(): Map[String, String] = Map(
     User.ID -> id().toString(),

diff --git a/app/views/asset/show_overview.scala.html b/app/views/asset/show_overview.scala.html
@@ -100,7 +100,7 @@ <h3>Asset Overview <small>System and user attributes</small></h3>
             mv.getName match {
               case "CANCEL_TICKET" => optionDisplay(0, SoftLayerHelper.ticketLink(mv.getValue), mv.getValue)
               case "DISK_STORAGE_TOTAL" => optionDisplay(1, Some(mv.getValue), mv.getValue)
-              case encrypted if Feature.encryptedTags.contains(encrypted) => if(user.canSeePasswords) { TagDecorator.decorate(mv) } else { "********" }
+              case encrypted if Feature.encryptedTags.contains(encrypted) => if(user.canSeeEncryptedTags) { TagDecorator.decorate(mv) } else { "********" }
               case _ => TagDecorator.decorate(mv)
             }
           }
@@ -196,7 +196,7 @@ <h3>Hardware Summary <small>Summary of system components reported by LSHW</small
           <td>Hyperthreading Enabled</td>
           <td>@{if (aa.lshw.hasHyperthreadingEnabled) "Yes" else "No"}</td>
         </tr>
-  
+
         <tr>
           <th colspan="3">Memory</th>
         </tr>
@@ -220,7 +220,7 @@ <h3>Hardware Summary <small>Summary of system components reported by LSHW</small
           <td>Unused Memory Banks</td>
           <td>@aa.lshw.memoryBanksUnused</td>
         </tr>
-  
+
         <tr>
           <th colspan="3">Disks</th>
         </tr>
@@ -244,7 +244,7 @@ <h3>Hardware Summary <small>Summary of system components reported by LSHW</small
           <td>Has PCIe Flash Disk</td>
           <td>@{if (aa.lshw.hasFlashStorage) "Yes" else "No"}</td>
         </tr>
-  
+
         <tr>
           <th colspan="3">Network</th>
         </tr>
@@ -258,7 +258,7 @@ <h3>Hardware Summary <small>Summary of system components reported by LSHW</small
           <td>Has 10Gb Interface</td>
           <td>@{if (aa.lshw.has10GbNic) "Yes" else "No"}</td>
         </tr>
-  
+
         <tr>
           <th colspan="3">Power</th>
         </tr>

diff --git a/conf/authentication.conf b/conf/authentication.conf
@@ -1,6 +1,6 @@
 authentication {
 
   type = default
-  file.userfile = "conf/users.conf"
+  permissionsFile = "conf/permissions.yaml"
 
 }
diff --git a/conf/dev_base.conf b/conf/dev_base.conf
@@ -18,6 +18,7 @@ features {
   useWhitelistOnRepurpose = true
   keepSomeMetaOnRepurpose = [ attr1, attr2 ]
   deleteSomeMetaOnRepurpose = [ attr4, attr3 ]
+  syslogAsset = tumblrtag1
   # default values below
   #searchResultColumns = [ TAG, HOSTNAME, PRIMARY_ROLE, STATUS, CREATED, UPDATED ]
 }

diff --git a/conf/docker/permissions.yaml b/conf/docker/permissions.yaml
@@ -10,7 +10,7 @@ users:
 permissions:
   feature.noRateLimit:
     - "u=tools"
-  feature.canSeePasswords:
+  feature.canSeeEncryptedTags:
     - "u=admins"
     - "u=tools"
     - "g=infra"

diff --git a/conf/permissions.yaml b/conf/permissions.yaml
@@ -10,12 +10,14 @@ users:
 permissions:
   feature.noRateLimit:
     - "u=tools"
-  feature.canSeePasswords:
+  feature.canSeeEncryptedTags:
     - "u=admins"
     - "u=tools"
     - "g=infra"
     - "g=ops"
     - "g=sre"
+  feature.canWriteEncryptedTags:
+    - "u=admins"
   controllers.Admin:
     - "g=infra"
     - "g=ops"