fix(core): validate both old and new objects on Update (backport #4589)…
… (#4593)

Signed-off-by: Mike Beaumont <[email protected]>
michaelbeaumont authored Jul 13, 2022
1 parent d8cdf27 commit 1eceb83
Showing 4 changed files with 10 additions and 7 deletions.
5 changes: 3 additions & 2 deletions pkg/api-server/resource_endpoints.go
Expand Up @@ -172,18 +172,19 @@ func (r *resourceEndpoints) createResource(ctx context.Context, name string, mes
}

func (r *resourceEndpoints) updateResource(ctx context.Context, res model.Resource, restRes rest.Resource, response *restful.Response) {
_ = res.SetSpec(restRes.Spec)

if err := r.resourceAccess.ValidateUpdate(
model.ResourceKey{Mesh: res.GetMeta().GetMesh(), Name: res.GetMeta().GetName()},
res.GetSpec(),
restRes.Spec,
r.descriptor,
user.FromCtx(ctx),
); err != nil {
rest_errors.HandleError(response, err, "Access Denied")
return
}

_ = res.SetSpec(restRes.Spec)

if err := r.resManager.Update(ctx, res); err != nil {
rest_errors.HandleError(response, err, "Could not update a resource")
} else {
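Review bot: The value returned by `res.SetSpec(restRes.Spec)` is still discarded after the access check in updateResource, so if that call fails (presumably it returns an error), `r.resManager.Update` runs on the unchanged stored spec and the request is not rejected. I would check it with `if err := res.SetSpec(restRes.Spec); err != nil {` and return through `rest_errors.HandleError` like the two neighbouring branches. The authorization fix also rests purely on statement order, because `res.GetSpec()` is the stored spec only until `SetSpec` overwrites it. A comment above the call such as `// ValidateUpdate must run before SetSpec: res.GetSpec() is the stored spec only until it is overwritten` would guard against a later refactor undoing it, and the test changes visible in this commit only follow the new signature, so nothing pins that order. The function body continues past the end of the hunk.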
8 changes: 4 additions & 4 deletions pkg/core/resources/access/admin_resource_access.go
Expand Up @@ -30,23 +30,23 @@ func NewAdminResourceAccess(cfg config_access.AdminResourcesStaticAccessConfig)

var _ ResourceAccess = &adminResourceAccess{}

func (a *adminResourceAccess) ValidateCreate(key model.ResourceKey, spec model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
func (a *adminResourceAccess) ValidateCreate(_ model.ResourceKey, _ model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
return a.validateAdminAccess(user, descriptor)
}

func (a *adminResourceAccess) ValidateUpdate(key model.ResourceKey, spec model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
func (a *adminResourceAccess) ValidateUpdate(_ model.ResourceKey, _ model.ResourceSpec, _ model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
return a.validateAdminAccess(user, descriptor)
}

func (a *adminResourceAccess) ValidateDelete(key model.ResourceKey, spec model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
func (a *adminResourceAccess) ValidateDelete(_ model.ResourceKey, _ model.ResourceSpec, descriptor model.ResourceTypeDescriptor, user user.User) error {
return a.validateAdminAccess(user, descriptor)
}

func (a *adminResourceAccess) ValidateList(descriptor model.ResourceTypeDescriptor, user user.User) error {
return a.validateAdminAccess(user, descriptor)
}

func (a *adminResourceAccess) ValidateGet(key model.ResourceKey, descriptor model.ResourceTypeDescriptor, user user.User) error {
func (a *adminResourceAccess) ValidateGet(_ model.ResourceKey, descriptor model.ResourceTypeDescriptor, user user.User) error {
return a.validateAdminAccess(user, descriptor)
}

2 changes: 2 additions & 0 deletions pkg/core/resources/access/admin_resource_access_test.go
Expand Up @@ -75,6 +75,7 @@ var _ = Describe("Admin Resource Access", func() {
err := resourceAccess.ValidateUpdate(
model.ResourceKey{Name: "xyz"},
&system_proto.Secret{},
&system_proto.Secret{},
system.NewSecretResource().Descriptor(),
user.Admin,
)
Expand All @@ -88,6 +89,7 @@ var _ = Describe("Admin Resource Access", func() {
err := resourceAccess.ValidateUpdate(
model.ResourceKey{Name: "xyz"},
&system_proto.Secret{},
&system_proto.Secret{},
system.NewSecretResource().Descriptor(),
user.User{Name: "john doe", Groups: []string{"users"}},
)
2 changes: 1 addition & 1 deletion pkg/core/resources/access/resource_access.go
Expand Up @@ -7,7 +7,7 @@ import (

type ResourceAccess interface {
ValidateCreate(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
ValidateUpdate(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
ValidateUpdate(key model.ResourceKey, currentSpec model.ResourceSpec, newSpec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
ValidateDelete(key model.ResourceKey, spec model.ResourceSpec, desc model.ResourceTypeDescriptor, user user.User) error
ValidateList(desc model.ResourceTypeDescriptor, user user.User) error
ValidateGet(key model.ResourceKey, desc model.ResourceTypeDescriptor, user user.User) error
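Review bot: `currentSpec` and `newSpec` on `ValidateUpdate` are adjacent parameters of the same type `model.ResourceSpec`, so a call site that passes them in the wrong order still compiles and would authorize against the wrong state. The interface carries no doc comment saying what an implementation must do with each argument. I would add one above the method, for example `// ValidateUpdate authorizes replacing currentSpec (the stored state) with newSpec (the requested state); implementations that decide on spec content must check both.` The interface declaration continues past the end of the hunk.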
