The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7484

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
From 3af43f2522e3c5004c96ce2e2a860863ea456a6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Wed, 3 Jun 2020 15:08:01 -0400
Subject: [PATCH] lxd/rbac: Fix auth for non-RBAC trusted clients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/daemon.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 0655b0bc98..30357daddf 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -416,7 +416,7 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version 
string, c APIEndpoint) {
                untrustedOk := (r.Method == "GET" && c.Get.AllowUntrusted) || 
(r.Method == "POST" && c.Post.AllowUntrusted)
                if trusted {
                        logger.Debug("Handling", log.Ctx{"method": r.Method, 
"url": r.URL.RequestURI(), "ip": r.RemoteAddr, "user": username})
-                       r = r.WithContext(context.WithValue(r.Context(), 
"username", username))
+                       r = 
r.WithContext(context.WithValue(context.WithValue(r.Context(), "username", 
username), "protocol", protocol))
                } else if untrustedOk && r.Header.Get("X-LXD-authenticated") == 
"" {
                        logger.Debug(fmt.Sprintf("Allowing untrusted %s", 
r.Method), log.Ctx{"url": r.URL.RequestURI(), "ip": r.RemoteAddr})
                } else if derr, ok := err.(*bakery.DischargeRequiredError); ok {
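Review bot: The added `r.WithContext(...)` line stores the authentication protocol under the bare string key `"protocol"`, and after this commit that one value decides whether userIsAdmin and userHasPermission skip the RBAC lookup. A string key can be set or shadowed by any package that touches the request context, and staticcheck flags built-in key types for that reason. An unexported key type closes this off, for example `type ctxKey string` with `const ctxProtocol ctxKey = "protocol"`, used both here and in the two `Value(...)` lookups. The existing `"username"` key has the same weakness and could move at the same time. The body of createCmd continues outside this hunk.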
@@ -1369,6 +1369,10 @@ func (d *Daemon) userIsAdmin(r *http.Request) bool {
                return true
        }
 
+       if r.Context().Value("protocol") == "tls" {
+               return true
+       }
+
        return d.rbac.IsAdmin(r.Context().Value("username").(string))
 }
 
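Review bot: The new `protocol == "tls"` early return in userIsAdmin bypasses authorization without a comment explaining why: a request tagged as TLS-authenticated is treated as admin before `d.rbac.IsAdmin` is consulted. That looks like the intent of the commit, presumably because trust-store clients have no RBAC identity, but someone auditing the permission path cannot tell that from the code. I would add `// Clients authenticated by a trusted TLS certificate are not subject to RBAC and keep full access.` above the check. The identical check is added to userHasPermission in the next hunk, so a small shared helper such as `isTLSClient(r)` would keep the two from drifting apart. Both functions start outside their hunks, so the condition guarding the earlier `return true` is not visible here.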
@@ -1377,6 +1381,10 @@ func (d *Daemon) userHasPermission(r *http.Request, 
project string, permission s
                return true
        }
 
+       if r.Context().Value("protocol") == "tls" {
+               return true
+       }
+
        return d.rbac.HasPermission(r.Context().Value("username").(string), 
project, permission)
 }
 