@@ -310,52 +310,32 @@ func allowProjectResourceList(d *Daemon, r *http.Request) response.Response {
310
310
return response .Forbidden (nil )
311
311
}
312
312
313
- isRoot , err := auth .IsRootUserFromCtx (r .Context ())
313
+ isServerAdmin , err := auth .IsServerAdmin (r .Context (), d . identityCache )
314
314
if err != nil {
315
315
return response .InternalError (fmt .Errorf ("Failed to determine caller privilege: %w" , err ))
316
316
}
317
317
318
318
// A root user can list resources in any project.
319
- if isRoot {
319
+ if isServerAdmin {
320
320
return response .EmptySyncResponse
321
321
}
322
322
323
- authenticationMethod , err := auth .GetAuthenticationMethodFromCtx (r .Context ())
323
+ id , err := auth .GetIdentityFromCtx (r .Context (), d . identityCache )
324
324
if err != nil {
325
- return response .InternalError (fmt .Errorf ("Failed to determine caller authentication method : %w" , err ))
325
+ return response .InternalError (fmt .Errorf ("Failed to determine caller identity : %w" , err ))
326
326
}
327
327
328
- // OIDC authenticated clients are governed by fine-grained auth. They can call the endpoint but may see an empty list.
329
- if authenticationMethod == api .AuthenticationMethodOIDC {
330
- return response .EmptySyncResponse
331
- }
332
-
333
- username , err := auth .GetUsernameFromCtx (r .Context ())
334
- if err != nil {
335
- return response .InternalError (fmt .Errorf ("Failed to determine caller username: %w" , err ))
336
- }
337
-
338
- id , err := d .identityCache .Get (authenticationMethod , username )
339
- if err != nil {
340
- if authenticationMethod == auth .AuthenticationMethodPKI && api .StatusErrorCheck (err , http .StatusNotFound ) {
341
- // PKI user is implicitly trusted if they are not in the identity cache, since `core.trust_ca_certificates` is true.
342
- return response .EmptySyncResponse
343
- }
344
-
345
- return response .InternalError (fmt .Errorf ("Failed loading certificate for %q: %w" , username , err ))
346
- }
347
-
348
- isRestricted , err := identity .IsRestrictedIdentityType (id .IdentityType )
349
- if err != nil {
350
- return response .InternalError (fmt .Errorf ("Failed to check restricted status of identity: %w" , err ))
351
- }
352
-
353
- // Unrestricted TLS clients can list resources in any project.
354
- if ! isRestricted {
328
+ switch id .IdentityType {
329
+ case api .IdentityTypeOIDCClient :
330
+ // OIDC authenticated clients are governed by fine-grained auth. They can call the endpoint but may see an empty list.
355
331
return response .EmptySyncResponse
332
+ case api .IdentityTypeCertificateClientRestricted :
333
+ // A restricted client may be able to call the endpoint, continue.
334
+ default :
335
+ // No other identity types may list resources (e.g. metrics certificates).
336
+ return response .Forbidden (nil )
356
337
}
357
338
358
- // We now have a restricted TLS certificate.
359
339
// all-projects requests are not allowed
360
340
if shared .IsTrue (request .QueryParam (r , "all-projects" )) {
361
341
return response .Forbidden (fmt .Errorf ("Certificate is restricted" ))
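Review bot: The comment above `if isServerAdmin` still reads `// A root user can list resources in any project.` although the check it describes is no longer a root-user test; `// A server administrator can list resources in any project.` keeps it in step with the renamed variable. The removed branch that let a PKI caller absent from the identity cache through (relying on `core.trust_ca_certificates`) and the unrestricted-certificate fall-through have no counterpart in the new switch, so unless `auth.IsServerAdmin` or `auth.GetIdentityFromCtx` already cover those callers, they now land in `default` and are forbidden — worth confirming that is the intended behavior change. The new error string `"Failed to determine caller identity : %w"` carries a stray space before the colon that the sibling `"Failed to determine caller privilege: %w"` does not. allowProjectResourceList begins before the hunk and its body continues after it.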