
Commit 92468bb

committed
lxd: Update allowProjectResourceList to use new auth utils.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
1 parent cba65fb commit 92468bb


1 file changed

+12
-32
lines changed


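--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -310,52 +310,32 @@ func allowProjectResourceList(d *Daemon, r *http.Request) response.Response {
 		return response.Forbidden(nil)
 	}
 
-	isRoot, err := auth.IsRootUserFromCtx(r.Context())
+	isServerAdmin, err := auth.IsServerAdmin(r.Context(), d.identityCache)
 	if err != nil {
 		return response.InternalError(fmt.Errorf("Failed to determine caller privilege: %w", err))
 	}
 
 	// A root user can list resources in any project.
-	if isRoot {
+	if isServerAdmin {
 		return response.EmptySyncResponse
 	}
 
-	authenticationMethod, err := auth.GetAuthenticationMethodFromCtx(r.Context())
+	id, err := auth.GetIdentityFromCtx(r.Context(), d.identityCache)
 	if err != nil {
-		return response.InternalError(fmt.Errorf("Failed to determine caller authentication method: %w", err))
+		return response.InternalError(fmt.Errorf("Failed to determine caller identity: %w", err))
 	}
 
-	// OIDC authenticated clients are governed by fine-grained auth. They can call the endpoint but may see an empty list.
-	if authenticationMethod == api.AuthenticationMethodOIDC {
-		return response.EmptySyncResponse
-	}
-
-	username, err := auth.GetUsernameFromCtx(r.Context())
-	if err != nil {
-		return response.InternalError(fmt.Errorf("Failed to determine caller username: %w", err))
-	}
-
-	id, err := d.identityCache.Get(authenticationMethod, username)
-	if err != nil {
-		if authenticationMethod == auth.AuthenticationMethodPKI && api.StatusErrorCheck(err, http.StatusNotFound) {
-			// PKI user is implicitly trusted if they are not in the identity cache, since `core.trust_ca_certificates` is true.
-			return response.EmptySyncResponse
-		}
-
-		return response.InternalError(fmt.Errorf("Failed loading certificate for %q: %w", username, err))
-	}
-
-	isRestricted, err := identity.IsRestrictedIdentityType(id.IdentityType)
-	if err != nil {
-		return response.InternalError(fmt.Errorf("Failed to check restricted status of identity: %w", err))
-	}
-
-	// Unrestricted TLS clients can list resources in any project.
-	if !isRestricted {
+	switch id.IdentityType {
+	case api.IdentityTypeOIDCClient:
+		// OIDC authenticated clients are governed by fine-grained auth. They can call the endpoint but may see an empty list.
 		return response.EmptySyncResponse
+	case api.IdentityTypeCertificateClientRestricted:
+		// A restricted client may be able to call the endpoint, continue.
+	default:
+		// No other identity types may list resources (e.g. metrics certificates).
+		return response.Forbidden(nil)
 	}
 
-	// We now have a restricted TLS certificate.
 	// all-projects requests are not allowed
 	if shared.IsTrue(request.QueryParam(r, "all-projects")) {
 		return response.Forbidden(fmt.Errorf("Certificate is restricted"))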
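Review bot: The context comment at new line 318, `// A root user can list resources in any project.`, is now stale because the guard beneath it tests `isServerAdmin` rather than `isRoot`; it should read `// A server administrator can list resources in any project.` so the comment matches what auth.IsServerAdmin decides. The removed branch that implicitly trusted a PKI certificate missing from the identity cache (old lines 340–343) has no visible counterpart in the new code; presumably auth.GetIdentityFromCtx or IsServerAdmin now covers that case, but if it instead surfaces an error the caller receives a 500 rather than the earlier allow, so a one-line comment at the GetIdentityFromCtx call stating the intended handling would make the change reviewable. The `default:` branch of the new switch returning Forbidden is a sound fail-closed choice and is worth keeping. allowProjectResourceList begins before this hunk and continues past its last line.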
