From c5f14a37946a7abcaf00b19bb117e6b5f05986b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Mon, 25 Mar 2024 22:30:23 -0400
Subject: [PATCH 1/3] incusd/network_integrations: Filter config keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber
---
 cmd/incusd/network_integrations.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cmd/incusd/network_integrations.go b/cmd/incusd/network_integrations.go
index 60e4dc6504e..456685d7a05 100644
--- a/cmd/incusd/network_integrations.go
+++ b/cmd/incusd/network_integrations.go
@@ -170,6 +170,12 @@ func networkIntegrationsGet(d *Daemon, r *http.Request) response.Response {
 			return err
 		}
 
+		// Check if the user should see the configuration.
+		err = s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectNetworkIntegration(result.Name), auth.EntitlementCanEdit)
+		if err != nil {
+			result.Config = map[string]string{}
+		}
+
 		// Add UsedBy field.
 		usedBy, err := tx.GetNetworkPeersURLByIntegration(ctx, integration.Name)
 		if err != nil {
@@ -428,6 +434,12 @@ func networkIntegrationGet(d *Daemon, r *http.Request) response.Response {
 			return err
 		}
 
+		// Check if the user should see the configuration.
+		err = s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectNetworkIntegration(info.Name), auth.EntitlementCanEdit)
+		if err != nil {
+			info.Config = map[string]string{}
+		}
+
 		// Add UsedBy field.
 		usedBy, err := tx.GetNetworkPeersURLByIntegration(ctx, info.Name)
 		if err != nil {

From 68946b5803203442b40e70e2ccc34ac017742a64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Mon, 25 Mar 2024 23:55:59 -0400
Subject: [PATCH 2/3] tests: Wait for initial connection to OpenFGA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber
---
 test/suites/openfga.sh | 3 +++
 1 file changed, 3 insertions(+)
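Review bot: The check added after `return err` in networkIntegrationsGet treats every non-nil error from `s.Authorizer.CheckPermission` as "hide the configuration", and the same pattern is repeated in the networkIntegrationGet hunk. Failing closed is the right direction, but the error is dropped on the floor, so an unreachable or misconfigured authorizer backend is indistinguishable from a legitimate denial for both the API client and the operator; logging the error at debug level when it is not the authorizer's forbidden result (using whatever logger this file already has in scope) would keep the behaviour while making such failures visible. The `tx.` and `ctx` on the surrounding lines suggest this runs inside the database transaction closure; if so, the list handler now makes one authorizer round-trip per integration while the transaction is held, which for a remote authorizer grows transaction lifetime with the number of integrations, and applying the check after the closure returns would avoid that. The first hunk also checks `result.Name` while the UsedBy lookup two lines below uses `integration.Name`; presumably they are the same value, but using one consistently would remove the doubt. Both enclosing functions start and end outside their hunks.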
diff --git a/test/suites/openfga.sh b/test/suites/openfga.sh
index 16150501392..e495334b4dd 100644
--- a/test/suites/openfga.sh
+++ b/test/suites/openfga.sh
@@ -29,6 +29,9 @@ test_openfga() {
   incus config set openfga.api.token "$(fga_token)"
   incus config set openfga.store.id "${OPENFGA_STORE_ID}"
 
+  # Wait for initial connection to OpenFGA.
+  sleep 1s
+
   echo "==> Checking permissions for unknown user..."
   user_is_not_server_admin
   user_is_not_server_operator

From 9d0d9bcec0f077178f6e2809ea6bc83e4ae2776e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Tue, 26 Mar 2024 13:08:24 -0400
Subject: [PATCH 3/3] incusd: Reload OIDC on claim changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber
---
 cmd/incusd/api_1.0.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/incusd/api_1.0.go b/cmd/incusd/api_1.0.go
index d12f3edf660..72118356c5b 100644
--- a/cmd/incusd/api_1.0.go
+++ b/cmd/incusd/api_1.0.go
@@ -824,7 +824,7 @@ func doApi10UpdateTriggers(d *Daemon, nodeChanged, clusterChanged map[string]str
 		case "network.ovn.northbound_connection", "network.ovn.ca_cert", "network.ovn.client_cert", "network.ovn.client_key":
 			ovnChanged = true
-		case "oidc.issuer", "oidc.client.id", "oidc.audience":
+		case "oidc.issuer", "oidc.client.id", "oidc.audience", "oidc.claim":
 			oidcChanged = true
 		case "openfga.api.url", "openfga.api.token", "openfga.store.id":
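Review bot: The fixed `sleep 1s` added before the permission checks in test_openfga is a timing assumption rather than a readiness check, so on a slow CI host `user_is_not_server_admin` can still run before the daemon has finished connecting to OpenFGA and the suite fails intermittently. A bounded retry loop around the first check would make the wait deterministic; if a sleep is kept, plain `sleep 1` is the POSIX spelling, the `1s` suffix being a GNU extension. The comment could also record why the wait exists, e.g. `# The authorizer reconnects after the config change; give it a moment before exercising it.`, with the exact reason confirmed against the daemon's behaviour.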