loosen rbac for get cert
meng-han committed Nov 7, 2024
1 parent bb8cdf5 commit e134890
Showing 1 changed file with 9 additions and 13 deletions.
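--- a/confidant/authnz/rbac.py
+++ b/confidant/authnz/rbac.py
@@ -44,19 +44,15 @@ def default_acl(*args, **kwargs):
 if not ca_object.settings['name_regex']:
 return False
 cert_pattern = re.compile(ca_object.settings['name_regex'])
-domains = [resource_id]
-domains.extend(resource_kwargs.get('san', []))
-# Ensure the CN and every value in the SAN is allowed for this
-# user.
-for domain in domains:
-match = cert_pattern.match(domain)
-if not match:
-return False
-service_name = match.group('service_name')
-if not service_name:
-return False
-if not authnz.user_is_service(service_name):
-return False
+domain = resource_id
+match = cert_pattern.match(domain)
+if not match:
+return False
+service_name = match.group('service_name')
+if not service_name:
+return False
+if not authnz.user_is_service(service_name):
+return False
 return True
 return False
 else: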
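Review bot: The new check validates only `resource_id` (the CN), so values passed in `resource_kwargs['san']` are no longer checked against `name_regex` or `authnz.user_is_service` in this branch. Unless SANs are constrained somewhere not visible in this hunk, a caller authorised for its own CN could be issued a certificate that also names other services. If the loosening is meant to permit additional SANs, consider still requiring each one to match the CA's pattern, e.g. `if not all(cert_pattern.match(s) for s in resource_kwargs.get('san', [])): return False`, and replace the removed comment with one stating that SANs are intentionally not tied to the caller's service identity. The alias `domain = resource_id` is now redundant and `resource_id` could be matched directly. default_acl starts and ends outside the hunk.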
