System auditor v3. #2168

Merged
merged 3 commits into from
Jun 11, 2024

Conversation

jctanner
Collaborator

@jctanner jctanner commented Jun 11, 2024

No-Issue

Signed-off-by: James Tanner <[email protected]>
@github-actions github-actions bot added backport-4.2 This PR should be backported to stable-4.2 (1.2) backport-4.4 This PR should be backported to stable-4.4 (2.1) backport-4.5 This PR should be backported to stable-4.5 (2.2) backport-4.6 This PR should be backported to stable-4.6 (2.3) backport-4.7 This PR should be backported to stable-4.7 (2.4) backport-4.8 This PR should be backported to stable-4.8 (2.4) backport-4.9 This PR should be backported to stable-4.9 (2.4) labels Jun 11, 2024
@jctanner jctanner removed backport-4.2 This PR should be backported to stable-4.2 (1.2) backport-4.4 This PR should be backported to stable-4.4 (2.1) backport-4.5 This PR should be backported to stable-4.5 (2.2) backport-4.6 This PR should be backported to stable-4.6 (2.3) backport-4.7 This PR should be backported to stable-4.7 (2.4) backport-4.8 This PR should be backported to stable-4.8 (2.4) backport-4.9 This PR should be backported to stable-4.9 (2.4) labels Jun 11, 2024
@jctanner jctanner mentioned this pull request Jun 11, 2024
@jctanner
Collaborator Author

unit test passed with zero permissions in the new role. Now adding just the "view" permissions already listed in app/constants.py ...

@jctanner
Collaborator Author

With just those few permissions added, this is what the UI displays ...

[image: screenshot of the UI with the view-only permissions applied]

@jctanner
Collaborator Author

Unit tests are passing with the small set of permissions.

Next i'm going to re-add the integration test that checks for view-only permissions on the role.

No-Issue

Signed-off-by: James Tanner <[email protected]>
@jctanner
Collaborator Author

failing test passed locally ...

galaxy_ng/tests/integration/api/test_ui_paths.py::test_api_ui_v1_execution_environments_registries PASSED

@jctanner
Collaborator Author

last job failed because the dnf mirrors are down ...

> [ 4/11] RUN switch_python "3.11":
0.195 switching python to 3.11
48.99 CentOS Stream 9 - BaseOS                         82  B/s | 3.9 kB     00:48    
48.99 Errors during downloading metadata for repository 'baseos':
48.99   - Downloading successful, but checksum doesn't match. Calculated: 97a2d3105057acb2d21bf14164f968749af4460244b59cd207c5887400baed6cc367922b12260a2facf0344550acd70984fdd13d9dfa9321089fdc31b76ad014(sha512)  Expected: 15da37ba7919a607a78a0f45ae8c0c9fe655f56b4b8e503792311b1385b00c6ffdb0c4c6da84a3723fb353a596493db0b97f0ef36fc9d3882c9000fe64c4e97f(sha512) 
49.00 Error: Failed to download metadata for repo 'baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

@jctanner jctanner requested review from newswangerd and a team June 11, 2024 18:06
@jctanner
Collaborator Author

Auditing the auditor ...

# cat check_sa_access.py 
#!/usr/bin/env python
"""Differential access check: fetch every concrete route as the system
auditor user and as admin, and report the routes where the two users get
different HTTP status codes."""

import subprocess
import requests

BASEURL = 'http://localhost:55001'
AUTH = ('sa1', 'redhat1234')
ADMIN_AUTH = ('admin', 'admin')


def get_all_routes():
    # `pulpcore-manager show_urls` prints one route per line, tab-separated:
    # <route>\t<view>\t<url name>. Keep only the route column.
    cmd = 'pulpcore-manager show_urls'
    proc = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    stdout = proc.stdout.decode('utf-8')
    lines = stdout.split('\n')
    routes = [x.strip() for x in lines if x.strip()]
    routes = [x.split('\t', 1)[0] for x in routes]
    return routes


def main():
    routes = get_all_routes()

    for route in routes:
        # Skip parametrised routes (e.g. /foo/<pk>/); they need a real object id.
        if '<' in route:
            continue

        url = BASEURL + route
        rr = requests.get(url, auth=AUTH)
        rr_admin = requests.get(url, auth=ADMIN_AUTH)

        # Only routes where the auditor is treated differently from admin are interesting.
        if rr_admin.status_code == rr.status_code:
            continue

        print(f'MISMATCH: {url} admin:{rr_admin.status_code} auditor:{rr.status_code}')


if __name__ == "__main__":
    main()
# python3 check_sa_access.py 
MISMATCH: http://localhost:55001/ansible/collections/ admin:405 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/access_policies/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/ansible/collections/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/content/ansible/collection_marks/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/contentguards/certguard/rhsm/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/contentguards/certguard/x509/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/distributions/core/artifacts/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/exporters/core/filesystem/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/exporters/core/pulp/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/importers/core/pulp/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/importers/core/pulp/import-check/ admin:405 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/orphans/ admin:405 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/orphans/cleanup/ admin:405 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/pulp_ansible/tags/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/repair/ admin:405 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/repositories/reclaim_space/ admin:405 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/signing-services/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/task-groups/ admin:200 auditor:403
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/tasks/purge/ admin:405 auditor:500
MISMATCH: http://localhost:55001/api/galaxy/pulp/api/v3/workers/ admin:200 auditor:403

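The comparison above stops at "same status code or not". As an added example (not code from this PR or from galaxy_ng), the same differential audit written so that each mismatch is classified: a plain denial (admin 2xx, auditor 403), a denial that fires before the 405 method check, a 5xx that only the restricted user can trigger (the tasks/purge/ row above), and the escalation case where the restricted role can read something admin cannot. The HTTP layer is an injectable callback so the module runs offline; the show_urls sample, its view/name columns, the status table and the /hypothetical/ route are constructed for the demo, with the first four routes' status codes copied from the mismatch list in this PR.

```python
#!/usr/bin/env python3
"""Differential access audit for a restricted role (added example, not
galaxy_ng code). Route list format assumes the tab-separated output of
`pulpcore-manager show_urls`: <route>\t<view>\t<url name>."""
from typing import Callable, List, Tuple

Fetch = Callable[[str, str], int]  # (route, username) -> HTTP status code


def parse_show_urls(text: str) -> List[str]:
    """Return concrete routes, skipping parametrised ones such as
    /workers/<pk>/ that cannot be fetched without a real object id."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        route = line.split("\t", 1)[0]
        if "<" not in route:
            routes.append(route)
    return routes


def classify(admin_status: int, role_status: int) -> str:
    """Label one (admin, restricted-role) status pair. Order matters: the
    5xx and escalation cases are checked before the benign denials."""
    if admin_status == role_status:
        return "SAME"
    if role_status >= 500:
        # A permission denial must never surface as a server error.
        return "SERVER_ERROR"
    if 200 <= role_status < 300 and admin_status in (401, 403):
        # Restricted role reads something admin is refused: investigate.
        return "ROLE_EXCEEDS_ADMIN"
    if 200 <= admin_status < 300 and role_status in (401, 403):
        return "DENIED"
    if admin_status == 405 and role_status in (401, 403):
        # Permission check ran before method dispatch; GET is not even allowed.
        return "DENIED_BEFORE_METHOD"
    return "OTHER"


def audit(routes: List[str], fetch: Fetch, admin: str = "admin",
          role: str = "sa1") -> List[Tuple[str, int, int, str]]:
    """Fetch every route as both users; return rows whose outcome differs."""
    findings = []
    for route in routes:
        a, r = fetch(route, admin), fetch(route, role)
        label = classify(a, r)
        if label != "SAME":
            findings.append((route, a, r, label))
    return findings


# ---- constructed offline data (view/name columns are placeholders) ----------
SAMPLE_SHOW_URLS = "\n".join([
    "/api/galaxy/pulp/api/v3/workers/\tviews.Workers\tworkers-list",
    "/api/galaxy/pulp/api/v3/workers/<pk>/\tviews.Workers\tworkers-detail",
    "/api/galaxy/pulp/api/v3/tasks/purge/\tviews.Tasks\ttasks-purge",
    "/api/galaxy/pulp/api/v3/orphans/\tviews.Orphans\torphans",
    "/api/galaxy/pulp/api/v3/status/\tviews.Status\tstatus",
    "/hypothetical/role-only/\tviews.Hypothetical\trole-only",
])

# First four routes: status codes from the PR's mismatch list. The status/
# and /hypothetical/ rows are invented to show the SAME and escalation cases.
CONSTRUCTED_STATUS = {
    ("/api/galaxy/pulp/api/v3/workers/", "admin"): 200,
    ("/api/galaxy/pulp/api/v3/workers/", "sa1"): 403,
    ("/api/galaxy/pulp/api/v3/tasks/purge/", "admin"): 405,
    ("/api/galaxy/pulp/api/v3/tasks/purge/", "sa1"): 500,
    ("/api/galaxy/pulp/api/v3/orphans/", "admin"): 405,
    ("/api/galaxy/pulp/api/v3/orphans/", "sa1"): 403,
    ("/api/galaxy/pulp/api/v3/status/", "admin"): 200,
    ("/api/galaxy/pulp/api/v3/status/", "sa1"): 200,
    ("/hypothetical/role-only/", "admin"): 403,
    ("/hypothetical/role-only/", "sa1"): 200,
}


def fake_fetch(route: str, user: str) -> int:
    """Offline stand-in for the HTTP call; unknown routes look like 404."""
    return CONSTRUCTED_STATUS.get((route, user), 404)


def demo() -> List[Tuple[str, int, int, str]]:
    return audit(parse_show_urls(SAMPLE_SHOW_URLS), fake_fetch)


if __name__ == "__main__":
    for route, a, r, label in demo():
        print(f"{label:22} {route} admin:{a} auditor:{r}")
```

For a live run, pass `audit()` a callback that does what the script above does per route, `requests.get(BASEURL + route, auth=creds[user]).status_code`, and treat any SERVER_ERROR or ROLE_EXCEEDS_ADMIN row as a failure rather than a mismatch to eyeball.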
@jctanner
Collaborator Author

AFAIK, this is done. Whenever someone wants to merge it, feel free.

@newswangerd newswangerd merged commit f9e3705 into ansible:master Jun 11, 2024
19 of 20 checks passed
2 participants