authz: protect VPC endpoints #743

davepacheco · 2022-03-09T23:38:02Z

See #419 for context. This change adds authz protection for VPC create/delete/update/get and the "list VPCs" endpoint. This does not affect any of the resources underneath VPCs (subnets, routers, firewalls, etc.).

I ran into #742 and fixed that here as well.

nexus/src/db/datastore.rs

bnaecker · 2022-03-10T16:43:43Z

nexus/src/db/datastore.rs

@@ -2110,18 +2198,15 @@ impl DataStore {
        let now = Utc::now();
        diesel::update(dsl::vpc)


At least some of the other deletion methods use the check_if_exists method to separately handle the case where there is no such object at all, and where there is one, but it's already been deleted. In the latter case, I think we want to not update time_deleted and return a success, to make the operation idempotent. If I understand correctly, this will return an object-not-found error in that case.

You might be right, though I think we expect that DELETE of a resource that doesn't exist in the public API produces a 404, not a successful result. This seems worth testing more broadly, though this one seems hard to test because you will have just looked up the VPC successfully to get to this code path.

Anyway, I think this is unrelated here (in that the behavior you're describing exists on "main" and isn't related to the change here). I'd like to file a separate issue to cover this.

I meant that: if there is no such record at all, return 404; if there is a record, but it's already deleted, return success. Or by "in the public API", did you mean one that isn't deleted? As an example, when you create a VPC (so you have the ID), then delete it twice, what should we return for that second call?

But that's a general question, I agree, and we should do it separately.

nexus/src/db/datastore.rs

nexus/src/nexus.rs

bnaecker

Awesome, thanks for doing this! I have a few questions about scope, but otherwise looks great.

davepacheco

Thanks for the review!

davepacheco · 2022-03-10T18:30:47Z

nexus/src/db/datastore.rs

@@ -2110,18 +2198,15 @@ impl DataStore {
        let now = Utc::now();
        diesel::update(dsl::vpc)


You might be right, though I think we expect that DELETE of a resource that doesn't exist in the public API produces a 404, not a successful result. This seems worth testing more broadly, though this one seems hard to test because you will have just looked up the VPC successfully to get to this code path.

Anyway, I think this is unrelated here (in that the behavior you're describing exists on "main" and isn't related to the change here). I'd like to file a separate issue to cover this.

nexus/src/db/datastore.rs

nexus/src/nexus.rs

davepacheco added 7 commits March 9, 2022 14:52

update unauthorized test

2d56033

add protection to LIST and GET VPCs

79f2385

protect VPC create endpoint

cbad266

add protection to PUT VPC

d601c1a

protect VPC delete

eedfd07

VPC update could return 200 (fixes #742)

e2f5460

fix some tests

e4934df

davepacheco mentioned this pull request Mar 9, 2022

tracking issue for authz work #419

Closed

71 tasks

davepacheco added 4 commits March 9, 2022 15:43

fix test

0eb3f01

fix test

b017370

clean up XXXs

d5cb1b3

actually add authz check to delete

ab79a3a

davepacheco requested review from bnaecker and david-crespo March 10, 2022 00:02

davepacheco marked this pull request as ready for review March 10, 2022 00:02