WIP - allow org-admins to modify organizations

In addition to give org-admins permissions to CRUD organizations,
this removes the requirement that in order to modify an organization,
the actor must be a member of the organization.

However, they must still have appropriate permissions to perform any CRUD action
related to an organization.

This supports the multi-tenancy case where a customer has many organizations to manage
but does not necessarily need to admins to be a part of those organizations. The primary
use case is SaaS offering , in which customers have full control over a chef
server installation but do not have local/chef-server-ctl access, and
must keep the pivotal key locked down for security purposes.

This functionality is already available using the pivotal/superuser key, but the
pivotal key should not be widely distributed. This functionality was also originally
intended to be available to org-admins but the completion of that work was never
prioritized.

Signed-off-by: Marc A. Paradise <marc.paradise@progress.com>

omnibus/files/server-ctl-cookbooks/infra-server/libraries/chef_server_data_bootstrap.rb

@@ -38,7 +38,7 @@ def bootstrap
  @superuser_authz_id = create_actor_in_authz(bifrost_superuser_id)
  users_authz_id = create_container_in_authz(superuser_authz_id)
  orgs_authz_id = create_container_in_authz(superuser_authz_id)
- create_server_admins_global_group_in_bifrost(users_authz_id)
+ create_server_admins_global_group_in_bifrost(orgs_authz_id, users_authz_id)
 
  # put pivotal in server-admins global group
  insert_authz_actor_into_group(server_admins_authz_id, superuser_authz_id)
@@ -61,13 +61,19 @@ def bootstrap
  private
 
  # Create and set up permissions for the server admins group.
- def create_server_admins_global_group_in_bifrost(users_authz_id)
+ def create_server_admins_global_group_in_bifrost(orgs_container_authz_id, users_container_authz_id)
  @server_admins_authz_id = create_group_in_authz(bifrost_superuser_id)
  %w(create read update delete).each do |permission|
  # grant server admins group permission on the users container,
  # as the erchef superuser.
- grant_authz_object_permission(permission, 'groups', 'containers', users_authz_id,
+ grant_authz_object_permission(permission, 'groups', 'containers', users_container_authz_id,
  server_admins_authz_id, superuser_authz_id)
+
+ # grant server admins group permission on the organizations container,
+ # as the erchef superuser.
+ grant_authz_object_permission(permission, 'groups', 'containers', orgs_container_authz_id,
+ server_admins_authz_id, superuser_authz_id)
+
  # grant superuser actor permissions on the server admin group,
  # as the bifrost superuser
  grant_authz_object_permission(permission, 'actors', 'groups', server_admins_authz_id,

src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_base.erl

@@ -29,6 +29,8 @@
  content_types_provided/2,
  finish_request/2,
  forbidden/2,
+ is_authorized_no_membership/2, %% verify request signature only
+ is_authorized_no_membership/3, %% verify request signature only with custom extractor
  is_authorized/2, %% verify request signature and org membership if appropriate
  is_authorized/3, %% verify request signature and org membership if appropriate, with custom extractor fun
  malformed_request/2, %% verify request headers and size requirements, call module verify_request
@@ -441,7 +443,23 @@ is_authorized(Req, State, Extractor) ->
  end;
  {false, ReqOther, StateOther} ->
  %% FIXME: the supported version is determined by the chef_authn application
- %% also, see: https://wiki.corp.chef.io/display/CORP/RFC+Authentication+Version+Negotiation
+ {"X-Ops-Sign version=\"1.0\" version=\"1.1\"", ReqOther, StateOther};
+ {{halt, _Code}, _Req, _State} = Halt -> Halt
+ end.
+
+is_authorized_no_membership(Req, State) ->
+ is_authorized_no_membership(Req, State, fun authorization_data_extractor/3).
+
+%% Verify request signature but do not verify org membership. Modules
+%% can invoke this directly instead of mixing in the default is_verified/2
+%% if they rely only on permissions for authorization and not org membership.
+-spec is_authorized_no_membership(wm_req(), #base_state{}, extractor()) -> any().
+is_authorized_no_membership(Req, State, Extractor) ->
+ case verify_request_signature(Req, State, Extractor) of
+ {true, _, _} = Result ->
+ Result;
+ {false, ReqOther, StateOther} ->
+ %% FIXME: the supported version is determined by the chef_authn application
  {"X-Ops-Sign version=\"1.0\" version=\"1.1\"", ReqOther, StateOther};
  {{halt, _Code}, _Req, _State} = Halt -> Halt
  end.

src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_named_organization.erl

@@ -14,7 +14,6 @@
  malformed_request/2,
  ping/2,
  forbidden/2,
- is_authorized/2,
  service_available/2]}]).
 
 -export([allowed_methods/2,
@@ -28,6 +27,7 @@
 -export([auth_info/2,
  init/1,
  init_resource_state/1,
+ is_authorized/2,
  malformed_request_message/3,
  request_type/0,
  validate_request/3]).
@@ -47,6 +47,13 @@ request_type() ->
 allowed_methods(Req, State) ->
  {['GET', 'PUT', 'DELETE'], Req, State}.
 
+
+is_authorized(Req, State) ->
+ %% To support management of multi-tenant installations by users w/ appropriate permissions
+ %% who are not the superuser, the user does not need to be a member of the organization
+ %% to operate on the organization.
+ oc_chef_wm_base:is_authorized_no_membership(Req, State).
+
 -spec validate_request(chef_wm:http_verb(), wm_req(), chef_wm:base_state()) ->
  {wm_req(), chef_wm:base_state()}.
 validate_request(Method, Req, State = #base_state{organization_guid = OrgId}) when Method == 'GET';

src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_org_associations.erl

@@ -28,7 +28,6 @@
  malformed_request/2,
  ping/2,
  forbidden/2,
- is_authorized/2,
  service_available/2]}]).
 
 -export([allowed_methods/2,
@@ -43,6 +42,7 @@
 -export([auth_info/2,
  init/1,
  init_resource_state/1,
+ is_authorized/2,
  malformed_request_message/3,
  create_path/2,
  request_type/0,
@@ -67,6 +67,13 @@ allowed_methods(Req, State) ->
  end,
  {Allowed, Req, State}.
 
+is_authorized(Req, State) ->
+ % To support management of multi-tenant installations by users w/ appropriate permissions
+ % who are not superusers, a user with appropriate ACLs does not need to be a member of
+ % the organization to operate on the organization - that includes the operations of this endpoint,
+ % CRD against org members.
+ chef_wm_base:is_authorized_no_membership(Req, State).
+
 -spec validate_request(chef_wm:http_verb(), wm_req(), chef_wm:base_state()) ->
  {wm_req(), chef_wm:base_state()}.
 validate_request('POST', Req, #base_state{chef_db_context = DbContext} = State) ->
@@ -117,14 +124,14 @@ auth_info(Req, #base_state{organization_name = OrgName,
 auth_info(Req, #base_state{requestor_id = RequestorAuthzId,
  organization_authz_id = OrgAuthzId,
  resource_state = #association_state{user = User} } = State) ->
- case wrq:method(Req) of
- 'POST' ->
- % Only the superuser can force-create an org-user association
-  {superuser_only, Req, State};
-  Method ->
-  {auth_type_for_method(Method, User, OrgAuthzId, RequestorAuthzId), Req, State}
- end.
-
+ {auth_type_for_method(wrq:method(req), User, OrgAuthzId, RequestorAuthzId), Req, State}.
+
+auth_type_for_method('POST', #chef_user{ authz_id = UserAuthzId }, OrgAuthzId, RequestorAuthzId) ->
+ %% requestor must have:
+ %% - update permissions in org (should not require membership in org)
+ %% - read permissions on user
+ %% - update permissions on org_user_association
+ [{object, OrgAuthzId, update}, {actor, UserAuthzId, read}, {object, OrgAuthzId, update}];
 auth_type_for_method('DELETE', #chef_user{ authz_id = UserAuthzId }, _OrgAuthzId, UserAuthzId) ->
  %% permissions-wise, user can always disassociate his or her own org association
  %% though we'll have additional safety checks below as well.

src/oc_erchef/habitat/config/chef_server_data_bootstrap.rb

@@ -23,7 +23,7 @@ def self.with_connection(database = 'template1', opts = {})
  postgres['db_superuser']="{{cfg.sql_user}}"
  postgres['db_superuser_password']="{{cfg.sql_password}}"
 {{/if}}
- 
+
  connection = nil
 
  # Some callers expect failure - this gives the option to suppress
@@ -118,7 +118,7 @@ def bootstrap
 
  users_authz_id = create_container_in_authz(superuser_authz_id)
  orgs_authz_id = create_container_in_authz(superuser_authz_id)
- create_server_admins_global_group_in_bifrost(users_authz_id)
+ create_server_admins_global_group_in_bifrost(orgs_authz_id, users_authz_id)
 
  # put pivotal in server-admins global group
  insert_authz_actor_into_group(server_admins_authz_id, superuser_authz_id)
@@ -142,13 +142,19 @@ def bootstrap
  private
 
  # Create and set up permissions for the server admins group.
- def create_server_admins_global_group_in_bifrost(users_authz_id)
+ def create_server_admins_global_group_in_bifrost(orgs_container_authz_id, users_container_authz_id)
  @server_admins_authz_id = create_group_in_authz(bifrost_superuser_id)
  %w{create read update delete}.each do |permission|
  # grant server admins group permission on the users container,
  # as the erchef superuser.
  grant_authz_object_permission(permission, "groups", "containers", users_authz_id,
  server_admins_authz_id, superuser_authz_id)
+
+ # grant server admins group permission on the organizations container,
+ # as the erchef superuser.
+ grant_authz_object_permission(permission, 'groups', 'containers', orgs_container_authz_id,
+ server_admins_authz_id, superuser_authz_id)
+
  # grant superuser actor permissions on the server admin group,
  # as the bifrost superuser
  grant_authz_object_permission(permission, "actors", "groups", server_admins_authz_id,
@@ -381,7 +387,7 @@ def load_superuser_public_key()
  @superuser_public_key = "DUMMY KEY FROM BOOTSTRAP"
 {{/if}}
  end
- 
+
  def load_bifrost()
  bifrost={}
 {{#if bind.oc_bifrost}}