From 419fb2aaa20941ae07d03b7d5cf32c8f5b84c6d5 Mon Sep 17 00:00:00 2001
From: Ken Sipe
Date: Wed, 20 Dec 2017 08:09:46 -0600
Subject: [PATCH] switching to contravariance for security of the plugin. resulting in discovery of incorrect auth on group (#5841)

---
 .../mesosphere/marathon/plugin/auth/AuthorizedAction.scala | 2 +-
 .../mesosphere/marathon/api/akkahttp/v2/AppsController.scala | 4 ++--
 .../scala/mesosphere/marathon/api/v2/GroupsResource.scala | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/plugin-interface/src/main/scala/mesosphere/marathon/plugin/auth/AuthorizedAction.scala b/plugin-interface/src/main/scala/mesosphere/marathon/plugin/auth/AuthorizedAction.scala
index 15bc7e2d75a..da4977d94c7 100644
--- a/plugin-interface/src/main/scala/mesosphere/marathon/plugin/auth/AuthorizedAction.scala
+++ b/plugin-interface/src/main/scala/mesosphere/marathon/plugin/auth/AuthorizedAction.scala
@@ -9,7 +9,7 @@ import mesosphere.marathon.plugin.{ Group, RunSpec }
 *
 * @tparam R the type of the resource.
 */
-sealed trait AuthorizedAction[+R]
+sealed trait AuthorizedAction[-R]
 /**
 * The following objects will be passed to the Authorizer when an action affects an application, in order to identify
diff --git a/src/main/scala/mesosphere/marathon/api/akkahttp/v2/AppsController.scala b/src/main/scala/mesosphere/marathon/api/akkahttp/v2/AppsController.scala
index 98e1379eeda..34af6919b72 100644
--- a/src/main/scala/mesosphere/marathon/api/akkahttp/v2/AppsController.scala
+++ b/src/main/scala/mesosphere/marathon/api/akkahttp/v2/AppsController.scala
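Review bot: The variance flip on `sealed trait AuthorizedAction[-R]` is the load-bearing type check of this change, yet the Scaladoc above it still only says `@tparam R the type of the resource.` and gives no reason for the contravariance, so the next maintainer may well "fix" it back to `+R`. With `+R` an `AuthorizedAction[RunSpec]` widened to an action of any supertype, so a call like `checkAuthorization(CreateRunSpec, someGroup)` presumably type-checked by inferring a common supertype for `R`; with `-R` an action declared for one resource type can only be paired with that type or a subtype, which is what surfaces the mismatch in GroupsResource. I would extend the tparam line to `@tparam R the type of the resource; contravariant so that an action defined for one resource type cannot be passed together with an unrelated resource (e.g. a Group with a RunSpec action) — the compiler rejects the pair instead of widening R.` Since this trait is part of the plugin interface, plugin code that kept actions in a collection typed by a common supertype may stop compiling, which is presumably acceptable but deserves a changelog line.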
@@ -17,7 +17,7 @@ import mesosphere.marathon.core.appinfo._
 import mesosphere.marathon.core.deployment.DeploymentPlan
 import mesosphere.marathon.core.group.GroupManager
 import mesosphere.marathon.core.plugin.PluginManager
-import mesosphere.marathon.plugin.auth.{ Authenticator => MarathonAuthenticator, Authorizer, CreateRunSpec, Identity, ViewResource }
+import mesosphere.marathon.plugin.auth.{ Authorizer, CreateRunSpec, Identity, ViewResource, ViewRunSpec, Authenticator => MarathonAuthenticator }
 import mesosphere.marathon.state.{ AppDefinition, Identifiable, PathId }
 import play.api.libs.json.Json
 import PathId._
@@ -105,7 +105,7 @@ class AppsController(
 case None => reject(Rejections.EntityNotFound.app(appId))
 case Some(info) =>
- authorized(ViewResource, info.app).apply {
+ authorized(ViewRunSpec, info.app).apply {
 complete(Json.obj("app" -> info))
 }
 }
diff --git a/src/main/scala/mesosphere/marathon/api/v2/GroupsResource.scala b/src/main/scala/mesosphere/marathon/api/v2/GroupsResource.scala
index 5b0a75727a8..8943d4bcf88 100644
--- a/src/main/scala/mesosphere/marathon/api/v2/GroupsResource.scala
+++ b/src/main/scala/mesosphere/marathon/api/v2/GroupsResource.scala
@@ -333,7 +333,7 @@ class GroupsResource @Inject() (
 val updatedGroup: Group = Raml.fromRaml(
 GroupConversion(groupUpdate, group, newVersion) -> appConversionFunc)
- maybeExistingGroup.fold(checkAuthorization(CreateRunSpec, updatedGroup))(checkAuthorization(UpdateGroup, _))
+ maybeExistingGroup.fold(checkAuthorization(UpdateGroup, updatedGroup))(checkAuthorization(UpdateGroup, _))
 rootGroup.putGroup(updatedGroup, newVersion)
 }
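Review bot: `authorized(ViewRunSpec, info.app)` changes which action an Authorizer plugin is asked about for a single-app GET, from the generic `ViewResource` to the run-spec-specific `ViewRunSpec`, and nothing in the commit pins that down. A plugin that grants `ViewResource` but restricts `ViewRunSpec` (or the reverse) answers differently after this patch, so a controller test asserting that the authorizer receives `ViewRunSpec` for this route, plus a changelog entry, would keep the behaviour from drifting again. `ViewResource` is still imported on the new import line, presumably for other routes in this file outside the hunk; if it is no longer used anywhere, drop it rather than leave an unused import. The enclosing route definition starts and ends outside the hunk.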
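Review bot: Both branches of the `fold` on the new GroupsResource line now use `UpdateGroup`, so the authorizer is asked the same question whether the group already exists or is being created, and the `fold` no longer distinguishes anything. The removed `CreateRunSpec` was the wrong resource type (hence the compile error after the variance change), but its intent was evidently create-versus-update; if the plugin interface defines a create action for groups alongside `UpdateGroup` (it defines `CreateRunSpec` for run specs), the `None` branch should use that one, because an authorizer policy that permits updating existing groups but not creating new ones would otherwise not be consulted on creation. If authorizing creation as an update is really the intended policy, collapse the line to `checkAuthorization(UpdateGroup, maybeExistingGroup.getOrElse(updatedGroup))` and add a comment stating that group creation is deliberately checked as `UpdateGroup`. The enclosing method starts and ends outside the hunk.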