root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 196 Packages Projects Releases Wiki Activity

Secrets: Skip allowlist check when decrypting if the list is empty (#107693)

This commit is contained in:
Matheus Macabu 2025-07-07 15:32:39 +02:00 committed by GitHub
parent 075770070e
commit cc069d301e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/registry/apis/secret/decrypt/authorizer.go
View File

@ -61,8 +61,10 @@ func (a *decryptAuthorizer) Authorize(ctx context.Context, secureValueName strin
// TEMPORARY: while we can't onboard every app into secrets, we can block them from decrypting // TEMPORARY: while we can't onboard every app into secrets, we can block them from decrypting
// securevalues preemptively here before even reaching out to the database. // securevalues preemptively here before even reaching out to the database.
// This check can be removed once we open the gates for any service to use secrets. // This check can be removed once we open the gates for any service to use secrets.
if _, exists := a.allowList[serviceIdentity]; !exists || serviceIdentity == "" { if len(a.allowList) > 0 {
return serviceIdentity, false if _, exists := a.allowList[serviceIdentity]; !exists || serviceIdentity == "" {
return serviceIdentity, false
}
} }
// Checks whether the token has the permission to decrypt secure values. // Checks whether the token has the permission to decrypt secure values.

9
pkg/registry/apis/secret/decrypt/authorizer_test.go
View File

@ -108,6 +108,15 @@ func TestDecryptAuthorizer(t *testing.T) {
require.False(t, allowed) require.False(t, allowed)
}) })
t.Run("when the allow list is empty, it allows all identities", func(t *testing.T) {
ctx := createAuthContext(context.Background(), "identity", []string{"secret.grafana.app/securevalues:decrypt"})
authorizer := ProvideDecryptAuthorizer(tracer, nil)
identity, allowed := authorizer.Authorize(ctx, "", []string{"identity"})
require.NotEmpty(t, identity)
require.True(t, allowed)
})
t.Run("when the identity is not in the allow list, it returns false", func(t *testing.T) { t.Run("when the identity is not in the allow list, it returns false", func(t *testing.T) {
ctx := createAuthContext(context.Background(), "identity", []string{"secret.grafana.app/securevalues:decrypt"}) ctx := createAuthContext(context.Background(), "identity", []string{"secret.grafana.app/securevalues:decrypt"})
authorizer := ProvideDecryptAuthorizer(tracer, map[string]struct{}{"allowed1": {}}) authorizer := ProvideDecryptAuthorizer(tracer, map[string]struct{}{"allowed1": {}})