fleet/server/authz/errors.go

package authz

import (
	"net/http"

	"github.com/fleetdm/fleet/v4/server/fleet"
	platform_http "github.com/fleetdm/fleet/v4/server/platform/http"
)

const (
	// ForbiddenErrorMessage is the error message that should be returned to
	// clients when an action is forbidden. It is intentionally vague to prevent
	// disclosing information that a client should not have access to.
	ForbiddenErrorMessage = "forbidden"
)

// Forbidden is the error type for authorization errors
type Forbidden struct {
	internal string
	subject  *fleet.User
	object   interface{}
	action   interface{}

	fleet.ErrorWithUUID
}

// ForbiddenWithInternal creates a new error that will return a simple
// "forbidden" to the client, logging internally the more detailed message
// provided.
func ForbiddenWithInternal(internal string, subject *fleet.User, object, action interface{}) *Forbidden {
	return &Forbidden{
		internal: internal,
		subject:  subject,
		object:   object,
		action:   action,
	}
}

// Error implements the error interface.
func (e *Forbidden) Error() string {
	return ForbiddenErrorMessage
}

// StatusCode implements the go-kit http StatusCoder interface.
func (e *Forbidden) StatusCode() int {
	return http.StatusForbidden
}

// Forbidden implements platform_authz.Forbidden interface.
func (e *Forbidden) Forbidden() {}

// Internal allows the internal error message to be logged.
func (e *Forbidden) Internal() string {
	return e.internal
}

// LogFields allows this error to be logged with subject, object, and action.
func (e *Forbidden) LogFields() []interface{} {
	// Only logging User's email, and not other details such as Password and Salt.
	email := "nil"
	if e.subject != nil {
		email = e.subject.Email
	}
	return []interface{}{
		"subject", email,
		"object", e.object,
		"action", e.action,
	}
}

// CheckMissing is the error to return when no authorization check was performed
// by the service.
//
// Deprecated: Use platform_http.CheckMissing instead. This alias is kept for
// backward compatibility.
type CheckMissing = platform_http.CheckMissing

// CheckMissingWithResponse creates a new error indicating the authorization
// check was missed, and including the response for further analysis by the error
// encoder.
//
// Deprecated: Use platform_http.CheckMissingWithResponse instead. This alias is
// kept for backward compatibility.
var CheckMissingWithResponse = platform_http.CheckMissingWithResponse
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`package authz`

Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`import (`
			`"net/http"`

Add v4 suffix in go.mod (#1224) 2021-06-26 04:46:51 +00:00			`"github.com/fleetdm/fleet/v4/server/fleet"`
Refactor endpoint_utils for modularization (#36484) Resolves #37192 Separating generic endpoint_utils middleware logic from domain-specific business logic. New bounded contexts would share the generic logic and implement their own domain-specific logic. The two approaches used in this PR are: - Use common `platform` types - Use interfaces In the next PR we will move `endpointer_utils`, `authzcheck` and `ratelimit` into `platform` directory. # Checklist for submitter - [x] Added changes file ## Testing - [x] Added/updated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Refactor * Restructured internal error handling and context management to support bounded context architecture. * Improved error context collection and telemetry observability through a provider-based mechanism. * Decoupled licensing and authentication concerns into interfaces for better modularity. * Chores * Updated internal package dependencies to align with new architectural boundaries. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-12-31 15:12:00 +00:00			`platform_http "github.com/fleetdm/fleet/v4/server/platform/http"`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`)`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`const (`
			`// ForbiddenErrorMessage is the error message that should be returned to`
			`// clients when an action is forbidden. It is intentionally vague to prevent`
			`// disclosing information that a client should not have access to.`
			`ForbiddenErrorMessage = "forbidden"`
			`)`

Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`// Forbidden is the error type for authorization errors`
			`type Forbidden struct {`
			`internal string`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`subject *fleet.User`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`object interface{}`
			`action interface{}`
Add UUID to Fleet errors and clean up error msgs (#10411) #8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ 2023-03-13 16:44:06 +00:00
			`fleet.ErrorWithUUID`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`}`

			`// ForbiddenWithInternal creates a new error that will return a simple`
			`// "forbidden" to the client, logging internally the more detailed message`
			`// provided.`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`func ForbiddenWithInternal(internal string, subject fleet.User, object, action interface{}) Forbidden {`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`return &Forbidden{`
			`internal: internal,`
			`subject: subject,`
			`object: object,`
			`action: action,`
			`}`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`}`

			`// Error implements the error interface.`
			`func (e *Forbidden) Error() string {`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`return ForbiddenErrorMessage`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`}`

Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`// StatusCode implements the go-kit http StatusCoder interface.`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`func (e *Forbidden) StatusCode() int {`
			`return http.StatusForbidden`
			`}`

Activity bounded context: `/api/latest/fleet/activities` (1 of 2) (#38115) <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> Related issue: Resolves #37806 This PR creates an activity bounded context and moves the following HTTP endpoint (including the full vertical slice) there: `/api/latest/fleet/activities` NONE of the other activity functionality is moved! This is an incremental approach starting with just 1 API/service endpoint. A significant part of this PR is tests. This feature is now receiving significantly more unit/integration test coverage than before. Also, this PR does not remove the `ListActivities` datastore method in the legacy code. That will be done in the follow up PR (part 2 of 2). This refactoring effort also uncovered an activity/user authorization issue: https://fleetdm.slack.com/archives/C02A8BRABB5/p1768582236611479 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] Added/updated automated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * New Features * Activity listing API now available with query filtering, date-range filtering, and type-based filtering * Pagination support for activity results with cursor-based and offset-based options * Configurable sorting by creation date or activity ID in ascending or descending order * Automatic enrichment of activity records with actor user details (name, email, avatar) * Role-based access controls applied to activity visibility based on user permissions <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2026-01-19 14:07:14 +00:00			`// Forbidden implements platform_authz.Forbidden interface.`
			`func (e *Forbidden) Forbidden() {}`

Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`// Internal allows the internal error message to be logged.`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`func (e *Forbidden) Internal() string {`
			`return e.internal`
			`}`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00
			`// LogFields allows this error to be logged with subject, object, and action.`
			`func (e *Forbidden) LogFields() []interface{} {`
Fixes to /fleet/queries/run endpoint (#14909) Fixes to /fleet/queries/run endpoint: - now returns 403 for an unauthorized user - now returns 400 when query_ids or host_ids are not specified #11446 and #11901 # Checklist for submitter If some of the following don't apply, delete the relevant line. API clarifications are in a separate PR https://github.com/fleetdm/fleet/pull/14956 - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality 2023-11-06 17:03:42 +00:00			`// Only logging User's email, and not other details such as Password and Salt.`
			`email := "nil"`
			`if e.subject != nil {`
			`email = e.subject.Email`
			`}`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`return []interface{}{`
Fixes to /fleet/queries/run endpoint (#14909) Fixes to /fleet/queries/run endpoint: - now returns 403 for an unauthorized user - now returns 400 when query_ids or host_ids are not specified #11446 and #11901 # Checklist for submitter If some of the following don't apply, delete the relevant line. API clarifications are in a separate PR https://github.com/fleetdm/fleet/pull/14956 - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality 2023-11-06 17:03:42 +00:00			`"subject", email,`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`"object", e.object,`
			`"action", e.action,`
			`}`
			`}`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00
			`// CheckMissing is the error to return when no authorization check was performed`
			`// by the service.`
Refactor endpoint_utils for modularization (#36484) Resolves #37192 Separating generic endpoint_utils middleware logic from domain-specific business logic. New bounded contexts would share the generic logic and implement their own domain-specific logic. The two approaches used in this PR are: - Use common `platform` types - Use interfaces In the next PR we will move `endpointer_utils`, `authzcheck` and `ratelimit` into `platform` directory. # Checklist for submitter - [x] Added changes file ## Testing - [x] Added/updated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Refactor * Restructured internal error handling and context management to support bounded context architecture. * Improved error context collection and telemetry observability through a provider-based mechanism. * Decoupled licensing and authentication concerns into interfaces for better modularity. * Chores * Updated internal package dependencies to align with new architectural boundaries. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-12-31 15:12:00 +00:00			`//`
			`// Deprecated: Use platform_http.CheckMissing instead. This alias is kept for`
			`// backward compatibility.`
			`type CheckMissing = platform_http.CheckMissing`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00
Improved Datastore usage of osquery hosts requests (#3601) * WIP * Amend tests * Do not load aggregated stats for packs * Add option to host lite * Fix remaining TODOs * Fix osquery_utils tests * Fix SQL * Fix SQL (bis) * Restore AuthenticateHost to load once * Code improvements and re-add deferred host save * More fixes to the PR * Wrap users table update on tx * Add caching to ListPacksForHost and ListScheduledQueriesInPack * Remove SaveHostSoftware (replaced by UpdateHostSoftware) * Add unit tests for new functionality * Add changes file * Fix scheduled queries test 2022-01-18 01:52:09 +00:00			`// CheckMissingWithResponse creates a new error indicating the authorization`
			`// check was missed, and including the response for further analysis by the error`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`// encoder.`
Refactor endpoint_utils for modularization (#36484) Resolves #37192 Separating generic endpoint_utils middleware logic from domain-specific business logic. New bounded contexts would share the generic logic and implement their own domain-specific logic. The two approaches used in this PR are: - Use common `platform` types - Use interfaces In the next PR we will move `endpointer_utils`, `authzcheck` and `ratelimit` into `platform` directory. # Checklist for submitter - [x] Added changes file ## Testing - [x] Added/updated tests - [x] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * Refactor * Restructured internal error handling and context management to support bounded context architecture. * Improved error context collection and telemetry observability through a provider-based mechanism. * Decoupled licensing and authentication concerns into interfaces for better modularity. * Chores * Updated internal package dependencies to align with new architectural boundaries. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-12-31 15:12:00 +00:00			`//`
			`// Deprecated: Use platform_http.CheckMissingWithResponse instead. This alias is`
			`// kept for backward compatibility.`
			`var CheckMissingWithResponse = platform_http.CheckMissingWithResponse`