From 25fd04ea1898b0f565b49f3c25968cd9d81a9c4f Mon Sep 17 00:00:00 2001
From: Lucas Manuel Rodriguez
Date: Tue, 14 Dec 2021 01:53:29 -0300
Subject: [PATCH] Fix team packs rego policy rules (#3356)

---
 changes/issue-3353-team-packs-rego-rules | 1 +
 server/authz/policy.rego | 14 ++---
 server/authz/policy_test.go | 73 ++++++++++++++++++++++++
 server/test/users.go | 13 +++++
 4 files changed, 91 insertions(+), 10 deletions(-)
 create mode 100644 changes/issue-3353-team-packs-rego-rules

diff --git a/changes/issue-3353-team-packs-rego-rules b/changes/issue-3353-team-packs-rego-rules
new file mode 100644
index 0000000000..a97402f6a7
--- /dev/null
+++ b/changes/issue-3353-team-packs-rego-rules
@@ -0,0 +1 @@
+* Fleet Premium: Fix permissions to prevent team observers from editing packs.
diff --git a/server/authz/policy.rego b/server/authz/policy.rego
index 6dee043e7a..26b95f1dfd 100644
--- a/server/authz/policy.rego
+++ b/server/authz/policy.rego
@@ -362,15 +362,10 @@ allow {
 # Packs
 ##
 
-# Global admins and maintainers and team maintainers can read/write packs
+# Global admins and maintainers can read/write all packs
 allow {
   object.type == "pack"
-  subject.global_role == admin
-  action == [read, write][_]
-}
-allow {
-  object.type == "pack"
-  subject.global_role == maintainer
+  subject.global_role == [admin,maintainer][_]
   action == [read, write][_]
 }
 
@@ -382,11 +377,10 @@ allow {
   action == read
 }
 
-# Team admins and maintainers can read their team packs
+# Team admins and maintainers can read/write their team packs
 allow {
-  object.team_ids[_] == subject.teams[_].id
   object.type == "pack"
-  team_role(subject, subject.teams[_].id) == [admin,maintainer][_]
+  team_role(subject, object.team_ids[_]) == [admin,maintainer][_]
   action == [read, write][_]
 }
 
diff --git a/server/authz/policy_test.go b/server/authz/policy_test.go
index 626e84a058..fe5ccdaca8 100644
--- a/server/authz/policy_test.go
+++ b/server/authz/policy_test.go
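Review bot: `team_role(subject, object.team_ids[_])` in the second hunk correctly ties the role lookup to the pack's own teams, which closes the escalation the old pair of unrelated `[_]` iterators allowed, but the match over `object.team_ids` is still existential: a pack whose `team_ids` lists several teams becomes writable by an admin or maintainer of any one of them. The change file and the accompanying tests only exercise single-team packs, so whether that is the intended semantics for multi-team packs (if Fleet produces them — I cannot tell from this hunk) is not pinned anywhere. If every listed team must grant the role, the rule needs a universal check over `object.team_ids` rather than `[_]`; if the existential behavior is intended, a comment such as `# A pack targeting several teams is writable by an admin/maintainer of any of those teams.` above the rule would record the decision. Either way a test with `TeamIDs: []uint{1, 2}` for `test.UserTeamObserverTeam1TeamAdminTeam2` would document the choice. The `team_role` helper and the neighbouring `allow` rules named in the hunk headers are defined outside the hunk.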
@@ -450,6 +450,79 @@ func TestAuthorizePacks(t *testing.T) {
 	})
 }
+func TestAuthorizeTeamPacks(t *testing.T) {
+	t.Parallel()
+
+	runTestCases(t, []authTestCase{
+		// Team maintainer can read packs of the team.
+		{
+			user: test.UserTeamMaintainerTeam1,
+			object: &fleet.Pack{
+				TeamIDs: []uint{1},
+			},
+			action: read,
+			allow: true,
+		},
+		// Team observer cannot read packs of the team.
+		{
+			user: test.UserTeamObserverTeam1TeamAdminTeam2,
+			object: &fleet.Pack{
+				TeamIDs: []uint{1},
+			},
+			action: read,
+			allow: false,
+		},
+		// Team observer cannot write packs of the team.
+		{
+			user: test.UserTeamObserverTeam1TeamAdminTeam2,
+			object: &fleet.Pack{
+				TeamIDs: []uint{1},
+			},
+			action: write,
+			allow: false,
+		},
+		// Members of a team cannot read packs of another team.
+		{
+			user: test.UserTeamAdminTeam1,
+			object: &fleet.Pack{
+				TeamIDs: []uint{2},
+			},
+			action: read,
+			allow: false,
+		},
+		// Members of a team cannot read packs of another team.
+		{
+			user: test.UserTeamAdminTeam1,
+			object: &fleet.Pack{
+				TeamIDs: []uint{2},
+			},
+			action: read,
+			allow: false,
+		},
+		// Team maintainers can read global packs.
+		{
+			user: test.UserTeamMaintainerTeam1,
+			object: &fleet.Pack{},
+			action: read,
+			allow: true,
+		},
+		// Team admins can read global packs.
+		{
+			user: test.UserTeamAdminTeam1,
+			object: &fleet.Pack{},
+			action: read,
+			allow: true,
+		},
+		// Team admins cannot write global packs.
+		{
+			user: test.UserTeamAdminTeam1,
+			object: &fleet.Pack{},
+			action: write,
+			allow: false,
+		},
+	})
+}
+
 func TestAuthorizeCarves(t *testing.T) {
+	t.Parallel()
+
diff --git a/server/test/users.go b/server/test/users.go
index e333006ab1..2d12f48626 100644
--- a/server/test/users.go
+++ b/server/test/users.go
@@ -75,4 +75,17 @@ var (
 			},
 		},
 	}
+	UserTeamObserverTeam1TeamAdminTeam2 = &fleet.User{
+		ID: 11,
+		Teams: []fleet.UserTeam{
+			{
+				Team: fleet.Team{ID: 1},
+				Role: fleet.RoleObserver,
+			},
+			{
+				Team: fleet.Team{ID: 2},
+				Role: fleet.RoleAdmin,
+			},
+		},
+	}
 )
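Review bot: The fourth and fifth cases in `TestAuthorizeTeamPacks` are identical (`test.UserTeamAdminTeam1`, `TeamIDs: []uint{2}`, `action: read`, `allow: false`), so the cross-team write path is never exercised; the second copy was presumably meant to read `action: write,` with its comment changed to `// Members of a team cannot write packs of another team.`. The table also asserts only `read` for `test.UserTeamMaintainerTeam1` on its own team's pack even though the rego comment now promises read/write, so a sibling case with `action: write` and `allow: true` for that user would pin the positive side of the fix rather than only the denial. A case with `test.UserTeamObserverTeam1TeamAdminTeam2` against `TeamIDs: []uint{1, 2}` would additionally document what the policy's `[_]` iteration over `team_ids` grants for multi-team packs, which no current case covers. `runTestCases`, `authTestCase` and the `read`/`write` actions are defined outside the hunk.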