Use canPerformActions authZ check appropriately in handlers (#625)

Fixes #282
2026-05-23 08:58:41 +00:00 · 2016-12-13 08:57:49 -08:00 · 2016-12-13 08:57:49 -08:00 · 556cbf43bd
commit 556cbf43bd
parent e1de01a2f8
1 changed files with 34 additions and 28 deletions
--- a/server/service/handler.go
+++ b/server/service/handler.go
@ -75,7 +75,13 @@ func MakeKolideServerEndpoints(svc kolide.Service, jwtKey string) KolideEndpoint
 		CreateUser:     makeCreateUserEndpoint(svc),

 		// Authenticated user endpoints
-		Me:                             authenticatedUser(jwtKey, svc, makeGetSessionUserEndpoint(svc)),
+		// Each of these endpoints should have exactly one
+		// authorization check around the make.*Endpoint method. At a
+		// minimum, canPerformActions. Some endpoints use
+		// stricter/different checks and should NOT also use
+		// canPerformActions (these other checks should also call
+		// canPerformActions if that is appropriate).
+		Me:                             authenticatedUser(jwtKey, svc, canPerformActions(makeGetSessionUserEndpoint(svc))),
 		GetUser:                        authenticatedUser(jwtKey, svc, canReadUser(makeGetUserEndpoint(svc))),
 		ListUsers:                      authenticatedUser(jwtKey, svc, canPerformActions(makeListUsersEndpoint(svc))),
 		ModifyUser:                     authenticatedUser(jwtKey, svc, validateModifyUserRequest(makeModifyUserEndpoint(svc))),
@ -83,37 +89,37 @@ func MakeKolideServerEndpoints(svc kolide.Service, jwtKey string) KolideEndpoint
 		DeleteSessionsForUser:          authenticatedUser(jwtKey, svc, canModifyUser(makeDeleteSessionsForUserEndpoint(svc))),
 		GetSessionInfo:                 authenticatedUser(jwtKey, svc, mustBeAdmin(makeGetInfoAboutSessionEndpoint(svc))),
 		DeleteSession:                  authenticatedUser(jwtKey, svc, mustBeAdmin(makeDeleteSessionEndpoint(svc))),
-		GetAppConfig:                   authenticatedUser(jwtKey, svc, makeGetAppConfigEndpoint(svc)),
+		GetAppConfig:                   authenticatedUser(jwtKey, svc, canPerformActions(makeGetAppConfigEndpoint(svc))),
 		ModifyAppConfig:                authenticatedUser(jwtKey, svc, mustBeAdmin(makeModifyAppConfigRequest(svc))),
 		CreateInvite:                   authenticatedUser(jwtKey, svc, mustBeAdmin(makeCreateInviteEndpoint(svc))),
 		ListInvites:                    authenticatedUser(jwtKey, svc, mustBeAdmin(makeListInvitesEndpoint(svc))),
 		DeleteInvite:                   authenticatedUser(jwtKey, svc, mustBeAdmin(makeDeleteInviteEndpoint(svc))),
-		GetQuery:                       authenticatedUser(jwtKey, svc, makeGetQueryEndpoint(svc)),
-		ListQueries:                    authenticatedUser(jwtKey, svc, makeListQueriesEndpoint(svc)),
-		CreateQuery:                    authenticatedUser(jwtKey, svc, makeCreateQueryEndpoint(svc)),
-		ModifyQuery:                    authenticatedUser(jwtKey, svc, makeModifyQueryEndpoint(svc)),
-		DeleteQuery:                    authenticatedUser(jwtKey, svc, makeDeleteQueryEndpoint(svc)),
-		DeleteQueries:                  authenticatedUser(jwtKey, svc, makeDeleteQueriesEndpoint(svc)),
-		CreateDistributedQueryCampaign: authenticatedUser(jwtKey, svc, makeCreateDistributedQueryCampaignEndpoint(svc)),
-		GetPack:             authenticatedUser(jwtKey, svc, makeGetPackEndpoint(svc)),
-		ListPacks:           authenticatedUser(jwtKey, svc, makeListPacksEndpoint(svc)),
-		CreatePack:          authenticatedUser(jwtKey, svc, makeCreatePackEndpoint(svc)),
-		ModifyPack:          authenticatedUser(jwtKey, svc, makeModifyPackEndpoint(svc)),
-		DeletePack:          authenticatedUser(jwtKey, svc, makeDeletePackEndpoint(svc)),
-		AddQueryToPack:      authenticatedUser(jwtKey, svc, makeAddQueryToPackEndpoint(svc)),
-		GetQueriesInPack:    authenticatedUser(jwtKey, svc, makeGetQueriesInPackEndpoint(svc)),
-		DeleteQueryFromPack: authenticatedUser(jwtKey, svc, makeDeleteQueryFromPackEndpoint(svc)),
-		GetHost:             authenticatedUser(jwtKey, svc, makeGetHostEndpoint(svc)),
-		ListHosts:           authenticatedUser(jwtKey, svc, makeListHostsEndpoint(svc)),
-		DeleteHost:          authenticatedUser(jwtKey, svc, makeDeleteHostEndpoint(svc)),
-		GetLabel:            authenticatedUser(jwtKey, svc, makeGetLabelEndpoint(svc)),
-		ListLabels:          authenticatedUser(jwtKey, svc, makeListLabelsEndpoint(svc)),
-		CreateLabel:         authenticatedUser(jwtKey, svc, makeCreateLabelEndpoint(svc)),
-		DeleteLabel:         authenticatedUser(jwtKey, svc, makeDeleteLabelEndpoint(svc)),
-		AddLabelToPack:      authenticatedUser(jwtKey, svc, makeAddLabelToPackEndpoint(svc)),
-		GetLabelsForPack:    authenticatedUser(jwtKey, svc, makeGetLabelsForPackEndpoint(svc)),
-		DeleteLabelFromPack: authenticatedUser(jwtKey, svc, makeDeleteLabelFromPackEndpoint(svc)),
-		SearchTargets:       authenticatedUser(jwtKey, svc, makeSearchTargetsEndpoint(svc)),
+		GetQuery:                       authenticatedUser(jwtKey, svc, canPerformActions(makeGetQueryEndpoint(svc))),
+		ListQueries:                    authenticatedUser(jwtKey, svc, canPerformActions(makeListQueriesEndpoint(svc))),
+		CreateQuery:                    authenticatedUser(jwtKey, svc, canPerformActions(makeCreateQueryEndpoint(svc))),
+		ModifyQuery:                    authenticatedUser(jwtKey, svc, canPerformActions(makeModifyQueryEndpoint(svc))),
+		DeleteQuery:                    authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteQueryEndpoint(svc))),
+		DeleteQueries:                  authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteQueriesEndpoint(svc))),
+		CreateDistributedQueryCampaign: authenticatedUser(jwtKey, svc, canPerformActions(makeCreateDistributedQueryCampaignEndpoint(svc))),
+		GetPack:             authenticatedUser(jwtKey, svc, canPerformActions(makeGetPackEndpoint(svc))),
+		ListPacks:           authenticatedUser(jwtKey, svc, canPerformActions(makeListPacksEndpoint(svc))),
+		CreatePack:          authenticatedUser(jwtKey, svc, canPerformActions(makeCreatePackEndpoint(svc))),
+		ModifyPack:          authenticatedUser(jwtKey, svc, canPerformActions(makeModifyPackEndpoint(svc))),
+		DeletePack:          authenticatedUser(jwtKey, svc, canPerformActions(makeDeletePackEndpoint(svc))),
+		AddQueryToPack:      authenticatedUser(jwtKey, svc, canPerformActions(makeAddQueryToPackEndpoint(svc))),
+		GetQueriesInPack:    authenticatedUser(jwtKey, svc, canPerformActions(makeGetQueriesInPackEndpoint(svc))),
+		DeleteQueryFromPack: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteQueryFromPackEndpoint(svc))),
+		GetHost:             authenticatedUser(jwtKey, svc, canPerformActions(makeGetHostEndpoint(svc))),
+		ListHosts:           authenticatedUser(jwtKey, svc, canPerformActions(makeListHostsEndpoint(svc))),
+		DeleteHost:          authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteHostEndpoint(svc))),
+		GetLabel:            authenticatedUser(jwtKey, svc, canPerformActions(makeGetLabelEndpoint(svc))),
+		ListLabels:          authenticatedUser(jwtKey, svc, canPerformActions(makeListLabelsEndpoint(svc))),
+		CreateLabel:         authenticatedUser(jwtKey, svc, canPerformActions(makeCreateLabelEndpoint(svc))),
+		DeleteLabel:         authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteLabelEndpoint(svc))),
+		AddLabelToPack:      authenticatedUser(jwtKey, svc, canPerformActions(makeAddLabelToPackEndpoint(svc))),
+		GetLabelsForPack:    authenticatedUser(jwtKey, svc, canPerformActions(makeGetLabelsForPackEndpoint(svc))),
+		DeleteLabelFromPack: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteLabelFromPackEndpoint(svc))),
+		SearchTargets:       authenticatedUser(jwtKey, svc, canPerformActions(makeSearchTargetsEndpoint(svc))),

 		// Osquery endpoints
 		EnrollAgent:                   makeEnrollAgentEndpoint(svc),