From 556cbf43bd36b5b83608903dd6e03633c6556710 Mon Sep 17 00:00:00 2001 From: Zachary Wasserman Date: Tue, 13 Dec 2016 08:57:49 -0800 Subject: [PATCH] Use canPerformActions authZ check appropriately in handlers (#625) Fixes #282 --- server/service/handler.go | 62 +++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 28 deletions(-) diff --git a/server/service/handler.go b/server/service/handler.go index ef3fac9144..bfac7ccdb7 100644 --- a/server/service/handler.go +++ b/server/service/handler.go @@ -75,7 +75,13 @@ func MakeKolideServerEndpoints(svc kolide.Service, jwtKey string) KolideEndpoint CreateUser: makeCreateUserEndpoint(svc), // Authenticated user endpoints - Me: authenticatedUser(jwtKey, svc, makeGetSessionUserEndpoint(svc)), + // Each of these endpoints should have exactly one + // authorization check around the make.*Endpoint method. At a + // minimum, canPerformActions. Some endpoints use + // stricter/different checks and should NOT also use + // canPerformActions (these other checks should also call + // canPerformActions if that is appropriate). + Me: authenticatedUser(jwtKey, svc, canPerformActions(makeGetSessionUserEndpoint(svc))), GetUser: authenticatedUser(jwtKey, svc, canReadUser(makeGetUserEndpoint(svc))), ListUsers: authenticatedUser(jwtKey, svc, canPerformActions(makeListUsersEndpoint(svc))), ModifyUser: authenticatedUser(jwtKey, svc, validateModifyUserRequest(makeModifyUserEndpoint(svc))), @@ -83,37 +89,37 @@ func MakeKolideServerEndpoints(svc kolide.Service, jwtKey string) KolideEndpoint DeleteSessionsForUser: authenticatedUser(jwtKey, svc, canModifyUser(makeDeleteSessionsForUserEndpoint(svc))), GetSessionInfo: authenticatedUser(jwtKey, svc, mustBeAdmin(makeGetInfoAboutSessionEndpoint(svc))), DeleteSession: authenticatedUser(jwtKey, svc, mustBeAdmin(makeDeleteSessionEndpoint(svc))), - GetAppConfig: authenticatedUser(jwtKey, svc, makeGetAppConfigEndpoint(svc)), + GetAppConfig: authenticatedUser(jwtKey, svc, canPerformActions(makeGetAppConfigEndpoint(svc))), ModifyAppConfig: authenticatedUser(jwtKey, svc, mustBeAdmin(makeModifyAppConfigRequest(svc))), CreateInvite: authenticatedUser(jwtKey, svc, mustBeAdmin(makeCreateInviteEndpoint(svc))), ListInvites: authenticatedUser(jwtKey, svc, mustBeAdmin(makeListInvitesEndpoint(svc))), DeleteInvite: authenticatedUser(jwtKey, svc, mustBeAdmin(makeDeleteInviteEndpoint(svc))), - GetQuery: authenticatedUser(jwtKey, svc, makeGetQueryEndpoint(svc)), - ListQueries: authenticatedUser(jwtKey, svc, makeListQueriesEndpoint(svc)), - CreateQuery: authenticatedUser(jwtKey, svc, makeCreateQueryEndpoint(svc)), - ModifyQuery: authenticatedUser(jwtKey, svc, makeModifyQueryEndpoint(svc)), - DeleteQuery: authenticatedUser(jwtKey, svc, makeDeleteQueryEndpoint(svc)), - DeleteQueries: authenticatedUser(jwtKey, svc, makeDeleteQueriesEndpoint(svc)), - CreateDistributedQueryCampaign: authenticatedUser(jwtKey, svc, makeCreateDistributedQueryCampaignEndpoint(svc)), - GetPack: authenticatedUser(jwtKey, svc, makeGetPackEndpoint(svc)), - ListPacks: authenticatedUser(jwtKey, svc, makeListPacksEndpoint(svc)), - CreatePack: authenticatedUser(jwtKey, svc, makeCreatePackEndpoint(svc)), - ModifyPack: authenticatedUser(jwtKey, svc, makeModifyPackEndpoint(svc)), - DeletePack: authenticatedUser(jwtKey, svc, makeDeletePackEndpoint(svc)), - AddQueryToPack: authenticatedUser(jwtKey, svc, makeAddQueryToPackEndpoint(svc)), - GetQueriesInPack: authenticatedUser(jwtKey, svc, makeGetQueriesInPackEndpoint(svc)), - DeleteQueryFromPack: authenticatedUser(jwtKey, svc, makeDeleteQueryFromPackEndpoint(svc)), - GetHost: authenticatedUser(jwtKey, svc, makeGetHostEndpoint(svc)), - ListHosts: authenticatedUser(jwtKey, svc, makeListHostsEndpoint(svc)), - DeleteHost: authenticatedUser(jwtKey, svc, makeDeleteHostEndpoint(svc)), - GetLabel: authenticatedUser(jwtKey, svc, makeGetLabelEndpoint(svc)), - ListLabels: authenticatedUser(jwtKey, svc, makeListLabelsEndpoint(svc)), - CreateLabel: authenticatedUser(jwtKey, svc, makeCreateLabelEndpoint(svc)), - DeleteLabel: authenticatedUser(jwtKey, svc, makeDeleteLabelEndpoint(svc)), - AddLabelToPack: authenticatedUser(jwtKey, svc, makeAddLabelToPackEndpoint(svc)), - GetLabelsForPack: authenticatedUser(jwtKey, svc, makeGetLabelsForPackEndpoint(svc)), - DeleteLabelFromPack: authenticatedUser(jwtKey, svc, makeDeleteLabelFromPackEndpoint(svc)), - SearchTargets: authenticatedUser(jwtKey, svc, makeSearchTargetsEndpoint(svc)), + GetQuery: authenticatedUser(jwtKey, svc, canPerformActions(makeGetQueryEndpoint(svc))), + ListQueries: authenticatedUser(jwtKey, svc, canPerformActions(makeListQueriesEndpoint(svc))), + CreateQuery: authenticatedUser(jwtKey, svc, canPerformActions(makeCreateQueryEndpoint(svc))), + ModifyQuery: authenticatedUser(jwtKey, svc, canPerformActions(makeModifyQueryEndpoint(svc))), + DeleteQuery: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteQueryEndpoint(svc))), + DeleteQueries: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteQueriesEndpoint(svc))), + CreateDistributedQueryCampaign: authenticatedUser(jwtKey, svc, canPerformActions(makeCreateDistributedQueryCampaignEndpoint(svc))), + GetPack: authenticatedUser(jwtKey, svc, canPerformActions(makeGetPackEndpoint(svc))), + ListPacks: authenticatedUser(jwtKey, svc, canPerformActions(makeListPacksEndpoint(svc))), + CreatePack: authenticatedUser(jwtKey, svc, canPerformActions(makeCreatePackEndpoint(svc))), + ModifyPack: authenticatedUser(jwtKey, svc, canPerformActions(makeModifyPackEndpoint(svc))), + DeletePack: authenticatedUser(jwtKey, svc, canPerformActions(makeDeletePackEndpoint(svc))), + AddQueryToPack: authenticatedUser(jwtKey, svc, canPerformActions(makeAddQueryToPackEndpoint(svc))), + GetQueriesInPack: authenticatedUser(jwtKey, svc, canPerformActions(makeGetQueriesInPackEndpoint(svc))), + DeleteQueryFromPack: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteQueryFromPackEndpoint(svc))), + GetHost: authenticatedUser(jwtKey, svc, canPerformActions(makeGetHostEndpoint(svc))), + ListHosts: authenticatedUser(jwtKey, svc, canPerformActions(makeListHostsEndpoint(svc))), + DeleteHost: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteHostEndpoint(svc))), + GetLabel: authenticatedUser(jwtKey, svc, canPerformActions(makeGetLabelEndpoint(svc))), + ListLabels: authenticatedUser(jwtKey, svc, canPerformActions(makeListLabelsEndpoint(svc))), + CreateLabel: authenticatedUser(jwtKey, svc, canPerformActions(makeCreateLabelEndpoint(svc))), + DeleteLabel: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteLabelEndpoint(svc))), + AddLabelToPack: authenticatedUser(jwtKey, svc, canPerformActions(makeAddLabelToPackEndpoint(svc))), + GetLabelsForPack: authenticatedUser(jwtKey, svc, canPerformActions(makeGetLabelsForPackEndpoint(svc))), + DeleteLabelFromPack: authenticatedUser(jwtKey, svc, canPerformActions(makeDeleteLabelFromPackEndpoint(svc))), + SearchTargets: authenticatedUser(jwtKey, svc, canPerformActions(makeSearchTargetsEndpoint(svc))), // Osquery endpoints EnrollAgent: makeEnrollAgentEndpoint(svc),