Fix policy rego bug with fleet policies (#3331)

* Fix policy rego bug with fleet policies * Simplify rego policy fix
2026-05-23 00:49:03 +00:00 · 2021-12-10 11:47:41 -03:00 · 2021-12-10 11:47:41 -03:00 · 8bbc52bbff
commit 8bbc52bbff
parent 9e905f8e10
4 changed files with 56 additions and 10 deletions
--- a/changes/issue-policy-rego-bug-in-fleet-policies
+++ b/changes/issue-policy-rego-bug-in-fleet-policies
@ -0,0 +1 @@
+* Fix bug in rego policy for fleet policies.
--- a/server/authz/policy.rego
+++ b/server/authz/policy.rego
@ -405,14 +405,14 @@ allow {
 # Policies
 ##

-# Global Admin and Maintainer users can read and write policies
+# Global Admin can read and write policies
 allow {
  object.type == "policy"
  subject.global_role == admin
  action == [read, write][_]
 }

-# Global maintainer can read and write global policies
+# Global Maintainer can read and write global policies
 allow {
  is_null(object.team_id)
  object.type == "policy"
@ -430,9 +430,8 @@ allow {
 # Team admin and maintainers can read and write policies for their teams
 allow {
  not is_null(object.team_id)
-  object.team_id == subject.teams[_].id
  object.type == "policy"
-  team_role(subject, subject.teams[_].id) == [admin,maintainer][_]
+  team_role(subject, object.team_id) == [admin,maintainer][_]
  action == [read, write][_]
 }

@ -444,13 +443,12 @@ allow {
  action == read
 }

-# Team Observer can read policies
+# Team Observer can read policies for their teams
 allow {
  not is_null(object.team_id)
-  object.team_id == subject.teams[_].id
  object.type == "policy"
-  team_role(subject, subject.teams[_].id) == observer
-  action == [read][_]
+  team_role(subject, object.team_id) == observer
+  action == read
 }

 ##
--- a/server/service/global_policies_test.go
+++ b/server/service/global_policies_test.go
@ -21,7 +21,11 @@ func TestGlobalPoliciesAuth(t *testing.T) {
 		return nil, nil
 	}
 	ds.PolicyFunc = func(ctx context.Context, id uint) (*fleet.Policy, error) {
-		return nil, nil
+		return &fleet.Policy{
+			PolicyData: fleet.PolicyData{
+				ID: id,
+			},
+		}, nil
 	}
 	ds.DeleteGlobalPoliciesFunc = func(ctx context.Context, ids []uint) ([]uint, error) {
 		return nil, nil
@ -35,6 +39,9 @@ func TestGlobalPoliciesAuth(t *testing.T) {
 	ds.NewActivityFunc = func(ctx context.Context, user *fleet.User, activityType string, details *map[string]interface{}) error {
 		return nil
 	}
+	ds.SavePolicyFunc = func(ctx context.Context, p *fleet.Policy) error {
+		return nil
+	}

 	testCases := []struct {
 		name            string
@ -95,6 +102,9 @@ func TestGlobalPoliciesAuth(t *testing.T) {
 			_, err = svc.GetPolicyByIDQueries(ctx, 1)
 			checkAuthErr(t, tt.shouldFailRead, err)

+			_, err = svc.ModifyGlobalPolicy(ctx, 1, fleet.ModifyPolicyPayload{})
+			checkAuthErr(t, tt.shouldFailWrite, err)
+
 			_, err = svc.DeleteGlobalPolicies(ctx, []uint{1})
 			checkAuthErr(t, tt.shouldFailWrite, err)

--- a/server/service/team_policies_test.go
+++ b/server/service/team_policies_test.go
@ -17,7 +17,12 @@ func TestTeamPoliciesAuth(t *testing.T) {
 	svc := newTestService(ds, nil, nil)

 	ds.NewTeamPolicyFunc = func(ctx context.Context, teamID uint, authorID *uint, args fleet.PolicyPayload) (*fleet.Policy, error) {
-		return &fleet.Policy{}, nil
+		return &fleet.Policy{
+			PolicyData: fleet.PolicyData{
+				ID:     1,
+				TeamID: ptr.Uint(1),
+			},
+		}, nil
 	}
 	ds.ListTeamPoliciesFunc = func(ctx context.Context, teamID uint) ([]*fleet.Policy, error) {
 		return nil, nil
@ -25,6 +30,20 @@ func TestTeamPoliciesAuth(t *testing.T) {
 	ds.TeamPolicyFunc = func(ctx context.Context, teamID uint, policyID uint) (*fleet.Policy, error) {
 		return nil, nil
 	}
+	ds.PolicyFunc = func(ctx context.Context, id uint) (*fleet.Policy, error) {
+		if id == 1 {
+			return &fleet.Policy{
+				PolicyData: fleet.PolicyData{
+					ID:     1,
+					TeamID: ptr.Uint(1),
+				},
+			}, nil
+		}
+		return nil, nil
+	}
+	ds.SavePolicyFunc = func(ctx context.Context, p *fleet.Policy) error {
+		return nil
+	}
 	ds.DeleteTeamPoliciesFunc = func(ctx context.Context, teamID uint, ids []uint) ([]uint, error) {
 		return nil, nil
 	}
@ -86,6 +105,21 @@ func TestTeamPoliciesAuth(t *testing.T) {
 			true,
 			true,
 		},
+		{
+			"team observer, and team admin of another team",
+			&fleet.User{Teams: []fleet.UserTeam{
+				{
+					Team: fleet.Team{ID: 1},
+					Role: fleet.RoleObserver,
+				},
+				{
+					Team: fleet.Team{ID: 2},
+					Role: fleet.RoleAdmin,
+				},
+			}},
+			true,
+			false,
+		},
 		{
 			"team maintainer, DOES NOT belong to team",
 			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleMaintainer}}},
@ -115,6 +149,9 @@ func TestTeamPoliciesAuth(t *testing.T) {
 			_, err = svc.GetTeamPolicyByIDQueries(ctx, 1, 1)
 			checkAuthErr(t, tt.shouldFailRead, err)

+			_, err = svc.ModifyTeamPolicy(ctx, 1, 1, fleet.ModifyPolicyPayload{})
+			checkAuthErr(t, tt.shouldFailWrite, err)
+
 			_, err = svc.DeleteTeamPolicies(ctx, 1, []uint{1})
 			checkAuthErr(t, tt.shouldFailWrite, err)
				`@ -0,0 +1 @@`
				`* Fix bug in rego policy for fleet policies.`