

Checking user privileges before performing Input State operations. (#…
…4454)

* Checking user privileges before performing Input State operations.

Before this change, any user was able to start/stop inputs without the
possession of the required privileges. The `InputStatesResource` class
did not perform any permission checks for operations.

After this change, a user who starts/stops an input requires the newly
introduced `inputs:changestate` permission (consistent with permission
handling of indices/processing/streams) in order to perform these
state changes.

Fixes #4439.

* Adding the new permission to the set containing all permissions.
dennisoelkers authored and bernd committed Jan 4, 2018
1 parent 4c957a0 commit 6680fa6
Showing 2 changed files with 8 additions and 1 deletion.
Expand Up @@ -36,6 +36,7 @@
import org.graylog2.rest.models.system.inputs.responses.InputSummary;
import org.graylog2.shared.inputs.InputRegistry;
import org.graylog2.shared.rest.resources.RestResource;
import org.graylog2.shared.security.RestPermissions;

import javax.inject.Inject;
import javax.ws.rs.DELETE;
Expand Down Expand Up @@ -72,7 +73,8 @@ public InputStatesResource(InputRegistry inputRegistry,
@ApiOperation(value = "Get all input states of this node")
public InputStatesList list() {
final Set<InputStateSummary> result = this.inputRegistry.stream()
.map(inputState -> getInputStateSummary(inputState))
.filter(inputState -> isPermitted(RestPermissions.INPUTS_READ, inputState.getStoppable().getId()))
.map(this::getInputStateSummary)
.collect(Collectors.toSet());

return InputStatesList.create(result);
Expand All @@ -86,6 +88,7 @@ public InputStatesList list() {
@ApiResponse(code = 404, message = "No such input on this node."),
})
public InputStateSummary get(@ApiParam(name = "inputId", required = true) @PathParam("inputId") String inputId) {
checkPermission(RestPermissions.INPUTS_READ, inputId);
final IOState<MessageInput> inputState = this.inputRegistry.getInputState(inputId);
if (inputState == null) {
throw new NotFoundException("No input state for input id <" + inputId + "> on this node.");
Expand All @@ -102,6 +105,7 @@ public InputStateSummary get(@ApiParam(name = "inputId", required = true) @PathP
})
@AuditEvent(type = AuditEventTypes.MESSAGE_INPUT_START)
public InputCreated start(@ApiParam(name = "inputId", required = true) @PathParam("inputId") String inputId) throws org.graylog2.database.NotFoundException {
checkPermission(RestPermissions.INPUTS_CHANGESTATE, inputId);
inputService.find(inputId);
final InputCreated result = InputCreated.create(inputId);
this.serverEventBus.post(result);
Expand All @@ -118,6 +122,7 @@ public InputCreated start(@ApiParam(name = "inputId", required = true) @PathPara
})
@AuditEvent(type = AuditEventTypes.MESSAGE_INPUT_STOP)
public InputDeleted stop(@ApiParam(name = "inputId", required = true) @PathParam("inputId") String inputId) throws org.graylog2.database.NotFoundException {
checkPermission(RestPermissions.INPUTS_CHANGESTATE, inputId);
inputService.find(inputId);
final InputDeleted result = InputDeleted.create(inputId);
this.serverEventBus.post(result);
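Review bot: The `@ApiResponses` on `get`, `start` and `stop` still only declare the 404 case (visible for `get` at the `@ApiResponse(code = 404, ...)` line just above `checkPermission`), while the new `checkPermission(...)` calls introduce a permission-denied outcome that API consumers now need to handle; add a line such as `@ApiResponse(code = 403, message = "Not permitted to read or change the state of this input."),` to each of those annotation lists (the exact status depends on what `checkPermission` throws, presumably a forbidden response). Placing the check ahead of `inputService.find(inputId)` in `start`/`stop` and ahead of the null check in `get` is the right order, since an unauthorised caller learns nothing about whether the input exists; a one-line comment such as `// permission check first: do not reveal input existence to unauthorised callers` would keep a later refactor from swapping the two. In `list()` the filter on `isPermitted(RestPermissions.INPUTS_READ, inputState.getStoppable().getId())` assumes `getStoppable()` is non-null for every registered state; if the registry can hold states without a stoppable, that line should guard against it. All four methods start or end outside their hunks.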
Expand Up @@ -67,6 +67,7 @@ public class RestPermissions implements PluginPermissions {
public static final String INDICES_DELETE = "indices:delete";
public static final String INDICES_FAILURES = "indices:failures";
public static final String INDICES_READ = "indices:read";
public static final String INPUTS_CHANGESTATE = "inputs:changestate";
public static final String INPUTS_CREATE = "inputs:create";
public static final String INPUTS_EDIT = "inputs:edit";
public static final String INPUTS_READ = "inputs:read";
Expand Down Expand Up @@ -172,6 +173,7 @@ public class RestPermissions implements PluginPermissions {
.add(create(INDICES_DELETE, ""))
.add(create(INDICES_FAILURES, ""))
.add(create(INDICES_READ, ""))
.add(create(INPUTS_CHANGESTATE, ""))
.add(create(INPUTS_CREATE, ""))
.add(create(INPUTS_EDIT, ""))
.add(create(INPUTS_READ, ""))
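Review bot: Adding `INPUTS_CHANGESTATE` to the all-permissions set covers users who hold every permission, but nothing in these hunks grants it to existing role definitions, and per the commit description no permission was required for start/stop before, so non-admin users who relied on that will lose the ability after upgrading unless role defaults or a migration elsewhere cover it; worth confirming before merging. If the split from `INPUTS_EDIT` is intentional, a comment on the constant such as `// Start/stop an input; deliberately not implied by INPUTS_EDIT` would make that explicit for the next reader. The `create(INPUTS_CHANGESTATE, "")` entry uses an empty description consistent with its neighbours, so no change is needed there. The enclosing `RestPermissions` class starts and ends outside both hunks.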
