Can CreateRule in project without proper permission #4301

Closed
blakestier opened this issue Sep 2, 2020 · 1 comment
Labels: auth-team (anything that needs to be on the auth team board), automate-auth, bug 🐛 (Something isn't working), customer-reported (issues reported by customers), emergent

Comments

@blakestier

Describe the problem

Users can create rules on projects that they do not have iam:projects:update permissions on.

Replication Case

In the Automate UI:

1. Create a project with ID `no-perms`.
2. Create a user who has no permissions on any projects.
3. Using that user's Bearer token (taken from the network tab), attempt to create a rule on that project:

```sh
curl -kH "Authorization: Bearer $BTOK" \
  "$TARGET_HOST/apis/iam/v2/projects/no-perms/rules" \
  -d "$(jq -n '{ id: "rule2", name: "my foo rule", type: "NODE", project_id: "foo-project", conditions: [{ operator: "EQUALS", attribute: "CHEF_SERVER", values: ["why am i allowed to doooo thissss"]}]}')" | jq .
```

See the call succeed.

Possible Solution

We need to check the projects in the `CreateRule` function:

```go
func (p *pg) CreateRule(ctx context.Context, rule *storage.Rule) (*storage.Rule, error) {
```

like we do on `UpdateRule`:

```go
projectsFilter, err := projectsListFromContext(ctx)
```

@blakestier blakestier added bug 🐛 Something isn't working automate-auth auth-team anything that needs to be on the auth team board labels Sep 2, 2020
@susanev susanev added customer-reported issues reported by customers emergent labels Sep 3, 2020
@susanev susanev added this to the Auth: Sprint 21 milestone Sep 3, 2020
@msorens (Contributor) commented Sep 3, 2020

I have not been able to confirm the stated premises.
What I observe (just using API tokens rather than user bearer tokens) is that without `iam:projects:update` one cannot create a rule. It already has a permission guard for that:

```proto
option (chef.automate.api.iam.policy).action = "iam:projects:update";
```

And it returns the appropriate error:

```
{"error":"unauthorized: members [\"token:t1\"]
cannot perform action \"iam:projects:update\"
on resource \"iam:projects:no-perms\"
filtered by projects []"
```

I then created a policy allowing just that one permission, making my token a member, then I could successfully create a rule.

@msorens msorens changed the title Add authz call around CreateRule Can CreateRule in project without proper permission Sep 3, 2020
@msorens msorens closed this as completed Sep 14, 2020
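The issue proposes guarding `CreateRule` with the same `projectsListFromContext` filter that `UpdateRule` uses, and the reply above shows what the denial looks like when the `iam:projects:update` guard fires. The following is an added, self-contained Go example of that guard written for this page; it is not Chef Automate's code and does not use its `storage` or `pg` types. Names such as `Store`, `WithAuth`, `ErrUnauthorized` and the `pathProject` argument are assumptions made here. Two simplifying assumptions differ from the real service: the caller's authorized project list is placed on the context by a hand-written helper instead of authz middleware, and an empty list is treated as "no access" with no wildcard handling. The example also rejects a request whose body `project_id` disagrees with the project in the URL path, a mismatch the curl in the report happens to contain (`no-perms` in the path, `foo-project` in the body):

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// Rule carries the fields the report's curl payload sends (hypothetical type).
type Rule struct {
	ID        string
	Name      string
	Type      string
	ProjectID string
}

type ctxKey int

const (
	memberKey   ctxKey = iota // caller identity, e.g. "token:t1"
	projectsKey               // projects the caller may update
)

// ErrUnauthorized is wrapped by every denial so callers can test with errors.Is.
var ErrUnauthorized = errors.New("unauthorized")

// WithAuth is a hypothetical stand-in for the authz middleware: it records who the
// caller is and which projects they hold iam:projects:update on.
func WithAuth(ctx context.Context, member string, projects []string) context.Context {
	ctx = context.WithValue(ctx, memberKey, member)
	return context.WithValue(ctx, projectsKey, projects)
}

// projectsListFromContext mirrors the helper named in the issue; here it just
// reads the slice stored by WithAuth. A missing filter is an error, not "allow all".
func projectsListFromContext(ctx context.Context) ([]string, error) {
	projects, ok := ctx.Value(projectsKey).([]string)
	if !ok {
		return nil, errors.New("no projects filter on context")
	}
	return projects, nil
}

// projectAllowed is an exact-match check; an empty filter allows nothing (assumption).
func projectAllowed(filter []string, project string) bool {
	for _, p := range filter {
		if p == project {
			return true
		}
	}
	return false
}

// unauthorized builds a denial in the same shape as the error quoted in the thread.
func unauthorized(ctx context.Context, action, resource string, filter []string) error {
	member, _ := ctx.Value(memberKey).(string)
	return fmt.Errorf("%w: members [%q] cannot perform action %q on resource %q filtered by projects [%s]",
		ErrUnauthorized, member, action, resource, strings.Join(filter, ", "))
}

// Store is an in-memory stand-in for the pg-backed store in the issue.
type Store struct {
	rules map[string]Rule
}

func NewStore() *Store { return &Store{rules: map[string]Rule{}} }

// CreateRule applies the guard before touching storage: the project named in the
// path must match the body, and it must be in the caller's projects filter.
func (s *Store) CreateRule(ctx context.Context, pathProject string, rule Rule) (*Rule, error) {
	if rule.ProjectID != pathProject {
		return nil, fmt.Errorf("project_id %q in body does not match project %q in path", rule.ProjectID, pathProject)
	}
	filter, err := projectsListFromContext(ctx)
	if err != nil {
		return nil, err
	}
	if !projectAllowed(filter, rule.ProjectID) {
		return nil, unauthorized(ctx, "iam:projects:update", "iam:projects:"+rule.ProjectID, filter)
	}
	if _, exists := s.rules[rule.ID]; exists {
		return nil, fmt.Errorf("rule %q already exists", rule.ID)
	}
	s.rules[rule.ID] = rule
	return &rule, nil
}

func main() {
	s := NewStore()
	rule := Rule{ID: "rule2", Name: "my foo rule", Type: "NODE", ProjectID: "no-perms"}
	// Caller with no projects: denied, as the reply in the thread observed.
	_, err := s.CreateRule(WithAuth(context.Background(), "token:t1", nil), "no-perms", rule)
	fmt.Println("no permissions:", err)
	// Caller granted the project: the create succeeds.
	created, err := s.CreateRule(WithAuth(context.Background(), "token:t1", []string{"no-perms"}), "no-perms", rule)
	fmt.Println("with permission:", created.ID, err)
}
```

Note that the filter check runs before any storage access, so an unauthorized caller learns nothing about whether the rule ID already exists.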