/
api_validate_privilege_escalation.go
112 lines (96 loc) · 3.38 KB
/
api_validate_privilege_escalation.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
/*
Copyright 2020,2021 Avi Zimmerman
This file is part of kvdi.
kvdi is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
kvdi is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with kvdi. If not, see <https://www.gnu.org/licenses/>.
*/
package api
import (
"net/http"
rbacv1 "github.com/kvdi/kvdi/apis/rbac/v1"
"github.com/kvdi/kvdi/pkg/types"
"github.com/kvdi/kvdi/pkg/util/apiutil"
"github.com/kvdi/kvdi/pkg/util/rbac"
)
var elevateDenyReason = "The requested operation grants more privileges than the user has."
func denyUserElevatePerms(d *desktopAPI, reqUser *types.VDIUser, r *http.Request) (allowed bool, reason string, err error) {
// This is an ugly hack at the moment. This will be triggered if called from
// allowSameUser while configuring MFA options. No need to check.
if apiutil.GetGorillaPath(r) == "/api/users/{user}/mfa" {
return true, "", nil
}
// Check that a POST /users will not grant permissions the user does not have.
if reqObj, ok := apiutil.GetRequestObject(r).(*types.CreateUserRequest); ok {
vdiRoles, err := d.vdiCluster.GetRoles(d.client)
if err != nil {
return false, "", err
}
for _, role := range reqObj.Roles {
roleObj := getRoleByName(vdiRoles, role)
if roleObj == nil {
continue
}
for _, rule := range roleObj.GetRules() {
if !rbac.UserIncludesRule(reqUser, rule, NewResourceGetter(d)) {
return false, elevateDenyReason, nil
}
}
}
return true, "", nil
}
// Check that a PUT /users/{user} will not grant permissions the user does not have.
if reqObj, ok := apiutil.GetRequestObject(r).(*types.UpdateUserRequest); ok {
vdiRoles, err := d.vdiCluster.GetRoles(d.client)
if err != nil {
return false, "", err
}
for _, role := range reqObj.Roles {
roleObj := getRoleByName(vdiRoles, role)
if roleObj == nil {
continue
}
for _, rule := range roleObj.GetRules() {
if !rbac.UserIncludesRule(reqUser, rule, NewResourceGetter(d)) {
return false, elevateDenyReason, nil
}
}
}
return true, "", nil
}
// Check that a POST /roles will not grant permissions the user does not have.
if reqObj, ok := apiutil.GetRequestObject(r).(*types.CreateRoleRequest); ok {
for _, rule := range reqObj.GetRules() {
if !rbac.UserIncludesRule(reqUser, rule, NewResourceGetter(d)) {
return false, elevateDenyReason, nil
}
}
return true, "", nil
}
// Check that a PUT /roles/{role} will not grant permissions the user does not have.
if reqObj, ok := apiutil.GetRequestObject(r).(*types.UpdateRoleRequest); ok {
for _, rule := range reqObj.GetRules() {
if !rbac.UserIncludesRule(reqUser, rule, NewResourceGetter(d)) {
return false, elevateDenyReason, nil
}
}
return true, "", nil
}
apiLogger.Info("Method used privilege validator without adding request logic")
return false, elevateDenyReason, nil
}
func getRoleByName(roles []*rbacv1.VDIRole, name string) *rbacv1.VDIRole {
for _, role := range roles {
if role.GetName() == name {
return role
}
}
return nil
}