
Order of capability checks at endpoints is confusing #1751

Closed
fredreichbier opened this issue Jul 19, 2019 · 0 comments

Comments

@fredreichbier
Member

commented Jul 19, 2019

Steps to reproduce:

  • Create any scope=USER policy, e.g. with action auditlog
  • Get an auth token as a user:
$ http POST 'http://localhost:5000/auth' username=user000 password=password000
...
            "role": "user",
...
  • Try to write a CA connector:
$ http POST 'http://localhost:5000/caconnector/foo' PI-Authorization:$TOKEN
HTTP/1.0 403 FORBIDDEN
Cache-Control: no-cache
Content-Length: 792
Content-Type: application/json
Date: Fri, 19 Jul 2019 09:11:28 GMT
Server: Werkzeug/0.14.1 Python/2.7.16

{
    "detail": null,
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "error": {
            "code": 303,
            "message": "User actions are defined, but the action caconnectorwrite is not allowed!"
        },
        "status": false
    },
    "signature": "...",
    "time": 1563527488.809524,
    "version": "privacyIDEA 3.0.2.dev2"
}

Only admins are allowed to write CA connectors. So we should instead get the message "Authentication failure. You do not have the necessary role (['admin']) to access this resource!".

Please note that this is not a security bug, because users will never be allowed to write CA connectors. If we remove the policy, we get the expected behavior:

$ http POST 'http://localhost:5000/caconnector/foo' PI-Authorization:$TOKEN
HTTP/1.0 401 UNAUTHORIZED
Cache-Control: no-cache
Content-Length: 815
Content-Type: application/json
Date: Fri, 19 Jul 2019 09:14:09 GMT
Server: Werkzeug/0.14.1 Python/2.7.16

{
    "detail": null,
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "error": {
            "code": 4306,
            "message": "Authentication failure. You do not have the necessary role (['admin']) to access this resource!"
        },
        "status": false
    },
    "signature": "...",
    "time": 1563527649.626396,
    "version": "privacyIDEA 3.0.2.dev2"
}

Similar behavior can be found for several other endpoints. We should always check for the admin role before performing any policy checks.
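The ordering problem described above comes down to how stacked Python decorators compose: the topmost decorator is the outermost wrapper and therefore runs first. The following is an added, self-contained illustration and not privacyIDEA's code; the decorator names `admin_required` and `prepolicy` mirror the names used in this issue, but their bodies, the request dictionaries, the `first_check` helper and the policy model (a role with any defined policies may only perform listed actions) are simplified assumptions made for the example. The error codes and messages are the ones shown in the responses above.

```python
"""Added example: why decorator order decides which authorization error a caller sees.

Not privacyIDEA's implementation. ``admin_required`` and ``prepolicy`` are
simplified stand-ins named after the decorators discussed in the issue.
"""
from functools import wraps


class RoleError(Exception):
    """Caller lacks the required role (the 401 / code 4306 case in the issue)."""
    code = 4306


class PolicyError(Exception):
    """A user policy forbids the action (the 403 / code 303 case in the issue)."""
    code = 303


def admin_required(func):
    """Reject any caller whose role is not 'admin' (assumed simplified check)."""
    @wraps(func)
    def wrapper(request, *args, **kwargs):
        if request["role"] != "admin":
            raise RoleError("Authentication failure. You do not have the necessary "
                            "role (['admin']) to access this resource!")
        return func(request, *args, **kwargs)
    # Marker so first_check() can report which check is outermost.
    wrapper._check_name = "admin_required"
    return wrapper


def prepolicy(action):
    """Assumed policy model: if policies are defined for the caller's role,
    the requested action must be among the allowed ones."""
    def decorator(func):
        @wraps(func)
        def wrapper(request, *args, **kwargs):
            allowed = request["policies"].get(request["role"])
            if allowed is not None and action not in allowed:
                raise PolicyError(f"User actions are defined, but the action "
                                  f"{action} is not allowed!")
            return func(request, *args, **kwargs)
        wrapper._check_name = "prepolicy"
        return wrapper
    return decorator


# Wrong order: prepolicy is outermost, so the policy check runs before the role check.
@prepolicy("caconnectorwrite")
@admin_required
def caconnector_write_wrong_order(request):
    return {"status": True}


# Fixed order: admin_required is outermost and runs first, as the fix describes.
@admin_required
@prepolicy("caconnectorwrite")
def caconnector_write_fixed_order(request):
    return {"status": True}


def call(endpoint, request):
    """Run an endpoint; return (error_code, message) or (None, result)."""
    try:
        return None, endpoint(request)
    except (RoleError, PolicyError) as exc:
        return exc.code, str(exc)


def first_check(endpoint):
    """Name of the outermost (first-executed) check on an endpoint, or None.

    Useful as a simple lint over admin-only endpoints: every one of them
    should report 'admin_required' here.
    """
    return getattr(endpoint, "_check_name", None)


# Constructed request contexts, modelled on the reproduction steps above.
USER_WITH_POLICY = {"role": "user", "policies": {"user": {"auditlog"}}}
USER_NO_POLICY = {"role": "user", "policies": {}}
ADMIN = {"role": "admin", "policies": {}}

if __name__ == "__main__":
    for name, ep in [("wrong order", caconnector_write_wrong_order),
                     ("fixed order", caconnector_write_fixed_order)]:
        print(name, "first check:", first_check(ep))
        print("  user with policy ->", call(ep, USER_WITH_POLICY))
        print("  user, no policy  ->", call(ep, USER_NO_POLICY))
        print("  admin            ->", call(ep, ADMIN))
```

With the wrong order, a user who has any USER-scope policy gets code 303 (a misleading "action not allowed" message) while a user without policies gets code 4306, so the reported error depends on unrelated policy configuration. With `admin_required` outermost, every non-admin caller gets code 4306 regardless of policies, and `first_check` gives a cheap way to assert that invariant across all admin-only endpoints.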

@fredreichbier fredreichbier added this to the 3.1 polishing policies milestone Jul 19, 2019

fredreichbier added a commit that referenced this issue Jul 19, 2019

Fix order of endpoint decorators
Now, the role check of ``admin_required`` is always
performed first.

Closes #1751
