
[RBAC] Issues detected when using RBAC #2579

Closed
AdriiiPRodri opened this issue Oct 30, 2020 · 3 comments

@AdriiiPRodri

Hi team,

Recently we have had three problems using the APP with Wazuh version 4.0. The first of these problems is related to the dev-tools. The endpoint /security/users/me is not working properly. It always returns all system permissions. For example, in this screenshot we only have permission to see the agents that belong to the group US_WEST:
[screenshot]

We see that the permissions have been correctly applied as only agent 002 belongs to this group. However, when we make a request with the endpoint /security/users/me all the permissions are returned to us:
[screenshot]

Note: This error may occur with more security endpoints.

The second problem is related to the overview of the Wazuh APP. Despite having the permission to see the agents of the group US_WEST, we see that we have 0 agents. Investigating the requests that are made to obtain this information, we see that the endpoint /agents/summary/status is called, which returns a correct output taking into account our permissions: {active: 1, disconnected: 0, never_connected: 0, pending: 0, total: 1}
[screenshots]

The third problem is related to the 'Agents' tab: when we click on it, no agent appears. In order to obtain this information, the endpoint /agents/000/config/request/remote is used. However, our user does not have permissions on agent 000 as it does not belong to the US_WEST group. This causes users to always have to add agent 000 to the permissions.
[screenshots]

These are the permissions we have used to perform these tests:
[screenshots of the permissions used]

Regards

@AdriiiPRodri AdriiiPRodri added the type/bug Bug issue label Oct 30, 2020
@snaow snaow added this to the Sprint 119 milestone Nov 3, 2020
@frankeros frankeros self-assigned this Nov 3, 2020
@frankeros (Contributor)

Hi @AdriiiPRodri,

Regarding the issue about the query in Dev Tools: GET /security/users/me is not taking into account the permissions, as the query GET /agents is doing.

From the app, when the token is generated with run_as:

{ 
  method: 'POST',
  headers: { 'content-type': 'application/json' },
  auth: { username: 'wazuh-wui', password: 'wazuh-wui' },
  url: 'https://localhost:55000/security/user/authenticate/run_as',
  data: { 
     user_name: 'test',
     is_reserved: false,
     is_hidden: false,
     is_internal_user: true,
     user_requested_tenant: null,
     backend_roles: [],
     custom_attribute_names: [],
     tenants: { test: true, global_tenant: true },
     roles: [ 'admin', 'kibana_user', 'own_index' ] 
  } 
}

The token obtained is: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjA0NTAzNDk0LCJleHAiOjE2MDQ1MDcwOTQsInN1YiI6IndhenVoLXd1aSIsInJ1bl9hcyI6dHJ1ZSwicmJhY19yb2xlcyI6WzEwMF0sInJiYWNfbW9kZSI6IndoaXRlIn0.JGDHDpuHLGDpmFqaxmB_mYC0-2VDu2PYp9_eCflFsAo
[screenshot]

If we send a curl with this token to the endpoint GET /security/users/me, the user is still wazuh-wui.
[screenshot]

In conclusion, both queries are sent with the same token, so we think that maybe it is the API that isn't taking into account the user permissions for the endpoint GET /security/users/me. However, the endpoint GET /security/users/me/policies is returning correctly: it returns only the policies that the user is associated with.
[screenshot]

Can you check this, please?
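The comparison in this comment rests on what the token actually carries. The following is an added example, not code from the issue or from the Wazuh project: it decodes the JWT pasted above (header and claims only; the HS256 signature cannot be checked without the API's secret, so this is inspection, not validation) and summarises which identity the API is expected to act as. The reading of `rbac_roles` and `rbac_mode` as "roles applied under run_as" and "whitelist mode" is inferred from the claim names, not confirmed by the page.

```python
import base64
import json

# The token quoted in the comment above (copied from the page; it expired in
# Nov 2020, so it is only useful for looking at its claims).
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNjA0NTAzNDk0LCJleHAiOjE2MDQ1MDcwOTQsInN1YiI6IndhenVoLXd1aSIsInJ1bl9hcyI6dHJ1ZSwicmJhY19yb2xlcyI6WzEwMF0sInJiYWNfbW9kZSI6IndoaXRlIn0."
    "JGDHDpuHLGDpmFqaxmB_mYC0-2VDu2PYp9_eCflFsAo"
)


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Return {'header': ..., 'claims': ...} WITHOUT verifying the signature.

    The HS256 key lives on the Wazuh API host, so a client can only inspect the
    claims; deciding whether to trust them is the API's job after it checks the
    signature. Never grant anything based on this function alone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
    }


def is_valid_at(claims: dict, now: int) -> bool:
    """Time-window check: nbf <= now < exp (exp is treated as exclusive)."""
    return claims["nbf"] <= now < claims["exp"]


def describe_identity(claims: dict) -> dict:
    """Summarise who the API should treat the caller as.

    `sub` is the account that authenticated (wazuh-wui in the comment above).
    When `run_as` is true, the token also carries `rbac_roles`; the comment
    reports that /security/users/me still answers with `sub`, while
    /security/users/me/policies reflects the run_as roles. Assumption: the
    integer role ids in `rbac_roles` are the roles applied in that case.
    """
    return {
        "authenticated_as": claims.get("sub"),
        "run_as": bool(claims.get("run_as", False)),
        "effective_roles": list(claims.get("rbac_roles", [])),
        "rbac_mode": claims.get("rbac_mode"),
        "lifetime_seconds": claims["exp"] - claims["nbf"],
    }


if __name__ == "__main__":
    decoded = decode_jwt(TOKEN)
    print("header:", decoded["header"])
    print("claims:", decoded["claims"])
    print("identity:", describe_identity(decoded["claims"]))
```

Running it shows `sub` is still `wazuh-wui` with `run_as: true` and `rbac_roles: [100]`, which is exactly the situation the comment describes: one token, two endpoints, and only one of them appears to honour the run_as roles.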

@AdriiiPRodri (Author)

Hi @frankeros,

We have been testing and it is correct: the endpoint /security/users/me does not return the correct permissions when the user has authenticated through an authorization context.

We have the fix ready and it will be merged as soon as possible. Thanks for the report.

@frankeros (Contributor) commented Nov 5, 2020

Hi @AdriiiPRodri,
Thanks to you.
Regarding the other issues that you reported, I created the issue #6502, because we need some improvement in the endpoint /agents/summary/status to be able to skip the 000 agent.

@davidjiglesias davidjiglesias changed the title [RBAC] Issues detected with using RBAC [RBAC] Issues detected when using RBAC Nov 5, 2020