From 20e26d55ec07c305944b54945e085624c118ae0e Mon Sep 17 00:00:00 2001
From: Orne Brocaar
Date: Wed, 26 Aug 2020 09:38:22 +0100
Subject: [PATCH] Fix gateway-profile authorization for api keys.

Closes #525.
---
 internal/api/external/auth/validators.go | 35 ++++++++++++++++---
 internal/api/external/auth/validators_test.go | 18 ++++++++++
 2 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/internal/api/external/auth/validators.go b/internal/api/external/auth/validators.go
index 98550cc21..32285d0f9 100644
--- a/internal/api/external/auth/validators.go
+++ b/internal/api/external/auth/validators.go
@@ -1085,30 +1085,55 @@ func ValidateOrganizationUserAccess(flag Flag, organizationID, userID int64) Val
 // ValidateGatewayProfileAccess validates if the client has access
 // to the gateway-profiles.
 func ValidateGatewayProfileAccess(flag Flag) ValidatorFunc {
- query := `
+ userQuery := `
 select
 1
 from
 "user" u
 `
 
- var where = [][]string{}
+ apiKeyQuery := `
+ select
+ 1
+ from
+ api_key ak
+ `
+
+ var userWhere = [][]string{}
+ var apiKeyWhere = [][]string{}
 
 switch flag {
 case Create, Update, Delete:
 // global admin
- where = [][]string{
+ userWhere = [][]string{
 {"(u.email = $1 or u.id = $2)", "u.is_active = true", "u.is_admin = true"},
 }
+
+ // admin api key
+ apiKeyWhere = [][]string{
+ {"ak.id = $1", "ak.is_admin = true"},
+ }
 case Read, List:
 // any active user
- where = [][]string{
+ userWhere = [][]string{
 {"(u.email = $1 or u.id = $2)", "u.is_active = true"},
 }
+
+ // any api key
+ apiKeyWhere = [][]string{
+ {"ak.id = $1"},
+ }
 }
 
 return func(db sqlx.Queryer, claims *Claims) (bool, error) {
- return executeQuery(db, query, where, claims.Username, claims.UserID)
+ switch claims.Subject {
+ case SubjectUser:
+ return executeQuery(db, userQuery, userWhere, claims.Username, claims.UserID)
+ case SubjectAPIKey:
+ return executeQuery(db, apiKeyQuery, apiKeyWhere, claims.APIKeyID)
+ default:
+ return false, nil
+ }
 }
 }
 
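Review bot: The doc comment carried as context at the top of the hunk still reads `// ValidateGatewayProfileAccess validates if the client has access` / `// to the gateway-profiles.` and says nothing about the two claim subjects the new `switch claims.Subject` distinguishes, so a reader has to reconstruct the policy from the SQL fragments. I would extend it to state the rule the new code enforces: Create/Update/Delete require an active global-admin user or an admin API key (`ak.is_admin = true`); Read/List are granted to any active user or to any API key whose id exists (`ak.id = $1`); any other subject is denied by the `default` branch. Spelling out in that comment that Read/List is open to every existing API key regardless of its other attributes makes it visible that this is intended, since the user path additionally requires `u.is_active = true` while the API-key path checks only existence. Whether `api_key` carries a revocation or expiry column that should be checked alongside `ak.id` cannot be seen from this hunk, so I would confirm that before merging rather than assume it.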
diff --git a/internal/api/external/auth/validators_test.go b/internal/api/external/auth/validators_test.go
index 7f9ab38d7..8a06aded5 100644
--- a/internal/api/external/auth/validators_test.go
+++ b/internal/api/external/auth/validators_test.go
@@ -331,6 +331,24 @@ func (ts *ValidatorTestSuite) TestGateway() {
 Claims: Claims{UserID: users[2].id},
 ExpectedOK: false,
 },
+ {
+ Name: "admin api key can create, update, delete, read and list",
+ Validators: []ValidatorFunc{ValidateGatewayProfileAccess(Create), ValidateGatewayProfileAccess(Update), ValidateGatewayProfileAccess(Delete), ValidateGatewayProfileAccess(Read), ValidateGatewayProfileAccess(List)},
+ Claims: Claims{APIKeyID: apiKeys[0].ID},
+ ExpectedOK: true,
+ },
+ {
+ Name: "any api key can read and list",
+ Validators: []ValidatorFunc{ValidateGatewayProfileAccess(Read), ValidateGatewayProfileAccess(List)},
+ Claims: Claims{APIKeyID: apiKeys[3].ID},
+ ExpectedOK: true,
+ },
+ {
+ Name: "non-admin api keys can not create, update or delete",
+ Validators: []ValidatorFunc{ValidateGatewayProfileAccess(Create), ValidateGatewayProfileAccess(Update), ValidateGatewayProfileAccess(Delete)},
+ Claims: Claims{APIKeyID: apiKeys[1].ID},
+ ExpectedOK: false,
+ },
 }
 
 ts.RunTests(t, tests)
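Review bot: The three new cases never exercise the fail-closed `default` branch that `ValidateGatewayProfileAccess` now takes for claims with neither a user nor an API-key subject, and the negative Create/Update/Delete case uses only `apiKeys[1]` while the positive Read/List case uses `apiKeys[3]`, so the admin/non-admin split is not pinned for the same key. I would add a fourth case with empty `Claims{}` over all five flags and `ExpectedOK: false` (assuming `ts.RunTests` does not fill in `Subject` itself, which is not visible here), and include `apiKeys[3].ID` in the denial case alongside `apiKeys[1].ID`. What distinguishes `apiKeys[0]`, `[1]` and `[3]` is set up outside this hunk, so whether `apiKeys[3]` is in fact non-admin cannot be confirmed from the diff; `TestGateway` itself starts and ends outside the hunk.

```go
// … unchanged: existing user and API-key cases …
{
	Name:       "claims without a recognised subject are denied",
	Validators: []ValidatorFunc{ValidateGatewayProfileAccess(Create), ValidateGatewayProfileAccess(Update), ValidateGatewayProfileAccess(Delete), ValidateGatewayProfileAccess(Read), ValidateGatewayProfileAccess(List)},
	Claims:     Claims{},
	ExpectedOK: false,
},
```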