opensource/magistrala
1
0
Fork 0
mirror of https://github.com/absmach/magistrala.git synced 2026-06-23 04:10:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

SMQ-2836 - Skip checking super admin if the role in JWT is not super admin (#3099)

Browse Source 
Signed-off-by: Felix Gateru <felix.gateru@gmail.com>
This commit is contained in:
Felix Gateru
2025-08-29 13:09:31 +03:00
committed by GitHub
parent e842bfaab6
commit 8ab1f4c408
7 changed files with 50 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/http/common.go
+2 -1
View File
@@ -185,7 +185,8 @@ func EncodeError(_ context.Context, err error, w http.ResponseWriter) {
switch {
case errors.Contains(err, svcerr.ErrAuthorization),
errors.Contains(err, svcerr.ErrDomainAuthorization),
errors.Contains(err, svcerr.ErrUnauthorizedPAT):
errors.Contains(err, svcerr.ErrUnauthorizedPAT),
errors.Contains(err, svcerr.ErrSuperAdminAction):
err = unwrap(err)
w.WriteHeader(http.StatusForbidden)
channels/middleware/authorization.go
+7 -4
View File
@@ -187,7 +187,7 @@ func (am *authorizationMiddleware) ListChannels(ctx context.Context, session aut
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
params := map[string]any{
@@ -212,7 +212,7 @@ func (am *authorizationMiddleware) ListUserChannels(ctx context.Context, session
return channels.ChannelsPage{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err != nil {
if err := am.checkSuperAdmin(ctx, session); err != nil {
return channels.ChannelsPage{}, errors.Wrap(err, errList)
}
params := map[string]any{
@@ -631,10 +631,13 @@ func (am *authorizationMiddleware) extAuthorize(ctx context.Context, extOp svcut
return nil
}
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, userID string) error {
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
if session.Role != authn.AdminRole {
return svcerr.ErrSuperAdminAction
}
if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
SubjectType: policies.UserType,
Subject: userID,
Subject: session.UserID,
Permission: policies.AdminPermission,
ObjectType: policies.PlatformType,
Object: policies.SuperMQObject,
clients/middleware/authorization.go
+7 -4
View File
@@ -172,7 +172,7 @@ func (am *authorizationMiddleware) ListClients(ctx context.Context, session auth
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -200,7 +200,7 @@ func (am *authorizationMiddleware) ListUserClients(ctx context.Context, session
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err != nil {
if err := am.checkSuperAdmin(ctx, session); err != nil {
return clients.ClientsPage{}, err
}
params := map[string]any{
@@ -551,10 +551,13 @@ func (am *authorizationMiddleware) extAuthorize(ctx context.Context, extOp svcut
return nil
}
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, userID string) error {
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
if session.Role != authn.AdminRole {
return svcerr.ErrSuperAdminAction
}
if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
SubjectType: policies.UserType,
Subject: userID,
Subject: session.UserID,
Permission: policies.AdminPermission,
ObjectType: policies.PlatformType,
Object: policies.SuperMQObject,
domains/middleware/authorization.go
+7 -4
View File
@@ -69,7 +69,7 @@ func (am *authorizationMiddleware) CreateDomain(ctx context.Context, session aut
}
func (am *authorizationMiddleware) RetrieveDomain(ctx context.Context, session authn.Session, id string, withRoles bool) (domains.Domain, error) {
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
return am.svc.RetrieveDomain(ctx, session, id, withRoles)
}
@@ -173,7 +173,7 @@ func (am *authorizationMiddleware) FreezeDomain(ctx context.Context, session aut
}
func (am *authorizationMiddleware) ListDomains(ctx context.Context, session authn.Session, page domains.Page) (domains.DomainsPage, error) {
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
params := map[string]any{
@@ -313,10 +313,13 @@ func (am *authorizationMiddleware) checkAdmin(ctx context.Context, session authn
return svcerr.ErrAuthorization
}
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, userID string) error {
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
if session.Role != authn.AdminRole {
return svcerr.ErrSuperAdminAction
}
if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
SubjectType: policies.UserType,
Subject: userID,
Subject: session.UserID,
Permission: policies.AdminPermission,
ObjectType: policies.PlatformType,
Object: policies.SuperMQObject,
groups/middleware/authorization.go
+7 -6
View File
@@ -257,8 +257,7 @@ func (am *authorizationMiddleware) ListGroups(ctx context.Context, session authn
}
}
err := am.checkSuperAdmin(ctx, session.UserID)
if err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
return am.svc.ListGroups(ctx, session, gm)
}
@@ -284,8 +283,7 @@ func (am *authorizationMiddleware) ListGroups(ctx context.Context, session authn
}
func (am *authorizationMiddleware) ListUserGroups(ctx context.Context, session authn.Session, userID string, pm groups.PageMeta) (groups.Page, error) {
err := am.checkSuperAdmin(ctx, session.UserID)
if err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
return am.svc.ListGroups(ctx, session, pm)
}
@@ -682,10 +680,13 @@ func (am *authorizationMiddleware) ListChildrenGroups(ctx context.Context, sessi
return am.svc.ListChildrenGroups(ctx, session, id, startLevel, endLevel, pm)
}
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, adminID string) error {
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
if session.Role != authn.AdminRole {
return svcerr.ErrSuperAdminAction
}
if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
SubjectType: policies.UserType,
Subject: adminID,
Subject: session.UserID,
Permission: policies.AdminPermission,
ObjectType: policies.PlatformType,
Object: policies.SuperMQObject,
pkg/errors/service/types.go
+3
View File
@@ -90,4 +90,7 @@ var (
// ErrRetainOneMember indicates that at least one owner must be retained in the entity.
ErrRetainOneMember = errors.New("must retain at least one member")
// ErrSuperAdminAction indicates that the user is not a super admin.
ErrSuperAdminAction = errors.New("not authorized to perform admin action")
)
users/middleware/authorization.go
+17 -14
View File
@@ -35,7 +35,7 @@ func AuthorizationMiddleware(svc users.Service, authz smqauthz.Authorization, se
func (am *authorizationMiddleware) Register(ctx context.Context, session authn.Session, user users.User, selfRegister bool) (users.User, error) {
if selfRegister {
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
}
@@ -56,7 +56,7 @@ func (am *authorizationMiddleware) View(ctx context.Context, session authn.Sessi
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -90,7 +90,7 @@ func (am *authorizationMiddleware) ListUsers(ctx context.Context, session authn.
return users.UsersPage{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -114,7 +114,7 @@ func (am *authorizationMiddleware) Update(ctx context.Context, session authn.Ses
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -134,7 +134,7 @@ func (am *authorizationMiddleware) UpdateTags(ctx context.Context, session authn
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -153,7 +153,7 @@ func (am *authorizationMiddleware) UpdateEmail(ctx context.Context, session auth
return users.User{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -173,7 +173,7 @@ func (am *authorizationMiddleware) UpdateUsername(ctx context.Context, session a
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -193,7 +193,7 @@ func (am *authorizationMiddleware) UpdateProfilePicture(ctx context.Context, ses
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -241,7 +241,7 @@ func (am *authorizationMiddleware) UpdateRole(ctx context.Context, session authn
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err != nil {
if err := am.checkSuperAdmin(ctx, session); err != nil {
return users.User{}, err
}
session.SuperAdmin = true
@@ -265,7 +265,7 @@ func (am *authorizationMiddleware) Enable(ctx context.Context, session authn.Ses
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -285,7 +285,7 @@ func (am *authorizationMiddleware) Disable(ctx context.Context, session authn.Se
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -305,7 +305,7 @@ func (am *authorizationMiddleware) Delete(ctx context.Context, session authn.Ses
}
}
if err := am.checkSuperAdmin(ctx, session.UserID); err == nil {
if err := am.checkSuperAdmin(ctx, session); err == nil {
session.SuperAdmin = true
}
@@ -335,10 +335,13 @@ func (am *authorizationMiddleware) OAuthAddUserPolicy(ctx context.Context, user
return am.svc.OAuthAddUserPolicy(ctx, user)
}
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, adminID string) error {
func (am *authorizationMiddleware) checkSuperAdmin(ctx context.Context, session authn.Session) error {
if session.Role != authn.AdminRole {
return svcerr.ErrSuperAdminAction
}
if err := am.authz.Authorize(ctx, smqauthz.PolicyReq{
SubjectType: policies.UserType,
Subject: adminID,
Subject: session.UserID,
Permission: policies.AdminPermission,
ObjectType: policies.PlatformType,
Object: policies.SuperMQObject,