SMQ-2670 - Fix Unauthorized User IDs can be added to domain entity role members (#2684)

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
This commit is contained in:
Steve Munene
2025-02-28 16:06:59 +03:00
committed by GitHub
parent 17b5224090
commit 98bc206169
2 changed files with 42 additions and 0 deletions
@@ -94,6 +94,7 @@ func (am *authorizationMiddleware) CreateGroup(ctx context.Context, session auth
return groups.Group{}, []roles.RoleProvision{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
}
}
if err := am.extAuthorize(ctx, groups.DomainOpCreateGroup, smqauthz.PolicyReq{
Domain: session.DomainID,
SubjectType: policies.UserType,
@@ -9,6 +9,7 @@ import (
"github.com/absmach/supermq/pkg/authn"
smqauthz "github.com/absmach/supermq/pkg/authz"
"github.com/absmach/supermq/pkg/errors"
svcerr "github.com/absmach/supermq/pkg/errors/service"
"github.com/absmach/supermq/pkg/policies"
"github.com/absmach/supermq/pkg/roles"
"github.com/absmach/supermq/pkg/svcutil"
@@ -209,6 +210,10 @@ func (ram RoleManagerAuthorizationMiddleware) RoleAddMembers(ctx context.Context
}); err != nil {
return []string{}, err
}
if err := ram.authorizeMembers(ctx, session, members); err != nil {
return []string{}, err
}
return ram.svc.RoleAddMembers(ctx, session, entityID, roleID, members)
}
@@ -314,3 +319,39 @@ func (ram RoleManagerAuthorizationMiddleware) authorize(ctx context.Context, op
func (ram RoleManagerAuthorizationMiddleware) RemoveMemberFromAllRoles(ctx context.Context, session authn.Session, memberID string) (err error) {
return ram.svc.RemoveMemberFromAllRoles(ctx, session, memberID)
}
func (ram RoleManagerAuthorizationMiddleware) authorizeMembers(ctx context.Context, session authn.Session, members []string) error {
switch ram.entityType {
case policies.DomainType:
for _, member := range members {
if err := ram.authz.Authorize(ctx, smqauthz.PolicyReq{
Permission: policies.MembershipPermission,
Subject: member,
SubjectType: policies.UserType,
SubjectKind: policies.UsersKind,
Object: policies.SuperMQObject,
ObjectType: policies.PlatformType,
}); err != nil {
return errors.Wrap(errors.ErrAuthorization, err)
}
}
return nil
case policies.ChannelType, policies.GroupType, policies.ClientType:
for _, member := range members {
if err := ram.authz.Authorize(ctx, smqauthz.PolicyReq{
Permission: policies.MembershipPermission,
Subject: policies.EncodeDomainUserID(session.DomainID, member),
SubjectType: policies.UserType,
SubjectKind: policies.UsersKind,
Object: session.DomainID,
ObjectType: policies.DomainType,
}); err != nil {
return errors.Wrap(svcerr.ErrDomainAuthorization, err)
}
}
return nil
default:
return errors.Wrap(errors.ErrAuthorization, errors.New("unsupported policies type"))
}
}
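Review bot: `authorizeMembers`, the new function at the end of the last hunk, has no doc comment stating what it enforces, and its two `case` arms repeat the same per-member `Authorize` loop with only the subject encoding, the object and the wrapped error differing, so the two arms can drift apart when another entity type is added. Suggested comment: `// authorizeMembers verifies that every ID in members may be granted a role on ram.entityType before the service mutates membership: domain roles require platform membership, while channel, group and client roles require membership in session.DomainID.` Choosing the policy template and the wrapping error once in the `switch` and running a single loop keeps the check identical for every entity type; an empty `members` slice passes with no authz call in both the current and the proposed form, which is presumably what the service expects and is worth saying in the comment. The check stops at the first rejected member, so a caller submitting several IDs cannot tell which one failed; whether to name the member in the wrapped error is a product decision I would confirm with the maintainers. The `RoleAddMembers` hunk starts inside that function body, so I cannot see what runs between the requester-side authorize and the new `authorizeMembers` call.

```go
// … unchanged: RemoveMemberFromAllRoles …

// authorizeMembers verifies that every ID in members may be granted a role on
// ram.entityType before the service mutates membership: domain roles require
// platform membership, while channel, group and client roles require
// membership in session.DomainID. An empty members slice passes without a check.
func (ram RoleManagerAuthorizationMiddleware) authorizeMembers(ctx context.Context, session authn.Session, members []string) error {
	var (
		tmpl    smqauthz.PolicyReq
		subject = func(m string) string { return m }
		wrapErr error = errors.ErrAuthorization
	)
	switch ram.entityType {
	case policies.DomainType:
		tmpl = smqauthz.PolicyReq{Object: policies.SuperMQObject, ObjectType: policies.PlatformType}
	case policies.ChannelType, policies.GroupType, policies.ClientType:
		tmpl = smqauthz.PolicyReq{Object: session.DomainID, ObjectType: policies.DomainType}
		subject = func(m string) string { return policies.EncodeDomainUserID(session.DomainID, m) }
		wrapErr = svcerr.ErrDomainAuthorization
	default:
		return errors.Wrap(errors.ErrAuthorization, errors.New("unsupported policies type"))
	}
	for _, member := range members {
		req := tmpl
		req.Permission = policies.MembershipPermission
		req.Subject = subject(member)
		req.SubjectType = policies.UserType
		req.SubjectKind = policies.UsersKind
		if err := ram.authz.Authorize(ctx, req); err != nil {
			return errors.Wrap(wrapErr, err)
		}
	}
	return nil
}
```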