sipwise
/
ngcp-panel
mirror of https://github.com/sipwise/ngcp-panel.git
1
0
Fork 0
Code Issues Releases Wiki Activity

TT#129162 tighten user access checks

Browse Source 
* add additional centralised checks for inactive and read_only users.
* use_userdata_from_session=0 now for all auth realms to cause the data
  re-fetched from the database, to avoid scenarios when a user is set
  as inactive or read_only and UI keeps using the cached data.
  the change only affects cookie and JWT subscriber based sessions
  as in all other cases, the auth data is fetched from the storage regardless.
* add is_active=1 flag for the internal 'system' role, as otherwise
  access would be permanently denied for it.
* default 403 error for denied api requests is changed to "Forbidden"
  instead of "Forbidden path".

Change-Id: I1d6d3c765ca8e017e11845c1f5260243a3963c3b
(cherry picked from commit 20e77c7b54)
mr6.5.13
Kirill Solomko 5 years ago
parent 2326d58af5
commit 26b2732bb5
3 changed files with 52 additions and 21 deletions
Show Stats Download Patch File Download Diff File

8
lib/NGCP/Panel.pm
Unescape View File

@ -135,7 +135,7 @@ __PACKAGE__->config(
user_model => 'DB::admins',
id_field => 'id',
store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
use_userdata_from_session => 1,
use_userdata_from_session => 0,
}
},
admin_bcrypt => {
@ -150,7 +150,7 @@ __PACKAGE__->config(
user_model => 'DB::admins',
id_field => 'id',
store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
use_userdata_from_session => 1,
use_userdata_from_session => 0,
}
},
api_admin_cert => {
@ -199,7 +199,7 @@ __PACKAGE__->config(
class => 'DBIx::Class',
user_model => 'DB::provisioning_voip_subscribers',
store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
# use_userdata_from_session => 1,
use_userdata_from_session => 0,
},
use_session => 0,
},
@ -247,7 +247,7 @@ __PACKAGE__->config(
user_model => 'DB::provisioning_voip_subscribers',
id_field => 'id',
store_user_class => 'NGCP::Panel::Authentication::Store::RoleFromRealm',
use_userdata_from_session => 1,
use_userdata_from_session => 0,
}
}
},

12
lib/NGCP/Panel/Authentication/Store/SystemRole.pm
Unescape View File

@ -10,6 +10,18 @@ sub roles {
: $self->{roles};
}
sub id { 0 };
sub is_active { 1 };
sub is_system { 1 };
sub is_master { 1 };
sub is_superuser { 1 };
sub is_ccare { 0 };
sub is_readonly { 0 };
sub show_passwords { 1 };
sub call_data { 1 };
sub billing_data { 1 };
sub lawful_intercept { 0 };
1;
# vim ts=4 sw=4 et

53
lib/NGCP/Panel/Controller/Root.pm
Unescape View File

@ -154,7 +154,7 @@ sub auto :Private {
return;
}
$self->api_apply_fake_time($c);
return 1;
return $self->check_user_access($c);;
} elsif ($c->req->headers->header("NGCP-UserAgent") &&
$c->req->headers->header("NGCP-UserAgent") eq "NGCP::API::Client") {
$c->log->debug("++++++ Root::auto API request with system auth");
@ -167,7 +167,7 @@ sub auto :Private {
}
$self->api_apply_fake_time($c);
return 1;
return $self->check_user_access($c);
} elsif ($c->req->headers->header("Authorization") &&
$c->req->headers->header("Authorization") =~ m/^Bearer /) {
$c->log->debug("++++++ Root::auto API request with JWT");
@ -180,7 +180,7 @@ sub auto :Private {
}
$self->api_apply_fake_time($c);
return 1;
return $self->check_user_access($c);
} elsif ($ngcp_api_realm eq "subscriber") {
$c->log->debug("++++++ Root::auto API subscriber request with http auth");
my $realm = "api_subscriber_http";
@ -212,7 +212,7 @@ sub auto :Private {
return;
}
$self->api_apply_fake_time($c);
return 1;
return $self->check_user_access($c);
} else {
$c->log->debug("++++++ Root::auto API admin request with http auth");
my $realm = "api_admin_http";
@ -231,6 +231,7 @@ sub auto :Private {
if($c->user->read_only && $c->req->method eq "POST" &&
$c->req->uri->path =~ m|^/api/admincerts/$|) {
$c->log->info("let read-only user '".$c->user->login."' generate admin cert for itself");
return 1;
} elsif($c->user->read_only && !($c->req->method =~ /^(GET|HEAD|OPTIONS)$/)) {
$c->log->error("invalid method '".$c->req->method."' for read-only user '".$c->user->login."', rejecting");
$c->user->logout;
@ -243,7 +244,7 @@ sub auto :Private {
return;
}
$self->api_apply_fake_time($c);
return 1;
return $self->check_user_access($c);
}
}
@ -273,16 +274,6 @@ sub auto :Private {
$c->log->debug("*** Root::auto grant access for authenticated user");
# check for read_only on write operations
if($c->user->read_only && (
$c->req->uri->path =~ /create/
|| $c->req->uri->path =~ /edit/
|| $c->req->uri->path =~ /delete/
|| !($c->req->method =~ /^(GET|HEAD|OPTIONS)$/)
)) {
$c->detach('/denied_page');
}
if (exists $c->config->{external_documentation}{link} && 'ARRAY' ne ref $c->config->{external_documentation}{link}) {
$c->config->{external_documentation}{link} = [$c->config->{external_documentation}{link}];
}
@ -303,7 +294,7 @@ sub auto :Private {
$c->session->{created_objects} = {} unless(defined $c->session->{created_objects});
return 1;
return $self->check_user_access($c);
}
sub root_index :Path :Args(0) {
@ -380,13 +371,41 @@ sub denied_page :Private {
$c->log->error('Access denied to path ' . $c->request->path );
if($c->request->path =~ /^api\/.+/) {
$c->response->content_type('application/json');
$c->response->body(JSON::to_json({ code => 403, message => 'Path forbidden' })."\n");
$c->response->body(JSON::to_json({ code => 403, message => 'Forbidden' })."\n");
} else {
$c->stash(template => 'denied_page.tt');
}
$c->response->status(403);
}
sub check_user_access {
my ($self, $c) = @_;
my $path = $c->req->uri->path;
if ($path =~ /^\/(login|logout|login_jwt|admin_login_jwt)$/) {
return 1;
}
# deny access to inactive users
if ($c->user_exists && !$c->user->uuid && !$c->user->is_active) {
$c->detach('/denied_page');
return;
}
# deny access to read-only users
if ($c->user_exists && $c->user->read_only &&
($path =~ /create/ ||
$path =~ /edit/ ||
$path =~ /delete/ ||
$c->req->method =~ /^(POST|PUT|PATCH|DELETE)$/)) {
$c->detach('/denied_page');
return;
}
return 1;
}
sub emptyajax :Chained('/') :PathPart('emptyajax') :Args(0) {
my ($self, $c) = @_;

Write Preview
Loading…
Cancel
Save