From 55d434744a85ebb60a41481a0ec3e856c65fd339 Mon Sep 17 00:00:00 2001
From: Edoardo Spadolini
Date: Wed, 22 Dec 2021 16:15:08 +0100
Subject: [PATCH] Only allow access request deletion through static roles' permissions

---
 lib/auth/auth_with_roles.go | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index cfb0c905ea9b3..0c4c8c88023f2 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -93,6 +93,23 @@ func (a *ServerWithRoles) withOptions(opts ...actionOption) actionConfig {
 	return cfg
 }
 
+func (a *ServerWithRoles) withStaticRoles() (actionConfig, error) {
+	user, err := a.authServer.GetUser(a.context.User.GetName(), false)
+	if err != nil {
+		return actionConfig{}, trace.Wrap(err)
+	}
+
+	checker, err := services.FetchRoles(user.GetRoles(), a.authServer, user.GetTraits())
+	if err != nil {
+		return actionConfig{}, trace.Wrap(err)
+	}
+
+	return actionConfig{context: Context{
+		User: user,
+		Checker: checker,
+	}}, nil
+}
+
 func (c actionConfig) action(namespace, resource string, verbs ...string) error {
 	if len(verbs) == 0 {
 		return trace.BadParameter("no verbs provided for authorization check on resource %q", resource)
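Review bot: withStaticRoles has no doc comment, and its security intent (bypassing roles that were granted by an approved access request) is exactly the kind of thing the next maintainer needs spelled out; I would add `// withStaticRoles returns an actionConfig whose checker is built only from the roles and traits stored on the user's backend record, ignoring any roles the current identity gained through approved access requests.` above the function. The returned Context is populated with User and Checker only, so any other field of the caller's a.context that action() or its helpers consult will be zero in this path; if Context carries such fields (identity details, for instance) it is worth stating in the comment that they are deliberately not copied, or copying them from a.context. The `false` passed to GetUser is presumably a "with secrets" flag and deserves a short inline comment since the literal gives no hint.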
@@ -1385,7 +1402,17 @@ func (a *ServerWithRoles) getProxyPublicAddr() string {
 }
 
 func (a *ServerWithRoles) DeleteAccessRequest(ctx context.Context, name string) error {
-	if err := a.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbDelete); err != nil {
+	cfg, err := a.withStaticRoles()
+	if err != nil {
+		return err
+	}
+	if err := cfg.action(apidefaults.Namespace, types.KindAccessRequest, types.VerbDelete); err != nil {
+		if trace.IsAccessDenied(err) {
+			if a.withOptions(quietAction(true)).action(apidefaults.Namespace, types.KindAccessRequest, types.VerbDelete) == nil {
+				// the user would've had permission with the roles granted by access requests
+				return trace.WrapWithMessage(err, "access request deletion through elevated roles is not allowed")
+			}
+		}
 		return trace.Wrap(err)
 	}
 	return a.authServer.DeleteAccessRequest(ctx, name)
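Review bot: The early `return err` after the withStaticRoles call is the only unwrapped error return in this function; the surrounding code uses trace.Wrap consistently, so it should read `return trace.Wrap(err)` to keep the call-site stack and error classification intact. More importantly, a failure of withStaticRoles now fails the whole deletion before any authorization check runs, and that failure is not an access-denied error: a caller whose identity has no corresponding backend user record (which the GetUser lookup inside withStaticRoles appears to require) would get a lookup error rather than a clear denial. If such callers are expected, consider treating a not-found user as "no static roles" and falling through to the denial path; if they are not, a comment stating that DeleteAccessRequest is only reachable by local users would document the assumption. The comment on the elevated-roles branch should also note that the quiet full-roles check is advisory only (it selects the error message, never grants access), since a reader could otherwise mistake it for a second authorization path.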