JakeHillion/storj
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

satellite/admin: restrict api access based on user groups

Browse Source 
This change reworks the allowedAuthorization function to check what
groups the user is a part of to determine if authorization should be
granted. By wrapping each handler with withAuth, we can specify the
allowed groups for each api method individually.

github issue: https://github.com/storj/storj/issues/5565

Change-Id: I1804dda04d5b16d19e93bd7199fb3fc89fca1294
This commit is contained in:
Cameron 2023-02-21 16:47:45 -05:00
parent fafa6658a9
commit 4e94e6188c
1 changed files with 72 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
satellite/admin/server.go
View File

@ -11,6 +11,7 @@ import (
"fmt"
"net"
"net/http"
"strings"
"time"
"github.com/gorilla/mux"
@ -97,37 +98,44 @@ func NewServer(log *zap.Logger, listener net.Listener, db DB, buckets *buckets.S
root := mux.NewRouter()
api := root.PathPrefix("/api/").Subrouter()
api.Use(allowedAuthorization(log, config))
// When adding new options, also update README.md
api.HandleFunc("/users", server.addUser).Methods("POST")
api.HandleFunc("/users/{useremail}", server.updateUser).Methods("PUT")
api.HandleFunc("/users/{useremail}", server.userInfo).Methods("GET")
api.HandleFunc("/users/{useremail}/limits", server.userLimits).Methods("GET")
api.HandleFunc("/users/{useremail}", server.deleteUser).Methods("DELETE")
api.HandleFunc("/users/{useremail}/limits", server.updateLimits).Methods("PUT")
api.HandleFunc("/users/{useremail}/mfa", server.disableUserMFA).Methods("DELETE")
api.HandleFunc("/users/{useremail}/freeze", server.freezeUser).Methods("PUT")
api.HandleFunc("/users/{useremail}/freeze", server.unfreezeUser).Methods("DELETE")
api.HandleFunc("/oauth/clients", server.createOAuthClient).Methods("POST")
api.HandleFunc("/oauth/clients/{id}", server.updateOAuthClient).Methods("PUT")
api.HandleFunc("/oauth/clients/{id}", server.deleteOAuthClient).Methods("DELETE")
api.HandleFunc("/projects", server.addProject).Methods("POST")
api.HandleFunc("/projects/{project}/usage", server.checkProjectUsage).Methods("GET")
api.HandleFunc("/projects/{project}/limit", server.getProjectLimit).Methods("GET")
api.HandleFunc("/projects/{project}/limit", server.putProjectLimit).Methods("PUT", "POST")
api.HandleFunc("/projects/{project}", server.getProject).Methods("GET")
api.HandleFunc("/projects/{project}", server.renameProject).Methods("PUT")
api.HandleFunc("/projects/{project}", server.deleteProject).Methods("DELETE")
api.HandleFunc("/projects/{project}/apikeys", server.listAPIKeys).Methods("GET")
api.HandleFunc("/projects/{project}/apikeys", server.addAPIKey).Methods("POST")
api.HandleFunc("/projects/{project}/apikeys/{name}", server.deleteAPIKeyByName).Methods("DELETE")
api.HandleFunc("/projects/{project}/buckets/{bucket}", server.getBucketInfo).Methods("GET")
api.HandleFunc("/projects/{project}/buckets/{bucket}/geofence", server.createGeofenceForBucket).Methods("POST")
api.HandleFunc("/projects/{project}/buckets/{bucket}/geofence", server.deleteGeofenceForBucket).Methods("DELETE")
api.HandleFunc("/apikeys/{apikey}", server.deleteAPIKey).Methods("DELETE")
api.HandleFunc("/restkeys/{useremail}", server.addRESTKey).Methods("POST")
api.HandleFunc("/restkeys/{apikey}/revoke", server.revokeRESTKey).Methods("PUT")
// prod owners only
fullAccessAPI := api.NewRoute().Subrouter()
fullAccessAPI.Use(withAuth(log, config, nil))
fullAccessAPI.HandleFunc("/users", server.addUser).Methods("POST")
fullAccessAPI.HandleFunc("/users/{useremail}", server.updateUser).Methods("PUT")
fullAccessAPI.HandleFunc("/users/{useremail}", server.deleteUser).Methods("DELETE")
fullAccessAPI.HandleFunc("/users/{useremail}/mfa", server.disableUserMFA).Methods("DELETE")
fullAccessAPI.HandleFunc("/oauth/clients", server.createOAuthClient).Methods("POST")
fullAccessAPI.HandleFunc("/oauth/clients/{id}", server.updateOAuthClient).Methods("PUT")
fullAccessAPI.HandleFunc("/oauth/clients/{id}", server.deleteOAuthClient).Methods("DELETE")
fullAccessAPI.HandleFunc("/projects", server.addProject).Methods("POST")
fullAccessAPI.HandleFunc("/projects/{project}", server.renameProject).Methods("PUT")
fullAccessAPI.HandleFunc("/projects/{project}", server.deleteProject).Methods("DELETE")
fullAccessAPI.HandleFunc("/projects/{project}", server.getProject).Methods("GET")
fullAccessAPI.HandleFunc("/projects/{project}/apikeys", server.addAPIKey).Methods("POST")
fullAccessAPI.HandleFunc("/projects/{project}/apikeys", server.listAPIKeys).Methods("GET")
fullAccessAPI.HandleFunc("/projects/{project}/apikeys/{name}", server.deleteAPIKeyByName).Methods("DELETE")
fullAccessAPI.HandleFunc("/projects/{project}/buckets/{bucket}", server.getBucketInfo).Methods("GET")
fullAccessAPI.HandleFunc("/projects/{project}/buckets/{bucket}/geofence", server.createGeofenceForBucket).Methods("POST")
fullAccessAPI.HandleFunc("/projects/{project}/buckets/{bucket}/geofence", server.deleteGeofenceForBucket).Methods("DELETE")
fullAccessAPI.HandleFunc("/projects/{project}/usage", server.checkProjectUsage).Methods("GET")
fullAccessAPI.HandleFunc("/apikeys/{apikey}", server.deleteAPIKey).Methods("DELETE")
fullAccessAPI.HandleFunc("/restkeys/{useremail}", server.addRESTKey).Methods("POST")
fullAccessAPI.HandleFunc("/restkeys/{apikey}/revoke", server.revokeRESTKey).Methods("PUT")
// limit update access required
limitUpdateAPI := api.NewRoute().Subrouter()
limitUpdateAPI.Use(withAuth(log, config, []string{config.Groups.LimitUpdate}))
limitUpdateAPI.HandleFunc("/users/{useremail}", server.userInfo).Methods("GET")
limitUpdateAPI.HandleFunc("/users/{useremail}/limits", server.userLimits).Methods("GET")
limitUpdateAPI.HandleFunc("/users/{useremail}/limits", server.updateLimits).Methods("PUT")
limitUpdateAPI.HandleFunc("/users/{useremail}/freeze", server.freezeUser).Methods("PUT")
limitUpdateAPI.HandleFunc("/users/{useremail}/freeze", server.unfreezeUser).Methods("DELETE")
limitUpdateAPI.HandleFunc("/projects/{project}/limit", server.getProjectLimit).Methods("GET")
limitUpdateAPI.HandleFunc("/projects/{project}/limit", server.putProjectLimit).Methods("PUT", "POST")
// This handler must be the last one because it uses the root as prefix,
// otherwise will try to serve all the handlers set after this one.
@ -173,7 +181,10 @@ func (server *Server) Close() error {
return Error.Wrap(server.server.Close())
}
func allowedAuthorization(log *zap.Logger, config Config) func(next http.Handler) http.Handler {
// withAuth checks if the requester is authorized to perform an operation. If the request did not come from the oauth proxy, verify the auth token.
// Otherwise, check that the user has the required permissions to conduct the operation. `allowedGroups` is a list of groups that are authorized.
// If it is nil, then the api method is not accessible from the oauth proxy.
func withAuth(log *zap.Logger, config Config, allowedGroups []string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -194,6 +205,37 @@ func allowedAuthorization(log *zap.Logger, config Config) func(next http.Handler
"", http.StatusForbidden)
return
}
} else {
// request made from oauth proxy. Check user groups against allowedGroups.
if allowedGroups == nil {
sendJSONError(w, "Forbidden",
"This operation is not authorized through oauth. Please contact a production owner to proceed.", http.StatusForbidden)
return
}
var allowed bool
userGroupsString := r.Header.Get("X-Forwarded-Groups")
userGroups := strings.Split(userGroupsString, ",")
for _, userGroup := range userGroups {
if userGroup == "" {
continue
}
for _, permGroup := range allowedGroups {
if userGroup == permGroup {
allowed = true
break
}
}
if allowed {
break
}
}
if !allowed {
sendJSONError(w, "Forbidden",
fmt.Sprintf("User must be a member of one of these groups to conduct this operation: %s", allowedGroups), http.StatusForbidden)
return
}
}
log.Info(