extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2025-01-08 23:20:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

access grant checking for access (#432)

Browse Source
This commit is contained in:
Michael Quigley 2024-03-04 13:56:02 -05:00
parent 12639c27e6
commit d9019d1ef3
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
2 changed files with 33 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
controller/access.go
View File

@ -27,12 +27,14 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
envZId := params.Body.EnvZID
envId := 0
ownerAcctId := 0
if envs, err := str.FindEnvironmentsForAccount(int(principal.ID), trx); err == nil {
found := false
for _, env := range envs {
if env.ZId == envZId {
logrus.Debugf("found identity '%v' for user '%v'", envZId, principal.Email)
envId = env.Id
ownerAcctId = *env.AccountId
found = true
break
}
@ -57,9 +59,10 @@ func (h *accessHandler) Handle(params share.AccessParams, principal *rest_model_
return share.NewAccessNotFound()
}
if shr.PermissionMode != store.OpenPermissionMode {
logrus.Errorf("closed permission mode selected")
return share.NewAccessNotFound()
if shr.PermissionMode == store.ClosedPermissionMode {
if err := h.checkAccessGrants(shr, ownerAcctId, principal, trx); err != nil {
logrus.Errorf("closed permission mode for '%v' fails for '%v': %v", shr.Token, principal.Email, err)
}
}
if err := h.checkLimits(shr, trx); err != nil {
@ -116,3 +119,18 @@ func (h *accessHandler) checkLimits(shr *store.Share, trx *sqlx.Tx) error {
}
return nil
}
func (h *accessHandler) checkAccessGrants(shr *store.Share, ownerAccountId int, principal *rest_model_zrok.Principal, trx *sqlx.Tx) error {
if int(principal.ID) == ownerAccountId {
logrus.Infof("accessing own share '%v' for '%v'", shr.Token, principal.Email)
return nil
}
count, err := str.CheckAccessGrantForShareAndAccount(shr.Id, int(principal.ID), trx)
if err != nil {
return err
}
if count > 0 {
return nil
}
return errors.Errorf("access denied for '%v' accessing '%v'", principal.Email, shr.Token)
}

15
controller/store/accessGrant.go
View File

@ -23,10 +23,10 @@ func (str *Store) CreateAccessGrant(shareId, accountId int, tx *sqlx.Tx) (int, e
return id, nil
}
func (str *Store) FindAccessGrantsForAccount(accountId int, tx *sqlx.Tx) ([]*AccessGrant, error) {
rows, err := tx.Queryx("select access_grants.* from access_grants where account_id = $1 and not deleted", accountId)
func (str *Store) FindAccessGrantsForShare(shrId int, tx *sqlx.Tx) ([]*AccessGrant, error) {
rows, err := tx.Queryx("select access_grants.* from access_grants where share_id = $1 and not deleted", shrId)
if err != nil {
return nil, errors.Wrap(err, "error selecting access_grants by account_id")
return nil, errors.Wrap(err, "error selecting access_grants by share_id")
}
var ags []*AccessGrant
for rows.Next() {
@ -39,6 +39,15 @@ func (str *Store) FindAccessGrantsForAccount(accountId int, tx *sqlx.Tx) ([]*Acc
return ags, nil
}
func (str *Store) CheckAccessGrantForShareAndAccount(shrId, acctId int, tx *sqlx.Tx) (int, error) {
count := 0
err := tx.QueryRowx("select count(0) from access_grans where share_id = $1 and account_id = $2", shrId, acctId).StructScan(&count)
if err != nil {
return 0, errors.Wrap(err, "error selecting access_grants by share_id and account_id")
}
return count, nil
}
func (str *Store) DeleteAccessGrant(id int, tx *sqlx.Tx) error {
stmt, err := tx.Prepare("update access_grants set updated_at = current_timestamp, deleted = true where id = $1")
if err != nil {