Fix wrong authorization level on selected routes

Fix leaking of username on failed authorization Add comment to chronograf.UserQuery Fix logic in hasPrivilege method
2017-10-18 15:45:06 -04:00 · 2017-10-18 15:45:06 -04:00 · 8d472646cd
parent a0d300d280
commit 8d472646cd
3 changed files with 11 additions and 18 deletions
--- a/chronograf.go
+++ b/chronograf.go
@ -606,6 +606,8 @@ type User struct {
 	Scheme      string      `json:"scheme,omitempty"`
 }

+// UserQuery represents the attributes that a user may be retrieved by.
+// It is predominantly used in the UsersStore.Get method.
 type UserQuery struct {
 	ID       *uint64
 	Name     *string
--- a/server/auth.go
+++ b/server/auth.go
@ -2,7 +2,6 @@ package server

 import (
 	"context"
-	"fmt"
 	"net/http"

 	"github.com/influxdata/chronograf"
@ -68,35 +67,35 @@ func AuthorizedUser(store chronograf.UsersStore, useAuth bool, role string, logg
 		username, err := getUsername(ctx)
 		if err != nil {
 			log.Error("Failed to retrieve username from context")
-			Error(w, http.StatusUnauthorized, fmt.Sprintf("User is not authorized"), logger)
+			Error(w, http.StatusUnauthorized, "User is not authorized", logger)
 			return
 		}
 		provider, err := getProvider(ctx)
 		if err != nil {
 			log.Error("Failed to retrieve provider from context")
-			Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)
+			Error(w, http.StatusUnauthorized, "User is not authorized", logger)
 			return
 		}

 		u, err := store.Get(ctx, chronograf.UserQuery{Name: &username, Provider: &provider})
 		if err != nil {
 			log.Error("Error to retrieving user")
-			Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)
+			Error(w, http.StatusUnauthorized, "User is not authorized", logger)
 			return
 		}

-		if hasPrivelege(u, role) {
+		if hasPrivilege(u, role) {
 			next(w, r)
 			return
 		}

-		Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)
+		Error(w, http.StatusUnauthorized, "User is not authorized", logger)
 		return

 	})
 }

-func hasPrivelege(u *chronograf.User, role string) bool {
+func hasPrivilege(u *chronograf.User, role string) bool {
 	if u == nil {
 		return false
 	}
@ -107,8 +106,6 @@ func hasPrivelege(u *chronograf.User, role string) bool {
 			switch r.Name {
 			case ViewerRoleName, EditorRoleName, AdminRoleName:
 				return true
-			default:
-				return false
 			}
 		}
 	case EditorRoleName:
@ -116,8 +113,6 @@ func hasPrivelege(u *chronograf.User, role string) bool {
 			switch r.Name {
 			case EditorRoleName, AdminRoleName:
 				return true
-			default:
-				return false
 			}
 		}
 	case AdminRoleName:
@ -125,12 +120,8 @@ func hasPrivelege(u *chronograf.User, role string) bool {
 			switch r.Name {
 			case AdminRoleName:
 				return true
-			default:
-				return false
 			}
 		}
-	default:
-		return false
 	}

 	return false
--- a/server/mux.go
+++ b/server/mux.go
@ -91,7 +91,7 @@ func NewMux(opts MuxOpts, service Service) http.Handler {
 	router.DELETE("/chronograf/v1/sources/:id", EnsureEditor(service.RemoveSource))

 	// Source Proxy to Influx; Has gzip compression around the handler
-	influx := gziphandler.GzipHandler(http.HandlerFunc(service.Influx))
+	influx := gziphandler.GzipHandler(http.HandlerFunc(EnsureViewer(service.Influx)))
 	router.Handler("POST", "/chronograf/v1/sources/:id/proxy", influx)

 	// Write proxies line protocol write requests to InfluxDB
@ -101,7 +101,7 @@ func NewMux(opts MuxOpts, service Service) http.Handler {
 	router.POST("/chronograf/v1/sources/:id/queries", EnsureEditor(service.Queries))

 	// All possible permissions for users in this source
-	router.GET("/chronograf/v1/sources/:id/permissions", EnsureAdmin(service.Permissions))
+	router.GET("/chronograf/v1/sources/:id/permissions", EnsureViewer(service.Permissions))

 	// Users associated with the data source
 	router.GET("/chronograf/v1/sources/:id/users", EnsureViewer(service.SourceUsers))
@ -197,7 +197,7 @@ func NewMux(opts MuxOpts, service Service) http.Handler {
 	router.POST("/chronograf/v1/sources/:id/dbs/:dbid/rps", EnsureEditor(service.NewRetentionPolicy))

 	router.PUT("/chronograf/v1/sources/:id/dbs/:dbid/rps/:rpid", EnsureEditor(service.UpdateRetentionPolicy))
-	router.DELETE("/chronograf/v1/sources/:id/dbs/:dbid/rps/:rpid", EnsureEditor(service.DropRetentionPolicy))
+	router.DELETE("/chronograf/v1/sources/:id/dbs/:dbid/rps/:rpid", EnsureAdmin(service.DropRetentionPolicy))

 	allRoutes := &AllRoutes{
 		Logger:      opts.Logger,