- standard user cannot delete another users api-keys (#6208) (#6217)

- added new method to get api key by ID - added tests
2021-12-06 10:21:33 +13:00 · 2021-12-06 10:21:33 +13:00 · 5839f96787
parent 7cc28b10a0
commit 5839f96787
5 changed files with 56 additions and 0 deletions
--- a/api/apikey/apikey.go
+++ b/api/apikey/apikey.go
@ -11,6 +11,7 @@ import (
 type APIKeyService interface {
 	HashRaw(rawKey string) []byte
 	GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error)
+	GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error)
 	GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error)
 	GetDigestUserAndKey(digest []byte) (portainer.User, portainer.APIKey, error)
 	UpdateAPIKey(apiKey *portainer.APIKey) error
--- a/api/apikey/service.go
+++ b/api/apikey/service.go
@ -63,6 +63,11 @@ func (a *apiKeyService) GenerateApiKey(user portainer.User, description string)
 	return prefixedAPIKey, apiKey, nil
 }

+// GetAPIKey returns an API key by its ID.
+func (a *apiKeyService) GetAPIKey(apiKeyID portainer.APIKeyID) (*portainer.APIKey, error) {
+	return a.apiKeyRepository.GetAPIKey(apiKeyID)
+}
+
 // GetAPIKeys returns all the API keys associated to a user.
 func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey, error) {
 	return a.apiKeyRepository.GetAPIKeysByUserID(userID)
--- a/api/apikey/service_test.go
+++ b/api/apikey/service_test.go
@ -71,6 +71,26 @@ func Test_GenerateApiKey(t *testing.T) {
 	})
 }

+func Test_GetAPIKey(t *testing.T) {
+	is := assert.New(t)
+
+	store, teardown := bolt.MustNewTestStore(true)
+	defer teardown()
+
+	service := NewAPIKeyService(store.APIKeyRepository(), store.User())
+
+	t.Run("Successfully returns all API keys", func(t *testing.T) {
+		user := portainer.User{ID: 1}
+		_, apiKey, err := service.GenerateApiKey(user, "test-1")
+		is.NoError(err)
+
+		apiKeyGot, err := service.GetAPIKey(apiKey.ID)
+		is.NoError(err)
+
+		is.Equal(apiKey, apiKeyGot)
+	})
+}
+
 func Test_GetAPIKeys(t *testing.T) {
 	is := assert.New(t)

--- a/api/http/handler/users/user_remove_access_token.go
+++ b/api/http/handler/users/user_remove_access_token.go
@ -56,6 +56,15 @@ func (handler *Handler) userRemoveAccessToken(w http.ResponseWriter, r *http.Req
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a user with the specified identifier inside the database", err}
 	}

+	// check if the key exists and the key belongs to the user
+	apiKey, err := handler.apiKeyService.GetAPIKey(portainer.APIKeyID(apiKeyID))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "API Key not found", err}
+	}
+	if apiKey.UserID != portainer.UserID(userID) {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to remove api-key", httperrors.ErrUnauthorized}
+	}
+
 	err = handler.apiKeyService.DeleteAPIKey(portainer.APIKeyID(apiKeyID))
 	if err != nil {
 		if err == apikey.ErrInvalidAPIKey {
--- a/api/http/handler/users/user_remove_access_token_test.go
+++ b/api/http/handler/users/user_remove_access_token_test.go
@ -97,4 +97,25 @@ func Test_userRemoveAccessToken(t *testing.T) {

 		is.Equal(0, len(keys))
 	})
+
+	t.Run("user cannot delete another users API Keys using api-key auth", func(t *testing.T) {
+		_, adminAPIKey, err := apiKeyService.GenerateApiKey(*adminUser, "admin-key")
+		is.NoError(err)
+
+		rawAPIKey, _, err := apiKeyService.GenerateApiKey(*user, "user-key")
+		is.NoError(err)
+
+		req := httptest.NewRequest(http.MethodDelete, fmt.Sprintf("/users/%d/tokens/%d", user.ID, adminAPIKey.ID), nil)
+		req.Header.Add("x-api-key", rawAPIKey)
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		is.Equal(http.StatusForbidden, rr.Code)
+
+		adminKeyGot, err := apiKeyService.GetAPIKey(adminAPIKey.ID)
+		is.NoError(err)
+
+		is.Equal(adminAPIKey, adminKeyGot)
+	})
 }