sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-05-06 17:08:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

[management] permission manager validate account access

Browse Source
This commit is contained in:
Pedro Costa
2025-03-05 16:55:44 +00:00
parent 9325fb7990
commit f9f47b0ad8
25 changed files with 267 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
management/server/account.go
View File

@@ -29,6 +29,7 @@ import (
"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
nbpeer "github.com/netbirdio/netbird/management/server/peer"
"github.com/netbirdio/netbird/management/server/permissions"
"github.com/netbirdio/netbird/management/server/posture"
"github.com/netbirdio/netbird/management/server/settings"
"github.com/netbirdio/netbird/management/server/status"
@@ -89,6 +90,8 @@ type DefaultAccountManager struct {
integratedPeerValidator integrated_validator.IntegratedValidator
metrics telemetry.AppMetrics
permissionsManager permissions.Manager
}
// getJWTGroupsChanges calculates the changes needed to sync a user's JWT groups.
@@ -156,6 +159,7 @@ func BuildManager(
metrics telemetry.AppMetrics,
proxyController port_forwarding.Controller,
settingsManager settings.Manager,
permissionsManager permissions.Manager,
) (*DefaultAccountManager, error) {
start := time.Now()
defer func() {
@@ -180,6 +184,7 @@ func BuildManager(
requestBuffer: NewAccountRequestBuffer(ctx, store),
proxyController: proxyController,
settingsManager: settingsManager,
permissionsManager: permissionsManager,
}
accountsCounter, err := store.GetAccountsCounter(ctx)
if err != nil {
@@ -508,9 +513,10 @@ func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, u
return err
}
if !user.HasAdminPower() {
return status.Errorf(status.PermissionDenied, "user is not allowed to delete account")
}
// @note not necessary, below it explicitly checks for Owner role
// if !user.HasAdminPower() {
// return status.Errorf(status.PermissionDenied, "user is not allowed to delete account")
// }
if user.Role != types.UserRoleOwner {
return status.Errorf(status.PermissionDenied, "user is not allowed to delete account. Only account owner can delete account")
@@ -1027,8 +1033,8 @@ func (am *DefaultAccountManager) GetAccountByID(ctx context.Context, accountID s
return nil, err
}
if user.AccountID != accountID {
return nil, status.Errorf(status.PermissionDenied, "the user has no permission to access account data")
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user); err != nil {
return nil, err
}
return am.Store.GetAccount(ctx, accountID)
@@ -1061,6 +1067,7 @@ func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, u
return accountID, user.Id, nil
}
// @note, this can remain cause above we explicitly early return if auth id for a child account
if user.AccountID != accountID {
return "", "", status.Errorf(status.PermissionDenied, "user %s is not part of the account %s", userAuth.UserId, accountID)
}
@@ -1521,7 +1528,11 @@ func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, account
return nil, err
}
if user.AccountID != accountID || (!user.HasAdminPower() && !user.IsServiceUser) {
if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user); err != nil {
return nil, err
}
if !user.HasAdminPower() && !user.IsServiceUser {
return nil, status.Errorf(status.PermissionDenied, "the user has no permission to access account data")
}