canonical · benhoyt · Jul 16, 2024 · Jun 12, 2024 · Jun 12, 2024 · Jun 12, 2024
diff --git a/internals/cli/cmd_notices.go b/internals/cli/cmd_notices.go
@@ -54,7 +54,7 @@ func init() {
 		Summary:     cmdNoticesSummary,
 		Description: cmdNoticesDescription,
 		ArgsHelp: merge(timeArgsHelp, map[string]string{
-			"--users":   "Show all notices with any user ID (admin only; cannot be used with --uid)",
+			"--users":   "'all' to list all notices with any user ID (admin only; cannot be used with --uid)",
 			"--uid":     "Only list notices with this user ID (admin only; cannot be used with --users)",
 			"--type":    "Only list notices of this type (multiple allowed)",
 			"--key":     "Only list notices with this key (multiple allowed)",

diff --git a/internals/daemon/access.go b/internals/daemon/access.go
@@ -16,40 +16,55 @@ package daemon
 
 import (
 	"net/http"
-	"os"
+
+	"github.com/canonical/pebble/internals/overlord/state"
+)
+
+const (
+	accessDenied = "access denied"
 )
 
 // AccessChecker checks whether a particular request is allowed.
 type AccessChecker interface {
-	// Check if access should be granted or denied. In case of granting access,
-	// return nil. In case access is denied, return a non-nil error response,
-	// such as Unauthorized("access denied").
-	CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response
+	// CheckAccess reports whether access should be granted or denied. If
+	// access is granted, return nil. If access is denied, return a non-nil
+	// error such as Unauthorized("access denied").
+	CheckAccess(d *Daemon, r *http.Request, user *UserState) Response
 }
 
-// OpenAccess allows all requests, including non-local sockets (e.g. TCP)
+// OpenAccess allows all requests, including non-local sockets (for example, TCP).
 type OpenAccess struct{}
 
-func (ac OpenAccess) CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response {
+func (ac OpenAccess) CheckAccess(d *Daemon, r *http.Request, user *UserState) Response {
 	return nil
 }
 
-// AdminAccess allows requests over the UNIX domain socket from the root uid and the current user's uid
+// AdminAccess allows requests over the unix domain socket from the root UID
+// and the current user's UID.
 type AdminAccess struct{}
 
-func (ac AdminAccess) CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response {
-	if ucred != nil && (ucred.Uid == 0 || ucred.Uid == uint32(os.Getuid())) {
+func (ac AdminAccess) CheckAccess(d *Daemon, r *http.Request, user *UserState) Response {
+	if user == nil {
+		return Unauthorized(accessDenied)
+	}
+	if user.Access == state.AdminAccess {
 		return nil
 	}
-	return Unauthorized("access denied")
+	// An identity explicitly set to "access: read" or "access: untrusted" isn't allowed.
+	return Unauthorized(accessDenied)
 }
 
 // UserAccess allows requests over the UNIX domain socket from any local user
 type UserAccess struct{}
 
-func (ac UserAccess) CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response {
-	if ucred == nil {
-		return Unauthorized("access denied")
+func (ac UserAccess) CheckAccess(d *Daemon, r *http.Request, user *UserState) Response {
+	if user == nil {
+		return Unauthorized(accessDenied)
 	}
-	return nil
+	switch user.Access {
+	case state.ReadAccess, state.AdminAccess:
+		return nil
+	}
+	// An identity explicitly set to "access: untrusted" isn't allowed.
+	return Unauthorized(accessDenied)
 }
diff --git a/internals/daemon/access_test.go b/internals/daemon/access_test.go
@@ -15,15 +15,13 @@
 package daemon_test
 
 import (
-	"os"
-
 	. "gopkg.in/check.v1"
 
 	"github.com/canonical/pebble/internals/daemon"
+	"github.com/canonical/pebble/internals/overlord/state"
 )
 
-type accessSuite struct {
-}
+type accessSuite struct{}
 
 var _ = Suite(&accessSuite{})
 
@@ -33,50 +31,43 @@ func (s *accessSuite) TestOpenAccess(c *C) {
 	var ac daemon.AccessChecker = daemon.OpenAccess{}
 
 	// OpenAccess allows access without peer credentials.
-	c.Check(ac.CheckAccess(nil, nil, nil, nil), IsNil)
-
-	// OpenAccess allows access from normal user
-	ucred := &daemon.Ucrednet{Uid: 42, Pid: 100}
-	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
-
-	// OpenAccess allows access from root user
-	ucred = &daemon.Ucrednet{Uid: 0, Pid: 100}
-	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+	c.Check(ac.CheckAccess(nil, nil, nil), IsNil)
+
+	// User with "access: admin|read|untrusted" is granted access
+	user := &daemon.UserState{Access: state.AdminAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), IsNil)
+	user = &daemon.UserState{Access: state.ReadAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), IsNil)
+	user = &daemon.UserState{Access: state.UntrustedAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), IsNil)
 }
 
 func (s *accessSuite) TestUserAccess(c *C) {
 	var ac daemon.AccessChecker = daemon.UserAccess{}
 
 	// UserAccess denies access without peer credentials.
-	c.Check(ac.CheckAccess(nil, nil, nil, nil), DeepEquals, errUnauthorized)
+	c.Check(ac.CheckAccess(nil, nil, nil), DeepEquals, errUnauthorized)
 
-	// UserAccess allows access from root user
-	ucred := &daemon.Ucrednet{Uid: 0, Pid: 100}
-	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+	// User with "access: admin|read" is granted access
+	user := &daemon.UserState{Access: state.AdminAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), IsNil)
+	user = &daemon.UserState{Access: state.ReadAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), IsNil)
 
-	// UserAccess allows access form normal user
-	ucred = &daemon.Ucrednet{Uid: 42, Pid: 100}
-	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+	// But not UntrustedAccess
+	user = &daemon.UserState{Access: state.UntrustedAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), DeepEquals, errUnauthorized)
 }
 
 func (s *accessSuite) TestAdminAccess(c *C) {
 	var ac daemon.AccessChecker = daemon.AdminAccess{}
 
 	// AdminAccess denies access without peer credentials.
-	c.Check(ac.CheckAccess(nil, nil, nil, nil), DeepEquals, errUnauthorized)
-
-	// Current user's UID
-	uid := uint32(os.Getuid())
-
-	// Non-root users that are different from the current user are forbidden
-	ucred := &daemon.Ucrednet{Uid: uid + 1, Pid: 100}
-	c.Check(ac.CheckAccess(nil, nil, ucred, nil), DeepEquals, errUnauthorized)
-
-	// The current user is granted access
-	ucred = &daemon.Ucrednet{Uid: uid, Pid: 100}
-	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+	c.Check(ac.CheckAccess(nil, nil, nil), DeepEquals, errUnauthorized)
 
-	// Root is granted access
-	ucred = &daemon.Ucrednet{Uid: 0, Pid: 100}
-	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+	// But not ReadAccess or UntrustedAccess
+	user := &daemon.UserState{Access: state.ReadAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), DeepEquals, errUnauthorized)
+	user = &daemon.UserState{Access: state.UntrustedAccess}
+	c.Check(ac.CheckAccess(nil, nil, user), DeepEquals, errUnauthorized)
 }
diff --git a/internals/daemon/api_notices.go b/internals/daemon/api_notices.go
@@ -42,30 +42,30 @@ type addedNotice struct {
 	ID string `json:"id"`
 }
 
-func v1GetNotices(c *Command, r *http.Request, _ *UserState) Response {
-	query := r.URL.Query()
-
-	requestUID, err := uidFromRequest(r)
-	if err != nil {
+func v1GetNotices(c *Command, r *http.Request, user *UserState) Response {
+	// TODO(benhoyt): the design of notices presumes UIDs; if in future when we
+	//                support identities that aren't UID based, we'll need to fix this.
+	if user == nil || user.UID == nil {
 		return Forbidden("cannot determine UID of request, so cannot retrieve notices")
 	}
-	daemonUID := uint32(sysGetuid())
 
 	// By default, return notices with the request UID and public notices.
-	userID := &requestUID
+	userID := user.UID
 
+	query := r.URL.Query()
 	if len(query["user-id"]) > 0 {
-		if !isAdmin(requestUID, daemonUID) {
+		if user.Access != state.AdminAccess {
 			return Forbidden(`only admins may use the "user-id" filter`)
 		}
+		var err error
 		userID, err = sanitizeUserIDFilter(query["user-id"])
 		if err != nil {
 			return BadRequest(`invalid "user-id" filter: %v`, err)
 		}
 	}
 
 	if len(query["users"]) > 0 {
-		if !isAdmin(requestUID, daemonUID) {
+		if user.Access != state.AdminAccess {
 			return Forbidden(`only admins may use the "users" filter`)
 		}
 		if len(query["user-id"]) > 0 {
@@ -136,15 +136,6 @@ func v1GetNotices(c *Command, r *http.Request, _ *UserState) Response {
 	return SyncResponse(notices)
 }
 
-// Get the UID of the request. If the UID is not known, return an error.
-func uidFromRequest(r *http.Request) (uint32, error) {
-	ucred, err := ucrednetGet(r.RemoteAddr)
-	if err != nil {
-		return 0, fmt.Errorf("could not parse request UID")
-	}
-	return ucred.Uid, nil
-}
-
 // Construct the user IDs filter which will be passed to state.Notices.
 // Must only be called if the query user ID argument is set.
 func sanitizeUserIDFilter(queryUserID []string) (*uint32, error) {
@@ -187,13 +178,8 @@ func sanitizeTypesFilter(queryTypes []string) ([]state.NoticeType, error) {
 	return types, nil
 }
 
-func isAdmin(requestUID, daemonUID uint32) bool {
-	return requestUID == 0 || requestUID == daemonUID
-}
-
-func v1PostNotices(c *Command, r *http.Request, _ *UserState) Response {
-	requestUID, err := uidFromRequest(r)
-	if err != nil {
+func v1PostNotices(c *Command, r *http.Request, user *UserState) Response {
+	if user == nil || user.UID == nil {
 		return Forbidden("cannot determine UID of request, so cannot create notice")
 	}
 
@@ -242,7 +228,7 @@ func v1PostNotices(c *Command, r *http.Request, _ *UserState) Response {
 	st.Lock()
 	defer st.Unlock()
 
-	noticeId, err := st.AddNotice(&requestUID, state.CustomNotice, payload.Key, &state.AddNoticeOptions{
+	noticeId, err := st.AddNotice(user.UID, state.CustomNotice, payload.Key, &state.AddNoticeOptions{
 		Data:        data,
 		RepeatAfter: repeatAfter,
 	})
@@ -253,12 +239,10 @@ func v1PostNotices(c *Command, r *http.Request, _ *UserState) Response {
 	return SyncResponse(addedNotice{ID: noticeId})
 }
 
-func v1GetNotice(c *Command, r *http.Request, _ *UserState) Response {
-	requestUID, err := uidFromRequest(r)
-	if err != nil {
+func v1GetNotice(c *Command, r *http.Request, user *UserState) Response {
+	if user == nil || user.UID == nil {
 		return Forbidden("cannot determine UID of request, so cannot retrieve notice")
 	}
-	daemonUID := uint32(sysGetuid())
 	noticeID := muxVars(r)["id"]
 	st := c.d.overlord.State()
 	st.Lock()
@@ -267,19 +251,22 @@ func v1GetNotice(c *Command, r *http.Request, _ *UserState) Response {
 	if notice == nil {
 		return NotFound("cannot find notice with ID %q", noticeID)
 	}
-	if !noticeViewableByUser(notice, requestUID, daemonUID) {
+	if !noticeViewableByUser(notice, user) {
 		return Forbidden("not allowed to access notice with id %q", noticeID)
 	}
 	return SyncResponse(notice)
 }
 
-func noticeViewableByUser(notice *state.Notice, requestUID, daemonUID uint32) bool {
+func noticeViewableByUser(notice *state.Notice, user *UserState) bool {
 	userID, isSet := notice.UserID()
 	if !isSet {
+		// Notice has no UID, so it's viewable by any user (with a UID).
 		return true
 	}
-	if isAdmin(requestUID, daemonUID) {
+	if user.Access == state.AdminAccess {
+		// User is admin, they can view anything.
 		return true
 	}
-	return requestUID == userID
+	// Otherwise user's UID must match notice's UID.
+	return *user.UID == userID
 }