Disallow sharing of user-endpoints through invites (#4753)

Signed-off-by: Thomas Quandt <[email protected]>
cloudfoundry · Feb 9, 2021 · ec30299 · ec30299
1 parent fc6a400
commit ec30299
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 5 deletions.
diff --git a/src/frontend/packages/cloud-foundry/src/features/cf/user-invites/user-invite.service.ts b/src/frontend/packages/cloud-foundry/src/features/cf/user-invites/user-invite.service.ts
@@ -143,13 +143,15 @@ export class UserInviteService {
       map(v => v.entity.metadata && v.entity.metadata.userInviteAllowed === 'true')
     );
 
-    this.canConfigure$ = combineLatest(
+    this.canConfigure$ = combineLatest([
       waitForCFPermissions(this.store, this.activeRouteCfOrgSpace.cfGuid),
-      this.store.select('auth')
-    ).pipe(
-      map(([cf, auth]) =>
+      this.store.select('auth'),
+      cfEndpointService.endpoint$
+    ]).pipe(
+      map(([cf, auth, endpoint]) =>
         cf.global.isAdmin &&
-        auth.sessionData['plugin-config'] && auth.sessionData['plugin-config'].userInvitationsEnabled === 'true')
+        auth.sessionData['plugin-config'] && auth.sessionData['plugin-config'].userInvitationsEnabled === 'true' &&
+        endpoint.entity.creator.admin) 
     );
   }
 

diff --git a/src/jetstream/info.go b/src/jetstream/info.go
@@ -111,6 +111,7 @@ func (p *portalProxy) getInfo(c echo.Context) (*interfaces.Info, error) {
 			u, err := p.StratosAuthService.GetUser(cnsi.Creator)
 			if err == nil {
 				endpoint.Creator.Admin = u.Admin
+				// dont set username of admins for security reasons
 				if u.Admin == false {
 					endpoint.Creator.Name = u.Name
 				}

diff --git a/src/jetstream/plugins/userinvite/admin.go b/src/jetstream/plugins/userinvite/admin.go
@@ -79,6 +79,11 @@ func (invite *UserInvite) configure(c echo.Context) error {
 		)
 	}
 
+	_, err := invite.checkEndpointCreator(cfGUID, c)
+	if err != nil {
+		return err
+	}
+
 	uaaRecord, _, err := invite.RefreshToken(cfGUID, clientID, clientSecret)
 	if err != nil {
 		return err

diff --git a/src/jetstream/plugins/userinvite/auth.go b/src/jetstream/plugins/userinvite/auth.go
@@ -119,6 +119,42 @@ func (invite *UserInvite) refreshToken(clientID, clientSecret string, endpoint i
 	return &uaaResponse, tokenRecord, nil
 }
 
+// Check that there is an endpoint with the specified ID and if the creator is an admin
+func (invite *UserInvite) checkEndpointCreator(cfGUID string, c echo.Context) (interfaces.CNSIRecord, error) {
+	endpoint, err := invite.portalProxy.GetCNSIRecord(cfGUID)
+	if err != nil {
+		// Could find the endpoint
+		return interfaces.CNSIRecord{}, interfaces.NewHTTPShadowError(
+			http.StatusBadRequest,
+			"Can not find enpoint",
+			"Can not find enpoint: %s", cfGUID,
+		)
+	}
+
+	if len(endpoint.Creator) > 0 {
+		stratosAuthService := invite.portalProxy.GetStratosAuthService()
+
+		creator, err := stratosAuthService.GetUser(endpoint.Creator)
+		if err != nil {
+			return interfaces.CNSIRecord{}, interfaces.NewHTTPShadowError(
+				http.StatusBadRequest,
+				"Can not find creator account",
+				"Can not find creator account: %s", endpoint.Creator,
+			)
+		}
+
+		if !creator.Admin {
+			return interfaces.CNSIRecord{}, interfaces.NewHTTPShadowError(
+				http.StatusBadRequest,
+				"Not an admin endpoint",
+				"Not an admin endpoint: %s", cfGUID,
+			)
+		}
+	}
+
+	return endpoint, nil
+}
+
 func (invite *UserInvite) checkEndpoint(cfGUID string) (interfaces.CNSIRecord, error) {
 	// Check that there is an endpoint with the specified ID and that it is a Cloud Foundry endpoint
 	endpoint, err := invite.portalProxy.GetCNSIRecord(cfGUID)