
Merge pull request #52 from jmpsec/permissions-ui
Permissions for users
javuto authored Mar 20, 2020
2 parents 34c643e + 75456a7 commit 2488696
Showing 30 changed files with 1,725 additions and 1,134 deletions.
50 changes: 48 additions & 2 deletions admin/auth.go
Expand Up @@ -25,8 +25,54 @@ const (
)

// Helper to verify if user is an admin
func checkAdminLevel(level string) bool {
return (level == adminLevel)
func checkAdminLevel(user users.AdminUser) bool {
return user.Admin
}

// Helper to check if query access is granted
func checkQueryLevel(permissions users.UserPermissions) bool {
return permissions.Query
}

// Helper to check if carve access is granted
func checkCarveLevel(permissions users.UserPermissions) bool {
return permissions.Carve
}

// Helper to check if environment access is granted
func checkEnvironmentLevel(permissions users.UserPermissions, environment string) bool {
return permissions.Environments[environment]
}

// Helper to check permissions for a user
func checkPermissions(username string, query, carve, env bool, environment string) bool {
exist, user := adminUsers.ExistsGet(username)
if !exist {
return false
}
// Admin always have access
if user.Admin {
return true
}
perms, err := adminUsers.ConvertPermissions(user.Permissions.RawMessage)
if err != nil {
log.Printf("error converting permissions %v", err)
return false
}
// Check for query access
if query {
return checkQueryLevel(perms)
}
// Check for carve access
if carve {
return checkCarveLevel(perms)
}
// Check for environment access
if env {
return checkEnvironmentLevel(perms, environment)
}
// At this point, no access granted
return false
}

// Handler to check access to a resource based on the authentication enabled
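Review bot: checkPermissions decides which permission to test by whichever of query, carve, env is true first and returns false when none of them is set, so a call like `checkPermissions(user, false, false, false, "")` means "admin only" and a call with two flags set silently checks only the first; neither rule is written down and the call sites in admin/handlers-get.go are hard to read as a result. Document the contract on the function, e.g. `// checkPermissions grants access to admins unconditionally; otherwise it checks exactly one of query, carve or env (in that priority) and denies when none is requested.` One helper per resource (or a small permission enum) would make call sites self-describing, but that is a matter of style. Failing closed on an unknown user and on a permissions decode error is the right default and worth keeping. If adminLevel from the const block above this hunk is no longer referenced now that the string comparison in checkAdminLevel is gone, it can be dropped.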
92 changes: 74 additions & 18 deletions admin/handlers-get.go
Expand Up @@ -101,6 +101,14 @@ func environmentHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("error unknown environment (%s)", env)
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkPermissions(ctx[ctxUser], false, false, true, env) {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricTokenErr)
return
}
// Extract target
// FIXME verify target
target, ok := vars["target"]
Expand Down Expand Up @@ -132,8 +140,6 @@ func environmentHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("error getting platforms: %v", err)
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Prepare template data
templateData := TableTemplateData{
Title: "Nodes in " + env,
Expand Down Expand Up @@ -176,6 +182,14 @@ func platformHandler(w http.ResponseWriter, r *http.Request) {
log.Println("error getting target")
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkPermissions(ctx[ctxUser], false, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricTokenErr)
return
}
// Prepare template
t, err := template.ParseFiles(
templatesFilesFolder+"/table.html",
Expand Down Expand Up @@ -204,8 +218,6 @@ func platformHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("error getting platforms: %v", err)
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Prepare template data
templateData := TableTemplateData{
Title: "Nodes in " + platform,
Expand Down Expand Up @@ -234,7 +246,7 @@ func queryRunGETHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], true, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -310,7 +322,7 @@ func queryListGETHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], true, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -363,7 +375,7 @@ func carvesRunGETHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], false, true, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -433,7 +445,7 @@ func carvesListGETHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], false, true, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -486,7 +498,7 @@ func queryLogsHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], true, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -568,7 +580,7 @@ func carvesDetailsHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], false, true, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -676,6 +688,14 @@ func confGETHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("error unknown environment (%s)", envVar)
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkPermissions(ctx[ctxUser], false, false, true, envVar) {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
}
// Prepare template
tempateFiles := NewTemplateFiles(templatesFilesFolder, "conf.html").filepaths
t, err := template.ParseFiles(tempateFiles...)
Expand Down Expand Up @@ -705,8 +725,6 @@ func confGETHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("error getting environment %v", err)
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Prepare template data
templateData := ConfTemplateData{
Title: envVar + " Configuration",
Expand Down Expand Up @@ -744,6 +762,14 @@ func enrollGETHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("error unknown environment (%s)", envVar)
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkPermissions(ctx[ctxUser], false, false, true, envVar) {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
}
// Prepare template
tempateFiles := NewTemplateFiles(templatesFilesFolder, "enroll.html").filepaths
t, err := template.ParseFiles(tempateFiles...)
Expand Down Expand Up @@ -773,8 +799,6 @@ func enrollGETHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("error getting environment %v", err)
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Prepare template data
shellQuickAdd, _ := environments.QuickAddOneLinerShell(env)
powershellQuickAdd, _ := environments.QuickAddOneLinerPowershell(env)
Expand Down Expand Up @@ -886,7 +910,7 @@ func envsGETHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], false, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -939,7 +963,7 @@ func settingsGETHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], false, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -1019,7 +1043,7 @@ func usersGETHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], false, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
Expand Down Expand Up @@ -1077,6 +1101,38 @@ func usersGETHandler(w http.ResponseWriter, r *http.Request) {
incMetric(metricAdminOK)
}

// Handler for platform/environment stats in JSON
func permissionsGETHandler(w http.ResponseWriter, r *http.Request) {
incMetric(metricAdminReq)
utils.DebugHTTPDump(r, settingsmgr.DebugHTTP(settings.ServiceAdmin), false)
vars := mux.Vars(r)
// Extract username and verify
usernameVar, ok := vars["username"]
if !ok || !adminUsers.Exists(usernameVar) {
if settingsmgr.DebugService(settings.ServiceAdmin) {
log.Printf("DebugService: error getting username")
}
return
}
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkPermissions(ctx[ctxUser], false, false, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
}
// Get permissions
permissions, err := adminUsers.GetPermissions(usernameVar)
if err != nil {
incMetric(metricAdminErr)
log.Printf("error getting permissions %v", err)
}
// Serve JSON
utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, permissions)
incMetric(metricJSONOK)
}

// Handler for GET requests to download carves
func carvesDownloadHandler(w http.ResponseWriter, r *http.Request) {
incMetric(metricAdminReq)
Expand All @@ -1085,7 +1141,7 @@ func carvesDownloadHandler(w http.ResponseWriter, r *http.Request) {
// Get context data
ctx := r.Context().Value(contextKey("session")).(contextValue)
// Check permissions
if !checkAdminLevel(ctx[ctxLevel]) {
if !checkPermissions(ctx[ctxUser], false, true, false, "") {
log.Printf("%s has insuficient permissions", ctx[ctxUser])
incMetric(metricAdminErr)
return
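Review bot: In permissionsGETHandler the error branch after adminUsers.GetPermissions logs and counts the failure but does not return, so the handler still serves a 200 with whatever zero value `permissions` holds; add `return` after the `log.Printf("error getting permissions %v", err)` line, writing an error status first if the surrounding handlers do so. The doc comment above that function, `// Handler for platform/environment stats in JSON`, looks copied from another handler and should read something like `// Handler for GET requests to retrieve the permissions of a user in JSON`. In the same function the username existence lookup runs on caller-supplied input before the authorization check; swapping the two keeps the handler fail-closed for callers who are not admins. In environmentHandler the new permission-denied branch increments metricTokenErr while every other new check in this file uses metricAdminErr, which looks like a copy-paste slip.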
