jmpsec · javuto · Mar 20, 2020 · Mar 16, 2020 · Mar 18, 2020 · Mar 18, 2020
diff --git a/admin/auth.go b/admin/auth.go
@@ -25,8 +25,54 @@ const (
 )
 
 // Helper to verify if user is an admin
-func checkAdminLevel(level string) bool {
-	return (level == adminLevel)
+func checkAdminLevel(user users.AdminUser) bool {
+	return user.Admin
+}
+
+// Helper to check if query access is granted
+func checkQueryLevel(permissions users.UserPermissions) bool {
+	return permissions.Query
+}
+
+// Helper to check if carve access is granted
+func checkCarveLevel(permissions users.UserPermissions) bool {
+	return permissions.Carve
+}
+
+// Helper to check if environment access is granted
+func checkEnvironmentLevel(permissions users.UserPermissions, environment string) bool {
+	return permissions.Environments[environment]
+}
+
+// Helper to check permissions for a user
+func checkPermissions(username string, query, carve, env bool, environment string) bool {
+	exist, user := adminUsers.ExistsGet(username)
+	if !exist {
+		return false
+	}
+	// Admin always have access
+	if user.Admin {
+		return true
+	}
+	perms, err := adminUsers.ConvertPermissions(user.Permissions.RawMessage)
+	if err != nil {
+		log.Printf("error converting permissions %v", err)
+		return false
+	}
+	// Check for query access
+	if query {
+		return checkQueryLevel(perms)
+	}
+	// Check for carve access
+	if carve {
+		return checkCarveLevel(perms)
+	}
+	// Check for environment access
+	if env {
+		return checkEnvironmentLevel(perms, environment)
+	}
+	// At this point, no access granted
+	return false
 }
 
 // Handler to check access to a resource based on the authentication enabled

diff --git a/admin/handlers-get.go b/admin/handlers-get.go
@@ -101,6 +101,14 @@ func environmentHandler(w http.ResponseWriter, r *http.Request) {
 		log.Printf("error unknown environment (%s)", env)
 		return
 	}
+	// Get context data
+	ctx := r.Context().Value(contextKey("session")).(contextValue)
+	// Check permissions
+	if !checkPermissions(ctx[ctxUser], false, false, true, env) {
+		log.Printf("%s has insuficient permissions", ctx[ctxUser])
+		incMetric(metricTokenErr)
+		return
+	}
 	// Extract target
 	// FIXME verify target
 	target, ok := vars["target"]
@@ -132,8 +140,6 @@ func environmentHandler(w http.ResponseWriter, r *http.Request) {
 		log.Printf("error getting platforms: %v", err)
 		return
 	}
-	// Get context data
-	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Prepare template data
 	templateData := TableTemplateData{
 		Title:        "Nodes in " + env,
@@ -176,6 +182,14 @@ func platformHandler(w http.ResponseWriter, r *http.Request) {
 		log.Println("error getting target")
 		return
 	}
+	// Get context data
+	ctx := r.Context().Value(contextKey("session")).(contextValue)
+	// Check permissions
+	if !checkPermissions(ctx[ctxUser], false, false, false, "") {
+		log.Printf("%s has insuficient permissions", ctx[ctxUser])
+		incMetric(metricTokenErr)
+		return
+	}
 	// Prepare template
 	t, err := template.ParseFiles(
 		templatesFilesFolder+"/table.html",
@@ -204,8 +218,6 @@ func platformHandler(w http.ResponseWriter, r *http.Request) {
 		log.Printf("error getting platforms: %v", err)
 		return
 	}
-	// Get context data
-	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Prepare template data
 	templateData := TableTemplateData{
 		Title:        "Nodes in " + platform,
@@ -234,7 +246,7 @@ func queryRunGETHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], true, false, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -310,7 +322,7 @@ func queryListGETHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], true, false, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -363,7 +375,7 @@ func carvesRunGETHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], false, true, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -433,7 +445,7 @@ func carvesListGETHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], false, true, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -486,7 +498,7 @@ func queryLogsHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], true, false, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -568,7 +580,7 @@ func carvesDetailsHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], false, true, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -676,6 +688,14 @@ func confGETHandler(w http.ResponseWriter, r *http.Request) {
 		log.Printf("error unknown environment (%s)", envVar)
 		return
 	}
+	// Get context data
+	ctx := r.Context().Value(contextKey("session")).(contextValue)
+	// Check permissions
+	if !checkPermissions(ctx[ctxUser], false, false, true, envVar) {
+		log.Printf("%s has insuficient permissions", ctx[ctxUser])
+		incMetric(metricAdminErr)
+		return
+	}
 	// Prepare template
 	tempateFiles := NewTemplateFiles(templatesFilesFolder, "conf.html").filepaths
 	t, err := template.ParseFiles(tempateFiles...)
@@ -705,8 +725,6 @@ func confGETHandler(w http.ResponseWriter, r *http.Request) {
 		log.Printf("error getting environment %v", err)
 		return
 	}
-	// Get context data
-	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Prepare template data
 	templateData := ConfTemplateData{
 		Title:        envVar + " Configuration",
@@ -744,6 +762,14 @@ func enrollGETHandler(w http.ResponseWriter, r *http.Request) {
 		log.Printf("error unknown environment (%s)", envVar)
 		return
 	}
+	// Get context data
+	ctx := r.Context().Value(contextKey("session")).(contextValue)
+	// Check permissions
+	if !checkPermissions(ctx[ctxUser], false, false, true, envVar) {
+		log.Printf("%s has insuficient permissions", ctx[ctxUser])
+		incMetric(metricAdminErr)
+		return
+	}
 	// Prepare template
 	tempateFiles := NewTemplateFiles(templatesFilesFolder, "enroll.html").filepaths
 	t, err := template.ParseFiles(tempateFiles...)
@@ -773,8 +799,6 @@ func enrollGETHandler(w http.ResponseWriter, r *http.Request) {
 		log.Printf("error getting environment %v", err)
 		return
 	}
-	// Get context data
-	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Prepare template data
 	shellQuickAdd, _ := environments.QuickAddOneLinerShell(env)
 	powershellQuickAdd, _ := environments.QuickAddOneLinerPowershell(env)
@@ -886,7 +910,7 @@ func envsGETHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], false, false, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -939,7 +963,7 @@ func settingsGETHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], false, false, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -1019,7 +1043,7 @@ func usersGETHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], false, false, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return
@@ -1077,6 +1101,38 @@ func usersGETHandler(w http.ResponseWriter, r *http.Request) {
 	incMetric(metricAdminOK)
 }
 
+// Handler for platform/environment stats in JSON
+func permissionsGETHandler(w http.ResponseWriter, r *http.Request) {
+	incMetric(metricAdminReq)
+	utils.DebugHTTPDump(r, settingsmgr.DebugHTTP(settings.ServiceAdmin), false)
+	vars := mux.Vars(r)
+	// Extract username and verify
+	usernameVar, ok := vars["username"]
+	if !ok || !adminUsers.Exists(usernameVar) {
+		if settingsmgr.DebugService(settings.ServiceAdmin) {
+			log.Printf("DebugService: error getting username")
+		}
+		return
+	}
+	// Get context data
+	ctx := r.Context().Value(contextKey("session")).(contextValue)
+	// Check permissions
+	if !checkPermissions(ctx[ctxUser], false, false, false, "") {
+		log.Printf("%s has insuficient permissions", ctx[ctxUser])
+		incMetric(metricAdminErr)
+		return
+	}
+	// Get permissions
+	permissions, err := adminUsers.GetPermissions(usernameVar)
+	if err != nil {
+		incMetric(metricAdminErr)
+		log.Printf("error getting permissions %v", err)
+	}
+	// Serve JSON
+	utils.HTTPResponse(w, utils.JSONApplicationUTF8, http.StatusOK, permissions)
+	incMetric(metricJSONOK)
+}
+
 // Handler for GET requests to download carves
 func carvesDownloadHandler(w http.ResponseWriter, r *http.Request) {
 	incMetric(metricAdminReq)
@@ -1085,7 +1141,7 @@ func carvesDownloadHandler(w http.ResponseWriter, r *http.Request) {
 	// Get context data
 	ctx := r.Context().Value(contextKey("session")).(contextValue)
 	// Check permissions
-	if !checkAdminLevel(ctx[ctxLevel]) {
+	if !checkPermissions(ctx[ctxUser], false, true, false, "") {
 		log.Printf("%s has insuficient permissions", ctx[ctxUser])
 		incMetric(metricAdminErr)
 		return