fleet/server/authz/errors.go

package authz

import (
	"net/http"

	"github.com/fleetdm/fleet/v4/server/fleet"
)

const (
	// ForbiddenErrorMessage is the error message that should be returned to
	// clients when an action is forbidden. It is intentionally vague to prevent
	// disclosing information that a client should not have access to.
	ForbiddenErrorMessage = "forbidden"
)

// Forbidden is the error type for authorization errors
type Forbidden struct {
	internal string
	subject  *fleet.User
	object   interface{}
	action   interface{}

	fleet.ErrorWithUUID
}

// ForbiddenWithInternal creates a new error that will return a simple
// "forbidden" to the client, logging internally the more detailed message
// provided.
func ForbiddenWithInternal(internal string, subject *fleet.User, object, action interface{}) *Forbidden {
	return &Forbidden{
		internal: internal,
		subject:  subject,
		object:   object,
		action:   action,
	}
}

// Error implements the error interface.
func (e *Forbidden) Error() string {
	return ForbiddenErrorMessage
}

// StatusCode implements the go-kit http StatusCoder interface.
func (e *Forbidden) StatusCode() int {
	return http.StatusForbidden
}

// Internal allows the internal error message to be logged.
func (e *Forbidden) Internal() string {
	return e.internal
}

// LogFields allows this error to be logged with subject, object, and action.
func (e *Forbidden) LogFields() []interface{} {
	return []interface{}{
		"subject", e.subject,
		"object", e.object,
		"action", e.action,
	}
}

// CheckMissing is the error to return when no authorization check was performed
// by the service.
type CheckMissing struct {
	response interface{}

	fleet.ErrorWithUUID
}

// CheckMissingWithResponse creates a new error indicating the authorization
// check was missed, and including the response for further analysis by the error
// encoder.
func CheckMissingWithResponse(response interface{}) *CheckMissing {
	return &CheckMissing{response: response}
}

func (e *CheckMissing) Error() string {
	return ForbiddenErrorMessage
}

func (e *CheckMissing) Internal() string {
	return "Missing authorization check"
}

func (e *CheckMissing) Response() interface{} {
	return e.response
}
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`package authz`

Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`import (`
			`"net/http"`

Add v4 suffix in go.mod (#1224) 2021-06-26 04:46:51 +00:00			`"github.com/fleetdm/fleet/v4/server/fleet"`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`)`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`const (`
			`// ForbiddenErrorMessage is the error message that should be returned to`
			`// clients when an action is forbidden. It is intentionally vague to prevent`
			`// disclosing information that a client should not have access to.`
			`ForbiddenErrorMessage = "forbidden"`
			`)`

Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`// Forbidden is the error type for authorization errors`
			`type Forbidden struct {`
			`internal string`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`subject *fleet.User`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`object interface{}`
			`action interface{}`
Add UUID to Fleet errors and clean up error msgs (#10411) #8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ 2023-03-13 16:44:06 +00:00
			`fleet.ErrorWithUUID`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`}`

			`// ForbiddenWithInternal creates a new error that will return a simple`
			`// "forbidden" to the client, logging internally the more detailed message`
			`// provided.`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`func ForbiddenWithInternal(internal string, subject fleet.User, object, action interface{}) Forbidden {`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`return &Forbidden{`
			`internal: internal,`
			`subject: subject,`
			`object: object,`
			`action: action,`
			`}`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`}`

			`// Error implements the error interface.`
			`func (e *Forbidden) Error() string {`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`return ForbiddenErrorMessage`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`}`

Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`// StatusCode implements the go-kit http StatusCoder interface.`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`func (e *Forbidden) StatusCode() int {`
			`return http.StatusForbidden`
			`}`

Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00			`// Internal allows the internal error message to be logged.`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`func (e *Forbidden) Internal() string {`
			`return e.internal`
			`}`
Log subject/object/action with authz failures (#972) 2021-06-05 13:22:13 +00:00
			`// LogFields allows this error to be logged with subject, object, and action.`
			`func (e *Forbidden) LogFields() []interface{} {`
			`return []interface{}{`
			`"subject", e.subject,`
			`"object", e.object,`
			`"action", e.action,`
			`}`
			`}`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00
			`// CheckMissing is the error to return when no authorization check was performed`
			`// by the service.`
			`type CheckMissing struct {`
			`response interface{}`
Add UUID to Fleet errors and clean up error msgs (#10411) #8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ 2023-03-13 16:44:06 +00:00
			`fleet.ErrorWithUUID`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`}`

Improved Datastore usage of osquery hosts requests (#3601) * WIP * Amend tests * Do not load aggregated stats for packs * Add option to host lite * Fix remaining TODOs * Fix osquery_utils tests * Fix SQL * Fix SQL (bis) * Restore AuthenticateHost to load once * Code improvements and re-add deferred host save * More fixes to the PR * Wrap users table update on tx * Add caching to ListPacksForHost and ListScheduledQueriesInPack * Remove SaveHostSoftware (replaced by UpdateHostSoftware) * Add unit tests for new functionality * Add changes file * Fix scheduled queries test 2022-01-18 01:52:09 +00:00			`// CheckMissingWithResponse creates a new error indicating the authorization`
			`// check was missed, and including the response for further analysis by the error`
Clean up service and return license errors (#1097) - Expose license errors instead of permission errors by adding explicit skip authorization. - Remove pre-Teams authorization checks from service. Fixes #964 2021-06-16 17:55:41 +00:00			`// encoder.`
			`func CheckMissingWithResponse(response interface{}) *CheckMissing {`
			`return &CheckMissing{response: response}`
			`}`

			`func (e *CheckMissing) Error() string {`
			`return ForbiddenErrorMessage`
			`}`

			`func (e *CheckMissing) Internal() string {`
			`return "Missing authorization check"`
			`}`

			`func (e *CheckMissing) Response() interface{} {`
			`return e.response`
			`}`