customRoleEscalationCheck checks to make sure the caller has every permission they are adding to a custom role. This prevents permission escalation.
(ctx context.Context, actor rbac.Subject, perm rbac.Permission, object rbac.Object)
| 1401 | // customRoleEscalationCheck checks to make sure the caller has every permission they are adding |
| 1402 | // to a custom role. This prevents permission escalation. |
| 1403 | func (q *querier) customRoleEscalationCheck(ctx context.Context, actor rbac.Subject, perm rbac.Permission, object rbac.Object) error { |
| 1404 | if perm.Negate { |
| 1405 | // Users do not need negative permissions. We can include it later if required. |
| 1406 | return xerrors.Errorf("invalid permission for action=%q type=%q, no negative permissions", perm.Action, perm.ResourceType) |
| 1407 | } |
| 1408 | |
| 1409 | if perm.Action == policy.WildcardSymbol || perm.ResourceType == policy.WildcardSymbol { |
| 1410 | // It is possible to check for supersets with wildcards, but wildcards can also |
| 1411 | // include resources and actions that do not exist today. Custom roles should only be allowed |
| 1412 | // to include permissions for existing resources. |
| 1413 | return xerrors.Errorf("invalid permission for action=%q type=%q, no wildcard symbols", perm.Action, perm.ResourceType) |
| 1414 | } |
| 1415 | |
| 1416 | object.Type = perm.ResourceType |
| 1417 | if err := q.auth.Authorize(ctx, actor, perm.Action, object); err != nil { |
| 1418 | // This is a forbidden error, but we can provide more context. Since the user can create a role, just not |
| 1419 | // with this perm. |
| 1420 | return xerrors.Errorf("invalid permission for action=%q type=%q, not allowed to grant this permission", perm.Action, perm.ResourceType) |
| 1421 | } |
| 1422 | |
| 1423 | return nil |
| 1424 | } |
| 1425 | |
| 1426 | // customRoleCheck will validate a custom role for inserting or updating. |
| 1427 | // If the role is not valid, an error will be returned. |
no test coverage detected