feat(security): check user existence for each protected requests (#1679)

pull/1680/head
Anthony Lapenna 2018-02-28 08:09:51 +01:00 committed by GitHub
parent b8f8df5f48
commit b9a1c68ea0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 2 deletions


@ -12,6 +12,7 @@ type (
// RequestBouncer represents an entity that manages API request accesses // RequestBouncer represents an entity that manages API request accesses
RequestBouncer struct { RequestBouncer struct {
jwtService portainer.JWTService jwtService portainer.JWTService
userService portainer.UserService
teamMembershipService portainer.TeamMembershipService teamMembershipService portainer.TeamMembershipService
authDisabled bool authDisabled bool
} }
@ -27,9 +28,10 @@ type (
) )
// NewRequestBouncer initializes a new RequestBouncer // NewRequestBouncer initializes a new RequestBouncer
func NewRequestBouncer(jwtService portainer.JWTService, teamMembershipService portainer.TeamMembershipService, authDisabled bool) *RequestBouncer { func NewRequestBouncer(jwtService portainer.JWTService, userService portainer.UserService, teamMembershipService portainer.TeamMembershipService, authDisabled bool) *RequestBouncer {
return &RequestBouncer{ return &RequestBouncer{
jwtService: jwtService, jwtService: jwtService,
userService: userService,
teamMembershipService: teamMembershipService, teamMembershipService: teamMembershipService,
authDisabled: authDisabled, authDisabled: authDisabled,
} }
@ -136,6 +138,15 @@ func (bouncer *RequestBouncer) mwCheckAuthentication(next http.Handler) http.Han
httperror.WriteErrorResponse(w, err, http.StatusUnauthorized, nil) httperror.WriteErrorResponse(w, err, http.StatusUnauthorized, nil)
return return
} }
_, err = bouncer.userService.User(tokenData.ID)
if err != nil && err == portainer.ErrUserNotFound {
httperror.WriteErrorResponse(w, portainer.ErrUnauthorized, http.StatusUnauthorized, nil)
return
} else if err != nil {
httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, nil)
return
}
} else { } else {
tokenData = &portainer.TokenData{ tokenData = &portainer.TokenData{
Role: portainer.AdministratorRole, Role: portainer.AdministratorRole,
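Review bot: The user record fetched at `_, err = bouncer.userService.User(tokenData.ID)` is discarded, so the middleware only proves the user still exists while the role used for authorization (`tokenData.Role`, populated from the JWT claims above) is never refreshed from the store; if the value returned by UserService.User carries a role, a user demoted after the token was issued keeps the old role until the token expires — confirm against the User definition. Keeping the result and assigning `tokenData.Role = user.Role` after the two error checks would close that gap at no extra cost, since the store lookup already happens on every authenticated request. The `err != nil &&` in `if err != nil && err == portainer.ErrUserNotFound` is redundant because equality with the sentinel already implies a non-nil error; `if err == portainer.ErrUserNotFound {` reads cleaner. The enclosing mwCheckAuthentication starts and ends outside the hunk, so the point about where tokenData is first populated is inferred from the surrounding lines rather than visible here.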


@ -41,7 +41,7 @@ type Server struct {
// Start starts the HTTP server // Start starts the HTTP server
func (server *Server) Start() error { func (server *Server) Start() error {
requestBouncer := security.NewRequestBouncer(server.JWTService, server.TeamMembershipService, server.AuthDisabled) requestBouncer := security.NewRequestBouncer(server.JWTService, server.UserService, server.TeamMembershipService, server.AuthDisabled)
proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService, server.SettingsService) proxyManager := proxy.NewManager(server.ResourceControlService, server.TeamMembershipService, server.SettingsService)
var fileHandler = handler.NewFileHandler(filepath.Join(server.AssetsPath, "public")) var fileHandler = handler.NewFileHandler(filepath.Join(server.AssetsPath, "public"))