From 9e6d5884c2ae84714011a1c7d585e8eb7b6e6a99 Mon Sep 17 00:00:00 2001 From: Denis Arh Date: Mon, 2 Aug 2021 16:11:00 +0200 Subject: [PATCH] Fix RBAC resource checks --- automation/service/access_control.gen.go | 19 +-- compose/service/access_control.gen.go | 117 ++++++------------ federation/service/access_control.gen.go | 57 +++------ .../gocode/rbac/access_control.go.tpl | 19 +-- system/service/access_control.gen.go | 98 +++++---------- 5 files changed, 99 insertions(+), 211 deletions(-) diff --git a/automation/service/access_control.gen.go b/automation/service/access_control.gen.go index 126b265155..f71c7a3e56 100644 --- a/automation/service/access_control.gen.go +++ b/automation/service/access_control.gen.go @@ -325,8 +325,6 @@ func rbacWorkflowResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.WorkflowResourceType):], sep), sep) prc = []string{ "ID", @@ -337,22 +335,17 @@ func rbacWorkflowResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Workflow", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } diff --git a/compose/service/access_control.gen.go b/compose/service/access_control.gen.go index 572bbebd80..1ffb02284d 100644 --- a/compose/service/access_control.gen.go +++ b/compose/service/access_control.gen.go 
@@ -18,11 +18,12 @@ package service import ( "context" "fmt" + "strings" + "github.com/cortezaproject/corteza-server/compose/types" "github.com/cortezaproject/corteza-server/pkg/actionlog" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/spf13/cast" - "strings" ) type ( @@ -602,8 +603,6 @@ func rbacChartResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.ChartResourceType):], sep), sep) prc = []string{ "namespaceID", @@ -615,22 +614,17 @@ func rbacChartResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Chart", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -654,8 +648,6 @@ func rbacModuleFieldResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.ModuleFieldResourceType):], sep), sep) prc = []string{ "namespaceID", 
@@ -668,22 +660,17 @@ func rbacModuleFieldResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for ModuleField", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -707,8 +694,6 @@ func rbacModuleResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.ModuleResourceType):], sep), sep) prc = []string{ "namespaceID", @@ -720,22 +705,17 @@ func rbacModuleResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Module", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -759,8 +739,6 @@ func rbacNamespaceResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.NamespaceResourceType):], sep), sep) prc = []string{ "ID", 
@@ -771,22 +749,17 @@ func rbacNamespaceResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Namespace", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -810,8 +783,6 @@ func rbacPageResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.PageResourceType):], sep), sep) prc = []string{ "namespaceID", @@ -823,22 +794,17 @@ func rbacPageResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Page", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -862,8 +828,6 @@ func rbacRecordResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.RecordResourceType):], sep), sep) prc = []string{ "namespaceID", 
@@ -876,22 +840,17 @@ func rbacRecordResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Record", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } diff --git a/federation/service/access_control.gen.go b/federation/service/access_control.gen.go index 430e8718ee..b72a2c50ed 100644 --- a/federation/service/access_control.gen.go +++ b/federation/service/access_control.gen.go @@ -311,8 +311,6 @@ func rbacExposedModuleResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.ExposedModuleResourceType):], sep), sep) prc = []string{ "nodeID", @@ -324,22 +322,17 @@ func rbacExposedModuleResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for ExposedModule", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } 
@@ -363,8 +356,6 @@ func rbacNodeResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.NodeResourceType):], sep), sep) prc = []string{ "ID", @@ -375,22 +366,17 @@ func rbacNodeResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Node", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -414,8 +400,6 @@ func rbacSharedModuleResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.SharedModuleResourceType):], sep), sep) prc = []string{ "nodeID", @@ -427,22 +411,17 @@ func rbacSharedModuleResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for SharedModule", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } 
diff --git a/pkg/codegen-v3/assets/templates/gocode/rbac/access_control.go.tpl b/pkg/codegen-v3/assets/templates/gocode/rbac/access_control.go.tpl index b56448089b..509a782f00 100644 --- a/pkg/codegen-v3/assets/templates/gocode/rbac/access_control.go.tpl +++ b/pkg/codegen-v3/assets/templates/gocode/rbac/access_control.go.tpl @@ -219,8 +219,6 @@ func rbac{{ .Resource }}ResourceValidator(r string, oo ...string) error { {{ if .RBAC.Resource.References }} const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len({{ $GoType }}ResourceType):], sep), sep) prc = []string{ {{- range .RBAC.Resource.References }} @@ -233,23 +231,18 @@ func rbac{{ .Resource }}ResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for {{ .Resource }}", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } {{- end }} - return nil } {{- end }} diff --git a/system/service/access_control.gen.go b/system/service/access_control.gen.go index d64771deb4..983d3ca3af 100644 --- a/system/service/access_control.gen.go +++ b/system/service/access_control.gen.go @@ -17,12 +17,11 @@ package service import ( "context" "fmt" - "strings" - "github.com/cortezaproject/corteza-server/pkg/actionlog" "github.com/cortezaproject/corteza-server/pkg/rbac" "github.com/cortezaproject/corteza-server/system/types" "github.com/spf13/cast" + "strings" ) type ( 
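Review bot: The reference check carried into the rewritten loop, `cast.ToUint64E(pp[i])`, is looser than an RBAC resource validator should be. As far as I know, cast parses strings with base auto-detection, so a component written as (constructed examples) `0x2A` or `052` would pass as a valid ID even though it is not the canonical decimal form that rules are presumably matched on. Consider `if _, err := strconv.ParseUint(pp[i], 10, 64); err != nil {` instead, which needs `strconv` added to the template's import list outside this hunk. Because this template generates every per-resource validator touched by the commit (Workflow, Chart, Module, Record, Node, User and the rest), the same applies to all the `.gen.go` hunks. The commit also inverts the wildcard rule without adding a test, so a small table-driven test asserting that `*/*` and `<id>/*` pass while `*/<id>` fails would pin the ordering. The function's prefix slicing and length check lie outside this hunk, so this note is based on the loop alone.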
@@ -740,8 +739,6 @@ func rbacApplicationResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.ApplicationResourceType):], sep), sep) prc = []string{ "ID", @@ -752,22 +749,17 @@ func rbacApplicationResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Application", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -791,8 +783,6 @@ func rbacAuthClientResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.AuthClientResourceType):], sep), sep) prc = []string{ "ID", @@ -803,22 +793,17 @@ func rbacAuthClientResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for AuthClient", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } 
@@ -842,8 +827,6 @@ func rbacRoleResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.RoleResourceType):], sep), sep) prc = []string{ "ID", @@ -854,22 +837,17 @@ func rbacRoleResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Role", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } @@ -893,8 +871,6 @@ func rbacTemplateResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.TemplateResourceType):], sep), sep) prc = []string{ "ID", @@ -905,22 +881,17 @@ func rbacTemplateResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for Template", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil } 
@@ -944,8 +915,6 @@ func rbacUserResourceValidator(r string, oo ...string) error { const sep = "/" var ( - specIdUsed = true - pp = strings.Split(strings.Trim(r[len(types.UserResourceType):], sep), sep) prc = []string{ "ID", @@ -956,22 +925,17 @@ func rbacUserResourceValidator(r string, oo ...string) error { return fmt.Errorf("invalid resource path structure") } - for i, p := range pp { - if p == "*" { - if !specIdUsed { + for i := 0; i < len(pp); i++ { + if pp[i] != "*" { + if i > 0 && pp[i-1] == "*" { return fmt.Errorf("invalid resource path wildcard level (%d) for User", i) } - specIdUsed = false - continue - } - - specIdUsed = true - if _, err := cast.ToUint64E(p); err != nil { - return fmt.Errorf("invalid reference for %s: '%s'", prc[i], p) + if _, err := cast.ToUint64E(pp[i]); err != nil { + return fmt.Errorf("invalid reference for %s: '%s'", prc[i], pp[i]) + } } } - return nil }