From c8b14a64efe225c297eb4e5a395f41ab63458b97 Mon Sep 17 00:00:00 2001 From: Stanimir Penkov Date: Thu, 7 Feb 2019 17:13:56 +0200 Subject: [PATCH] NY-6923: Fix: Missing check for state: permission denied when getting account by login option - check added; - removed outdated comments; Signed-off-by: Stanimir Penkov --- .../account/permissions/PermissionsValidator.java | 15 +++++++-------- .../account/services/AccountServiceImpl.java | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java b/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java index 44edf68..e24cd67 100644 --- a/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java +++ b/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java @@ -20,10 +20,6 @@ public class PermissionsValidator { public boolean isRpcAllowed(String accountId) { - // WARNING: THe line bellow is to be removed and code following uncommented - // when Istio starts sending an access token with each and every request - // return true; - DecodedJWT decodedToken = retrieveDecodedToken(); String requestingAccountId = new String(Base64.getDecoder().decode(decodedToken.getSubject())); @@ -33,6 +29,13 @@ public class PermissionsValidator { return isAuthorizedRequestingRole(decodedToken); } + public boolean isRpcAllowedForCurrentRole() { + + DecodedJWT decodedToken = retrieveDecodedToken(); + + return isAuthorizedRequestingRole(decodedToken); + } + private DecodedJWT retrieveDecodedToken() { String accessToken = (String) PermissionsInterceptor.ACCESS_TOKEN_CTX.get(); // This check is for isAdminToken method 
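Review bot: The new `isRpcAllowedForCurrentRole()` has no Javadoc, and unlike `isRpcAllowed(String accountId)` it checks only the caller's role, never ownership of a target account, so using it where an account id is available would quietly weaken the authorization check. I would document that contract on the method, for example `/** Role-only check for requests that have no target account; use isRpcAllowed(String) whenever an account id is known. */`. The method also relies on `retrieveDecodedToken()`, whose body continues outside this hunk. If that helper can return null for a missing token (its trailing comment hints at a special case, but the hunk does not show it), please confirm that this method denies the request rather than throwing.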
@@ -45,10 +48,6 @@ public class PermissionsValidator { public boolean isRpcAllowed(List existingAccountsForProfile) { - // WARNING: The line bellow is to be removed and code following uncommented - // when Istio starts sending an access token with each and every request - // return true; - String accessToken = (String) PermissionsInterceptor.ACCESS_TOKEN_CTX.get(); DecodedJWT decodedToken = JWT.decode(accessToken); String requestingAccountId = new String(Base64.getDecoder().decode(decodedToken.getSubject())); diff --git a/src/main/java/biz/nynja/account/services/AccountServiceImpl.java b/src/main/java/biz/nynja/account/services/AccountServiceImpl.java index 4c2f0d2..4175987 100644 --- a/src/main/java/biz/nynja/account/services/AccountServiceImpl.java +++ b/src/main/java/biz/nynja/account/services/AccountServiceImpl.java 
@@ -1177,11 +1177,26 @@ public class AccountServiceImpl extends AccountServiceGrpc.AccountServiceImplBas Optional account = accountProvider.getAccountResponseByLoginOption( request.getAuthenticationType(), request.getAuthenticationIdentifier()); if (!account.isPresent()) { + // If account is not found the method isRpcAllowedForCurrentRole() is used to check the current role and + // if it is "USER" to return "ERROR_PERMISSION_DENIED" + if (!permissionsValidator.isRpcAllowedForCurrentRole()) { + logAndBuildGrpcAccountResponse(responseObserver, AccountResponse.newBuilder(), + "Account info can not be obtained for this account.", "", Cause.ERROR_PERMISSION_DENIED, + "Permission denied"); + return; + } logAndBuildGrpcAccountResponse(responseObserver, AccountResponse.newBuilder(), "Account not found for login option: " + request.getAuthenticationIdentifier() + ":" + request.getAuthenticationIdentifier(), "", Cause.ACCOUNT_NOT_FOUND, "Account not found"); } else { + + if (!permissionsValidator.isRpcAllowed(account.get().getAccountDetails().getAccountId())) { + logAndBuildGrpcAccountResponse(responseObserver, AccountResponse.newBuilder(), + "Account info can not be obtained for this account.", "", Cause.ERROR_PERMISSION_DENIED, + "Permission denied"); + return; + } AccountResponse response = account.get(); logger.info("SUCCESS: Found account by login option {}. Account Id={}.", request.getAuthenticationIdentifier(), response.getAccountDetails().getAccountId()); -- GitLab
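Review bot: The permission-denied response is written out twice, once in the not-found branch and once in the found branch, and the two copies have to stay identical. If they drift, a caller without an authorized role could tell from the reply whether a login option is registered. Making the decision once before `if (!account.isPresent())` removes that risk: `boolean allowed = account.isPresent() ? permissionsValidator.isRpcAllowed(account.get().getAccountDetails().getAccountId()) : permissionsValidator.isRpcAllowedForCurrentRole();`, followed by a single `if (!allowed) { … return; }` block holding the existing denied response. If hiding account existence is the intent, the added comment could say so, e.g. `// Deny before reporting ACCOUNT_NOT_FOUND so an unprivileged caller cannot probe which login options exist`. The method starts and ends outside this hunk, so I cannot tell whether the explicit `return` in the denied paths is consistent with the existing not-found path, which has none.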