From ee5bac3418986734b1c8c06b2bc5a098dad3cccc Mon Sep 17 00:00:00 2001
From: Dharan Aditya
Date: Tue, 9 Jul 2024 16:48:14 +0530
Subject: [PATCH 1/6] keep admin session active
---
 server/src/rbac.rs | 6 +++++-
 server/src/rbac/map.rs | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/server/src/rbac.rs b/server/src/rbac.rs
index bfd1be817..749ca07c1 100644
--- a/server/src/rbac.rs
+++ b/server/src/rbac.rs
@@ -105,7 +105,11 @@ impl Users {
 }
 pub fn remove_session(&self, session: &SessionKey) -> Option {
- mut_sessions().remove_session(session)
+ if !session.is_admin() {
+ mut_sessions().remove_session(session)
+ } else {
+ None
+ }
 }
 pub fn new_session(&self, user: &User, session: SessionKey) {
diff --git a/server/src/rbac/map.rs b/server/src/rbac/map.rs
index b5b92e5a7..92821bd91 100644
--- a/server/src/rbac/map.rs
+++ b/server/src/rbac/map.rs
@@ -132,6 +132,15 @@ pub enum SessionKey {
 SessionId(ulid::Ulid),
 }
+impl SessionKey {
+ pub fn is_admin(&self) -> bool {
+ if let SessionKey::BasicAuth{username, password} = self {
+ return username.eq(&CONFIG.parseable.username) && password.eq(&CONFIG.parseable.password)
+ }
+ return false
+ }
+}
+
 #[derive(Debug, Default)]
 pub struct Sessions {
 // map session key to user and their permission
From fa725784e181b78b26a5d0b6a1d57c067be71b3a Mon Sep 17 00:00:00 2001
From: Dharan Aditya
Date: Tue, 9 Jul 2024 17:26:09 +0530
Subject: [PATCH 2/6] override permission if session belongs to admin
---
 server/src/handlers/airplane.rs | 9 ++++++++-
 server/src/rbac.rs | 6 +-----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/server/src/handlers/airplane.rs b/server/src/handlers/airplane.rs
index 08401265a..91d708fb5 100644
--- a/server/src/handlers/airplane.rs
+++ b/server/src/handlers/airplane.rs
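Review bot: In the `remove_session` hunk of server/src/rbac.rs, the new `else` branch returns `None` without touching the session map, so a caller cannot tell "no such session" from "removal refused", and a key that matches the configured admin credentials can no longer be revoked through this method. If logout or expiry handling relies on `remove_session` (the callers are outside this hunk), that becomes a silent no-op for the most privileged account. `is_admin()` matches only `SessionKey::BasicAuth`, so the exception does not cover a `SessionId` session of the same user, which makes the rule hard to reason about. If the exception stays, state it on the method, for example `/// Sessions keyed by the configured admin credentials are never removed; None is returned for them.`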
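Review bot: `is_admin` in server/src/rbac/map.rs compares the presented username and password with `CONFIG.parseable` in plaintext using ordinary, short-circuiting equality, and the `is_admin_session` rewrite in PATCH 3/6 does the same. This is a second credential check that lives outside the user and role map, and its running time depends on how much of the input matches; a constant-time comparison, or reuse of the path that already verifies Basic credentials, would be the safer choice. The method also needs a doc comment that says exactly what it tests, e.g. `/// True only for a BasicAuth key equal to the configured root username and password; role membership is not consulted.` As a style point, `return false` as the last statement would normally be the bare expression `false`.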
@@ -60,6 +60,8 @@ use tonic::{Request, Response, Status, Streaming};
 use crate::handlers::livetail::extract_session_key;
 use crate::metadata::STREAM_INFO;
+use crate::rbac::role::model::DefaultPrivilege;
+use crate::rbac::role::RoleBuilder;
 use crate::rbac::Users;
 use super::http::query::get_results_from_cache;
@@ -231,7 +233,12 @@ impl FlightService for AirServiceImpl {
 } else {
 None
 };
- let permissions = Users.get_permissions(&key);
+
+ let permissions = if key.is_admin() {
+ RoleBuilder::from(&DefaultPrivilege::Admin).build()
+ } else {
+ Users.get_permissions(&key)
+ };
 authorize_and_set_filter_tags(&mut query, permissions, &stream_name).map_err(|_| {
 Status::permission_denied("User Does not have permission to access this")
diff --git a/server/src/rbac.rs b/server/src/rbac.rs
index 749ca07c1..bfd1be817 100644
--- a/server/src/rbac.rs
+++ b/server/src/rbac.rs
@@ -105,11 +105,7 @@ impl Users {
 }
 pub fn remove_session(&self, session: &SessionKey) -> Option {
- if !session.is_admin() {
- mut_sessions().remove_session(session)
- } else {
- None
- }
+ mut_sessions().remove_session(session)
 }
 pub fn new_session(&self, user: &User, session: SessionKey) {
From c7897d2f9a764f369e50096bcf9128b596010a86 Mon Sep 17 00:00:00 2001
From: Dharan Aditya
Date: Tue, 9 Jul 2024 17:39:38 +0530
Subject: [PATCH 3/6] documentation
---
 server/src/handlers/airplane.rs | 4 +++-
 server/src/rbac/map.rs | 9 ++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/server/src/handlers/airplane.rs b/server/src/handlers/airplane.rs
index 91d708fb5..91dc76757 100644
--- a/server/src/handlers/airplane.rs
+++ b/server/src/handlers/airplane.rs
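Review bot: The `key.is_admin()` branch in the second airplane.rs hunk (`@@ -231,7 +233,12 @@`) builds a full `DefaultPrivilege::Admin` role inside the Flight handler from a credential match alone, so for this endpoint the permission set no longer comes from `Users`; PATCH 3/6 keeps the same shape under the name `is_admin_session`. Whatever the RBAC layer does when it resolves a key is skipped on this path, and other handlers will not share the behaviour. I would keep the decision in one place by letting `Users` resolve the key for every caller, leaving the handler with just `let permissions = Users.get_permissions(&key);`. The enclosing function starts and ends outside the hunk.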
@@ -234,7 +234,9 @@ impl FlightService for AirServiceImpl {
 None
 };
- let permissions = if key.is_admin() {
+ // Override permissions if the session belongs to the admin.
+ // Fixes: https://github.com/parseablehq/parseable/issues/822
+ let permissions = if key.is_admin_session() {
 RoleBuilder::from(&DefaultPrivilege::Admin).build()
 } else {
 Users.get_permissions(&key)
diff --git a/server/src/rbac/map.rs b/server/src/rbac/map.rs
index 92821bd91..6abe9e5f4 100644
--- a/server/src/rbac/map.rs
+++ b/server/src/rbac/map.rs
@@ -133,11 +133,10 @@ pub enum SessionKey {
 }
 impl SessionKey {
- pub fn is_admin(&self) -> bool {
- if let SessionKey::BasicAuth{username, password} = self {
- return username.eq(&CONFIG.parseable.username) && password.eq(&CONFIG.parseable.password)
- }
- return false
+ /// Checks if the session key belongs to an admin user.
+ pub fn is_admin_session(&self) -> bool {
+ matches!(self, SessionKey::BasicAuth { username, password }
+ if username == &CONFIG.parseable.username && password == &CONFIG.parseable.password)
 }
 }
From 8a96251ea0b6d933da638d1c040853a8731fa8fd Mon Sep 17 00:00:00 2001
From: Dharan Aditya
Date: Wed, 10 Jul 2024 22:56:46 +0530
Subject: [PATCH 4/6] fix
---
 server/src/handlers/airplane.rs | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/server/src/handlers/airplane.rs b/server/src/handlers/airplane.rs
index 91dc76757..f9498076b 100644
--- a/server/src/handlers/airplane.rs
+++ b/server/src/handlers/airplane.rs
@@ -60,6 +60,7 @@ use tonic::{Request, Response, Status, Streaming};
 use crate::handlers::livetail::extract_session_key;
 use crate::metadata::STREAM_INFO;
+use crate::rbac;
 use crate::rbac::role::model::DefaultPrivilege;
 use crate::rbac::role::RoleBuilder;
 use crate::rbac::Users;
@@ -234,13 +235,20 @@ impl FlightService for AirServiceImpl {
 None
 };
- // Override permissions if the session belongs to the admin.
- // Fixes: https://github.com/parseablehq/parseable/issues/822
- let permissions = if key.is_admin_session() {
- RoleBuilder::from(&DefaultPrivilege::Admin).build()
- } else {
- Users.get_permissions(&key)
- };
+ // try authorize
+ match Users.authorize(key.clone(), rbac::role::Action::Query, None, None) {
+ rbac::Response::Authorized => (),
+ rbac::Response::UnAuthorized => {
+ return Err(Status::permission_denied(
+ "user is not authenticated to access this resource",
+ ))
+ }
+ rbac::Response::ReloadRequired => {
+ return Err(Status::unauthenticated("reload required"))
+ }
+ }
+
+ let permissions = Users.get_permissions(&key);
 authorize_and_set_filter_tags(&mut query, permissions, &stream_name).map_err(|_| {
 Status::permission_denied("User Does not have permission to access this")
From db6ea92e3629ae8d7362c9ea269e0c0ac6695636 Mon Sep 17 00:00:00 2001
From: Dharan Aditya
Date: Wed, 10 Jul 2024 22:58:04 +0530
Subject: [PATCH 5/6] remove unused code
---
 server/src/rbac/map.rs | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/server/src/rbac/map.rs b/server/src/rbac/map.rs
index 6abe9e5f4..b5b92e5a7 100644
--- a/server/src/rbac/map.rs
+++ b/server/src/rbac/map.rs
@@ -132,14 +132,6 @@ pub enum SessionKey {
 SessionId(ulid::Ulid),
 }
-impl SessionKey {
- /// Checks if the session key belongs to an admin user.
- pub fn is_admin_session(&self) -> bool {
- matches!(self, SessionKey::BasicAuth { username, password }
- if username == &CONFIG.parseable.username && password == &CONFIG.parseable.password)
- }
-}
-
 #[derive(Debug, Default)]
 pub struct Sessions {
 // map session key to user and their permission
From cd802cc6b8db72220e43d37965205206f7615c29 Mon Sep 17 00:00:00 2001
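Review bot: The added `Users.authorize(key.clone(), rbac::role::Action::Query, None, None)` in the airplane.rs hunk passes `None` for both trailing arguments, so this step checks the `Query` action without naming the stream, and per-stream enforcement rests on `authorize_and_set_filter_tags` just below. If the third parameter is the stream context (the signature is not visible here), pass the stream there, along the lines of `Users.authorize(key.clone(), rbac::role::Action::Query, Some(&stream_name), None)` adjusted to the parameter type. The check also runs after the code that produced `} else { None };`; if anything earlier in the function can return results (the file imports `get_results_from_cache`), the authorization should move above it. The `UnAuthorized` arm returns `permission_denied` while its message says "not authenticated", and `// try authorize` would be more useful as `// Reject the request unless the key is allowed to run queries.` The enclosing function starts and ends outside the hunk.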
From: Dharan Aditya
Date: Wed, 10 Jul 2024 23:07:48 +0530
Subject: [PATCH 6/6] clippy & fmt
---
 server/src/handlers/airplane.rs | 2 --
 1 file changed, 2 deletions(-)
diff --git a/server/src/handlers/airplane.rs b/server/src/handlers/airplane.rs
index f9498076b..c803ba194 100644
--- a/server/src/handlers/airplane.rs
+++ b/server/src/handlers/airplane.rs
@@ -61,8 +61,6 @@ use tonic::{Request, Response, Status, Streaming};
 use crate::handlers::livetail::extract_session_key;
 use crate::metadata::STREAM_INFO;
 use crate::rbac;
-use crate::rbac::role::model::DefaultPrivilege;
-use crate::rbac::role::RoleBuilder;
 use crate::rbac::Users;
 use super::http::query::get_results_from_cache;