fix: validating index search permission in discover api (#37)

* fix: validating index search permission in discover api

* fix: wrong error messages for validating index permission
This commit is contained in:
silenceqi 2024-12-16 11:48:14 +08:00 committed by GitHub
parent bafef0e65e
commit 318ba82eed
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 26 additions and 2 deletions


@ -153,7 +153,10 @@ func ValidateIndex(req IndexRequest, userRole RolePermission) (err error) {
}
}
if _, ok := userRole.ElasticPrivilege.Index[req.Cluster]; !ok {
return fmt.Errorf("no permission of cluster [%s]", req.Cluster)
if !hasAllCluster {
return fmt.Errorf("no permission of cluster [%s]", req.Cluster)
}
return fmt.Errorf("no index permission %s of cluster [%s]", req.Privilege, req.Cluster)
}
allowed = validateIndexPermission(req.Index, apiPrivileges, userRole.ElasticPrivilege.Index[req.Cluster])
if allowed {
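Review bot: When `hasAllCluster` is true but `ElasticPrivilege.Index` has no entry for `req.Cluster`, the new branch still denies the request, so an all-cluster grant never substitutes for an explicit per-cluster index entry; if that is the intended model it deserves a comment such as `// an all-cluster grant covers cluster-level APIs only; index privileges must be listed per cluster`, and if it is not, the branch should fall through to `validateIndexPermission` rather than return. The message on the second return formats `req.Privilege`, a `[]string`, with `%s`, which yields `[indices.search]`; `strings.Join(req.Privilege, ",")` would read more naturally in the 403 body the handler sends back. `hasAllCluster` is computed before the hunk and ValidateIndex continues past it.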


@ -28,6 +28,7 @@ import (
"fmt"
"github.com/buger/jsonparser"
log "github.com/cihub/seelog"
"infini.sh/console/core/security"
httprouter "infini.sh/framework/core/api/router"
"infini.sh/framework/core/elastic"
"infini.sh/framework/core/orm"
@ -65,6 +66,26 @@ func (h *APIHandler) HandleEseSearchAction(w http.ResponseWriter, req *http.Requ
h.WriteError(w, err.Error(), http.StatusInternalServerError)
return
}
//validate index search api permission
reqUser, err := security.FromUserContext(req.Context())
if err != nil {
log.Error(err)
h.WriteError(w, err.Error(), http.StatusInternalServerError)
return
}
newRole := security.CombineUserRoles(reqUser.Roles)
indexReq := security.IndexRequest{
Cluster: targetClusterID,
Index: reqParams.Index,
Privilege: []string{"indices.search"},
}
err = security.ValidateIndex(indexReq, newRole)
if err != nil {
log.Error(err)
h.WriteError(w, err.Error(), http.StatusForbidden)
return
}
ver := client.GetVersion()
if _, ok := reqParams.Body["track_total_hits"]; ok {
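Review bot: A failure from `security.FromUserContext` is answered with 500 and the raw `err.Error()` in the response body; if `RequireLogin` on the route guarantees a user in the context this is an internal invariant and 500 is defensible, but otherwise it is a request-side auth failure and a fixed message with `http.StatusUnauthorized` (the internal error kept in the log only) would be the conventional response. Logging every denied search at `log.Error` on the 403 path will be noisy for a routine authorization outcome; a lower level, or including the user and cluster in a structured field, would make the audit trail more useful. Worth confirming that the search executed after this block targets exactly `reqParams.Index` — if the body can name an index list or pattern, `validateIndexPermission` (not in view) must accept the same set or the check and the query diverge. HandleEseSearchAction starts before this hunk and continues after it.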


@ -74,7 +74,7 @@ func init() {
api.HandleAPIMethod(api.GET, "/elasticsearch/:id/saved_objects/view/:view_id", clusterAPI.RequireClusterPermission(clusterAPI.HandleGetViewAction))
api.HandleAPIMethod(api.POST, "/elasticsearch/:id/view/:view_id/_set_default_layout", clusterAPI.RequireClusterPermission(clusterAPI.SetDefaultLayout))
api.HandleAPIMethod(api.POST, "/elasticsearch/:id/search/ese", clusterAPI.RequireClusterPermission(clusterAPI.HandleEseSearchAction))
api.HandleAPIMethod(api.POST, "/elasticsearch/:id/search/ese", clusterAPI.RequireLogin(clusterAPI.HandleEseSearchAction))
api.HandleAPIMethod(api.GET, "/elasticsearch/:id/search/trace_id", clusterAPI.HandleTraceIDSearchAction)
api.HandleAPIMethod(api.POST, "/elasticsearch/:id/suggestions/values/:index", clusterAPI.RequireClusterPermission(clusterAPI.HandleValueSuggestionAction))
api.HandleAPIMethod(api.POST, "/elasticsearch/:id/setting", clusterAPI.RequireClusterPermission(clusterAPI.HandleSettingAction))
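Review bot: Replacing `RequireClusterPermission` with `RequireLogin` on `/elasticsearch/:id/search/ese` moves the cluster-level check out of the middleware and into the handler's `security.ValidateIndex` call, which rejects clusters absent from `ElasticPrivilege.Index`; any work the handler does before that call (the error path just above the new block in the handler suggests client lookup or body parsing) now runs for every logged-in user regardless of cluster rights. A route-level comment, `// cluster and index permission are validated inside the handler via security.ValidateIndex`, would record why this route alone no longer uses the cluster middleware. init() continues outside the hunk.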