mirre-mt/pcmt
1
0
Fork 0
Code Issues 6 Pull Requests Releases 4 Activity

go: add more logs on unauthorised access
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
* log details about unauthorised access
* return semantically correct 403 (instead of 401) on unauthorised access
* allow read-only admin access to "hibp breach details" endpoint
This commit is contained in:
surtur 2023-09-10 14:12:13 +02:00
parent 67165c82cc
commit 882b7dfd28
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
6 changed files with 52 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
handlers/handlers.go
View File

@ -10,6 +10,8 @@ import (
"github.com/labstack/echo/v4" "github.com/labstack/echo/v4"
) )
const unauthorisedAccess = "Unauthorised access detected"
func Index() echo.HandlerFunc { func Index() echo.HandlerFunc {
return func(c echo.Context) error { return func(c echo.Context) error {
defer addHeaders(c) defer addHeaders(c)

27
handlers/manage-apikeys.go
View File

@ -13,15 +13,32 @@ func ManageAPIKeys() echo.HandlerFunc {
return func(c echo.Context) error { return func(c echo.Context) error {
addHeaders(c) addHeaders(c)
u := c.Get("sessUsr") u, ok := c.Get("sessUsr").(moduser.User)
if !ok {
return renderErrorPage(
c,
http.StatusUnauthorized,
http.StatusText(http.StatusUnauthorized),
"username was nil",
)
}
if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint", "endpoint", "/manage/api-keys", "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
c, status, msg+": You should not be here", "Restricted endpoint",
)
}
p := newPage() p := newPage()
p.Title = "Manage API Keys" p.Title = "Manage API Keys"
p.Current = "api-keys" p.Current = "api-keys"
p.User = u
if _, ok := u.(moduser.User); ok {
p.User = u.(moduser.User)
}
if setting.APIKeyHIBP() != "" { if setting.APIKeyHIBP() != "" {
p.Data["hibpApiKey"] = setting.APIKeyHIBP() p.Data["hibpApiKey"] = setting.APIKeyHIBP()

28
handlers/manage-user.go
View File

@ -46,9 +46,9 @@ func ManageUsers() echo.HandlerFunc {
} }
if !u.IsAdmin { if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint") log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -177,9 +177,9 @@ func CreateUser() echo.HandlerFunc { //nolint:gocognit
} }
if !u.IsAdmin { if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint") log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -283,9 +283,9 @@ func ViewUser() echo.HandlerFunc {
} }
if !u.IsAdmin { if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint") log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -420,9 +420,9 @@ func EditUser() echo.HandlerFunc {
} }
if !u.IsAdmin { if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint") log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -522,9 +522,9 @@ func UpdateUser() echo.HandlerFunc { //nolint:gocognit
} }
if !u.IsAdmin { if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint") log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -756,7 +756,9 @@ func DeleteUserConfirmation() echo.HandlerFunc {
"username was nil", "username was nil",
) )
} else if !u.IsAdmin { } else if !u.IsAdmin {
status := http.StatusUnauthorized log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -855,7 +857,9 @@ func DeleteUser() echo.HandlerFunc {
"username was nil", "username was nil",
) )
} else if !u.IsAdmin { } else if !u.IsAdmin {
status := http.StatusUnauthorized log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(

8
handlers/search-hibp.go
View File

@ -23,7 +23,9 @@ func GetSearchHIBP() echo.HandlerFunc {
if !ok { if !ok {
c.Logger().Warnf("Error getting user from session cookie") c.Logger().Warnf("Error getting user from session cookie")
} else if u.IsAdmin { } else if u.IsAdmin {
status := http.StatusUnauthorized log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -102,7 +104,9 @@ func SearchHIBP() echo.HandlerFunc {
// ) // )
c.Logger().Warnf("Error getting user from session cookie") c.Logger().Warnf("Error getting user from session cookie")
} else if u.IsAdmin { } else if u.IsAdmin {
status := http.StatusUnauthorized log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(

8
handlers/user-init-password-change.go
View File

@ -26,7 +26,9 @@ func InitialPasswordChangePost() echo.HandlerFunc {
"Username was nil", "Username was nil",
) )
} else if u.IsAdmin { } else if u.IsAdmin {
status := http.StatusUnauthorized log.Warn("this is a restricted endpoint", "endpoint", "/user/initial-password-change", "user", u.Username, "isAdmin", u.IsAdmin, "route name", c.Path())
status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(
@ -145,7 +147,9 @@ func InitialPasswordChange() echo.HandlerFunc {
"Username was nil", "Username was nil",
) )
} else if u.IsAdmin { } else if u.IsAdmin {
status := http.StatusUnauthorized log.Warn("this is a restricted endpoint", "endpoint", "/user/initial-password-change", "user", u.Username, "isAdmin", u.IsAdmin, "route name", c.Path())
status := http.StatusForbidden
msg := http.StatusText(status) msg := http.StatusText(status)
return renderErrorPage( return renderErrorPage(

7
handlers/view-hibp.go
View File

@ -19,13 +19,6 @@ func ViewHIBP() echo.HandlerFunc {
u, ok := c.Get("sessUsr").(moduser.User) u, ok := c.Get("sessUsr").(moduser.User)
if !ok { if !ok {
c.Logger().Warnf("Error getting user from session cookie") c.Logger().Warnf("Error getting user from session cookie")
} else if u.IsAdmin {
status := http.StatusUnauthorized
msg := http.StatusText(status)
return renderErrorPage(
c, status, msg+": You should not be here", "This endpoint is for users only",
)
} }
h := new(hibpBreachDetail) h := new(hibpBreachDetail)