go: add more logs on unauthorised access
All checks were successful
continuous-integration/drone/push Build is passing

* log details about unauthorised access
* return semantically correct 403 (instead of 401) on unauthorised access
* allow read-only admin access to "hibp breach details" endpoint
This commit is contained in:
surtur 2023-09-10 14:12:13 +02:00
parent 67165c82cc
commit 882b7dfd28
Signed by: wanderer
SSH Key Fingerprint: SHA256:MdCZyJ2sHLltrLBp0xQO0O1qTW9BT/xl5nXkDvhlMCI
6 changed files with 52 additions and 28 deletions

@ -10,6 +10,8 @@ import (
"github.com/labstack/echo/v4"
)
const unauthorisedAccess = "Unauthorised access detected"
func Index() echo.HandlerFunc {
return func(c echo.Context) error {
defer addHeaders(c)

@ -13,15 +13,32 @@ func ManageAPIKeys() echo.HandlerFunc {
return func(c echo.Context) error {
addHeaders(c)
u := c.Get("sessUsr")
u, ok := c.Get("sessUsr").(moduser.User)
if !ok {
return renderErrorPage(
c,
http.StatusUnauthorized,
http.StatusText(http.StatusUnauthorized),
"username was nil",
)
}
if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint", "endpoint", "/manage/api-keys", "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
c, status, msg+": You should not be here", "Restricted endpoint",
)
}
p := newPage()
p.Title = "Manage API Keys"
p.Current = "api-keys"
if _, ok := u.(moduser.User); ok {
p.User = u.(moduser.User)
}
p.User = u
if setting.APIKeyHIBP() != "" {
p.Data["hibpApiKey"] = setting.APIKeyHIBP()

@ -46,9 +46,9 @@ func ManageUsers() echo.HandlerFunc {
}
if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint")
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -177,9 +177,9 @@ func CreateUser() echo.HandlerFunc { //nolint:gocognit
}
if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint")
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -283,9 +283,9 @@ func ViewUser() echo.HandlerFunc {
}
if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint")
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -420,9 +420,9 @@ func EditUser() echo.HandlerFunc {
}
if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint")
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -522,9 +522,9 @@ func UpdateUser() echo.HandlerFunc { //nolint:gocognit
}
if !u.IsAdmin {
c.Logger().Debug("this is a restricted endpoint")
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusUnauthorized
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -756,7 +756,9 @@ func DeleteUserConfirmation() echo.HandlerFunc {
"username was nil",
)
} else if !u.IsAdmin {
status := http.StatusUnauthorized
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -855,7 +857,9 @@ func DeleteUser() echo.HandlerFunc {
"username was nil",
)
} else if !u.IsAdmin {
status := http.StatusUnauthorized
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(

@ -23,7 +23,9 @@ func GetSearchHIBP() echo.HandlerFunc {
if !ok {
c.Logger().Warnf("Error getting user from session cookie")
} else if u.IsAdmin {
status := http.StatusUnauthorized
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -102,7 +104,9 @@ func SearchHIBP() echo.HandlerFunc {
// )
c.Logger().Warnf("Error getting user from session cookie")
} else if u.IsAdmin {
status := http.StatusUnauthorized
log.Warn(unauthorisedAccess, "endpoint", c.Path(), "method", c.Request().Method, "user", u.Username, "isAdmin", u.IsAdmin)
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(

@ -26,7 +26,9 @@ func InitialPasswordChangePost() echo.HandlerFunc {
"Username was nil",
)
} else if u.IsAdmin {
status := http.StatusUnauthorized
log.Warn("this is a restricted endpoint", "endpoint", "/user/initial-password-change", "user", u.Username, "isAdmin", u.IsAdmin, "route name", c.Path())
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(
@ -145,7 +147,9 @@ func InitialPasswordChange() echo.HandlerFunc {
"Username was nil",
)
} else if u.IsAdmin {
status := http.StatusUnauthorized
log.Warn("this is a restricted endpoint", "endpoint", "/user/initial-password-change", "user", u.Username, "isAdmin", u.IsAdmin, "route name", c.Path())
status := http.StatusForbidden
msg := http.StatusText(status)
return renderErrorPage(

@ -19,13 +19,6 @@ func ViewHIBP() echo.HandlerFunc {
u, ok := c.Get("sessUsr").(moduser.User)
if !ok {
c.Logger().Warnf("Error getting user from session cookie")
} else if u.IsAdmin {
status := http.StatusUnauthorized
msg := http.StatusText(status)
return renderErrorPage(
c, status, msg+": You should not be here", "This endpoint is for users only",
)
}
h := new(hibpBreachDetail)