SMQ-2670 - Fix Unauthorized User IDs can be added to domain entity ro…

…le members (#2684) Signed-off-by: nyagamunene <[email protected]>
absmach · Feb 28, 2025 · 98bc206 · 98bc206
1 parent 17b5224
commit 98bc206
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/groups/middleware/authorization.go b/groups/middleware/authorization.go
@@ -94,6 +94,7 @@ func (am *authorizationMiddleware) CreateGroup(ctx context.Context, session auth
 			return groups.Group{}, []roles.RoleProvision{}, errors.Wrap(svcerr.ErrUnauthorizedPAT, err)
 		}
 	}
+
 	if err := am.extAuthorize(ctx, groups.DomainOpCreateGroup, smqauthz.PolicyReq{
 		Domain:      session.DomainID,
 		SubjectType: policies.UserType,

diff --git a/...s/rolemanager/middleware/authoirzation.go → ...s/rolemanager/middleware/authorization.go b/...s/rolemanager/middleware/authoirzation.go → ...s/rolemanager/middleware/authorization.go
@@ -9,6 +9,7 @@ import (
 	"github.com/absmach/supermq/pkg/authn"
 	smqauthz "github.com/absmach/supermq/pkg/authz"
 	"github.com/absmach/supermq/pkg/errors"
+	svcerr "github.com/absmach/supermq/pkg/errors/service"
 	"github.com/absmach/supermq/pkg/policies"
 	"github.com/absmach/supermq/pkg/roles"
 	"github.com/absmach/supermq/pkg/svcutil"
@@ -209,6 +210,10 @@ func (ram RoleManagerAuthorizationMiddleware) RoleAddMembers(ctx context.Context
 	}); err != nil {
 		return []string{}, err
 	}
+
+	if err := ram.authorizeMembers(ctx, session, members); err != nil {
+		return []string{}, err
+	}
 	return ram.svc.RoleAddMembers(ctx, session, entityID, roleID, members)
 }
 
@@ -314,3 +319,39 @@ func (ram RoleManagerAuthorizationMiddleware) authorize(ctx context.Context, op
 func (ram RoleManagerAuthorizationMiddleware) RemoveMemberFromAllRoles(ctx context.Context, session authn.Session, memberID string) (err error) {
 	return ram.svc.RemoveMemberFromAllRoles(ctx, session, memberID)
 }
+
+func (ram RoleManagerAuthorizationMiddleware) authorizeMembers(ctx context.Context, session authn.Session, members []string) error {
+	switch ram.entityType {
+	case policies.DomainType:
+		for _, member := range members {
+			if err := ram.authz.Authorize(ctx, smqauthz.PolicyReq{
+				Permission:  policies.MembershipPermission,
+				Subject:     member,
+				SubjectType: policies.UserType,
+				SubjectKind: policies.UsersKind,
+				Object:      policies.SuperMQObject,
+				ObjectType:  policies.PlatformType,
+			}); err != nil {
+				return errors.Wrap(errors.ErrAuthorization, err)
+			}
+		}
+		return nil
+
+	case policies.ChannelType, policies.GroupType, policies.ClientType:
+		for _, member := range members {
+			if err := ram.authz.Authorize(ctx, smqauthz.PolicyReq{
+				Permission:  policies.MembershipPermission,
+				Subject:     policies.EncodeDomainUserID(session.DomainID, member),
+				SubjectType: policies.UserType,
+				SubjectKind: policies.UsersKind,
+				Object:      session.DomainID,
+				ObjectType:  policies.DomainType,
+			}); err != nil {
+				return errors.Wrap(svcerr.ErrDomainAuthorization, err)
+			}
+		}
+		return nil
+	default:
+		return errors.Wrap(errors.ErrAuthorization, errors.New("unsupported policies type"))
+	}
+}