Add auth for read operation

gravitational · Sep 16, 2024 · 2896303 · 2896303
1 parent d7c3e00
commit 2896303
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 8 deletions.
diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go
@@ -77,6 +77,15 @@ func NewService(cfg ServiceConfig) (*Service, error) {
 
 // GetAutoUpdateConfig gets the current autoupdate config singleton.
 func (s *Service) GetAutoUpdateConfig(ctx context.Context, req *autoupdate.GetAutoUpdateConfigRequest) (*autoupdate.AutoUpdateConfig, error) {
+	authCtx, err := s.authorizer.Authorize(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	if err := authCtx.CheckAccessToKind(types.KindAutoUpdateConfig, types.VerbRead); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	config, err := s.cache.GetAutoUpdateConfig(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -165,6 +174,15 @@ func (s *Service) DeleteAutoUpdateConfig(ctx context.Context, req *autoupdate.De
 
 // GetAutoUpdateVersion gets the current autoupdate version singleton.
 func (s *Service) GetAutoUpdateVersion(ctx context.Context, req *autoupdate.GetAutoUpdateVersionRequest) (*autoupdate.AutoUpdateVersion, error) {
+	authCtx, err := s.authorizer.Authorize(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbRead); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	version, err := s.cache.GetAutoUpdateVersion(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)

diff --git a/lib/auth/autoupdate/autoupdatev1/service_test.go b/lib/auth/autoupdate/autoupdatev1/service_test.go
@@ -110,10 +110,14 @@ func TestServiceAccess(t *testing.T) {
 			allowedVerbs: []string{types.VerbUpdate, types.VerbCreate},
 		},
 		{
-			name:             "GetAutoUpdateConfig",
-			allowedStates:    []authz.AdminActionAuthState{},
-			disallowedStates: []authz.AdminActionAuthState{},
-			allowedVerbs:     []string{types.VerbRead},
+			name: "GetAutoUpdateConfig",
+			allowedStates: []authz.AdminActionAuthState{
+				authz.AdminActionAuthUnauthorized,
+				authz.AdminActionAuthNotRequired,
+				authz.AdminActionAuthMFAVerified,
+				authz.AdminActionAuthMFAVerifiedWithReuse,
+			},
+			allowedVerbs: []string{types.VerbRead},
 		},
 		{
 			name:          "DeleteAutoUpdateConfig",
@@ -149,10 +153,14 @@ func TestServiceAccess(t *testing.T) {
 			allowedVerbs: []string{types.VerbUpdate, types.VerbCreate},
 		},
 		{
-			name:             "GetAutoUpdateVersion",
-			allowedStates:    []authz.AdminActionAuthState{},
-			disallowedStates: []authz.AdminActionAuthState{},
-			allowedVerbs:     []string{types.VerbRead},
+			name: "GetAutoUpdateVersion",
+			allowedStates: []authz.AdminActionAuthState{
+				authz.AdminActionAuthUnauthorized,
+				authz.AdminActionAuthNotRequired,
+				authz.AdminActionAuthMFAVerified,
+				authz.AdminActionAuthMFAVerifiedWithReuse,
+			},
+			allowedVerbs: []string{types.VerbRead},
 		},
 		{
 			name:          "DeleteAutoUpdateVersion",