is_allowed

bencherdev · Nov 26, 2024 · ed2e567 · ed2e567
1 parent 31e3aca
commit ed2e567
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 15 deletions.
diff --git a/services/api/src/error.rs b/services/api/src/error.rs
@@ -5,6 +5,8 @@ use dropshot::HttpError;
 use http::StatusCode;
 use thiserror::Error;
 
+pub const BEARER_TOKEN_FORMAT: &str = "Expected format is `Authorization: Bearer <bencher.api.token>`. Where `<bencher.api.token>` is your Bencher API token.";
+
 #[derive(Debug, Clone, Copy)]
 pub enum BencherResource {
     Organization,
@@ -134,7 +136,9 @@ where
     V: fmt::Debug,
     E: fmt::Display,
 {
-    not_found_error(format!("{resource} ({value:?}) not found: {error}",))
+    not_found_error(
+        format!("{resource} ({value:?}) not found: {error}\n{resource} may be private and require authentication or it may not exist.\n{BEARER_TOKEN_FORMAT}"),
+    )
 }
 
 pub fn resource_conflict_error<V, E>(resource: BencherResource, value: V, error: E) -> HttpError

diff --git a/services/api/src/model/organization/mod.rs b/services/api/src/model/organization/mod.rs
@@ -11,7 +11,7 @@ use dropshot::HttpError;
 
 use crate::{
     context::{DbConnection, Rbac},
-    error::forbidden_error,
+    error::{forbidden_error, resource_not_found_error, BencherResource},
     model::user::{auth::AuthUser, InsertUser},
     schema::{self, organization as organization_table},
     util::{
@@ -53,11 +53,23 @@ impl QueryOrganization {
         organization: &ResourceId,
         auth_user: &AuthUser,
         permission: bencher_rbac::organization::Permission,
+    ) -> Result<Self, HttpError> {
+        // Do not leak information about organizations.
+        // Always return the same error.
+        Self::is_allowed_resource_id_inner(conn, rbac, organization, auth_user, permission).map_err(
+            |_e| resource_not_found_error(BencherResource::Organization, organization, permission),
+        )
+    }
+
+    fn is_allowed_resource_id_inner(
+        conn: &mut DbConnection,
+        rbac: &Rbac,
+        organization: &ResourceId,
+        auth_user: &AuthUser,
+        permission: bencher_rbac::organization::Permission,
     ) -> Result<Self, HttpError> {
         let query_organization = Self::from_resource_id(conn, organization)?;
-        rbac.is_allowed_organization(auth_user, permission, &query_organization)
-            .map_err(forbidden_error)?;
-        Ok(query_organization)
+        query_organization.allowed(rbac, auth_user, permission)
     }
 
     pub fn is_allowed_id(
@@ -66,11 +78,36 @@ impl QueryOrganization {
         organization_id: OrganizationId,
         auth_user: &AuthUser,
         permission: bencher_rbac::organization::Permission,
+    ) -> Result<Self, HttpError> {
+        // Do not leak information about organizations.
+        // Always return the same error.
+        Self::is_allowed_id_inner(conn, rbac, organization_id, auth_user, permission).map_err(
+            |_e| {
+                resource_not_found_error(BencherResource::Organization, organization_id, permission)
+            },
+        )
+    }
+
+    fn is_allowed_id_inner(
+        conn: &mut DbConnection,
+        rbac: &Rbac,
+        organization_id: OrganizationId,
+        auth_user: &AuthUser,
+        permission: bencher_rbac::organization::Permission,
     ) -> Result<Self, HttpError> {
         let query_organization = Self::get(conn, organization_id)?;
-        rbac.is_allowed_organization(auth_user, permission, &query_organization)
+        query_organization.allowed(rbac, auth_user, permission)
+    }
+
+    fn allowed(
+        self,
+        rbac: &Rbac,
+        auth_user: &AuthUser,
+        permission: bencher_rbac::organization::Permission,
+    ) -> Result<Self, HttpError> {
+        rbac.is_allowed_organization(auth_user, permission, &self)
             .map_err(forbidden_error)?;
-        Ok(query_organization)
+        Ok(self)
     }
 
     pub fn into_json(self) -> JsonOrganization {

diff --git a/services/api/src/model/project/mod.rs b/services/api/src/model/project/mod.rs
@@ -10,7 +10,10 @@ use dropshot::HttpError;
 
 use crate::{
     context::{DbConnection, Rbac},
-    error::{assert_parentage, forbidden_error, unauthorized_error, BencherResource},
+    error::{
+        assert_parentage, forbidden_error, resource_not_found_error, unauthorized_error,
+        BencherResource,
+    },
     model::{organization::QueryOrganization, user::auth::AuthUser},
     schema::{self, project as project_table},
     util::{
@@ -20,7 +23,7 @@ use crate::{
     },
 };
 
-use super::{organization::OrganizationId, user::auth::BEARER_TOKEN_FORMAT};
+use super::organization::OrganizationId;
 
 pub mod benchmark;
 pub mod branch;
@@ -79,6 +82,19 @@ impl QueryProject {
         project: &ResourceId,
         auth_user: &AuthUser,
         permission: Permission,
+    ) -> Result<Self, HttpError> {
+        // Do not leak information about private projects.
+        // Always return the same error.
+        Self::is_allowed_inner(conn, rbac, project, auth_user, permission)
+            .map_err(|_e| resource_not_found_error(BencherResource::Project, project, permission))
+    }
+
+    fn is_allowed_inner(
+        conn: &mut DbConnection,
+        rbac: &Rbac,
+        project: &ResourceId,
+        auth_user: &AuthUser,
+        permission: Permission,
     ) -> Result<Self, HttpError> {
         let query_project = Self::from_resource_id(conn, project)?;
         rbac.is_allowed_project(auth_user, permission, &query_project)
@@ -91,6 +107,19 @@ impl QueryProject {
         rbac: &Rbac,
         project: &ResourceId,
         auth_user: Option<&AuthUser>,
+    ) -> Result<Self, HttpError> {
+        // Do not leak information about private projects.
+        // Always return the same error.
+        Self::is_allowed_public_inner(conn, rbac, project, auth_user).map_err(|_e| {
+            resource_not_found_error(BencherResource::Project, project, Permission::View)
+        })
+    }
+
+    fn is_allowed_public_inner(
+        conn: &mut DbConnection,
+        rbac: &Rbac,
+        project: &ResourceId,
+        auth_user: Option<&AuthUser>,
     ) -> Result<Self, HttpError> {
         let query_project = Self::from_resource_id(conn, project)?;
         // Check to see if the project is public
@@ -104,9 +133,7 @@ impl QueryProject {
                 .map_err(forbidden_error)?;
             Ok(query_project)
         } else {
-            Err(unauthorized_error(format!(
-                "Project ({query_project:?}) is not public and requires authentication.\n{BEARER_TOKEN_FORMAT}",
-            )))
+            Err(unauthorized_error(project))
         }
     }
 

diff --git a/services/api/src/model/user/auth.rs b/services/api/src/model/user/auth.rs
@@ -20,15 +20,13 @@ use oso::{PolarValue, ToPolar};
 use crate::{
     conn_lock,
     context::{ApiContext, DbConnection, Rbac},
-    error::{bad_request_error, forbidden_error},
+    error::{bad_request_error, forbidden_error, BEARER_TOKEN_FORMAT},
     model::{organization::OrganizationId, project::ProjectId},
     schema,
 };
 
 use super::{QueryUser, UserId};
 
-pub const BEARER_TOKEN_FORMAT: &str = "Expected format is `Authorization: Bearer <bencher.api.token>`. Where `<bencher.api.token>` is your Bencher API token.";
-
 #[derive(Debug, Clone)]
 pub struct AuthUser {
     pub user: QueryUser,