Direct DB perm checks: check that the namespaces match (#97828)

check that the namespace of the caller matches the namespace in the request
Ieva 2024-12-12 10:57:16 +00:00 committed by GitHub
parent f710573b37
commit 32554c78a8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -78,10 +78,17 @@ func (s *Service) validateRequest(ctx context.Context, req *authzv1.CheckRequest
if req.GetNamespace() == "" {
return nil, status.Error(codes.InvalidArgument, "namespace is required")
}
namespace := req.GetNamespace()
ns, err := claims.ParseNamespace(namespace)
authInfo, has := claims.From(ctx)
if !has {
return nil, status.Error(codes.Internal, "could not get auth info from context")
}
if !claims.NamespaceMatches(authInfo.GetNamespace(), req.GetNamespace()) {
return nil, status.Error(codes.PermissionDenied, "namespace does not match")
}
ns, err := claims.ParseNamespace(req.GetNamespace())
if err != nil {
ctxLogger.Error("could not parse namespace", "namespace", namespace, "error", err)
ctxLogger.Error("could not parse namespace", "namespace", req.GetNamespace(), "error", err)
return nil, err
}
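Review bot: The new `PermissionDenied` branch returns without logging, so a caller asking for a check in a namespace other than its own leaves no trace here, while the parse failure just below it is logged. A line before that return, mirroring the existing call, would give detection something to key on: `ctxLogger.Error("namespace does not match", "caller_namespace", authInfo.GetNamespace(), "request_namespace", req.GetNamespace())` (or a lower level if the logger offers one). Separately, a missing auth context is reported as `codes.Internal`; if this path is reachable by an unauthenticated request rather than only through a wiring bug, `codes.Unauthenticated` would describe it more accurately. The match also runs on the raw request string before `claims.ParseNamespace` has validated it, so it is worth confirming that `NamespaceMatches` behaves safely on malformed input, or moving the parse first. `validateRequest` begins and continues outside this hunk, so an existing log or check elsewhere in the function would not be visible here.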