Change notification settings only for members of the NordVPN group

NordSecurity · Jan 17, 2025 · f64e535 · f64e535
1 parent a70aae6
commit f64e535
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 31 deletions.
diff --git a/daemon/rpc_set_notify.go b/daemon/rpc_set_notify.go
@@ -10,6 +10,19 @@ import (
 )
 
 func (r *RPC) SetNotify(ctx context.Context, in *pb.SetNotifyRequest) (*pb.Payload, error) {
+	isInNordVPNGroup, err := internal.IsInAllowedGroup(uint32(in.Uid))
+	if err != nil {
+		return &pb.Payload{
+			Type: internal.CodeInternalError,
+		}, nil
+	}
+
+	if !isInNordVPNGroup {
+		return &pb.Payload{
+			Type: internal.CodeNotInNordVPNGroup,
+		}, nil
+	}
+
 	var cfg config.Config
 	if err := r.cm.Load(&cfg); err != nil {
 		log.Println(internal.ErrorPrefix, err)

diff --git a/internal/codes.go b/internal/codes.go
@@ -63,6 +63,7 @@ const (
 	CodePqWithoutNordlynx              int64 = 3049
 	CodeFeatureHidden                  int64 = 3050
 	CodeTechnologyDisabled             int64 = 3051
+	CodeNotInNordVPNGroup              int64 = 3052
 )
 
 type ErrorWithCode struct {

diff --git a/internal/permissions.go b/internal/permissions.go
@@ -0,0 +1,36 @@
+package internal
+
+import (
+	"fmt"
+	"os/user"
+)
+
+var allowedGroups []string = []string{"nordvpn"}
+var ErrNoPermission error = fmt.Errorf("requesting user does not have permissions")
+
+// IsInAllowedGroup returns true if user with the given UID is in nordvpn privileged group
+func IsInAllowedGroup(uid uint32) (bool, error) {
+	userInfo, err := user.LookupId(fmt.Sprintf("%d", uid))
+	if err != nil {
+		return false, fmt.Errorf("authenticate user, lookup user info: %s", err)
+	}
+	// user belongs to the allowed group?
+	groups, err := userInfo.GroupIds()
+	if err != nil {
+		return false, fmt.Errorf("authenticate user, check user groups: %s", err)
+	}
+
+	for _, groupId := range groups {
+		groupInfo, err := user.LookupGroupId(groupId)
+		if err != nil {
+			return false, fmt.Errorf("authenticate user, check user group: %s", err)
+		}
+		for _, allowGroupName := range allowedGroups {
+			if groupInfo.Name == allowGroupName {
+				return true, nil
+			}
+		}
+	}
+
+	return false, nil
+}
diff --git a/internal/socket.go b/internal/socket.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"os/user"
 	"reflect"
 	"strconv"
 	"strings"
@@ -14,35 +13,6 @@ import (
 	"google.golang.org/grpc/credentials"
 )
 
-var allowedGroups []string = []string{"nordvpn"}
-var ErrNoPermission error = fmt.Errorf("requesting user does not have permissions")
-
-func isInAllowedGroup(ucred *unix.Ucred) (bool, error) {
-	userInfo, err := user.LookupId(fmt.Sprintf("%d", ucred.Uid))
-	if err != nil {
-		return false, fmt.Errorf("authenticate user, lookup user info: %s", err)
-	}
-	// user belongs to the allowed group?
-	groups, err := userInfo.GroupIds()
-	if err != nil {
-		return false, fmt.Errorf("authenticate user, check user groups: %s", err)
-	}
-
-	for _, groupId := range groups {
-		groupInfo, err := user.LookupGroupId(groupId)
-		if err != nil {
-			return false, fmt.Errorf("authenticate user, check user group: %s", err)
-		}
-		for _, allowGroupName := range allowedGroups {
-			if groupInfo.Name == allowGroupName {
-				return true, nil
-			}
-		}
-	}
-
-	return false, nil
-}
-
 // getUnixCreds returns info from unix socket connection about the process on the other end.
 func getUnixCreds(conn net.Conn, authenticator SocketAuthenticator) (*unix.Ucred, error) {
 	conn2 := extractConnection(conn)
@@ -96,7 +66,7 @@ func (DaemonAuthenticator) Authenticate(ucred *unix.Ucred) error {
 		return nil
 	}
 
-	isGroup, err := isInAllowedGroup(ucred)
+	isGroup, err := IsInAllowedGroup(ucred.Uid)
 	if err != nil {
 		return err
 	}