Allow non-admins to use the checkRelation

cmd/jimmctl/cmd/relation_test.go

@@ -612,9 +612,9 @@ func (s *relationSuite) TestCheckRelation(c *gc.C) {
 	_, err := cmdtesting.RunCommand(
 		c,
 		cmd.NewCheckRelationCommandForTesting(s.ClientStore(), bClient),
-		"diglett",
+		"user-diglett",
 		"reader",
-		"dugtrio",
+		"controller-jimm",
 	)
 	c.Assert(err, gc.ErrorMatches, `unauthorized \(unauthorized access\)`)
 }

internal/jujuapi/access_control.go

@@ -358,15 +358,17 @@ func (r *controllerRoot) CheckRelation(ctx context.Context, req apiparams.CheckR
 	const op = errors.Op("jujuapi.CheckRelation")
 	checkResp := apiparams.CheckRelationResponse{Allowed: false}
 
-	if !r.user.JimmAdmin {
-		return checkResp, errors.E(op, errors.CodeUnauthorized, "unauthorized")
-	}
-
 	parsedTuple, err := r.parseTuple(ctx, req.Tuple)
 	if err != nil {
 		return checkResp, errors.E(op, errors.CodeFailedToParseTupleKey, err)
 	}
 
+	userCheckingSelf := parsedTuple.Object.Kind == openfga.UserType && parsedTuple.Object.ID == r.user.Username
+
+	if !(r.user.JimmAdmin || userCheckingSelf) {
+		return checkResp, errors.E(op, errors.CodeUnauthorized, "unauthorized")
+	}
+
 	allowed, err := r.jimm.AuthorizationClient().CheckRelation(ctx, *parsedTuple, false)
 	if err != nil {
 		zapctx.Error(ctx, "failed to check relation", zap.NamedError("check-relation-error", err))

internal/jujuapi/access_control_test.go

@@ -827,7 +827,6 @@ func (s *accessControlSuite) TestJAASTag(c *gc.C) {
 			c.Assert(err, gc.IsNil)
 			c.Assert(t, gc.Equals, test.expectedJAASTag)
 		}
-
 	}
 }
 
@@ -877,6 +876,34 @@ func (s *accessControlSuite) TestListRelationshipTuples(c *gc.C) {
 
 }
 
+func (s *accessControlSuite) TestCheckRelationAsNonAdmin(c *gc.C) {
+	conn := s.open(c, nil, "bob")
+	defer conn.Close()
+	client := api.NewClient(conn)
+
+	userAliceKey := "user-alice@external"
+	userBobKey := "user-bob@external"
+
+	// Verify Bob checking for Alice's permission fails
+	input := apiparams.RelationshipTuple{
+		Object:       userAliceKey,
+		Relation:     "administrator",
+		TargetObject: "controller-jimm",
+	}
+	req := apiparams.CheckRelationRequest{Tuple: input}
+	_, err := client.CheckRelation(&req)
+	c.Assert(err, gc.ErrorMatches, `unauthorized \(unauthorized access\)`)
+	// Verify Bob can check for his own permission.
+	input = apiparams.RelationshipTuple{
+		Object:       userBobKey,
+		Relation:     "administrator",
+		TargetObject: "controller-jimm",
+	}
+	req = apiparams.CheckRelationRequest{Tuple: input}
+	_, err = client.CheckRelation(&req)
+	c.Assert(err, gc.IsNil)
+}
+
 func (s *accessControlSuite) TestCheckRelationOfferReaderFlow(c *gc.C) {
 	ctx := context.Background()
 	ofgaClient := s.JIMM.OpenFGAClient