lxd: Enforce users to be authenticated before running the access hand…

…ler. Previously we ran the access handler regardless of whether a request was authenticated. This would usually fail because there would be no username in the request context. However we need to be careful that a user is authenticated if predicating access on the presence of a CA certificate. Signed-off-by: Mark Laing <mark.laing@canonical.com>
canonical · Nov 7, 2023 · 7ba9039 · 7ba9039
1 parent cb4be75
commit 7ba9039
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/lxd/daemon.go b/lxd/daemon.go
@@ -586,14 +586,23 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c APIEndpoint) {
 				return response.NotImplemented(nil)
 			}
 
-			if action.AccessHandler != nil {
-				// Defer access control to custom handler
+			// All APIEndpointActions should have an access handler or should allow untrusted requests.
+			if action.AccessHandler == nil && !action.AllowUntrusted {
+				return response.InternalError(fmt.Errorf("Access handler not defined for %s %s", r.Method, r.URL.RequestURI()))
+			}
+
+			// If the request is not trusted, only call the handler if the action allows it.
+			if !trusted {
+				if !action.AllowUntrusted {
+					return response.Forbidden(errors.New("You must be authenticated"))
+				}
+
+				return action.Handler(d, r)
+			} else if action.AccessHandler != nil {
 				resp := action.AccessHandler(d, r)
 				if resp != response.EmptySyncResponse {
 					return resp
 				}
-			} else if !action.AllowUntrusted {
-				return response.Forbidden(nil)
 			}
 
 			return action.Handler(d, r)