Skip to content

Commit

Permalink
lxd: Enforce users to be authenticated before running the access hand…
Browse files Browse the repository at this point in the history
…ler.

Previously we ran the access handler regardless of whether a request was
authenticated. This would usually fail because there would be no
username in the request context. However we need to be careful that a
user is authenticated if predicating access on the presence of a CA
certificate.

Signed-off-by: Mark Laing <mark.laing@canonical.com>
  • Loading branch information
markylaing committed Nov 15, 2023
1 parent 64fa9a5 commit 7cce0df
Showing 1 changed file with 11 additions and 3 deletions.
14 changes: 11 additions & 3 deletions lxd/daemon.go
Original file line number Diff line number Diff line change
Expand Up @@ -586,14 +586,22 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c APIEndpoint) {
return response.NotImplemented(nil)
}

// All APIEndpointActions should have an access handler or should allow untrusted requests.
if action.AccessHandler == nil && !action.AllowUntrusted {
return response.InternalError(fmt.Errorf("Access handler not defined for %s %s", r.Method, r.URL.RequestURI()))
}

// If the request is not trusted, only call the handler if the action allows it.
if !trusted && !action.AllowUntrusted {
return response.Forbidden(errors.New("You must be authenticated"))
}

// Call the access handler if there is one.
if action.AccessHandler != nil {
// Defer access control to custom handler
resp := action.AccessHandler(d, r)
if resp != response.EmptySyncResponse {
return resp
}
} else if !action.AllowUntrusted {
return response.Forbidden(nil)
}

return action.Handler(d, r)
Expand Down

0 comments on commit 7cce0df

Please sign in to comment.