lxd: Enforce users to be authenticated before running the access hand…

…ler. Previously we ran the access handler regardless of whether a request was authenticated. This would usually fail because there would be no username in the request context. However we need to be careful that a user is authenticated if predicating access on the presence of a CA certificate. Signed-off-by: Mark Laing <mark.laing@canonical.com>
canonical · Nov 7, 2023 · e4002f2 · e4002f2
1 parent cb4be75
commit e4002f2
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/lxd/daemon.go b/lxd/daemon.go
@@ -586,14 +586,22 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c APIEndpoint) {
 				return response.NotImplemented(nil)
 			}
 
+			// All APIEndpointActions should have an access handler or should allow untrusted requests.
+			if action.AccessHandler == nil && !action.AllowUntrusted {
+				return response.InternalError(fmt.Errorf("Access handler not defined for %s %s", r.Method, r.URL.RequestURI()))
+			}
+
+			// If the request is not trusted, only call the handler if the action allows it.
+			if !trusted && !action.AllowUntrusted {
+				return response.Forbidden(errors.New("You must be authenticated"))
+			}
+
+			// Call the access handler if there is one.
 			if action.AccessHandler != nil {
-				// Defer access control to custom handler
 				resp := action.AccessHandler(d, r)
 				if resp != response.EmptySyncResponse {
 					return resp
 				}
-			} else if !action.AllowUntrusted {
-				return response.Forbidden(nil)
 			}
 
 			return action.Handler(d, r)