From e1e52eaec4d00711762249dfe3479c64e9060e5c Mon Sep 17 00:00:00 2001
From: Fabian Seidl <fabian.b.seidl@stud.h-da.de>
Date: Thu, 28 Apr 2022 09:56:53 +0200
Subject: [PATCH] fixed check for creating more than one user when not logged
 in, added check to see if provided token belongs to user

---
 .../northbound/server/auth_interceptor.go     | 33 ++++++++++++-------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/controller/northbound/server/auth_interceptor.go b/controller/northbound/server/auth_interceptor.go
index cc127da9b..96b11971e 100644
--- a/controller/northbound/server/auth_interceptor.go
+++ b/controller/northbound/server/auth_interceptor.go
@@ -35,6 +35,11 @@ func (auth AuthInterceptor) Unary() grpc.UnaryServerInterceptor {
 		case *apb.CreateUsersRequest:
 			if len(r.User) < 2 {
 				return handler(ctx, req)
+			} else {
+				err := auth.authorize(ctx, info.FullMethod)
+				if err != nil {
+					return nil, err
+				}
 			}
 		default:
 			err := auth.authorize(ctx, info.FullMethod)
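Review bot: The bypass at `if len(r.User) < 2` is evaluated per request, so a caller with no credentials can still create an unlimited number of users by sending one `CreateUsersRequest` at a time; the new `else` branch only closes the multi-user case. If the intent is to let the very first account be created before any user exists, the guard should depend on whether the user store is already populated (a lookup through `userc`) rather than on the size of the incoming request. Stylistically, the `else` is unnecessary after `return handler(ctx, req)`; the `auth.authorize(ctx, info.FullMethod)` call can follow the `if` directly. Unary() starts and ends outside the hunk.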
@@ -80,7 +85,16 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 			return err
 		}
 
-		err = verifyPermisisonForRequestedCall(claims, method)
+		user, err := userc.Get(store.Query{Name: claims.Username})
+		if err != nil {
+			return err
+		}
+
+		if user.GetToken() != token {
+			return status.Errorf(codes.PermissionDenied, "invalid token")
+		}
+
+		err = verifyPermisisonForRequestedCall(user.GetRoles(), method)
 		if err != nil {
 			return err
 		}
@@ -91,13 +105,8 @@ func (auth AuthInterceptor) authorize(ctx context.Context, method string) error
 	return nil
 }
 
-func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod string) error {
-	user, err := userc.Get(store.Query{Name: claims.Username})
-	if err != nil {
-		return err
-	}
-
-	roles, err := rolec.GetAll()
+func verifyPermisisonForRequestedCall(userRoles map[string]string, requestedMethod string) error {
+	storedRoles, err := rolec.GetAll()
 	if err != nil {
 		return err
 	}
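Review bot: `verifyPermisisonForRequestedCall` has no doc comment and the rewritten signature keeps the misspelling in its name; since the commit already changes the signature and its single call site in authorize, renaming it to `verifyPermissionForRequestedCall` is cheap here. A comment such as `// verifyPermissionForRequestedCall returns nil when one of userRoles (values are role names) matches a stored role whose permissions contain requestedMethod.` would also document the map's contract, which is only implied by the comparison against `storedRole.Name()` in the next hunk. The function body continues past this hunk.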
@@ -106,10 +115,10 @@ func verifyPermisisonForRequestedCall(claims *rbac.UserClaims, requestedMethod s
 	// first loop through map with roles associated to user
 	// second loop check if name of user role exists in roles
 	// third loop check if role associated to current user has permission for call
-	for _, userRole := range user.GetRoles() {
-		for _, role := range roles {
-			if userRole == role.Name() {
-				for _, permission := range role.GetPermissions() {
+	for _, userRole := range userRoles {
+		for _, storedRole := range storedRoles {
+			if userRole == storedRole.Name() {
+				for _, permission := range storedRole.GetPermissions() {
 					if permission == requestedMethod {
 						return nil
 					}
-- 
GitLab