Access control: Attach ID to error message (#33472)

2021-05-12 23:00:27 +02:00 · 2021-05-12 23:00:27 +02:00 · c2e761f28e
parent 49fa711577
commit c2e761f28e
1 changed files with 41 additions and 4 deletions
--- a/pkg/services/accesscontrol/middleware/middleware.go
+++ b/pkg/services/accesscontrol/middleware/middleware.go
@ -2,8 +2,12 @@ package middleware

 import (
 	"bytes"
+	"fmt"
 	"net/http"
 	"text/template"
+	"time"
+
+	"github.com/grafana/grafana/pkg/util"

 	macaron "gopkg.in/macaron.v1"

@ -38,15 +42,48 @@ func Middleware(ac accesscontrol.AccessControl) func(macaron.Handler, string, ..

 			hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, runtimeScope...)
 			if err != nil {
-				c.Logger.Error("Error from access control system", "error", err)
-				c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)
+				Deny(c, permission, runtimeScope, err)
 				return
 			}
 			if !hasAccess {
-				c.Logger.Info("Access denied", "userID", c.UserId, "permission", permission, "scopes", runtimeScope)
-				c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)
+				Deny(c, permission, runtimeScope, nil)
 				return
 			}
 		}
 	}
 }
+
+func Deny(c *models.ReqContext, permission string, scopes []string, err error) {
+	id := newID()
+	if err != nil {
+		c.Logger.Error("Error from access control system", "error", err, "accessErrorID", id)
+	} else {
+		c.Logger.Info("Access denied",
+			"userID", c.UserId,
+			"permission", permission,
+			"scopes", scopes,
+			"accessErrorID", id)
+	}
+
+	// If the user triggers an error in the access control system, we
+	// don't want the user to be aware of that, so the user gets the
+	// same information from the system regardless of if it's an
+	// internal server error or access denied.
+	c.JSON(http.StatusForbidden, map[string]string{
+		"title":         "Access denied", // the component needs to pick this up
+		"message":       fmt.Sprintf("Your user account does not have permissions to do the action. We recorded your attempt with log message %s. Contact your administrator for help.", id),
+		"accessErrorId": id,
+	})
+}
+
+func newID() string {
+	// Less ambiguity than alphanumerical.
+	numerical := []byte("0123456789")
+	id, err := util.GetRandomString(10, numerical...)
+	if err != nil {
+		// this should not happen, but if it does, a timestamp is as
+		// useful as anything.
+		id = fmt.Sprintf("%d", time.Now().UnixNano())
+	}
+	return "ACE" + id
+}