

chore: Improve permissions check on LDAP endpoints (#32335)
matheusbsilva137 authored and ggazzo committed Jun 19, 2024
1 parent 5ab6696 commit 5aea82a
Showing 2 changed files with 53 additions and 12 deletions.
13 changes: 2 additions & 11 deletions apps/meteor/app/api/server/v1/ldap.ts
Expand Up @@ -2,23 +2,18 @@ import { LDAP } from '@rocket.chat/core-services';
import { Match, check } from 'meteor/check';

import { SystemLogger } from '../../../../server/lib/logger/system';
import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
import { settings } from '../../../settings/server';
import { API } from '../api';

API.v1.addRoute(
'ldap.testConnection',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['test-admin-options'] },
{
async post() {
if (!this.userId) {
throw new Error('error-invalid-user');
}

if (!(await hasPermissionAsync(this.userId, 'test-admin-options'))) {
throw new Error('error-not-authorized');
}

if (settings.get<boolean>('LDAP_Enable') !== true) {
throw new Error('LDAP_disabled');
}
Expand All @@ -39,7 +34,7 @@ API.v1.addRoute(

API.v1.addRoute(
'ldap.testSearch',
{ authRequired: true },
{ authRequired: true, permissionsRequired: ['test-admin-options'] },
{
async post() {
check(
Expand All @@ -53,10 +48,6 @@ API.v1.addRoute(
throw new Error('error-invalid-user');
}

if (!(await hasPermissionAsync(this.userId, 'test-admin-options'))) {
throw new Error('error-not-authorized');
}

if (settings.get('LDAP_Enable') !== true) {
throw new Error('LDAP_disabled');
}
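Review bot: The client-visible failure contract changes with the move to `permissionsRequired`: the removed in-handler check threw `Error('error-not-authorized')`, whereas the route-level check (as pinned by the new tests) answers 403 with `error-unauthorized`, so any caller that matches on the old string breaks; that is worth a line in the changelog or API docs rather than a `chore:` title alone. With `authRequired: true` the framework presumably guarantees an authenticated caller before the permission check runs, so the surviving `if (!this.userId) { throw new Error('error-invalid-user'); }` guard in `ldap.testSearch` (and in `ldap.testConnection`, if it was kept) looks redundant and could be dropped — confirm against the route wrapper; likewise, if the `hasPermissionAsync` import at the top of the file is no longer referenced anywhere in this file it should go too. A smaller point of style in the surrounding context: `ldap.testConnection` reads `settings.get<boolean>('LDAP_Enable')` while `ldap.testSearch` reads `settings.get('LDAP_Enable')` — aligning both on the typed form would keep the two handlers consistent. Both route handlers continue past the ends of their hunks.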
52 changes: 51 additions & 1 deletion apps/meteor/tests/end-to-end/api/26-LDAP.ts
@@ -1,8 +1,9 @@
import { expect } from 'chai';
import { before, describe, it } from 'mocha';
import { before, after, describe, it } from 'mocha';
import type { Response } from 'supertest';

import { getCredentials, api, request, credentials } from '../../data/api-data.js';
import { updatePermission } from '../../data/permissions.helper';

describe('LDAP', function () {
this.retries(0);
Expand Down Expand Up @@ -44,4 +45,53 @@ describe('LDAP', function () {
});
});
});

describe('[/ldap.testSearch]', () => {
before(async () => {
return updatePermission('test-admin-options', ['admin']);
});

after(async () => {
return updatePermission('test-admin-options', ['admin']);
});

it('should not allow testing LDAP search if user does NOT have the test-admin-options permission', async () => {
await updatePermission('test-admin-options', []);
await request
.post(api('ldap.testSearch'))
.set(credentials)
.send({
username: 'test-search',
})
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res: Response) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});

describe('[/ldap.testConnection]', () => {
before(async () => {
return updatePermission('test-admin-options', ['admin']);
});

after(async () => {
return updatePermission('test-admin-options', ['admin']);
});

it('should not allow testing LDAP connection if user does NOT have the test-admin-options permission', async () => {
await updatePermission('test-admin-options', []);
await request
.post(api('ldap.testConnection'))
.set(credentials)
.expect('Content-Type', 'application/json')
.expect(403)
.expect((res: Response) => {
expect(res.body).to.have.property('success', false);
expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
});
});
});
});
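Review bot: Both new describe blocks assert only the denial path, so a regression that rejects everyone (for example a misspelt permission name on the route) would still pass; each should also carry a positive case that grants `test-admin-options` to `admin` and asserts the request is not refused with 403. In a test environment where LDAP is not enabled the handler presumably fails with `LDAP_disabled` rather than succeeding, so the positive case should pin only the authorization outcome (status not 403, body not carrying the `error-unauthorized` message) rather than a success response — confirm against the handler and against what `credentials` resolves to. The `before` hooks re-set the same default the `after` hooks restore; since the `it` itself calls `updatePermission('test-admin-options', [])`, the `after` restore alone suffices and could be written as `after(() => updatePermission('test-admin-options', ['admin']));`. The expected error string is repeated verbatim in both tests; hoisting it into one constant keeps them in step if the server message changes.
```typescript
// … unchanged: denial-path test above …
it('should reach the handler when the user has the test-admin-options permission', async () => {
  await updatePermission('test-admin-options', ['admin']);
  await request
    .post(api('ldap.testConnection'))
    .set(credentials)
    .expect('Content-Type', 'application/json')
    .expect((res: Response) => {
      // status depends on whether LDAP is enabled in the test environment; only the authz outcome is pinned here
      expect(res.status).to.not.equal(403);
      expect(res.body).to.not.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
    });
});
```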
