[bugfix] security: fix check grant god when FLAGS_enable_authorize is… (

#4840) * [bugfix] security: fix check grant god when FLAGS_enable_authorize is false * update test case * refine test, add cloud auth type scenario
vesoft-inc · Nov 17, 2022 · 9796c33 · 9796c33
1 parent 050f9f3
commit 9796c33
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 10 deletions.
diff --git a/src/graph/service/PermissionManager.cpp b/src/graph/service/PermissionManager.cpp
@@ -133,25 +133,26 @@ Status PermissionManager::canWriteRole(ClientSession *session,
                                        meta::cpp2::RoleType targetRole,
                                        GraphSpaceID spaceId,
                                        const std::string &targetUser) {
-  if (!FLAGS_enable_authorize) {
-    return Status::OK();
+  // Some check should be done no matter FLAGS_enable_authorize is true or false
+  // Check 1. Reject any user grant or revoke role to GOD,
+  if (targetRole == meta::cpp2::RoleType::GOD) {
+    return Status::PermissionError("No permission to grant/revoke god user.");
   }
-  // Cloud auth user cannot grant role
+
+  // Check 2. Cloud auth user cannot grant role
   if (FLAGS_auth_type == "cloud") {
     return Status::PermissionError("Cloud authenticate user can't write role.");
   }
+
+  if (!FLAGS_enable_authorize) {
+    return Status::OK();
+  }
   /**
    * Reject grant or revoke to himself.
    */
   if (session->user() == targetUser) {
     return Status::PermissionError("No permission to grant/revoke yourself.");
   }
-  /*
-   * Reject any user grant or revoke role to GOD
-   */
-  if (targetRole == meta::cpp2::RoleType::GOD) {
-    return Status::PermissionError("No permission to grant/revoke god user.");
-  }
   /*
    * God user can be grant or revoke any one.
    */

diff --git a/tests/tck/cluster/Example.feature b/tests/tck/cluster/Example.feature
@@ -20,7 +20,7 @@ Feature: Example
       """
       GRANT ROLE god on s1 to user1
       """
-    Then the execution should be successful
+    Then an PermissionError should be raised at runtime: No permission to grant/revoke god user.
 
   Scenario: test with enable authorize
     Given a nebulacluster with 1 graphd and 1 metad and 1 storaged:
@@ -39,3 +39,21 @@ Feature: Example
       GRANT ROLE god on s1 to user1
       """
     Then an PermissionError should be raised at runtime: No permission to grant/revoke god user.
+
+  Scenario: test with auth type is cloud
+    Given a nebulacluster with 1 graphd and 1 metad and 1 storaged:
+      """
+      graphd:auth_type=cloud
+      """
+    When executing query:
+      """
+      CREATE USER user1 WITH PASSWORD 'nebula';
+      CREATE SPACE s1(vid_type=int)
+      """
+    And wait 3 seconds
+    Then the execution should be successful
+    When executing query:
+      """
+      GRANT ROLE god on s1 to user1
+      """
+    Then an PermissionError should be raised at runtime: Cloud authenticate user can't write role.