NET-163: Return 403 instead of 401 (#2326)

Tobias Cudnik · web-flow · commit 3a4363c89072 · 2023-05-25T09:40:39.000-04:00
* return 401 instead of 403

* fixed http.StatusForbidden

* Tagged build version (temp)

* Unauthorized_Err when applicable

* untagged version
diff --git a/.dockerignore b/.dockerignore
@@ -1,2 +1,4 @@
 config/dnsconfig/
-data/
+data/
+/.git
+/*.tar
diff --git a/controllers/node.go b/controllers/node.go
@@ -157,7 +157,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) {
 func authorize(hostAllowed, networkCheck bool, authNetwork string, next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var errorResponse = models.ErrorResponse{
-			Code: http.StatusUnauthorized, Message: logic.Unauthorized_Msg,
+			Code: http.StatusForbidden, Message: logic.Forbidden_Msg,
 		}
 
 		var params = mux.Vars(r)
diff --git a/controllers/server.go b/controllers/server.go
@@ -56,7 +56,7 @@ func getStatus(w http.ResponseWriter, r *http.Request) {
 func allowUsers(next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var errorResponse = models.ErrorResponse{
-			Code: http.StatusInternalServerError, Message: logic.Unauthorized_Msg,
+			Code: http.StatusInternalServerError, Message: logic.Forbidden_Msg,
 		}
 		bearerToken := r.Header.Get("Authorization")
 		var tokenSplit = strings.Split(bearerToken, " ")
diff --git a/logic/security.go b/logic/security.go
@@ -18,6 +18,8 @@ const (
 	ALL_NETWORK_ACCESS = "THIS_USER_HAS_ALL"
 
 	master_uname     = "masteradministrator"
+	Forbidden_Msg    = "forbidden"
+	Forbidden_Err    = models.Error(Forbidden_Msg)
 	Unauthorized_Msg = "unauthorized"
 	Unauthorized_Err = models.Error(Unauthorized_Msg)
 )
@@ -27,7 +29,7 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 
 	return func(w http.ResponseWriter, r *http.Request) {
 		var errorResponse = models.ErrorResponse{
-			Code: http.StatusUnauthorized, Message: Unauthorized_Msg,
+			Code: http.StatusForbidden, Message: Forbidden_Msg,
 		}
 
 		var params = mux.Vars(r)
@@ -66,7 +68,7 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
 func NetUserSecurityCheck(isNodes, isClients bool, next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var errorResponse = models.ErrorResponse{
-			Code: http.StatusUnauthorized, Message: "unauthorized",
+			Code: http.StatusForbidden, Message: Forbidden_Msg,
 		}
 		r.Header.Set("ismaster", "no")
 
@@ -152,18 +154,18 @@ func UserPermissions(reqAdmin bool, netname string, token string) ([]string, str
 		return nil, username, Unauthorized_Err
 	}
 	if !isadmin && reqAdmin {
-		return nil, username, Unauthorized_Err
+		return nil, username, Forbidden_Err
 	}
 	userNetworks = networks
 	if isadmin {
 		return []string{ALL_NETWORK_ACCESS}, username, nil
 	}
 	// check network admin access
 	if len(netname) > 0 && (len(userNetworks) == 0 || !authenticateNetworkUser(netname, userNetworks)) {
-		return nil, username, Unauthorized_Err
+		return nil, username, Forbidden_Err
 	}
 	if isEE && len(netname) > 0 && !pro.IsUserNetAdmin(netname, username) {
-		return nil, "", Unauthorized_Err
+		return nil, "", Forbidden_Err
 	}
 	return userNetworks, username, nil
 }
@@ -193,7 +195,7 @@ func authenticateDNSToken(tokenString string) bool {
 func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var errorResponse = models.ErrorResponse{
-			Code: http.StatusUnauthorized, Message: Unauthorized_Msg,
+			Code: http.StatusForbidden, Message: Forbidden_Msg,
 		}
 		var params = mux.Vars(r)
 		var requestedUser = params["username"]

-Original file line number
+Diff line change
@@ @@ -1,2 +1,4 @@ @@
 config/dnsconfig/
 -data/
 +data/
 +/.git
 +/*.tar
Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ func authenticate(response http.ResponseWriter, request *http.Request) {`
`157`	`157`	`func authorize(hostAllowed, networkCheck bool, authNetwork string, next http.Handler) http.HandlerFunc {`
`158`	`158`	`return func(w http.ResponseWriter, r *http.Request) {`
`159`	`159`	`var errorResponse = models.ErrorResponse{`
`160`		`- Code: http.StatusUnauthorized, Message: logic.Unauthorized_Msg,`
	`160`	`+ Code: http.StatusForbidden, Message: logic.Forbidden_Msg,`
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`var params = mux.Vars(r)`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ func getStatus(w http.ResponseWriter, r *http.Request) {`
`56`	`56`	`func allowUsers(next http.Handler) http.HandlerFunc {`
`57`	`57`	`return func(w http.ResponseWriter, r *http.Request) {`
`58`	`58`	`var errorResponse = models.ErrorResponse{`
`59`		`- Code: http.StatusInternalServerError, Message: logic.Unauthorized_Msg,`
	`59`	`+ Code: http.StatusInternalServerError, Message: logic.Forbidden_Msg,`
`60`	`60`	`}`
`61`	`61`	`bearerToken := r.Header.Get("Authorization")`
`62`	`62`	`var tokenSplit = strings.Split(bearerToken, " ")`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ const (`
`18`	`18`	`ALL_NETWORK_ACCESS = "THIS_USER_HAS_ALL"`
`19`	`19`
`20`	`20`	`master_uname = "masteradministrator"`
	`21`	`+ Forbidden_Msg = "forbidden"`
	`22`	`+ Forbidden_Err = models.Error(Forbidden_Msg)`
`21`	`23`	`Unauthorized_Msg = "unauthorized"`
`22`	`24`	`Unauthorized_Err = models.Error(Unauthorized_Msg)`
`23`	`25`	`)`
`@@ -27,7 +29,7 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {`
`27`	`29`
`28`	`30`	`return func(w http.ResponseWriter, r *http.Request) {`
`29`	`31`	`var errorResponse = models.ErrorResponse{`
`30`		`- Code: http.StatusUnauthorized, Message: Unauthorized_Msg,`
	`32`	`+ Code: http.StatusForbidden, Message: Forbidden_Msg,`
`31`	`33`	`}`
`32`	`34`
`33`	`35`	`var params = mux.Vars(r)`
`@@ -66,7 +68,7 @@ func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {`
`66`	`68`	`func NetUserSecurityCheck(isNodes, isClients bool, next http.Handler) http.HandlerFunc {`
`67`	`69`	`return func(w http.ResponseWriter, r *http.Request) {`
`68`	`70`	`var errorResponse = models.ErrorResponse{`
`69`		`- Code: http.StatusUnauthorized, Message: "unauthorized",`
	`71`	`+ Code: http.StatusForbidden, Message: Forbidden_Msg,`
`70`	`72`	`}`
`71`	`73`	`r.Header.Set("ismaster", "no")`
`72`	`74`
`@@ -152,18 +154,18 @@ func UserPermissions(reqAdmin bool, netname string, token string) ([]string, str`
`152`	`154`	`return nil, username, Unauthorized_Err`
`153`	`155`	`}`
`154`	`156`	`if !isadmin && reqAdmin {`
`155`		`- return nil, username, Unauthorized_Err`
	`157`	`+ return nil, username, Forbidden_Err`
`156`	`158`	`}`
`157`	`159`	`userNetworks = networks`
`158`	`160`	`if isadmin {`
`159`	`161`	`return []string{ALL_NETWORK_ACCESS}, username, nil`
`160`	`162`	`}`
`161`	`163`	`// check network admin access`
`162`	`164`	`if len(netname) > 0 && (len(userNetworks) == 0 \|\| !authenticateNetworkUser(netname, userNetworks)) {`
`163`		`- return nil, username, Unauthorized_Err`
	`165`	`+ return nil, username, Forbidden_Err`
`164`	`166`	`}`
`165`	`167`	`if isEE && len(netname) > 0 && !pro.IsUserNetAdmin(netname, username) {`
`166`		`- return nil, "", Unauthorized_Err`
	`168`	`+ return nil, "", Forbidden_Err`
`167`	`169`	`}`
`168`	`170`	`return userNetworks, username, nil`
`169`	`171`	`}`
`@@ -193,7 +195,7 @@ func authenticateDNSToken(tokenString string) bool {`
`193`	`195`	`func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {`
`194`	`196`	`return func(w http.ResponseWriter, r *http.Request) {`
`195`	`197`	`var errorResponse = models.ErrorResponse{`
`196`		`- Code: http.StatusUnauthorized, Message: Unauthorized_Msg,`
	`198`	`+ Code: http.StatusForbidden, Message: Forbidden_Msg,`
`197`	`199`	`}`
`198`	`200`	`var params = mux.Vars(r)`
`199`	`201`	`var requestedUser = params["username"]`