misc(provisioner): check project ownership in APIs (#1630)

* misc(provisioner): check project ownership in APIs * misc(provisioner): emit error events for unauthorized calls * misc: remove envrc * misc(provisioner): remove the errors event msg
shuttle-hq · Feb 19, 2024 · 6e135a0 · 6e135a0
1 parent 46c71e7
commit 6e135a0
Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/.envrc b/.envrc
diff --git a/.gitignore b/.gitignore
@@ -44,3 +44,4 @@ yarn.lock
 
 *.wasm
 *.sqlite*
+.envrc
diff --git a/common/src/backends/mod.rs b/common/src/backends/mod.rs
@@ -25,6 +25,12 @@ pub trait ClaimExt {
         projects_dal: &G,
         resource_dal: &mut R,
     ) -> Result<bool, client::Error>;
+    /// Verify if the claim subject has ownership of a project.
+    async fn owns_project<G: ProjectsDal>(
+        &self,
+        projects_dal: &G,
+        project_name: &str,
+    ) -> Result<bool, client::Error>;
 }
 
 impl ClaimExt for Claim {
@@ -57,4 +63,15 @@ impl ClaimExt for Claim {
 
         Ok(self.limits.rds_quota > (rds_count as u32))
     }
+
+    #[instrument(skip_all)]
+    async fn owns_project<G: ProjectsDal>(
+        &self,
+        projects_dal: &G,
+        project_name: &str,
+    ) -> Result<bool, client::Error> {
+        let token = self.token.as_ref().expect("token to be set");
+        let projects = projects_dal.get_user_projects(token).await?;
+        Ok(projects.iter().any(|project| project.name == project_name))
+    }
 }
diff --git a/provisioner/src/lib.rs b/provisioner/src/lib.rs
@@ -478,6 +478,18 @@ impl Provisioner for ShuttleProvisioner {
         if !ProjectName::is_valid(&request.project_name) {
             return Err(Status::invalid_argument("invalid project name"));
         }
+
+        // Check project ownership.
+        if !claim
+            .owns_project(&self.gateway_client, &request.project_name)
+            .await
+            .map_err(|_| Status::internal("can not verify project ownership"))?
+        {
+            let status = Status::permission_denied("the request lacks the authorizations");
+            error!(error = &status as &dyn std::error::Error);
+            return Err(status);
+        }
+
         let db_type = request.db_type.unwrap();
 
         let reply = match db_type {
@@ -527,11 +539,24 @@ impl Provisioner for ShuttleProvisioner {
         request: Request<DatabaseRequest>,
     ) -> Result<Response<DatabaseDeletionResponse>, Status> {
         request.verify(Scope::ResourcesWrite)?;
+        let claim = request.get_claim()?;
 
         let request = request.into_inner();
         if !ProjectName::is_valid(&request.project_name) {
             return Err(Status::invalid_argument("invalid project name"));
         }
+
+        // Check project ownership.
+        if !claim
+            .owns_project(&self.gateway_client, &request.project_name)
+            .await
+            .map_err(|_| Status::internal("can not verify project ownership"))?
+        {
+            let status = Status::permission_denied("the request lacks the authorizations");
+            error!(error = &status as &dyn std::error::Error);
+            return Err(status);
+        }
+
         let db_type = request.db_type.unwrap();
 
         let reply = match db_type {