canonical · benhoyt · Feb 22, 2024 · Feb 13, 2024 · Feb 13, 2024 · Feb 14, 2024
diff --git a/internals/daemon/access.go b/internals/daemon/access.go
@@ -0,0 +1,55 @@
+// Copyright (C) 2024 Canonical Ltd
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License version 3 as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package daemon
+
+import (
+	"net/http"
+	"os"
+)
+
+// AccessChecker checks whether a particular request is allowed.
+type AccessChecker interface {
+	// Check if access should be granted or denied. In case of granting access,
+	// return nil. In case access is denied, return a non-nil error response,
+	// such as Unauthorized("access denied").
+	CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response
+}
+
+// OpenAccess allows all requests, including non-local sockets (e.g. TCP)
+type OpenAccess struct{}
+
+func (ac OpenAccess) CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response {
+	return nil
+}
+
+// AdminAccess allows requests over the UNIX domain socket from the root uid and the current user's uid
+type AdminAccess struct{}
+
+func (ac AdminAccess) CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response {
+	if ucred != nil && (ucred.Uid == 0 || ucred.Uid == uint32(os.Getuid())) {
+		return nil
+	}
+	return Unauthorized("access denied")
+}
+
+// UserAccess allows requests over the UNIX domain socket from any local user
+type UserAccess struct{}
+
+func (ac UserAccess) CheckAccess(d *Daemon, r *http.Request, ucred *Ucrednet, user *UserState) Response {
+	if ucred == nil {
+		return Unauthorized("access denied")
+	}
+	return nil
+}
diff --git a/internals/daemon/access_test.go b/internals/daemon/access_test.go
@@ -0,0 +1,82 @@
+// Copyright (C) 2024 Canonical Ltd
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License version 3 as
+// published by the Free Software Foundation.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package daemon_test
+
+import (
+	"os"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/canonical/pebble/internals/daemon"
+)
+
+type accessSuite struct {
+}
+
+var _ = Suite(&accessSuite{})
+
+var errUnauthorized = daemon.Unauthorized("access denied")
+
+func (s *accessSuite) TestOpenAccess(c *C) {
+	var ac daemon.AccessChecker = daemon.OpenAccess{}
+
+	// OpenAccess allows access without peer credentials.
+	c.Check(ac.CheckAccess(nil, nil, nil, nil), IsNil)
+
+	// OpenAccess allows access from normal user
+	ucred := &daemon.Ucrednet{Uid: 42, Pid: 100}
+	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+
+	// OpenAccess allows access from root user
+	ucred = &daemon.Ucrednet{Uid: 0, Pid: 100}
+	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+}
+
+func (s *accessSuite) TestUserAccess(c *C) {
+	var ac daemon.AccessChecker = daemon.UserAccess{}
+
+	// UserAccess denies access without peer credentials.
+	c.Check(ac.CheckAccess(nil, nil, nil, nil), DeepEquals, errUnauthorized)
+
+	// UserAccess allows access from root user
+	ucred := &daemon.Ucrednet{Uid: 0, Pid: 100}
+	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+
+	// UserAccess allows access form normal user
+	ucred = &daemon.Ucrednet{Uid: 42, Pid: 100}
+	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+}
+
+func (s *accessSuite) TestAdminAccess(c *C) {
+	var ac daemon.AccessChecker = daemon.AdminAccess{}
+
+	// AdminAccess denies access without peer credentials.
+	c.Check(ac.CheckAccess(nil, nil, nil, nil), DeepEquals, errUnauthorized)
+
+	// Current user's UID
+	uid := uint32(os.Getuid())
+
+	// Non-root users that are different from the current user are forbidden
+	ucred := &daemon.Ucrednet{Uid: uid + 1, Pid: 100}
+	c.Check(ac.CheckAccess(nil, nil, ucred, nil), DeepEquals, errUnauthorized)
+
+	// The current user is granted access
+	ucred = &daemon.Ucrednet{Uid: uid, Pid: 100}
+	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+
+	// Root is granted access
+	ucred = &daemon.Ucrednet{Uid: 0, Pid: 100}
+	c.Check(ac.CheckAccess(nil, nil, ucred, nil), IsNil)
+}
diff --git a/internals/daemon/api.go b/internals/daemon/api.go
@@ -25,84 +25,89 @@ import (
 )
 
 var API = []*Command{{
-	// See daemon.go:canAccess for details how the access is controlled.
-	Path:    "/v1/system-info",
-	GuestOK: true,
-	GET:     v1SystemInfo,
-}, {
-	Path:    "/v1/health",
-	GuestOK: true,
-	GET:     v1Health,
-}, {
-	Path:   "/v1/warnings",
-	UserOK: true,
-	GET:    v1GetWarnings,
-	POST:   v1AckWarnings,
-}, {
-	Path:   "/v1/changes",
-	UserOK: true,
-	GET:    v1GetChanges,
-}, {
-	Path:   "/v1/changes/{id}",
-	UserOK: true,
-	GET:    v1GetChange,
-	POST:   v1PostChange,
-}, {
-	Path:   "/v1/changes/{id}/wait",
-	UserOK: true,
-	GET:    v1GetChangeWait,
-}, {
-	Path:   "/v1/services",
-	UserOK: true,
-	GET:    v1GetServices,
-	POST:   v1PostServices,
-}, {
-	Path:   "/v1/services/{name}",
-	UserOK: true,
-	GET:    v1GetService,
-	POST:   v1PostService,
-}, {
-	Path:   "/v1/plan",
-	UserOK: true,
-	GET:    v1GetPlan,
-}, {
-	Path:   "/v1/layers",
-	UserOK: true,
-	POST:   v1PostLayers,
-}, {
-	Path:   "/v1/files",
-	UserOK: true,
-	GET:    v1GetFiles,
-	POST:   v1PostFiles,
-}, {
-	Path:   "/v1/logs",
-	UserOK: true,
-	GET:    v1GetLogs,
-}, {
-	Path:   "/v1/exec",
-	UserOK: true,
-	POST:   v1PostExec,
-}, {
-	Path:   "/v1/tasks/{task-id}/websocket/{websocket-id}",
-	UserOK: true,
-	GET:    v1GetTaskWebsocket,
-}, {
-	Path:   "/v1/signals",
-	UserOK: true,
-	POST:   v1PostSignals,
-}, {
-	Path:   "/v1/checks",
-	UserOK: true,
-	GET:    v1GetChecks,
-}, {
-	Path:   "/v1/notices",
-	UserOK: true,
-	GET:    v1GetNotices,
-	POST:   v1PostNotices,
-}, {
-	Path:   "/v1/notices/{id}",
-	UserOK: true,
-	GET:    v1GetNotice,
+	Path:       "/v1/system-info",
+	ReadAccess: OpenAccess{},
+	GET:        v1SystemInfo,
+}, {
+	Path:       "/v1/health",
+	ReadAccess: OpenAccess{},
+	GET:        v1Health,
+}, {
+	Path:        "/v1/warnings",
+	ReadAccess:  UserAccess{},
+	WriteAccess: UserAccess{},
+	GET:         v1GetWarnings,
+	POST:        v1AckWarnings,
+}, {
+	Path:       "/v1/changes",
+	ReadAccess: UserAccess{},
+	GET:        v1GetChanges,
+}, {
+	Path:        "/v1/changes/{id}",
+	ReadAccess:  UserAccess{},
+	WriteAccess: UserAccess{},
+	GET:         v1GetChange,
+	POST:        v1PostChange,
+}, {
+	Path:       "/v1/changes/{id}/wait",
+	ReadAccess: UserAccess{},
+	GET:        v1GetChangeWait,
+}, {
+	Path:        "/v1/services",
+	ReadAccess:  UserAccess{},
+	WriteAccess: UserAccess{},
+	GET:         v1GetServices,
+	POST:        v1PostServices,
+}, {
+	Path:        "/v1/services/{name}",
+	ReadAccess:  UserAccess{},
+	WriteAccess: UserAccess{},
+	GET:         v1GetService,
+	POST:        v1PostService,
+}, {
+	Path:       "/v1/plan",
+	ReadAccess: UserAccess{},
+	GET:        v1GetPlan,
+}, {
+	Path:        "/v1/layers",
+	WriteAccess: UserAccess{},
+	POST:        v1PostLayers,
+}, {
+	Path:        "/v1/files",
+	ReadAccess:  UserAccess{},
+	WriteAccess: UserAccess{},
+	GET:         v1GetFiles,
+	POST:        v1PostFiles,
+}, {
+	Path:       "/v1/logs",
+	ReadAccess: UserAccess{},
+	GET:        v1GetLogs,
+}, {
+	Path:        "/v1/exec",
+	WriteAccess: UserAccess{},
+	POST:        v1PostExec,
+}, {
+	Path:       "/v1/tasks/{task-id}/websocket/{websocket-id}",
+	ReadAccess: UserAccess{},
+	GET:        v1GetTaskWebsocket,
+}, {
+	Path:        "/v1/signals",
+	WriteAccess: UserAccess{},
+	POST:        v1PostSignals,
+}, {
+	Path:       "/v1/checks",
+	ReadAccess: UserAccess{},
+	GET:        v1GetChecks,
+}, {
+	Path:        "/v1/notices",
+	ReadAccess:  UserAccess{},
+	WriteAccess: UserAccess{},
+	GET:         v1GetNotices,
+	POST:        v1PostNotices,
+}, {
+	Path:       "/v1/notices/{id}",
+	ReadAccess: UserAccess{},
+	GET:        v1GetNotice,
 }}
 
 var (

diff --git a/internals/daemon/api_test.go b/internals/daemon/api_test.go
@@ -80,7 +80,6 @@ func (s *apiSuite) TestSysInfo(c *check.C) {
 	c.Assert(sysInfoCmd.GET, check.NotNil)
 	c.Check(sysInfoCmd.PUT, check.IsNil)
 	c.Check(sysInfoCmd.POST, check.IsNil)
-	c.Check(sysInfoCmd.DELETE, check.IsNil)
 
 	rec := httptest.NewRecorder()