merge pull request #7 from https-richardy/fix/06-prevent-permission-privilege-escalation

prevent permission privilege escalation

Author: https-richardy

Source/HttpsRichardy.Federation.Application/Handlers/Permission/PermissionCreationHandler.cs

@@ -1,11 +1,18 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Permission;
 
-public sealed class PermissionCreationHandler(IPermissionCollection collection, IRealmProvider realmProvider) :
+public sealed class PermissionCreationHandler(IPermissionCollection collection, IPermissionNamespacePolicy policy, IRealmProvider realmProvider) :
     IDispatchHandler<PermissionCreationScheme, Result<PermissionDetailsScheme>>
 {
     public async Task<Result<PermissionDetailsScheme>> HandleAsync(PermissionCreationScheme parameters, CancellationToken cancellation = default)
     {
         var realm = realmProvider.GetCurrentRealm();
+        var result = await policy.EnsurePermissionIsAllowedAsync(realm, new() { Name = parameters.Name }, cancellation);
+
+        if (result.IsFailure)
+        {
+            return Result<PermissionDetailsScheme>.Failure(PermissionErrors.PermissionNameIsReserved);
+        }
+
         var filters = PermissionFilters.WithSpecifications()
             .WithName(parameters.Name)
             .Build();
@@ -23,4 +30,4 @@ public async Task<Result<PermissionDetailsScheme>> HandleAsync(PermissionCreatio
 
         return Result<PermissionDetailsScheme>.Success(PermissionMapper.AsResponse(createdPermission));
     }
-}
+}

Source/HttpsRichardy.Federation.Application/Handlers/Permission/PermissionUpdateHandler.cs

@@ -1,6 +1,6 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Permission;
 
-public sealed class PermissionUpdateHandler(IPermissionCollection collection, IRealmProvider realmProvider) :
+public sealed class PermissionUpdateHandler(IPermissionCollection collection, IPermissionNamespacePolicy policy, IRealmProvider realmProvider) :
     IDispatchHandler<PermissionUpdateScheme, Result<PermissionDetailsScheme>>
 {
     public async Task<Result<PermissionDetailsScheme>> HandleAsync(PermissionUpdateScheme parameters, CancellationToken cancellation = default)
@@ -18,10 +18,16 @@ public async Task<Result<PermissionDetailsScheme>> HandleAsync(PermissionUpdateS
             return Result<PermissionDetailsScheme>.Failure(PermissionErrors.PermissionDoesNotExist);
         }
 
+        var result = await policy.EnsurePermissionIsAllowedAsync(realm, new() { Name = parameters.Name }, cancellation);
+        if (result.IsFailure)
+        {
+            return Result<PermissionDetailsScheme>.Failure(PermissionErrors.PermissionNameIsReserved);
+        }
+
         permission = PermissionMapper.AsPermission(parameters, permission, realm);
 
         var updatedPermission = await collection.UpdateAsync(permission, cancellation: cancellation);
 
         return Result<PermissionDetailsScheme>.Success(PermissionMapper.AsResponse(updatedPermission));
     }
-}
+}

Source/HttpsRichardy.Federation.Application/Handlers/Realm/RealmCreationHandler.cs

@@ -31,7 +31,7 @@ public async Task<Result<RealmDetailsScheme>> HandleAsync(
         var defaultRealm = matchingRealms.FirstOrDefault()!;
 
         realm.Permissions = defaultRealm.Permissions
-            .Where(permission => DefaultRealmPermissions.InitialPermissions.Contains(permission.Name))
+            .Where(permission => RealmPermissions.InitialPermissions.Contains(permission.Name))
             .ToList();
 
         await collection.InsertAsync(realm, cancellation: cancellation);

Source/HttpsRichardy.Federation.Application/Policies/PermissionNamespacePolicy.cs

@@ -0,0 +1,15 @@
+namespace HttpsRichardy.Federation.Application.Policies;
+
+public sealed class PermissionNamespacePolicy : IPermissionNamespacePolicy
+{
+    public async Task<Result> EnsurePermissionIsAllowedAsync(
+        Realm realm, Permission permission, CancellationToken cancellation = default)
+    {
+        var isReserved = RealmPermissions.SystemPermissions
+            .Contains(permission.Name);
+
+        return isReserved
+            ? Result.Failure(PermissionErrors.PermissionNameIsReserved)
+            : Result.Success();
+    }
+}

Source/HttpsRichardy.Federation.Application/Usings.cs

@@ -30,7 +30,6 @@
 global using HttpsRichardy.Federation.Application.Providers;
 global using HttpsRichardy.Federation.Application.Mappers;
 global using HttpsRichardy.Federation.Application.Utilities;
-global using HttpsRichardy.Federation.Application.Handlers.Authorization;
 
 global using FluentValidation;
 global using HttpsRichardy.Dispatcher.Contracts;

Source/HttpsRichardy.Federation.Common/Constants/DefaultRealmPermissions.cs

@@ -0,0 +1,57 @@
+namespace HttpsRichardy.Federation.Common.Constants;
+
+public static class RealmPermissions
+{
+    public static readonly HashSet<string> InitialPermissions =
+    [
+        Permissions.CreateGroup,
+        Permissions.DeleteGroup,
+        Permissions.ViewGroups,
+        Permissions.EditGroup,
+
+        Permissions.DeleteUser,
+        Permissions.EditUser,
+        Permissions.ViewUsers,
+
+        Permissions.CreatePermission,
+        Permissions.AssignPermissions,
+        Permissions.RevokePermissions,
+        Permissions.ViewPermissions,
+        Permissions.EditPermission,
+        Permissions.DeletePermission,
+
+        Permissions.CreateScope,
+        Permissions.EditScope,
+        Permissions.DeleteGroup,
+        Permissions.ViewScopes
+    ];
+
+    public static readonly HashSet<string> SystemPermissions =
+    [
+        Permissions.CreateGroup,
+        Permissions.DeleteGroup,
+        Permissions.EditGroup,
+        Permissions.ViewGroups,
+
+        Permissions.DeleteUser,
+        Permissions.EditUser,
+        Permissions.ViewUsers,
+
+        Permissions.CreatePermission,
+        Permissions.AssignPermissions,
+        Permissions.RevokePermissions,
+        Permissions.ViewPermissions,
+        Permissions.EditPermission,
+        Permissions.DeletePermission,
+
+        Permissions.CreateRealm,
+        Permissions.DeleteRealm,
+        Permissions.EditRealm,
+        Permissions.ViewRealms,
+
+        Permissions.CreateScope,
+        Permissions.EditScope,
+        Permissions.DeleteScope,
+        Permissions.ViewScopes
+    ];
+}

Source/HttpsRichardy.Federation.Common/Constants/RealmPermissions.cs

@@ -7,6 +7,11 @@ public static class PermissionErrors
         Description: "The permission with the specified name already exists."
     );
 
+    public static readonly Error PermissionNameIsReserved = new(
+        Code: "#ERROR-7B1E2",
+        Description: "The permission name is reserved by the system."
+    );
+
     public static readonly Error PermissionDoesNotExist = new(
         Code: "#ERROR-93697",
         Description: "The specified permission does not exist."

Source/HttpsRichardy.Federation.Domain/Errors/PermissionErrors.cs

@@ -0,0 +1,20 @@
+namespace HttpsRichardy.Federation.Domain.Policies;
+
+// defines a policy responsible for protecting the system permission namespace
+// from unauthorized usage by realms
+
+// certain permissions are reserved by the federation system and represent
+// privileged administrative capabilities (e.g. managing realms or federation resources)
+
+// this policy ensures that realms cannot create or manipulate permissions
+// whose identifiers belong to the reserved system namespace, preventing
+// privilege escalation through permission name collision
+
+public interface IPermissionNamespacePolicy
+{
+    public Task<Result> EnsurePermissionIsAllowedAsync(
+        Realm realm,
+        Permission permission,
+        CancellationToken cancellation = default
+    );
+}

Source/HttpsRichardy.Federation.Domain/Policies/IPermissionNamespacePolicy.cs

@@ -9,7 +9,9 @@ public static void AddServices(this IServiceCollection services)
         services.AddTransient<IAuthenticationService, AuthenticationService>();
         services.AddTransient<ISecurityTokenService, JwtSecurityTokenService>();
         services.AddTransient<IClientCredentialsGenerator, ClientCredentialsGenerator>();
+
         services.AddTransient<IRedirectUriPolicy, RedirectUriPolicy>();
+        services.AddTransient<IPermissionNamespacePolicy, PermissionNamespacePolicy>();
 
         services.AddTransient<IAuthorizationFlowHandler, ClientCredentialsGrantHandler>();
         services.AddTransient<IAuthorizationFlowHandler, AuthorizationCodeGrantHandler>();