Inability to update rule files with specific rule file permissions #6869

Open
Desvelao opened this issue Jul 24, 2024 · 1 comment
Labels
level/task Task issue type/bug Bug issue

Comments

@Desvelao
Member

| Wazuh | Rev | Browser |
| --- | --- | --- |
| X.Y.Z | xyzw | Chrome, Firefox, Safari, etc |

Description
There is a bug in the validation of the user permissions with specific rule files when trying to update a file that, according to the action/resource configuration for the API user, this user should be able to update. The button is disabled and the user cannot update the file.

The error could happen with decoders and lists. It should be researched.

Reference: https://groups.google.com/g/wazuh/c/z2HzX-4o-b4/m/ZXxhQNriBAAJ

Side note:
As part of the research of the case, I found a problem with the API endpoint to update the rule file, which does not support a specific resource such as rule:file:<placeholder>.

```console
$ TOKEN=$(curl -k -X POST -u "wazuh-wui:MyS3cr37P450r.*-" https://localhost:55000/security/user/authenticate/run_as?raw=true -d '{"user_name":"wzread"}' -H "content-type:application/json")
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   503  100   481  100    22   2101     96 --:--:-- --:--:-- --:--:--  2206
$ curl -k -H "Authorization: Bearer ${TOKEN}" https://localhost:55000/security/users/me/policies
{"data": {"agent:read": {"agent:id:*": "allow", "agent:group:*": "allow"}, "group:read": {"group:id:*": "allow"}, "ciscat:read": {"agent:id:*": "allow"}, "cluster:status": {"*:*:*": "allow"}, "manager:read": {"*:*:*": "allow"}, "manager:read_api_config": {"*:*:*": "allow"}, "cluster:read_api_config": {"node:id:*": "allow"}, "cluster:read": {"node:id:*": "allow"}, "decoders:read": {"decoder:file:*": "allow"}, "lists:read": {"list:file:*": "allow"}, "rootcheck:read": {"agent:id:*": "allow"}, "rules:read": {"rule:file:*": "allow", "rule:file:specific-file.xml": "allow"}, "mitre:read": {"*:*:*": "allow"}, "sca:read": {"agent:id:*": "allow"}, "syscheck:read": {"agent:id:*": "allow"}, "syscollector:read": {"agent:id:*": "allow"}, "rules:delete": {"rule:file:specific-file.xml": "allow"}, "rules:update": {"rule:file:specific-file.xml": "allow"}, "rbac_mode": "white"}, "message": "Current user processed policies information was returned", "error": 0}
$ curl -k -H "Authorization: Bearer ${TOKEN}" https://localhost:55000/rules/files/specific-file.xml -d @specific-file.xml -XPUT -H "content-type:application/octet-stream"
{"title": "Permission Denied", "detail": "Permission denied: Resource type: *:*", "remediation": "Please, make sure you have permissions to execute the current request. For more information on how to set up permissions, please visit https://documentation.wazuh.com/4.8/user-manual/api/rbac/configuration.html", "dapi_errors": {"node01": {"error": "Permission denied: Resource type: *:*"}}, "error": 4000}
```

Using the endpoint to delete the file works as expected:

```console
$ curl -k -H "Authorization: Bearer ${TOKEN}" https://localhost:55000/rules/files/specific-file.xml -XDELETE
{"data": {"affected_items": ["etc/rules/specific-file.xml"], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "Rule was successfully deleted", "error": 0}
```

Preconditions

  1. Create an API policy with permissions to read, update and delete a specific file with:
    actions: rules:read, rules:update and rules:delete
    resource: rule:file:<name-specific-file>.xml
  2. Create an API role and assign the created policy
  3. Assign the API role to an internal user of the Wazuh dashboard (create the user as necessary)
  4. Create the specific file and restart the Wazuh server

Steps to reproduce

  1. Login with the user with restricted permissions
  2. Navigate to the rule list
  3. Click on the specific rule file

Expected Result

  1. The button should not be disabled and should not display a message related to missing permissions

Actual Result

  1. The button to save the file is disabled and hovering on it displays a message related to missing permissions

Screenshots
(screenshot 2024-07-24_12-56 not included in this copy)

@Desvelao
Member Author

Discussing with the team, the creation of rules (it could apply to decoders and CDB lists) uses the rules:update action, which is resourceless (*:*:*). This means it does not support the usage of specific rule files using rule:file:<placeholder>.

So in this scenario, we could review that the user permissions validation service works for the virtual requirement, and it should replace the specific permission with the resourceless one for the button to save the file.

@Desvelao Desvelao added level/task Task issue type/bug Bug issue labels Jul 24, 2024
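The following is an added example, written for this page and not code from the Wazuh dashboard or the Wazuh API. It models, in JavaScript (the language of the dashboard plugin), how a permission check can evaluate the processed policies returned by GET /security/users/me/policies against the resource the API actually enforces: file-scoped actions against `rule:file:<name>`, resourceless actions against `*:*:*`. The policy object is constructed from the curl output above (trimmed); the matching rule (exact entry first, then a `:*` pattern or `*:*:*`, default deny in white mode and default allow in black mode), the `wildcardUpdatePolicies` object and the `RESOURCELESS_ACTIONS` set are assumptions. Only `rules:update` is listed as resourceless, since the comment above says decoders and CDB lists are still to be researched. With those assumptions it reproduces why the DELETE on this page succeeds while the PUT is rejected with error 4000.

```javascript
// Added example, not Wazuh dashboard or API code: evaluate processed RBAC
// policies against the resource the API checks for a given action.

// Constructed from the curl output on this page, trimmed to the relevant
// entries. `rbac_mode` is part of the same API response.
const processedPolicies = {
  "rules:read": { "rule:file:*": "allow", "rule:file:specific-file.xml": "allow" },
  "rules:delete": { "rule:file:specific-file.xml": "allow" },
  "rules:update": { "rule:file:specific-file.xml": "allow" },
  "manager:read": { "*:*:*": "allow" },
  rbac_mode: "white",
};

// Assumption: a user whose policy grants rules:update on the wildcard
// resource, the form the comment above says the API actually requires.
const wildcardUpdatePolicies = {
  "rules:update": { "*:*:*": "allow" },
  rbac_mode: "white",
};

// Actions evaluated against *:*:* instead of a file resource. Only
// rules:update is confirmed on this page; decoders and CDB lists are
// left out because the page says that is still to be researched.
const RESOURCELESS_ACTIONS = new Set(["rules:update"]);

// Does a policy resource pattern cover a concrete resource?
// "*:*:*" covers everything, "rule:file:*" covers any rule file,
// anything else must match exactly.
function resourceMatches(pattern, resource) {
  if (pattern === "*:*:*" || pattern === resource) return true;
  if (pattern.endsWith(":*")) return resource.startsWith(pattern.slice(0, -1));
  return false;
}

// Effect ("allow" / "deny") of the processed policies for one action on one
// resource: an exact entry wins, then the first pattern entry that covers the
// resource. With no match, white mode denies and black mode allows
// (assumption about the two rbac_mode values).
function effectFor(policies, action, resource) {
  const byResource = policies[action] || {};
  if (byResource[resource]) return byResource[resource];
  for (const [pattern, effect] of Object.entries(byResource)) {
    if (resourceMatches(pattern, resource)) return effect;
  }
  return policies.rbac_mode === "black" ? "allow" : "deny";
}

// Resource the API checks for an action: file-scoped actions are checked
// against the file resource, resourceless ones against *:*:*.
function requiredResource(action, fileResource) {
  return RESOURCELESS_ACTIONS.has(action) ? "*:*:*" : fileResource;
}

// The check a "save rule file" button should make: require the action on the
// resource the API will enforce, not on the file the user is looking at.
function canPerform(policies, action, fileResource) {
  return effectFor(policies, action, requiredResource(action, fileResource)) === "allow";
}

// Walk through the scenario from the issue for one rule file.
function evaluateScenario(policies, filename) {
  const file = `rule:file:${filename}`;
  return {
    // The grant the user holds: sufficient only if checked file-by-file.
    fileScopedUpdate: effectFor(policies, "rules:update", file),
    // The grant the API checks for rules:update (explains the 4000 error).
    resourcelessUpdate: effectFor(policies, "rules:update", "*:*:*"),
    canUpdate: canPerform(policies, "rules:update", file),
    // rules:delete is file-scoped, so the same grant is enough there.
    canDelete: canPerform(policies, "rules:delete", file),
  };
}

console.log(evaluateScenario(processedPolicies, "specific-file.xml"));
console.log(evaluateScenario(wildcardUpdatePolicies, "specific-file.xml"));
```

For the restricted user from the page, `fileScopedUpdate` is `allow` but `resourcelessUpdate` is `deny`, so `canUpdate` is `false` while `canDelete` is `true`; a policy granting `rules:update` on `*:*:*` flips `canUpdate` to `true`. A dashboard check that keys the save button on `canPerform` rather than on the file-scoped grant would agree with the API's answer.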