scripte/archivmail
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(PROJ-23): Privilege Escalation in Tenant-LDAP + Login-Reihenfolge

Browse Source 
- BUG-1 (P0): domain_admin kann keine Rollen > auditor in default_role/
  group_mappings setzen — serverseitige Allowlist-Prüfung in
  handleSaveTenantLDAP (user/auditor) und handleAdminSaveTenantLDAP
  (user/auditor/domain_admin)
- WARN-1: Login-Fallback-Reihenfolge korrigiert — tenant_ldap wird
  jetzt VOR globalem ldap_config geprüft (Spec: tenant > global > local)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
sysops
2026-03-18 00:32:47 +01:00
parent 9e7add31cd
commit 787db6638f
2 changed files with 69 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/ldap_tenants.go
+27
View File
@@ -447,6 +447,20 @@ func (s *Server) handleSaveTenantLDAP(w http.ResponseWriter, r *http.Request) {
}
cfg.TenantID = *sess.TenantID
// BUG-1 fix: domain_admin may only assign user/auditor roles — prevent privilege escalation
// via LDAP default_role or group_mappings even when bypassing the frontend.
allowedForTenantAdmin := map[string]bool{"user": true, "auditor": true}
if cfg.DefaultRole != "" && !allowedForTenantAdmin[cfg.DefaultRole] {
writeError(w, http.StatusForbidden, "role not allowed for tenant LDAP config")
return
}
for _, gm := range cfg.GroupMappings {
if !allowedForTenantAdmin[gm.Role] {
writeError(w, http.StatusForbidden, "group mapping role not allowed")
return
}
}
if err := s.tenantLdapStore.Save(r.Context(), cfg, sess.Username); err != nil {
writeError(w, http.StatusInternalServerError, "failed to save tenant ldap config")
return
@@ -575,6 +589,19 @@ func (s *Server) handleAdminSaveTenantLDAP(w http.ResponseWriter, r *http.Reques
}
cfg.TenantID = id
// superadmin may assign up to domain_admin in group mappings — not superadmin itself.
allowedForSuperAdmin := map[string]bool{"user": true, "auditor": true, "domain_admin": true}
if cfg.DefaultRole != "" && !allowedForSuperAdmin[cfg.DefaultRole] {
writeError(w, http.StatusForbidden, "role not allowed for tenant LDAP config")
return
}
for _, gm := range cfg.GroupMappings {
if !allowedForSuperAdmin[gm.Role] {
writeError(w, http.StatusForbidden, "group mapping role not allowed")
return
}
}
sess := sessionFromCtx(r.Context())
if err := s.tenantLdapStore.Save(r.Context(), cfg, sess.Username); err != nil {
writeError(w, http.StatusInternalServerError, "failed to save tenant ldap config")