search

ironmansoftware / powershell-universal

Issue tracker for PowerShell Universal
https://powershelluniversal.com
35 stars 4 forks source link

Issue Running Scripts due to NotAuthorized Error #3491

Closed adamdriscoll closed 2 months ago

adamdriscoll commented 2 months ago

Version

4.3.2

Severity

High

Environment

msi

Steps to Reproduce

https://forums.ironmansoftware.com/t/invoke-psuscript-in-4-3-3-gets-not-authorized-worked-in-4-3-2/11010/15 https://forums.ironmansoftware.com/t/secrets-are-not-available-in-sub-script-how-to-fix/10953/19

Some example configurations that may cause this:

Access controls on a custom role that allow access to scripts.

I cannot reproduce this. Current configuration:

Access Controls

New-PSUAccessControl -Role "DashboardRole" -ObjectType "Script" -Type "View, Execute"

Roles

New-PSURole -Name "Administrator" -Description "Administrators can manage settings, create and edit any entity and view all the entities with PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <# 
  Policies should return $true or $false to determine whether the user has the particular 
  claim that require them for that role.
#>

    $false
} 
New-PSURole -Name "Operator" -Description "Operators have access to manage and execute scripts, create other entities within PowerShell Universal but cannot manage PowerShell Universal itself." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <# 
  Policies should return $true or $false to determine whether the user has the particular 
  claim that require them for that role.
#>

    $false
} 
New-PSURole -Name "Reader" -Description "Readers have read-only access to PowerShell Universal. They cannot make changes to any entity within the system." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <# 
  Policies should return $true or $false to determine whether the user has the particular 
  claim that require them for that role.
#>

    $false
} 
New-PSURole -Name "Execute" -Description "Execute scripts within PowerShell Universal." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <# 
  Policies should return $true or $false to determine whether the user has the particular 
  claim that require them for that role.
#>

    $false
} 
New-PSURole -Name "User" -Description "Does not have access to the admin console but can be assigned resources like APIs, scripts, dashboards and pages." -Policy {
    param(
        [Security.ClaimsPrincipal]$User
    )

    <# 
  Policies should return $true or $false to determine whether the user has the particular 
  claim that require them for that role.
#>

    $false
} 
New-PSURole -Name "DashboardRole" -Policy {
    $true
}

Expected behavior

Scripts Run

Users

image

User's view of the admin console

image

User Running a Script

image

Parent Script

$Roles
Invoke-PSUScript CacheProducts.ps1 -Wait -InformationAction SilentlyContinue

Child Script

$Secret:Test

Variables

New-PSUVariable -Name "Test" -Vault "Database" -Type "System.String" -Role @('DashboardRole', 'Administrator')

Actual behavior

Scripts cannot be run due to this error

Additional Environment data

No response

Screenshots/Animations

No response

adamdriscoll commented 2 months ago

I have been able to reproduce the child script not accessing secret variables with roles. What I found was that this would only happen sometimes. We had a check for $null in the code base that should have been checking for an empty string as well. If it was an empty string, then the check would fail and we wouldn't properly communicate the user's roles down the child script and thus the secrets wouldn't work. This will be fixed in 4.3.4.

I'm running a nightly build if anyone wants to test that.

As for the NotAuthorized issue, it looks like that is coming of our access control service but I can't get it to trigger in my environment.

image