praetorian-inc / chariot-ui

Chariot Offensive Security Platform
https://preview.chariot.praetorian.com
MIT License

An MSP-group user should not see the Upgrade Now button #127

Closed peter-kwan closed 1 week ago

peter-kwan commented 1 week ago

Bug Description

peter.kwan@praetorian.com is in the MSP group essentially as a "paid customer". But the Upgrade Now button is visible on screen.

I believe it is because of this check: https://github.com/praetorian-inc/chariot-ui/blob/ff9ec412f30311539a7b96459e08bc5951784a3f/src/components/ui/Body.tsx#L28

Expected Behavior

For paid customers without a research@praetorian.com collaborator, we should not display the Upgrade Now button.

peter-kwan commented 1 week ago

Confirmed from @treburn that he is seeing this when he assumed role into the customer accounts.

noah-tutt-praetorian commented 1 week ago

for now, is checking for any Praetorian collaborator sufficient?

peter-kwan commented 1 week ago

Probably okay.

peter-kwan commented 1 week ago

Regardless, checking for either research@praetorian.com or *@praetorian.com can be abused because anyone can add a collaborator any time:

[Screenshot: 2024-06-20, 3:37:54 PM]

peter-kwan commented 1 week ago

Maybe in the backend Link account handler -- we enforce that non-MSP users can't add @praetorian.com collaborators?

peter-kwan commented 1 week ago

Gave it more thought.

Checking for @praetorian.com to decide on whether to display the Upgrade button is sufficient.

Abusers can add a praetorian.com collaborator any day. That would serve to hide the Upgrade button. But whether or not we triage risk for them is our call. We will only triage those who clicked the Upgrade button.
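The collaborator check settled on above, written out as an added example (this is not code from chariot-ui or from the commit referenced later in the thread). It follows the record shape of the API response quoted further down, where `username` is the account owner and `member` is the collaborator, and the record key has the form `#account#<owner>#<member>`. The function names and the sample records are my own. Two details matter for a display gate like this: the decision has to look at `member`, not `username`, and the domain comparison has to be an exact match on the part after the last `@`, so that `notpraetorian.com` or `praetorian.com.example` do not hide the button. As the thread says, this only controls what the UI shows; it is not the control that decides who gets triaged.

```typescript
// Added example, not chariot-ui code. Record shape mirrors the API response
// quoted in this thread; field semantics (username = owner, member = collaborator)
// and the "#account#<owner>#<member>" key format are read from that response.
interface AccountRecord {
  username: string;
  key: string;
  name: string;
  member: string;
  value: string;
  config: unknown;
  updated: string;
  ttl: number;
}

const PRAETORIAN_DOMAIN = "praetorian.com";

// Domain part of an e-mail address, lower-cased; null when there is no
// usable local part or domain.
function emailDomain(email: string): string | null {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Exact domain match only: "praetorian.com" matches, "notpraetorian.com" and
// "praetorian.com.example" do not. Plus-tags before the "@" are irrelevant.
function isPraetorianCollaborator(member: string): boolean {
  return emailDomain(member.trim()) === PRAETORIAN_DOMAIN;
}

// Only collaborator records (#account#<owner>#<member>) take part in the decision.
function isCollaboratorRecord(r: AccountRecord): boolean {
  return r.key.startsWith("#account#") && r.key.split("#").length === 4;
}

// The rule from the thread: hide "Upgrade Now" when any collaborator on the
// account belongs to @praetorian.com; otherwise show it.
function shouldShowUpgrade(records: AccountRecord[]): boolean {
  return !records
    .filter(isCollaboratorRecord)
    .some((r) => isPraetorianCollaborator(r.member));
}

// Constructed sample data (hypothetical owner and collaborators).
function sampleRecord(owner: string, member: string): AccountRecord {
  return {
    username: owner,
    key: `#account#${owner}#${member}`,
    name: owner,
    member,
    value: "",
    config: null,
    updated: "2024-06-20T00:00:00Z",
    ttl: 0,
  };
}

const SAMPLE_RECORDS: AccountRecord[] = [
  sampleRecord("owner@example.com", "research@praetorian.com"),
  sampleRecord("owner@example.com", "alice@notpraetorian.com"),
];

const SAMPLE_WITHOUT_PRAETORIAN: AccountRecord[] = SAMPLE_RECORDS.filter(
  (r) => !isPraetorianCollaborator(r.member),
);

console.log("show upgrade (with research@ collaborator):", shouldShowUpgrade(SAMPLE_RECORDS));
console.log("show upgrade (without):", shouldShowUpgrade(SAMPLE_WITHOUT_PRAETORIAN));
```

Run it with `npx tsx check-upgrade.ts` (or any TypeScript runner) and the first line prints `false`, the second `true`. Because `isCollaboratorRecord` filters on the key shape, a stray record for the owner account itself (`username` at praetorian.com but no collaborator) does not hide the button, which is the distinction the thread's "member" vs "real user" discussion turns on.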

noah-tutt-praetorian commented 1 week ago

That was my thought process as well.

storbeck commented 1 week ago

peter.kwan@praetorian.com is in the MSP group essentially as a "paid customer"

Are groups exposed to the frontend? I don't see it in the API response.

{
    "username": "geoff.storbeck+github@praetorian.com",
    "key": "#account#geoff.storbeck+github@praetorian.com#geoff.storbeck@praetorian.com",
    "name": "geoff.storbeck+github@praetorian.com",
    "member": "geoff.storbeck@praetorian.com",
    "value": "",
    "config": null,
    "updated": "2024-05-21T18:38:43Z",
    "ttl": 0
}

peter-kwan commented 1 week ago

It is an API in the backend to Cognito. UI code does not have direct access to Cognito.

noah-tutt-praetorian commented 1 week ago

They are in the JWT claims, but only for the “real” user, and not the assumed user.

storbeck commented 1 week ago

Put in this change https://github.com/praetorian-inc/chariot-ui/commit/db01e889f7d3f27d2a8fba978610bea29a821807

to satisfy

Checking for @praetorian.com to decide on whether to display the Upgrade button is sufficient.