Check user access to the device type provided to /config/vars

Change-type: patch See: https://balena.zulipchat.com/#narrow/stream/345889-balena-io.2Fos/topic/balenaOS.20for.20RPi.205.20.5BUnder.20NDA.5D/near/393642691
balena-io · Sep 28, 2023 · da18977 · da18977
1 parent cd99532
commit da18977
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 5 deletions.
diff --git a/src/features/vars-schema/schema.ts b/src/features/vars-schema/schema.ts
@@ -1,6 +1,6 @@
 import type { RequestHandler } from 'express';
 import type { JSONSchema6 } from 'json-schema';
-
+import { sbvrUtils } from '@balena/pinejs';
 import {
 	BLOCKED_NAMES,
 	DEVICE_TYPE_SPECIFIC_CONFIG_VAR_PROPERTIES,
@@ -13,19 +13,46 @@ import {
 	ALLOWED_NAMESPACES,
 } from './env-vars';
 
+const { api } = sbvrUtils;
+
 // Return config variable constants for use by external components.
 // A query string parameter of 'deviceType' is accepted, which should
 // be a device type slug.
-export const schema: RequestHandler = (req, res) => {
+export const schema: RequestHandler = async (req, res) => {
+	const deviceTypeSlug = await (async () => {
+		if (typeof req.query.deviceType !== 'string') {
+			return;
+		}
+
+		const resinApi = api.resin.clone({ passthrough: { req } });
+		// Ensure that the user has access to the provided device type.
+		const dt = (await resinApi.get({
+			resource: 'device_type',
+			id: {
+				slug: req.query.deviceType,
+			},
+			options: {
+				$select: 'id',
+			},
+		})) as { id: number } | undefined;
+
+		if (dt != null) {
+			return req.query.deviceType;
+		}
+		// We do not throw when the DT is not found for backwards compatibility reasons.
+	})();
+
 	const configVarSchema: JSONSchema6 = {
 		type: 'object',
 		$schema: 'http://json-schema.org/draft-06/schema#',
 		properties: Object.assign(
 			{},
 			SUPERVISOR_CONFIG_VAR_PROPERTIES,
-			...DEVICE_TYPE_SPECIFIC_CONFIG_VAR_PROPERTIES.filter((config) =>
-				config.capableDeviceTypes.includes(req.query.deviceType as string),
-			).map((config) => config.properties),
+			...(deviceTypeSlug != null
+				? DEVICE_TYPE_SPECIFIC_CONFIG_VAR_PROPERTIES.filter((config) =>
+						config.capableDeviceTypes.includes(deviceTypeSlug),
+				  ).map((config) => config.properties)
+				: []),
 		),
 	};
 

diff --git a/test/01_basic.ts b/test/01_basic.ts
@@ -109,6 +109,14 @@ describe('Basic', () => {
 			checkBaseVarsResult(vars);
 		});
 
+		it(`should return the base vars when device type is not found`, async () => {
+			const { body: vars } = await supertest()
+				.get(`/config/vars?deviceType=wrong-device-type`)
+				.expect(200);
+
+			checkBaseVarsResult(vars);
+		});
+
 		[
 			{ deviceType: 'beaglebone-black' },
 			{