Check permissions when performing websocket actions

router/tokens/websocket.go

@@ -3,6 +3,7 @@ package tokens
 import (
 	"encoding/json"
 	"github.com/gbrlsnchs/jwt/v3"
+	"strings"
 )
 
 type WebsocketPayload struct {
@@ -20,7 +21,7 @@ func (p *WebsocketPayload) GetPayload() *jwt.Payload {
 // Checks if the given token payload has a permission string.
 func (p *WebsocketPayload) HasPermission(permission string) bool {
 	for _, k := range p.Permissions {
-		if k == permission {
+		if k == permission || (!strings.HasPrefix(permission, "admin") && k == "*") {
 			return true
 		}
 	}

router/websocket/listeners.go

@@ -50,6 +50,7 @@ func (h *Handler) ListenForServerEvents(ctx context.Context) {
 		server.ConsoleOutputEvent,
 		server.InstallOutputEvent,
 		server.DaemonMessageEvent,
+		server.BackupCompletedEvent,
 	}
 
 	eventChannel := make(chan server.Event)

router/websocket/websocket.go

@@ -20,11 +20,14 @@ import (
 var alg *jwt.HMACSHA
 
 const (
-	PermissionConnect        = "connect"
-	PermissionSendCommand    = "send-command"
-	PermissionSendPower      = "send-power"
-	PermissionReceiveErrors  = "receive-errors"
-	PermissionReceiveInstall = "receive-install"
+	PermissionConnect          = "websocket.*"
+	PermissionSendCommand      = "control.console"
+	PermissionSendPowerStart   = "control.start"
+	PermissionSendPowerStop    = "control.stop"
+	PermissionSendPowerRestart = "control.restart"
+	PermissionReceiveErrors    = "admin.errors"
+	PermissionReceiveInstall   = "admin.install"
+	PermissionReceiveBackups   = "backup.read"
 )
 
 type Handler struct {
@@ -88,6 +91,14 @@ func (h *Handler) SendJson(v *Message) error {
 		}
 	}
 
+	// If the user does not have permission to see backup events, do not emit
+	// them over the socket.
+	if v.Event == server.BackupCompletedEvent {
+		if h.JWT != nil && !h.JWT.HasPermission(PermissionReceiveBackups) {
+			return nil
+		}
+	}
+
 	return h.unsafeSendJson(v)
 }
 
@@ -203,26 +214,32 @@ func (h *Handler) HandleInbound(m Message) error {
 		}
 	case SetStateEvent:
 		{
-			if !h.JWT.HasPermission(PermissionSendPower) {
-				return nil
-			}
-
 			switch strings.Join(m.Args, "") {
 			case "start":
+				if h.JWT.HasPermission(PermissionSendPowerStart) {
 					return h.server.Environment.Start()
+				}
+				break
 			case "stop":
+				if h.JWT.HasPermission(PermissionSendPowerStop) {
 					return h.server.Environment.Stop()
+				}
+				break
 			case "restart":
-				{
+				if h.JWT.HasPermission(PermissionSendPowerRestart) {
 					if err := h.server.Environment.WaitForStop(60, false); err != nil {
 						return err
 					}
 
 					return h.server.Environment.Start()
 				}
+				break
 			case "kill":
+				if h.JWT.HasPermission(PermissionSendPowerStop) {
 					return h.server.Environment.Terminate(os.Kill)
 				}
+				break
+			}
 
 			return nil
 		}

server/events.go

@@ -12,6 +12,7 @@ const (
 	ConsoleOutputEvent   = "console output"
 	StatusEvent          = "status"
 	StatsEvent           = "stats"
+	BackupCompletedEvent = "backup completed"
 )
 
 type Event struct {