use std::sync::Arc;
use aide::NoApi;
use axum::extract::State;
use axum::Extension;
use parking_lot::RwLock;
use tracing::info;
use crate::elevations;
use crate::error::Error;
use crate::policy::Policy;
use super::NamedPipeConnectInfo;
/// Handles a request to elevate the calling user's whole session.
///
/// The caller is identified by `named_pipe_info.user` (presumably filled in from
/// the named pipe connection; confirm where `NamedPipeConnectInfo` is built).
/// The request is authorized against the shared [`Policy`]: the user must have a
/// current profile, and that profile must have session elevation enabled.
/// Every other case is denied.
///
/// # Errors
///
/// Returns [`Error::AccessDenied`] when the user has no current profile, or when
/// the profile's `elevation_settings.session.enabled` flag is off.
pub(crate) async fn elevate_session(
    Extension(named_pipe_info): Extension<NamedPipeConnectInfo>,
    NoApi(State(policy)): NoApi<State<Arc<RwLock<Policy>>>>,
) -> Result<(), Error> {
    // The read guard lives until the function returns, so the policy consulted
    // for the decision cannot be replaced by a writer before the elevation is
    // recorded. There is no `.await` below, so the guard is never held across
    // a suspension point.
    let policy = policy.read();

    // NOTE(review): both denial paths log at `info`; consider whether refused
    // elevation attempts should be emitted at a level that monitoring picks up.
    match policy.user_current_profile(&named_pipe_info.user) {
        // No profile assigned: deny.
        None => {
            info!(user = ?named_pipe_info.user, "User tried to elevate session, but wasn't assigned to profile");
            Err(Error::AccessDenied)
        }
        // Profile found, but session elevation is switched off for it: deny.
        Some(profile) if !profile.elevation_settings.session.enabled => {
            info!(user = ?named_pipe_info.user, "User tried to elevate session, but wasn't allowed");
            Err(Error::AccessDenied)
        }
        // Profile found and session elevation is permitted.
        Some(_) => {
            info!(user = ?named_pipe_info.user, "Elevating user until revocation");
            elevations::elevate_session(named_pipe_info.user);
            Ok(())
        }
    }
}