fix: validate claim value and role ID in OIDC mapping functions (#2796)

Author: kmendell

backend/api/handlers/oidc.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"log/slog"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/danielgtaylor/huma/v2"
@@ -517,8 +518,19 @@ func (h *OidcHandler) CreateOidcRoleMapping(ctx context.Context, input *CreateOi
 	if h.roleService == nil {
 		return nil, huma.Error500InternalServerError("service not available")
 	}
-	mapping, err := h.roleService.CreateOidcMapping(ctx, input.Body.ClaimValue, input.Body.RoleID, input.Body.EnvironmentID)
+	claimValue := strings.TrimSpace(input.Body.ClaimValue)
+	roleID := strings.TrimSpace(input.Body.RoleID)
+	if claimValue == "" {
+		return nil, huma.Error400BadRequest("claim value is required")
+	}
+	if roleID == "" {
+		return nil, huma.Error400BadRequest("role id is required")
+	}
+	mapping, err := h.roleService.CreateOidcMapping(ctx, claimValue, roleID, input.Body.EnvironmentID)
 	if err != nil {
+		if common.IsInvalidRoleAssignmentError(err) {
+			return nil, huma.Error400BadRequest(err.Error())
+		}
 		return nil, huma.Error500InternalServerError("failed to create mapping: " + err.Error())
 	}
 	out := &CreateOidcRoleMappingOutput{}
@@ -531,14 +543,25 @@ func (h *OidcHandler) UpdateOidcRoleMapping(ctx context.Context, input *UpdateOi
 	if h.roleService == nil {
 		return nil, huma.Error500InternalServerError("service not available")
 	}
-	mapping, err := h.roleService.UpdateOidcMapping(ctx, input.ID, input.Body.ClaimValue, input.Body.RoleID, input.Body.EnvironmentID)
+	claimValue := strings.TrimSpace(input.Body.ClaimValue)
+	roleID := strings.TrimSpace(input.Body.RoleID)
+	if claimValue == "" {
+		return nil, huma.Error400BadRequest("claim value is required")
+	}
+	if roleID == "" {
+		return nil, huma.Error400BadRequest("role id is required")
+	}
+	mapping, err := h.roleService.UpdateOidcMapping(ctx, input.ID, claimValue, roleID, input.Body.EnvironmentID)
 	if err != nil {
 		if common.IsOidcMappingNotFoundError(err) {
 			return nil, huma.Error404NotFound("mapping not found")
 		}
 		if common.IsOidcMappingEnvManagedError(err) {
 			return nil, huma.Error409Conflict(err.Error())
 		}
+		if common.IsInvalidRoleAssignmentError(err) {
+			return nil, huma.Error400BadRequest(err.Error())
+		}
 		return nil, huma.Error500InternalServerError("failed to update mapping: " + err.Error())
 	}
 	out := &UpdateOidcRoleMappingOutput{}

backend/internal/services/role_service.go

@@ -743,25 +743,45 @@ func (s *RoleService) GetOidcMapping(ctx context.Context, id string) (*models.Oi
 }
 
 func (s *RoleService) CreateOidcMapping(ctx context.Context, claimValue, roleID string, environmentID *string) (*models.OidcRoleMapping, error) {
-	if strings.TrimSpace(claimValue) == "" {
+	claimValue = strings.TrimSpace(claimValue)
+	roleID = strings.TrimSpace(roleID)
+	if claimValue == "" {
 		return nil, errors.New("claim value is required")
 	}
-	if strings.TrimSpace(roleID) == "" {
+	if roleID == "" {
 		return nil, errors.New("role id is required")
 	}
-	mapping := &models.OidcRoleMapping{
-		ClaimValue:    claimValue,
-		RoleID:        roleID,
-		EnvironmentID: environmentID,
-		Source:        models.OidcMappingSourceManual,
-	}
-	if err := s.db.WithContext(ctx).Create(mapping).Error; err != nil {
-		return nil, fmt.Errorf("failed to create oidc mapping: %w", err)
+	var mapping models.OidcRoleMapping
+	err := dbutil.WithTx(ctx, s.db.DB, func(tx *gorm.DB) error {
+		if err := validateRoleIDsExistInternal(tx, []string{roleID}); err != nil {
+			return err
+		}
+		mapping = models.OidcRoleMapping{
+			ClaimValue:    claimValue,
+			RoleID:        roleID,
+			EnvironmentID: environmentID,
+			Source:        models.OidcMappingSourceManual,
+		}
+		if err := tx.Create(&mapping).Error; err != nil {
+			return fmt.Errorf("failed to create oidc mapping: %w", err)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
 	}
-	return mapping, nil
+	return &mapping, nil
 }
 
 func (s *RoleService) UpdateOidcMapping(ctx context.Context, id, claimValue, roleID string, environmentID *string) (*models.OidcRoleMapping, error) {
+	claimValue = strings.TrimSpace(claimValue)
+	roleID = strings.TrimSpace(roleID)
+	if claimValue == "" {
+		return nil, errors.New("claim value is required")
+	}
+	if roleID == "" {
+		return nil, errors.New("role id is required")
+	}
 	var out models.OidcRoleMapping
 	err := dbutil.WithTx(ctx, s.db.DB, func(tx *gorm.DB) error {
 		var existing models.OidcRoleMapping
@@ -774,6 +794,9 @@ func (s *RoleService) UpdateOidcMapping(ctx context.Context, id, claimValue, rol
 		if existing.Source == models.OidcMappingSourceEnv {
 			return &common.OidcMappingEnvManagedError{}
 		}
+		if err := validateRoleIDsExistInternal(tx, []string{roleID}); err != nil {
+			return err
+		}
 		existing.ClaimValue = claimValue
 		existing.RoleID = roleID
 		existing.EnvironmentID = environmentID
@@ -789,6 +812,38 @@ func (s *RoleService) UpdateOidcMapping(ctx context.Context, id, claimValue, rol
 	return &out, nil
 }
 
+func validateRoleIDsExistInternal(tx *gorm.DB, roleIDs []string) error {
+	if len(roleIDs) == 0 {
+		return nil
+	}
+	roleIDSet := make(map[string]struct{}, len(roleIDs))
+	for _, roleID := range roleIDs {
+		if roleID == "" {
+			return errors.New("role id is required")
+		}
+		roleIDSet[roleID] = struct{}{}
+	}
+
+	normalized := make([]string, 0, len(roleIDSet))
+	for roleID := range roleIDSet {
+		normalized = append(normalized, roleID)
+	}
+	var found []string
+	if err := tx.Model(&models.Role{}).Where("id IN ?", normalized).Pluck("id", &found).Error; err != nil {
+		return fmt.Errorf("failed to verify role ids: %w", err)
+	}
+	foundSet := make(map[string]struct{}, len(found))
+	for _, id := range found {
+		foundSet[id] = struct{}{}
+	}
+	for _, id := range normalized {
+		if _, ok := foundSet[id]; !ok {
+			return &common.InvalidRoleAssignmentError{RoleID: id}
+		}
+	}
+	return nil
+}
+
 func (s *RoleService) DeleteOidcMapping(ctx context.Context, id string) error {
 	return dbutil.WithTx(ctx, s.db.DB, func(tx *gorm.DB) error {
 		var existing models.OidcRoleMapping

backend/pkg/authz/access_policy.go

@@ -57,26 +57,39 @@ var accessSurfacesInternal = []AccessSurface{
 
 	routeSurfaceInternal("route.dashboard", "/dashboard", "Dashboard", AccessScopeModeSelectedEnvPlusGlobal, []string{PermDashboardRead}, 10),
 	routeSurfaceInternal("route.projects", "/projects", "Projects", AccessScopeModeSelectedEnvPlusGlobal, []string{PermProjectsList, PermProjectsRead}, 30),
+	routeSurfaceInternal("route.projects.new", "/projects/new", "Create project", AccessScopeModeSelectedEnvPlusGlobal, []string{PermProjectsList, PermProjectsRead, PermProjectsCreate}, 0),
+	routeSurfaceInternal("route.projects.detail", "/projects/{projectId}", "Project", AccessScopeModeSelectedEnvPlusGlobal, []string{PermProjectsList, PermProjectsRead}, 0),
 	routeSurfaceInternal("route.environments", "/environments", "Environments", AccessScopeModeGlobalOnly, []string{PermEnvironmentsList, PermEnvironmentsRead}, 130),
+	routeSurfaceInternal("route.environments.detail", "/environments/{id}", "Environment", AccessScopeModeGlobalOnly, []string{PermEnvironmentsList, PermEnvironmentsRead}, 0),
 	routeSurfaceInternal("route.environments.gitops", "/environments/{id}/gitops", "GitOps Syncs", AccessScopeModeSelectedEnvPlusGlobal, []string{PermGitOpsList, PermGitOpsRead}, 0),
 	routeSurfaceInternal("route.containers", "/containers", "Containers", AccessScopeModeSelectedEnvPlusGlobal, []string{PermContainersList, PermContainersRead}, 20),
+	routeSurfaceInternal("route.containers.detail", "/containers/{containerId}", "Container", AccessScopeModeSelectedEnvPlusGlobal, []string{PermContainersList, PermContainersRead}, 0),
 	routeSurfaceInternal("route.images", "/images", "Images", AccessScopeModeSelectedEnvPlusGlobal, []string{PermImagesList, PermImagesRead}, 50),
+	routeSurfaceInternal("route.images.detail", "/images/{imageId}", "Image", AccessScopeModeSelectedEnvPlusGlobal, []string{PermImagesList, PermImagesRead}, 0),
 	routeSurfaceInternal("route.images.builds", "/images/builds", "Builds", AccessScopeModeSelectedEnvPlusGlobal, []string{PermImagesBuild}, 0),
 	routeSurfaceInternal("route.images.vulnerabilities", "/images/vulnerabilities", "Vulnerabilities", AccessScopeModeSelectedEnvPlusGlobal, []string{PermVulnsRead}, 0),
 	routeSurfaceInternal("route.updates", "/updates", "Image Updates", AccessScopeModeSelectedEnvPlusGlobal, []string{PermImageUpdatesRead}, 0),
 	routeSurfaceInternal("route.networks", "/networks", "Networks", AccessScopeModeSelectedEnvPlusGlobal, []string{PermNetworksList, PermNetworksRead}, 70),
+	routeSurfaceInternal("route.networks.detail", "/networks/{networkId}", "Network", AccessScopeModeSelectedEnvPlusGlobal, []string{PermNetworksList, PermNetworksRead}, 0),
 	routeSurfaceInternal("route.ports", "/ports", "Ports", AccessScopeModeSelectedEnvPlusGlobal, []string{PermContainersList}, 0),
 	routeSurfaceInternal("route.networks.topology", "/networks/topology", "Network Topology", AccessScopeModeSelectedEnvPlusGlobal, []string{PermNetworksRead}, 0),
 	routeSurfaceInternal("route.volumes", "/volumes", "Volumes", AccessScopeModeSelectedEnvPlusGlobal, []string{PermVolumesList, PermVolumesRead}, 60),
+	routeSurfaceInternal("route.volumes.detail", "/volumes/{volumeName}", "Volume", AccessScopeModeSelectedEnvPlusGlobal, []string{PermVolumesList, PermVolumesRead}, 0),
 	routeSurfaceInternal("route.swarm", "/swarm", "Swarm", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmRead}, 0),
 	routeSurfaceInternal("route.swarm.services", "/swarm/services", "Services", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmServices}, 80),
+	routeSurfaceInternal("route.swarm.services.detail", "/swarm/services/{serviceId}", "Service", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmServices}, 0),
 	routeSurfaceInternal("route.swarm.nodes", "/swarm/nodes", "Nodes", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmNodes}, 0),
 	routeSurfaceInternal("route.swarm.tasks", "/swarm/tasks", "Tasks", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmRead}, 0),
 	routeSurfaceInternal("route.swarm.stacks", "/swarm/stacks", "Stacks", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmStacks}, 90),
+	routeSurfaceInternal("route.swarm.stacks.new", "/swarm/stacks/new", "Create stack", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmStacks}, 0),
+	routeSurfaceInternal("route.swarm.stacks.detail", "/swarm/stacks/{name}", "Stack", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmStacks}, 0),
 	routeSurfaceInternal("route.swarm.cluster", "/swarm/cluster", "Cluster", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmRead}, 100),
 	routeSurfaceInternal("route.swarm.configs", "/swarm/configs", "Configs", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmConfigs}, 0),
 	routeSurfaceInternal("route.swarm.secrets", "/swarm/secrets", "Secrets", AccessScopeModeSelectedEnvPlusGlobal, []string{PermSwarmSecrets}, 0),
 	routeSurfaceInternal("route.events", "/events", "Events", AccessScopeModeGlobalOnly, []string{PermEventsRead}, 110),
+	routeSurfaceInternal("route.customize.templates.create", "/customize/templates/create", "Create template", AccessScopeModeGlobalOnly, []string{PermCustomizeManage, PermTemplatesList, PermTemplatesRead}, 0),
+	routeSurfaceInternal("route.customize.templates.default", "/customize/templates/default", "Default template", AccessScopeModeGlobalOnly, []string{PermCustomizeManage, PermTemplatesList, PermTemplatesRead}, 0),
+	routeSurfaceInternal("route.customize.templates.detail", "/customize/templates/{id}", "Template", AccessScopeModeGlobalOnly, []string{PermCustomizeManage, PermTemplatesList, PermTemplatesRead}, 0),
 
 	settingsCategorySurfaceInternal("activity", "/settings/activity", "Activity", AccessScopeModeGlobalOnly, []string{PermSettingsRead}),
 	settingsCategorySurfaceInternal("apikeys", "/settings/api-keys", "API Keys", AccessScopeModeGlobalOnly, []string{PermApiKeysList, PermApiKeysRead}),
@@ -86,6 +99,8 @@ var accessSurfacesInternal = []AccessSurface{
 	settingsCategorySurfaceInternal("jobschedule", "", "Job Schedule", AccessScopeModeSelectedEnvPlusGlobal, []string{PermJobsManage}),
 	settingsCategorySurfaceInternal("notifications", "/settings/notifications", "Notifications", AccessScopeModeSelectedEnvPlusGlobal, []string{PermNotificationsManage}),
 	settingsCategorySurfaceInternal("roles", "/settings/roles", "Roles", AccessScopeModeGlobalOnly, []string{PermRolesList, PermRolesRead}),
+	routeSurfaceInternal("route.settings.roles.new", "/settings/roles/new", "Create role", AccessScopeModeGlobalOnly, []string{PermRolesList, PermRolesRead}, 0),
+	routeSurfaceInternal("route.settings.roles.detail", "/settings/roles/{id}", "Role", AccessScopeModeGlobalOnly, []string{PermRolesList, PermRolesRead}, 0),
 	settingsCategorySurfaceInternal("timeouts", "/settings/timeouts", "Timeouts", AccessScopeModeGlobalOnly, []string{PermSettingsRead}),
 	settingsCategorySurfaceInternal("users", "/settings/users", "Users", AccessScopeModeGlobalOnly, []string{PermUsersList, PermUsersRead}),
 	settingsCategorySurfaceInternal("webhooks", "/settings/webhooks", "Webhooks", AccessScopeModeSelectedEnvPlusGlobal, []string{PermWebhooksList}),

backend/pkg/authz/permission_set.go

@@ -44,19 +44,26 @@ func (ps *PermissionSet) Allows(perm, envID string) bool {
 // Global set contains every defined permission. Used by the backward-compat
 // IsAdminFromContext helper and by last-admin guards.
 //
-// Implementation: every insertion path runs through
-// services.validatePermissionsInternal → authz.IsKnownPermission, which does
-// an exact-set check against AllPermissions(). ps.Global is therefore a true
-// subset of AllPermissions, and equal cardinality implies equality — no
-// per-call slice allocation or O(N) walk on the auth hot path.
+// Implementation: first checks cardinality against TotalPermissionsCount() for a
+// fast early exit, then walks AllPermissions() to confirm every known
+// permission is present. This guards against a ps.Global that contains the right
+// count but includes injected unknown permissions instead of all real ones.
 func (ps *PermissionSet) IsGlobalAdmin() bool {
 	if ps == nil {
 		return false
 	}
 	if ps.Sudo {
 		return true
 	}
-	return len(ps.Global) >= TotalPermissionsCount()
+	if len(ps.Global) != TotalPermissionsCount() {
+		return false
+	}
+	for _, permission := range AllPermissions() {
+		if _, ok := ps.Global[permission]; !ok {
+			return false
+		}
+	}
+	return true
 }
 
 // SudoPermissionSet returns a PermissionSet that allows every action. Used for

backend/pkg/authz/permission_set_test.go

@@ -32,6 +32,46 @@ func TestPermissionSetEnvScopedDoesNotLeak(t *testing.T) {
 	}
 }
 
+func TestPermissionSetIsGlobalAdminRejectsUnknownPermissions(t *testing.T) {
+	ps := NewPermissionSet()
+	perms := AllPermissions()
+	for i, perm := range perms {
+		if i == 0 {
+			continue
+		}
+		ps.AddGlobal(perm)
+	}
+	ps.AddGlobal("projects:made-up")
+
+	if ps.IsGlobalAdmin() {
+		t.Fatal("global admin should reject injected unknown permissions")
+	}
+}
+
+func TestPermissionSetIsGlobalAdminRequiresExactKnownSet(t *testing.T) {
+	ps := NewPermissionSet()
+	perms := AllPermissions()
+	for _, perm := range perms[1:] {
+		ps.AddGlobal(perm)
+	}
+	ps.AddGlobal("containers:does-not-exist")
+
+	if ps.IsGlobalAdmin() {
+		t.Fatal("global admin should require the complete known permission set")
+	}
+}
+
+func TestPermissionSetIsGlobalAdmin(t *testing.T) {
+	ps := NewPermissionSet()
+	for _, perm := range AllPermissions() {
+		ps.AddGlobal(perm)
+	}
+
+	if !ps.IsGlobalAdmin() {
+		t.Fatal("complete known permission set should be global admin")
+	}
+}
+
 func TestSudoAllowsEverything(t *testing.T) {
 	ps := SudoPermissionSet()
 	if !ps.Allows(PermContainersDelete, "any-env") {

frontend/src/lib/utils/access-policy.ts

@@ -34,7 +34,12 @@ export function getRouteAccessSurfaces(manifest: PermissionsManifest | null | un
 	return (manifest?.accessSurfaces ?? [])
 		.filter((surface) => !!surface.url)
 		.slice()
-		.sort((a, b) => (b.url?.length ?? 0) - (a.url?.length ?? 0));
+		.sort((a, b) => {
+			const aTemplates = (a.url?.match(/\{[^}]+\}/g) ?? []).length;
+			const bTemplates = (b.url?.match(/\{[^}]+\}/g) ?? []).length;
+			if (aTemplates !== bTemplates) return aTemplates - bTemplates;
+			return (b.url?.length ?? 0) - (a.url?.length ?? 0);
+		});
 }
 
 export function getFallbackAccessSurfaces(manifest: PermissionsManifest | null | undefined): AccessSurface[] {
@@ -50,7 +55,7 @@ export function pathMatchesAccessSurface(path: string, surface: AccessSurface):
 
 	const pathSegments = splitPathInternal(path);
 	const templateSegments = splitPathInternal(template);
-	if (templateSegments.length > pathSegments.length) return false;
+	if (templateSegments.length !== pathSegments.length) return false;
 
 	for (let i = 0; i < templateSegments.length; i++) {
 		const expected = templateSegments[i];

frontend/src/lib/utils/auth.ts

@@ -109,7 +109,8 @@ export function getAuthRedirectPath(
 	path: string,
 	user: User | null,
 	envId?: string,
-	accessManifest?: PermissionsManifest | null
+	accessManifest?: PermissionsManifest | null,
+	accessManifestLoadFailed = false
 ): string | null {
 	const isSignedIn = !!user;
 
@@ -125,6 +126,16 @@ export function getAuthRedirectPath(
 		return '/dashboard';
 	}
 
+	if (
+		isSignedIn &&
+		!accessManifestLoadFailed &&
+		path !== '/no-access' &&
+		!accessManifest?.accessSurfaces?.length &&
+		matchesAny(path, PROTECTED_PREFIXES)
+	) {
+		return '/no-access';
+	}
+
 	if (!isSignedIn || !user) return null;
 
 	if (path !== '/no-access' && !userHasAnyAccess(user)) {

frontend/src/routes/(app)/+layout.svelte

@@ -20,6 +20,7 @@
 	const user = $derived(data.user);
 	const settings = $derived(data.settings);
 	const permissionsManifest = $derived(data.permissionsManifest);
+	const permissionsManifestLoadFailed = $derived(data.permissionsManifestLoadFailed);
 	const swarmEnabled = $derived(data.swarmEnabled === true);
 
 	const isMobile = new IsMobile();
@@ -46,7 +47,13 @@
 	});
 
 	$effect(() => {
-		const redirectPath = getAuthRedirectPath(page.url.pathname, user, currentEnvId, permissionsManifest);
+		const redirectPath = getAuthRedirectPath(
+			page.url.pathname,
+			user,
+			currentEnvId,
+			permissionsManifest,
+			permissionsManifestLoadFailed
+		);
 		if (redirectPath) {
 			goto(redirectPath);
 		}