@erikbocks (Collaborator)

Description

The updateResourceLimit API, by default, is allowed only to the Root Admin, Domain Admin, and Resource Admin role types. These role types cannot change their account and domain limits using the API. However, if an account is created with a User type role, and the permission to this API is granted, they will be capable of changing their own account and domain resource limits and bypassing what has been allocated to them. In this scenario, the user could also cause a DoS by allocating all the resources (for instance, all the IP addresses).

This PR fixes this by implementing an account type validation that throws an exception if the caller's account is of type User.

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

In an example environment, a Modified User role was created, based on the default User role. Then, the permission to call the updateResourceLimit API was granted. A new account, named user, was created using the Modified User role. By default, the user had a limit of 20 Public IPs to allocate.

Using the user credentials, the user can run the following command in CMK to unlimit the number of Public IPs they can allocate:

update resourceLimit account=user resourcetype=1 max=-1 domainid=<domain_id>

With that, the user can exhaust the available public IPs in the environment. It also applies to the other limit types.

Besides changing its account limit, it can also change its domain limits by running the following command:

update resourceLimit resourcetype=1 max=-1 domainid=<domain_id>

The user cannot change the limits of other accounts within its domain or other domains' limits.
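To make the bypass and the fix concrete, the following Java illustration is added here; it is not code from this PR or from CloudStack. All class and method names (ResourceLimitCheckExample, updateResourceLimitBeforeFix, updateResourceLimitAfterFix, the in-memory LIMITS map) are hypothetical, and the account-type gate is modelled as the PR describes it rather than copied from the CloudStack source. The constructed setup mirrors the test scenario above: an account named user on a Modified User role that grants the API, with the default cap of 20 public IPs (resourcetype=1, max=-1 meaning unlimited, as in the CMK commands).

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration (not CloudStack code): models the authorization gap described in the PR
// and the account-type check it introduces. All names here are hypothetical.
public class ResourceLimitCheckExample {

    /** Account types named in the PR description; only USER matters for the fix. */
    enum AccountType { ROOT_ADMIN, DOMAIN_ADMIN, RESOURCE_ADMIN, USER }

    static final int UNLIMITED = -1;               // max=-1 in the CMK command on the page
    static final int RESOURCE_TYPE_PUBLIC_IP = 1;  // resourcetype=1 in the CMK command

    static class Account {
        final String name;
        final AccountType type;
        final boolean roleGrantsUpdateResourceLimit;  // a custom role that includes the API

        Account(String name, AccountType type, boolean roleGrantsUpdateResourceLimit) {
            this.name = name;
            this.type = type;
            this.roleGrantsUpdateResourceLimit = roleGrantsUpdateResourceLimit;
        }
    }

    static class PermissionDeniedException extends RuntimeException {
        PermissionDeniedException(String message) { super(message); }
    }

    /** Constructed in-memory state: account name -> (resource type -> max). */
    static final Map<String, Map<Integer, Integer>> LIMITS = new HashMap<>();

    static void setLimit(String account, int resourceType, int max) {
        LIMITS.computeIfAbsent(account, k -> new HashMap<>()).put(resourceType, max);
    }

    static int getLimit(String account, int resourceType) {
        return LIMITS.getOrDefault(account, Map.of()).getOrDefault(resourceType, 0);
    }

    /** Whether one more resource may be allocated given the current usage. */
    static boolean canAllocate(String account, int resourceType, int currentlyAllocated) {
        int max = getLimit(account, resourceType);
        return max == UNLIMITED || currentlyAllocated < max;
    }

    /** Pre-fix behaviour (hypothetical): the role's API permission is the only gate. */
    static void updateResourceLimitBeforeFix(Account caller, String targetAccount,
                                             int resourceType, int max) {
        if (!caller.roleGrantsUpdateResourceLimit) {
            throw new PermissionDeniedException("role does not permit updateResourceLimit");
        }
        setLimit(targetAccount, resourceType, max);
    }

    /** Post-fix behaviour: a USER-type caller is rejected before the role permission is consulted. */
    static void updateResourceLimitAfterFix(Account caller, String targetAccount,
                                            int resourceType, int max) {
        if (caller.type == AccountType.USER) {
            throw new PermissionDeniedException(
                "account '" + caller.name + "' is of type User and cannot update resource limits");
        }
        updateResourceLimitBeforeFix(caller, targetAccount, resourceType, max);
    }

    public static void main(String[] args) {
        // Constructed setup: "user" on a Modified User role that grants the API, cap of 20 IPs.
        Account user = new Account("user", AccountType.USER, true);
        Account domainAdmin = new Account("admin", AccountType.DOMAIN_ADMIN, true);
        setLimit("user", RESOURCE_TYPE_PUBLIC_IP, 20);

        // Before the fix: the user lifts its own cap, so allocation continues past 20 IPs.
        updateResourceLimitBeforeFix(user, "user", RESOURCE_TYPE_PUBLIC_IP, UNLIMITED);
        System.out.println("before fix, 500 IPs already held, next allowed: "
                + canAllocate("user", RESOURCE_TYPE_PUBLIC_IP, 500));

        // After the fix: the same call from the user is rejected and the cap of 20 still holds.
        setLimit("user", RESOURCE_TYPE_PUBLIC_IP, 20);
        try {
            updateResourceLimitAfterFix(user, "user", RESOURCE_TYPE_PUBLIC_IP, UNLIMITED);
        } catch (PermissionDeniedException e) {
            System.out.println("after fix: " + e.getMessage());
        }
        System.out.println("after fix, 20 IPs already held, next allowed: "
                + canAllocate("user", RESOURCE_TYPE_PUBLIC_IP, 20));

        // An admin-type caller holding the permission is unaffected by the new check.
        updateResourceLimitAfterFix(domainAdmin, "user", RESOURCE_TYPE_PUBLIC_IP, 50);
        System.out.println("admin raised user's cap to: " + getLimit("user", RESOURCE_TYPE_PUBLIC_IP));
    }
}
```

The point of the two variants is that role-based API permission alone is a necessary but not sufficient gate: the caller's account type is checked first, so a custom role that happens to include updateResourceLimit cannot hand a User-type account control over its own quota, while admin-type callers keep their existing behaviour.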

@codecov

codecov bot commented Nov 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.58%. Comparing base (40c8bc5) to head (123a0a8).
⚠️ Report is 1 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (40c8bc5) and HEAD (123a0a8).

HEAD has 1 upload less than BASE
Flag        BASE (40c8bc5)   HEAD (123a0a8)
unittests   1                0
Additional details and impacted files
@@              Coverage Diff              @@
##               main   #12046       +/-   ##
=============================================
- Coverage     17.55%    3.58%   -13.97%     
=============================================
  Files          5910      445     -5465     
  Lines        529334    37534   -491800     
  Branches      64654     6901    -57753     
=============================================
- Hits          92905     1346    -91559     
+ Misses       425973    36024   -389949     
+ Partials      10456      164    -10292     
Flag        Coverage Δ
uitests     3.58% <ø> (ø)
unittests   ?

@erik-bock-silva erik-bock-silva force-pushed the fix-normal-user-being-able-to-update-limits branch from cedc91c to 123a0a8 Compare November 11, 2025 16:32