Revise auth requirements for debug endpoints (#38173)

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)

## Testing

- [x] Added/updated automated tests

- [x] QA'd all new/changed functionality manually

Author: iansltx

changes/pprof-tweaks

@@ -0,0 +1 @@
+* Revised auth requirements for /debug endpoints

server/service/debug_handler.go

@@ -39,7 +39,7 @@ func (m *debugAuthenticationMiddleware) Middleware(next http.Handler) http.Handl
 			return
 		}
 
-		if !v.CanPerformActions() {
+		if !v.CanPerformActions() || v.User.GlobalRole == nil || *v.User.GlobalRole != fleet.RoleAdmin {
 			http.Error(w, "Unauthorized", http.StatusForbidden)
 			return
 		}

server/service/debug_handler_test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/fleetdm/fleet/v4/server/config"
 	"github.com/fleetdm/fleet/v4/server/fleet"
+	"github.com/fleetdm/fleet/v4/server/ptr"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )
@@ -66,7 +67,39 @@ func TestDebugHandlerAuthenticationSessionInvalid(t *testing.T) {
 	assert.Equal(t, http.StatusUnauthorized, res.Code)
 }
 
-func TestDebugHandlerAuthenticationSuccess(t *testing.T) {
+func TestDebugHandlerAuthenticationFailsDueToRole(t *testing.T) {
+	for test, user := range map[string]fleet.User{
+		"no role":                {},
+		"global observer role":   {GlobalRole: ptr.String(fleet.RoleObserver)},
+		"global maintainer role": {GlobalRole: ptr.String(fleet.RoleMaintainer)},
+		"non-global role":        {Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1, Name: "foo"}, Role: fleet.RoleAdmin}}},
+	} {
+		t.Run(test, func(t *testing.T) {
+			svc := &mockService{}
+			svc.On(
+				"GetSessionByKey",
+				mock.Anything,
+				"fake_session_key",
+			).Return(&fleet.Session{UserID: 42, ID: 1}, nil)
+			svc.On(
+				"UserUnauthorized",
+				mock.Anything,
+				uint(42),
+			).Return(&user, nil)
+
+			handler := MakeDebugHandler(svc, testConfig, nil, nil, nil)
+
+			req := httptest.NewRequest(http.MethodGet, "https://fleetdm.com/debug/pprof/cmdline", nil)
+			req.Header.Add("Authorization", "BEARER fake_session_key")
+			res := httptest.NewRecorder()
+
+			handler.ServeHTTP(res, req)
+			assert.Equal(t, http.StatusForbidden, res.Code)
+		})
+	}
+}
+
+func TestDebugHandlerAuthenticationSucceeds(t *testing.T) {
 	svc := &mockService{}
 	svc.On(
 		"GetSessionByKey",
@@ -77,7 +110,7 @@ func TestDebugHandlerAuthenticationSuccess(t *testing.T) {
 		"UserUnauthorized",
 		mock.Anything,
 		uint(42),
-	).Return(&fleet.User{}, nil)
+	).Return(&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}, nil)
 
 	handler := MakeDebugHandler(svc, testConfig, nil, nil, nil)