Task/access control (#1758)

snehith57624 · web-flow · commit 3d41b12146d1 · 2022-05-30T19:59:07.000+05:30
* updating rbac checks

* Update RBAC checks

* Adding CD pipeline check

* Adding RBAC for trigger

* updating as per PR comments

* adding logs

* merge conflicts

* update rbac checks

* update rbac checks

* update rbac checks

* update rbac checks

* changes as per PR comments

* changes as per PR comments

* changes as per PR comments

* update as per PR comments

* update as per PR comments
diff --git a/api/restHandler/app/BuildPipelineRestHandler.go b/api/restHandler/app/BuildPipelineRestHandler.go
@@ -172,6 +172,26 @@ func (handler PipelineConfigRestHandlerImpl) PatchCiPipelines(w http.ResponseWri
 		common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
 		return
 	}
+
+	pipelineData, err := handler.pipelineRepository.FindActiveByAppIdAndPipelineId(patchRequest.AppId, patchRequest.CiPipeline.Id)
+	if err != nil {
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	var environmentIds []int
+	for _, pipeline := range pipelineData {
+		environmentIds = append(environmentIds, pipeline.EnvironmentId)
+	}
+	if handler.appWorkflowService.CheckCdPipelineByCiPipelineId(patchRequest.CiPipeline.Id) {
+		for _, envId := range environmentIds {
+			envObject := handler.enforcerUtil.GetEnvRBACNameByCiPipelineIdAndEnvId(patchRequest.CiPipeline.Id, envId)
+			if ok := handler.enforcer.Enforce(token, casbin.ResourceEnvironment, casbin.ActionUpdate, envObject); !ok {
+				common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
+				return
+			}
+		}
+	}
+
 	createResp, err := handler.pipelineBuilder.PatchCiPipeline(&patchRequest)
 	if err != nil {
 		handler.Logger.Errorw("service err, PatchCiPipelines", "err", err, "PatchCiPipelines", patchRequest)
@@ -659,7 +679,9 @@ func (handler PipelineConfigRestHandlerImpl) GetCIPipelineById(w http.ResponseWr
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
+
 	handler.Logger.Infow("request payload, GetCIPipelineById", "err", err, "appId", appId, "pipelineId", pipelineId)
+
 	app, err := handler.pipelineBuilder.GetApp(appId)
 	if err != nil {
 		handler.Logger.Infow("service error, GetCIPipelineById", "err", err, "appId", appId, "pipelineId", pipelineId)
@@ -671,6 +693,26 @@ func (handler PipelineConfigRestHandlerImpl) GetCIPipelineById(w http.ResponseWr
 		common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
 		return
 	}
+
+	pipelineData, err := handler.pipelineRepository.FindActiveByAppIdAndPipelineId(appId, pipelineId)
+	if err != nil {
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	var environmentIds []int
+	for _, pipeline := range pipelineData {
+		environmentIds = append(environmentIds, pipeline.EnvironmentId)
+	}
+	if handler.appWorkflowService.CheckCdPipelineByCiPipelineId(pipelineId) {
+		for _, envId := range environmentIds {
+			envObject := handler.enforcerUtil.GetEnvRBACNameByCiPipelineIdAndEnvId(pipelineId, envId)
+			if ok := handler.enforcer.Enforce(token, casbin.ResourceEnvironment, casbin.ActionUpdate, envObject); !ok {
+				common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
+				return
+			}
+		}
+	}
+
 	ciPipeline, err := handler.pipelineBuilder.GetCiPipelineById(pipelineId)
 	if err != nil {
 		handler.Logger.Infow("service error, GetCIPipelineById", "err", err, "appId", appId, "pipelineId", pipelineId)
@@ -898,6 +940,27 @@ func (handler PipelineConfigRestHandlerImpl) CancelWorkflow(w http.ResponseWrite
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusForbidden)
 		return
 	}
+	if handler.appWorkflowService.CheckCdPipelineByCiPipelineId(pipelineId) {
+		pipelineData, err := handler.pipelineRepository.FindActiveByAppIdAndPipelineId(ciPipeline.AppId, pipelineId)
+		if err != nil {
+			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+			return
+		}
+		var environmentIds []int
+		for _, pipeline := range pipelineData {
+			environmentIds = append(environmentIds, pipeline.EnvironmentId)
+		}
+		if handler.appWorkflowService.CheckCdPipelineByCiPipelineId(pipelineId) {
+			for _, envId := range environmentIds {
+				envObject := handler.enforcerUtil.GetEnvRBACNameByCiPipelineIdAndEnvId(pipelineId, envId)
+				if ok := handler.enforcer.Enforce(token, casbin.ResourceEnvironment, casbin.ActionUpdate, envObject); !ok {
+					common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
+					return
+				}
+			}
+		}
+	}
+
 	//RBAC
 
 	resp, err := handler.ciHandler.CancelBuild(workflowId)
diff --git a/api/restHandler/app/DeploymentPipelineRestHandler.go b/api/restHandler/app/DeploymentPipelineRestHandler.go
@@ -1472,6 +1472,19 @@ func (handler PipelineConfigRestHandlerImpl) GetCdPipelineById(w http.ResponseWr
 		common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
 		return
 	}
+
+	envId, err := handler.pipelineBuilder.GetEnvironmentByCdPipelineId(pipelineId)
+	if err != nil {
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	envObject := handler.enforcerUtil.GetEnvRBACNameByCdPipelineIdAndEnvId(pipelineId, envId)
+	if ok := handler.enforcer.Enforce(token, casbin.ResourceEnvironment, casbin.ActionUpdate, envObject); !ok {
+		common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), "Unauthorized User", http.StatusForbidden)
+		return
+	}
+
 	ciConf, err := handler.pipelineBuilder.GetCdPipelineById(pipelineId)
 	if err != nil {
 		handler.Logger.Errorw("service err, GetCdPipelineById", "err", err, "appId", appId, "pipelineId", pipelineId)
diff --git a/internal/sql/repository/pipelineConfig/PipelineRepository.go b/internal/sql/repository/pipelineConfig/PipelineRepository.go
@@ -89,6 +89,7 @@ type PipelineRepository interface {
 	FindActiveByEnvId(envId int) (pipelines []*Pipeline, err error)
 	FindAllPipelinesByChartsOverrideAndAppIdAndChartId(chartOverridden bool, appId int, chartId int) (pipelines []*Pipeline, err error)
 	Exists() (exist bool, err error)
+	FindActiveByAppIdAndPipelineId(appId int, pipelineId int) ([]*Pipeline, error)
 	UpdateCdPipeline(pipeline *Pipeline) error
 }
 
@@ -371,6 +372,17 @@ func (impl PipelineRepositoryImpl) Exists() (exist bool, err error) {
 	exist, err = impl.dbConnection.Model(&pipelines).Exists()
 	return exist, err
 }
+
+func (impl PipelineRepositoryImpl) FindActiveByAppIdAndPipelineId(appId int, pipelineId int) ([]*Pipeline, error) {
+	var pipelines []*Pipeline
+	err := impl.dbConnection.Model(&pipelines).
+		Where("app_id = ?", appId).
+		Where("ci_pipeline_id = ?", pipelineId).
+		Where("deleted = ?", false).
+		Select()
+	return pipelines, err
+}
+
 func (impl PipelineRepositoryImpl) UpdateCdPipeline(pipeline *Pipeline) error {
 	err := impl.dbConnection.Update(pipeline)
 	return err
diff --git a/pkg/appWorkflow/AppWorkflowService.go b/pkg/appWorkflow/AppWorkflowService.go
@@ -38,6 +38,7 @@ type AppWorkflowService interface {
 	SaveAppWorkflowMapping(wf AppWorkflowMappingDto) (AppWorkflowMappingDto, error)
 	FindAppWorkflowMapping(workflowId int) ([]AppWorkflowMappingDto, error)
 	FindAppWorkflowMappingByComponent(id int, compType string) ([]*appWorkflow.AppWorkflowMapping, error)
+	CheckCdPipelineByCiPipelineId(id int) bool
 	FindAppWorkflowByName(name string, appId int) (AppWorkflowDto, error)
 }
 
@@ -285,3 +286,12 @@ func (impl AppWorkflowServiceImpl) FindAppWorkflowByName(name string, appId int)
 	}
 	return *appWorkflowDto, err
 }
+
+func (impl AppWorkflowServiceImpl) CheckCdPipelineByCiPipelineId(id int) bool {
+	appWorkflowMapping, err := impl.appWorkflowRepository.FindWFCDMappingByCIPipelineId(id)
+
+	if err == nil && appWorkflowMapping != nil {
+		return true
+	}
+	return false
+}
diff --git a/pkg/pipeline/PipelineBuilder.go b/pkg/pipeline/PipelineBuilder.go
@@ -101,6 +101,7 @@ type PipelineBuilder interface {
 
 	GetMaterialsForAppId(appId int) []*bean.GitMaterial
 	FindAllMatchesByAppName(appName string) ([]*AppBean, error)
+	GetEnvironmentByCdPipelineId(pipelineId int) (int, error)
 }
 
 type PipelineBuilderImpl struct {
@@ -2019,6 +2020,15 @@ type PipelineStrategy struct {
 	Default            bool                              `json:"default"`
 }
 
+func (impl PipelineBuilderImpl) GetEnvironmentByCdPipelineId(pipelineId int) (int, error) {
+	dbPipeline, err := impl.pipelineRepository.FindById(pipelineId)
+	if err != nil || dbPipeline == nil {
+		impl.logger.Errorw("error in fetching pipeline", "err", err)
+		return 0, err
+	}
+	return dbPipeline.EnvironmentId, err
+}
+
 func (impl PipelineBuilderImpl) GetCdPipelineById(pipelineId int) (cdPipeline *bean.CDPipelineConfigObject, err error) {
 	dbPipeline, err := impl.pipelineRepository.FindById(pipelineId)
 	if err != nil && errors.IsNotFound(err) {
diff --git a/util/rbac/EnforcerUtil.go b/util/rbac/EnforcerUtil.go
@@ -45,6 +45,7 @@ type EnforcerUtil interface {
 	GetHelmObject(appId int, envId int) string
 	GetHelmObjectByAppNameAndEnvId(appName string, envId int) string
 	GetHelmObjectByProjectIdAndEnvId(teamId int, envId int) string
+	GetEnvRBACNameByCdPipelineIdAndEnvId(cdPipelineId int, envId int) string
 }
 type EnforcerUtilImpl struct {
 	logger                *zap.SugaredLogger
@@ -206,6 +207,24 @@ func (impl EnforcerUtilImpl) GetEnvRBACNameByCiPipelineIdAndEnvId(ciPipelineId i
 	return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
 }
 
+func (impl EnforcerUtilImpl) GetEnvRBACNameByCdPipelineIdAndEnvId(cdPipelineId int, envId int) string {
+	pipeline, err := impl.pipelineRepository.FindById(cdPipelineId)
+	if err != nil {
+		impl.logger.Error(err)
+		return fmt.Sprintf("%s/%s", "", "")
+	}
+	application, err := impl.appRepo.FindById(pipeline.AppId)
+	if err != nil {
+		return fmt.Sprintf("%s/%s", "", "")
+	}
+	appName := application.AppName
+	env, err := impl.environmentRepository.FindById(envId)
+	if err != nil {
+		return fmt.Sprintf("%s/%s", "", strings.ToLower(appName))
+	}
+	return fmt.Sprintf("%s/%s", strings.ToLower(env.EnvironmentIdentifier), strings.ToLower(appName))
+}
+
 func (impl EnforcerUtilImpl) GetTeamRbacObjectByCiPipelineId(ciPipelineId int) string {
 	ciPipeline, err := impl.ciPipelineRepository.FindById(ciPipelineId)
 	if err != nil {
@@ -315,4 +334,4 @@ func (impl EnforcerUtilImpl) GetHelmObjectByProjectIdAndEnvId(teamId int, envId
 		environmentIdentifier = fmt.Sprintf("%s__%s", env.Cluster.ClusterName, env.EnvironmentIdentifier)
 	}*/
 	return fmt.Sprintf("%s/%s/%s", strings.ToLower(team.Name), environmentIdentifier, "*")
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ type AppWorkflowService interface {`
`38`	`38`	`SaveAppWorkflowMapping(wf AppWorkflowMappingDto) (AppWorkflowMappingDto, error)`
`39`	`39`	`FindAppWorkflowMapping(workflowId int) ([]AppWorkflowMappingDto, error)`
`40`	`40`	`FindAppWorkflowMappingByComponent(id int, compType string) ([]*appWorkflow.AppWorkflowMapping, error)`
	`41`	`+ CheckCdPipelineByCiPipelineId(id int) bool`
`41`	`42`	`FindAppWorkflowByName(name string, appId int) (AppWorkflowDto, error)`
`42`	`43`	`}`
`43`	`44`
`@@ -285,3 +286,12 @@ func (impl AppWorkflowServiceImpl) FindAppWorkflowByName(name string, appId int)`
`285`	`286`	`}`
`286`	`287`	`return *appWorkflowDto, err`
`287`	`288`	`}`
	`289`	`+`
	`290`	`+func (impl AppWorkflowServiceImpl) CheckCdPipelineByCiPipelineId(id int) bool {`
	`291`	`+ appWorkflowMapping, err := impl.appWorkflowRepository.FindWFCDMappingByCIPipelineId(id)`
	`292`	`+`
	`293`	`+ if err == nil && appWorkflowMapping != nil {`
	`294`	`+ return true`
	`295`	`+ }`
	`296`	`+ return false`
	`297`	`+}`