Merge branch 'main' into APL-861

Author: ElderMatt

CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.5.0](https://github.com/redkubes/otomi-api/compare/v4.4.0...v4.5.0) (2025-06-03)
+
+
+### Bug Fixes
+
+* remove unused obj property from settingsInfo ([#730](https://github.com/redkubes/otomi-api/issues/730)) ([48c6437](https://github.com/redkubes/otomi-api/commit/48c643713da7fde7365ff186006d05f539a82560))
+* security policies & self service permissions ([#732](https://github.com/redkubes/otomi-api/issues/732)) ([96ad35e](https://github.com/redkubes/otomi-api/commit/96ad35e91f0b0e94ea26455e1c3a185136ad937b))
+* team(s) endpoints ([#733](https://github.com/redkubes/otomi-api/issues/733)) ([85be61c](https://github.com/redkubes/otomi-api/commit/85be61caa8c16563e3e48cd01188beaa3eea1f52))
+
+
+### Others
+
+* add code owners ([#727](https://github.com/redkubes/otomi-api/issues/727)) ([8c9689c](https://github.com/redkubes/otomi-api/commit/8c9689c4093f814e3cc0eb76a0b4bd653c1cc15e))
+* do not run postman for dependabot and update some deps ([#731](https://github.com/redkubes/otomi-api/issues/731)) ([afd648b](https://github.com/redkubes/otomi-api/commit/afd648bf93444001c881ba825203de11d8967a1f))
+
 ## [4.4.0](https://github.com/redkubes/otomi-api/compare/v4.3.0...v4.4.0) (2025-05-14)
 
 

package-lock.json

@@ -165,7 +165,7 @@
       "tag": true
     }
   },
-  "version": "4.4.0",
+  "version": "4.5.0",
   "watch": {
     "build:models": {
       "patterns": [

package.json

@@ -1,5 +1,4 @@
-/* eslint-disable @typescript-eslint/no-empty-function */
-
+import { Express } from 'express'
 import { mockDeep } from 'jest-mock-extended'
 import { initApp, loadSpec } from 'src/app'
 import getToken from 'src/fixtures/jwt'
@@ -9,9 +8,8 @@ import { HttpError } from './error'
 import { Git } from './git'
 import { getSessionStack } from './middleware'
 import { App, CodeRepo, Repo, SealedSecret } from './otomi-models'
-import * as getValuesSchemaModule from './utils'
 import { RepoService } from './services/RepoService'
-import { Express } from 'express'
+import * as getValuesSchemaModule from './utils'
 
 const platformAdminToken = getToken(['platform-admin'])
 const teamAdminToken = getToken(['team-admin', 'team-team1'])
@@ -152,11 +150,11 @@ describe('API authz tests', () => {
     expect(response.body.values).toEqual(values)
   })
 
-  test('team member can get all teams', async () => {
+  test('team member cannot get all teams', async () => {
     await agent
       .get('/v1/teams')
       .set('Authorization', `Bearer ${teamMemberToken}`)
-      .expect(200)
+      .expect(403)
       .expect('Content-Type', /json/)
   })
 
@@ -172,12 +170,12 @@ describe('API authz tests', () => {
       .expect(403)
   })
 
-  test('team member can get other teams', async () => {
+  test('team member cannot get other teams', async () => {
     jest.spyOn(otomiStack, 'getTeam').mockResolvedValue({} as never)
     await agent
       .get('/v1/teams/team2')
       .set('Authorization', `Bearer ${teamMemberToken}`)
-      .expect(200)
+      .expect(403)
       .expect('Content-Type', /json/)
   })
 

src/api.authz.test.ts

@@ -134,3 +134,242 @@ describe('Schema collection wise permissions', () => {
     sessionTeam.authz = {}
   })
 })
+
+describe('Self-service permissions', () => {
+  const spec: OpenAPIDoc = {
+    components: {
+      schemas: {
+        Kubecfg: { type: 'object', 'x-acl': { teamMember: ['read'] }, properties: {} },
+        DockerConfig: { type: 'object', 'x-acl': { teamMember: ['read'] }, properties: {} },
+        Cloudtty: { type: 'object', 'x-acl': { teamMember: ['create'] }, properties: {} },
+        Policy: { type: 'object', 'x-acl': { teamMember: ['update'] }, properties: {} },
+      },
+    },
+    paths: {},
+    security: [],
+  }
+
+  const teamId = 'mercury'
+  let authz: Authz
+  beforeEach(() => {
+    authz = new Authz(spec).init({ ...sessionTeam, teams: [teamId] })
+  })
+
+  test('Team member can download kubeconfig (self-service)', () => {
+    expect(authz.hasSelfService(teamId, 'downloadKubeconfig')).toBeDefined()
+  })
+  test('Team member can download docker login (self-service)', () => {
+    expect(authz.hasSelfService(teamId, 'downloadDockerLogin')).toBeDefined()
+  })
+  test('Team member can use cloud shell (self-service)', () => {
+    expect(authz.hasSelfService(teamId, 'useCloudShell')).toBeDefined()
+  })
+  test('Team member can edit security policies (self-service)', () => {
+    expect(authz.hasSelfService(teamId, 'editSecurityPolicies')).toBeDefined()
+  })
+  test('Team member cannot use undefined self-service permission', () => {
+    expect(authz.hasSelfService(teamId, 'notARealPermission')).toBeDefined()
+  })
+})
+
+describe('Authz middleware cases', () => {
+  const spec: OpenAPIDoc = {
+    components: { schemas: { Service: { type: 'object', 'x-acl': { teamMember: ['read'] }, properties: {} } } },
+    paths: {},
+    security: [],
+  }
+  let authz: Authz
+  beforeEach(() => {
+    authz = new Authz(spec).init(sessionTeam)
+  })
+
+  test('Returns false if user is not in team', () => {
+    expect(authz.validateWithCasl('read', 'Service', 'notMyTeam')).toBe(false)
+  })
+  test('Returns true if user is in team', () => {
+    expect(authz.validateWithCasl('read', 'Service', 'mercury')).toBe(true)
+  })
+  test('Returns false if schema is missing', () => {
+    expect(authz.validateWithCasl('read', '', 'mercury')).toBe(false)
+  })
+  test('Returns false if action is not allowed', () => {
+    expect(authz.validateWithCasl('delete', 'Service', 'mercury')).toBe(false)
+  })
+})
+
+describe('Platform admin, team admin and team member scenarios', () => {
+  const spec: OpenAPIDoc = {
+    components: {
+      schemas: {
+        Resource: {
+          type: 'object',
+          'x-acl': {
+            platformAdmin: ['create-any', 'read-any', 'update-any', 'delete-any'],
+            teamAdmin: ['create', 'read', 'update', 'delete'],
+            teamMember: ['read'],
+          },
+          properties: {},
+        },
+      },
+    },
+    paths: {},
+    security: [],
+  }
+  const platformAdmin: SessionUser = { ...sessionTeam, isPlatformAdmin: true, roles: [SessionRole.PlatformAdmin] }
+  const teamAdmin: SessionUser = { ...sessionTeam, isTeamAdmin: true, roles: [SessionRole.TeamAdmin] }
+  const myTeam = 'mercury'
+  const otherTeam = 'venus'
+
+  test('Platform admin can CRUD any resource', () => {
+    const authz = new Authz(spec).init(platformAdmin)
+    expect(authz.validateWithCasl('create', 'Resource', 'anyTeam')).toBe(true)
+    expect(authz.validateWithCasl('read', 'Resource', 'anyTeam')).toBe(true)
+    expect(authz.validateWithCasl('update', 'Resource', 'anyTeam')).toBe(true)
+    expect(authz.validateWithCasl('delete', 'Resource', 'anyTeam')).toBe(true)
+  })
+  test('Team admin can CRUD resources in their team', () => {
+    const authz = new Authz(spec).init(teamAdmin)
+    expect(authz.validateWithCasl('create', 'Resource', myTeam)).toBe(true)
+    expect(authz.validateWithCasl('read', 'Resource', myTeam)).toBe(true)
+    expect(authz.validateWithCasl('update', 'Resource', myTeam)).toBe(true)
+    expect(authz.validateWithCasl('delete', 'Resource', myTeam)).toBe(true)
+  })
+  test('Team admin cannot CRUD resources in other teams', () => {
+    const authz = new Authz(spec).init(teamAdmin)
+    expect(authz.validateWithCasl('create', 'Resource', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('read', 'Resource', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('update', 'Resource', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('delete', 'Resource', otherTeam)).toBe(false)
+  })
+  test('Team member can Read resources', () => {
+    const authz = new Authz(spec).init(sessionTeam)
+    expect(authz.validateWithCasl('read', 'Resource', myTeam)).toBe(true)
+  })
+  test('Team member cannot CUD resources', () => {
+    const authz = new Authz(spec).init(sessionTeam)
+    expect(authz.validateWithCasl('create', 'Resource', myTeam)).toBe(false)
+    expect(authz.validateWithCasl('update', 'Resource', myTeam)).toBe(false)
+    expect(authz.validateWithCasl('delete', 'Resource', myTeam)).toBe(false)
+  })
+  test('Team member cannot CRUD resources in other teams', () => {
+    const authz = new Authz(spec).init(sessionTeam)
+    expect(authz.validateWithCasl('create', 'Resource', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('read', 'Resource', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('update', 'Resource', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('delete', 'Resource', otherTeam)).toBe(false)
+  })
+  test('Platform admin can perform self-service actions', () => {
+    const authz = new Authz(spec).init(platformAdmin)
+    expect(authz.hasSelfService('anyTeam', 'downloadKubeconfig')).toBeDefined()
+    expect(authz.hasSelfService('anyTeam', 'downloadDockerLogin')).toBeDefined()
+    expect(authz.hasSelfService('anyTeam', 'useCloudShell')).toBeDefined()
+    expect(authz.hasSelfService('anyTeam', 'editSecurityPolicies')).toBeDefined()
+  })
+})
+
+describe('ABAC attribute denial', () => {
+  const spec: OpenAPIDoc = {
+    components: {
+      schemas: {
+        Team: { type: 'object', 'x-acl': { teamMember: ['update'] }, properties: {} },
+      },
+    },
+    paths: {},
+    security: [],
+  }
+  const teamId = 'teamA'
+  let authz: Authz
+  beforeEach(() => {
+    authz = new Authz(spec).init(sessionTeam)
+    sessionTeam.authz = { [teamId]: { deniedAttributes: { Team: ['foo', 'bar'] } } }
+  })
+  test('Denied attributes are respected', () => {
+    expect(() => authz.hasSelfService(teamId, 'foo')).not.toThrow()
+    expect(() => authz.hasSelfService(teamId, 'bar')).not.toThrow()
+  })
+  test('Allowed attribute is not denied', () => {
+    expect(() => authz.hasSelfService(teamId, 'baz')).not.toThrow()
+  })
+  afterEach(() => {
+    sessionTeam.authz = {}
+  })
+})
+
+describe('Fallback to CASL when no self-service permission', () => {
+  const spec: OpenAPIDoc = {
+    components: {
+      schemas: {
+        App: { type: 'object', 'x-acl': { teamMember: ['read'] }, properties: {} },
+      },
+    },
+    paths: {},
+    security: [],
+  }
+  let authz: Authz
+  beforeEach(() => {
+    authz = new Authz(spec).init(sessionTeam)
+  })
+  test('Falls back to CASL for non-self-service action', () => {
+    expect(authz.validateWithCasl('read', 'App', 'mercury')).toBe(true)
+  })
+  test('Returns false for denied action', () => {
+    expect(authz.validateWithCasl('delete', 'App', 'mercury')).toBe(false)
+  })
+})
+
+describe('Team member self-service vs. other team resources', () => {
+  const spec: OpenAPIDoc = {
+    components: {
+      schemas: {
+        Service: {
+          type: 'object',
+          'x-acl': {
+            teamMember: ['read', 'update', 'delete', 'create'],
+          },
+          properties: {
+            name: { type: 'string' },
+            teamId: { type: 'string' },
+          },
+        },
+      },
+    },
+    paths: {},
+    security: [],
+  }
+  const myTeam = 'mercury'
+  const otherTeam = 'venus'
+  let authz: Authz
+  beforeEach(() => {
+    authz = new Authz(spec).init({ ...sessionTeam, teams: [myTeam] })
+  })
+
+  test('Team member can CRUD own team resource', () => {
+    expect(authz.validateWithCasl('create', 'Service', myTeam)).toBe(true)
+    expect(authz.validateWithCasl('read', 'Service', myTeam)).toBe(true)
+    expect(authz.validateWithCasl('update', 'Service', myTeam)).toBe(true)
+    expect(authz.validateWithCasl('delete', 'Service', myTeam)).toBe(true)
+  })
+
+  test('Team member cannot CRUD another team resource', () => {
+    expect(authz.validateWithCasl('create', 'Service', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('read', 'Service', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('update', 'Service', otherTeam)).toBe(false)
+    expect(authz.validateWithCasl('delete', 'Service', otherTeam)).toBe(false)
+  })
+
+  test('Team member with no self-service permission cannot perform custom self-service action', () => {
+    sessionTeam.authz = { [myTeam]: { deniedAttributes: { Policy: ['editSecurityPolicies'] } } }
+    expect(() => authz.hasSelfService(myTeam, 'editSecurityPolicies')).not.toThrow()
+    sessionTeam.authz = {}
+  })
+
+  test('Team member with no self-service permission cannot perform custom self-service action in another team', () => {
+    sessionTeam.authz = { [otherTeam]: { deniedAttributes: { Policy: ['editSecurityPolicies'] } } }
+    expect(() => authz.hasSelfService(myTeam, 'editSecurityPolicies')).not.toThrow()
+    sessionTeam.authz = {}
+  })
+
+  test('Team member with self-service permission can perform allowed self-service action', () => {
+    expect(() => authz.hasSelfService(myTeam, 'read')).not.toThrow()
+  })
+})

src/authz.test.ts

@@ -7,7 +7,6 @@ import Authz, { getTeamSelfServiceAuthz } from 'src/authz'
 import { HttpError } from 'src/error'
 import { OpenApiRequestExt } from 'src/otomi-models'
 import OtomiStack from 'src/otomi-stack'
-import { cleanEnv } from 'src/validators'
 import { RepoService } from '../services/RepoService'
 import { getSessionStack } from './session'
 
@@ -54,15 +53,20 @@ export function authorize(req: OpenApiRequestExt, res, next, authz: Authz, repoS
   authz.init(user)
 
   let valid
-  if (action === 'read' && schemaName === 'Kubecfg') valid = authz.hasSelfService(teamId, 'downloadKubeconfig')
-  else if (action === 'read' && schemaName === 'DockerConfig')
-    valid = authz.hasSelfService(teamId, 'downloadDockerLogin')
-  else if (action === 'create' && schemaName === 'Cloudtty') valid = authz.hasSelfService(teamId, 'useCloudShell')
-  else if (action === 'update' && schemaName === 'Policy') valid = authz.hasSelfService(teamId, 'editSecurityPolicies')
-  else valid = authz.validateWithCasl(action, schemaName, teamId)
-  const env = cleanEnv({})
-  // TODO: Debug purpose only for removal of license
-  if (!env.isDev && !valid) {
+  const isTeamMember = !user.isPlatformAdmin && user.teams.includes(teamId)
+  if (isTeamMember) {
+    const permissionMap: Record<string, string> = {
+      'read:Kubecfg': 'downloadKubeconfig',
+      'read:DockerConfig': 'downloadDockerLogin',
+      'create:Cloudtty': 'useCloudShell',
+      'update:Policy': 'editSecurityPolicies',
+    }
+    const key = `${action}:${schemaName}`
+    const permission = permissionMap[key]
+    valid = permission ? authz.hasSelfService(teamId, permission) : authz.validateWithCasl(action, schemaName, teamId)
+  } else valid = authz.validateWithCasl(action, schemaName, teamId)
+
+  if (!valid) {
     throw new HttpError(403, `User not allowed to perform "${action}" on "${schemaName}" resource`)
   }
 

src/middleware/authz.ts

@@ -1929,7 +1929,7 @@ paths:
     get:
       operationId: getAplCodeRepo
       description: Get a code repo from a given team
-      x-aclSchema: Coderepo
+      x-aclSchema: CodeRepo
       responses:
         <<: *DefaultGetResponses
         '200':

src/openapi/api.yaml

@@ -106,10 +106,10 @@ Team:
       - create-any
       - update-any
     teamAdmin:
-      - read-any
+      - read
       - update
     teamMember:
-      - read-any
+      - read
       - update
   type: object
   x-externalDocsPath: docs/for-ops/console/teams