Add Jira permission check in heartbeat (fixes #105) (#165)

leplatrem · Bryan Sieber · web-flow · commit 4f37ebc97265 · 2022-08-02T21:55:17.000+02:00
* Fetch permissions in heartbeat * Obtain projects permissions in parallel calls * Updating call to jira_client as get_permissions * Updating tests * Refactor: fetch and validation are now separate functions; JIRA_REQUIRED_PERMISSIONS changed to an env var. * Use custom Jira client to avoid waiting for release * Fix linting and mocking * Manage list of required permissions at action module level (#177) * Manage list of required permissions at action module level * Fix list of missing permissions * Use atlassian-python-api @ master instead of release + inherited class Co-authored-by: Bryan Sieber <bsieber@mozilla.com>
diff --git a/jbi/actions/README.md b/jbi/actions/README.md
@@ -13,6 +13,8 @@ Let's create a `new_action`!
    ```python
    from jbi import ActionResult, Operation
 
+   JIRA_REQUIRED_PERMISSIONS = {"CREATE_ISSUES"}
+
    def init(jira_project_key, optional_param=42):
 
        def execute(payload) -> ActionResult:
@@ -28,6 +30,7 @@ Let's create a `new_action`!
    1. The returned `ActionResult` features a boolean to indicate whether something was performed or not, along with a `Dict` (used as a response to the WebHook endpoint).
 
 1. Use the `payload` to perform the desired processing!
+1. List the required Jira permissions to be set on projects that will use this action in the `JIRA_REQUIRED_PERMISSIONS` constant. The list of built-in permissions is [available on Atlanssian API docs](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-permission-schemes/#built-in-permissions).
 1. Use the available service calls from `jbi/services.py` (or make new ones)
 1. Update the `README.md` to document your action
 1. Now the action `jbi.actions.my_team_actions` can be used in the YAML configuration, under the `module` key.
diff --git a/jbi/actions/default.py b/jbi/actions/default.py
@@ -16,6 +16,13 @@
 
 logger = logging.getLogger(__name__)
 
+JIRA_REQUIRED_PERMISSIONS = {
+    "ADD_COMMENTS",
+    "CREATE_ISSUES",
+    "DELETE_ISSUES",
+    "EDIT_ISSUES",
+}
+
 
 def init(jira_project_key, **kwargs):
     """Function that takes required and optional params and returns a callable object"""
diff --git a/jbi/actions/default_with_assignee_and_status.py b/jbi/actions/default_with_assignee_and_status.py
@@ -10,12 +10,18 @@
 import logging
 
 from jbi import Operation
+from jbi.actions.default import (
+    JIRA_REQUIRED_PERMISSIONS as DEFAULT_JIRA_REQUIRED_PERMISSIONS,
+)
 from jbi.actions.default import DefaultExecutor
 from jbi.bugzilla import BugzillaBug, BugzillaWebhookRequest
 
 logger = logging.getLogger(__name__)
 
 
+JIRA_REQUIRED_PERMISSIONS = DEFAULT_JIRA_REQUIRED_PERMISSIONS
+
+
 def init(status_map=None, **kwargs):
     """Function that takes required and optional params and returns a callable object"""
     return AssigneeAndStatusExecutor(status_map=status_map or {}, **kwargs)
diff --git a/jbi/models.py b/jbi/models.py
@@ -25,6 +25,7 @@ class Action(YamlModel):
     allow_private: bool = False
     parameters: dict = {}
     _caller: Callable = PrivateAttr(default=None)
+    _required_jira_permissions: Set[str] = PrivateAttr(default=None)
 
     @property
     def caller(self) -> Callable:
@@ -35,6 +36,15 @@ def caller(self) -> Callable:
             self._caller = initialized
         return self._caller
 
+    @property
+    def required_jira_permissions(self) -> Set[str]:
+        """Return the required Jira permissions for this action to be executed."""
+        if not self._required_jira_permissions:
+            action_module: ModuleType = importlib.import_module(self.module)
+            perms = getattr(action_module, "JIRA_REQUIRED_PERMISSIONS")
+            self._required_jira_permissions = perms
+        return self._required_jira_permissions
+
     @root_validator
     def validate_action_config(cls, values):  # pylint: disable=no-self-argument
         """Validate action: exists, has init function, and has expected params"""
diff --git a/jbi/services.py b/jbi/services.py
@@ -1,4 +1,5 @@
 """Services and functions that can be used to create custom actions"""
+import concurrent.futures
 import logging
 from typing import Dict, List
 
@@ -112,6 +113,7 @@ def _jira_check_health(actions: Actions) -> ServiceHealth:
     health: ServiceHealth = {
         "up": is_up,
         "all_projects_are_visible": is_up and _all_jira_projects_visible(jira, actions),
+        "all_projects_have_permissions": _all_jira_projects_permissions(jira, actions),
     }
     return health
 
@@ -127,6 +129,68 @@ def _all_jira_projects_visible(jira, actions: Actions) -> bool:
     return not missing_projects
 
 
+def _all_jira_projects_permissions(jira, actions: Actions):
+    """Fetches and validates that required permissions exist for the configured projects"""
+    all_projects_perms = _fetch_jira_project_permissions(actions, jira)
+    return _validate_jira_permissions(all_projects_perms)
+
+
+def _fetch_jira_project_permissions(actions, jira):
+    """Fetches permissions for the configured projects"""
+    required_perms_by_project = {
+        action.parameters["jira_project_key"]: action.required_jira_permissions
+        for action in actions
+        if "jira_project_key" in action.parameters
+    }
+
+    all_projects_perms = {}
+    # Query permissions for all configured projects in parallel threads.
+    with concurrent.futures.ThreadPoolExecutor(max_workers=4) as executor:
+        futures_to_projects = {
+            executor.submit(
+                jira.get_permissions,
+                project_key=project_key,
+                permissions=",".join(required_permissions),
+            ): project_key
+            for project_key, required_permissions in required_perms_by_project.items()
+        }
+        # Obtain futures' results unordered.
+        for future in concurrent.futures.as_completed(futures_to_projects):
+            project_key = futures_to_projects[future]
+            response = future.result()
+            all_projects_perms[project_key] = (
+                required_perms_by_project[project_key],
+                response["permissions"],
+            )
+    return all_projects_perms
+
+
+def _validate_jira_permissions(all_projects_perms):
+    """Validates permissions for the configured projects"""
+    misconfigured = []
+    for project_key, (required_perms, obtained_perms) in all_projects_perms.items():
+        missing = required_perms - set(obtained_perms.keys())
+        not_given = set(
+            entry["key"]
+            for entry in obtained_perms.values()
+            if not entry["havePermission"]
+        )
+        if missing | not_given:
+            misconfigured.append((project_key, missing | not_given))
+    for project_key, missing in misconfigured:
+        logger.error(
+            "Configured credentials don't have permissions %s on Jira project %s",
+            ",".join(missing),
+            project_key,
+            extra={
+                "jira": {
+                    "project": project_key,
+                }
+            },
+        )
+    return not misconfigured
+
+
 def jbi_service_health_map(actions: Actions):
     """Returns dictionary of health check's for Bugzilla and Jira Services"""
     return {
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -11,7 +11,7 @@ fastapi = "^0.79.0"
 pydantic = {version = "^1.9.1", extras = ["dotenv", "email"]}
 uvicorn = {extras = ["standard"], version = "^0.18.2"}
 python-bugzilla = "^3.2.0"
-atlassian-python-api = "^3.25.0"
+atlassian-python-api = { git = "https://github.com/atlassian-api/atlassian-python-api.git", rev = "82293a2ac9bfa" }
 dockerflow = "2022.7.0"
 Jinja2 = "^3.1.2"
 pydantic-yaml = {extras = ["pyyaml","ruamel"], version = "^0.8.0"}
diff --git a/tests/unit/test_router.py b/tests/unit/test_router.py
@@ -135,6 +135,7 @@ def test_read_heartbeat_all_services_fail(anon_client, mocked_jira, mocked_bugzi
         "jira": {
             "up": False,
             "all_projects_are_visible": False,
+            "all_projects_have_permissions": False,
         },
         "bugzilla": {
             "up": False,
@@ -154,6 +155,7 @@ def test_read_heartbeat_jira_services_fails(anon_client, mocked_jira, mocked_bug
         "jira": {
             "up": False,
             "all_projects_are_visible": False,
+            "all_projects_have_permissions": False,
         },
         "bugzilla": {
             "up": True,
@@ -176,6 +178,7 @@ def test_read_heartbeat_bugzilla_services_fails(
         "jira": {
             "up": True,
             "all_projects_are_visible": True,
+            "all_projects_have_permissions": False,
         },
         "bugzilla": {
             "up": False,
@@ -188,6 +191,14 @@ def test_read_heartbeat_success(anon_client, mocked_jira, mocked_bugzilla):
     mocked_bugzilla().logged_in = True
     mocked_jira().get_server_info.return_value = {}
     mocked_jira().projects.return_value = [{"key": "DevTest"}]
+    mocked_jira().get_permissions.return_value = {
+        "permissions": {
+            "ADD_COMMENTS": {"havePermission": True},
+            "CREATE_ISSUES": {"havePermission": True},
+            "EDIT_ISSUES": {"havePermission": True},
+            "DELETE_ISSUES": {"havePermission": True},
+        },
+    }
 
     resp = anon_client.get("/__heartbeat__")
 
@@ -196,6 +207,7 @@ def test_read_heartbeat_success(anon_client, mocked_jira, mocked_bugzilla):
         "jira": {
             "up": True,
             "all_projects_are_visible": True,
+            "all_projects_have_permissions": True,
         },
         "bugzilla": {
             "up": True,
@@ -215,6 +227,35 @@ def test_jira_heartbeat_visible_projects(anon_client, mocked_jira, mocked_bugzil
         "jira": {
             "up": True,
             "all_projects_are_visible": False,
+            "all_projects_have_permissions": False,
+        },
+        "bugzilla": {
+            "up": True,
+        },
+    }
+
+
+def test_jira_heartbeat_missing_permissions(anon_client, mocked_jira, mocked_bugzilla):
+    """/__heartbeat__ fails if configured projects don't match."""
+    mocked_bugzilla().logged_in = True
+    mocked_jira().get_server_info.return_value = {}
+    mocked_jira().get_project_permission_scheme.return_value = {
+        "permissions": {
+            "ADD_COMMENTS": {"havePermission": True},
+            "CREATE_ISSUES": {"havePermission": True},
+            "EDIT_ISSUES": {"havePermission": False},
+            "DELETE_ISSUES": {"havePermission": True},
+        },
+    }
+
+    resp = anon_client.get("/__heartbeat__")
+
+    assert resp.status_code == 503
+    assert resp.json() == {
+        "jira": {
+            "up": True,
+            "all_projects_are_visible": False,
+            "all_projects_have_permissions": False,
         },
         "bugzilla": {
             "up": True,
@@ -227,6 +268,14 @@ def test_head_heartbeat(anon_client, mocked_jira, mocked_bugzilla):
     mocked_bugzilla().logged_in = True
     mocked_jira().get_server_info.return_value = {}
     mocked_jira().projects.return_value = [{"key": "DevTest"}]
+    mocked_jira().get_permissions.return_value = {
+        "permissions": {
+            "ADD_COMMENTS": {"havePermission": True},
+            "CREATE_ISSUES": {"havePermission": True},
+            "EDIT_ISSUES": {"havePermission": True},
+            "DELETE_ISSUES": {"havePermission": True},
+        },
+    }
 
     resp = anon_client.head("/__heartbeat__")
 
