fix(Deployment): Checks for subscription and access to cres and infra…
…s should be done as owner of the deployment
0xbase12 committed Nov 22, 2024
1 parent e5619a8 commit b73b630
Showing 8 changed files with 75 additions and 77 deletions.
25 changes: 19 additions & 6 deletions code/src/com/sixsq/nuvla/auth/utils.clj
@@ -2,36 +2,49 @@
(:require
[clojure.string :as str]))


(def ^{:doc "Internal administrator identity for database queries."}
internal-identity
{:user-id "internal"
:active-claim "group/nuvla-admin"
:claims #{"group/nuvla-admin" "group/nuvla-user" "group/nuvla-anon"}})

(defn get-internal-request
[]
{:nuvla/authn internal-identity})

(defn get-owner-authn
[{:keys [owner] :as _resource}]
{:claims #{owner "group/nuvla-user" "group/nuvla-anon"}
:user-id owner
:active-claim owner})

(defn get-owner-request
[resource]
{:nuvla/authn (get-owner-authn resource)})

(defn get-resource-id-authn
[{id :id :as _resource}]
{:claims #{id "group/nuvla-user" "group/nuvla-anon"}
:user-id id
:active-claim id})

(defn current-authentication
"Extracts the current authentication from the ring request."
[{:keys [nuvla/authn] :as _request}]
(select-keys authn [:user-id :active-claim :claims]))


(defn current-user-id
[request]
(:user-id (current-authentication request)))


(defn current-active-claim
[request]
(:active-claim (current-authentication request)))


(defn current-session-id
[request]
(->> request
current-authentication
:claims
(filter #(str/starts-with? % "session/"))
first))
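Review bot: `get-owner-authn`, `get-owner-request` and `get-resource-id-authn` build a complete authentication map from a field of whatever map they are handed, and none of them has a docstring saying so, unlike `current-authentication` just below them. Because the result is used to authorize access as that owner, each should state that the argument must be a resource loaded from storage and never a request body, e.g. `"Synthesises the authn of the resource's :owner; pass only a stored resource, :owner is trusted as-is."`. A map without `:owner` yields `:user-id nil` and a `nil` member in `:claims`. How the ACL code treats that identity is not visible on this page, so it deserves a test or an explicit guard.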


12 changes: 6 additions & 6 deletions code/src/com/sixsq/nuvla/server/resources/deployment.clj
@@ -297,9 +297,9 @@ a container orchestration engine.
deployment (-> (crud/retrieve-by-id-as-admin id)
(u/throw-cannot-do-action-invalid-state utils/can-start? "start")
(utils/throw-when-payment-required request)
(utils/throw-can-not-access-registries-creds request)
(utils/throw-can-not-access-helm-repo-cred request)
(utils/throw-can-not-access-helm-repo-url request))
utils/throw-can-not-access-registries-creds
utils/throw-can-not-access-helm-repo-cred
utils/throw-can-not-access-helm-repo-url)
stopped? (= (:state deployment) "STOPPED")
user-rights? (get-in deployment [:module :content :requires-user-rights])
data? (some? (:data deployment))
@@ -384,9 +384,9 @@ a container orchestration engine.
(u/throw-cannot-do-action-invalid-state
utils/can-update? "update_deployment")
(utils/throw-when-payment-required request)
(utils/throw-can-not-access-registries-creds request)
(utils/throw-can-not-access-helm-repo-cred request)
(utils/throw-can-not-access-helm-repo-url request))
utils/throw-can-not-access-registries-creds
utils/throw-can-not-access-helm-repo-cred
utils/throw-can-not-access-helm-repo-url)
new (-> current
(assoc :state "UPDATING")
(edit-deployment request))]
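Review bot: With `request` dropped from the three `throw-can-not-access-*` steps (in the start hunk and again in the `update_deployment` hunk at -384), the caller's identity no longer takes part in the registry-credential and Helm-repo checks, and in the start hunk the deployment itself is fetched with `crud/retrieve-by-id-as-admin`. The caller's right to run the action is then the only control left before the owner's credentials are used, and that check appears in neither hunk; the enclosing functions start and end outside them. If it is enforced in the action dispatch, a comment above the threading such as `;; caller's right to run this action is checked by <where>; the checks below deliberately run as the deployment owner` would make the dependency explicit.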
34 changes: 16 additions & 18 deletions code/src/com/sixsq/nuvla/server/resources/deployment/utils.clj
@@ -175,25 +175,25 @@
(resource-log/create-log id components acl opts)))

(defn throw-can-not-access-registries-creds
[{:keys [registries-credentials] :as resource} request]
[{:keys [registries-credentials] :as resource}]
(let [preselected-creds (-> resource
(get-in [:module :content :registries-credentials] [])
set)
creds-to-be-checked (set/difference (set registries-credentials) preselected-creds)]
(module-utils/throw-cannot-access-registries-credentials creds-to-be-checked request)
(module-utils/throw-cannot-access-registries-credentials creds-to-be-checked (auth/get-owner-request resource))
resource))


(defn throw-can-not-access-helm-repo-url
[resource request]
[resource]
(let [helm-repo-url (get-in resource [:module :content :helm-repo-url])]
(module-utils/throw-can-not-access-helm-repo-url helm-repo-url request)
(module-utils/throw-can-not-access-helm-repo-url helm-repo-url (auth/get-owner-request resource))
resource))

(defn throw-can-not-access-helm-repo-cred
[resource request]
[resource]
(let [cred (get-in resource [:module :content :helm-repo-cred])]
(module-utils/throw-can-not-access-helm-repo-cred cred request)
(module-utils/throw-can-not-access-helm-repo-cred cred (auth/get-owner-request resource))
resource))


@@ -291,20 +291,18 @@
(seq files) (assoc :files files)))))

(defn throw-when-payment-required
[{{:keys [price] :as module} :module :as deployment} request]
[{{:keys [price] :as module} :module owner :owner :as deployment} request]
(if (or (nil? config-nuvla/*stripe-api-key*)
(a/is-admin? (auth/current-authentication request))
(let [active-claim (auth/current-active-claim request)]
(or
(a/can-edit-data? module request)
(case (:status (payment/active-claim->subscription active-claim))
("active" "past_due") true
"trialing" (or (nil? price)
(:follow-customer-trial price)
(-> active-claim
payment/active-claim->s-customer
payment/can-pay?))
false))))
(a/can-edit-data? module request)
(case (:status (payment/active-claim->subscription owner))
("active" "past_due") true
"trialing" (or (nil? price)
(:follow-customer-trial price)
(-> owner
payment/active-claim->s-customer
payment/can-pay?))
false))
deployment
(payment/throw-payment-required)))
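Review bot: `throw-when-payment-required` now looks up the subscription for `owner`, but the two bypass branches above it, `(a/is-admin? (auth/current-authentication request))` and `(a/can-edit-data? module request)`, still evaluate the caller, so the function decides on two different identities without saying so. A deployment map with no `:owner` passes `nil` to `payment/active-claim->subscription`; the `case` reaches its `false` default only if that call returns rather than throws, which is not visible here. A docstring such as `"Returns deployment when billing is disabled, the caller is admin or can edit the module, or the deployment owner's subscription allows it; otherwise throws payment-required."` would record the intent, and a nil-owner test would pin the fail-closed path.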

40 changes: 10 additions & 30 deletions code/src/com/sixsq/nuvla/server/resources/deployment_set.clj
@@ -111,26 +111,6 @@ These resources represent a deployment set that regroups deployments.
;; CRUD operations
;;

(defn get-owner-authn
[{:keys [owner] :as _resource}]
{:claims #{owner "group/nuvla-user"}
:user-id owner
:active-claim owner})

(defn get-owner-request
[resource]
{:nuvla/authn (get-owner-authn resource)})

(defn get-dg-authn
[{dg-id :id :as _resource}]
{:claims [dg-id "group/nuvla-user"]
:user-id dg-id
:active-claim dg-id})

(defn get-internal-request
[]
{:nuvla/authn auth/internal-identity})

(defn load-resource-throw-not-allowed-action
[{{:keys [uuid]} :params :as request}]
(-> (str resource-type "/" uuid)
@@ -143,7 +123,7 @@ These resources represent a deployment set that regroups deployments.
(divergence-map (load-resource-throw-not-allowed-action request) request))
([{:keys [applications-sets] :as deployment-set} _request]
(when (seq applications-sets)
(let [owner-request (get-owner-request deployment-set)
(let [owner-request (auth/get-owner-request deployment-set)
applications-sets (-> deployment-set
utils/get-applications-sets-href
(crud/get-resource-throw-nok owner-request))
@@ -182,7 +162,7 @@ These resources represent a deployment set that regroups deployments.

(defn create-module-apps-set
[{:keys [owner modules] :as resource} request]
(let [modules-data (mapv #(retrieve-module-as % (get-owner-authn resource))
(let [modules-data (mapv #(retrieve-module-as % (auth/get-owner-authn resource))
(distinct modules))]
(create-module
{:path (str module-utils/project-apps-sets "/" (u/rand-uuid))
@@ -215,7 +195,7 @@ These resources represent a deployment set that regroups deployments.
If :fleet is not specified, it is computed by querying edges satisfying the :fleet-filter.
If both :fleet and :fleet-filter are specified, they are stored as-is, no consistency check is made."
[{:keys [fleet fleet-filter overwrites] :as resource}]
(let [owner-authn (get-owner-authn resource)
(let [owner-authn (auth/get-owner-authn resource)
owner-request {:nuvla/authn owner-authn}
apps-set-id (create-module-apps-set resource owner-request)
fleet (or fleet (map :id (some-> fleet-filter (utils/query-nuvlaboxes-as owner-authn))))]
@@ -266,10 +246,10 @@ These resources represent a deployment set that regroups deployments.
(defn check-edges-permissions
[{:keys [id] :as resource}]
(let [fleet (get-in resource [:applications-sets 0 :overwrites 0 :fleet])
missing-edges (utils/get-missing-edges resource (get-internal-request))
missing-edges (utils/get-missing-edges resource (auth/get-internal-request))
not-deleted-edges (set/difference (set fleet) (set missing-edges))
cimi-filter (str "id=['" (str/join "','" not-deleted-edges) "']")
retrieved-fleet (utils/query-nuvlaboxes-as cimi-filter (get-owner-authn resource))]
retrieved-fleet (utils/query-nuvlaboxes-as cimi-filter (auth/get-owner-authn resource))]
(when (not= (count not-deleted-edges) (count retrieved-fleet))
(throw (r/ex-response "All edges must be visible to DG owner" 403 id)))
resource))
@@ -278,7 +258,7 @@ These resources represent a deployment set that regroups deployments.
[{:keys [id] :as resource}]
(let [apps (get-in resource [:applications-sets 0 :overwrites 0 :applications])
cimi-filter (str "id=['" (str/join "','" (map :id apps)) "']")
retrieved-apps (utils/query-modules-as cimi-filter (get-owner-authn resource))]
retrieved-apps (utils/query-modules-as cimi-filter (auth/get-owner-authn resource))]
(when (not= (count apps) (count retrieved-apps))
(throw (r/ex-response (str "All apps must be visible to DG owner : "
(mapv :id apps)
@@ -316,8 +296,8 @@ These resources represent a deployment set that regroups deployments.

(defn authn-info-payload
[resource]
{:dg-owner-authn-info (get-owner-authn resource)
:dg-authn-info (get-dg-authn resource)})
{:dg-owner-authn-info (auth/get-owner-authn resource)
:dg-authn-info (auth/get-resource-id-authn resource)})

(defn action-bulk
[{:keys [id] :as resource} {{:keys [action]} :params :as request}]
@@ -361,7 +341,7 @@ These resources represent a deployment set that regroups deployments.
(defmethod crud/do-action [resource-type utils/action-plan]
[request]
(let [deployment-set (load-resource-throw-not-allowed-action request)
owner-request (get-owner-request deployment-set)
owner-request (auth/get-owner-request deployment-set)
applications-sets (-> deployment-set
utils/get-applications-sets-href
(crud/get-resource-throw-nok owner-request))]
@@ -370,7 +350,7 @@ These resources represent a deployment set that regroups deployments.
(defmethod crud/do-action [resource-type utils/action-check-requirements]
[request]
(let [deployment-set (load-resource-throw-not-allowed-action request)
owner-request (get-owner-request deployment-set)
owner-request (auth/get-owner-request deployment-set)
applications-sets (-> deployment-set
utils/get-applications-sets-href
(crud/get-resource-throw-nok owner-request))]
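Review bot: `authn-info-payload` (hunk at -316) now takes `:dg-authn-info` from `auth/get-resource-id-authn`, which differs from the removed `get-dg-authn` in two ways: `:claims` is a set instead of a vector, and it gains `group/nuvla-anon`; the owner identity gains that claim as well. The map ends up in the bulk-job payload, so whatever consumes that payload now receives the claims in unspecified order and with one more group, and that consumer is not visible on this page. A comment on `authn-info-payload` such as `;; claims are sets: serialised order is not stable, consumers must not index into them` would record the change.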
@@ -406,7 +406,7 @@

(defn query-nuvlaboxes
[cimi-filter request]
(query-nuvlaboxes-as cimi-filter (:nuvla/authn request)))
(query-nuvlaboxes-as cimi-filter (auth/current-authentication request)))

(defn get-missing-edges
[deployment-set request]
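Review bot: `query-nuvlaboxes` now forwards `(auth/current-authentication request)`, which is a `select-keys` result, so a request with no `:nuvla/authn` yields `{}` where the old `(:nuvla/authn request)` yielded `nil`. Whether `query-nuvlaboxes-as` treats an empty map the same as a missing identity is not visible in this hunk. A one-line docstring, e.g. `"Queries nuvlaboxes with the caller's authn (user-id, active-claim and claims only)."`, plus a test with an unauthenticated request would settle it.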
@@ -114,4 +114,4 @@
[m-a m-b] {:arg1 [m-a m-b] :arg2 [m-a (assoc m-b :value "any")]})))

(deftest throw-can-not-access-helm-repo-cred
(is (= (t/throw-can-not-access-helm-repo-cred {} {}) {})))
(is (= (t/throw-can-not-access-helm-repo-cred {}) {})))
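Review bot: This assertion, and its twin in the hunk at -657, passes `{}`, a deployment with neither `:owner` nor a Helm credential, so the owner-based check this commit introduces is never exercised. A case with a populated `:owner` and `[:module :content :helm-repo-cred]` where the owner can read the credential, and one where the owner cannot, would pin that the decision follows the owner. The same applies to `throw-can-not-access-registries-creds` and `throw-can-not-access-helm-repo-url`.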
@@ -39,9 +39,6 @@
(def app6-id "module/64e8d02d-1b40-46d0-b1d8-2093024fc1d2")
(def app7-id "module/1cefb94b-c527-4b8a-be5f-802b131c1a9e")

(def all-apps
(mapv (fn [app-id] {:id app-id}) [app1-id app2-id app3-id app4-id app5-id app6-id app7-id]))

(def dep-apps-sets [{:id app5-id,
:version 11,
:overwrites
@@ -178,6 +175,14 @@
:manage ["group/nuvla-admin"],
:edit-meta ["group/nuvla-admin"]}})

(defn read-payload
[payload]
(-> payload
json/read-str
(update-in ["authn-info" "claims"] set)
(update-in ["dg-authn-info" "claims"] set)
(update-in ["dg-owner-authn-info" "claims"] set)))

(deftest plan-test
(is (= (utils/plan u-deployment-set u-applications-sets-v11)
#{{:app-set "set-1"
@@ -329,18 +334,20 @@

dep-set-url (str p/service-context resource-id)
job-payload {"authn-info" {"active-claim" "user/jane"
"claims" ["group/nuvla-anon"
"user/jane"
"group/nuvla-user"
session-id]
"claims" #{"group/nuvla-anon"
"user/jane"
"group/nuvla-user"
session-id}
"user-id" "user/jane"}
"dg-authn-info" {"active-claim" resource-id
"claims" [resource-id
"group/nuvla-user"]
"claims" #{resource-id
"group/nuvla-user"
"group/nuvla-anon"}
"user-id" resource-id}
"dg-owner-authn-info" {"active-claim" "user/jane"
"claims" ["user/jane"
"group/nuvla-user"]
"claims" #{"group/nuvla-anon"
"user/jane"
"group/nuvla-user"}
"user-id" "user/jane"}}]

(testing "user query should see one document"
@@ -614,7 +621,7 @@
(ltu/is-status 200)
(ltu/is-key-value :href :target-resource resource-id)
(ltu/is-key-value :action "bulk_deployment_set_update")
(ltu/is-key-value json/read-str :payload job-payload))))
(ltu/is-key-value read-payload :payload job-payload))))

(testing "edit action is not allowed in a transitional state"
(with-redefs [crud/get-resource-throw-nok
@@ -670,7 +677,7 @@
(ltu/is-status 200)
(ltu/is-key-value :href :target-resource resource-id)
(ltu/is-key-value :action "bulk_deployment_set_update")
(ltu/is-key-value json/read-str :payload job-payload))
(ltu/is-key-value read-payload :payload job-payload))
(testing "cancel action will cancel the running job"
(let [cancel-op-url (-> session-user
(request dep-set-url)
@@ -739,7 +746,7 @@
(ltu/is-status 200)
(ltu/is-key-value :href :target-resource resource-id)
(ltu/is-key-value :action "bulk_deployment_set_stop")
(ltu/is-key-value json/read-str :payload job-payload))
(ltu/is-key-value read-payload :payload job-payload))
(-> session-user
(request dep-set-url)
ltu/body->edn
@@ -657,7 +657,7 @@
(lifecycle-test-module module-spec/subtype-app-helm valid-application)))

(deftest throw-can-not-access-helm-repo-cred
(is (= (t/throw-can-not-access-helm-repo-cred {} {}) {})))
(is (= (t/throw-can-not-access-helm-repo-cred {}) {})))

(deftest bad-methods
(let [resource-uri (str p/service-context (u/new-resource-id module/resource-type))]
