fix: default permissions for gh-team-allowlist. (#1974)
* Fix default permissions for gh-team-allowlist.

* Fix broken links.
nishkrishnan authored Jan 4, 2022
1 parent 1f44d2f commit b7b28b8
Showing 6 changed files with 50 additions and 8 deletions.
5 changes: 0 additions & 5 deletions cmd/server.go
Expand Up @@ -117,7 +117,6 @@ const (
DefaultBitbucketBaseURL = bitbucketcloud.BaseURL
DefaultDataDir = "~/.atlantis"
DefaultGHHostname = "github.com"
DefaultGHTeamAllowlist = ""
DefaultGitlabHostname = "gitlab.com"
DefaultLogLevel = "info"
DefaultParallelPoolSize = 15
Expand Down Expand Up @@ -211,7 +210,6 @@ var stringFlags = map[string]stringFlag{
"and allows the 'devops' team to perform any operation. If this argument is not provided, the default value (*:*) " +
"will be used and the default behavior will be to not check permissions " +
"and to allow users from any team to perform any operation.",
defaultValue: DefaultGHTeamAllowlist,
},
GHUserFlag: {
description: "GitHub username of API user.",
Expand Down Expand Up @@ -663,9 +661,6 @@ func (s *ServerCmd) setDefaults(c *server.UserConfig) {
if c.VCSStatusName == "" {
c.VCSStatusName = DefaultVCSStatusName
}
if c.GithubTeamAllowlist == "" {
c.GithubTeamAllowlist = DefaultGHTeamAllowlist
}
if c.TFEHostname == "" {
c.TFEHostname = DefaultTFEHostname
}
4 changes: 2 additions & 2 deletions runatlantis.io/docs/troubleshooting-https.md
Expand Up @@ -4,9 +4,9 @@ When using a self-signed certificate for Atlantis (with flags `--ssl-cert-file`
there are a few considerations.

Atlantis uses the web server from the standard Go library,
the method name is [ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS).
the method name is [ListenAndServeTLS](https://pkg.go.dev/net/http#ListenAndServeTLS).

`ListenAndServeTLS` acts identically to [ListenAndServe](https://golang.org/pkg/net/http/#ListenAndServe),
`ListenAndServeTLS` acts identically to [ListenAndServe](https://pkg.go.dev/net/http#ListenAndServe),
except that it expects HTTPS connections.
Additionally, files containing a certificate and matching private key for the server must be provided.
If the certificate is signed by a certificate authority,
2 changes: 1 addition & 1 deletion server/events/command_runner.go
Expand Up @@ -174,7 +174,7 @@ func (c *DefaultCommandRunner) commentUserDoesNotHavePermissions(baseRepo models

// checkUserPermissions checks if the user has permissions to execute the command
func (c *DefaultCommandRunner) checkUserPermissions(repo models.Repo, user models.User, cmd *CommentCommand) (bool, error) {
if c.TeamAllowlistChecker == nil || len(c.TeamAllowlistChecker.rules) == 0 {
if c.TeamAllowlistChecker == nil || !c.TeamAllowlistChecker.HasRules() {
// allowlist restriction is not enabled
return true, nil
}
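Review bot: The new condition on the `if` line fails open: a nil checker or one whose parsed rule set is empty grants every user permission, and the inline comment only says the restriction is "not enabled". That is the documented behaviour for an omitted flag, but the same branch is reached when a non-empty allowlist string parses to zero rules, if NewTeamAllowlistChecker permits that (its body is not in this diff), so a misconfigured allowlist widens access instead of blocking it. Suggest stating the intent at the branch, e.g. `// No allowlist configured (nil checker or zero parsed rules): fail open and allow the command for every user.`, and logging at startup when a non-empty allowlist yields no rules so the fail-open path is visible to operators. checkUserPermissions continues past the end of the hunk.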
36 changes: 36 additions & 0 deletions server/events/command_runner_test.go
Expand Up @@ -242,6 +242,42 @@ func TestRunCommentCommand_GithubPullParseErr(t *testing.T) {
vcsClient.VerifyWasCalledOnce().CreateComment(fixtures.GithubRepo, fixtures.Pull.Num, "`Error: extracting required fields from comment data: err`", "")
}

func TestRunCommentCommand_TeamAllowListChecker(t *testing.T) {
t.Run("nil checker", func(t *testing.T) {
vcsClient := setup(t)
// by default these are false so don't need to reset
ch.TeamAllowlistChecker = nil
var pull github.PullRequest
modelPull := models.PullRequest{
BaseRepo: fixtures.GithubRepo,
State: models.OpenPullState,
}
When(githubGetter.GetPullRequest(fixtures.GithubRepo, fixtures.Pull.Num)).ThenReturn(&pull, nil)
When(eventParsing.ParseGithubPull(&pull)).ThenReturn(modelPull, modelPull.BaseRepo, fixtures.GithubRepo, nil)

ch.RunCommentCommand(fixtures.GithubRepo, nil, nil, fixtures.User, fixtures.Pull.Num, &events.CommentCommand{Name: models.PlanCommand})
vcsClient.VerifyWasCalled(Never()).GetTeamNamesForUser(fixtures.GithubRepo, fixtures.User)
vcsClient.VerifyWasCalledOnce().CreateComment(fixtures.GithubRepo, modelPull.Num, "Ran Plan for 0 projects:\n\n\n\n", "plan")
})

t.Run("no rules", func(t *testing.T) {
vcsClient := setup(t)
// by default these are false so don't need to reset
ch.TeamAllowlistChecker = &events.TeamAllowlistChecker{}
var pull github.PullRequest
modelPull := models.PullRequest{
BaseRepo: fixtures.GithubRepo,
State: models.OpenPullState,
}
When(githubGetter.GetPullRequest(fixtures.GithubRepo, fixtures.Pull.Num)).ThenReturn(&pull, nil)
When(eventParsing.ParseGithubPull(&pull)).ThenReturn(modelPull, modelPull.BaseRepo, fixtures.GithubRepo, nil)

ch.RunCommentCommand(fixtures.GithubRepo, nil, nil, fixtures.User, fixtures.Pull.Num, &events.CommentCommand{Name: models.PlanCommand})
vcsClient.VerifyWasCalled(Never()).GetTeamNamesForUser(fixtures.GithubRepo, fixtures.User)
vcsClient.VerifyWasCalledOnce().CreateComment(fixtures.GithubRepo, modelPull.Num, "Ran Plan for 0 projects:\n\n\n\n", "plan")
})
}

func TestRunCommentCommand_ForkPRDisabled(t *testing.T) {
t.Log("if a command is run on a forked pull request and this is disabled atlantis should" +
" comment saying that this is not allowed")
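Review bot: The two subtests differ only in the value assigned to `ch.TeamAllowlistChecker`; the fixtures, stubs, the RunCommentCommand call and both verifications are duplicated line for line, and the comment `// by default these are false so don't need to reset` describes nothing in this test, since no boolean field is touched. A table over the checker value removes the duplication and the stale comment, and the shared body is written once. `&events.TeamAllowlistChecker{}` bypasses NewTeamAllowlistChecker, which is fine for a zero-rule checker but is worth a comment so the case is not mistaken for a parsed empty allowlist. The subtests run sequentially (no t.Parallel), so capturing the loop variable in the closure is safe.
```go
func TestRunCommentCommand_TeamAllowListChecker(t *testing.T) {
	cases := []struct {
		name    string
		checker *events.TeamAllowlistChecker
	}{
		{name: "nil checker", checker: nil},
		// Constructed directly, not via NewTeamAllowlistChecker: a checker with zero rules.
		{name: "no rules", checker: &events.TeamAllowlistChecker{}},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			vcsClient := setup(t)
			ch.TeamAllowlistChecker = tc.checker
			// … unchanged: pull/modelPull fixtures, When(...) stubs, RunCommentCommand call, Never()/Once verifications …
		})
	}
}
```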
4 changes: 4 additions & 0 deletions server/events/team_allowlist_checker.go
Expand Up @@ -34,6 +34,10 @@ func NewTeamAllowlistChecker(allowlist string) (*TeamAllowlistChecker, error) {
}, nil
}

func (checker *TeamAllowlistChecker) HasRules() bool {
return len(checker.rules) > 0
}

// IsCommandAllowedForTeam returns true if the team is allowed to execute the command
// and false otherwise.
func (checker *TeamAllowlistChecker) IsCommandAllowedForTeam(team string, command string) bool {
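Review bot: HasRules is exported but carries no doc comment, unlike IsCommandAllowedForTeam directly below it; add `// HasRules reports whether the allowlist contains at least one team:command rule. Callers treat a checker without rules as "allowlist disabled".` It also dereferences `checker.rules` unconditionally, so a nil *TeamAllowlistChecker panics and every caller has to keep its own nil check, as checkUserPermissions in command_runner.go does in this same commit. Writing it as `return checker != nil && len(checker.rules) > 0` makes the method nil-safe and lets the call-site condition collapse to `!c.TeamAllowlistChecker.HasRules()`, keeping the enabled/disabled decision in one place.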
7 changes: 7 additions & 0 deletions server/events/team_allowlist_checker_test.go
Expand Up @@ -13,6 +13,13 @@ func TestNewTeamAllowListChecker(t *testing.T) {
Ok(t, err)
}

func TestNewTeamAllowListCheckerEmpty(t *testing.T) {
allowlist := ``
checker, err := events.NewTeamAllowlistChecker(allowlist)
Ok(t, err)
Equals(t, false, checker.HasRules())
}

func TestIsCommandAllowedForTeam(t *testing.T) {
allowlist := `bob:plan, dave:apply, connie:plan, connie:apply`
checker, err := events.NewTeamAllowlistChecker(allowlist)
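Review bot: TestNewTeamAllowListCheckerEmpty pins only the negative case of HasRules; nothing in this diff asserts that a non-empty allowlist reports true, so an implementation returning false unconditionally would still pass. Add `Equals(t, true, checker.HasRules())` to TestNewTeamAllowListChecker after its `Ok(t, err)` (that function begins above the hunk), or add a second case here with a one-rule allowlist. A whitespace-only allowlist such as `" "` is also worth a case, because whether it parses to zero rules, and therefore disables the check, depends on NewTeamAllowlistChecker, which is not in this diff.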
