From ce2b99223acc6ce9523bbf588668cadf16077011 Mon Sep 17 00:00:00 2001 From: Henry Muru Paenga Date: Wed, 15 Nov 2023 19:21:11 +1300 Subject: [PATCH] fix: Check user permissions on autoplan (#3742) * Check user permissions on autoplan --------- Co-authored-by: PePe Amengual --- .../events/events_controller_e2e_test.go | 4 ++-- server/events/command_runner.go | 16 +++++++++++++--- server/events/command_runner_test.go | 8 ++++---- 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/server/controllers/events/events_controller_e2e_test.go b/server/controllers/events/events_controller_e2e_test.go index d1e8280f9a..e56c2c4131 100644 --- a/server/controllers/events/events_controller_e2e_test.go +++ b/server/controllers/events/events_controller_e2e_test.go @@ -1363,7 +1363,7 @@ func setupE2E(t *testing.T, repoDir string, opt setupOption) (events_controllers conftextExec := policy.NewConfTestExecutorWorkflow(logger, binDir, &NoopTFDownloader{}) - // swapping out version cache to something that always returns local contest + // swapping out version cache to something that always returns local conftest // binary conftextExec.VersionCache = &LocalConftestCache{} @@ -1763,7 +1763,7 @@ func mkSubDirs(t *testing.T) (string, string, string) { // Will fail test if conftest isn't in path func ensureRunningConftest(t *testing.T) { - // use `conftest` command instead `contest$version`, so tests may fail on the environment cause the output logs may become change by version. + // use `conftest` command instead `conftest$version`, so tests may fail on the environment cause the output logs may become change by version. t.Logf("conftest check may fail depends on conftest version. please use latest stable conftest.") _, err := exec.LookPath(conftestCommand) if err != nil { diff --git a/server/events/command_runner.go b/server/events/command_runner.go index 085d846a9a..e9e44b864f 100644 --- a/server/events/command_runner.go +++ b/server/events/command_runner.go @@ -153,6 +153,16 @@ func (c *DefaultCommandRunner) RunAutoplanCommand(baseRepo models.Repo, headRepo timer := scope.Timer(metrics.ExecutionTimeMetric).Start() defer timer.Stop() + // Check if the user who triggered the autoplan has permissions to run 'plan'. + ok, err := c.checkUserPermissions(baseRepo, user, "plan") + if err != nil { + c.Logger.Err("Unable to check user permissions: %s", err) + return + } + if !ok { + return + } + ctx := &command.Context{ User: user, Log: log, @@ -227,7 +237,7 @@ func (c *DefaultCommandRunner) commentUserDoesNotHavePermissions(baseRepo models } // checkUserPermissions checks if the user has permissions to execute the command -func (c *DefaultCommandRunner) checkUserPermissions(repo models.Repo, user models.User, cmd *CommentCommand) (bool, error) { +func (c *DefaultCommandRunner) checkUserPermissions(repo models.Repo, user models.User, cmdName string) (bool, error) { if c.TeamAllowlistChecker == nil || !c.TeamAllowlistChecker.HasRules() { // allowlist restriction is not enabled return true, nil @@ -236,7 +246,7 @@ func (c *DefaultCommandRunner) checkUserPermissions(repo models.Repo, user model if err != nil { return false, err } - ok := c.TeamAllowlistChecker.IsCommandAllowedForAnyTeam(teams, cmd.Name.String()) + ok := c.TeamAllowlistChecker.IsCommandAllowedForAnyTeam(teams, cmdName) if !ok { return false, nil } @@ -278,7 +288,7 @@ func (c *DefaultCommandRunner) RunCommentCommand(baseRepo models.Repo, maybeHead defer timer.Stop() // Check if the user who commented has the permissions to execute the 'plan' or 'apply' commands - ok, err := c.checkUserPermissions(baseRepo, user, cmd) + ok, err := c.checkUserPermissions(baseRepo, user, cmd.Name.String()) if err != nil { c.Logger.Err("Unable to check user permissions: %s", err) return diff --git a/server/events/command_runner_test.go b/server/events/command_runner_test.go index 8f1a3a77c5..3905e45e30 100644 --- a/server/events/command_runner_test.go +++ b/server/events/command_runner_test.go @@ -271,7 +271,7 @@ func TestRunCommentCommand_GithubPullErr(t *testing.T) { t.Log("if getting the github pull request fails an error should be logged") vcsClient := setup(t) When(githubGetter.GetPullRequest(testdata.GithubRepo, testdata.Pull.Num)).ThenReturn(nil, errors.New("err")) - ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, nil, testdata.User, testdata.Pull.Num, nil) + ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, nil, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.Plan}) vcsClient.VerifyWasCalledOnce().CreateComment(testdata.GithubRepo, testdata.Pull.Num, "`Error: making pull request API call to GitHub: err`", "") } @@ -279,7 +279,7 @@ func TestRunCommentCommand_GitlabMergeRequestErr(t *testing.T) { t.Log("if getting the gitlab merge request fails an error should be logged") vcsClient := setup(t) When(gitlabGetter.GetMergeRequest(testdata.GitlabRepo.FullName, testdata.Pull.Num)).ThenReturn(nil, errors.New("err")) - ch.RunCommentCommand(testdata.GitlabRepo, &testdata.GitlabRepo, nil, testdata.User, testdata.Pull.Num, nil) + ch.RunCommentCommand(testdata.GitlabRepo, &testdata.GitlabRepo, nil, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.Plan}) vcsClient.VerifyWasCalledOnce().CreateComment(testdata.GitlabRepo, testdata.Pull.Num, "`Error: making merge request API call to GitLab: err`", "") } @@ -290,7 +290,7 @@ func TestRunCommentCommand_GithubPullParseErr(t *testing.T) { When(githubGetter.GetPullRequest(testdata.GithubRepo, testdata.Pull.Num)).ThenReturn(&pull, nil) When(eventParsing.ParseGithubPull(&pull)).ThenReturn(testdata.Pull, testdata.GithubRepo, testdata.GitlabRepo, errors.New("err")) - ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, nil, testdata.User, testdata.Pull.Num, nil) + ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, nil, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.Plan}) vcsClient.VerifyWasCalledOnce().CreateComment(testdata.GithubRepo, testdata.Pull.Num, "`Error: extracting required fields from comment data: err`", "") } @@ -1188,7 +1188,7 @@ func TestRunCommentCommand_DrainNotOngoing(t *testing.T) { t.Log("if drain is not ongoing then remove ongoing operation must be called even if panic occurred") setup(t) When(githubGetter.GetPullRequest(testdata.GithubRepo, testdata.Pull.Num)).ThenPanic("panic test - if you're seeing this in a test failure this isn't the failing test") - ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, nil, testdata.User, testdata.Pull.Num, nil) + ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, nil, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.Plan}) githubGetter.VerifyWasCalledOnce().GetPullRequest(testdata.GithubRepo, testdata.Pull.Num) Equals(t, 0, drainer.GetStatus().InProgressOps) }