fix(Deployment): Checks for subscription and access to cres and infras should be done as owner of the deployment

khaled basbous · khaled basbous · commit b73b6306b018 · 2024-11-22T14:57:27.000+01:00
diff --git a/code/src/com/sixsq/nuvla/auth/utils.clj b/code/src/com/sixsq/nuvla/auth/utils.clj
@@ -2,36 +2,49 @@
   (:require
     [clojure.string :as str]))
 
-
 (def ^{:doc "Internal administrator identity for database queries."}
   internal-identity
   {:user-id      "internal"
    :active-claim "group/nuvla-admin"
    :claims       #{"group/nuvla-admin" "group/nuvla-user" "group/nuvla-anon"}})
 
+(defn get-internal-request
+  []
+  {:nuvla/authn internal-identity})
+
+(defn get-owner-authn
+  [{:keys [owner] :as _resource}]
+  {:claims       #{owner "group/nuvla-user" "group/nuvla-anon"}
+   :user-id      owner
+   :active-claim owner})
+
+(defn get-owner-request
+  [resource]
+  {:nuvla/authn (get-owner-authn resource)})
+
+(defn get-resource-id-authn
+  [{id :id :as _resource}]
+  {:claims       #{id "group/nuvla-user" "group/nuvla-anon"}
+   :user-id      id
+   :active-claim id})
 
 (defn current-authentication
   "Extracts the current authentication from the ring request."
   [{:keys [nuvla/authn] :as _request}]
   (select-keys authn [:user-id :active-claim :claims]))
 
-
 (defn current-user-id
   [request]
   (:user-id (current-authentication request)))
 
-
 (defn current-active-claim
   [request]
   (:active-claim (current-authentication request)))
 
-
 (defn current-session-id
   [request]
   (->> request
        current-authentication
        :claims
        (filter #(str/starts-with? % "session/"))
        first))
-
-
diff --git a/code/src/com/sixsq/nuvla/server/resources/deployment.clj b/code/src/com/sixsq/nuvla/server/resources/deployment.clj
@@ -297,9 +297,9 @@ a container orchestration engine.
           deployment     (-> (crud/retrieve-by-id-as-admin id)
                              (u/throw-cannot-do-action-invalid-state utils/can-start? "start")
                              (utils/throw-when-payment-required request)
-                             (utils/throw-can-not-access-registries-creds request)
-                             (utils/throw-can-not-access-helm-repo-cred request)
-                             (utils/throw-can-not-access-helm-repo-url request))
+                             utils/throw-can-not-access-registries-creds
+                             utils/throw-can-not-access-helm-repo-cred
+                             utils/throw-can-not-access-helm-repo-url)
           stopped?       (= (:state deployment) "STOPPED")
           user-rights?   (get-in deployment [:module :content :requires-user-rights])
           data?          (some? (:data deployment))
@@ -384,9 +384,9 @@ a container orchestration engine.
                       (u/throw-cannot-do-action-invalid-state
                         utils/can-update? "update_deployment")
                       (utils/throw-when-payment-required request)
-                      (utils/throw-can-not-access-registries-creds request)
-                      (utils/throw-can-not-access-helm-repo-cred request)
-                      (utils/throw-can-not-access-helm-repo-url request))
+                      utils/throw-can-not-access-registries-creds
+                      utils/throw-can-not-access-helm-repo-cred
+                      utils/throw-can-not-access-helm-repo-url)
           new     (-> current
                       (assoc :state "UPDATING")
                       (edit-deployment request))]
diff --git a/code/src/com/sixsq/nuvla/server/resources/deployment/utils.clj b/code/src/com/sixsq/nuvla/server/resources/deployment/utils.clj
@@ -175,25 +175,25 @@
     (resource-log/create-log id components acl opts)))
 
 (defn throw-can-not-access-registries-creds
-  [{:keys [registries-credentials] :as resource} request]
+  [{:keys [registries-credentials] :as resource}]
   (let [preselected-creds   (-> resource
                                 (get-in [:module :content :registries-credentials] [])
                                 set)
         creds-to-be-checked (set/difference (set registries-credentials) preselected-creds)]
-    (module-utils/throw-cannot-access-registries-credentials creds-to-be-checked request)
+    (module-utils/throw-cannot-access-registries-credentials creds-to-be-checked (auth/get-owner-request resource))
     resource))
 
 
 (defn throw-can-not-access-helm-repo-url
-  [resource request]
+  [resource]
   (let [helm-repo-url (get-in resource [:module :content :helm-repo-url])]
-    (module-utils/throw-can-not-access-helm-repo-url helm-repo-url request)
+    (module-utils/throw-can-not-access-helm-repo-url helm-repo-url (auth/get-owner-request resource))
     resource))
 
 (defn throw-can-not-access-helm-repo-cred
-  [resource request]
+  [resource]
   (let [cred (get-in resource [:module :content :helm-repo-cred])]
-    (module-utils/throw-can-not-access-helm-repo-cred cred request)
+    (module-utils/throw-can-not-access-helm-repo-cred cred (auth/get-owner-request resource))
     resource))
 
 
@@ -291,20 +291,18 @@
                      (seq files) (assoc :files files)))))
 
 (defn throw-when-payment-required
-  [{{:keys [price] :as module} :module :as deployment} request]
+  [{{:keys [price] :as module} :module owner :owner :as deployment} request]
   (if (or (nil? config-nuvla/*stripe-api-key*)
           (a/is-admin? (auth/current-authentication request))
-          (let [active-claim (auth/current-active-claim request)]
-            (or
-              (a/can-edit-data? module request)
-              (case (:status (payment/active-claim->subscription active-claim))
-                ("active" "past_due") true
-                "trialing" (or (nil? price)
-                               (:follow-customer-trial price)
-                               (-> active-claim
-                                   payment/active-claim->s-customer
-                                   payment/can-pay?))
-                false))))
+          (a/can-edit-data? module request)
+          (case (:status (payment/active-claim->subscription owner))
+            ("active" "past_due") true
+            "trialing" (or (nil? price)
+                           (:follow-customer-trial price)
+                           (-> owner
+                               payment/active-claim->s-customer
+                               payment/can-pay?))
+            false))
     deployment
     (payment/throw-payment-required)))
 
diff --git a/code/src/com/sixsq/nuvla/server/resources/deployment_set.clj b/code/src/com/sixsq/nuvla/server/resources/deployment_set.clj
@@ -111,26 +111,6 @@ These resources represent a deployment set that regroups deployments.
 ;; CRUD operations
 ;;
 
-(defn get-owner-authn
-  [{:keys [owner] :as _resource}]
-  {:claims       #{owner "group/nuvla-user"}
-   :user-id      owner
-   :active-claim owner})
-
-(defn get-owner-request
-  [resource]
-  {:nuvla/authn (get-owner-authn resource)})
-
-(defn get-dg-authn
-  [{dg-id :id :as _resource}]
-  {:claims       [dg-id "group/nuvla-user"]
-   :user-id      dg-id
-   :active-claim dg-id})
-
-(defn get-internal-request
-  []
-  {:nuvla/authn auth/internal-identity})
-
 (defn load-resource-throw-not-allowed-action
   [{{:keys [uuid]} :params :as request}]
   (-> (str resource-type "/" uuid)
@@ -143,7 +123,7 @@ These resources represent a deployment set that regroups deployments.
    (divergence-map (load-resource-throw-not-allowed-action request) request))
   ([{:keys [applications-sets] :as deployment-set} _request]
    (when (seq applications-sets)
-     (let [owner-request     (get-owner-request deployment-set)
+     (let [owner-request     (auth/get-owner-request deployment-set)
            applications-sets (-> deployment-set
                                  utils/get-applications-sets-href
                                  (crud/get-resource-throw-nok owner-request))
@@ -182,7 +162,7 @@ These resources represent a deployment set that regroups deployments.
 
 (defn create-module-apps-set
   [{:keys [owner modules] :as resource} request]
-  (let [modules-data (mapv #(retrieve-module-as % (get-owner-authn resource))
+  (let [modules-data (mapv #(retrieve-module-as % (auth/get-owner-authn resource))
                            (distinct modules))]
     (create-module
       {:path    (str module-utils/project-apps-sets "/" (u/rand-uuid))
@@ -215,7 +195,7 @@ These resources represent a deployment set that regroups deployments.
    If :fleet is not specified, it is computed by querying edges satisfying the :fleet-filter.
    If both :fleet and :fleet-filter are specified, they are stored as-is, no consistency check is made."
   [{:keys [fleet fleet-filter overwrites] :as resource}]
-  (let [owner-authn   (get-owner-authn resource)
+  (let [owner-authn   (auth/get-owner-authn resource)
         owner-request {:nuvla/authn owner-authn}
         apps-set-id   (create-module-apps-set resource owner-request)
         fleet         (or fleet (map :id (some-> fleet-filter (utils/query-nuvlaboxes-as owner-authn))))]
@@ -266,10 +246,10 @@ These resources represent a deployment set that regroups deployments.
 (defn check-edges-permissions
   [{:keys [id] :as resource}]
   (let [fleet             (get-in resource [:applications-sets 0 :overwrites 0 :fleet])
-        missing-edges     (utils/get-missing-edges resource (get-internal-request))
+        missing-edges     (utils/get-missing-edges resource (auth/get-internal-request))
         not-deleted-edges (set/difference (set fleet) (set missing-edges))
         cimi-filter       (str "id=['" (str/join "','" not-deleted-edges) "']")
-        retrieved-fleet   (utils/query-nuvlaboxes-as cimi-filter (get-owner-authn resource))]
+        retrieved-fleet   (utils/query-nuvlaboxes-as cimi-filter (auth/get-owner-authn resource))]
     (when (not= (count not-deleted-edges) (count retrieved-fleet))
       (throw (r/ex-response "All edges must be visible to DG owner" 403 id)))
     resource))
@@ -278,7 +258,7 @@ These resources represent a deployment set that regroups deployments.
   [{:keys [id] :as resource}]
   (let [apps           (get-in resource [:applications-sets 0 :overwrites 0 :applications])
         cimi-filter    (str "id=['" (str/join "','" (map :id apps)) "']")
-        retrieved-apps (utils/query-modules-as cimi-filter (get-owner-authn resource))]
+        retrieved-apps (utils/query-modules-as cimi-filter (auth/get-owner-authn resource))]
     (when (not= (count apps) (count retrieved-apps))
       (throw (r/ex-response (str "All apps must be visible to DG owner : "
                                  (mapv :id apps)
@@ -316,8 +296,8 @@ These resources represent a deployment set that regroups deployments.
 
 (defn authn-info-payload
   [resource]
-  {:dg-owner-authn-info (get-owner-authn resource)
-   :dg-authn-info       (get-dg-authn resource)})
+  {:dg-owner-authn-info (auth/get-owner-authn resource)
+   :dg-authn-info       (auth/get-resource-id-authn resource)})
 
 (defn action-bulk
   [{:keys [id] :as resource} {{:keys [action]} :params :as request}]
@@ -361,7 +341,7 @@ These resources represent a deployment set that regroups deployments.
 (defmethod crud/do-action [resource-type utils/action-plan]
   [request]
   (let [deployment-set    (load-resource-throw-not-allowed-action request)
-        owner-request     (get-owner-request deployment-set)
+        owner-request     (auth/get-owner-request deployment-set)
         applications-sets (-> deployment-set
                               utils/get-applications-sets-href
                               (crud/get-resource-throw-nok owner-request))]
@@ -370,7 +350,7 @@ These resources represent a deployment set that regroups deployments.
 (defmethod crud/do-action [resource-type utils/action-check-requirements]
   [request]
   (let [deployment-set    (load-resource-throw-not-allowed-action request)
-        owner-request     (get-owner-request deployment-set)
+        owner-request     (auth/get-owner-request deployment-set)
         applications-sets (-> deployment-set
                               utils/get-applications-sets-href
                               (crud/get-resource-throw-nok owner-request))]
diff --git a/code/src/com/sixsq/nuvla/server/resources/deployment_set/utils.clj b/code/src/com/sixsq/nuvla/server/resources/deployment_set/utils.clj
@@ -406,7 +406,7 @@
 
 (defn query-nuvlaboxes
   [cimi-filter request]
-  (query-nuvlaboxes-as cimi-filter (:nuvla/authn request)))
+  (query-nuvlaboxes-as cimi-filter (auth/current-authentication request)))
 
 (defn get-missing-edges
   [deployment-set request]
diff --git a/code/test/com/sixsq/nuvla/server/resources/deployment/utils_test.clj b/code/test/com/sixsq/nuvla/server/resources/deployment/utils_test.clj
@@ -114,4 +114,4 @@
       [m-a m-b] {:arg1 [m-a m-b] :arg2 [m-a (assoc m-b :value "any")]})))
 
 (deftest throw-can-not-access-helm-repo-cred
-  (is (= (t/throw-can-not-access-helm-repo-cred {} {}) {})))
+  (is (= (t/throw-can-not-access-helm-repo-cred {}) {})))
diff --git a/code/test/com/sixsq/nuvla/server/resources/deployment_set_lifecycle_test.clj b/code/test/com/sixsq/nuvla/server/resources/deployment_set_lifecycle_test.clj
@@ -39,9 +39,6 @@
 (def app6-id "module/64e8d02d-1b40-46d0-b1d8-2093024fc1d2")
 (def app7-id "module/1cefb94b-c527-4b8a-be5f-802b131c1a9e")
 
-(def all-apps
-  (mapv (fn [app-id] {:id app-id}) [app1-id app2-id app3-id app4-id app5-id app6-id app7-id]))
-
 (def dep-apps-sets [{:id      app5-id,
                      :version 11,
                      :overwrites
@@ -178,6 +175,14 @@
     :manage    ["group/nuvla-admin"],
     :edit-meta ["group/nuvla-admin"]}})
 
+(defn read-payload
+  [payload]
+  (-> payload
+      json/read-str
+      (update-in ["authn-info" "claims"] set)
+      (update-in ["dg-authn-info" "claims"] set)
+      (update-in ["dg-owner-authn-info" "claims"] set)))
+
 (deftest plan-test
   (is (= (utils/plan u-deployment-set u-applications-sets-v11)
          #{{:app-set     "set-1"
@@ -329,18 +334,20 @@
 
             dep-set-url (str p/service-context resource-id)
             job-payload {"authn-info"          {"active-claim" "user/jane"
-                                                "claims"       ["group/nuvla-anon"
-                                                                "user/jane"
-                                                                "group/nuvla-user"
-                                                                session-id]
+                                                "claims"       #{"group/nuvla-anon"
+                                                                 "user/jane"
+                                                                 "group/nuvla-user"
+                                                                 session-id}
                                                 "user-id"      "user/jane"}
                          "dg-authn-info"       {"active-claim" resource-id
-                                                "claims"       [resource-id
-                                                                "group/nuvla-user"]
+                                                "claims"       #{resource-id
+                                                                 "group/nuvla-user"
+                                                                 "group/nuvla-anon"}
                                                 "user-id"      resource-id}
                          "dg-owner-authn-info" {"active-claim" "user/jane"
-                                                "claims"       ["user/jane"
-                                                                "group/nuvla-user"]
+                                                "claims"       #{"group/nuvla-anon"
+                                                                 "user/jane"
+                                                                 "group/nuvla-user"}
                                                 "user-id"      "user/jane"}}]
 
         (testing "user query should see one document"
@@ -614,7 +621,7 @@
                 (ltu/is-status 200)
                 (ltu/is-key-value :href :target-resource resource-id)
                 (ltu/is-key-value :action "bulk_deployment_set_update")
-                (ltu/is-key-value json/read-str :payload job-payload))))
+                (ltu/is-key-value read-payload :payload job-payload))))
 
         (testing "edit action is not allowed in a transitional state"
           (with-redefs [crud/get-resource-throw-nok
@@ -670,7 +677,7 @@
                 (ltu/is-status 200)
                 (ltu/is-key-value :href :target-resource resource-id)
                 (ltu/is-key-value :action "bulk_deployment_set_update")
-                (ltu/is-key-value json/read-str :payload job-payload))
+                (ltu/is-key-value read-payload :payload job-payload))
             (testing "cancel action will cancel the running job"
               (let [cancel-op-url (-> session-user
                                       (request dep-set-url)
@@ -739,7 +746,7 @@
                 (ltu/is-status 200)
                 (ltu/is-key-value :href :target-resource resource-id)
                 (ltu/is-key-value :action "bulk_deployment_set_stop")
-                (ltu/is-key-value json/read-str :payload job-payload))
+                (ltu/is-key-value read-payload :payload job-payload))
             (-> session-user
                 (request dep-set-url)
                 ltu/body->edn
diff --git a/code/test/com/sixsq/nuvla/server/resources/module_lifecycle_test.clj b/code/test/com/sixsq/nuvla/server/resources/module_lifecycle_test.clj
@@ -657,7 +657,7 @@
     (lifecycle-test-module module-spec/subtype-app-helm valid-application)))
 
 (deftest throw-can-not-access-helm-repo-cred
-  (is (= (t/throw-can-not-access-helm-repo-cred {} {}) {})))
+  (is (= (t/throw-can-not-access-helm-repo-cred {}) {})))
 
 (deftest bad-methods
   (let [resource-uri (str p/service-context (u/new-resource-id module/resource-type))]
