Esempio n. 1
0
func (s *ProvisionSuite) TestGrantServiceAccessToTeam(c *check.C) {
	t := &auth.Team{Name: "blaaaa"}
	s.conn.Teams().Insert(t)
	defer s.conn.Teams().Remove(bson.M{"name": t.Name})
	se := service.Service{Name: "my_service", OwnerTeams: []string{s.team.Name}}
	err := se.Create()
	c.Assert(err, check.IsNil)
	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
	u := fmt.Sprintf("/services/%s/team/%s", se.Name, t.Name)
	recorder, request := s.makeRequest("PUT", u, "", c)
	s.m.ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	err = se.Get()
	c.Assert(err, check.IsNil)
	c.Assert(*t, HasAccessTo, se)
	c.Assert(eventtest.EventDesc{
		Target: serviceTarget("my_service"),
		Owner:  s.token.GetUserName(),
		Kind:   "service.update.grant-access",
		StartCustomData: []map[string]interface{}{
			{"name": ":service", "value": "my_service"},
			{"name": ":team", "value": t.Name},
		},
	}, eventtest.HasEvent)
}
Esempio n. 2
0
func (s *ProvisionSuite) TestGrantServiceAccessToTeam(c *check.C) {
	t := &auth.Team{Name: "blaaaa"}
	s.conn.Teams().Insert(t)
	defer s.conn.Teams().Remove(bson.M{"name": t.Name})
	se := service.Service{Name: "my_service", OwnerTeams: []string{s.team.Name}}
	err := se.Create()
	c.Assert(err, check.IsNil)
	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
	url := fmt.Sprintf("/services/%s/team/%s", se.Name, t.Name)
	request, err := http.NewRequest("PUT", url, nil)
	c.Assert(err, check.IsNil)
	reqAuth := "bearer " + s.token.GetValue()
	request.Header.Set("Authorization", reqAuth)
	recorder := httptest.NewRecorder()
	m := RunServer(true)
	m.ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	err = se.Get()
	c.Assert(err, check.IsNil)
	c.Assert(*t, HasAccessTo, se)
	action := rectest.Action{
		Action: "grant-service-access",
		User:   s.user.Email,
		Extra:  []interface{}{"service=" + se.Name, "team=" + t.Name},
	}
	c.Assert(action, rectest.IsRecorded)
}
Esempio n. 3
0
func getService(name string) (service.Service, error) {
	s := service.Service{Name: name}
	err := s.Get()
	if err != nil {
		return s, &errors.HTTP{Code: http.StatusNotFound, Message: "Service not found"}
	}
	return s, err
}
Esempio n. 4
0
func getServiceByOwner(name string, u *auth.User) (service.Service, error) {
	s := service.Service{Name: name}
	err := s.Get()
	if err != nil {
		return s, &errors.HTTP{Code: http.StatusNotFound, Message: "Service not found"}
	}
	if !auth.CheckUserAccess(s.OwnerTeams, u) {
		msg := "This user does not have access to this service"
		return s, &errors.HTTP{Code: http.StatusForbidden, Message: msg}
	}
	return s, err
}
Esempio n. 5
0
func (s *ProvisionSuite) TestRevokeServiceAccessFromTeamRemovesTeamFromService(c *check.C) {
	se := service.Service{Name: "my_service", OwnerTeams: []string{s.team.Name}, Teams: []string{s.team.Name, "other-team"}}
	err := se.Create()
	c.Assert(err, check.IsNil)
	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
	u := fmt.Sprintf("/services/%s/team/%s", se.Name, s.team.Name)
	recorder, request := s.makeRequest("DELETE", u, "", c)
	s.m.ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	err = se.Get()
	c.Assert(err, check.IsNil)
	c.Assert(*s.team, check.Not(HasAccessTo), se)
	action := rectest.Action{
		Action: "revoke-service-access",
		User:   s.user.Email,
		Extra:  []interface{}{"service=" + se.Name, "team=" + s.team.Name},
	}
	c.Assert(action, rectest.IsRecorded)
}
Esempio n. 6
0
func (s *ProvisionSuite) TestRevokeServiceAccessFromTeamRemovesTeamFromService(c *gocheck.C) {
	t := &auth.Team{Name: "alle-da"}
	se := service.Service{Name: "my_service", Teams: []string{s.team.Name, t.Name}}
	err := se.Create()
	c.Assert(err, gocheck.IsNil)
	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
	url := fmt.Sprintf("/services/%s/%s?:service=%s&:team=%s", se.Name, s.team.Name, se.Name, s.team.Name)
	request, err := http.NewRequest("DELETE", url, nil)
	c.Assert(err, gocheck.IsNil)
	recorder := httptest.NewRecorder()
	err = revokeServiceAccess(recorder, request, s.token)
	c.Assert(err, gocheck.IsNil)
	err = se.Get()
	c.Assert(err, gocheck.IsNil)
	c.Assert(*s.team, gocheck.Not(HasAccessTo), se)
	action := testing.Action{
		Action: "revoke-service-access",
		User:   s.user.Email,
		Extra:  []interface{}{"service=" + se.Name, "team=" + s.team.Name},
	}
	c.Assert(action, testing.IsRecorded)
}
Esempio n. 7
0
func (s *ProvisionSuite) TestRevokeServiceAccessFromTeamRemovesTeamFromService(c *check.C) {
	se := service.Service{Name: "my_service", OwnerTeams: []string{s.team.Name}, Teams: []string{s.team.Name, "other-team"}}
	err := se.Create()
	c.Assert(err, check.IsNil)
	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
	u := fmt.Sprintf("/services/%s/team/%s", se.Name, s.team.Name)
	recorder, request := s.makeRequest("DELETE", u, "", c)
	s.m.ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	err = se.Get()
	c.Assert(err, check.IsNil)
	c.Assert(*s.team, check.Not(HasAccessTo), se)
	c.Assert(eventtest.EventDesc{
		Target: serviceTarget("my_service"),
		Owner:  s.token.GetUserName(),
		Kind:   "service.update.revoke-access",
		StartCustomData: []map[string]interface{}{
			{"name": ":service", "value": "my_service"},
			{"name": ":team", "value": s.team.Name},
		},
	}, eventtest.HasEvent)
}
Esempio n. 8
0
func (s *ProvisionSuite) TestGrantServiceAccessToTeam(c *gocheck.C) {
	t := &auth.Team{Name: "blaaaa"}
	s.conn.Teams().Insert(t)
	defer s.conn.Teams().Remove(bson.M{"name": t.Name})
	se := service.Service{Name: "my_service", Teams: []string{s.team.Name}}
	err := se.Create()
	c.Assert(err, gocheck.IsNil)
	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
	url := fmt.Sprintf("/services/%s/%s?:service=%s&:team=%s", se.Name, t.Name, se.Name, t.Name)
	request, err := http.NewRequest("PUT", url, nil)
	c.Assert(err, gocheck.IsNil)
	recorder := httptest.NewRecorder()
	err = grantServiceAccess(recorder, request, s.token)
	c.Assert(err, gocheck.IsNil)
	err = se.Get()
	c.Assert(err, gocheck.IsNil)
	c.Assert(*s.team, HasAccessTo, se)
	action := testing.Action{
		Action: "grant-service-access",
		User:   s.user.Email,
		Extra:  []interface{}{"service=" + se.Name, "team=" + t.Name},
	}
	c.Assert(action, testing.IsRecorded)
}
func (s *ProvisionSuite) TestRevokeServiceAccessFromTeamRemovesTeamFromService(c *check.C) {
	t := &auth.Team{Name: "alle-da"}
	se := service.Service{Name: "my_service", Teams: []string{s.team.Name, t.Name}}
	err := se.Create()
	c.Assert(err, check.IsNil)
	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
	url := fmt.Sprintf("/services/%s/team/%s", se.Name, s.team.Name)
	request, err := http.NewRequest("DELETE", url, nil)
	c.Assert(err, check.IsNil)
	request.Header.Set("Authorization", "bearer "+s.token.GetValue())
	recorder := httptest.NewRecorder()
	m := RunServer(true)
	m.ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	err = se.Get()
	c.Assert(err, check.IsNil)
	c.Assert(*s.team, check.Not(HasAccessTo), se)
	action := rectest.Action{
		Action: "revoke-service-access",
		User:   s.user.Email,
		Extra:  []interface{}{"service=" + se.Name, "team=" + s.team.Name},
	}
	c.Assert(action, rectest.IsRecorded)
}
Esempio n. 10
0
func setAllowed(evt *event.Event) (err error) {
	defer func() {
		if err != nil {
			fmt.Printf("setting global context to evt %q: %s\n", evt.String(), err)
			err = nil
		}
	}()
	switch evt.Target.Type {
	case event.TargetTypeApp:
		var a *app.App
		a, err = app.GetByName(evt.Target.Value)
		if err != nil {
			evt.Allowed = event.Allowed(permission.PermAppReadEvents)
			if evt.Cancelable {
				evt.Allowed = event.Allowed(permission.PermAppUpdateEvents)
			}
			return err
		}
		ctxs := append(permission.Contexts(permission.CtxTeam, a.Teams),
			permission.Context(permission.CtxApp, a.Name),
			permission.Context(permission.CtxPool, a.Pool),
		)
		evt.Allowed = event.Allowed(permission.PermAppReadEvents, ctxs...)
		if evt.Cancelable {
			evt.Allowed = event.Allowed(permission.PermAppUpdateEvents, ctxs...)
		}
	case event.TargetTypeTeam:
		evt.Allowed = event.Allowed(permission.PermTeamReadEvents, permission.Context(permission.CtxTeam, evt.Target.Value))
	case event.TargetTypeService:
		s := service.Service{Name: evt.Target.Value}
		err = s.Get()
		if err != nil {
			evt.Allowed = event.Allowed(permission.PermServiceReadEvents)
			return err
		}
		evt.Allowed = event.Allowed(permission.PermServiceReadEvents,
			append(permission.Contexts(permission.CtxTeam, s.OwnerTeams),
				permission.Context(permission.CtxService, s.Name),
			)...,
		)
	case event.TargetTypeServiceInstance:
		v := strings.SplitN(evt.Target.Value, "/", 2)
		if len(v) != 2 {
			evt.Allowed = event.Allowed(permission.PermServiceInstanceReadEvents)
			return nil
		}
		var si *service.ServiceInstance
		si, err = service.GetServiceInstance(v[0], v[1])
		if err != nil {
			evt.Allowed = event.Allowed(permission.PermServiceInstanceReadEvents)
			return err
		}
		evt.Allowed = event.Allowed(permission.PermServiceReadEvents,
			append(permission.Contexts(permission.CtxTeam, si.Teams),
				permission.Context(permission.CtxServiceInstance, evt.Target.Value),
			)...,
		)
	case event.TargetTypePool:
		evt.Allowed = event.Allowed(permission.PermPoolReadEvents, permission.Context(permission.CtxPool, evt.Target.Value))
	case event.TargetTypeUser:
		evt.Allowed = event.Allowed(permission.PermUserReadEvents, permission.Context(permission.CtxUser, evt.Target.Value))
	case event.TargetTypeIaas:
		evt.Allowed = event.Allowed(permission.PermMachineReadEvents, permission.Context(permission.CtxIaaS, evt.Target.Value))
	case event.TargetTypeContainer:
		var provisioners []provision.Provisioner
		provisioners, err = provision.Registry()
		if err != nil {
			return err
		}
		var a provision.App
		for _, p := range provisioners {
			if finderProv, ok := p.(provision.UnitFinderProvisioner); ok {
				a, err = finderProv.GetAppFromUnitID(evt.Target.Value)
				_, isNotFound := err.(*provision.UnitNotFoundError)
				if err == nil || !isNotFound {
					break
				}
			}
		}
		if err != nil {
			return err
		}
		evt.Allowed = event.Allowed(permission.PermAppReadEvents,
			append(permission.Contexts(permission.CtxTeam, a.GetTeamsName()),
				permission.Context(permission.CtxApp, a.GetName()),
				permission.Context(permission.CtxPool, a.GetPool()),
			)...,
		)
	case event.TargetTypeNode:
		var provisioners []provision.Provisioner
		provisioners, err = provision.Registry()
		if err != nil {
			return err
		}
		var ctxs []permission.PermissionContext
		for _, p := range provisioners {
			if nodeProvisioner, ok := p.(provision.NodeProvisioner); ok {
				var nodes []provision.Node
				nodes, err = nodeProvisioner.ListNodes([]string{evt.Target.Value})
				if err != nil {
					return err
				}
				ctxs = append(ctxs, permission.Context(permission.CtxPool, nodes[0].Pool()))
			}
		}
		evt.Allowed = event.Allowed(permission.PermPoolReadEvents, ctxs...)
	case event.TargetTypeRole:
		evt.Allowed = event.Allowed(permission.PermRoleReadEvents)
	default:
		evt.Allowed = event.Allowed(permission.PermDebug)
	}
	return nil
}