Exemplo n.º 1
0
func (si *ServiceInstance) Revoke(teamName string) error {
	team, err := auth.GetTeam(teamName)
	if err != nil {
		return err
	}
	return si.update(bson.M{"$pull": bson.M{"teams": team.Name}})
}
Exemplo n.º 2
0
func addUserToTeam(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	teamName := r.URL.Query().Get(":team")
	email := r.URL.Query().Get(":user")
	u, err := t.User()
	if err != nil {
		return err
	}
	rec.Log(u.Email, "add-user-to-team", "team="+teamName, "user="+email)
	conn, err := db.Conn()
	if err != nil {
		return err
	}
	defer conn.Close()
	team, err := auth.GetTeam(teamName)
	if err != nil {
		return &errors.HTTP{Code: http.StatusNotFound, Message: "Team not found"}
	}
	if !team.ContainsUser(u) {
		msg := fmt.Sprintf("You are not authorized to add new users to the team %s", team.Name)
		return &errors.HTTP{Code: http.StatusForbidden, Message: msg}
	}
	user, err := auth.GetUserByEmail(email)
	if err != nil {
		return &errors.HTTP{Code: http.StatusNotFound, Message: "User not found"}
	}
	actions := []*action.Action{
		&addUserToTeamInRepositoryAction,
		&addUserToTeamInDatabaseAction,
	}
	pipeline := action.NewPipeline(actions...)
	return pipeline.Execute(user, team)
}
Exemplo n.º 3
0
func removeUserFromTeam(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	email := r.URL.Query().Get(":user")
	teamName := r.URL.Query().Get(":team")
	u, err := t.User()
	if err != nil {
		return err
	}
	rec.Log(u.Email, "remove-user-from-team", "team="+teamName, "user="+email)
	conn, err := db.Conn()
	if err != nil {
		return err
	}
	defer conn.Close()
	team, err := auth.GetTeam(teamName)
	if err != nil {
		return &errors.HTTP{Code: http.StatusNotFound, Message: "Team not found"}
	}
	if !team.ContainsUser(u) {
		msg := fmt.Sprintf("You are not authorized to remove a member from the team %s", team.Name)
		return &errors.HTTP{Code: http.StatusUnauthorized, Message: msg}
	}
	if len(team.Users) == 1 {
		msg := "You can not remove this user from this team, because it is the last user within the team, and a team can not be orphaned"
		return &errors.HTTP{Code: http.StatusForbidden, Message: msg}
	}
	user, err := auth.GetUserByEmail(email)
	if err != nil {
		return &errors.HTTP{Code: http.StatusNotFound, Message: err.Error()}
	}
	err = removeUserFromTeamInDatabase(user, team)
	if err != nil {
		return err
	}
	return removeUserFromTeamInRepository(user, team)
}
Exemplo n.º 4
0
func revokeServiceAccess(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	serviceName := r.URL.Query().Get(":service")
	s, err := getService(serviceName)
	if err != nil {
		return err
	}
	allowed := permission.Check(t, permission.PermServiceUpdateRevokeAccess,
		append(permission.Contexts(permission.CtxTeam, s.OwnerTeams),
			permission.Context(permission.CtxService, s.Name),
		)...,
	)
	if !allowed {
		return permission.ErrUnauthorized
	}
	teamName := r.URL.Query().Get(":team")
	team, err := auth.GetTeam(teamName)
	if err != nil {
		if err == auth.ErrTeamNotFound {
			return &errors.HTTP{Code: http.StatusNotFound, Message: "Team not found"}
		}
		return err
	}
	if len(s.Teams) < 2 {
		msg := "You can not revoke the access from this team, because it is the unique team with access to this service, and a service can not be orphaned"
		return &errors.HTTP{Code: http.StatusForbidden, Message: msg}
	}
	rec.Log(t.GetUserName(), "revoke-service-access", "service="+serviceName, "team="+teamName)
	err = s.RevokeAccess(team)
	if err != nil {
		return &errors.HTTP{Code: http.StatusNotFound, Message: err.Error()}
	}
	return s.Update()
}
Exemplo n.º 5
0
func setTeamOwner(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	if r.Body == nil {
		return &errors.HTTP{Code: http.StatusBadRequest, Message: "You must provide a team name."}
	}
	defer r.Body.Close()
	b, err := ioutil.ReadAll(r.Body)
	if err != nil {
		return err
	}
	teamName := string(b)
	team, err := auth.GetTeam(teamName)
	if err != nil {
		return err
	}
	u, err := t.User()
	if err != nil {
		return err
	}
	a, err := getAppFromContext(r.URL.Query().Get(":app"), u, r)
	if err != nil {
		return err
	}
	err = a.SetTeamOwner(team, u)
	if err != nil {
		return err
	}
	return nil
}
Exemplo n.º 6
0
func grantServiceAccess(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	serviceName := r.URL.Query().Get(":service")
	s, err := getService(serviceName)
	if err != nil {
		return err
	}
	allowed := permission.Check(t, permission.PermServiceUpdateGrantAccess,
		append(permission.Contexts(permission.CtxTeam, s.OwnerTeams),
			permission.Context(permission.CtxService, s.Name),
		)...,
	)
	if !allowed {
		return permission.ErrUnauthorized
	}
	teamName := r.URL.Query().Get(":team")
	team, err := auth.GetTeam(teamName)
	if err != nil {
		if err == auth.ErrTeamNotFound {
			return &errors.HTTP{Code: http.StatusNotFound, Message: "Team not found"}
		}
		return err
	}
	rec.Log(t.GetUserName(), "grant-service-access", "service="+serviceName, "team="+teamName)
	err = s.GrantAccess(team)
	if err != nil {
		return &errors.HTTP{Code: http.StatusConflict, Message: err.Error()}
	}
	return s.Update()
}
Exemplo n.º 7
0
func getTeam(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	teamName := r.URL.Query().Get(":name")
	_, err := auth.GetTeam(teamName)
	if err != nil {
		return &errors.HTTP{Code: http.StatusNotFound, Message: "Team not found"}
	}
	permsForTeam := permission.PermissionRegistry.PermissionsWithContextType(permission.CtxTeam)
	var permissions []string
	for _, p := range permsForTeam {
		if permission.Check(t, p, permission.Context(permission.CtxTeam, teamName)) {
			permissions = append(permissions, p.FullName())
		}
	}
	if len(permissions) == 0 {
		return &errors.HTTP{Code: http.StatusNotFound, Message: "Team not found"}
	}
	rec.Log(t.GetUserName(), "get-team", teamName)
	result := map[string]interface{}{
		"name":        teamName,
		"permissions": permissions,
	}
	w.Header().Set("Content-Type", "application/json")
	b, err := json.Marshal(result)
	if err != nil {
		return err
	}
	n, err := w.Write(b)
	if err != nil {
		return err
	}
	if n != len(b) {
		return &errors.HTTP{Code: http.StatusInternalServerError, Message: "Failed to write response body."}
	}
	return nil
}
Exemplo n.º 8
0
Arquivo: app.go Projeto: botvs/tsuru
// Update changes informations of the application.
func (app *App) Update(updateData App, w io.Writer) error {
	description := updateData.Description
	planName := updateData.Plan.Name
	poolName := updateData.Pool
	teamOwner := updateData.TeamOwner
	if description != "" {
		app.Description = description
	}
	if poolName != "" {
		app.Pool = poolName
		_, err := app.GetPoolForApp(app.Pool)
		if err != nil {
			return err
		}
	}
	conn, err := db.Conn()
	if err != nil {
		return err
	}
	defer conn.Close()
	if planName != "" {
		plan, err := findPlanByName(planName)
		if err != nil {
			return err
		}
		var oldPlan Plan
		oldPlan, app.Plan = app.Plan, *plan
		actions := []*action.Action{
			&moveRouterUnits,
			&saveApp,
			&restartApp,
			&removeOldBackend,
		}
		err = action.NewPipeline(actions...).Execute(app, &oldPlan, w)
		if err != nil {
			return err
		}
	}
	if teamOwner != "" {
		team, err := auth.GetTeam(teamOwner)
		if err != nil {
			return err
		}
		app.TeamOwner = team.Name
		err = app.validateTeamOwner()
		if err != nil {
			return err
		}
		app.Grant(team)
	}
	return conn.Apps().Update(bson.M{"name": app.Name}, app)
}
Exemplo n.º 9
0
func getTeam(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	teamName := r.URL.Query().Get(":name")
	user, err := t.User()
	if err != nil {
		return err
	}
	rec.Log(user.Email, "get-team", teamName)
	team, err := auth.GetTeam(teamName)
	if err != nil {
		return &errors.HTTP{Code: http.StatusNotFound, Message: "Team not found"}
	}
	if !team.ContainsUser(user) {
		return &errors.HTTP{Code: http.StatusForbidden, Message: "User is not member of this team"}
	}
	w.Header().Set("Content-Type", "application/json")
	return json.NewEncoder(w).Encode(team)
}
Exemplo n.º 10
0
func (app *App) ValidateTeamOwner(user *auth.User) error {
	if _, err := auth.GetTeam(app.TeamOwner); err == auth.ErrTeamNotFound {
		return err
	}
	if user.IsAdmin() {
		return nil
	}
	teams, err := user.Teams()
	if err != nil {
		return err
	}
	for _, t := range teams {
		if t.Name == app.TeamOwner {
			return nil
		}
	}
	errorMsg := fmt.Sprintf("You can not set %s team as app's owner. Please set one of your teams as app's owner.", app.TeamOwner)
	return stderr.New(errorMsg)
}
Exemplo n.º 11
0
// title: revoke access to a service
// path: /services/{service}/team/{team}
// method: DELETE
// responses:
//   200: Access revoked
//   400: Team not found
//   401: Unauthorized
//   404: Service not found
//   409: Team does not has access to this service
func revokeServiceAccess(w http.ResponseWriter, r *http.Request, t auth.Token) (err error) {
	r.ParseForm()
	serviceName := r.URL.Query().Get(":service")
	s, err := getService(serviceName)
	if err != nil {
		return err
	}
	allowed := permission.Check(t, permission.PermServiceUpdateRevokeAccess,
		contextsForServiceProvision(&s)...,
	)
	if !allowed {
		return permission.ErrUnauthorized
	}
	teamName := r.URL.Query().Get(":team")
	team, err := auth.GetTeam(teamName)
	if err != nil {
		if err == auth.ErrTeamNotFound {
			return &errors.HTTP{Code: http.StatusBadRequest, Message: "Team not found"}
		}
		return err
	}
	if len(s.Teams) < 2 {
		msg := "You can not revoke the access from this team, because it is the unique team with access to this service, and a service can not be orphaned"
		return &errors.HTTP{Code: http.StatusForbidden, Message: msg}
	}
	evt, err := event.New(&event.Opts{
		Target:     serviceTarget(s.Name),
		Kind:       permission.PermServiceUpdateRevokeAccess,
		Owner:      t,
		CustomData: event.FormToCustomData(r.Form),
		Allowed:    event.Allowed(permission.PermServiceReadEvents, contextsForServiceProvision(&s)...),
	})
	if err != nil {
		return err
	}
	defer func() { evt.Done(err) }()
	err = s.RevokeAccess(team)
	if err != nil {
		return &errors.HTTP{Code: http.StatusConflict, Message: err.Error()}
	}
	return s.Update()
}
Exemplo n.º 12
0
Arquivo: app.go Projeto: Endika/tsuru
func setTeamOwner(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	if r.Body == nil {
		return &errors.HTTP{Code: http.StatusBadRequest, Message: "You must provide a team name."}
	}
	defer r.Body.Close()
	b, err := ioutil.ReadAll(r.Body)
	if err != nil {
		return err
	}
	teamName := string(b)
	team, err := auth.GetTeam(teamName)
	if err != nil {
		return err
	}
	a, err := app.GetByName(r.URL.Query().Get(":app"))
	if err != nil {
		return err
	}
	canSetTeamOwner := permission.Check(t, permission.PermAppUpdateTeamowner,
		append(permission.Contexts(permission.CtxTeam, a.Teams),
			permission.Context(permission.CtxApp, a.Name),
			permission.Context(permission.CtxPool, a.Pool),
		)...,
	)
	if !canSetTeamOwner {
		return &errors.HTTP{
			Code:    http.StatusForbidden,
			Message: permission.ErrUnauthorized.Error(),
		}
	}
	u, err := t.User()
	if err != nil {
		return err
	}
	err = a.SetTeamOwner(team, u)
	if err != nil {
		return err
	}
	return nil
}
Exemplo n.º 13
0
// title: grant access to a service
// path: /services/{service}/team/{team}
// method: PUT
// responses:
//   200: Service updated
//   400: Team not found
//   401: Unauthorized
//   404: Service not found
//   409: Team already has access to this service
func grantServiceAccess(w http.ResponseWriter, r *http.Request, t auth.Token) (err error) {
	r.ParseForm()
	serviceName := r.URL.Query().Get(":service")
	s, err := getService(serviceName)
	if err != nil {
		return err
	}
	allowed := permission.Check(t, permission.PermServiceUpdateGrantAccess,
		contextsForServiceProvision(&s)...,
	)
	if !allowed {
		return permission.ErrUnauthorized
	}
	teamName := r.URL.Query().Get(":team")
	team, err := auth.GetTeam(teamName)
	if err != nil {
		if err == auth.ErrTeamNotFound {
			return &errors.HTTP{Code: http.StatusBadRequest, Message: "Team not found"}
		}
		return err
	}
	evt, err := event.New(&event.Opts{
		Target:     serviceTarget(s.Name),
		Kind:       permission.PermServiceUpdateGrantAccess,
		Owner:      t,
		CustomData: event.FormToCustomData(r.Form),
		Allowed:    event.Allowed(permission.PermServiceReadEvents, contextsForServiceProvision(&s)...),
	})
	if err != nil {
		return err
	}
	defer func() { evt.Done(err) }()
	err = s.GrantAccess(team)
	if err != nil {
		return &errors.HTTP{Code: http.StatusConflict, Message: err.Error()}
	}
	return s.Update()
}
Exemplo n.º 14
0
Arquivo: app.go Projeto: botvs/tsuru
func (app *App) validateTeamOwner() error {
	_, err := auth.GetTeam(app.TeamOwner)
	return err
}