Refactor env permissions + modify getTrustAccount #1712

Merged
merged 2 commits into from
Dec 3, 2024
1 change: 1 addition & 0 deletions backend/dataall/core/environment/api/queries.py
Expand Up @@ -32,6 +32,7 @@

getTrustAccount = gql.QueryField(
name='getTrustAccount',
args=[gql.Argument(name='organizationUri', type=gql.NonNullableType(gql.String))],
type=gql.String,
resolver=get_trust_account,
test_scope='Environment',
27 changes: 13 additions & 14 deletions backend/dataall/core/environment/api/resolvers.py
Expand Up @@ -18,10 +18,8 @@
log = logging.getLogger()


def get_trust_account(context: Context, source, **kwargs):
current_account = SessionHelper.get_account()
print('current_account = ', current_account)
return current_account
def get_trust_account(context: Context, source, organizationUri):
return EnvironmentService.get_trust_account(uri=organizationUri)


def create_environment(context: Context, source, input={}):
Expand Down Expand Up @@ -203,8 +201,7 @@ def resolve_user_role(context: Context, source: Environment):


def list_environment_group_permissions(context, source, environmentUri: str = None, groupUri: str = None):
with context.engine.scoped_session() as session:
return EnvironmentService.list_group_permissions(session=session, uri=environmentUri, group_uri=groupUri)
return EnvironmentService.list_group_permissions(uri=environmentUri, group_uri=groupUri)


@is_feature_enabled('core.features.env_aws_actions')
Expand All @@ -214,12 +211,12 @@ def get_environment_assume_role_url(
environmentUri: str = None,
groupUri: str = None,
):
return EnvironmentService.get_environment_assume_role_url(environmentUri=environmentUri, groupUri=groupUri)
return EnvironmentService.get_environment_assume_role_url(uri=environmentUri, groupUri=groupUri)


@is_feature_enabled('core.features.env_aws_actions')
def generate_environment_access_token(context, source, environmentUri: str = None, groupUri: str = None):
credentials = EnvironmentService.generate_environment_access_token(environmentUri=environmentUri, groupUri=groupUri)
credentials = EnvironmentService.generate_environment_access_token(uri=environmentUri, groupUri=groupUri)
return json.dumps(credentials)


Expand All @@ -245,31 +242,33 @@ def delete_environment(context: Context, source, environmentUri: str = None, del


def enable_subscriptions(context: Context, source, environmentUri: str = None, input: dict = None):
EnvironmentService.enable_subscriptions(environmentUri, input)
EnvironmentService.enable_subscriptions(uri=environmentUri, input=input)
StackService.deploy_stack(targetUri=environmentUri)
return True


def disable_subscriptions(context: Context, source, environmentUri: str = None):
EnvironmentService.disable_subscriptions(environmentUri)
EnvironmentService.disable_subscriptions(uri=environmentUri)
StackService.deploy_stack(targetUri=environmentUri)
return True


def get_pivot_role_template(context: Context, source, organizationUri=None):
return EnvironmentService.get_template_from_resource_bucket(organizationUri, 'pivot_role_prefix')
return EnvironmentService.get_template_from_resource_bucket(uri=organizationUri, template_name='pivot_role_prefix')


def get_cdk_exec_policy_template(context: Context, source, organizationUri=None):
return EnvironmentService.get_template_from_resource_bucket(organizationUri, 'cdk_exec_policy_prefix')
return EnvironmentService.get_template_from_resource_bucket(
uri=organizationUri, template_name='cdk_exec_policy_prefix'
)


def get_external_id(context: Context, source, organizationUri=None):
return EnvironmentService.get_external_id(organizationUri)
return EnvironmentService.get_external_id(uri=organizationUri)


def get_pivot_role_name(context: Context, source, organizationUri=None):
return EnvironmentService.get_pivot_role(organizationUri)
return EnvironmentService.get_pivot_role(uri=organizationUri)


def resolve_environment(context, source, **kwargs):
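Review bot: The resolvers `get_environment_assume_role_url`, `generate_environment_access_token`, `enable_subscriptions`, `disable_subscriptions`, `get_pivot_role_template`, `get_cdk_exec_policy_template`, `get_external_id` and `get_pivot_role_name` still declare their URI parameters as optional (`environmentUri: str = None`, `organizationUri=None`) while forwarding them as `uri=` to service methods whose `uri` is now a required positional parameter guarded by `has_resource_permission`; a request that omits the argument therefore reaches the authorization decorator with `uri=None`, and what the decorator does with a null resource URI is not visible in this diff. Making the resolver parameters required, e.g. `def disable_subscriptions(context: Context, source, environmentUri: str):`, lets such a request fail before any permission lookup — or, if the GraphQL schema keeps those arguments nullable, reject `None` explicitly before calling the service. The new `get_trust_account(context: Context, source, organizationUri)` already takes the required form and matches the `NonNullableType` argument added in queries.py. `create_environment` at the end of the first hunk and `resolve_environment` at the end of the last one continue outside the hunks.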
146 changes: 50 additions & 96 deletions backend/dataall/core/environment/services/environment_service.py
Expand Up @@ -135,7 +135,7 @@ def validate_org_group(org_uri, group, session):

class EnvironmentService:
@staticmethod
def validate_permissions(session, uri, g_permissions, group):
def _validate_permissions(session, uri, g_permissions, group):
"""
g_permissions: coming from frontend = ENVIRONMENT_INVITATION_REQUEST

Expand All @@ -160,15 +160,15 @@ def validate_permissions(session, uri, g_permissions, group):
)

@staticmethod
def get_pivot_role_as_part_of_environment():
def _get_pivot_role_as_part_of_environment():
ssm_param = ParameterStoreManager.get_parameter_value(
region=os.getenv('AWS_REGION', 'eu-west-1'),
parameter_path=f"/dataall/{os.getenv('envname', 'local')}/pivotRole/enablePivotRoleAutoCreate",
)
return ssm_param == 'True'

@staticmethod
def check_cdk_resources(account_id, region, data) -> str:
def _check_cdk_resources(account_id, region, data) -> str:
"""
Check if all necessary cdk resources exists in the account
:return : pivot role name
Expand All @@ -181,7 +181,7 @@ def check_cdk_resources(account_id, region, data) -> str:

log.info('Checking cdk resources for environment.')

pivot_role_as_part_of_environment = EnvironmentService.get_pivot_role_as_part_of_environment()
pivot_role_as_part_of_environment = EnvironmentService._get_pivot_role_as_part_of_environment()
log.info(f'Pivot role as part of environment = {pivot_role_as_part_of_environment}')

cdk_look_up_role_arn = SessionHelper.get_cdk_look_up_role_arn(accountid=account_id, region=region)
Expand Down Expand Up @@ -216,14 +216,19 @@ def check_cdk_resources(account_id, region, data) -> str:

return cdk_role_name

@staticmethod
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_trust_account(uri):
return SessionHelper.get_account()

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def create_environment(uri, data=None):
context = get_context()
with context.db_engine.scoped_session() as session:
EnvironmentRequestValidationService.validate_creation_params(data, uri, session)
cdk_role_name = EnvironmentService.check_cdk_resources(data.get('AwsAccountId'), data.get('region'), data)
cdk_role_name = EnvironmentService._check_cdk_resources(data.get('AwsAccountId'), data.get('region'), data)
env = Environment(
organizationUri=data.get('organizationUri'),
label=data.get('label', 'Unnamed'),
Expand Down Expand Up @@ -323,7 +328,7 @@ def update_environment(uri, data=None):
with get_context().db_engine.scoped_session() as session:
environment = EnvironmentService.get_environment_by_uri(session, uri)
previous_resource_prefix = environment.resourcePrefix
EnvironmentService.check_cdk_resources(
EnvironmentService._check_cdk_resources(
account_id=environment.AwsAccountId, region=environment.region, data=data
)

Expand Down Expand Up @@ -366,7 +371,7 @@ def invite_group(uri, data=None) -> (Environment, EnvironmentGroup):
group: str = data['groupUri']

with get_context().db_engine.scoped_session() as session:
EnvironmentService.validate_permissions(session, uri, data['permissions'], group)
EnvironmentService._validate_permissions(session, uri, data['permissions'], group)

environment = EnvironmentService.get_environment_by_uri(session, uri)

Expand Down Expand Up @@ -493,7 +498,7 @@ def update_group_permissions(uri, data=None):
group = data['groupUri']

with get_context().db_engine.scoped_session() as session:
EnvironmentService.validate_permissions(session, uri, data['permissions'], group)
EnvironmentService._validate_permissions(session, uri, data['permissions'], group)

environment = EnvironmentService.get_environment_by_uri(session, uri)

Expand Down Expand Up @@ -521,7 +526,7 @@ def update_group_permissions(uri, data=None):

@staticmethod
@ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS)
def list_group_permissions(session, uri, group_uri):
def list_group_permissions(uri, group_uri):
# the permission checked
with get_context().db_engine.scoped_session() as session:
return EnvironmentService.list_group_permissions_internal(session, uri, group_uri)
Expand Down Expand Up @@ -924,7 +929,7 @@ def get_boolean_env_param(session, env: Environment, param: str) -> bool:
return param is not None and param.value.lower() == 'true'

@staticmethod
def is_user_invited(uri):
def _is_user_invited(uri):
context = get_context()
with context.db_engine.scoped_session() as session:
return EnvironmentRepository.is_user_invited_to_environment(session=session, groups=context.groups, uri=uri)
Expand All @@ -935,23 +940,17 @@ def resolve_user_role(environment: Environment):
return EnvironmentPermission.Owner.value
elif environment.SamlGroupName in get_context().groups:
return EnvironmentPermission.Admin.value
elif EnvironmentService.is_user_invited(environment.environmentUri):
elif EnvironmentService._is_user_invited(environment.environmentUri):
return EnvironmentPermission.Invited.value
return EnvironmentPermission.NotInvited.value

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def enable_subscriptions(environmentUri: str = None, input: dict = None):
@ResourcePolicyService.has_resource_permission(ENABLE_ENVIRONMENT_SUBSCRIPTIONS)
def enable_subscriptions(uri, input: dict = None):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
environment = EnvironmentService.get_environment_by_uri(session, uri)
if input.get('producersTopicArn'):
environment.subscriptionsProducersTopicName = input.get('producersTopicArn')
environment.subscriptionsProducersTopicImported = True
Expand All @@ -977,17 +976,11 @@ def enable_subscriptions(environmentUri: str = None, input: dict = None):

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def disable_subscriptions(environment_uri: str = None):
@ResourcePolicyService.has_resource_permission(ENABLE_ENVIRONMENT_SUBSCRIPTIONS)
def disable_subscriptions(uri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environment_uri,
permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
)
environment = EnvironmentService.get_environment_by_uri(session, environment_uri)
environment = EnvironmentService.get_environment_by_uri(session, uri)

environment.subscriptionsConsumersTopicName = None
environment.subscriptionsConsumersTopicImported = False
Expand Down Expand Up @@ -1039,20 +1032,11 @@ def _get_environment_group_aws_session(session, username, groups, environment, g

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def get_environment_assume_role_url(
environmentUri: str = None,
groupUri: str = None,
):
@ResourcePolicyService.has_resource_permission(CREDENTIALS_ENVIRONMENT)
def get_environment_assume_role_url(uri, groupUri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=CREDENTIALS_ENVIRONMENT,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
environment = EnvironmentService.get_environment_by_uri(session, uri)
url = SessionHelper.get_console_access_url(
EnvironmentService._get_environment_group_aws_session(
session=session,
Expand All @@ -1067,17 +1051,11 @@ def get_environment_assume_role_url(

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def generate_environment_access_token(environmentUri: str = None, groupUri: str = None):
@ResourcePolicyService.has_resource_permission(CREDENTIALS_ENVIRONMENT)
def generate_environment_access_token(uri, groupUri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=CREDENTIALS_ENVIRONMENT,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
environment = EnvironmentService.get_environment_by_uri(session, uri)
c = EnvironmentService._get_environment_group_aws_session(
session=session,
username=context.username,
Expand All @@ -1092,16 +1070,8 @@ def generate_environment_access_token(environmentUri: str = None, groupUri: str
}

@staticmethod
def get_pivot_role(organization_uri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organization_uri,
permission_name=GET_ORGANIZATION,
)
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_pivot_role(uri):
pivot_role_name = SessionHelper.get_delegation_role_name(region='<REGION>')
if not pivot_role_name:
raise exceptions.AWSResourceNotFound(
Expand All @@ -1111,47 +1081,31 @@ def get_pivot_role(organization_uri):
return pivot_role_name

@staticmethod
def get_external_id(organization_uri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organization_uri,
permission_name=GET_ORGANIZATION,
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_external_id(uri):
external_id = SessionHelper.get_external_id_secret()
if not external_id:
raise exceptions.AWSResourceNotFound(
action='GET_EXTERNAL_ID',
message='External Id could not be found on AWS Secretsmanager',
)
external_id = SessionHelper.get_external_id_secret()
if not external_id:
raise exceptions.AWSResourceNotFound(
action='GET_EXTERNAL_ID',
message='External Id could not be found on AWS Secretsmanager',
)
return external_id
return external_id

@staticmethod
def get_template_from_resource_bucket(organization_uri, template_name):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organization_uri,
permission_name=GET_ORGANIZATION,
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_template_from_resource_bucket(uri, template_name):
envname = os.getenv('envname', 'local')
region = os.getenv('AWS_REGION', 'eu-central-1')

resource_bucket = Parameter().get_parameter(env=envname, path='s3/resources_bucket_name')
template_key = Parameter().get_parameter(env=envname, path=f's3/{template_name}')
if not resource_bucket or not template_key:
raise AWSResourceNotFound(
action='GET_TEMPLATE',
message=f'{template_name} Yaml template file could not be found on Amazon S3 bucket',
)
envname = os.getenv('envname', 'local')
region = os.getenv('AWS_REGION', 'eu-central-1')

resource_bucket = Parameter().get_parameter(env=envname, path='s3/resources_bucket_name')
template_key = Parameter().get_parameter(env=envname, path=f's3/{template_name}')
if not resource_bucket or not template_key:
raise AWSResourceNotFound(
action='GET_TEMPLATE',
message=f'{template_name} Yaml template file could not be found on Amazon S3 bucket',
)

return S3_client.get_presigned_url(region, resource_bucket, template_key)
return S3_client.get_presigned_url(region, resource_bucket, template_key)

@staticmethod
@ResourcePolicyService.has_resource_permission(environment_permissions.GET_ENVIRONMENT)
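Review bot: `get_template_from_resource_bucket` interpolates `template_name` into the parameter-store path `f's3/{template_name}'` without validating it; the only callers shown pass the constants `'pivot_role_prefix'` and `'cdk_exec_policy_prefix'`, but the service method itself, now reachable through the decorator by any caller holding `LINK_ENVIRONMENT` on the organization, accepts any string and returns a presigned URL for whatever key that path resolves to. Add an explicit allowlist before the lookups, e.g. `if template_name not in ('pivot_role_prefix', 'cdk_exec_policy_prefix'): raise ValueError(f'Unknown template {template_name}')` (or the project's own input-validation exception if one exists). The same hunks switch `get_pivot_role`, `get_external_id` and the template lookup from an inline `GET_ORGANIZATION` check to `has_resource_permission(LINK_ENVIRONMENT)`, and `uri` is otherwise unused in their bodies, so a one-line docstring on each stating that `uri` is the organization URI consumed only by the authorization decorator would record that intent for the next maintainer. Separately, `enable_subscriptions` keeps `input: dict = None` and then calls `input.get('producersTopicArn')` unguarded, so an omitted `input` raises `AttributeError` after the permission check has already passed; `input = input or {}` at the top of the body avoids that. Several of these methods' bodies continue outside their hunks.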
3 changes: 1 addition & 2 deletions backend/dataall/core/groups/api/resolvers.py
Expand Up @@ -14,8 +14,7 @@
def resolve_group_environment_permissions(context, source, environmentUri):
if not source:
return None
with context.engine.scoped_session() as session:
return EnvironmentService.list_group_permissions(session=session, uri=environmentUri, group_uri=source.groupUri)
return EnvironmentService.list_group_permissions(uri=environmentUri, group_uri=source.groupUri)


def resolve_group_tenant_permissions(context, source):