fix(api): don't change workflow permission for as-code (#6090)

fsamin · web-flow · commit b9151b42e573 · 2022-02-16T17:12:45.000+01:00
diff --git a/engine/api/ascode.go b/engine/api/ascode.go
@@ -130,6 +130,10 @@ func (api *API) postPerformImportAsCodeHandler() service.Handler {
 		key := vars[permProjectKey]
 		uuid := vars["uuid"]
 
+		if isService(ctx) {
+			return sdk.ErrForbidden
+		}
+
 		if uuid == "" {
 			return sdk.NewErrorFrom(sdk.ErrWrongRequest, "invalid given operation uuid")
 		}
diff --git a/engine/api/workflow/dao.go b/engine/api/workflow/dao.go
@@ -352,7 +352,7 @@ func Insert(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store cache.St
 			return sdk.WrapError(err, "Unable to update workflow")
 		}
 	} else {
-		log.Debug(ctx, "postWorkflowHandler> inherit permissions from project")
+		log.Debug(ctx, "inherit permissions from project")
 		for _, gp := range proj.ProjectGroups {
 			if err := group.AddWorkflowGroup(ctx, db, w, gp); err != nil {
 				return sdk.WrapError(err, "Cannot add group %s", gp.Group.Name)
diff --git a/engine/api/workflow/repository.go b/engine/api/workflow/repository.go
@@ -125,7 +125,7 @@ func extractWorkflow(ctx context.Context, db *gorp.DbMap, store cache.Store, p *
 	if err != nil {
 		return nil, allMsgs, err
 	}
-	msgPush, workflowPushed, _, secrets, err := Push(ctx, db, store, p, data, opt, consumer, decryptFunc)
+	msgPush, workflowPushed, _, secrets, err := Push(ctx, db, store, p, data, opt, &consumer, decryptFunc)
 	// Filter workflow push message if generated from template
 	for i := range msgPush {
 		if wti != nil && msgPush[i].ID == sdk.MsgWorkflowDeprecatedVersion.ID {
diff --git a/engine/api/workflow/workflow_importer.go b/engine/api/workflow/workflow_importer.go
@@ -18,7 +18,7 @@ import (
 )
 
 //Import is able to create a new workflow and all its components
-func Import(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store cache.Store, proj sdk.Project, oldW, w *sdk.Workflow, u sdk.Identifiable, force bool, msgChan chan<- sdk.Message) error {
+func Import(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store cache.Store, proj sdk.Project, oldW, w *sdk.Workflow, u sdk.Identifiable, opts ImportOptions, msgChan chan<- sdk.Message) error {
 	ctx, end := telemetry.Span(ctx, "workflow.Import")
 	defer end()
 
@@ -29,6 +29,30 @@ func Import(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store cache.St
 		w.WorkflowData.Node.Context = &sdk.NodeContext{}
 	}
 
+	// If the import is not done by a direct user (ie. from a hook or if the content is coming from a repository)
+	// We don't take permission in account and we only keep permission of the oldWorkflow or projet permission
+	if opts.HookUUID != "" || opts.RepositoryName != "" {
+		log.Info(ctx, "Import is perform from 'as-code', we don't take groups in account (hookUUID=%q, repository=%q)", opts.HookUUID, opts.RepositoryName)
+		// reset permissions at the workflow level
+		w.Groups = nil
+		if oldW != nil {
+			w.Groups = oldW.Groups
+		}
+		// reset permissions at the node level
+		w.VisitNode(func(n *sdk.Node, w *sdk.Workflow) {
+			n.Groups = nil
+			if oldW != nil {
+				oldN := oldW.WorkflowData.NodeByName(n.Name)
+				if oldN != nil {
+					n.Groups = oldN.Groups
+				}
+			}
+		})
+	} else {
+		// The import is triggered by a user, we have to check the groups
+		// FIXME: call the same function than the handlers
+	}
+
 	// create the workflow if not exists
 	if oldW == nil {
 		if err := Insert(ctx, db, store, proj, w); err != nil {
@@ -44,11 +68,11 @@ func Import(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store cache.St
 		w.Icon = oldW.Icon
 	}
 
-	if !force {
+	if !opts.Force {
 		return sdk.NewErrorFrom(sdk.ErrAlreadyExist, "workflow exists")
 	}
 
-	if force && oldW != nil && oldW.FromRepository != "" && w.FromRepository == "" {
+	if opts.Force && oldW != nil && oldW.FromRepository != "" && w.FromRepository == "" {
 		if err := detachResourceFromRepository(db, proj.ID, oldW, msgChan); err != nil {
 			return err
 		}
diff --git a/engine/api/workflow/workflow_importer_test.go b/engine/api/workflow/workflow_importer_test.go
@@ -483,7 +483,7 @@ func TestImport(t *testing.T) {
 				}
 			}
 
-			if err := workflow.Import(context.TODO(), db, cache, *proj, wf, tt.args.w, u, tt.args.force, nil); err != nil {
+			if err := workflow.Import(context.TODO(), db, cache, *proj, wf, tt.args.w, u, workflow.ImportOptions{Force: tt.args.force}, nil); err != nil {
 				if !tt.wantErr {
 					t.Errorf("Import() error = %v, wantErr %v", err, tt.wantErr)
 				} else {
diff --git a/engine/api/workflow/workflow_parser.go b/engine/api/workflow/workflow_parser.go
@@ -204,7 +204,7 @@ func ParseAndImport(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store
 		}
 	}(&msgList)
 
-	globalError := Import(ctx, db, store, proj, oldW, w, u, opts.Force, msgChan)
+	globalError := Import(ctx, db, store, proj, oldW, w, u, opts, msgChan)
 	close(msgChan)
 	done.Wait()
 
diff --git a/engine/api/workflow_ascode_test.go b/engine/api/workflow_ascode_test.go
diff --git a/engine/api/workflow_import.go b/engine/api/workflow_import.go

Original file line number	Diff line number	Diff line change
`@@ -352,7 +352,7 @@ func Insert(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store cache.St`
`352`	`352`	`return sdk.WrapError(err, "Unable to update workflow")`
`353`	`353`	`}`
`354`	`354`	`} else {`
`355`		`- log.Debug(ctx, "postWorkflowHandler> inherit permissions from project")`
	`355`	`+ log.Debug(ctx, "inherit permissions from project")`
`356`	`356`	`for _, gp := range proj.ProjectGroups {`
`357`	`357`	`if err := group.AddWorkflowGroup(ctx, db, w, gp); err != nil {`
`358`	`358`	`return sdk.WrapError(err, "Cannot add group %s", gp.Group.Name)`
Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ func extractWorkflow(ctx context.Context, db gorp.DbMap, store cache.Store, p `
`125`	`125`	`if err != nil {`
`126`	`126`	`return nil, allMsgs, err`
`127`	`127`	`}`
`128`		`- msgPush, workflowPushed, _, secrets, err := Push(ctx, db, store, p, data, opt, consumer, decryptFunc)`
	`128`	`+ msgPush, workflowPushed, _, secrets, err := Push(ctx, db, store, p, data, opt, &consumer, decryptFunc)`
`129`	`129`	`// Filter workflow push message if generated from template`
`130`	`130`	`for i := range msgPush {`
`131`	`131`	`if wti != nil && msgPush[i].ID == sdk.MsgWorkflowDeprecatedVersion.ID {`
Original file line number	Diff line number	Diff line change
`@@ -483,7 +483,7 @@ func TestImport(t *testing.T) {`
`483`	`483`	`}`
`484`	`484`	`}`
`485`	`485`
`486`		`- if err := workflow.Import(context.TODO(), db, cache, *proj, wf, tt.args.w, u, tt.args.force, nil); err != nil {`
	`486`	`+ if err := workflow.Import(context.TODO(), db, cache, *proj, wf, tt.args.w, u, workflow.ImportOptions{Force: tt.args.force}, nil); err != nil {`
`487`	`487`	`if !tt.wantErr {`
`488`	`488`	`t.Errorf("Import() error = %v, wantErr %v", err, tt.wantErr)`
`489`	`489`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ func ParseAndImport(ctx context.Context, db gorpmapper.SqlExecutorWithTx, store`
`204`	`204`	`}`
`205`	`205`	`}(&msgList)`
`206`	`206`
`207`		`- globalError := Import(ctx, db, store, proj, oldW, w, u, opts.Force, msgChan)`
	`207`	`+ globalError := Import(ctx, db, store, proj, oldW, w, u, opts, msgChan)`
`208`	`208`	`close(msgChan)`
`209`	`209`	`done.Wait()`
`210`	`210`