fix(api): permission on worker that are no more linked to an hatchery (#5303)

richardlt · web-flow · commit dae0ac7c4ef4 · 2020-07-07T14:19:10.000+02:00
diff --git a/engine/api/ascode/pull_request.go b/engine/api/ascode/pull_request.go
@@ -51,7 +51,7 @@ func UpdateAsCodeResult(ctx context.Context, db *gorp.DbMap, store cache.Store,
 		if err != nil {
 			globalErr = err
 		}
-		sdk.GoRoutine(context.Background(), fmt.Sprintf("UpdateAsCodeResult-pusblish-as-code-event-%s", asCodeEvent.ID), func(ctx context.Context) {
+		sdk.GoRoutine(context.Background(), fmt.Sprintf("UpdateAsCodeResult-pusblish-as-code-event-%d", asCodeEvent.ID), func(ctx context.Context) {
 			event.PublishAsCodeEvent(ctx, proj.Key, workflowHolder.Name, *asCodeEvent, u)
 		})
 	}
diff --git a/engine/api/worker.go b/engine/api/worker.go
@@ -153,8 +153,11 @@ func (api *API) disableWorkerHandler() service.Handler {
 			if err != nil {
 				return sdk.WrapError(sdk.ErrForbidden, "Cannot disable a worker from this hatchery: %v", err)
 			}
-			if wk.HatcheryID != nil && *wk.HatcheryID != hatcherySrv.ID {
-				return sdk.WrapError(sdk.ErrForbidden, "Cannot disable a worker from hatchery (expected: %d/actual: %d)", wk.HatcheryID, hatcherySrv.ID)
+			if wk.HatcheryID == nil {
+				return sdk.WrapError(sdk.ErrForbidden, "hatchery %d cannot disable worker %s started by %s that is no more linked to an hatchery", hatcherySrv.ID, wk.ID, wk.HatcheryName)
+			}
+			if *wk.HatcheryID != hatcherySrv.ID {
+				return sdk.WrapError(sdk.ErrForbidden, "cannot disable a worker from hatchery (expected: %d/actual: %d)", *wk.HatcheryID, hatcherySrv.ID)
 			}
 		}
 
diff --git a/engine/cdn/cdn_log.go b/engine/cdn/cdn_log.go
@@ -213,12 +213,15 @@ func (s *Service) handleServiceLog(ctx context.Context, hatcheryID int64, hatche
 	_, ok = logCache.Get(workerCacheKey)
 	if !ok {
 		// Verify that the worker has been spawn by this hatchery
-		w, err := worker.LoadWorkerByName(ctx, s.Db, workerName)
+		wk, err := worker.LoadWorkerByName(ctx, s.Db, workerName)
 		if err != nil {
 			return err
 		}
-		if w.HatcheryID != nil && *w.HatcheryID != signature.Service.HatcheryID {
-			return sdk.WrapError(sdk.ErrWrongRequest, "hatchery and worker does not match")
+		if wk.HatcheryID == nil {
+			return sdk.WrapError(sdk.ErrWrongRequest, "hatchery %d cannot send service log for worker %s started by %s that is no more linked to an hatchery", signature.Service.HatcheryID, wk.ID, wk.HatcheryName)
+		}
+		if *wk.HatcheryID != signature.Service.HatcheryID {
+			return sdk.WrapError(sdk.ErrWrongRequest, "cannot send service log for worker %s from hatchery (expected: %d/actual: %d)", wk.ID, *wk.HatcheryID, signature.Service.HatcheryID)
 		}
 		logCache.Set(workerCacheKey, true, gocache.DefaultExpiration)
 	}

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ func UpdateAsCodeResult(ctx context.Context, db *gorp.DbMap, store cache.Store,`
`51`	`51`	`if err != nil {`
`52`	`52`	`globalErr = err`
`53`	`53`	`}`
`54`		`- sdk.GoRoutine(context.Background(), fmt.Sprintf("UpdateAsCodeResult-pusblish-as-code-event-%s", asCodeEvent.ID), func(ctx context.Context) {`
	`54`	`+ sdk.GoRoutine(context.Background(), fmt.Sprintf("UpdateAsCodeResult-pusblish-as-code-event-%d", asCodeEvent.ID), func(ctx context.Context) {`
`55`	`55`	`event.PublishAsCodeEvent(ctx, proj.Key, workflowHolder.Name, *asCodeEvent, u)`
`56`	`56`	`})`
`57`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -153,8 +153,11 @@ func (api *API) disableWorkerHandler() service.Handler {`
`153`	`153`	`if err != nil {`
`154`	`154`	`return sdk.WrapError(sdk.ErrForbidden, "Cannot disable a worker from this hatchery: %v", err)`
`155`	`155`	`}`
`156`		`- if wk.HatcheryID != nil && *wk.HatcheryID != hatcherySrv.ID {`
`157`		`- return sdk.WrapError(sdk.ErrForbidden, "Cannot disable a worker from hatchery (expected: %d/actual: %d)", wk.HatcheryID, hatcherySrv.ID)`
	`156`	`+ if wk.HatcheryID == nil {`
	`157`	`+ return sdk.WrapError(sdk.ErrForbidden, "hatchery %d cannot disable worker %s started by %s that is no more linked to an hatchery", hatcherySrv.ID, wk.ID, wk.HatcheryName)`
	`158`	`+ }`
	`159`	`+ if *wk.HatcheryID != hatcherySrv.ID {`
	`160`	`+ return sdk.WrapError(sdk.ErrForbidden, "cannot disable a worker from hatchery (expected: %d/actual: %d)", *wk.HatcheryID, hatcherySrv.ID)`
`158`	`161`	`}`
`159`	`162`	`}`
`160`	`163`
Original file line number	Diff line number	Diff line change
`@@ -213,12 +213,15 @@ func (s *Service) handleServiceLog(ctx context.Context, hatcheryID int64, hatche`
`213`	`213`	`_, ok = logCache.Get(workerCacheKey)`
`214`	`214`	`if !ok {`
`215`	`215`	`// Verify that the worker has been spawn by this hatchery`
`216`		`- w, err := worker.LoadWorkerByName(ctx, s.Db, workerName)`
	`216`	`+ wk, err := worker.LoadWorkerByName(ctx, s.Db, workerName)`
`217`	`217`	`if err != nil {`
`218`	`218`	`return err`
`219`	`219`	`}`
`220`		`- if w.HatcheryID != nil && *w.HatcheryID != signature.Service.HatcheryID {`
`221`		`- return sdk.WrapError(sdk.ErrWrongRequest, "hatchery and worker does not match")`
	`220`	`+ if wk.HatcheryID == nil {`
	`221`	`+ return sdk.WrapError(sdk.ErrWrongRequest, "hatchery %d cannot send service log for worker %s started by %s that is no more linked to an hatchery", signature.Service.HatcheryID, wk.ID, wk.HatcheryName)`
	`222`	`+ }`
	`223`	`+ if *wk.HatcheryID != signature.Service.HatcheryID {`
	`224`	`+ return sdk.WrapError(sdk.ErrWrongRequest, "cannot send service log for worker %s from hatchery (expected: %d/actual: %d)", wk.ID, *wk.HatcheryID, signature.Service.HatcheryID)`
`222`	`225`	`}`
`223`	`226`	`logCache.Set(workerCacheKey, true, gocache.DefaultExpiration)`
`224`	`227`	`}`