fix(api): check rbac permission before deleting hatchery and region (#6428)

Author: sguiheux

engine/api/rbac/dao_rbac.go

@@ -5,6 +5,7 @@ import (
 	"time"
 
 	"github.com/go-gorp/gorp"
+	"github.com/lib/pq"
 	"github.com/rockbears/log"
 
 	"github.com/ovh/cds/engine/api/database/gorpmapping"
@@ -22,6 +23,11 @@ func LoadRBACByID(ctx context.Context, db gorp.SqlExecutor, id string, opts ...L
 	return get(ctx, db, gorpmapping.NewQuery(query).Args(id), opts...)
 }
 
+func LoadRBACByIDs(ctx context.Context, db gorp.SqlExecutor, IDs sdk.StringSlice, opts ...LoadOptionFunc) ([]sdk.RBAC, error) {
+	query := `SELECT * FROM rbac WHERE id = ANY ($1)`
+	return getAll(ctx, db, gorpmapping.NewQuery(query).Args(pq.StringArray(IDs)), opts...)
+}
+
 // Insert a RBAC permission in database
 func Insert(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rb *sdk.RBAC) error {
 	if err := sdk.IsValidRBAC(rb); err != nil {
@@ -94,6 +100,32 @@ func Delete(_ context.Context, db gorpmapper.SqlExecutorWithTx, rb sdk.RBAC) err
 	return nil
 }
 
+func getAll(ctx context.Context, db gorp.SqlExecutor, q gorpmapping.Query, opts ...LoadOptionFunc) ([]sdk.RBAC, error) {
+	var rs []sdk.RBAC
+	var rbacsDB []rbac
+	if err := gorpmapping.GetAll(ctx, db, q, &rbacsDB); err != nil {
+		return nil, err
+	}
+
+	for _, rbac := range rbacsDB {
+		isValid, err := gorpmapping.CheckSignature(rbac, rbac.Signature)
+		if err != nil {
+			return nil, sdk.WrapError(err, "error when checking signature for rbac %s", rbac.ID)
+		}
+		if !isValid {
+			log.Error(ctx, "rbac.get> rbac %s (%s) data corrupted", rbac.Name, rbac.ID)
+			continue
+		}
+		for _, f := range opts {
+			if err := f(ctx, db, &rbac); err != nil {
+				return nil, err
+			}
+		}
+		rs = append(rs, rbac.RBAC)
+	}
+	return rs, nil
+}
+
 func get(ctx context.Context, db gorp.SqlExecutor, q gorpmapping.Query, opts ...LoadOptionFunc) (*sdk.RBAC, error) {
 	var r sdk.RBAC
 	var rbacDB rbac

engine/api/rbac/dao_rbac_hatchery.go

@@ -3,6 +3,10 @@ package rbac
 import (
 	"context"
 
+	"github.com/go-gorp/gorp"
+	"github.com/ovh/cds/sdk"
+	"github.com/rockbears/log"
+
 	"github.com/ovh/cds/engine/api/database/gorpmapping"
 	"github.com/ovh/cds/engine/gorpmapper"
 )
@@ -13,3 +17,54 @@ func insertRBACHatchery(ctx context.Context, db gorpmapper.SqlExecutorWithTx, rb
 	}
 	return nil
 }
+
+func getAllRBACHatchery(ctx context.Context, db gorp.SqlExecutor, q gorpmapping.Query) ([]rbacHatchery, error) {
+	var rbacHatcheries []rbacHatchery
+	if err := gorpmapping.GetAll(ctx, db, q, &rbacHatcheries); err != nil {
+		return nil, err
+	}
+
+	hatcheriesFiltered := make([]rbacHatchery, 0, len(rbacHatcheries))
+	for _, rbacHatch := range rbacHatcheries {
+		isValid, err := gorpmapping.CheckSignature(rbacHatch, rbacHatch.Signature)
+		if err != nil {
+			return nil, sdk.WrapError(err, "error when checking signature for rbac_hatchery %d", rbacHatch.ID)
+		}
+		if !isValid {
+			log.Error(ctx, "rbac.getAllRBACHatchery> rbac_hatchery %d data corrupted", rbacHatch.ID)
+			continue
+		}
+		hatcheriesFiltered = append(hatcheriesFiltered, rbacHatch)
+	}
+	return hatcheriesFiltered, nil
+}
+
+func LoadRBACByHatcheryID(ctx context.Context, db gorp.SqlExecutor, hatcheryID string) ([]sdk.RBAC, error) {
+	query := gorpmapping.NewQuery(`SELECT * FROM rbac_hatchery WHERE hatchery_id = $1`).Args(hatcheryID)
+	rbHatcheries, err := getAllRBACHatchery(ctx, db, query)
+	if err != nil {
+		return nil, err
+	}
+	rbacIDs := make(sdk.StringSlice, 0)
+	for _, rh := range rbHatcheries {
+		rbacIDs = append(rbacIDs, rh.RbacID)
+	}
+	rbacIDs.Unique()
+
+	return LoadRBACByIDs(ctx, db, rbacIDs, LoadOptions.All)
+
+}
+
+func loadRBacIDsByHatcheryRegionID(ctx context.Context, db gorp.SqlExecutor, regionID string) ([]string, error) {
+	query := gorpmapping.NewQuery(`SELECT * FROM rbac_hatchery WHERE region_id = $1`).Args(regionID)
+	rbHatcheries, err := getAllRBACHatchery(ctx, db, query)
+	if err != nil {
+		return nil, err
+	}
+	rbacIDs := make(sdk.StringSlice, 0)
+	for _, rh := range rbHatcheries {
+		rbacIDs = append(rbacIDs, rh.RbacID)
+	}
+	rbacIDs.Unique()
+	return rbacIDs, nil
+}

engine/api/rbac/dao_rbac_region.go

@@ -57,7 +57,6 @@ func getAllRBACRegions(ctx context.Context, db gorp.SqlExecutor, q gorpmapping.Q
 
 func LoadRegionIDsByRoleAndUserID(ctx context.Context, db gorp.SqlExecutor, role string, userID string) ([]sdk.RBACRegion, error) {
 	// Get rbac_region_groups
-
 	rbacRegionGroups, err := loadRBACRegionGroupsByUserID(ctx, db, userID)
 	if err != nil {
 		return nil, err
@@ -105,3 +104,24 @@ func loadRBACRegionOnAllUsers(ctx context.Context, db gorp.SqlExecutor, role str
 	q := gorpmapping.NewQuery("SELECT * from rbac_region WHERE role = $1 AND all_users = true").Args(role)
 	return getAllRBACRegions(ctx, db, q)
 }
+
+func LoadRBACByRegionID(ctx context.Context, db gorp.SqlExecutor, regionID string) ([]sdk.RBAC, error) {
+	query := gorpmapping.NewQuery(`SELECT * FROM rbac_region WHERE region_id = $1`).Args(regionID)
+	rbRegions, err := getAllRBACRegions(ctx, db, query)
+	if err != nil {
+		return nil, err
+	}
+	rbacIDs := make(sdk.StringSlice, 0)
+	for _, rg := range rbRegions {
+		rbacIDs = append(rbacIDs, rg.RbacID)
+	}
+
+	ids, err := loadRBacIDsByHatcheryRegionID(ctx, db, regionID)
+	if err != nil {
+		return nil, err
+	}
+	rbacIDs = append(rbacIDs, ids...)
+	rbacIDs.Unique()
+	return LoadRBACByIDs(ctx, db, rbacIDs, LoadOptions.All)
+
+}

engine/api/rbac/loader.go

@@ -20,12 +20,14 @@ var LoadOptions = struct {
 	LoadRBACProject  LoadOptionFunc
 	LoadRBACHatchery LoadOptionFunc
 	LoadRBACRegion   LoadOptionFunc
+	All              LoadOptionFunc
 }{
 	Default:          loadDefault,
 	LoadRBACGlobal:   loadRBACGlobal,
 	LoadRBACProject:  loadRBACProject,
 	LoadRBACHatchery: loadRBACHatchery,
 	LoadRBACRegion:   loadRBACRegion,
+	All:              loadAll,
 }
 
 func loadDefault(ctx context.Context, db gorp.SqlExecutor, rbac *rbac) error {
@@ -38,6 +40,22 @@ func loadDefault(ctx context.Context, db gorp.SqlExecutor, rbac *rbac) error {
 	return nil
 }
 
+func loadAll(ctx context.Context, db gorp.SqlExecutor, rbac *rbac) error {
+	if err := loadRBACGlobal(ctx, db, rbac); err != nil {
+		return err
+	}
+	if err := loadRBACProject(ctx, db, rbac); err != nil {
+		return err
+	}
+	if err := loadRBACRegion(ctx, db, rbac); err != nil {
+		return err
+	}
+	if err := loadRBACHatchery(ctx, db, rbac); err != nil {
+		return err
+	}
+	return nil
+}
+
 func loadRBACProject(ctx context.Context, db gorp.SqlExecutor, rbac *rbac) error {
 	query := "SELECT * FROM rbac_project WHERE rbac_id = $1"
 	var rbacProjects []rbacProject

engine/api/v2_hatchery.go

@@ -10,6 +10,7 @@ import (
 	"github.com/ovh/cds/engine/api/authentication"
 	hatch_auth "github.com/ovh/cds/engine/api/authentication/hatchery"
 	"github.com/ovh/cds/engine/api/hatchery"
+	"github.com/ovh/cds/engine/api/rbac"
 	"github.com/ovh/cds/engine/service"
 	"github.com/ovh/cds/sdk"
 )
@@ -150,7 +151,12 @@ func (api *API) deleteHatcheryHandler() ([]service.RbacChecker, service.Handler)
 			vars := mux.Vars(req)
 			hatcheryIdentifier := vars["hatcheryIdentifier"]
 
-			reg, err := api.getHatcheryByIdentifier(ctx, hatcheryIdentifier)
+			hatch, err := api.getHatcheryByIdentifier(ctx, hatcheryIdentifier)
+			if err != nil {
+				return err
+			}
+
+			hatcheryPermissions, err := rbac.LoadRBACByHatcheryID(ctx, api.mustDB(), hatch.ID)
 			if err != nil {
 				return err
 			}
@@ -161,7 +167,28 @@ func (api *API) deleteHatcheryHandler() ([]service.RbacChecker, service.Handler)
 			}
 			defer tx.Rollback() // nolint
 
-			if err := hatchery.Delete(tx, reg.ID); err != nil {
+			// Remove all permissions on this hatchery
+			for _, rbacPerm := range hatcheryPermissions {
+				rbacHatcheries := make([]sdk.RBACHatchery, 0)
+				for _, h := range rbacPerm.Hatcheries {
+					if h.HatcheryID != hatch.ID {
+						rbacHatcheries = append(rbacHatcheries, h)
+					}
+				}
+				rbacPerm.Hatcheries = rbacHatcheries
+
+				if rbacPerm.IsEmpty() {
+					if err := rbac.Delete(ctx, tx, rbacPerm); err != nil {
+						return err
+					}
+				} else {
+					if err := rbac.Update(ctx, tx, &rbacPerm); err != nil {
+						return err
+					}
+				}
+			}
+
+			if err := hatchery.Delete(tx, hatch.ID); err != nil {
 				return err
 			}
 			return sdk.WithStack(tx.Commit())

engine/api/v2_hatchery_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/ovh/cds/engine/api/region"
 	"net/http/httptest"
 	"testing"
 	"time"
@@ -67,6 +68,7 @@ func Test_crudHatchery(t *testing.T) {
 	api, db, _ := newTestAPI(t)
 
 	db.Exec("DELETE FROM hatchery")
+	db.Exec("DELETE FROM rbac")
 
 	u, pass := assets.InsertLambdaUser(t, db)
 
@@ -123,6 +125,23 @@ global:
 	require.NoError(t, json.Unmarshal(wSignin.Body.Bytes(), &authSigninResponse))
 	require.NotEmpty(t, authSigninResponse.Token)
 
+	reg := sdk.Region{Name: sdk.RandomString(10)}
+	require.NoError(t, region.Insert(context.TODO(), db, &reg))
+
+	// Add RBAC
+	r1 := fmt.Sprintf(`name: perm-hatchery-only
+hatcheries:
+  - role: %s
+    hatchery: %s
+    region: %s
+`, sdk.HatcheryRoleSpawn, hatcheryGet.Name, reg.Name)
+	var rbac1 sdk.RBAC
+	require.NoError(t, yaml.Unmarshal([]byte(r1), &rbac1))
+	rLoader := NewRBACLoader(db)
+	rLoader.FillRBACWithIDs(context.TODO(), &rbac1)
+
+	require.NoError(t, rbac.Insert(context.TODO(), db, &rbac1))
+
 	// Then Delete hatchery
 	uriDelete := api.Router.GetRouteV2("DELETE", api.deleteHatcheryHandler, map[string]string{"hatcheryIdentifier": h.Name})
 	test.NotEmpty(t, uriDelete)
@@ -142,4 +161,9 @@ global:
 	var hs []sdk.Hatchery
 	require.NoError(t, json.Unmarshal(wList.Body.Bytes(), &hs))
 	require.Len(t, hs, 0)
+
+	// Check rbac deletion
+	_, err := rbac.LoadRBACByName(context.TODO(), db, rbac1.Name, rbac.LoadOptions.All)
+	require.Error(t, err)
+	require.True(t, sdk.ErrorIs(err, sdk.ErrNotFound))
 }

engine/api/v2_rbac.go

@@ -267,7 +267,7 @@ func (rl *RBACLoader) fillRBACRegionWithNames(ctx context.Context, rbacRegion *s
 	rbacRegion.RBACGroupsName = make([]string, 0, len(rbacRegion.RBACGroupsIDs))
 	for _, groupID := range rbacRegion.RBACGroupsIDs {
 		groupName := rl.groupCache[groupID]
-		if groupID == 0 {
+		if groupName == "" {
 			groupDB, err := group.LoadByID(ctx, rl.db, groupID)
 			if err != nil {
 				return err

engine/api/v2_region.go

@@ -108,12 +108,45 @@ func (api *API) deleteRegionHandler() ([]service.RbacChecker, service.Handler) {
 				return err
 			}
 
+			rbacRegions, err := rbac.LoadRBACByRegionID(ctx, api.mustDB(), reg.ID)
+			if err != nil {
+				return err
+			}
+
 			tx, err := api.mustDB().Begin()
 			if err != nil {
 				return sdk.WithStack(err)
 			}
 			defer tx.Rollback() // nolint
 
+			for _, rbacPerm := range rbacRegions {
+				rbacPermRegions := make([]sdk.RBACRegion, 0)
+				for _, r := range rbacPerm.Regions {
+					if r.RegionID != reg.ID {
+						rbacPermRegions = append(rbacPermRegions, r)
+					}
+				}
+				rbacPerm.Regions = rbacPermRegions
+
+				rbacPermHatcheries := make([]sdk.RBACHatchery, 0)
+				for _, h := range rbacPerm.Hatcheries {
+					if h.RegionID != reg.ID {
+						rbacPermHatcheries = append(rbacPermHatcheries, h)
+					}
+				}
+				rbacPerm.Hatcheries = rbacPermHatcheries
+
+				if rbacPerm.IsEmpty() {
+					if err := rbac.Delete(ctx, tx, rbacPerm); err != nil {
+						return err
+					}
+				} else {
+					if err := rbac.Update(ctx, tx, &rbacPerm); err != nil {
+						return err
+					}
+				}
+			}
+
 			if err := region.Delete(tx, reg.ID); err != nil {
 				return err
 			}