fix sae env auth bugs

Signed-off-by: Patrick Zhao <[email protected]>
koderover · Dec 3, 2024 · f52d65b · f52d65b
1 parent 9e3ea14
commit f52d65b
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 40 deletions.
diff --git a/pkg/microservice/aslan/core/environment/handler/environment.go b/pkg/microservice/aslan/core/environment/handler/environment.go
@@ -2934,13 +2934,13 @@ func DeleteSAEEnv(c *gin.Context) {
 
 		if production {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
+				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.Delete {
 				ctx.UnAuthorized = true
 				return
 			}
 		} else {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
+				!ctx.Resources.ProjectAuthInfo[projectKey].Env.Delete {
 				ctx.UnAuthorized = true
 				return
 			}
@@ -2992,31 +2992,33 @@ func ListSAEApps(c *gin.Context) {
 		ctx.RespErr = e.ErrInvalidParam.AddDesc("pageSize must be a number")
 	}
 
-	permitted := false
+	if !ctx.Resources.IsSystemAdmin {
+		if _, ok := ctx.Resources.ProjectAuthInfo[projectKey]; !ok {
+			ctx.UnAuthorized = true
+			return
+		}
 
-	if ctx.Resources.IsSystemAdmin {
-		permitted = true
-	} else if projectedAuthInfo, ok := ctx.Resources.ProjectAuthInfo[projectKey]; ok {
-		if projectedAuthInfo.IsProjectAdmin {
-			permitted = true
-		} else if projectedAuthInfo.Env.View ||
-			projectedAuthInfo.Workflow.Execute {
-			permitted = true
-		} else if collaborationViewEnvPermitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView); err != nil && collaborationViewEnvPermitted {
-			permitted = true
+		if production {
+			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
+				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.View {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionView)
+				if err != nil || !permitted {
+					ctx.UnAuthorized = true
+					return
+				}
+			}
 		} else {
-			collaborationAuthorizedEdit, err := internalhandler.CheckPermissionGivenByCollaborationMode(ctx.UserID, projectKey, types.ResourceTypeWorkflow, types.WorkflowActionRun)
-			if err == nil && collaborationAuthorizedEdit {
-				permitted = true
+			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
+				!ctx.Resources.ProjectAuthInfo[projectKey].Env.View {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionView)
+				if err != nil || !permitted {
+					ctx.UnAuthorized = true
+					return
+				}
 			}
 		}
 	}
 
-	if !permitted {
-		ctx.UnAuthorized = true
-		return
-	}
-
 	ctx.Resp, ctx.RespErr = service.ListSAEApps(regionID, namespace, projectKey, envName, production, appName, isAddApp, int32(currentPage), int32(pageSize), ctx.Logger)
 }
 
@@ -3330,17 +3332,17 @@ func RollbackSAEApp(c *gin.Context) {
 
 		if production {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return
 				}
 			}
 		} else {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].Env.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return
@@ -3713,17 +3715,17 @@ func AbortSAEChangeOrder(c *gin.Context) {
 
 		if production {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return
 				}
 			}
 		} else {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].Env.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return
@@ -3769,17 +3771,17 @@ func RollbackSAEChangeOrder(c *gin.Context) {
 
 		if production {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return
 				}
 			}
 		} else {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].Env.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return
@@ -3825,17 +3827,17 @@ func ConfirmSAEPipelineBatch(c *gin.Context) {
 
 		if production {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].ProductionEnv.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.ProductionEnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return
 				}
 			}
 		} else {
 			if !ctx.Resources.ProjectAuthInfo[projectKey].IsProjectAdmin &&
-				!ctx.Resources.ProjectAuthInfo[projectKey].Env.EditConfig {
-				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionEditConfig)
+				!ctx.Resources.ProjectAuthInfo[projectKey].Env.ManagePods {
+				permitted, err := internalhandler.GetCollaborationModePermission(ctx.UserID, projectKey, types.ResourceTypeEnvironment, envName, types.EnvActionManagePod)
 				if err != nil || !permitted {
 					ctx.UnAuthorized = true
 					return

diff --git a/pkg/microservice/aslan/core/environment/handler/router.go b/pkg/microservice/aslan/core/environment/handler/router.go
@@ -226,9 +226,9 @@ func (*Router) Inject(router *gin.RouterGroup) {
 		environments.GET("sae/namespace", ListSAENamespaces)
 		environments.POST("sae/:name/app", AddSAEServiceToEnv)
 		environments.PUT("sae/:name/app", DeleteSAEServiceFromEnv)
+		environments.POST("sae/:name/app/:appID/serviceBind", BindSAEAppToService)
 		environments.GET("sae/:name/app/:appID/versions", ListSAEAppVersion)
 		environments.POST("sae/:name/app/:appID/restart", RestartSAEApp)
-		environments.POST("sae/:name/app/:appID/serviceBind", BindSAEAppToService)
 		environments.POST("sae/:name/app/:appID/rescale", RescaleSAEApp)
 		environments.POST("sae/:name/app/:appID/rollback", RollbackSAEApp)
 		environments.GET("sae/:name/app/:appID/instance", ListSAEAppInstances)

diff --git a/pkg/microservice/aslan/core/environment/service/sae_env.go b/pkg/microservice/aslan/core/environment/service/sae_env.go
@@ -219,7 +219,7 @@ func DeleteSAEEnv(username string, projectName, envName string, production bool,
 		saeRequest := &sae.UntagResourcesRequest{
 			RegionId:     tea.String(env.RegionID),
 			ResourceType: tea.String("application"),
-			TagKeys:      tea.String(fmt.Sprintf(`["%s","%s"]`, setting.SAEZadigProjectTagKey, setting.SAEZadigEnvTagKey)),
+			TagKeys:      tea.String(fmt.Sprintf(`["%s","%s","%s","%s"]`, setting.SAEZadigProjectTagKey, setting.SAEZadigEnvTagKey, setting.SAEZadigServiceTagKey, setting.SAEZadigServiceModuleTagKey)),
 			ResourceIds:  tea.String(resourceIds),
 		}
 		saeResp, err := saeClient.UntagResources(saeRequest)
@@ -1305,7 +1305,7 @@ func DelSAEAppFromEnv(username string, projectName, envName string, production b
 		saeRequest := &sae.UntagResourcesRequest{
 			RegionId:     tea.String(env.RegionID),
 			ResourceType: tea.String("application"),
-			TagKeys:      tea.String(fmt.Sprintf(`["%s","%s"]`, setting.SAEZadigProjectTagKey, setting.SAEZadigEnvTagKey)),
+			TagKeys:      tea.String(fmt.Sprintf(`["%s","%s","%s","%s"]`, setting.SAEZadigProjectTagKey, setting.SAEZadigEnvTagKey, setting.SAEZadigServiceTagKey, setting.SAEZadigServiceModuleTagKey)),
 			ResourceIds:  tea.String(resourceIds),
 		}
 		saeResp, err := saeClient.UntagResources(saeRequest)