Added necessary rbacs for invite_users and get_project_members API (#…

…4697)

* Added necessary rbacs for invite_users and get_project_members API

Signed-off-by: Saranya-jena <[email protected]>

* fixed imports

Signed-off-by: Saranya-jena <[email protected]>

* fixed UTs

Signed-off-by: Saranya-jena <[email protected]>

* fixed imports

Signed-off-by: Saranya-jena <[email protected]>

* fixed UTs

Signed-off-by: Saranya-jena <[email protected]>

* resolved review comments

Signed-off-by: Saranya-jena <[email protected]>

---------

Signed-off-by: Saranya-jena <[email protected]>

chaoscenter/authentication/api/handlers/rest/project_handler.go

@@ -84,14 +84,17 @@ func GetUserWithProject(service services.ApplicationService) gin.HandlerFunc {
 func GetProject(service services.ApplicationService) gin.HandlerFunc {
  return func(c *gin.Context) {
  projectID := c.Param("project_id")
+ userRole := c.MustGet("role").(string)
 
- err := validations.RbacValidator(c.MustGet("uid").(string), projectID,
- validations.MutationRbacRules["getProject"], string(entities.AcceptedInvitation), service)
- if err != nil {
- log.Warn(err)
- c.JSON(utils.ErrorStatusCodes[utils.ErrUnauthorized],
- presenter.CreateErrorResponse(utils.ErrUnauthorized))
- return
+ if userRole != string(entities.RoleAdmin) {
+ err := validations.RbacValidator(c.MustGet("uid").(string), projectID,
+ validations.MutationRbacRules["getProject"], string(entities.AcceptedInvitation), service)
+ if err != nil {
+ log.Warn(err)
+ c.JSON(utils.ErrorStatusCodes[utils.ErrUnauthorized],
+ presenter.CreateErrorResponse(utils.ErrUnauthorized))
+ return
+ }
  }
 
  project, err := service.GetProjectByProjectID(projectID)
@@ -186,6 +189,18 @@ func GetActiveProjectMembers(service services.ApplicationService) gin.HandlerFun
  return func(c *gin.Context) {
  projectID := c.Param("project_id")
  state := c.Param("state")
+ role := c.MustGet("role").(string)
+ if role != string(entities.RoleAdmin) {
+ err := validations.RbacValidator(c.MustGet("uid").(string), projectID,
+ validations.MutationRbacRules["getProject"], string(entities.AcceptedInvitation), service)
+ if err != nil {
+ log.Warn(err)
+ c.JSON(utils.ErrorStatusCodes[utils.ErrUnauthorized],
+ presenter.CreateErrorResponse(utils.ErrUnauthorized))
+ return
+ }
+ }
+
  members, err := service.GetProjectMembers(projectID, state)
  if err != nil {
  c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError))

chaoscenter/authentication/api/handlers/rest/project_handler_test.go

@@ -140,10 +140,11 @@ func TestGetProjectsByUserID(t *testing.T) {
 func TestGetProject(t *testing.T) {
  gin.SetMode(gin.TestMode)
  t.Run("unauthorized request to Project", func(t *testing.T) {
- projectID := "testUserID"
+ projectID := "testProjectID"
  w := httptest.NewRecorder()
  ctx := GetTestGinContext(w)
  ctx.Set("uid", projectID)
+ ctx.Set("role", string(entities.RoleUser))
  service := new(mocks.MockedApplicationService)
  project := &entities.Project{
  ID: "testProjectID",
@@ -166,6 +167,7 @@ func TestGetProject(t *testing.T) {
  w := httptest.NewRecorder()
  ctx := GetTestGinContext(w)
  ctx.Set("uid", projectID)
+ ctx.Set("role", string(entities.RoleAdmin))
  service := new(mocks.MockedApplicationService)
  project := &entities.Project{
  ID: "testProjectID",

chaoscenter/authentication/api/handlers/rest/user_handlers.go

@@ -4,6 +4,8 @@ import (
  "net/http"
  "time"
 
+ "github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/validations"
+
  "github.com/litmuschaos/litmus/chaoscenter/authentication/api/presenter"
  "github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/entities"
  "github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/services"
@@ -219,6 +221,15 @@ func InviteUsers(service services.ApplicationService) gin.HandlerFunc {
  c.JSON(utils.ErrorStatusCodes[utils.ErrInvalidRequest], presenter.CreateErrorResponse(utils.ErrInvalidRequest))
  return
  }
+ err := validations.RbacValidator(c.MustGet("uid").(string), projectID,
+ validations.MutationRbacRules["sendInvitation"], string(entities.AcceptedInvitation), service)
+ if err != nil {
+ log.Warn(err)
+ c.JSON(utils.ErrorStatusCodes[utils.ErrUnauthorized],
+ presenter.CreateErrorResponse(utils.ErrUnauthorized))
+ return
+ }
+
  projectMembers, err := service.GetProjectMembers(projectID, "all")
 
  var uids []string

chaoscenter/authentication/api/handlers/rest/user_handlers_test.go

@@ -13,6 +13,8 @@ import (
  "strings"
  "testing"
 
+ "go.mongodb.org/mongo-driver/bson/primitive"
+
  "github.com/gin-gonic/gin"
  "github.com/litmuschaos/litmus/chaoscenter/authentication/api/handlers/rest"
  "github.com/litmuschaos/litmus/chaoscenter/authentication/api/mocks"
@@ -271,12 +273,62 @@ func TestInviteUsers(t *testing.T) {
  t.Run(tt.name, func(t *testing.T) {
  w := httptest.NewRecorder()
  c, _ := gin.CreateTestContext(w)
+ c.Set("uid", tt.projectID)
  c.Params = gin.Params{
  {"project_id", tt.projectID},
  }
-
+ user := &entities.User{
+ ID: "testUserID",
+ Name: "Test User",
+ }
+ project := &entities.Project{
+ ID: "testProjectID",
+ Name: "Test Project",
+ }
+ projects := []*entities.Project{
+ {
+ ID: "testProjectID",
+ Name: "Test Project",
+ },
+ }
+ expectedFilter := primitive.D{
+ primitive.E{
+ Key: "_id",
+ Value: tt.projectID,
+ },
+ primitive.E{
+ Key: "members",
+ Value: primitive.D{
+ primitive.E{
+ Key: "$elemMatch",
+ Value: primitive.D{
+ primitive.E{
+ Key: "user_id",
+ Value: tt.projectID,
+ },
+ primitive.E{
+ Key: "role",
+ Value: primitive.D{
+ primitive.E{
+ Key: "$in",
+ Value: []string{"Owner"},
+ },
+ },
+ },
+ primitive.E{
+ Key: "invitation",
+ Value: "Accepted",
+ },
+ },
+ },
+ },
+ },
+ }
  tt.given()
 
+ service.On("GetProjectByProjectID", "").Return(project, nil)
+ service.On("GetUser", tt.projectID).Return(user, nil)
+ service.On("GetProjects", expectedFilter).Return(projects, nil)
  rest.InviteUsers(service)(c)
 
  assert.Equal(t, tt.expectedCode, w.Code)

chaoscenter/graphql/server/go.mod

@@ -18,7 +18,6 @@ require (
  github.com/litmuschaos/chaos-operator v0.0.0-20240601063404-e96a7ee7f1f7
  github.com/litmuschaos/chaos-scheduler v0.0.0-20220714173615-d7513d616a71
  github.com/mrz1836/go-sanitize v1.3.2
- github.com/openshift/origin v0.0.0-20160503220234-8f127d736703
  github.com/pkg/errors v0.9.1
  github.com/sirupsen/logrus v1.9.3
  github.com/stretchr/testify v1.9.0

chaoscenter/graphql/server/go.sum

@@ -944,7 +944,6 @@ github.com/opencontainers/selinux v1.3.1-0.20190929122143-5215b1806f52/go.mod h1
 github.com/openebs/maya v1.12.1/go.mod h1:E9CmKbURtsthTyASz0piTxljLmGxjbaJ3aFhtWEko2Y=
 github.com/openshift/api v0.0.0-20190924102528-32369d4db2ad/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY=
 github.com/openshift/client-go v0.0.0-20190923180330-3b6373338c9b/go.mod h1:6rzn+JTr7+WYS2E1TExP4gByoABxMznR6y2SnUIkmxk=
-github.com/openshift/origin v0.0.0-20160503220234-8f127d736703 h1:KLVRXtjLhZHVtrcdnuefaI2Bf182EEiTfEVDHokoyng=
 github.com/openshift/origin v0.0.0-20160503220234-8f127d736703/go.mod h1:0Rox5r9C8aQn6j1oAOQ0c1uC86mYbUFObzjBRvUKHII=
 github.com/openshift/prom-label-proxy v0.1.1-0.20191016113035-b8153a7f39f1/go.mod h1:p5MuxzsYP1JPsNGwtjtcgRHHlGziCJJfztff91nNixw=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=

chaoscenter/graphql/server/server.go

@@ -11,7 +11,6 @@ import (
  "github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/database/mongodb"
  dbSchemaChaosHub "github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/database/mongodb/chaos_hub"
  "github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/projects"
- "github.com/openshift/origin/Godeps/_workspace/src/github.com/Sirupsen/logrus"
 
  "context"
  "fmt"
@@ -122,7 +121,7 @@ func main() {
 
  enableIntrospection, err := strconv.ParseBool(utils.Config.EnableGQLIntrospection)
  if err != nil {
- logrus.Errorf("unable to parse boolean value %v", err)
+ log.Errorf("unable to parse boolean value %v", err)
  } else if err == nil && enableIntrospection == true {
  srv.Use(extension.Introspection{})
  }