disable fetching configuration unless you have rbac for it

michaeljguarino · michaeljguarino · commit c0578ba2905a · 2022-12-09T19:38:08.000-05:00
diff --git a/assets/src/components/Configuration.js b/assets/src/components/Configuration.js
@@ -2,7 +2,7 @@ import React, { useCallback, useContext, useEffect, useMemo, useState } from 're
 import { useHistory, useParams } from 'react-router-dom'
 import { useMutation, useQuery } from 'react-apollo'
 
-import { Button } from 'forge-core'
+import { Button, GqlError } from 'forge-core'
 
 import { Box, Text } from 'grommet'
 
@@ -366,9 +366,9 @@ export default function Configuration() {
   const { repo } = useParams()
   const { setBreadcrumbs } = useContext(BreadcrumbsContext)
   const { setOnChange } = useContext(InstallationContext)
-  const { data } = useQuery(APPLICATION_Q, {
+  const { data, error } = useQuery(APPLICATION_Q, {
     variables: { name: repo },
-    fetchPolicy: 'cache-and-network',
+    fetchPolicy: 'network-only',
   })
   const onCompleted = useCallback(() => {
     history.push('/') 
@@ -396,8 +396,19 @@ export default function Configuration() {
     )
   }
 
+  if (error) {
+    return (
+      <Box fill>
+        <GqlError 
+          error={error} 
+          header="Cannot access configuration for this app"
+        />
+      </Box>
+    )
+  }
+
   return (
-    <EditConfiguration 
+    <EditConfiguration
       application={data.application} 
       overlays={data.configurationOverlays.map(({ metadata, ...rest }) => {
         const labels = metadata.labels.reduce((acc, { name, value }) => ({ ...acc, [name]: value }), {})
diff --git a/lib/console.ex b/lib/console.ex
@@ -5,6 +5,15 @@ defmodule Console do
 
   def demo_project?(), do: conf(:is_demo_project, false)
 
+  def deep_get(map, keys, def \\ nil)
+  def deep_get(map, [key], def), do: Map.get(map, key, def)
+  def deep_get(map, [key | keys], def) do
+    case Map.fetch(map, key) do
+      {:ok, %{} = val} -> deep_get(val, keys, def)
+      _ -> def
+    end
+  end
+
   def rand_str(size \\ 32) do
     :crypto.strong_rand_bytes(size)
     |> Base.url_encode64()
diff --git a/lib/console/graphql/kubernetes/application.ex b/lib/console/graphql/kubernetes/application.ex
@@ -1,5 +1,6 @@
 defmodule Console.GraphQl.Kubernetes.Application do
   use Console.GraphQl.Schema.Base
+  alias Console.Middleware.{Rbac}
   alias Console.GraphQl.Resolvers.{Plural, Kubecost, License}
 
   object :application do
@@ -25,7 +26,10 @@ defmodule Console.GraphQl.Kubernetes.Application do
         end)
     end
 
-    field :configuration, :configuration, resolve: &Plural.resolve_configuration/3
+    field :configuration, :configuration do
+      middleware Rbac, perm: :configure, field: [:metadata, :name]
+      resolve &Plural.resolve_configuration/3
+    end
   end
 
   object :cost_analysis do
diff --git a/lib/console/graphql/middleware/rbac.ex b/lib/console/graphql/middleware/rbac.ex
@@ -7,17 +7,18 @@ defmodule Console.Middleware.Rbac do
   @dummy "!!invalid!!"
 
   def call(%{context: %{current_user: %User{roles: %{admin: true}}}} = res, _), do: res
-  def call(%{arguments: args, context: %{current_user: %User{} = user}} = res, opts) do
+  def call(%{context: %{current_user: %User{} = user}} = res, opts) do
     perm = Keyword.get(opts, :perm)
-    arg  = Keyword.get(opts, :arg)
-    repo = arg_fetch(args, arg)
+    repo = fetch(res, Map.new(opts))
 
     case Rbac.validate(user, repo, perm) do
       true -> res
       _ -> put_result(res, {:error, "forbidden"})
     end
   end
 
-  defp arg_fetch(%{} = args, arg) when is_atom(arg), do: Map.get(args, arg, @dummy)
-  defp arg_fetch(%{} = args, [_ | _] = path), do: get_in(args, path) || @dummy
+  defp fetch(%{source: %{} = source}, %{field: arg}) when is_atom(arg), do: Map.get(source, arg, @dummy)
+  defp fetch(%{source: %{} = source}, %{field: [_ | _] = path}), do: Console.deep_get(source, path, @dummy)
+  defp fetch(%{arguments: %{} = args}, %{arg: arg}) when is_atom(arg), do: Map.get(args, arg, @dummy)
+  defp fetch(%{arguments: %{} = args}, %{arg: [_ | _] = path}), do: get_in(args, path) || @dummy
 end
diff --git a/test/console/graphql/queries/plural_queries_test.exs b/test/console/graphql/queries/plural_queries_test.exs
@@ -294,6 +294,74 @@ defmodule Console.GraphQl.PluralQueriesTest do
       assert app["name"] == "app"
       assert app["spec"]["descriptor"]["type"] == "app"
     end
+
+    test "admins can sideload configuration by name" do
+      user = insert(:user, roles: %{admin: true})
+      expect(Kazan, :run, fn _ -> {:ok, application("app")} end)
+      expect(Console.Deployer, :file, 2, fn _ -> {:ok, "found"} end)
+
+      {:ok, %{data: %{"application" => app}}} = run_query("""
+        query App($name: String!) {
+          application(name: $name) {
+            name
+            spec { descriptor { type } }
+            configuration {
+              terraform
+              helm
+            }
+          }
+        }
+      """, %{"name" => "app"}, %{current_user: user})
+
+      assert app["name"] == "app"
+      assert app["spec"]["descriptor"]["type"] == "app"
+      assert app["configuration"]["helm"] == "found"
+      assert app["configuration"]["terraform"] == "found"
+    end
+
+    test "users w/ rbac can sideload configuration by name" do
+      user = insert(:user)
+      setup_rbac(user, ["app"], configure: true)
+      expect(Kazan, :run, fn _ -> {:ok, application("app")} end)
+      expect(Console.Deployer, :file, 2, fn _ -> {:ok, "found"} end)
+
+      {:ok, %{data: %{"application" => app}}} = run_query("""
+        query App($name: String!) {
+          application(name: $name) {
+            name
+            spec { descriptor { type } }
+            configuration {
+              terraform
+              helm
+            }
+          }
+        }
+      """, %{"name" => "app"}, %{current_user: user})
+
+      assert app["name"] == "app"
+      assert app["spec"]["descriptor"]["type"] == "app"
+      assert app["configuration"]["helm"] == "found"
+      assert app["configuration"]["terraform"] == "found"
+    end
+
+    test "users w/o rbac cannot sideload configuration by name" do
+      user = insert(:user)
+      setup_rbac(user, ["other-app"], configure: true)
+      expect(Kazan, :run, fn _ -> {:ok, application("app")} end)
+
+      {:ok, %{errors: [_ | _]}} = run_query("""
+        query App($name: String!) {
+          application(name: $name) {
+            name
+            spec { descriptor { type } }
+            configuration {
+              terraform
+              helm
+            }
+          }
+        }
+      """, %{"name" => "app"}, %{current_user: user})
+    end
   end
 
   defp as_connection(nodes) do
diff --git a/test/support/factory.ex b/test/support/factory.ex
@@ -133,4 +133,9 @@ defmodule Console.Factory do
       heartbeat: Timex.now()
     }
   end
+
+  def setup_rbac(user, repos \\ ["*"], perms) do
+    role = insert(:role, repositories: repos, permissions: Map.new(perms))
+    insert(:role_binding, role: role, user: user)
+  end
 end
diff --git a/test/test_helper.exs b/test/test_helper.exs
@@ -14,6 +14,7 @@ Mimic.copy(HTTPoison)
 Mimic.copy(Kazan.Watcher)
 Mimic.copy(Console.Kubernetes.PodExec)
 Mimic.copy(Kazan.Server)
+Mimic.copy(File)
 
 ExUnit.start()
 Ecto.Adapters.SQL.Sandbox.mode(Console.Repo, :manual)
