From 8001bee241ef7759ea5b3d606f310cdb826cffa4 Mon Sep 17 00:00:00 2001
From: Abdul Azeez
Date: Mon, 10 Jan 2022 12:47:31 +0530
Subject: [PATCH] Abdul/infra editor actions (#6508)

* editor actions added
Signed-off-by: Abdul-Az
* infra_editor test cases
Signed-off-by: Abdul-Az
* test cases fix
Signed-off-by: Abdul-Az
* infra editor actions update
Signed-off-by: Abdul-Az
* editor role fix
Signed-off-by: Abdul-Az
* test cases fix
Signed-off-by: Abdul-Az
---
 .../sql/79_infra_editor_update.up.sql | 12 ++-
 components/authz-service/storage/storage.go | 6 +-
 .../api/iam/infra_editor_actions.spec.ts | 74 +++++++++++++++++--
 3 files changed, 82 insertions(+), 10 deletions(-)

diff --git a/components/authz-service/storage/postgres/migration/sql/79_infra_editor_update.up.sql b/components/authz-service/storage/postgres/migration/sql/79_infra_editor_update.up.sql
index 191d8233a80..480bc2afc57 100644
--- a/components/authz-service/storage/postgres/migration/sql/79_infra_editor_update.up.sql
+++ b/components/authz-service/storage/postgres/migration/sql/79_infra_editor_update.up.sql
@@ -5,8 +5,16 @@ UPDATE iam_roles
 actions = '{
 infra:*:list,
 infra:*:get,
- infra:*:create,
- infra:*:update,
+ infra:infraServersOrgsRoles:create,
+ infra:infraServersOrgsRoles:update,
+ infra:infraServersOrgsClient:create,
+ infra:infraServersOrgsClient:update,
+ infra:infraServersOrgsDataBags:create,
+ infra:infraServersOrgsDataBagsItem:create,
+ infra:infraServersOrgsDataBagsItem:update,
+ infra:infraServersOrgsEnvironments:create,
+ infra:infraServersOrgsEnvironments:update,
+ infra:infraServersOrgsNodes:update,
 compliance:*,
 event:*,
 ingest:*,
diff --git a/components/authz-service/storage/storage.go b/components/authz-service/storage/storage.go
index a05cc85235a..d759b9cf832 100644
--- a/components/authz-service/storage/storage.go
+++ b/components/authz-service/storage/storage.go
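Review bot: The narrowed action list is written into the already-existing migration file 79_infra_editor_update.up.sql instead of a new migration, so any deployment that has already applied migration 79 keeps the broader `infra:*:create` and `infra:*:update` grants on the editor role if the migration runner skips applied numbers, as most do — the privilege reduction would then reach only fresh installs. If 79 has shipped, the same UPDATE belongs in a new numbered migration (placeholder: `80_infra_editor_update.up.sql`) rather than an edit of 79. Either way the list is now hand-maintained in three files, so a comment at the top of this statement such as `-- keep in sync with the editor role in storage.go and infra_editor_actions.spec.ts` would help the next change. The UPDATE statement begins before this hunk.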
@@ -92,7 +92,7 @@ func DefaultPolicies() ([]Policy, error) {
 return nil, err
 }
- // editor policy statements
+ // editor allow policy statements
 s3, err := NewStatement(Allow, constants.EditorRoleID, []string{}, []string{"*"}, []string{})
 if err != nil {
 return nil, err
@@ -110,6 +110,10 @@ func DefaultPolicies() ([]Policy, error) {
 return nil, err
 }
+ if err != nil {
+ return nil, err
+ }
+
 typeManaged, err := NewType("chef-managed")
 if err != nil {
 return nil, err
diff --git a/e2e/cypress/integration/api/iam/infra_editor_actions.spec.ts b/e2e/cypress/integration/api/iam/infra_editor_actions.spec.ts
index eff34f1e505..5a14d806523 100644
--- a/e2e/cypress/integration/api/iam/infra_editor_actions.spec.ts
+++ b/e2e/cypress/integration/api/iam/infra_editor_actions.spec.ts
@@ -20,8 +20,16 @@ describe('Infra Editor Policy', () => {
 actions: [
 'infra:*:list',
 'infra:*:get',
- 'infra:*:create',
- 'infra:*:update',
+ 'infra:infraServersOrgsRoles:create',
+ 'infra:infraServersOrgsRoles:update',
+ 'infra:infraServersOrgsClient:create',
+ 'infra:infraServersOrgsClient:update',
+ 'infra:infraServersOrgsDataBags:create',
+ 'infra:infraServersOrgsDataBagsItem:create',
+ 'infra:infraServersOrgsDataBagsItem:update',
+ 'infra:infraServersOrgsEnvironments:create',
+ 'infra:infraServersOrgsEnvironments:update',
+ 'infra:infraServersOrgsNodes:update',
 'compliance:*',
 'event:*',
 'ingest:*',
@@ -32,7 +40,8 @@ describe('Infra Editor Policy', () => {
 'applications:*'
 ],
 projects: ['*']
- }]
+ }
+ ]
 };
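Review bot: The `if err != nil { return nil, err }` block added at @@ -110 re-tests an `err` that the two context lines directly above it appear to have just handled with the same return, and nothing assigns `err` in between, so the new check is dead code; it looks like the remnant of a statement that was removed in a later revision of this branch. Drop the four added lines (the trailing blank one too) so the function keeps one check per call, or, if a further editor-role statement was meant to precede this check, that statement is missing from the hunk. The function DefaultPolicies starts and ends outside both hunks.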
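Review bot: The same ten-entry actions list is now hand-copied into both policy fixtures in this spec (this hunk at @@ -20 and the one at @@ -47), in addition to the SQL migration, so the next role change must be edited in three places and the two fixtures can silently diverge from the role they are meant to pin. A single module-level `const infraEditorActions = [...]` declared once in the spec and spread into both `actions:` arrays would keep the fixtures identical by construction. The enclosing `describe` and the object literals these arrays belong to start outside the hunk.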
@@ -47,8 +56,16 @@ describe('Infra Editor Policy', () => {
 actions: [
 'infra:*:list',
 'infra:*:get',
- 'infra:*:create',
- 'infra:*:update',
+ 'infra:infraServersOrgsRoles:create',
+ 'infra:infraServersOrgsRoles:update',
+ 'infra:infraServersOrgsClient:create',
+ 'infra:infraServersOrgsClient:update',
+ 'infra:infraServersOrgsDataBags:create',
+ 'infra:infraServersOrgsDataBagsItem:create',
+ 'infra:infraServersOrgsDataBagsItem:update',
+ 'infra:infraServersOrgsEnvironments:create',
+ 'infra:infraServersOrgsEnvironments:update',
+ 'infra:infraServersOrgsNodes:update',
 'compliance:*',
 'event:*',
 'ingest:*',
@@ -59,7 +76,8 @@ describe('Infra Editor Policy', () => {
 'applications:*'
 ],
 projects: ['*']
- }]
+ }
+ ]
 };
 before(() => {
@@ -180,4 +198,46 @@ describe('Infra Editor Policy', () => {
 assert.equal(resp.status, 403);
 });
 });
-});
\ No newline at end of file
+
+ it('create infra server post returns 403 when infraServers create actions is denied', () => {
+ cy.request({
+ headers: { 'api-token': withInfraEditorActionToken },
+ method: 'POST',
+ url: '/api/v0/infra/servers',
+ body: {
+ fqdn: 'a2-dev.test',
+ id: `${cypressPrefix}-test-${Cypress.moment().format('MMDDYYhhmm')}`,
+ ip_address: '127.0.0.1',
+ name: 'test4'
+ },
+ failOnStatusCode: false
+ }).then((resp) => {
+ assert.equal(resp.status, 403);
+ });
+ });
+
+ it('infra server orgs post returns 403 when infraServers orgs create actions is denied', () => {
+ const serverID = `chef-server-dev-test-${Cypress.moment().format('MMDDYYhhmm')}`;
+ const orgID = `chef-org-dev-${Cypress.moment().format('MMDDYYhhmm')}`;
+ const orgName = '4thcoffee';
+ const adminUser = 'chefadmin';
+ // using dummy admin key value for creating the org
+ const adminKey = 'Dummy--admin--key';
+ cy.request({
+ headers: { 'api-token': withInfraEditorActionToken, 'content-type': 'application/json+lax' },
+ method: 'POST',
+ body: {
+ id: `${orgID}-test-1`,
+ server_id: serverID,
+ name: orgName,
+ admin_user: adminUser,
+ admin_key: adminKey
+ },
+ failOnStatusCode: false,
+ url: `/api/v0/infra/servers/${serverID}/orgs`
+ }).then((resp) => {
+ assert.equal(resp.status, 403);
+ });
+ })
+});
\ No newline at end of file
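Review bot: The second new `it` block closes with `})` while the first closes with `});`, so the last test relies on automatic semicolon insertion and is inconsistent with the rest of the file; change that line to `  });`. `Cypress.moment()`, used to build the timestamp ids in both tests, has been deprecated since Cypress 6, so a plain `Date`-based suffix would be more durable, though this repo's Cypress version cannot be seen from here. The org test posts to a `serverID` that is never created, which is fine for a denial assertion but deserves a one-line comment such as `// the server need not exist: a 403 is expected regardless of lookup` if the API indeed authorizes before resolving the server — TODO confirm. The enclosing `describe` starts outside the hunk.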