Commit 415efdcf authored by Diego Molteni's avatar Diego Molteni

fixed data group

parent 79a6d3d4
......@@ -62,9 +62,9 @@ export class AuthGroups {
for (const member of members) {
// DE allows to rm all so we may want to follow. For now exclude the requestor
if (member.email !== userEmail) {
await DESEntitlement.removeUserFromGroup(userToken, group, dataPartition, member.email,
appkey);
if (member.email !== userEmail && !member.email.startsWith('users.data.root')) {
await DESEntitlement.removeUserFromGroup(
userToken, group, dataPartition, member.email,appkey);
}
}
......
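Review bot: The new guard `!member.email.startsWith('users.data.root')` exempts every member whose email merely begins with that string, so clearGroup now skips principals on a prefix match rather than on an exact identity; if the intent is to keep one well-known root data user, compare the full principal instead, e.g. `if (member.email !== userEmail && member.email !== DATA_ROOT_USER_EMAIL) {` with the value held in a named constant beside the other group-naming constants rather than inline in the loop (a placeholder name here, to be confirmed against the project). The comment above the check, `// DE allows to rm all so we may want to follow. For now exclude the requestor`, no longer describes the condition; suggest `// Skip the requestor and the protected data-root member(s); DE itself would allow removing everyone.`. The enclosing method starts before the hunk.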
......@@ -18,8 +18,6 @@ import { v4 as uuidv4 } from 'uuid';
import { Config } from '../../cloud';
import { TenantGroups } from '../tenant';
export class SubprojectGroups {
public static groupPrefix(tenantName: string, subprojectName: string): string {
......@@ -59,4 +57,12 @@ export class SubprojectGroups {
return Config.DATAGROUPS_PREFIX + '.' + tenant + '.' + subproject + '.' + uuidv4() + '.viewer' + '@' + esd;
}
public static serviceGroupNameRegExp(tenant: string, subproject: string): RegExp {
return new RegExp(SubprojectGroups.groupPrefix(tenant, subproject));
}
public static dataGroupNameRegExp(tenant: string, subproject: string): RegExp {
return new RegExp(Config.DATAGROUPS_PREFIX + '.' + tenant + '.' + subproject);
}
}
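Review bot: `dataGroupNameRegExp` builds an unescaped, unanchored pattern from `Config.DATAGROUPS_PREFIX`, `tenant` and `subproject`, so each `.` matches any character and a subproject named `proj` also matches groups of `proj2` or `proj-old`; since the callers use this regex to select groups to clear on delete and to grant OWNER on, an over-broad match reaches another subproject's groups. Escape the metacharacters and anchor at the start, ending with the separator that precedes the uuid in the names built above: `const literal = Config.DATAGROUPS_PREFIX + '.' + tenant + '.' + subproject + '.';` followed by `return new RegExp('^' + literal.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));`. `serviceGroupNameRegExp` needs the same escaping of `groupPrefix`'s result; whether a trailing separator is also needed there depends on `groupPrefix`'s body, which is outside the hunk. A short TSDoc line on each method stating that the regex matches the full group name prefix up to the uuid would make the contract explicit.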
......@@ -239,8 +239,6 @@ export class SubProjectHandler {
// delete the subproject
private static async delete(req: expRequest, tenant: TenantModel) {
// init journalClient client
const journalClient = JournalFactoryTenantClient.get(tenant);
......@@ -270,14 +268,23 @@ export class SubProjectHandler {
storage.deleteFiles(subproject.gcs_bucket),
]);
const serviceGroupRegex = SubprojectGroups.serviceGroupNameRegExp(tenant.name, subproject.name);
const subprojectServiceGroups = subproject.acls.admins.filter((group) => group.match(serviceGroupRegex))
const dataGroupRegex = SubprojectGroups.dataGroupNameRegExp(tenant.name, subproject.name);
const adminSubprojectDataGroups = subproject.acls.admins.filter((group) => group.match(dataGroupRegex))
const viewerSuprojectDataGroups = subproject.acls.viewers.filter(group => group.match(dataGroupRegex))
const subprojectDataGroups = adminSubprojectDataGroups.concat(viewerSuprojectDataGroups)
if (FeatureFlags.isEnabled(Feature.AUTHORIZATION)) {
// clear by removing all MEMBER users the 3 subproject groups
await AuthGroups.clearGroup(req.headers.authorization, SubprojectGroups.serviceAdminGroup(tenant.name,
subproject.name, tenant.esd), tenant.esd, req[Config.DE_FORWARD_APPKEY]);
await AuthGroups.clearGroup(req.headers.authorization, SubprojectGroups.serviceEditorGroup(tenant.name,
subproject.name, tenant.esd), tenant.esd, req[Config.DE_FORWARD_APPKEY]);
await AuthGroups.clearGroup(req.headers.authorization, SubprojectGroups.serviceViewerGroup(tenant.name,
subproject.name, tenant.esd), tenant.esd, req[Config.DE_FORWARD_APPKEY]);
for(const group of subprojectServiceGroups) {
await AuthGroups.clearGroup(
req.headers.authorization, group, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
}
for(const group of subprojectDataGroups) {
await AuthGroups.clearGroup(
req.headers.authorization, group, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
}
}
// delete the bucket resource (to perform after files deletions)
......
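Review bot: `subprojectDataGroups` is the plain concatenation of the admin and viewer matches, so a group listed in both `acls.admins` and `acls.viewers` (whether that can happen is not visible here) would be cleared twice in the second loop; `const subprojectDataGroups = [...new Set(adminSubprojectDataGroups.concat(viewerSuprojectDataGroups))];` removes the duplicate calls. On style, `viewerSuprojectDataGroups` misspells "Subproject", the four new declarations above the `if (FeatureFlags...)` drop the terminating semicolons the rest of the method uses, and `group.match(dataGroupRegex)` yields `RegExpMatchArray | null` where the boolean `dataGroupRegex.test(group)` reads more naturally inside a filter. The enclosing delete method starts before the hunk.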
......@@ -74,11 +74,6 @@ export class UserHandler {
if (sdPath.subproject) {
const serviceGroupRegex = new RegExp('service.seistore.' + Config.SERVICE_ENV
+ '.' + sdPath.tenant + '.' + sdPath.subproject)
const dataGroupRegex = new RegExp(Config.DATAGROUPS_PREFIX + '.' + sdPath.tenant + '.' + sdPath.subproject)
const journalClient = JournalFactoryTenantClient.get(tenant);
const spkey = journalClient.createKey({
namespace: Config.SEISMIC_STORE_NS + '-' + tenant.name,
......@@ -87,57 +82,53 @@ export class UserHandler {
const subproject = await SubProjectDAO.get(journalClient, tenant.name, sdPath.subproject, spkey);
const serviceGroupRegex = SubprojectGroups.serviceGroupNameRegExp(tenant.name, subproject.name);
const subprojectServiceGroups = subproject.acls.admins.filter((group) => group.match(serviceGroupRegex))
const dataGroupRegex = SubprojectGroups.dataGroupNameRegExp(tenant.name, subproject.name);
const adminSubprojectDataGroups = subproject.acls.admins.filter((group) => group.match(dataGroupRegex))
const viewerSuprojectDataGroups = subproject.acls.viewers.filter(group => group.match(dataGroupRegex))
const subprojectDataGroups = adminSubprojectDataGroups.concat(viewerSuprojectDataGroups)
if (subprojectServiceGroups.length > 0) {
if (userGroupRole === AuthRoles.admin) {
// First rm the user from the groups since the user can be exclus Owner or Member
await this.doNotThrowIfNotMember(
AuthGroups.removeUserFromGroup(req.headers.authorization, SubprojectGroups.serviceAdminGroup(
tenant.name, sdPath.subproject, tenant.esd), userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]));
await this.doNotThrowIfNotMember(
AuthGroups.removeUserFromGroup(req.headers.authorization, SubprojectGroups.serviceEditorGroup(
tenant.name, sdPath.subproject, tenant.esd), userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]));
await this.doNotThrowIfNotMember(
AuthGroups.removeUserFromGroup(req.headers.authorization, SubprojectGroups.serviceViewerGroup(
tenant.name, sdPath.subproject, tenant.esd), userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]));
await AuthGroups.addUserToGroup(req.headers.authorization,
SubprojectGroups.serviceAdminGroup(tenant.name,
sdPath.subproject, tenant.esd), userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY], 'OWNER');
await AuthGroups.addUserToGroup(req.headers.authorization,
SubprojectGroups.serviceEditorGroup(tenant.name,
sdPath.subproject, tenant.esd), userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY], 'OWNER');
await AuthGroups.addUserToGroup(req.headers.authorization,
SubprojectGroups.serviceViewerGroup(tenant.name,
sdPath.subproject, tenant.esd), userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY], 'OWNER');
// rm the user from the groups since the user can be OWNER or Member
for(const group of subprojectServiceGroups) {
await this.doNotThrowIfNotMember(
AuthGroups.removeUserFromGroup(
req.headers.authorization, group, userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]));
}
// add the user as OWNER for all service groups
for(const group of subprojectServiceGroups) {
await AuthGroups.addUserToGroup(
req.headers.authorization, group, userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY], 'OWNER');
}
} else if (userGroupRole === AuthRoles.editor) {
await AuthGroups.addUserToGroup(
req.headers.authorization,
SubprojectGroups.serviceEditorGroup(tenant.name, sdPath.subproject, tenant.esd),
userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
// add the user as member for all editor service groups
for(const group of subprojectServiceGroups) {
if(group.indexOf('.editor@') !== -1) {
await AuthGroups.addUserToGroup(
req.headers.authorization, group,
userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
}
}
} else if (userGroupRole === AuthRoles.viewer) {
await AuthGroups.addUserToGroup(
req.headers.authorization,
SubprojectGroups.serviceViewerGroup(tenant.name, sdPath.subproject, tenant.esd),
userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
// add the user as member for all viewer service groups
for(const group of subprojectServiceGroups) {
if(group.indexOf('.viewer@') !== -1) {
await AuthGroups.addUserToGroup(
req.headers.authorization, group,
userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
}
}
} else { throw (Error.make(Error.Status.UNKNOWN, 'Internal Server Error')); }
......@@ -145,18 +136,56 @@ export class UserHandler {
if (subprojectDataGroups.length > 0) {
if (userGroupRole !== AuthRoles.viewer) {
// rm the user from the groups since the user can be OWNER or Member
for(const datagroup of subprojectDataGroups) {
await this.doNotThrowIfNotMember(
AuthGroups.removeUserFromGroup(
req.headers.authorization, datagroup, userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]));
}
// add the user as OWNER for all service groups
for(const datagroup of subprojectDataGroups) {
await AuthGroups.addUserToGroup(
req.headers.authorization, datagroup, userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY], 'OWNER');
}
} else {
// add user to viewer group
for(const datagroup of subprojectDataGroups) {
if(datagroup.indexOf('.viewer@') !== -1) {
await AuthGroups.addUserToGroup(
req.headers.authorization, datagroup, userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]);
}
}
}
for (const datagroup of subprojectDataGroups) {
await this.doNotThrowIfNotMember(
AuthGroups.removeUserFromGroup(req.headers.authorization, datagroup, userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]));
if (userGroupRole === AuthRoles.admin || userGroupRole === AuthRoles.editor) {
if (userGroupRole !== AuthRoles.viewer) {
// First rm the user from the groups since the user can be exclus Owner or Member
await this.doNotThrowIfNotMember(
AuthGroups.removeUserFromGroup(
req.headers.authorization, datagroup, userEmail,
tenant.esd, req[Config.DE_FORWARD_APPKEY]));
// add user as owner of the
await AuthGroups.addUserToGroup(req.headers.authorization,
datagroup, userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY], 'OWNER');
} else {
await AuthGroups.addUserToGroup(req.headers.authorization,
if(datagroup.indexOf('.viewer@') !== -1) {
await AuthGroups.addUserToGroup(req.headers.authorization,
datagroup, userEmail, tenant.esd, req[Config.DE_FORWARD_APPKEY]);
}
}
......
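Review bot: In the new data-group block the viewer branch (`} else { // add user to viewer group ...`) adds the user to the `.viewer@` groups without first removing the user from the other data groups, whereas the removal via `doNotThrowIfNotMember(AuthGroups.removeUserFromGroup(...))` ran for every data group before the role branch in the code being replaced, and in the new code it runs only inside the `userGroupRole !== AuthRoles.viewer` branch; if I read the sides of this last hunk correctly (its tail appears interleaved or truncated), a user whose role changes from admin or editor to viewer keeps OWNER membership on the non-viewer data groups. Suggest hoisting the removal `for(const datagroup of subprojectDataGroups)` loop above the `if (userGroupRole !== AuthRoles.viewer)` branch so every role path starts from a clean membership, and adding a comment such as `// reset data-group membership for every role before re-adding with the new role`. The comment `// add the user as OWNER for all service groups` in this block should read "data groups". The enclosing method starts before the first hunk of this file and the last hunk's closing braces fall outside the shown lines.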