gateway: move all the authn/authz logic from api to action

agola-io · alessandro-sorint · Aug 23, 2022 · Dec 15, 2022 · 881081d6ec98ab08902aa89738ff523ddca75d2d
commit 881081d6ec98ab08902aa89738ff523ddca75d2d
diff --git a/internal/services/gateway/action/project.go b/internal/services/gateway/action/project.go
@@ -104,7 +104,7 @@ func (h *ActionHandler) CreateProject(ctx context.Context, req *CreateProjectReq
 		return nil, util.NewAPIError(util.ErrBadRequest, errors.Errorf("project %q already exists", projectPath))
 	}
 
-	gitSource, rs, la, err := h.GetUserGitSource(ctx, req.RemoteSourceName, curUserID)
+	gitSource, rs, la, err := h.GetUserGitSource(ctx, req.RemoteSourceName)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to create gitsource client")
 	}
@@ -225,8 +225,6 @@ func (h *ActionHandler) UpdateProject(ctx context.Context, projectRef string, re
 }
 
 func (h *ActionHandler) ProjectUpdateRepoLinkedAccount(ctx context.Context, projectRef string) (*csapitypes.Project, error) {
-	curUserID := common.CurrentUserID(ctx)
-
 	p, _, err := h.configstoreClient.GetProject(ctx, projectRef)
 	if err != nil {
 		return nil, util.NewAPIError(util.KindFromRemoteError(err), errors.Wrapf(err, "failed to get project %q", projectRef))
@@ -240,7 +238,7 @@ func (h *ActionHandler) ProjectUpdateRepoLinkedAccount(ctx context.Context, proj
 		return nil, util.NewAPIError(util.ErrForbidden, errors.Errorf("user not authorized"))
 	}
 
-	gitsource, _, la, err := h.GetUserGitSource(ctx, p.RemoteSourceID, curUserID)
+	gitsource, _, la, err := h.GetUserGitSource(ctx, p.RemoteSourceID)
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to create gitsource client")
 	}
@@ -420,8 +418,6 @@ func (h *ActionHandler) DeleteProject(ctx context.Context, projectRef string) er
 }
 
 func (h *ActionHandler) ProjectCreateRun(ctx context.Context, projectRef, branch, tag, refName, commitSHA string) error {
-	curUserID := common.CurrentUserID(ctx)
-
 	p, _, err := h.configstoreClient.GetProject(ctx, projectRef)
 	if err != nil {
 		return util.NewAPIError(util.KindFromRemoteError(err), errors.Wrapf(err, "failed to get project %q", projectRef))
@@ -435,7 +431,7 @@ func (h *ActionHandler) ProjectCreateRun(ctx context.Context, projectRef, branch
 		return util.NewAPIError(util.ErrForbidden, errors.Errorf("user not authorized"))
 	}
 
-	gitSource, rs, _, err := h.GetUserGitSource(ctx, p.RemoteSourceID, curUserID)
+	gitSource, rs, _, err := h.GetUserGitSource(ctx, p.RemoteSourceID)
 	if err != nil {
 		return errors.Wrapf(err, "failed to create gitsource client")
 	}
@@ -602,7 +598,7 @@ func (h *ActionHandler) RefreshRemoteRepositoryInfo(ctx context.Context, project
 		return nil, util.NewAPIError(util.ErrForbidden, errors.Errorf("user not authorized"))
 	}
 
-	gitSource, _, _, err := h.GetUserGitSource(ctx, p.RemoteSourceID, common.CurrentUserID(ctx))
+	gitSource, _, _, err := h.GetUserGitSource(ctx, p.RemoteSourceID)
 	if err != nil {
 		return nil, util.NewAPIError(util.KindFromRemoteError(err), errors.Wrapf(err, "failed to get remote source %q", p.RemoteSourceID))
 	}

diff --git a/internal/services/gateway/action/projectgroup.go b/internal/services/gateway/action/projectgroup.go
@@ -19,6 +19,7 @@ import (
 	"path"
 
 	"agola.io/agola/internal/errors"
+	"agola.io/agola/internal/services/gateway/common"
 	"agola.io/agola/internal/util"
 	csapitypes "agola.io/agola/services/configstore/api/types"
 	cstypes "agola.io/agola/services/configstore/types"
@@ -49,13 +50,17 @@ func (h *ActionHandler) GetProjectGroupProjects(ctx context.Context, projectGrou
 }
 
 type CreateProjectGroupRequest struct {
-	CurrentUserID string
-	Name          string
-	ParentRef     string
-	Visibility    cstypes.Visibility
+	Name       string
+	ParentRef  string
+	Visibility cstypes.Visibility
 }
 
 func (h *ActionHandler) CreateProjectGroup(ctx context.Context, req *CreateProjectGroupRequest) (*csapitypes.ProjectGroup, error) {
+	userID := common.CurrentUserID(ctx)
+	if userID == "" {
+		return nil, util.NewAPIError(util.ErrBadRequest, errors.Errorf("user not authenticated"))
+	}
+
 	if !util.ValidateName(req.Name) {
 		return nil, util.NewAPIError(util.ErrBadRequest, errors.Errorf("invalid projectGroup name %q", req.Name))
 	}
@@ -73,9 +78,9 @@ func (h *ActionHandler) CreateProjectGroup(ctx context.Context, req *CreateProje
 		return nil, util.NewAPIError(util.ErrForbidden, errors.Errorf("user not authorized"))
 	}
 
-	user, _, err := h.configstoreClient.GetUser(ctx, req.CurrentUserID)
+	user, _, err := h.configstoreClient.GetUser(ctx, userID)
 	if err != nil {
-		return nil, util.NewAPIError(util.KindFromRemoteError(err), errors.Wrapf(err, "failed to get user %q", req.CurrentUserID))
+		return nil, util.NewAPIError(util.KindFromRemoteError(err), errors.Wrapf(err, "failed to get user %q", userID))
 	}
 
 	parentRef := req.ParentRef

diff --git a/internal/services/gateway/action/user.go b/internal/services/gateway/action/user.go
@@ -57,7 +57,7 @@ func (h *ActionHandler) GetCurrentUser(ctx context.Context, userRef string) (*Pr
 		return nil, errors.Errorf("user not logged in")
 	}
 
-	user, _, err := h.configstoreClient.GetUser(ctx, userRef)
+	user, _, err := h.configstoreClient.GetUser(ctx, common.CurrentUserID(ctx))
 	if err != nil {
 		return nil, util.NewAPIError(util.KindFromRemoteError(err), err)
 	}
@@ -87,12 +87,13 @@ func (h *ActionHandler) GetUser(ctx context.Context, userRef string) (*cstypes.U
 	return user, nil
 }
 
-func (h *ActionHandler) GetUserOrgs(ctx context.Context, userRef string) ([]*csapitypes.UserOrgsResponse, error) {
-	if !common.IsUserLogged(ctx) {
-		return nil, errors.Errorf("user not logged in")
+func (h *ActionHandler) GetUserOrgs(ctx context.Context) ([]*csapitypes.UserOrgsResponse, error) {
+	userID := common.CurrentUserID(ctx)
+	if userID == "" {
+		return nil, errors.Errorf("user not authenticated")
 	}
 
-	orgs, _, err := h.configstoreClient.GetUserOrgs(ctx, userRef)
+	orgs, _, err := h.configstoreClient.GetUserOrgs(ctx, userID)
 	if err != nil {
 		return nil, util.NewAPIError(util.KindFromRemoteError(err), err)
 	}
@@ -1020,15 +1021,20 @@ func (h *ActionHandler) UserCreateRun(ctx context.Context, req *UserCreateRunReq
 	return h.CreateRuns(ctx, creq)
 }
 
-func (h *ActionHandler) GetUserGitSource(ctx context.Context, remoteSourceRef, userRef string) (gitsource.GitSource, *cstypes.RemoteSource, *cstypes.LinkedAccount, error) {
+func (h *ActionHandler) GetUserGitSource(ctx context.Context, remoteSourceRef string) (gitsource.GitSource, *cstypes.RemoteSource, *cstypes.LinkedAccount, error) {
+	userID := common.CurrentUserID(ctx)
+	if userID == "" {
+		return nil, nil, nil, errors.Errorf("user not authenticated")
+	}
+
 	rs, _, err := h.configstoreClient.GetRemoteSource(ctx, remoteSourceRef)
 	if err != nil {
 		return nil, nil, nil, errors.Wrapf(err, "failed to get remote source %q", remoteSourceRef)
 	}
 
-	linkedAccounts, _, err := h.configstoreClient.GetUserLinkedAccounts(ctx, userRef)
+	linkedAccounts, _, err := h.configstoreClient.GetUserLinkedAccounts(ctx, userID)
 	if err != nil {
-		return nil, nil, nil, errors.Wrapf(err, "failed to get user %q linked accounts", userRef)
+		return nil, nil, nil, errors.Wrapf(err, "failed to get user %q linked accounts", userID)
 	}
 
 	var la *cstypes.LinkedAccount

diff --git a/internal/services/gateway/api/projectgroup.go b/internal/services/gateway/api/projectgroup.go
@@ -19,9 +19,7 @@ import (
 	"net/http"
 	"net/url"
 
-	"agola.io/agola/internal/errors"
 	"agola.io/agola/internal/services/gateway/action"
-	"agola.io/agola/internal/services/gateway/common"
 	"agola.io/agola/internal/util"
 	csapitypes "agola.io/agola/services/configstore/api/types"
 	cstypes "agola.io/agola/services/configstore/types"
@@ -50,17 +48,10 @@ func (h *CreateProjectGroupHandler) ServeHTTP(w http.ResponseWriter, r *http.Req
 		return
 	}
 
-	userID := common.CurrentUserID(ctx)
-	if userID == "" {
-		util.HTTPError(w, util.NewAPIError(util.ErrBadRequest, errors.Errorf("user not authenticated")))
-		return
-	}
-
 	creq := &action.CreateProjectGroupRequest{
-		Name:          req.Name,
-		ParentRef:     req.ParentRef,
-		Visibility:    cstypes.Visibility(req.Visibility),
-		CurrentUserID: userID,
+		Name:       req.Name,
+		ParentRef:  req.ParentRef,
+		Visibility: cstypes.Visibility(req.Visibility),
 	}
 
 	projectGroup, err := h.ah.CreateProjectGroup(ctx, creq)

diff --git a/internal/services/gateway/api/remoterepo.go b/internal/services/gateway/api/remoterepo.go
@@ -20,7 +20,6 @@ import (
 	"agola.io/agola/internal/errors"
 	gitsource "agola.io/agola/internal/gitsources"
 	"agola.io/agola/internal/services/gateway/action"
-	"agola.io/agola/internal/services/gateway/common"
 	"agola.io/agola/internal/util"
 	csclient "agola.io/agola/services/configstore/client"
 	gwapitypes "agola.io/agola/services/gateway/api/types"
@@ -53,13 +52,7 @@ func (h *UserRemoteReposHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
 	vars := mux.Vars(r)
 	remoteSourceRef := vars["remotesourceref"]
 
-	userID := common.CurrentUserID(ctx)
-	if userID == "" {
-		util.HTTPError(w, util.NewAPIError(util.ErrBadRequest, errors.Errorf("user not authenticated")))
-		return
-	}
-
-	gitsource, _, _, err := h.ah.GetUserGitSource(ctx, remoteSourceRef, userID)
+	gitsource, _, _, err := h.ah.GetUserGitSource(ctx, remoteSourceRef)
 	if err != nil {
 		util.HTTPError(w, err)
 		h.log.Err(err).Send()

diff --git a/internal/services/gateway/api/user.go b/internal/services/gateway/api/user.go
@@ -632,13 +632,7 @@ func NewUserOrgsHandler(log zerolog.Logger, ah *action.ActionHandler) *UserOrgsH
 func (h *UserOrgsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	userID := common.CurrentUserID(ctx)
-	if userID == "" {
-		util.HTTPError(w, util.NewAPIError(util.ErrBadRequest, errors.Errorf("user not authenticated")))
-		return
-	}
-
-	userOrgs, err := h.ah.GetUserOrgs(ctx, userID)
+	userOrgs, err := h.ah.GetUserOrgs(ctx)
 	if util.HTTPError(w, err) {
 		h.log.Err(err).Send()
 		return