
Merge pull request #1001 from spotify/guard-check-role
Guard checkRole
honnix authored Aug 5, 2022
2 parents 7149885 + 095fe2e commit f9cf238
Showing 2 changed files with 38 additions and 2 deletions.
Expand Up @@ -224,8 +224,7 @@ public ServiceAccountUsageAuthorizationResult checkServiceAccountUsageAuthorizat
final Supplier<String> projectIdSupplier = Suppliers.memoize(() -> serviceAccountProjectId(serviceAccount));

return checkIsPrincipalBlacklisted(principalEmail)
.or(() -> checkRole(serviceAccount, principalEmail, projectIdSupplier))
.or(() -> checkIsPrincipalAdmin(principalEmail))
.or(() -> checkRoleOrIsPrincipalAdmin(serviceAccount, principalEmail, projectIdSupplier))
.orElseGet(() -> deny(serviceAccount, principalEmail, projectIdSupplier));
}

Expand All @@ -238,6 +237,31 @@ private Optional<ServiceAccountUsageAuthorizationResult> checkIsPrincipalBlackli
.build());
}

private Optional<ServiceAccountUsageAuthorizationResult> checkRoleOrIsPrincipalAdmin(String serviceAccount,
String principalEmail,
Supplier<String> projectIdSupplier) {

Optional<ServiceAccountUsageAuthorizationResult> result = Optional.empty();
RuntimeException checkRoleException = null;

try {
result = checkRole(serviceAccount, principalEmail, projectIdSupplier);
} catch (RuntimeException e) {
checkRoleException = e;
}

if (result.isPresent()) {
return result;
}

result = checkIsPrincipalAdmin(principalEmail);

if (result.isEmpty() && checkRoleException != null) {
throw checkRoleException;
}
return result;
}

private Optional<ServiceAccountUsageAuthorizationResult> checkIsPrincipalAdmin(
String principalEmail) {
return memberStatus(principalEmail, administrators)
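Review bot: When `checkIsPrincipalAdmin` authorizes the principal, the exception captured at `catch (RuntimeException e)` is dropped without any record, so a persistent failure of the project-role lookup (such as the Directory API error the accompanying test simulates) stays invisible for as long as the callers happen to be Styx admins. I would log it before returning the admin result, e.g. `LOG.warn("checkRole failed for {} on {}; authorizing via admin membership instead", principalEmail, serviceAccount, checkRoleException);` — assuming the class has an SLF4J-style logger, which this hunk does not show. Two smaller points: if `checkIsPrincipalAdmin` itself throws, the `checkRole` exception is lost entirely, which attaching it via `addSuppressed` on the admin-check exception would preserve; and catching `RuntimeException` also hides programming errors such as a `NullPointerException` inside `checkRole`, so narrowing the catch to the API-client exception type that lookup is expected to raise would keep genuine bugs loud. The fail-closed property is preserved, since when neither check authorizes the original exception is rethrown rather than falling through to `deny`, which is the right default.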
Expand Up @@ -357,6 +357,18 @@ public void shouldAuthorizeIfPrincipalIsAdminViaGroup(String serviceAccount) thr
assertCachedSuccess(() -> sut.authorizeServiceAccountUsage(WORKFLOW_ID, serviceAccount, idToken));
}

@Parameters({SERVICE_ACCOUNT, MANAGED_SERVICE_ACCOUNT})
@Test
public void shouldAuthorizeIfPrincipalIsAdminViaGroupEvenCheckRoleFails(String serviceAccount) throws IOException {
final Throwable cause = googleJsonResponseException(418);
var errorRequest = mock(Directory.Members.HasMember.class);
doThrow(cause).when(errorRequest).execute();
doReturn(errorRequest).when(members).hasMember(PROJECT_ADMINS_GROUP_EMAIL, PRINCIPAL_EMAIL);
doReturn(isMember).when(members).hasMember(STYX_ADMINS_GROUP_EMAIL, PRINCIPAL_EMAIL);
assertCachedSuccess(() -> sut.authorizeServiceAccountUsage(WORKFLOW_ID, serviceAccount, idToken));
}


@Parameters({SERVICE_ACCOUNT, MANAGED_SERVICE_ACCOUNT})
@Test
public void shouldAuthorizeIfPrincipalHasUserRoleOnProjectViaGroup(String serviceAccount) throws IOException {
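Review bot: The new test `shouldAuthorizeIfPrincipalIsAdminViaGroupEvenCheckRoleFails` only exercises the rescue path; nothing pins the fail-closed branch of `checkRoleOrIsPrincipalAdmin`, where the `checkRole` failure must be rethrown when the principal is not an admin — that is the security-relevant guarantee of the change and the one most likely to regress silently. I would add a sibling test that keeps the `doReturn(errorRequest).when(members).hasMember(PROJECT_ADMINS_GROUP_EMAIL, PRINCIPAL_EMAIL);` stub, stubs the `STYX_ADMINS_GROUP_EMAIL` membership lookup to a non-member result, and asserts that `authorizeServiceAccountUsage` surfaces the simulated 418 rather than returning either success or a cached denial; the class's assertion helper for failed authorizations is outside this hunk, so I cannot name the exact call. The test name also reads better as `shouldAuthorizeIfPrincipalIsAdminViaGroupEvenIfCheckRoleFails`, and the double blank line after it can be collapsed to one.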
