Skip to content

Commit

Permalink
Refactor env permissions + modify getTrustAccount (#1712)
Browse files Browse the repository at this point in the history 
### Feature or Bugfix
- Refactoring
- Feature

### Detail
- Add permissions to getTrustedAccount API
- Remove usage of central account in administrator view dashboard tab
- refactor environment Service functions to use decorator for resource
policies
- Added LINK_ENVIRONMENT permissions instead of GET_ORGANIZATION to
`get_pivot_role`, `get_external_id`, `get_pivot_role_template`

### Testing:
- [X] CICD deployment completes
- Add permissions to getTrustedAccount API
- [X] in environment creation form view we can get the trusted account
- Remove usage of central account in administrator view dashboard tab
    - [X] admin view renders without issue
- refactor environment Service functions to use decorator for resource
policies
    - [X] enable_subscriptions with unauthorized user = unauthorized
    - [X] enable_subscriptions with authorized user = success
    - [X] disable_subscriptions with unauthorized user = unauthorized
    - [X] disable_subscriptions with authorized user = success
- [X] get environment assume role url with unauthorized user =
unauthorized -- it throws error of user does not belong to group
- [X] get environment assume role url with authorized user = success
- [X] get environment access token with unauthorized user = unauthorized
    - [X] get environment access token with authorized user = success
- Added LINK_ENVIRONMENT permissions instead of GET_ORGANIZATION to
`get_pivot_role`, `get_external_id`, `get_pivot_role_template`
- [X] Now we get an Unauthorized error message when LINK_ENVIRONMENT
permissions are missing before hitting the create Environment button
### Relates
- <URL or Ticket>

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
  • Loading branch information
@dlpzx
dlpzx authored Dec 3, 2024
1 parent 08f24f2 commit 32d02ad
Show file tree
Hide file tree
Showing 17 changed files with 91 additions and 213 deletions.
1 change: 1 addition & 0 deletions backend/dataall/core/environment/api/queries.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@

getTrustAccount = gql.QueryField(
name='getTrustAccount',
args=[gql.Argument(name='organizationUri', type=gql.NonNullableType(gql.String))],
type=gql.String,
resolver=get_trust_account,
test_scope='Environment',
Expand Down
27 changes: 13 additions & 14 deletions backend/dataall/core/environment/api/resolvers.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,8 @@
log = logging.getLogger()


def get_trust_account(context: Context, source, **kwargs):
current_account = SessionHelper.get_account()
print('current_account = ', current_account)
return current_account
def get_trust_account(context: Context, source, organizationUri):
return EnvironmentService.get_trust_account(uri=organizationUri)


def create_environment(context: Context, source, input={}):
Expand Down Expand Up @@ -203,8 +201,7 @@ def resolve_user_role(context: Context, source: Environment):


def list_environment_group_permissions(context, source, environmentUri: str = None, groupUri: str = None):
with context.engine.scoped_session() as session:
return EnvironmentService.list_group_permissions(session=session, uri=environmentUri, group_uri=groupUri)
return EnvironmentService.list_group_permissions(uri=environmentUri, group_uri=groupUri)


@is_feature_enabled('core.features.env_aws_actions')
Expand All @@ -214,12 +211,12 @@ def get_environment_assume_role_url(
environmentUri: str = None,
groupUri: str = None,
):
return EnvironmentService.get_environment_assume_role_url(environmentUri=environmentUri, groupUri=groupUri)
return EnvironmentService.get_environment_assume_role_url(uri=environmentUri, groupUri=groupUri)


@is_feature_enabled('core.features.env_aws_actions')
def generate_environment_access_token(context, source, environmentUri: str = None, groupUri: str = None):
credentials = EnvironmentService.generate_environment_access_token(environmentUri=environmentUri, groupUri=groupUri)
credentials = EnvironmentService.generate_environment_access_token(uri=environmentUri, groupUri=groupUri)
return json.dumps(credentials)


Expand All @@ -245,31 +242,33 @@ def delete_environment(context: Context, source, environmentUri: str = None, del


def enable_subscriptions(context: Context, source, environmentUri: str = None, input: dict = None):
EnvironmentService.enable_subscriptions(environmentUri, input)
EnvironmentService.enable_subscriptions(uri=environmentUri, input=input)
StackService.deploy_stack(targetUri=environmentUri)
return True


def disable_subscriptions(context: Context, source, environmentUri: str = None):
EnvironmentService.disable_subscriptions(environmentUri)
EnvironmentService.disable_subscriptions(uri=environmentUri)
StackService.deploy_stack(targetUri=environmentUri)
return True


def get_pivot_role_template(context: Context, source, organizationUri=None):
return EnvironmentService.get_template_from_resource_bucket(organizationUri, 'pivot_role_prefix')
return EnvironmentService.get_template_from_resource_bucket(uri=organizationUri, template_name='pivot_role_prefix')


def get_cdk_exec_policy_template(context: Context, source, organizationUri=None):
return EnvironmentService.get_template_from_resource_bucket(organizationUri, 'cdk_exec_policy_prefix')
return EnvironmentService.get_template_from_resource_bucket(
uri=organizationUri, template_name='cdk_exec_policy_prefix'
)


def get_external_id(context: Context, source, organizationUri=None):
return EnvironmentService.get_external_id(organizationUri)
return EnvironmentService.get_external_id(uri=organizationUri)


def get_pivot_role_name(context: Context, source, organizationUri=None):
return EnvironmentService.get_pivot_role(organizationUri)
return EnvironmentService.get_pivot_role(uri=organizationUri)


def resolve_environment(context, source, **kwargs):
Expand Down
146 changes: 50 additions & 96 deletions backend/dataall/core/environment/services/environment_service.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ def validate_org_group(org_uri, group, session):

class EnvironmentService:
@staticmethod
def validate_permissions(session, uri, g_permissions, group):
def _validate_permissions(session, uri, g_permissions, group):
"""
g_permissions: coming from frontend = ENVIRONMENT_INVITATION_REQUEST
Expand All @@ -160,15 +160,15 @@ def validate_permissions(session, uri, g_permissions, group):
)

@staticmethod
def get_pivot_role_as_part_of_environment():
def _get_pivot_role_as_part_of_environment():
ssm_param = ParameterStoreManager.get_parameter_value(
region=os.getenv('AWS_REGION', 'eu-west-1'),
parameter_path=f"/dataall/{os.getenv('envname', 'local')}/pivotRole/enablePivotRoleAutoCreate",
)
return ssm_param == 'True'

@staticmethod
def check_cdk_resources(account_id, region, data) -> str:
def _check_cdk_resources(account_id, region, data) -> str:
"""
Check if all necessary cdk resources exists in the account
:return : pivot role name
Expand All @@ -181,7 +181,7 @@ def check_cdk_resources(account_id, region, data) -> str:

log.info('Checking cdk resources for environment.')

pivot_role_as_part_of_environment = EnvironmentService.get_pivot_role_as_part_of_environment()
pivot_role_as_part_of_environment = EnvironmentService._get_pivot_role_as_part_of_environment()
log.info(f'Pivot role as part of environment = {pivot_role_as_part_of_environment}')

cdk_look_up_role_arn = SessionHelper.get_cdk_look_up_role_arn(accountid=account_id, region=region)
Expand Down Expand Up @@ -216,14 +216,19 @@ def check_cdk_resources(account_id, region, data) -> str:

return cdk_role_name

@staticmethod
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_trust_account(uri):
return SessionHelper.get_account()

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def create_environment(uri, data=None):
context = get_context()
with context.db_engine.scoped_session() as session:
EnvironmentRequestValidationService.validate_creation_params(data, uri, session)
cdk_role_name = EnvironmentService.check_cdk_resources(data.get('AwsAccountId'), data.get('region'), data)
cdk_role_name = EnvironmentService._check_cdk_resources(data.get('AwsAccountId'), data.get('region'), data)
env = Environment(
organizationUri=data.get('organizationUri'),
label=data.get('label', 'Unnamed'),
Expand Down Expand Up @@ -323,7 +328,7 @@ def update_environment(uri, data=None):
with get_context().db_engine.scoped_session() as session:
environment = EnvironmentService.get_environment_by_uri(session, uri)
previous_resource_prefix = environment.resourcePrefix
EnvironmentService.check_cdk_resources(
EnvironmentService._check_cdk_resources(
account_id=environment.AwsAccountId, region=environment.region, data=data
)

Expand Down Expand Up @@ -366,7 +371,7 @@ def invite_group(uri, data=None) -> (Environment, EnvironmentGroup):
group: str = data['groupUri']

with get_context().db_engine.scoped_session() as session:
EnvironmentService.validate_permissions(session, uri, data['permissions'], group)
EnvironmentService._validate_permissions(session, uri, data['permissions'], group)

environment = EnvironmentService.get_environment_by_uri(session, uri)

Expand Down Expand Up @@ -493,7 +498,7 @@ def update_group_permissions(uri, data=None):
group = data['groupUri']

with get_context().db_engine.scoped_session() as session:
EnvironmentService.validate_permissions(session, uri, data['permissions'], group)
EnvironmentService._validate_permissions(session, uri, data['permissions'], group)

environment = EnvironmentService.get_environment_by_uri(session, uri)

Expand Down Expand Up @@ -521,7 +526,7 @@ def update_group_permissions(uri, data=None):

@staticmethod
@ResourcePolicyService.has_resource_permission(environment_permissions.LIST_ENVIRONMENT_GROUP_PERMISSIONS)
def list_group_permissions(session, uri, group_uri):
def list_group_permissions(uri, group_uri):
# the permission checked
with get_context().db_engine.scoped_session() as session:
return EnvironmentService.list_group_permissions_internal(session, uri, group_uri)
Expand Down Expand Up @@ -924,7 +929,7 @@ def get_boolean_env_param(session, env: Environment, param: str) -> bool:
return param is not None and param.value.lower() == 'true'

@staticmethod
def is_user_invited(uri):
def _is_user_invited(uri):
context = get_context()
with context.db_engine.scoped_session() as session:
return EnvironmentRepository.is_user_invited_to_environment(session=session, groups=context.groups, uri=uri)
Expand All @@ -935,23 +940,17 @@ def resolve_user_role(environment: Environment):
return EnvironmentPermission.Owner.value
elif environment.SamlGroupName in get_context().groups:
return EnvironmentPermission.Admin.value
elif EnvironmentService.is_user_invited(environment.environmentUri):
elif EnvironmentService._is_user_invited(environment.environmentUri):
return EnvironmentPermission.Invited.value
return EnvironmentPermission.NotInvited.value

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def enable_subscriptions(environmentUri: str = None, input: dict = None):
@ResourcePolicyService.has_resource_permission(ENABLE_ENVIRONMENT_SUBSCRIPTIONS)
def enable_subscriptions(uri, input: dict = None):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
environment = EnvironmentService.get_environment_by_uri(session, uri)
if input.get('producersTopicArn'):
environment.subscriptionsProducersTopicName = input.get('producersTopicArn')
environment.subscriptionsProducersTopicImported = True
Expand All @@ -977,17 +976,11 @@ def enable_subscriptions(environmentUri: str = None, input: dict = None):

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def disable_subscriptions(environment_uri: str = None):
@ResourcePolicyService.has_resource_permission(ENABLE_ENVIRONMENT_SUBSCRIPTIONS)
def disable_subscriptions(uri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environment_uri,
permission_name=ENABLE_ENVIRONMENT_SUBSCRIPTIONS,
)
environment = EnvironmentService.get_environment_by_uri(session, environment_uri)
environment = EnvironmentService.get_environment_by_uri(session, uri)

environment.subscriptionsConsumersTopicName = None
environment.subscriptionsConsumersTopicImported = False
Expand Down Expand Up @@ -1039,20 +1032,11 @@ def _get_environment_group_aws_session(session, username, groups, environment, g

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def get_environment_assume_role_url(
environmentUri: str = None,
groupUri: str = None,
):
@ResourcePolicyService.has_resource_permission(CREDENTIALS_ENVIRONMENT)
def get_environment_assume_role_url(uri, groupUri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=CREDENTIALS_ENVIRONMENT,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
environment = EnvironmentService.get_environment_by_uri(session, uri)
url = SessionHelper.get_console_access_url(
EnvironmentService._get_environment_group_aws_session(
session=session,
Expand All @@ -1067,17 +1051,11 @@ def get_environment_assume_role_url(

@staticmethod
@TenantPolicyService.has_tenant_permission(MANAGE_ENVIRONMENTS)
def generate_environment_access_token(environmentUri: str = None, groupUri: str = None):
@ResourcePolicyService.has_resource_permission(CREDENTIALS_ENVIRONMENT)
def generate_environment_access_token(uri, groupUri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=environmentUri,
permission_name=CREDENTIALS_ENVIRONMENT,
)
environment = EnvironmentService.get_environment_by_uri(session, environmentUri)
environment = EnvironmentService.get_environment_by_uri(session, uri)
c = EnvironmentService._get_environment_group_aws_session(
session=session,
username=context.username,
Expand All @@ -1092,16 +1070,8 @@ def generate_environment_access_token(environmentUri: str = None, groupUri: str
}

@staticmethod
def get_pivot_role(organization_uri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organization_uri,
permission_name=GET_ORGANIZATION,
)
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_pivot_role(uri):
pivot_role_name = SessionHelper.get_delegation_role_name(region='<REGION>')
if not pivot_role_name:
raise exceptions.AWSResourceNotFound(
Expand All @@ -1111,47 +1081,31 @@ def get_pivot_role(organization_uri):
return pivot_role_name

@staticmethod
def get_external_id(organization_uri):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organization_uri,
permission_name=GET_ORGANIZATION,
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_external_id(uri):
external_id = SessionHelper.get_external_id_secret()
if not external_id:
raise exceptions.AWSResourceNotFound(
action='GET_EXTERNAL_ID',
message='External Id could not be found on AWS Secretsmanager',
)
external_id = SessionHelper.get_external_id_secret()
if not external_id:
raise exceptions.AWSResourceNotFound(
action='GET_EXTERNAL_ID',
message='External Id could not be found on AWS Secretsmanager',
)
return external_id
return external_id

@staticmethod
def get_template_from_resource_bucket(organization_uri, template_name):
context = get_context()
with context.db_engine.scoped_session() as session:
ResourcePolicyService.check_user_resource_permission(
session=session,
username=context.username,
groups=context.groups,
resource_uri=organization_uri,
permission_name=GET_ORGANIZATION,
@ResourcePolicyService.has_resource_permission(LINK_ENVIRONMENT)
def get_template_from_resource_bucket(uri, template_name):
envname = os.getenv('envname', 'local')
region = os.getenv('AWS_REGION', 'eu-central-1')

resource_bucket = Parameter().get_parameter(env=envname, path='s3/resources_bucket_name')
template_key = Parameter().get_parameter(env=envname, path=f's3/{template_name}')
if not resource_bucket or not template_key:
raise AWSResourceNotFound(
action='GET_TEMPLATE',
message=f'{template_name} Yaml template file could not be found on Amazon S3 bucket',
)
envname = os.getenv('envname', 'local')
region = os.getenv('AWS_REGION', 'eu-central-1')

resource_bucket = Parameter().get_parameter(env=envname, path='s3/resources_bucket_name')
template_key = Parameter().get_parameter(env=envname, path=f's3/{template_name}')
if not resource_bucket or not template_key:
raise AWSResourceNotFound(
action='GET_TEMPLATE',
message=f'{template_name} Yaml template file could not be found on Amazon S3 bucket',
)

return S3_client.get_presigned_url(region, resource_bucket, template_key)
return S3_client.get_presigned_url(region, resource_bucket, template_key)

@staticmethod
@ResourcePolicyService.has_resource_permission(environment_permissions.GET_ENVIRONMENT)
Expand Down
3 changes: 1 addition & 2 deletions backend/dataall/core/groups/api/resolvers.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,7 @@
def resolve_group_environment_permissions(context, source, environmentUri):
if not source:
return None
with context.engine.scoped_session() as session:
return EnvironmentService.list_group_permissions(session=session, uri=environmentUri, group_uri=source.groupUri)
return EnvironmentService.list_group_permissions(uri=environmentUri, group_uri=source.groupUri)


def resolve_group_tenant_permissions(context, source):
Expand Down
Loading

0 comments on commit 32d02ad

Please sign in to comment.