fix(api): permission on worker that are no more linked to an hatchery (…

…#5303)
ovh · Jul 7, 2020 · dae0ac7 · dae0ac7
1 parent c6150a2
commit dae0ac7
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 6 deletions.
diff --git a/engine/api/ascode/pull_request.go b/engine/api/ascode/pull_request.go
@@ -51,7 +51,7 @@ func UpdateAsCodeResult(ctx context.Context, db *gorp.DbMap, store cache.Store,
 		if err != nil {
 			globalErr = err
 		}
-		sdk.GoRoutine(context.Background(), fmt.Sprintf("UpdateAsCodeResult-pusblish-as-code-event-%s", asCodeEvent.ID), func(ctx context.Context) {
+		sdk.GoRoutine(context.Background(), fmt.Sprintf("UpdateAsCodeResult-pusblish-as-code-event-%d", asCodeEvent.ID), func(ctx context.Context) {
 			event.PublishAsCodeEvent(ctx, proj.Key, workflowHolder.Name, *asCodeEvent, u)
 		})
 	}

diff --git a/engine/api/worker.go b/engine/api/worker.go
@@ -153,8 +153,11 @@ func (api *API) disableWorkerHandler() service.Handler {
 			if err != nil {
 				return sdk.WrapError(sdk.ErrForbidden, "Cannot disable a worker from this hatchery: %v", err)
 			}
-			if wk.HatcheryID != nil && *wk.HatcheryID != hatcherySrv.ID {
-				return sdk.WrapError(sdk.ErrForbidden, "Cannot disable a worker from hatchery (expected: %d/actual: %d)", wk.HatcheryID, hatcherySrv.ID)
+			if wk.HatcheryID == nil {
+				return sdk.WrapError(sdk.ErrForbidden, "hatchery %d cannot disable worker %s started by %s that is no more linked to an hatchery", hatcherySrv.ID, wk.ID, wk.HatcheryName)
+			}
+			if *wk.HatcheryID != hatcherySrv.ID {
+				return sdk.WrapError(sdk.ErrForbidden, "cannot disable a worker from hatchery (expected: %d/actual: %d)", *wk.HatcheryID, hatcherySrv.ID)
 			}
 		}
 

diff --git a/engine/cdn/cdn_log.go b/engine/cdn/cdn_log.go
@@ -213,12 +213,15 @@ func (s *Service) handleServiceLog(ctx context.Context, hatcheryID int64, hatche
 	_, ok = logCache.Get(workerCacheKey)
 	if !ok {
 		// Verify that the worker has been spawn by this hatchery
-		w, err := worker.LoadWorkerByName(ctx, s.Db, workerName)
+		wk, err := worker.LoadWorkerByName(ctx, s.Db, workerName)
 		if err != nil {
 			return err
 		}
-		if w.HatcheryID != nil && *w.HatcheryID != signature.Service.HatcheryID {
-			return sdk.WrapError(sdk.ErrWrongRequest, "hatchery and worker does not match")
+		if wk.HatcheryID == nil {
+			return sdk.WrapError(sdk.ErrWrongRequest, "hatchery %d cannot send service log for worker %s started by %s that is no more linked to an hatchery", signature.Service.HatcheryID, wk.ID, wk.HatcheryName)
+		}
+		if *wk.HatcheryID != signature.Service.HatcheryID {
+			return sdk.WrapError(sdk.ErrWrongRequest, "cannot send service log for worker %s from hatchery (expected: %d/actual: %d)", wk.ID, *wk.HatcheryID, signature.Service.HatcheryID)
 		}
 		logCache.Set(workerCacheKey, true, gocache.DefaultExpiration)
 	}