feat(api): do not consider service as admin or maintainer

engine/api/action.go

@@ -214,6 +214,10 @@ func (api *API) getActionHandler() service.Handler {
 
 func (api *API) putActionHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+		if isService(ctx) {
+			return sdk.WithStack(sdk.ErrForbidden)
+		}
+
 		vars := mux.Vars(r)
 
 		groupName := vars["permGroupName"]
@@ -307,6 +311,10 @@ func (api *API) putActionHandler() service.Handler {
 
 func (api *API) deleteActionHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+		if isService(ctx) {
+			return sdk.WithStack(sdk.ErrForbidden)
+		}
+
 		vars := mux.Vars(r)
 
 		groupName := vars["permGroupName"]
@@ -425,6 +433,10 @@ func (api *API) getActionAuditHandler() service.Handler {
 
 func (api *API) postActionAuditRollbackHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+		if isService(ctx) {
+			return sdk.WithStack(sdk.ErrForbidden)
+		}
+
 		vars := mux.Vars(r)
 
 		groupName := vars["permGroupName"]

engine/api/api_helper.go

@@ -85,6 +85,14 @@ func isHatchery(ctx context.Context) bool {
 	return c.Service != nil && c.Service.Type == sdk.TypeHatchery
 }
 
+func isHatcheryShared(ctx context.Context) bool {
+	c := getAPIConsumer(ctx)
+	if c == nil {
+		return false
+	}
+	return isHatchery(ctx) && c.GroupIDs.Contains(group.SharedInfraGroup.ID)
+}
+
 func isCDN(ctx context.Context) bool {
 	c := getAPIConsumer(ctx)
 	if c == nil {

engine/api/api_routes.go

@@ -168,7 +168,7 @@ func (api *API) InitRouter() {
 	r.Handle("/project/{permProjectKey}/variable/{name}/audit", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getVariableAuditInProjectHandler))
 	r.Handle("/project/{permProjectKey}/applications", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getApplicationsHandler), r.POST(api.addApplicationHandler))
 	r.Handle("/project/{permProjectKey}/integrations", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getProjectIntegrationsHandler), r.POST(api.postProjectIntegrationHandler))
-	r.Handle("/project/{permProjectKey}/integrations/{integrationName}", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getProjectIntegrationHandler), r.PUT(api.putProjectIntegrationHandler), r.DELETE(api.deleteProjectIntegrationHandler))
+	r.Handle("/project/{permProjectKeyWithHooksAllowed}/integrations/{integrationName}", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getProjectIntegrationHandler), r.PUT(api.putProjectIntegrationHandler), r.DELETE(api.deleteProjectIntegrationHandler))
 	r.Handle("/project/{permProjectKey}/integrations/{integrationName}/workerhooks", Scopes(sdk.AuthConsumerScopeProject, sdk.AuthConsumerScopeRunExecution), r.GET(api.getProjectIntegrationWorkerHookHandler), r.POST(api.postProjectIntegrationWorkerHookHandler))
 	r.Handle("/project/{permProjectKey}/notifications", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getProjectNotificationsHandler, DEPRECATED))
 	r.Handle("/project/{permProjectKey}/keys", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getKeysInProjectHandler), r.POST(api.addKeyInProjectHandler))
@@ -223,7 +223,7 @@ func (api *API) InitRouter() {
 
 	r.Handle("/project/{key}/type/{type}/access", Scope(sdk.AuthConsumerScopeService), r.GET(api.getProjectAccessHandler))
 	r.Handle("/project/{permProjectKey}/workflows", Scope(sdk.AuthConsumerScopeProject), r.POST(api.postWorkflowHandler), r.GET(api.getWorkflowsHandler))
-	r.Handle("/project/{key}/workflows/{permWorkflowName}", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getWorkflowHandler), r.PUT(api.putWorkflowHandler), r.DELETE(api.deleteWorkflowHandler))
+	r.Handle("/project/{key}/workflows/{permWorkflowNameAdvanced}", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getWorkflowHandler), r.PUT(api.putWorkflowHandler), r.DELETE(api.deleteWorkflowHandler))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/delete/dependencies", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getWorkflowDependenciesHandler))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/retention/maxruns", Scope(sdk.AuthConsumerScopeProject), r.POST(api.postWorkflowMaxRunHandler, service.OverrideAuth(api.authAdminMiddleware)))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/retention/dryrun", Scope(sdk.AuthConsumerScopeProject), r.POST(api.postWorkflowRetentionPolicyDryRun))
@@ -265,7 +265,7 @@ func (api *API) InitRouter() {
 
 	// Workflows run
 	r.Handle("/project/{permProjectKey}/runs", Scope(sdk.AuthConsumerScopeProject), r.GET(api.getWorkflowAllRunsHandler))
-	r.Handle("/project/{key}/workflows/{permWorkflowName}/runs", Scope(sdk.AuthConsumerScopeRun), r.GET(api.getWorkflowRunsHandler), r.POSTEXECUTE(api.postWorkflowRunHandler))
+	r.Handle("/project/{key}/workflows/{permWorkflowNameAdvanced}/runs", Scope(sdk.AuthConsumerScopeRun), r.GET(api.getWorkflowRunsHandler), r.POSTEXECUTE(api.postWorkflowRunHandler))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/runs/branch/{branch}", Scope(sdk.AuthConsumerScopeRun), r.DELETE(api.deleteWorkflowRunsBranchHandler))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/runs/latest", Scope(sdk.AuthConsumerScopeRun), r.GET(api.getLatestWorkflowRunHandler))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/runs/tags", Scope(sdk.AuthConsumerScopeRun), r.GET(api.getWorkflowRunTagsHandler))
@@ -289,7 +289,7 @@ func (api *API) InitRouter() {
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/hook/triggers/condition", Scope(sdk.AuthConsumerScopeRun), r.GET(api.getWorkflowTriggerHookConditionHandler))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/triggers/condition", Scope(sdk.AuthConsumerScopeRun), r.GET(api.getWorkflowTriggerConditionHandler))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/runs/{number}/nodes/{nodeRunID}/release", Scope(sdk.AuthConsumerScopeRunExecution), r.POSTEXECUTE(api.releaseApplicationWorkflowHandler, MaintenanceAware()))
-	r.Handle("/project/{key}/workflows/{permWorkflowName}/runs/{number}/hooks/{hookRunID}/callback", Scope(sdk.AuthConsumerScopeRun), r.POST(api.postWorkflowJobHookCallbackHandler, MaintenanceAware()))
+	r.Handle("/project/{key}/workflows/{permWorkflowNameAdvanced}/runs/{number}/hooks/{hookRunID}/callback", Scope(sdk.AuthConsumerScopeRun), r.POST(api.postWorkflowJobHookCallbackHandler, MaintenanceAware()))
 	r.Handle("/project/{key}/workflows/{permWorkflowName}/runs/{number}/hooks/{hookRunID}/details", Scope(sdk.AuthConsumerScopeRun), r.GET(api.getWorkflowJobHookDetailsHandler))
 
 	// Environment

engine/api/auth_builtin.go

@@ -133,6 +133,8 @@ func (api *API) postAuthBuiltinSigninHandler() service.Handler {
 		if hasService {
 			ctx = context.WithValue(ctx, cdslog.AuthServiceName, srv.Name)
 			SetTracker(w, cdslog.AuthServiceName, srv.Name)
+			ctx = context.WithValue(ctx, cdslog.AuthServiceType, srv.Type)
+			SetTracker(w, cdslog.AuthServiceType, srv.Type)
 
 			if err := api.serviceRegister(ctx, tx, &srv); err != nil {
 				return err

engine/api/bookmark_test.go

@@ -82,8 +82,8 @@ func Test_postUserFavoriteHandler(t *testing.T) {
 	assert.True(t, pRes.Favorite, "project favorite flag should be set")
 
 	uri = api.Router.GetRoute(http.MethodGet, api.getWorkflowHandler, map[string]string{
-		"key":              proj.Key,
-		"permWorkflowName": wkf.Name,
+		"key":                      proj.Key,
+		"permWorkflowNameAdvanced": wkf.Name,
 	})
 	req = assets.NewJWTAuthentifiedRequest(t, jwt, http.MethodGet, uri, nil)
 	w = httptest.NewRecorder()

engine/api/download/download_test.go

@@ -7,6 +7,9 @@ import (
 )
 
 func TestInit(t *testing.T) {
+	if os.Getenv("CI") != "1" {
+		t.Skip("Skip download test when not running on CI")
+	}
 	tmpDir1, _ := os.MkdirTemp(os.TempDir(), "download1")
 	tmpDir2, _ := os.MkdirTemp(os.TempDir(), "download2")
 	defer os.RemoveAll(tmpDir1)

engine/api/group.go

@@ -119,6 +119,10 @@ func (api *API) postGroupHandler() service.Handler {
 
 func (api *API) putGroupHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
+		if isService(ctx) {
+			return sdk.WithStack(sdk.ErrForbidden)
+		}
+
 		vars := mux.Vars(r)
 		groupName := vars["permGroupName"]
 

engine/api/project_integration.go

@@ -17,15 +17,15 @@ import (
 func (api *API) getProjectIntegrationHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 		vars := mux.Vars(r)
-		projectKey := vars[permProjectKey]
+		projectKey := vars["permProjectKeyWithHooksAllowed"]
 		integrationName := vars["integrationName"]
 
 		var integ sdk.ProjectIntegration
 		var err error
 
 		clearPassword := service.FormBool(r, "clearPassword")
 		if clearPassword {
-			if !isService(ctx) && !isWorker(ctx) {
+			if !isHooks(ctx) && !isWorker(ctx) {
 				return sdk.WithStack(sdk.ErrForbidden)
 			}
 			integ, err = integration.LoadProjectIntegrationByNameWithClearPassword(ctx, api.mustDB(), projectKey, integrationName)
@@ -52,7 +52,7 @@ func (api *API) getProjectIntegrationHandler() service.Handler {
 func (api *API) putProjectIntegrationHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 		vars := mux.Vars(r)
-		projectKey := vars[permProjectKey]
+		projectKey := vars["permProjectKeyWithHooksAllowed"]
 		integrationName := vars["integrationName"]
 
 		var projectIntegration sdk.ProjectIntegration
@@ -141,7 +141,7 @@ func (api *API) putProjectIntegrationHandler() service.Handler {
 func (api *API) deleteProjectIntegrationHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 		vars := mux.Vars(r)
-		projectKey := vars[permProjectKey]
+		projectKey := vars["permProjectKeyWithHooksAllowed"]
 		integrationName := vars["integrationName"]
 
 		p, err := project.Load(ctx, api.mustDB(), projectKey, project.LoadOptions.WithIntegrations)

engine/api/project_integration_test.go

@@ -49,7 +49,7 @@ func TestAddUpdateAndDeleteProjectIntegration(t *testing.T) {
 	pp.ProjectID = proj.ID
 
 	vars = map[string]string{}
-	vars[permProjectKey] = proj.Key
+	vars["permProjectKeyWithHooksAllowed"] = proj.Key
 	vars["integrationName"] = "kafkaTest"
 	uri = router.GetRoute("PUT", api.putProjectIntegrationHandler, vars)
 	req = assets.NewAuthentifiedRequest(t, u, pass, "PUT", uri, pp)
@@ -60,7 +60,7 @@ func TestAddUpdateAndDeleteProjectIntegration(t *testing.T) {
 
 	// GET integration
 	vars = map[string]string{}
-	vars[permProjectKey] = proj.Key
+	vars["permProjectKeyWithHooksAllowed"] = proj.Key
 	vars["integrationName"] = pp.Name
 	uri = router.GetRoute("GET", api.getProjectIntegrationHandler, vars)
 
@@ -72,7 +72,7 @@ func TestAddUpdateAndDeleteProjectIntegration(t *testing.T) {
 
 	// DELETE integration
 	vars = map[string]string{}
-	vars[permProjectKey] = proj.Key
+	vars["permProjectKeyWithHooksAllowed"] = proj.Key
 	vars["integrationName"] = pp.Name
 	uri = router.GetRoute("DELETE", api.deleteProjectIntegrationHandler, vars)
 	req = assets.NewAuthentifiedRequest(t, u, pass, "DELETE", uri, nil)

engine/api/router_middleware_auth.go

@@ -157,6 +157,8 @@ func (api *API) authOptionalMiddleware(ctx context.Context, w http.ResponseWrite
 	if consumer.Service != nil {
 		ctx = context.WithValue(ctx, cdslog.AuthServiceName, consumer.Service.Name)
 		SetTracker(w, cdslog.AuthServiceName, consumer.Service.Name)
+		ctx = context.WithValue(ctx, cdslog.AuthServiceType, consumer.Service.Type)
+		SetTracker(w, cdslog.AuthServiceType, consumer.Service.Type)
 	}
 
 	// Add worker for consumer if exists