ovh · yesnault · Apr 17, 2023 · Apr 12, 2023
@@ -77,20 +77,27 @@ func isWorker(ctx context.Context) bool {
 	return c.AuthConsumerUser.Worker != nil
 }
 
-func isHatchery(ctx context.Context) bool {
+func isHatchery(ctx context.Context) (bool, error) {
 	c := getUserConsumer(ctx)
 	if c == nil {
-		return false
+		return false, nil
+	}
+	if c.AuthConsumerUser.ServiceType != nil && c.AuthConsumerUser.Service == nil {
+		return false, sdk.WrapError(sdk.ErrUnauthorized, "consumer was created for a service of type %q that can't be loaded", *c.AuthConsumerUser.ServiceType)
 	}
-	return c.AuthConsumerUser.Service != nil && c.AuthConsumerUser.Service.Type == sdk.TypeHatchery
+	if c.AuthConsumerUser.Service == nil || c.AuthConsumerUser.Service.Type != sdk.TypeHatchery {
+		return false, nil
+	}
+	return true, nil
 }
 
-func isHatcheryShared(ctx context.Context) bool {
+func isHatcheryShared(ctx context.Context) (bool, error) {
 	c := getUserConsumer(ctx)
 	if c == nil {
-		return false
+		return false, nil
 	}
-	return isHatchery(ctx) && c.AuthConsumerUser.GroupIDs.Contains(group.SharedInfraGroup.ID)
+	isHatchery, err := isHatchery(ctx)
+	return isHatchery && c.AuthConsumerUser.GroupIDs.Contains(group.SharedInfraGroup.ID), err
 }
 
 func isCDN(ctx context.Context) bool {

@@ -89,7 +89,11 @@ func (api *API) checkJobIDPermissions(ctx context.Context, w http.ResponseWriter
 		return nil
 	}
 	if perm == sdk.PermissionRead {
-		if isHatcheryShared(ctx) || isMaintainer(ctx) {
+		isShared, err := isHatcheryShared(ctx)
+		if err != nil {
+			return err
+		}
+		if isShared || isMaintainer(ctx) {
 			return nil
 		}
 	} else {
@@ -356,7 +360,9 @@ func (api *API) checkGroupPermissions(ctx context.Context, w http.ResponseWriter
 
 	if permissionValue > sdk.PermissionRead {
 		// Hatcheries started for "shared.infra" group are granted for group "shared.infra"
-		if isHatcheryShared(ctx) {
+		if ok, err := isHatcheryShared(ctx); err != nil {
+			return err
+		} else if ok {
 			return nil
 		}
 		// Only group administror or CDS administrator can update a group or its dependencies
@@ -369,7 +375,9 @@ func (api *API) checkGroupPermissions(ctx context.Context, w http.ResponseWriter
 		}
 	} else {
 		// Hatcheries started for "shared.infra" group are granted for group "shared.infra"
-		if isHatcheryShared(ctx) {
+		if ok, err := isHatcheryShared(ctx); err != nil {
+			return err
+		} else if ok {
 			return nil
 		}
 		if !isGroupMember(ctx, g) && !isMaintainer(ctx) { // Only group member or CDS maintainer can get a group or its dependencies
@@ -594,7 +602,7 @@ func (api *API) checkSessionPermissions(ctx context.Context, w http.ResponseWrit
 	}
 
 	authConsumer := getUserConsumer(ctx)
-	
+
 	session, err := authentication.LoadSessionByID(ctx, api.mustDB(), sessionID)
 	if err != nil {
 		return sdk.NewErrorWithStack(err, sdk.WrapError(sdk.ErrForbidden, "not authorized for session %s", sessionID))

@@ -152,8 +152,9 @@ func (api *API) getWorkerHandler() service.Handler {
 func (api *API) getWorkersHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 		var workers []sdk.Worker
-		var err error
-		if isHatchery(ctx) {
+		if ok, err := isHatchery(ctx); err != nil {
+			return err
+		} else if ok {
 			workers, err = worker.LoadAllByHatcheryID(ctx, api.mustDB(), getUserConsumer(ctx).AuthConsumerUser.Service.ID)
 			if err != nil {
 				return err

@@ -257,8 +257,11 @@ func (api *API) getWorkerModelsHandler() service.Handler {
 			return service.WriteJSON(w, models, http.StatusOK)
 		}
 
-		var err error
-		if ok := isHatchery(ctx); ok && len(consumer.AuthConsumerUser.GroupIDs) > 0 {
+		hatchery, err := isHatchery(ctx)
+		if err != nil {
+			return err
+		}
+		if hatchery && len(consumer.AuthConsumerUser.GroupIDs) > 0 {
 			models, err = workermodel.LoadAllByGroupIDs(ctx, api.mustDB(), consumer.GetGroupIDs(), &filter, workermodel.LoadOptions.Default)
 		} else if isMaintainer(ctx) {
 			models, err = workermodel.LoadAll(ctx, api.mustDB(), &filter, workermodel.LoadOptions.Default)

@@ -14,7 +14,9 @@ import (
 
 func (api *API) putBookWorkerModelHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
-		if !isHatchery(ctx) {
+		if ok, err := isHatchery(ctx); err != nil {
+			return err
+		} else if !ok {
 			return sdk.WithStack(sdk.ErrForbidden)
 		}
 
@@ -93,7 +95,11 @@ func (api *API) putSpawnErrorWorkerModelHandler() service.Handler {
 func (api *API) getWorkerModelsEnabledHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 		// this handler should only answer to an hatchery
-		if !isHatchery(ctx) && !isMaintainer(ctx) {
+		hatchery, err := isHatchery(ctx)
+		if err != nil {
+			return err
+		}
+		if !hatchery && !isMaintainer(ctx) {
 			return sdk.WithStack(sdk.ErrForbidden)
 		}
 
@@ -118,7 +124,11 @@ func (api *API) getWorkerModelsEnabledHandler() service.Handler {
 func (api *API) getWorkerModelSecretHandler() service.Handler {
 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
 		// this handler should only answer to an hatchery
-		if !isHatchery(ctx) && !isMaintainer(ctx) {
+		hatchery, err := isHatchery(ctx)
+		if err != nil {
+			return err
+		}
+		if !hatchery && !isMaintainer(ctx) {
 			return sdk.WithStack(sdk.ErrForbidden)
 		}
 

@@ -254,7 +254,9 @@ func (api *API) postBookWorkflowJobHandler() service.Handler {
 			return err
 		}
 
-		if ok := isHatchery(ctx); !ok {
+		if ok, err := isHatchery(ctx); err != nil {
+			return err
+		} else if !ok {
 			return sdk.WithStack(sdk.ErrForbidden)
 		}
 
@@ -300,7 +302,9 @@ func (api *API) deleteBookWorkflowJobHandler() service.Handler {
 			return err
 		}
 
-		if ok := isHatchery(ctx); !ok {
+		if ok, err := isHatchery(ctx); err != nil {
+			return err
+		} else if !ok {
 			return sdk.WithStack(sdk.ErrForbidden)
 		}
 
@@ -383,7 +387,11 @@ func (api *API) postSpawnInfosWorkflowJobHandler() service.Handler {
 			return sdk.WrapError(err, "invalid id")
 		}
 
-		if ok := isHatchery(ctx) || isWorker(ctx); !ok {
+		hatchery, err := isHatchery(ctx)
+		if err != nil {
+			return err
+		}
+		if ok := hatchery || isWorker(ctx); !ok {
 			return sdk.WithStack(sdk.ErrForbidden)
 		}
 
@@ -433,7 +441,9 @@ func (api *API) postWorkflowJobResultHandler() service.Handler {
 			}
 		}
 
-		if isHatchery(ctx) {
+		if ok, err := isHatchery(ctx); err != nil {
+			return err
+		} else if ok {
 			hatch, err = services.LoadByID(ctx, api.mustDBWithCtx(ctx), getUserConsumer(ctx).AuthConsumerUser.Service.ID)
 			if err != nil {
 				return err