fix: [CODE-2942]: space level permission checks for status checks and webhooks (#3167)

2025-05-30 19:23:07 +00:00 · 2024-12-16 22:19:47 +00:00 · 2024-12-16 22:19:47 +00:00 · 096b86da47
commit 096b86da47
parent 4a44636ca7
6 changed files with 33 additions and 39 deletions
--- a/app/api/controller/check/controller.go
+++ b/app/api/controller/check/controller.go
@ -19,6 +19,7 @@ import (
 	"fmt"

 	apiauth "github.com/harness/gitness/app/api/auth"
+	"github.com/harness/gitness/app/api/controller/space"
 	"github.com/harness/gitness/app/api/usererror"
 	"github.com/harness/gitness/app/auth"
 	"github.com/harness/gitness/app/auth/authz"
@ -84,17 +85,5 @@ func (c *Controller) getSpaceCheckAccess(
 	spaceRef string,
 	permission enum.Permission,
 ) (*types.Space, error) {
-	space, err := c.spaceStore.FindByRef(ctx, spaceRef)
-	if err != nil {
-		return nil, fmt.Errorf("parent space not found: %w", err)
-	}
-
-	scope := &types.Scope{SpacePath: space.Path}
-	resource := &types.Resource{Type: enum.ResourceTypeRepo}
-	err = apiauth.Check(ctx, c.authorizer, session, scope, resource, permission)
-	if err != nil {
-		return nil, fmt.Errorf("auth check failed: %w", err)
-	}
-
-	return space, nil
+	return space.GetSpaceCheckAuth(ctx, c.spaceStore, c.authorizer, session, spaceRef, permission)
 }
--- a/app/api/controller/space/controller.go
+++ b/app/api/controller/space/controller.go
@ -151,17 +151,7 @@ func (c *Controller) getSpaceCheckAuth(
 	spaceRef string,
 	permission enum.Permission,
 ) (*types.Space, error) {
-	space, err := c.spaceStore.FindByRef(ctx, spaceRef)
-	if err != nil {
-		return nil, fmt.Errorf("parent space not found: %w", err)
-	}
-
-	err = apiauth.CheckSpace(ctx, c.authorizer, session, space, permission)
-	if err != nil {
-		return nil, fmt.Errorf("auth check failed: %w", err)
-	}
-
-	return space, nil
+	return GetSpaceCheckAuth(ctx, c.spaceStore, c.authorizer, session, spaceRef, permission)
 }

 func (c *Controller) getSpaceCheckAuthRepoCreation(
--- a/app/api/controller/space/helper.go
+++ b/app/api/controller/space/helper.go
@ -18,11 +18,37 @@ import (
 	"context"
 	"fmt"

+	apiauth "github.com/harness/gitness/app/api/auth"
+	"github.com/harness/gitness/app/auth"
+	"github.com/harness/gitness/app/auth/authz"
 	"github.com/harness/gitness/app/services/publicaccess"
+	"github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 )

+// GetSpaceCheckAuth checks whether the user has the requested permission on the provided space and returns the space.
+func GetSpaceCheckAuth(
+	ctx context.Context,
+	spaceStore store.SpaceStore,
+	authorizer authz.Authorizer,
+	session *auth.Session,
+	spaceRef string,
+	permission enum.Permission,
+) (*types.Space, error) {
+	space, err := spaceStore.FindByRef(ctx, spaceRef)
+	if err != nil {
+		return nil, fmt.Errorf("space not found: %w", err)
+	}
+
+	err = apiauth.CheckSpace(ctx, authorizer, session, space, permission)
+	if err != nil {
+		return nil, fmt.Errorf("auth check failed: %w", err)
+	}
+
+	return space, nil
+}
+
 func GetSpaceOutput(
 	ctx context.Context,
 	publicAccess publicaccess.Service,
--- a/app/api/controller/webhook/controller.go
+++ b/app/api/controller/webhook/controller.go
@ -19,6 +19,7 @@ import (
 	"fmt"

 	apiauth "github.com/harness/gitness/app/api/auth"
+	"github.com/harness/gitness/app/api/controller/space"
 	"github.com/harness/gitness/app/auth"
 	"github.com/harness/gitness/app/auth/authz"
 	"github.com/harness/gitness/app/services/webhook"
@ -80,17 +81,5 @@ func (c *Controller) getSpaceCheckAccess(
 	spaceRef string,
 	permission enum.Permission,
 ) (*types.Space, error) {
-	space, err := c.spaceStore.FindByRef(ctx, spaceRef)
-	if err != nil {
-		return nil, fmt.Errorf("parent space not found: %w", err)
-	}
-
-	scope := &types.Scope{SpacePath: space.Path}
-	resource := &types.Resource{Type: enum.ResourceTypeRepo}
-	err = apiauth.Check(ctx, c.authorizer, session, scope, resource, permission)
-	if err != nil {
-		return nil, fmt.Errorf("auth check failed: %w", err)
-	}
-
-	return space, nil
+	return space.GetSpaceCheckAuth(ctx, c.spaceStore, c.authorizer, session, spaceRef, permission)
 }
--- a/app/api/controller/webhook/repo_retrigger_execution.go
+++ b/app/api/controller/webhook/repo_retrigger_execution.go
@ -31,7 +31,7 @@ func (c *Controller) RetriggerExecutionRepo(
 	webhookIdentifier string,
 	webhookExecutionID int64,
 ) (*types.WebhookExecution, error) {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoEdit)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to the repo: %w", err)
 	}
--- a/app/api/controller/webhook/space_retrigger_execution.go
+++ b/app/api/controller/webhook/space_retrigger_execution.go
@ -31,7 +31,7 @@ func (c *Controller) RetriggerExecutionSpace(
 	webhookIdentifier string,
 	webhookExecutionID int64,
 ) (*types.WebhookExecution, error) {
-	space, err := c.getSpaceCheckAccess(ctx, session, spaceRef, enum.PermissionSpaceView)
+	space, err := c.getSpaceCheckAccess(ctx, session, spaceRef, enum.PermissionSpaceEdit)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to space: %w", err)
 	}