drone/app/api/controller/space/create.go

// Copyright 2023 Harness, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package space

import (
	"context"
	"fmt"
	"strconv"
	"strings"
	"time"

	apiauth "github.com/harness/gitness/app/api/auth"
	"github.com/harness/gitness/app/api/usererror"
	"github.com/harness/gitness/app/auth"
	"github.com/harness/gitness/app/bootstrap"
	"github.com/harness/gitness/app/paths"
	"github.com/harness/gitness/types"
	"github.com/harness/gitness/types/check"
	"github.com/harness/gitness/types/enum"
)

var (
	errParentIDNegative = usererror.BadRequest(
		"Parent ID has to be either zero for a root space or greater than zero for a child space.")
)

type CreateInput struct {
	ParentRef   string `json:"parent_ref"`
	UID         string `json:"uid"`
	Description string `json:"description"`
	IsPublic    bool   `json:"is_public"`
}

// Create creates a new space.
//
//nolint:gocognit // refactor if required
func (c *Controller) Create(
	ctx context.Context,
	session *auth.Session,
	in *CreateInput,
) (*types.Space, error) {
	parentID, err := c.getSpaceCheckAuthSpaceCreation(ctx, session, in.ParentRef)
	if err != nil {
		return nil, err
	}

	if err := c.sanitizeCreateInput(in); err != nil {
		return nil, fmt.Errorf("failed to sanitize input: %w", err)
	}
	var space *types.Space
	err = c.tx.WithTx(ctx, func(ctx context.Context) error {
		space, err = c.createSpaceInnerInTX(ctx, session, parentID, in)
		return err
	})
	if err != nil {
		return nil, err
	}

	return space, nil
}

func (c *Controller) createSpaceInnerInTX(
	ctx context.Context,
	session *auth.Session,
	parentID int64,
	in *CreateInput,
) (*types.Space, error) {
	spacePath := in.UID
	if parentID > 0 {
		// (re-)read parent path in transaction to ensure correctness
		parentPath, err := c.spacePathStore.FindPrimaryBySpaceID(ctx, parentID)
		if err != nil {
			return nil, fmt.Errorf("failed to find primary path for parent '%d': %w", parentID, err)
		}
		spacePath = paths.Concatinate(parentPath.Value, in.UID)

		// ensure path is within accepted depth!
		err = check.PathDepth(spacePath, true)
		if err != nil {
			return nil, fmt.Errorf("path is invalid: %w", err)
		}
	}

	now := time.Now().UnixMilli()
	space := &types.Space{
		Version:     0,
		ParentID:    parentID,
		UID:         in.UID,
		Description: in.Description,
		IsPublic:    in.IsPublic,
		Path:        spacePath,
		CreatedBy:   session.Principal.ID,
		Created:     now,
		Updated:     now,
	}
	err := c.spaceStore.Create(ctx, space)
	if err != nil {
		return nil, fmt.Errorf("space creation failed: %w", err)
	}

	pathSegment := &types.SpacePathSegment{
		UID:       space.UID,
		IsPrimary: true,
		SpaceID:   space.ID,
		ParentID:  parentID,
		CreatedBy: space.CreatedBy,
		Created:   now,
		Updated:   now,
	}
	err = c.spacePathStore.InsertSegment(ctx, pathSegment)
	if err != nil {
		return nil, fmt.Errorf("failed to insert primary path segment: %w", err)
	}

	// add space membership to top level space only (as the user doesn't have inherited permissions already)
	if parentID == 0 {
		membership := &types.Membership{
			MembershipKey: types.MembershipKey{
				SpaceID:     space.ID,
				PrincipalID: session.Principal.ID,
			},
			Role: enum.MembershipRoleSpaceOwner,

			// membership has been created by the system
			CreatedBy: bootstrap.NewSystemServiceSession().Principal.ID,
			Created:   now,
			Updated:   now,
		}
		err = c.membershipStore.Create(ctx, membership)
		if err != nil {
			return nil, fmt.Errorf("failed to make user owner of the space: %w", err)
		}
	}

	return space, nil
}

func (c *Controller) getSpaceCheckAuthSpaceCreation(
	ctx context.Context,
	session *auth.Session,
	parentRef string,
) (int64, error) {
	parentRefAsID, err := strconv.ParseInt(parentRef, 10, 64)
	if (parentRefAsID <= 0 && err == nil) || (len(strings.TrimSpace(parentRef)) == 0) {
		// TODO: Restrict top level space creation - should be move to authorizer?
		if session == nil {
			return 0, fmt.Errorf("anonymous user not allowed to create top level spaces: %w", usererror.ErrUnauthorized)
		}

		return 0, nil
	}

	parentSpace, err := c.spaceStore.FindByRef(ctx, parentRef)
	if err != nil {
		return 0, fmt.Errorf("failed to get parent space: %w", err)
	}

	// create is a special case - check permission without specific resource
	scope := &types.Scope{SpacePath: parentSpace.Path}
	resource := &types.Resource{
		Type: enum.ResourceTypeSpace,
		Name: "",
	}
	if err = apiauth.Check(ctx, c.authorizer, session, scope, resource, enum.PermissionSpaceCreate); err != nil {
		return 0, fmt.Errorf("authorization failed: %w", err)
	}

	return parentSpace.ID, nil
}

func (c *Controller) sanitizeCreateInput(in *CreateInput) error {
	if len(in.ParentRef) > 0 && !c.nestedSpacesEnabled {
		// TODO (Nested Spaces): Remove once support is added
		return errNestedSpacesNotSupported
	}

	parentRefAsID, err := strconv.ParseInt(in.ParentRef, 10, 64)
	if err == nil && parentRefAsID < 0 {
		return errParentIDNegative
	}

	isRoot := false
	if (err == nil && parentRefAsID == 0) || (len(strings.TrimSpace(in.ParentRef)) == 0) {
		isRoot = true
	}

	if err := c.uidCheck(in.UID, isRoot); err != nil {
		return err
	}

	in.Description = strings.TrimSpace(in.Description)
	if err := check.Description(in.Description); err != nil {
		return err
	}

	return nil
}