mirror of https://github.com/harness/drone.git
167 lines
4.4 KiB
Go
167 lines
4.4 KiB
Go
// Copyright 2022 Harness Inc. All rights reserved.
|
|
// Use of this source code is governed by the Polyform Free Trial License
|
|
// that can be found in the LICENSE.md file for this repository.
|
|
|
|
package space
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
apiauth "github.com/harness/gitness/internal/api/auth"
|
|
"github.com/harness/gitness/internal/api/usererror"
|
|
"github.com/harness/gitness/internal/auth"
|
|
"github.com/harness/gitness/internal/bootstrap"
|
|
"github.com/harness/gitness/internal/paths"
|
|
"github.com/harness/gitness/store/database/dbtx"
|
|
"github.com/harness/gitness/types"
|
|
"github.com/harness/gitness/types/check"
|
|
"github.com/harness/gitness/types/enum"
|
|
)
|
|
|
|
var (
|
|
errParentIDNegative = usererror.BadRequest(
|
|
"Parent ID has to be either zero for a root space or greater than zero for a child space.")
|
|
)
|
|
|
|
type CreateInput struct {
|
|
ParentID int64 `json:"parent_id"`
|
|
UID string `json:"uid"`
|
|
Description string `json:"description"`
|
|
IsPublic bool `json:"is_public"`
|
|
}
|
|
|
|
// Create creates a new space.
|
|
func (c *Controller) Create(ctx context.Context, session *auth.Session, in *CreateInput) (*types.Space, error) {
|
|
if err := c.checkAuthSpaceCreation(ctx, session, in.ParentID); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := c.sanitizeCreateInput(in); err != nil {
|
|
return nil, fmt.Errorf("failed to sanitize input: %w", err)
|
|
}
|
|
|
|
var space *types.Space
|
|
err := dbtx.New(c.db).WithTx(ctx, func(ctx context.Context) error {
|
|
spacePath := in.UID
|
|
if in.ParentID > 0 {
|
|
// lock parent space path to ensure it doesn't get updated while we setup new space
|
|
parentPath, err := c.pathStore.FindPrimaryWithLock(ctx, enum.PathTargetTypeSpace, in.ParentID)
|
|
if err != nil {
|
|
return usererror.BadRequest("Parent not found")
|
|
}
|
|
spacePath = paths.Concatinate(parentPath.Value, in.UID)
|
|
|
|
// ensure path is within accepted depth!
|
|
err = check.PathDepth(spacePath, true)
|
|
if err != nil {
|
|
return fmt.Errorf("path is invalid: %w", err)
|
|
}
|
|
}
|
|
|
|
now := time.Now().UnixMilli()
|
|
space = &types.Space{
|
|
Version: 0,
|
|
ParentID: in.ParentID,
|
|
UID: in.UID,
|
|
Path: spacePath,
|
|
Description: in.Description,
|
|
IsPublic: in.IsPublic,
|
|
CreatedBy: session.Principal.ID,
|
|
Created: now,
|
|
Updated: now,
|
|
}
|
|
err := c.spaceStore.Create(ctx, space)
|
|
if err != nil {
|
|
return fmt.Errorf("space creation failed: %w", err)
|
|
}
|
|
|
|
path := &types.Path{
|
|
Version: 0,
|
|
Value: space.Path,
|
|
IsPrimary: true,
|
|
TargetType: enum.PathTargetTypeSpace,
|
|
TargetID: space.ID,
|
|
CreatedBy: space.CreatedBy,
|
|
Created: now,
|
|
Updated: now,
|
|
}
|
|
err = c.pathStore.Create(ctx, path)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create path: %w", err)
|
|
}
|
|
|
|
// add space membership to top level space only (as the user doesn't have inhereted permissions alraedy)
|
|
if in.ParentID == 0 {
|
|
membership := &types.Membership{
|
|
SpaceID: space.ID,
|
|
PrincipalID: session.Principal.ID,
|
|
Role: enum.MembershipRoleSpaceOwner,
|
|
|
|
// membership has been created by the system
|
|
CreatedBy: bootstrap.NewSystemServiceSession().Principal.ID,
|
|
Created: now,
|
|
Updated: now,
|
|
}
|
|
err = c.membershipStore.Create(ctx, membership)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to make user owner of the space: %w", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return space, nil
|
|
}
|
|
|
|
func (c *Controller) checkAuthSpaceCreation(ctx context.Context, session *auth.Session, parentID int64) error {
|
|
if parentID <= 0 {
|
|
// TODO: Restrict top level space creation.
|
|
if session == nil {
|
|
return usererror.ErrUnauthorized
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
parentSpace, err := c.spaceStore.Find(ctx, parentID)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get parent space: %w", err)
|
|
}
|
|
|
|
// create is a special case - check permission without specific resource
|
|
scope := &types.Scope{SpacePath: parentSpace.Path}
|
|
resource := &types.Resource{
|
|
Type: enum.ResourceTypeSpace,
|
|
Name: "",
|
|
}
|
|
if err = apiauth.Check(ctx, c.authorizer, session, scope, resource, enum.PermissionSpaceCreate); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (c *Controller) sanitizeCreateInput(in *CreateInput) error {
|
|
if in.ParentID < 0 {
|
|
return errParentIDNegative
|
|
}
|
|
|
|
if err := c.uidCheck(in.UID, in.ParentID == 0); err != nil {
|
|
return err
|
|
}
|
|
|
|
in.Description = strings.TrimSpace(in.Description)
|
|
if err := check.Description(in.Description); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|