Merge pull request #452 from UffizziCloud/feature/451_separate_endpoi…

…nt_for_kubeconfig_update [451] added a separate endpoint
UffizziCloud · Aug 9, 2023 · 1c11c8f · 1c11c8f
2 parents 51faf19 + 1b56e2a
commit 1c11c8f
Show file tree

Hide file tree

Showing 7 changed files with 137 additions and 14 deletions.
diff --git a/core/app/controllers/concerns/uffizzi_core/dependency_injection_concern.rb b/core/app/controllers/concerns/uffizzi_core/dependency_injection_concern.rb
@@ -73,6 +73,12 @@ def controller_settings_service
     module_class(:controller_settings)
   end
 
+  def ci_module
+    return unless module_exists?(:ci_module)
+
+    module_class(:ci_module)
+  end
+
   private
 
   def module_exists?(module_name)

diff --git a/core/app/controllers/uffizzi_core/api/cli/v1/projects/clusters_controller.rb b/core/app/controllers/uffizzi_core/api/cli/v1/projects/clusters_controller.rb
@@ -9,8 +9,9 @@ class UffizziCore::Api::Cli::V1::Projects::ClustersController < UffizziCore::Api
 
   def index
     clusters = resource_project.clusters.enabled
+    return respond_with clusters if request_by_admin? || valid_request_from_ci_workflow?
 
-    respond_with clusters
+    respond_with clusters.deployed_by_user(current_user)
   end
 
   def create
@@ -37,7 +38,20 @@ def destroy
   private
 
   def resource_cluster
-    @resource_cluster ||= resource_project.clusters.enabled.find_by!(name: params[:name])
+    active_project_clusters = resource_project.clusters.enabled
+    @resource_cluster ||= if request_by_admin? || valid_request_from_ci_workflow?
+      active_project_clusters.find_by!(name: params[:name])
+    else
+      active_project_clusters.deployed_by_user(current_user).find_by!(name: params[:name])
+    end
+  end
+
+  def request_by_admin?
+    current_user.admin_access_to_project?(resource_project)
+  end
+
+  def valid_request_from_ci_workflow?
+    ci_module.valid_request_from_ci_workflow?(params)
   end
 
   def cluster_params

diff --git a/core/app/lib/uffizzi_core/concerns/models/user.rb b/core/app/lib/uffizzi_core/concerns/models/user.rb
@@ -53,7 +53,7 @@ def full_name
     end
 
     def admin_access_to_project?(project)
-      projects.by_ids(project).by_accounts(memberships.by_role_admin.select(:account_id)).exists?
+      project.user_projects.where(user_id: id, role: UffizziCore::UserProject.role.admin).exists?
     end
   end
 end
diff --git a/core/app/repositories/uffizzi_core/cluster_repo.rb b/core/app/repositories/uffizzi_core/cluster_repo.rb
@@ -6,5 +6,6 @@ module UffizziCore::ClusterRepo
   included do
     scope :deployed, -> { where(state: UffizziCore::Cluster::STATE_DEPLOYED) }
     scope :enabled, -> { where.not(state: UffizziCore::Cluster::STATE_DISABLED) }
+    scope :deployed_by_user, ->(user) { where(deployed_by: user) }
   end
 end
diff --git a/core/app/services/uffizzi_core/ci_service.rb b/core/app/services/uffizzi_core/ci_service.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class UffizziCore::CiService
+  class << self
+    def valid_request_from_ci_workflow?(_params)
+      false
+    end
+  end
+end
diff --git a/core/lib/uffizzi_core.rb b/core/lib/uffizzi_core.rb
@@ -33,6 +33,7 @@ module UffizziCore
     deployment_memory_module: 'UffizziCore::Deployment::MemoryService',
     template_memory_module: 'UffizziCore::Template::MemoryService',
     controller_settings: 'UffizziCore::ControllerSettingsService',
+    ci_module: 'UffizziCore::CiService',
   }
   mattr_accessor :table_names, default: {
     accounts: :uffizzi_core_accounts,

diff --git a/core/test/controllers/uffizzi_core/api/cli/v1/projects/clusters_controller_test.rb b/core/test/controllers/uffizzi_core/api/cli/v1/projects/clusters_controller_test.rb
@@ -4,30 +4,52 @@
 
 class UffizziCore::Api::Cli::V1::Projects::ClustersControllerTest < ActionController::TestCase
   setup do
-    @user = create(:user, :with_organizational_account)
-    account = @user.accounts.organizational.first
-    @project = create(:project, :with_members, members: [@user], account: account)
+    @admin = create(:user, :with_organizational_account)
+    @account = @admin.accounts.organizational.first
+    @project = create(:project, :with_members, members: [@admin], account: @account)
 
-    sign_in(@user)
+    @developer = create(:user)
+    create(:membership, :developer, account: @account, user: @developer)
+    create(:user_project, :developer, project: @project, user: @developer)
   end
 
   teardown do
     Sidekiq::Worker.clear_all
     Sidekiq::Testing.inline!
   end
 
-  test '#index' do
-    create(:cluster, project: @project, deployed_by: @user)
+  test '#index lists all clusters to admins' do
+    sign_in(@admin)
+
+    create(:cluster, project: @project, deployed_by: @developer)
+
+    params = {
+      project_slug: @project.slug,
+    }
+    get :index, params: params, format: :json
+
+    assert_response(:success)
+    data = JSON.parse(response.body)
+    assert_equal(1, data['clusters'].count)
+  end
+
+  test '#index only shows clusters deployed by the same user for non-adminss' do
+    create(:cluster, project: @project, deployed_by: @admin)
+    create(:cluster, project: @project, deployed_by: @developer)
+    sign_in(@developer)
 
     params = {
       project_slug: @project.slug,
     }
     get :index, params: params, format: :json
 
     assert_response(:success)
+    data = JSON.parse(response.body)
+    assert_equal(1, data['clusters'].count)
   end
 
   test '#create' do
+    sign_in(@admin)
     cluster_creation_data = json_fixture('files/controller/cluster_not_ready.json')
     params = {
       project_slug: @project.slug,
@@ -61,8 +83,9 @@ class UffizziCore::Api::Cli::V1::Projects::ClustersControllerTest < ActionContro
   end
 
   test '#create when enabled cluster with the same name exists' do
+    sign_in(@admin)
     name = 'test'
-    create(:cluster, project: @project, deployed_by: @user, name: name)
+    create(:cluster, project: @project, deployed_by: @admin, name: name)
 
     params = {
       project_slug: @project.slug,
@@ -83,6 +106,7 @@ class UffizziCore::Api::Cli::V1::Projects::ClustersControllerTest < ActionContro
   end
 
   test '#create with manifest' do
+    sign_in(@admin)
     manifest = File.read('test/fixtures/files/cluster/manifest.yml')
     cluster_creation_data = json_fixture('files/controller/cluster_not_ready.json')
     cluster_show_data = json_fixture('files/controller/cluster_ready.json')
@@ -118,8 +142,9 @@ class UffizziCore::Api::Cli::V1::Projects::ClustersControllerTest < ActionContro
     assert_requested(stubbed_get_cluster_request)
   end
 
-  test '#show' do
-    cluster = create(:cluster, project: @project, deployed_by: @user, name: 'test')
+  test '#show shows cluster created by the same developer' do
+    cluster = create(:cluster, project: @project, deployed_by: @developer, name: 'test')
+    sign_in(@developer)
 
     params = {
       project_slug: @project.slug,
@@ -131,8 +156,75 @@ class UffizziCore::Api::Cli::V1::Projects::ClustersControllerTest < ActionContro
     assert_response(:success)
   end
 
-  test '#destroy' do
-    cluster = create(:cluster, :deployed, project: @project, deployed_by: @user, name: 'test')
+  test '#show does not show cluster created by a different user to developer' do
+    sign_in(@developer)
+
+    cluster = create(:cluster, project: @project, deployed_by: @admin, name: 'test')
+
+    params = {
+      project_slug: @project.slug,
+      name: cluster.name,
+    }
+
+    get :show, params: params, format: :json
+
+    assert_response(:not_found)
+  end
+
+  test '#show shows clusters created by a different user to admin' do
+    sign_in(@admin)
+
+    cluster = create(:cluster, project: @project, deployed_by: @developer, name: 'test')
+
+    params = {
+      project_slug: @project.slug,
+      name: cluster.name,
+    }
+
+    get :show, params: params, format: :json
+
+    assert_response(:success)
+  end
+
+  test '#destroy developer can destroy a cluster created by him' do
+    sign_in(@developer)
+
+    cluster = create(:cluster, :deployed, project: @project, deployed_by: @developer, name: 'test')
+    stubbed_delete_namespace_request = stub_delete_namespace_request(cluster)
+
+    params = {
+      project_slug: @project.slug,
+      name: cluster.name,
+    }
+
+    delete :destroy, params: params, format: :json
+
+    assert_response(:success)
+    assert(cluster.reload.disabled?)
+    assert_requested(stubbed_delete_namespace_request)
+  end
+
+  test '#destroy developer cannot destroy a cluster created by other user' do
+    sign_in(@developer)
+
+    cluster = create(:cluster, :deployed, project: @project, deployed_by: @admin, name: 'test')
+    stubbed_delete_namespace_request = stub_delete_namespace_request(cluster)
+
+    params = {
+      project_slug: @project.slug,
+      name: cluster.name,
+    }
+
+    delete :destroy, params: params, format: :json
+
+    assert_response(:not_found)
+    refute_requested(stubbed_delete_namespace_request)
+  end
+
+  test '#destroy admin can destroy a cluster created by other user' do
+    sign_in(@admin)
+
+    cluster = create(:cluster, :deployed, project: @project, deployed_by: @developer, name: 'test')
     stubbed_delete_namespace_request = stub_delete_namespace_request(cluster)
 
     params = {