Merge pull request #525 from sgotti/gateway_unify_improve_handling_of_authenticated_user

gateway: unify/improve handling of authenticated user
This commit is contained in:
Simone Gotti 2024-06-17 13:39:34 +02:00 committed by GitHub
commit da97477779
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 30 additions and 19 deletions


@ -342,7 +342,7 @@ type OrgInvitationResponse struct {
func (h *ActionHandler) GetOrgInvitations(ctx context.Context, orgRef string, limit int) ([]*cstypes.OrgInvitation, error) {
if !common.IsUserLogged(ctx) {
return nil, errors.Errorf("user not logged in")
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
org, _, err := h.configstoreClient.GetOrg(ctx, orgRef)
@ -373,7 +373,7 @@ type CreateOrgInvitationRequest struct {
func (h *ActionHandler) CreateOrgInvitation(ctx context.Context, req *CreateOrgInvitationRequest) (*OrgInvitationResponse, error) {
if !common.IsUserLogged(ctx) {
return nil, errors.Errorf("user not logged in")
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
if h.organizationMemberAddingMode != OrganizationMemberAddingModeInvitation {
@ -484,9 +484,8 @@ func (h *ActionHandler) OrgInvitationAction(ctx context.Context, req *OrgInvitat
}
func (h *ActionHandler) DeleteOrgInvitation(ctx context.Context, orgRef string, userRef string) error {
userID := common.CurrentUserID(ctx)
if userID == "" {
return errors.Errorf("user not authenticated")
if !common.IsUserLogged(ctx) {
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
orgInvitation, _, err := h.configstoreClient.GetOrgInvitation(ctx, orgRef, userRef)
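Review bot: The guard that GetOrgInvitations, CreateOrgInvitation and DeleteOrgInvitation now carry is the same three lines repeated verbatim, and the same text recurs in every other file of this commit, so the error kind and message now live in roughly a dozen places; a single helper next to `common.IsUserLogged`, e.g. `func errNotAuthenticated() error { return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated")) }` (name is a suggestion), would keep them in one spot and make an outlier like the ErrBadRequest in the CreateProject hunk impossible to miss. Replacing `errors.Errorf("user not logged in")` with a typed API error is also client-visible — these handlers presumably surfaced the untyped error as a generic server error before and return a 403 now — so it deserves a sentence in the PR description. In DeleteOrgInvitation the dropped `userID` local is fine only if nothing after the hunk still relies on it; the function body continues outside the hunk.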


@ -64,6 +64,9 @@ type CreateProjectRequest struct {
}
func (h *ActionHandler) CreateProject(ctx context.Context, req *CreateProjectRequest) (*csapitypes.Project, error) {
if !common.IsUserLogged(ctx) {
return nil, util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
user, _, err := h.configstoreClient.GetUser(ctx, curUserID)
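Review bot: CreateProject is the only handler in this commit whose new guard returns `util.ErrBadRequest`; every other new guard (GetOrgInvitations, RunTaskAction, GetCurrentUser, UserCreateRun and the rest) returns `util.ErrForbidden` for the identical "user not authenticated" condition. Unless the 400 is deliberate, the line should read `return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))`, otherwise a client that maps 403 to "re-authenticate" will treat a missing session on project creation as a malformed request. The rest of CreateProject lies outside the hunk.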


@ -330,6 +330,11 @@ type RunTaskActionsRequest struct {
}
func (h *ActionHandler) RunTaskAction(ctx context.Context, req *RunTaskActionsRequest) error {
if !common.IsUserLogged(ctx) {
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
canDoRunAction, groupID, err := h.CanAuthUserDoRunActions(ctx, req.GroupType, req.Ref, actionTypeTaskAction)
if err != nil {
return errors.Wrapf(err, "failed to determine permissions")
@ -347,11 +352,6 @@ func (h *ActionHandler) RunTaskAction(ctx context.Context, req *RunTaskActionsRe
runID := runResp.Run.ID
curUserID := common.CurrentUserID(ctx)
if curUserID == "" {
return util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("no logged in user"))
}
switch req.ActionType {
case RunTaskActionTypeApprove:
rt, ok := runResp.Run.Tasks[req.TaskID]
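Review bot: Moving the logged-in check to the top of RunTaskAction changes what an anonymous caller receives from the 400 "no logged in user" of the removed check in the second hunk to a 403 "user not authenticated", and the rejection now happens before the permission lookup and the run fetch instead of after them. Both are improvements, but the status-code change is client-visible and is not mentioned in the PR description; a short line there would help API consumers. `curUserID` is now declared immediately after the guard while its first use appears to be in the `switch` further down (RunTaskAction continues outside both hunks), so if nothing in between reads it, declaring it just before the switch keeps its scope tight.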


@ -59,7 +59,6 @@ func (h *ActionHandler) GetCurrentUser(ctx context.Context) (*PrivateUserRespons
if !common.IsUserLogged(ctx) {
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
userID := common.CurrentUserID(ctx)
user, _, err := h.configstoreClient.GetUser(ctx, userID)
@ -82,7 +81,7 @@ func (h *ActionHandler) GetCurrentUser(ctx context.Context) (*PrivateUserRespons
func (h *ActionHandler) GetUser(ctx context.Context, userRef string) (*cstypes.User, error) {
if !common.IsUserLoggedOrAdmin(ctx) {
return nil, errors.Errorf("user not logged in")
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
user, _, err := h.configstoreClient.GetUser(ctx, userRef)
@ -257,6 +256,10 @@ type CreateUserTokenRequest struct {
}
func (h *ActionHandler) CreateUserToken(ctx context.Context, req *CreateUserTokenRequest) (string, error) {
if !common.IsUserLoggedOrAdmin(ctx) {
return "", util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
isAdmin := common.IsUserAdmin(ctx)
userID := common.CurrentUserID(ctx)
@ -738,10 +741,13 @@ func (h *ActionHandler) HandleRemoteSourceAuth(ctx context.Context, remoteSource
return nil, APIErrorFromRemoteError(err, util.WithAPIErrorMsg("failed to get user %q", req.UserRef))
}
curUserID := common.CurrentUserID(ctx)
// user must be already logged in the create a linked account and can create a
// linked account only on itself.
if !common.IsUserLogged(ctx) {
return nil, util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
if user.ID != curUserID {
return nil, util.NewAPIError(util.ErrBadRequest, util.WithAPIErrorMsg("logged in user cannot create linked account for another user"))
}
@ -1003,7 +1009,7 @@ func (h *ActionHandler) DeleteUser(ctx context.Context, userRef string) error {
func (h *ActionHandler) DeleteUserLA(ctx context.Context, userRef, laID string) error {
if !common.IsUserLoggedOrAdmin(ctx) {
return errors.Errorf("user not logged in")
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
isAdmin := common.IsUserAdmin(ctx)
@ -1027,7 +1033,7 @@ func (h *ActionHandler) DeleteUserLA(ctx context.Context, userRef, laID string)
func (h *ActionHandler) DeleteUserToken(ctx context.Context, userRef, tokenName string) error {
if !common.IsUserLoggedOrAdmin(ctx) {
return errors.Errorf("user not logged in")
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
isAdmin := common.IsUserAdmin(ctx)
@ -1063,6 +1069,11 @@ type UserCreateRunRequest struct {
}
func (h *ActionHandler) UserCreateRun(ctx context.Context, req *UserCreateRunRequest) error {
if !common.IsUserLogged(ctx) {
return util.NewAPIError(util.ErrForbidden, util.WithAPIErrorMsg("user not authenticated"))
}
curUserID := common.CurrentUserID(ctx)
prRefRegexes := []*regexp.Regexp{}
for _, res := range req.PullRequestRefRegexes {
re, err := regexp.Compile(res)
@ -1072,8 +1083,6 @@ func (h *ActionHandler) UserCreateRun(ctx context.Context, req *UserCreateRunReq
prRefRegexes = append(prRefRegexes, re)
}
curUserID := common.CurrentUserID(ctx)
user, _, err := h.configstoreClient.GetUser(ctx, curUserID)
if err != nil {
return APIErrorFromRemoteError(err, util.WithAPIErrorMsg("failed to get user %q", curUserID))
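Review bot: In HandleRemoteSourceAuth the new `IsUserLogged` guard is placed after the configstore lookup of `req.UserRef` (the `failed to get user %q` return just above it), so an unauthenticated caller still causes a backend round trip and gets a different error depending on whether the referenced user exists — a small user-existence oracle that an authentication check is meant to close. If this path is only reached for the linked-account flow (the function starts outside the hunk, so I cannot confirm), moving the guard above the `GetUser` call removes both issues without touching the authenticated path. The comment on those lines also has a typo: `// user must be already logged in to create a linked account and can create a`. The other hunks in this file (GetUser, CreateUserToken, DeleteUserLA, DeleteUserToken, UserCreateRun) make the same guard substitution and look consistent with each other.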


@ -227,7 +227,7 @@ func TestCookieAuth(t *testing.T) {
}, nil)
testutil.NilError(t, err)
// Test auth passing recevied login response cookies
// Test auth passing received login response cookies
authCookieName := common.AuthCookieName(false)
secondaryAuthCookieName := common.SecondaryAuthCookieName()
cookies := resp.Cookies()