Merge pull request #4185 from varshavaradarajan/stage-approval-validation

Validate the users and roles defined in stage authorization in the context of the pipeline using the template. (#4176)

Author: maheshp

common/src/test/java/com/thoughtworks/go/domain/ApprovalTest.java

@@ -81,7 +81,7 @@ public void shouldFailValidateWhenUsersWithoutOperatePermissionOnGroupAreAuthori
 
         AdminUser user = approval.getAuthConfig().getUsers().get(0);
         assertThat(user.errors().isEmpty(), is(false));
-        assertThat(user.errors().on("name"), is("User \"not-present\" who is not authorized to operate pipeline group can not be authorized to approve stage"));
+        assertThat(user.errors().on("name"), is("User \"not-present\" who is not authorized to operate pipeline group `defaultGroup` can not be authorized to approve stage"));
     }
 
     @Test
@@ -196,7 +196,7 @@ public void validate_shouldNotAllow_UserInApprovalListButNotInOperationList() {
 
         AdminUser user = approval.getAuthConfig().getUsers().get(0);
         assertThat(user.errors().isEmpty(), is(false));
-        assertThat(user.errors().on("name"), is("User \"not-present\" who is not authorized to operate pipeline group can not be authorized to approve stage"));
+        assertThat(user.errors().on("name"), is("User \"not-present\" who is not authorized to operate pipeline group `defaultGroup` can not be authorized to approve stage"));
     }
 
     @Test
@@ -215,7 +215,7 @@ public void validate_shouldNotAllowRoleInApprovalListButNotInOperationList() thr
 
         AdminRole user = approval.getAuthConfig().getRoles().get(0);
         assertThat(user.errors().isEmpty(), is(false));
-        assertThat(user.errors().on("name"), is("Role \"not-present\" who is not authorized to operate pipeline group can not be authorized to approve stage"));
+        assertThat(user.errors().on("name"), is("Role \"not-present\" who is not authorized to operate pipeline group `defaultGroup` can not be authorized to approve stage"));
     }
 
     @Test

config/config-api/src/main/java/com/thoughtworks/go/config/AdminRole.java

@@ -93,7 +93,12 @@ public void validate(ValidationContext validationContext) {
         }
         SecurityConfig securityConfig = validationContext.getServerSecurityConfig();
         if (!securityConfig.isRoleExist(this.name)) {
-            configErrors.add(NAME, String.format("Role \"%s\" does not exist.", this.name));
+            if(validationContext.isWithinPipelines()) {
+                configErrors.add(NAME, String.format("Role \"%s\" defined for `%s` does not exist.", this.name, validationContext.getPipeline().getName()));
+            }
+            else {
+                configErrors.add(NAME, String.format("Role \"%s\" does not exist.", this.name));
+            }
         }
     }
 

config/config-api/src/main/java/com/thoughtworks/go/config/Approval.java

@@ -113,6 +113,11 @@ public void setType(String type) {
     public boolean validateTree(ValidationContext validationContext) {
         validate(validationContext);
         boolean isValid = errors.isEmpty();
+        isValid = validateAuthConfig(validationContext, isValid);
+        return isValid;
+    }
+
+    private boolean validateAuthConfig(ValidationContext validationContext, boolean isValid) {
         for (Admin admin : authConfig) {
             admin.validate(validationContext);
             authConfig.errors().addAll(admin.errors());
@@ -125,6 +130,10 @@ public void validate(ValidationContext validationContext) {
         if (!isValidTypeValue()) {
             errors.add(TYPE, String.format("You have defined approval type as '%s'. Approval can only be of the type '%s' or '%s'.", type, MANUAL, SUCCESS));
         }
+        validateOperatePermissions(validationContext);
+    }
+
+    private void validateOperatePermissions(ValidationContext validationContext) {
         if (validationContext.isWithinPipelines()) {
             PipelineConfigs group = validationContext.getPipelineGroup();
             if (!group.hasOperationPermissionDefined()) {
@@ -143,7 +152,7 @@ public void validate(ValidationContext validationContext) {
                 boolean approverIsNotAGroupOperator = !groupOperators.has(approver, roles.memberRoles(approver));
 
                 if (approverIsNotAnAdmin && approverIsNotAGroupOperator) {
-                    approver.addError(String.format("%s \"%s\" who is not authorized to operate pipeline group can not be authorized to approve stage", approver.describe(), approver, group.getGroup()));
+                    approver.addError(String.format("%s \"%s\" who is not authorized to operate pipeline group `%s` can not be authorized to approve stage", approver.describe(), approver, group.getGroup()));
                 }
             }
         }
@@ -164,6 +173,10 @@ public ConfigErrors errors() {
         return errors;
     }
 
+    public List<ConfigErrors> getAllErrors() {
+        return ErrorCollector.getAllErrors(this);
+    }
+
     public void addError(String fieldName, String message) {
         errors.add(fieldName, message);
     }

config/config-api/src/main/java/com/thoughtworks/go/config/PipelineTemplateConfig.java

@@ -85,9 +85,10 @@ private void validateDependencies(CruiseConfig preprocessedConfig) {
         ParamsConfig paramsConfig = this.referredParams();
         for (CaseInsensitiveString pipelineName : pipelineNames) {
             PipelineConfig pipelineConfig = preprocessedConfig.getPipelineConfigByName(pipelineName);
-            PipelineConfigSaveValidationContext contextForStages = PipelineConfigSaveValidationContext.forChain(false, "", preprocessedConfig, pipelineConfig);
+            PipelineConfigs pipelineGroup = preprocessedConfig.findGroupOfPipeline(pipelineConfig);
+            PipelineConfigSaveValidationContext contextForStages = PipelineConfigSaveValidationContext.forChain(false, pipelineGroup.getGroup(), preprocessedConfig, pipelineConfig);
             validateParams(pipelineConfig, paramsConfig);
-            validateFetchTasksAndElasticProfileId(pipelineConfig, contextForStages);
+            validatePartsOfPipelineConfig(pipelineConfig, contextForStages);
             validateDependenciesOfDownstreams(pipelineConfig, contextForStages);
         }
     }
@@ -98,17 +99,27 @@ private void validateDependenciesOfDownstreams(PipelineConfig pipelineConfig, Pi
         this.errors().addAll(pipelineConfig.errors());
     }
 
-    private void validateFetchTasksAndElasticProfileId(PipelineConfig pipelineConfig, PipelineConfigSaveValidationContext contextForStages) {
+    private void validatePartsOfPipelineConfig(PipelineConfig pipelineConfig, PipelineConfigSaveValidationContext contextForStages) {
         for (StageConfig stageConfig : pipelineConfig.getStages()) {
-            PipelineConfigSaveValidationContext contextForJobs = contextForStages.withParent(stageConfig);
+            PipelineConfigSaveValidationContext contextForChildren = contextForStages.withParent(stageConfig);
+            validateStageApprovalAuthorization(stageConfig, contextForChildren);
             for (JobConfig jobConfig : stageConfig.getJobs()) {
-                PipelineConfigSaveValidationContext contextForTasks = contextForJobs.withParent(jobConfig);
+                PipelineConfigSaveValidationContext contextForTasks = contextForChildren.withParent(jobConfig);
                 validateFetchTasks(jobConfig, contextForTasks);
                 validateElasticProfileId(jobConfig, contextForTasks);
             }
         }
     }
 
+    private void validateStageApprovalAuthorization(StageConfig stageConfig, PipelineConfigSaveValidationContext contextForChildren) {
+        Approval approval = stageConfig.getApproval();
+        if (!approval.validateTree(contextForChildren)) {
+            for (ConfigErrors errors : approval.getAllErrors()) {
+                this.errors().addAll(errors);
+            }
+        }
+    }
+
     private void validateElasticProfileId(JobConfig jobConfig, PipelineConfigSaveValidationContext preprocessedConfig) {
         String elasticProfileId = jobConfig.getElasticProfileId();
         if (elasticProfileId != null && !preprocessedConfig.isValidProfileId(elasticProfileId)) {

config/config-api/src/test/java/com/thoughtworks/go/config/AdminRoleTest.java

@@ -54,15 +54,16 @@ public void shouldThrowExceptionIfRoleNameInPipelinesAuthorizationDoesNotExist_C
     }
 
     @Test
-    public void shouldAddValidationErrorIfRoleNameInPipelinesAuthorizationDoesNotExist_PipelineConfigSaveValidationContext()  {
+    public void shouldAddValidationErrorWithPipelineNameIfRoleNameInPipelinesAuthorizationDoesNotExist_PipelineConfigSaveValidationContext()  {
         AdminRole role = new AdminRole(new CaseInsensitiveString("role2"));
         PipelineConfig pipelineConfig = new PipelineConfig();
+        pipelineConfig.setName("foo");
         PipelineConfigs pipelinesConfig = new BasicPipelineConfigs(new Authorization(new ViewConfig(role)), pipelineConfig);
         CruiseConfig config = new BasicCruiseConfig(pipelinesConfig);
         role.validate(PipelineConfigSaveValidationContext.forChain(true, "group",config, pipelineConfig));
         ConfigErrors errors = role.errors();
         assertThat(errors.isEmpty(), is(false));
-        assertThat(errors.on(AdminRole.NAME), is("Role \"role2\" does not exist."));
+        assertThat(errors.on(AdminRole.NAME), is("Role \"role2\" defined for `foo` does not exist."));
     }
 
     @Test

config/config-api/src/test/java/com/thoughtworks/go/config/PipelineTemplateConfigTest.java

@@ -214,6 +214,44 @@ public void shouldValidateFetchTasksOfATemplateInTheContextOfPipelinesUsingTheTe
         assertThat(template.errors().getAllOn("pipeline"), is(Arrays.asList("\"pipeline :: stage :: defaultJob\" tries to fetch artifact from pipeline \"non-existent-pipeline\" which does not exist.")));
     }
 
+    @Test
+    public void shouldValidateStageApprovalAuthorizationOfATemplateInTheContextOfPipelinesUsingTheTemplate() throws Exception {
+        JobConfig jobConfig = new JobConfig(new CaseInsensitiveString("defaultJob"));
+        JobConfigs jobConfigs = new JobConfigs(jobConfig);
+        StageConfig stageConfig = StageConfigMother.custom("stage", jobConfigs);
+        stageConfig.setApproval(new Approval(new AuthConfig(new AdminRole(new CaseInsensitiveString("non-existent-role")))));
+        PipelineTemplateConfig template = PipelineTemplateConfigMother.createTemplate("template", stageConfig);
+        PipelineConfig pipelineConfig = PipelineConfigMother.pipelineConfigWithTemplate("pipeline", "template");
+        pipelineConfig.usingTemplate(template);
+        BasicCruiseConfig cruiseConfig = GoConfigMother.defaultCruiseConfig();
+        cruiseConfig.addTemplate(template);
+        cruiseConfig.addPipelineWithoutValidation("group", pipelineConfig);
+
+        template.validateTree(ConfigSaveValidationContext.forChain(cruiseConfig), cruiseConfig, false);
+
+        assertThat(template.errors().getAllOn("name"), is(Arrays.asList("Role \"non-existent-role\" defined for `pipeline` does not exist.")));
+    }
+
+    @Test
+    public void shouldValidateStagePermissionsOfATemplateStageInTheContextOfPipelineUsingTheTemplate() {
+        StageConfig stageConfig = StageConfigMother.custom("stage", new JobConfigs(new JobConfig(new CaseInsensitiveString("defaultJob"))));
+        stageConfig.setApproval(new Approval(new AuthConfig(new AdminUser(new CaseInsensitiveString("non-admin-non-operate")))));
+        PipelineTemplateConfig template = PipelineTemplateConfigMother.createTemplate("template", stageConfig);
+        PipelineConfig pipelineConfig = PipelineConfigMother.pipelineConfigWithTemplate("pipeline", "template");
+        pipelineConfig.usingTemplate(template);
+        BasicCruiseConfig cruiseConfig = GoConfigMother.defaultCruiseConfig();
+        cruiseConfig.addTemplate(template);
+        cruiseConfig.addPipelineWithoutValidation("group", pipelineConfig);
+        PipelineConfigs group = cruiseConfig.findGroup("group");
+        group.setAuthorization(new Authorization(new ViewConfig(), new OperationConfig(new AdminUser(new CaseInsensitiveString("foo"))), new AdminsConfig()));
+        cruiseConfig.server().security().securityAuthConfigs().add(new SecurityAuthConfig());
+        cruiseConfig.server().security().adminsConfig().add(new AdminUser(new CaseInsensitiveString("super-admin")));
+
+        template.validateTree(ConfigSaveValidationContext.forChain(cruiseConfig), cruiseConfig, false);
+
+        assertThat(template.errors().getAllOn("name"), is(Arrays.asList("User \"non-admin-non-operate\" who is not authorized to operate pipeline group `group` can not be authorized to approve stage")));
+    }
+
     @Test
     public void shouldValidateTemplateStageUsedInDownstreamPipelines() {
         JobConfig jobConfigWithExecTask = new JobConfig(new CaseInsensitiveString("defaultJob"));