Merge e3bfab7 into 6d151a8

square · Jul 14, 2022 · 8dd95a7 · 8dd95a7
2 parents 6d151a8 + e3bfab7
commit 8dd95a7
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 8 deletions.
diff --git a/server/src/main/java/keywhiz/service/resources/automation/v2/BackfillRowHmacResource.java b/server/src/main/java/keywhiz/service/resources/automation/v2/BackfillRowHmacResource.java
@@ -27,6 +27,8 @@
 import keywhiz.log.Event;
 import keywhiz.log.EventTag;
 import keywhiz.service.crypto.RowHmacGenerator;
+import keywhiz.service.permissions.Action;
+import keywhiz.service.permissions.PermissionCheck;
 import org.jooq.DSLContext;
 import org.jooq.Result;
 import org.slf4j.Logger;
@@ -51,15 +53,18 @@ public class BackfillRowHmacResource {
   private final DSLContext jooq;
   private final RowHmacGenerator rowHmacGenerator;
   private final AuditLog auditLog;
+  private final PermissionCheck permissionCheck;
 
   @Inject
   public BackfillRowHmacResource(
       DSLContext jooq,
       RowHmacGenerator rowHmacGenerator,
-      AuditLog auditLog) {
+      AuditLog auditLog,
+      PermissionCheck permissionCheck) {
     this.jooq = jooq;
     this.rowHmacGenerator = rowHmacGenerator;
     this.auditLog = auditLog;
+    this.permissionCheck = permissionCheck;
   }
 
   /**
@@ -83,6 +88,8 @@ public void backfillSecretRowHmacByName(
     }
 
     SecretsRecord row = maybeRow.get();
+    permissionCheck.checkAllowedOrThrow(automationClient, Action.UPDATE, row);
+
     String oldHmac = row.getRowHmac();
 
     if (oldHmac != null && !force) {
@@ -119,7 +126,9 @@ public void backfillSecretRowHmacByName(
   @POST
   @Consumes(APPLICATION_JSON)
   @Produces(APPLICATION_JSON)
-  public void backfillSecretsRowHmac(@PathParam("cursor_start") Long cursorStart,
+  public void backfillSecretsRowHmac(
+      @Auth AutomationClient automationClient,
+      @PathParam("cursor_start") Long cursorStart,
       @PathParam("max_rows") Long maxRows) {
     logger.info("backfill-secrets: processing secrets");
     long cursor;
@@ -144,6 +153,8 @@ public void backfillSecretsRowHmac(@PathParam("cursor_start") Long cursorStart,
       }
 
       for (var row : rows) {
+        permissionCheck.checkAllowedOrThrow(automationClient, Action.UPDATE, row);
+
         cursor = row.getId();
         if (!row.getRowHmac().isEmpty()) {
           continue;
@@ -172,7 +183,9 @@ public void backfillSecretsRowHmac(@PathParam("cursor_start") Long cursorStart,
   @POST
   @Consumes(APPLICATION_JSON)
   @Produces(APPLICATION_JSON)
-  public void backfillSecretsContentRowHmac(@PathParam("cursor_start") Long cursorStart,
+  public void backfillSecretsContentRowHmac(
+      @Auth AutomationClient automationClient,
+      @PathParam("cursor_start") Long cursorStart,
       @PathParam("max_rows") Long maxRows) {
     logger.info("backfill-secrets-content: processing secrets content");
     long cursor;
@@ -197,6 +210,8 @@ public void backfillSecretsContentRowHmac(@PathParam("cursor_start") Long cursor
       }
 
       for (var row : rows) {
+        permissionCheck.checkAllowedOrThrow(automationClient, Action.UPDATE, row);
+
         cursor = row.getId();
 
         String rowHmac = rowHmacGenerator.computeRowHmac(SECRETS_CONTENT.getName(),
@@ -222,7 +237,9 @@ public void backfillSecretsContentRowHmac(@PathParam("cursor_start") Long cursor
   @POST
   @Consumes(APPLICATION_JSON)
   @Produces(APPLICATION_JSON)
-  public void backfillClientsRowHmac(@PathParam("cursor_start") Long cursorStart,
+  public void backfillClientsRowHmac(
+      @Auth AutomationClient automationClient,
+      @PathParam("cursor_start") Long cursorStart,
       @PathParam("max_rows") Long maxRows) {
     logger.info("backfill-clients: processing clients");
     long cursor;
@@ -247,6 +264,8 @@ public void backfillClientsRowHmac(@PathParam("cursor_start") Long cursorStart,
       }
 
       for (var row : rows) {
+        permissionCheck.checkAllowedOrThrow(automationClient, Action.UPDATE, row);
+
         cursor = row.getId();
 
         String rowHmac = rowHmacGenerator.computeRowHmac(CLIENTS.getName(),
@@ -272,7 +291,9 @@ public void backfillClientsRowHmac(@PathParam("cursor_start") Long cursorStart,
   @POST
   @Consumes(APPLICATION_JSON)
   @Produces(APPLICATION_JSON)
-  public void backfillMembershipsRowHmac(@PathParam("cursor_start") Long cursorStart,
+  public void backfillMembershipsRowHmac(
+      @Auth AutomationClient automationClient,
+      @PathParam("cursor_start") Long cursorStart,
       @PathParam("max_rows") Long maxRows) {
     logger.info("backfill-memberships: processing memberships");
     long cursor;
@@ -297,6 +318,8 @@ public void backfillMembershipsRowHmac(@PathParam("cursor_start") Long cursorSta
       }
 
       for (var row : rows) {
+        permissionCheck.checkAllowedOrThrow(automationClient, Action.UPDATE, row);
+
         cursor = row.getId();
 
         String rowHmac = rowHmacGenerator.computeRowHmac(MEMBERSHIPS.getName(),
@@ -322,7 +345,9 @@ public void backfillMembershipsRowHmac(@PathParam("cursor_start") Long cursorSta
   @POST
   @Consumes(APPLICATION_JSON)
   @Produces(APPLICATION_JSON)
-  public void backfillAccessgrantsRowHmac(@PathParam("cursor_start") Long cursorStart,
+  public void backfillAccessgrantsRowHmac(
+      @Auth AutomationClient automationClient,
+      @PathParam("cursor_start") Long cursorStart,
       @PathParam("max_rows") Long maxRows) {
     logger.info("backfill-accessgrants: processing accessgrants");
     long cursor;
@@ -347,6 +372,8 @@ public void backfillAccessgrantsRowHmac(@PathParam("cursor_start") Long cursorSt
       }
 
       for (var row : rows) {
+        permissionCheck.checkAllowedOrThrow(automationClient, Action.UPDATE, row);
+
         cursor = row.getId();
 
         String rowHmac = rowHmacGenerator.computeRowHmac(ACCESSGRANTS.getName(),

diff --git a/...er/src/test/java/keywhiz/service/resources/automation/v2/BackfillRowHmacResourceTest.java b/...er/src/test/java/keywhiz/service/resources/automation/v2/BackfillRowHmacResourceTest.java
@@ -2,6 +2,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
@@ -15,6 +16,7 @@
 import keywhiz.log.Event;
 import keywhiz.log.EventTag;
 import keywhiz.service.crypto.RowHmacGenerator;
+import keywhiz.service.permissions.PermissionCheck;
 import keywhiz.test.TestDSLContexts;
 import org.jooq.DSLContext;
 import org.junit.Before;
@@ -29,13 +31,16 @@ public class BackfillRowHmacResourceTest {
   private RowHmacGenerator rowHmacGenerator;
   @Mock
   private AuditLog auditLog;
+  @Mock
+  private PermissionCheck permissionCheck;
 
   @Captor
   private ArgumentCaptor<Event> eventCaptor;
 
   @Before
   public void before() {
     MockitoAnnotations.initMocks(this);
+    doNothing().when(permissionCheck).checkAllowedOrThrow(any(), any(), any());
   }
 
   @Test
@@ -49,7 +54,7 @@ public void backfillSecretHmacByNameHandlesNullOldHmac() {
 
     when(rowHmacGenerator.computeRowHmac(any(), any())).thenReturn("newHmac");
 
-    BackfillRowHmacResource resource = new BackfillRowHmacResource(context, rowHmacGenerator, auditLog);
+    BackfillRowHmacResource resource = new BackfillRowHmacResource(context, rowHmacGenerator, auditLog, permissionCheck);
 
     String clientName = UUID.randomUUID().toString();
     String secretName = UUID.randomUUID().toString();
@@ -73,7 +78,7 @@ public void backfillSecretHmacByNameWritesToAuditLog() {
 
     DSLContext context = TestDSLContexts.returning(record);
 
-    BackfillRowHmacResource resource = new BackfillRowHmacResource(context, rowHmacGenerator, auditLog);
+    BackfillRowHmacResource resource = new BackfillRowHmacResource(context, rowHmacGenerator, auditLog, permissionCheck);
 
     String clientName = UUID.randomUUID().toString();
     String secretName = UUID.randomUUID().toString();