api: fix permission checking in createServiceInstance

Returning the proper error message when the user doesn't have permission to create service instances for any team.
tsuru · Nov 26, 2015 · 655bac3 · 655bac3
1 parent 07e8f7c
commit 655bac3
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 3 deletions.
diff --git a/api/service_consumption.go b/api/service_consumption.go
@@ -45,9 +45,22 @@ func createServiceInstance(w http.ResponseWriter, r *http.Request, t auth.Token)
 		TeamOwner: body["owner"],
 	}
 	if instance.TeamOwner == "" {
-		teamContexts := permission.ContextsForPermission(t, permission.PermServiceCreate, permission.CtxTeam)
-		if len(teamContexts) == 1 {
-			instance.TeamOwner = teamContexts[0].Value
+		allContexts := permission.ContextsForPermission(t, permission.PermServiceInstanceCreate)
+		teams := make([]string, 0, len(allContexts))
+		for _, ctx := range allContexts {
+			if ctx.CtxType == permission.CtxGlobal {
+				teams = nil
+				break
+			}
+			if ctx.CtxType == permission.CtxTeam {
+				teams = append(teams, ctx.Value)
+			}
+		}
+		if teams != nil && len(teams) == 0 {
+			return permission.ErrUnauthorized
+		}
+		if len(teams) == 1 {
+			instance.TeamOwner = teams[0]
 		}
 	}
 	if instance.TeamOwner == "" {

diff --git a/api/service_consumption_test.go b/api/service_consumption_test.go
@@ -124,6 +124,41 @@ func (s *ConsumptionSuite) TestCreateInstanceWithPlan(c *check.C) {
 	s.conn.ServiceInstances().Update(bson.M{"name": si.Name}, si)
 	c.Assert(si.Name, check.Equals, "brainSQL")
 	c.Assert(si.ServiceName, check.Equals, "mysql")
+	c.Assert(si.Teams, check.DeepEquals, []string{s.team.Name})
+}
+
+func (s *ConsumptionSuite) TestCreateInstanceWithPlanImplicitTeam(c *check.C) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(`{"DATABASE_HOST":"localhost"}`))
+	}))
+	defer ts.Close()
+	se := service.Service{
+		Name:     "mysql",
+		Teams:    []string{s.team.Name},
+		Endpoint: map[string]string{"production": ts.URL},
+	}
+	se.Create()
+	defer s.conn.Services().Remove(bson.M{"_id": se.Name})
+	params := map[string]string{
+		"name":         "brainSQL",
+		"service_name": "mysql",
+		"plan":         "small",
+	}
+	recorder, request := makeRequestToCreateInstanceHandler(params, c)
+	request.Header.Set("Content-Type", "application/json")
+	err := createServiceInstance(recorder, request, s.token)
+	c.Assert(err, check.IsNil)
+	var si service.ServiceInstance
+	err = s.conn.ServiceInstances().Find(bson.M{
+		"name":         "brainSQL",
+		"service_name": "mysql",
+		"plan_name":    "small",
+	}).One(&si)
+	c.Assert(err, check.IsNil)
+	s.conn.ServiceInstances().Update(bson.M{"name": si.Name}, si)
+	c.Assert(si.Name, check.Equals, "brainSQL")
+	c.Assert(si.ServiceName, check.Equals, "mysql")
+	c.Assert(si.Teams, check.DeepEquals, []string{s.team.Name})
 }
 
 func (s *ConsumptionSuite) TestCreateInstanceHandlerSavesServiceInstanceInDb(c *check.C) {
@@ -220,6 +255,18 @@ func (s *ConsumptionSuite) TestCreateInstanceHandlerIgnoresTeamAuthIfServiceIsNo
 	c.Assert(si.Teams, check.DeepEquals, []string{s.team.Name})
 }
 
+func (s *ConsumptionSuite) TestCreateInstanceHandlerNoPermission(c *check.C) {
+	token := customUserWithPermission(c, "cantdoanything")
+	srvc := service.Service{Name: "mysql"}
+	err := srvc.Create()
+	c.Assert(err, check.IsNil)
+	defer s.conn.Services().Remove(bson.M{"_id": "mysql"})
+	params := map[string]string{"name": "brainSQL", "service_name": "mysql"}
+	recorder, request := makeRequestToCreateInstanceHandler(params, c)
+	err = createServiceInstance(recorder, request, token)
+	c.Assert(err, check.Equals, permission.ErrUnauthorized)
+}
+
 func (s *ConsumptionSuite) TestCreateInstanceHandlerReturnsErrorWhenServiceDoesntExists(c *check.C) {
 	params := map[string]string{
 		"name":         "brainSQL",