ningyougang commented on a change in pull request #4058:
URL: https://github.com/apache/openwhisk/pull/4058#discussion_r484716259
##########
File path:
core/controller/src/main/scala/org/apache/openwhisk/core/entitlement/Entitlement.scala
##########
@@ -231,6 +234,157 @@ protected[core] abstract class EntitlementProvider(
.getOrElse(Future.successful(()))
}
+ /**
+ * Checks if action operation(get/write/execute) whether feasible
+ *
+ * @param operation the action operation, e.g. get/write/execute
+ * @param user the user who get/write/execute the action
+ * @param entityStore store to write the action to
+ * @param entityName entityName
+ * @param permissions the passed permission code
+ * @return a promise that completes with success iff action operation is
feasible
+ */
+ protected[core] def checkActionPermissions(
+ operation: String,
+ user: Identity,
+ entityStore: ArtifactStore[WhiskEntity],
+ entityName: FullyQualifiedEntityName,
+ get: (ArtifactStore[WhiskEntity], DocId, DocRevision, Boolean) =>
Future[WhiskAction],
+ permissions: Option[String] = None)(implicit transid: TransactionId):
Future[Unit] = {
+ if (operation == "create") {
+ permissions
+ .map { value =>
+ if (WhiskAction.permissionList.contains(value)) {
+ Future.successful(())
+ } else {
+ val errorInfo =
+ s"give error permission code: ${value}, available permission is
in ${WhiskAction.permissionList}"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ }
+ }
+ .getOrElse(Future.successful(()))
+ } else if (operation == "update") {
+ get(entityStore, entityName.toDocId, DocRevision.empty, true)
+ .flatMap { whiskAction =>
+ val currentPermissions = whiskAction.annotations
+ .get(WhiskAction.permissionsFieldName)
+ .map(value => value.convertTo[String])
+ .getOrElse(WhiskAction.defaultPermissions)
+
+ val errorInfo = s"have no permission to ${operation} this action"
+ permissions match {
+ case Some(value) =>
+ if (!WhiskAction.permissionList.contains(value)) {
+ val errorInfo =
+ s"give error permission code: ${value}, available permission
is in ${WhiskAction.permissionList}"
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ val passedUpdatePermission = value.charAt(1)
+ if (passedUpdatePermission == 'w') { // make it to modifiable
+ Future.successful(())
+ } else {
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ }
+ case None =>
+ val currentUpdatePermission = currentPermissions.charAt(1)
+ if (currentUpdatePermission == '-') {
+ Future.failed(RejectRequest(Forbidden,
Some(ErrorResponse(errorInfo, transid))))
+ } else {
+ Future.successful(())
+ }
+ }
+ }
+ .recoverWith {
+ case t: RejectRequest =>
+ Future.failed(t)
+ case _ =>
+ Future.successful(())
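Review bot: The `case _ => Future.successful(())` arm of the `recoverWith` that closes the update branch makes this permission check fail open. Any failure of `get(...)` other than `RejectRequest` is converted into a successful authorization, so the update proceeds without the stored permissions annotation ever being read; that covers not only a missing document but also, for example, a store error. Recover only the specific not-found exception that represents "no existing action under this name" and let every other failure propagate as a failed future, so the request is denied. The `case t: RejectRequest => Future.failed(t)` arm then becomes unnecessary, because a failure that `recoverWith` does not match passes through unchanged. Separately, in the `case Some(value)` arm, a request whose permission string has `w` at index 1 succeeds before `currentUpdatePermission` is consulted, so a caller on this path can lift a `-` lock by passing new permissions. If that is intended, the scaladoc should state it.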
Review comment:
In order to make some test cases pass, e.g.
```
./gradlew :tests:test --tests="org.apache.openwhisk.core.controller.test.PackageActionsApiTests"
./gradlew :tests:test --tests="org.apache.openwhisk.core.controller.test.ActionsApiTests"
```
we need to add the above recoverWith logic. The concrete content is:
* If the exception is `RejectRequest`, return `Future.failed(t)` to make the normal logic pass.
* For some exceptions which are generated by the above test cases, it should return `Future.successful(())` to make the above test cases pass, e.g.
https://github.com/apache/openwhisk/blob/master/tests/src/test/scala/org/apache/openwhisk/core/controller/test/PackageActionsApiTests.scala#L130
Here, it will pass a package parameter as the second param of `get(entityStore, entityName.toDocId, DocRevision.empty, true)`. Actually, this method needs an `action`, so it will throw a NoDocument exception. In order to make the test case pass, we need to make it return `Future.successful(())`.