From 92e7349cf99b06f1fb234bd361144ab7d7121b3f Mon Sep 17 00:00:00 2001
From: rick
Date: Wed, 2 Dec 2020 14:07:55 +0800
Subject: [PATCH] Fix an issue which the pipeline owner cannot approve his pipeline
Signed-off-by: rick
---
 go.mod | 2 ++
 pkg/kapis/devops/v1alpha2/devops.go | 20 ++++++++++++++++----
 pkg/kapis/devops/v1alpha2/handler.go | 4 ++--
 pkg/kapis/devops/v1alpha2/register.go | 6 +++---
 4 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index 3da56712..97a4bea9 100644
--- a/go.mod
+++ b/go.mod
@@ -51,6 +51,7 @@ require (
 github.com/kubernetes-csi/external-snapshotter/v2 v2.1.0
 github.com/kubesphere/sonargo v0.0.2
 github.com/lib/pq v1.2.0 // indirect
+ github.com/mitchellh/mapstructure v1.2.2
 github.com/onsi/ginkgo v1.12.0
 github.com/onsi/gomega v1.9.0
 github.com/open-policy-agent/opa v0.18.0
@@ -80,6 +81,7 @@ require (
 gopkg.in/src-d/go-git.v4 v4.11.0
 gopkg.in/yaml.v2 v2.3.0
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
+ gotest.tools v2.2.0+incompatible
 istio.io/api v0.0.0-20191111210003-35e06ef8d838
 istio.io/client-go v0.0.0-20191113122552-9bd0ba57c3d2
 k8s.io/api v0.17.5
diff --git a/pkg/kapis/devops/v1alpha2/devops.go b/pkg/kapis/devops/v1alpha2/devops.go
index 58c85858..76022084 100644
--- a/pkg/kapis/devops/v1alpha2/devops.go
+++ b/pkg/kapis/devops/v1alpha2/devops.go
@@ -26,6 +26,7 @@ import (
 "kubesphere.io/kubesphere/pkg/api"
 iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 "kubesphere.io/kubesphere/pkg/apiserver/request"
+ "kubesphere.io/kubesphere/pkg/constants"
 "kubesphere.io/kubesphere/pkg/models/devops"
 clientDevOps "kubesphere.io/kubesphere/pkg/simple/client/devops"
 "net/http"
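Review bot: The two `require` lines added in the go.mod hunks, `github.com/mitchellh/mapstructure v1.2.2` and `gotest.tools v2.2.0+incompatible`, are not used by any Go hunk in this patch; the only import added to devops.go is `kubesphere.io/kubesphere/pkg/constants`. New direct dependencies riding along with an authorization fix widen what has to be reviewed and pinned, and the diffstat lists no go.sum change next to them. If they came from an incidental `go mod tidy`, I would drop them from this commit, or keep them in a separate change whose description says which package needs them.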
@@ -229,6 +230,17 @@ func (h *ProjectPipelineHandler) approvableCheck(nodes []clientDevOps.NodesDetai
 }
 }
+func (h *ProjectPipelineHandler) createdBy(projectName string, pipelineName string, currentUserName string) bool {
+ if pipeline, err := h.devopsOperator.GetPipelineObj(projectName, pipelineName); err == nil {
+ if creator, ok := pipeline.Annotations[constants.CreatorAnnotationKey]; ok {
+ return creator == currentUserName
+ }
+ } else {
+ log.Error(fmt.Sprintf("cannot get pipeline %s/%s, error %#v", projectName, pipelineName, err))
+ }
+ return false
+}
+
 func (h *ProjectPipelineHandler) getCurrentUser(req *restful.Request) (username, roleName string) {
 var userInfo user.Info
 var ok bool
@@ -247,8 +259,10 @@ func (h *ProjectPipelineHandler) getCurrentUser(req *restful.Request) (username,
 func (h *ProjectPipelineHandler) hasSubmitPermission(req *restful.Request) (hasPermit bool, err error) {
 currentUserName, roleName := h.getCurrentUser(req)
- // check if current user belong to the admin group, grant it if it's true
- if roleName == iamv1alpha2.PlatformAdmin {
+ projectName := req.PathParameter("devops")
+ pipelineName := req.PathParameter("pipeline")
+ // check if current user belong to the admin group or he's the owner, grant it if it's true
+ if roleName == iamv1alpha2.PlatformAdmin || h.createdBy(projectName, pipelineName, currentUserName) {
 hasPermit = true
 return
 }
@@ -261,8 +275,6 @@ func (h *ProjectPipelineHandler) hasSubmitPermission(req *restful.Request) (hasP
 PostForm: req.Request.PostForm,
 }
- projectName := req.PathParameter("devops")
- pipelineName := req.PathParameter("pipeline")
 runId := req.PathParameter("run")
 nodeId := req.PathParameter("node")
 stepId := req.PathParameter("step")
diff --git a/pkg/kapis/devops/v1alpha2/handler.go b/pkg/kapis/devops/v1alpha2/handler.go
index 35044a8b..56ea6147 100644
--- a/pkg/kapis/devops/v1alpha2/handler.go
+++ b/pkg/kapis/devops/v1alpha2/handler.go
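Review bot: The comparison `creator == currentUserName` in `createdBy` also succeeds when both strings are empty, so an unauthenticated or unresolved user would match a pipeline whose creator annotation is present but blank. Whether `getCurrentUser` can return an empty username is not visible in this hunk, but the guard is cheap: `return creator != "" && creator == currentUserName`. The decision also rests on `pipeline.Annotations[constants.CreatorAnnotationKey]`, which is ordinary object metadata; unless something outside this patch prevents project members from editing that key, anyone able to update the Pipeline object could name themselves creator, so a doc comment on `createdBy` should say who is trusted to write it. The error branch fails closed, which is right, though `%v` would log the error more readably than `%#v`.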
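Review bot: The new `|| h.createdBy(projectName, pipelineName, currentUserName)` branch in `hasSubmitPermission` returns before the rest of the function, which reads the run, node and step ids, so the pipeline creator is granted approval on every input step without the per-step check being consulted. That appears to be the intent of the commit, but it removes the separation between the person who authored the pipeline and the person who approves its gate; if some steps name explicit submitters, consider limiting the shortcut to steps that name none. At minimum the comment should state the rule, e.g. `// platform admins and the pipeline creator may approve any step, regardless of the step's submitter list`. The function body continues outside this hunk, so the submitter check itself is not visible here.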
@@ -36,9 +36,9 @@ type PipelineSonarHandler struct {
 pipelineSonarGetter devops.PipelineSonarGetter
 }
-func NewProjectPipelineHandler(devopsClient devopsClient.Interface, amInterface am.AccessManagementInterface) ProjectPipelineHandler {
+func NewProjectPipelineHandler(devopsClient devopsClient.Interface, ksInformers externalversions.SharedInformerFactory, amInterface am.AccessManagementInterface) ProjectPipelineHandler {
 return ProjectPipelineHandler{
- devopsOperator: devops.NewDevopsOperator(devopsClient, nil, nil, nil, nil),
+ devopsOperator: devops.NewDevopsOperator(devopsClient, nil, nil, ksInformers, nil),
 projectCredentialGetter: devops.NewProjectCredentialOperator(devopsClient),
 amInterface: amInterface,
 }
diff --git a/pkg/kapis/devops/v1alpha2/register.go b/pkg/kapis/devops/v1alpha2/register.go
index dcb30747..f659b6f6 100644
--- a/pkg/kapis/devops/v1alpha2/register.go
+++ b/pkg/kapis/devops/v1alpha2/register.go
@@ -50,7 +50,7 @@ var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
 func AddToContainer(container *restful.Container, ksInformers externalversions.SharedInformerFactory, devopsClient devops.Interface, sonarqubeClient sonarqube.SonarInterface, ksClient versioned.Interface, s3Client s3.Interface, endpoint string, amInterface am.AccessManagementInterface) error {
 ws := runtime.NewWebService(GroupVersion)
- err := AddPipelineToWebService(ws, devopsClient, amInterface)
+ err := AddPipelineToWebService(ws, devopsClient, ksInformers, amInterface)
 if err != nil {
 return err
 }
@@ -75,12 +75,12 @@ func AddToContainer(container *restful.Container, ksInformers externalversions.S
 return nil
 }
-func AddPipelineToWebService(webservice *restful.WebService, devopsClient devops.Interface, amInterface am.AccessManagementInterface) error {
+func AddPipelineToWebService(webservice *restful.WebService, devopsClient devops.Interface, ksInformers externalversions.SharedInformerFactory, amInterface am.AccessManagementInterface) error {
 projectPipelineEnable := devopsClient != nil
 if projectPipelineEnable {
- projectPipelineHandler := NewProjectPipelineHandler(devopsClient, amInterface)
+ projectPipelineHandler := NewProjectPipelineHandler(devopsClient, ksInformers, amInterface)
 webservice.Route(webservice.GET("/devops/{devops}/credentials/{credential}/usage").
 To(projectPipelineHandler.GetProjectCredentialUsage).
-- GitLab
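Review bot: `AddPipelineToWebService` still enables the pipeline routes on `devopsClient != nil` alone, although the handler it builds now depends on `ksInformers` for the creator lookup behind approvals. `AddToContainer` passes its own factory through, but any other caller of these exported functions that passes nil would hand a nil factory to `devops.NewDevopsOperator` in handler.go; what `GetPipelineObj` does in that case is not visible in this patch. I would reject it up front inside the enabled branch, e.g. `if ksInformers == nil { return fmt.Errorf("ksInformers is required for pipeline approval checks") }`, or at least document the non-nil requirement on `NewProjectPipelineHandler`. The body of `AddPipelineToWebService` continues past the end of this hunk.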