enhance(perm): skip access checks for personal org

go-vela · ecrupper · Mar 21, 2023 · Jan 6, 2023 · Mar 4, 2023 · Mar 4, 2023
commit e1f041ec24cadf2b2faf79ae17a78001237e95ec
@@ -78,7 +78,7 @@ func MustWorker() gin.HandlerFunc {
 
 		// validate claims as worker
 		switch {
-		case (strings.EqualFold(cl.Subject, "vela-worker") && strings.EqualFold(cl.TokenType, constants.ServerWorkerTokenType)):
+		case strings.EqualFold(cl.Subject, "vela-worker") && strings.EqualFold(cl.TokenType, constants.ServerWorkerTokenType):
 			return
 
 		default:
@@ -256,6 +256,15 @@ func MustSecretAdmin() gin.HandlerFunc {
 			}
 		case constants.SecretShared:
 			if n == "*" && m == "GET" {
+				// check if user is accessing shared secrets in personal org
+				if strings.EqualFold(o, u.GetName()) {
+					logger.WithFields(logrus.Fields{
+						"org":  o,
+						"user": u.GetName(),
+					}).Warnf("skipping gathering teams for user %s with org %s", u.GetName(), o)
+					return
+				}
+
 				logger.Debugf("gathering teams user %s is a member of in the org %s", u.GetName(), o)
 
 				teams, err := scm.FromContext(c).ListUsersTeamsForOrg(u, o)

@@ -20,8 +20,12 @@ func (c *client) OrgAccess(u *library.User, org string) (string, error) {
 		"user": u.GetName(),
 	}).Tracef("capturing %s access level to org %s", u.GetName(), org)
 
-	// if user is accessing personal org
+	// check if user is accessing personal org
 	if strings.EqualFold(org, *u.Name) {
+		c.Logger.WithFields(logrus.Fields{
+			"org":  org,
+			"user": u.GetName(),
+		}).Warnf("skipping access level check for user %s with org %s", u.GetName(), org)
 		//nolint:goconst // ignore making constant
 		return "admin", nil
 	}
@@ -51,6 +55,17 @@ func (c *client) RepoAccess(u *library.User, token, org, repo string) (string, e
 		"user": u.GetName(),
 	}).Tracef("capturing %s access level to repo %s/%s", u.GetName(), org, repo)
 
+	// check if user is accessing repo in personal org
+	if strings.EqualFold(org, *u.Name) {
+		c.Logger.WithFields(logrus.Fields{
+			"org":  org,
+			"repo": repo,
+			"user": u.GetName(),
+		}).Warnf("skipping access level check for user %s with repo %s/%s", u.GetName(), org, repo)
+		//nolint:goconst // ignore making constant
+		return "admin", nil
+	}
+
 	// create github oauth client with the given token
 	client := c.newClientToken(token)
 
@@ -71,6 +86,17 @@ func (c *client) TeamAccess(u *library.User, org, team string) (string, error) {
 		"user": u.GetName(),
 	}).Tracef("capturing %s access level to team %s/%s", u.GetName(), org, team)
 
+	// check if user is accessing team in personal org
+	if strings.EqualFold(org, *u.Name) {
+		c.Logger.WithFields(logrus.Fields{
+			"org":  org,
+			"team": team,
+			"user": u.GetName(),
+		}).Warnf("skipping access level check for user %s with team %s/%s", u.GetName(), org, team)
+		//nolint:goconst // ignore making constant
+		return "admin", nil
+	}
+
 	// create GitHub OAuth client with user's token
 	client := c.newClientToken(u.GetToken())
 	teams := []*github.Team{}

@@ -98,7 +98,7 @@ func (c *client) Disable(u *library.User, org, name string) error {
 		"org":  org,
 		"repo": name,
 		"user": u.GetName(),
-	}).Tracef("deleting repository webhook for %s/%s", org, name)
+	}).Tracef("deleting repository webhooks for %s/%s", org, name)
 
 	// create GitHub OAuth client with user's token
 	client := c.newClientToken(*u.Token)
@@ -132,6 +132,11 @@ func (c *client) Disable(u *library.User, org, name string) error {
 
 	// skip if we have no hook IDs
 	if len(ids) == 0 {
+		c.Logger.WithFields(logrus.Fields{
+			"org":  org,
+			"repo": name,
+			"user": u.GetName(),
+		}).Warnf("no repository webhooks matching %s/webhook found for %s/%s", c.config.ServerWebhookAddress, org, name)
 		return nil
 	}