screwdriver-api 8.0.80 → 8.0.81

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "screwdriver-api",
-  "version": "8.0.80",
+  "version": "8.0.81",
   "description": "API server for the Screwdriver.cd service",
   "main": "index.js",
   "scripts": {

package/plugins/pipelines/batchUpdateAdmins.js

@@ -1,12 +1,11 @@
 'use strict';
 
-const boom = require('@hapi/boom');
 const schema = require('screwdriver-data-schema');
 const joi = require('joi');
 const idSchema = schema.models.pipeline.base.extract('id');
 const scmContextSchema = schema.models.pipeline.base.extract('scmContext');
 const usernameSchema = schema.models.user.base.extract('username');
-const { updatePipelineAdmins } = require('./helper/updateAdmins');
+const { batchUpdatePipelineAdmins } = require('./helper/updateAdmins');
 
 module.exports = () => ({
     method: 'PUT',
@@ -17,35 +16,16 @@ module.exports = () => ({
         tags: ['api', 'pipelines'],
         auth: {
             strategies: ['token'],
-            scope: ['user', '!guest']
+            scope: ['user', '!guest', 'admin']
         },
         handler: async (request, h) => {
-            const { scmContext, username, scmUserId } = request.auth.credentials;
+            const { scmContext, username, scope } = request.auth.credentials;
             const { payload } = request;
+            const { userFactory } = request.server.app;
+            const isSDAdmin = scope.includes('admin');
+            const user = await userFactory.get({ username, scmContext });
 
-            const { bannerFactory } = request.server.app;
-
-            // Check token permissions
-            // Only SD cluster admins can update the admins
-            const scmDisplayName = bannerFactory.scm.getDisplayName({ scmContext });
-
-            const adminDetails = request.server.plugins.banners.screwdriverAdminDetails(
-                username,
-                scmDisplayName,
-                scmUserId
-            );
-
-            if (!adminDetails.isAdmin) {
-                throw boom.forbidden(
-                    `User ${username} does not have Screwdriver administrative privileges to update the admins for pipelines`
-                );
-            }
-
-            await Promise.all(
-                payload.map(e => {
-                    return updatePipelineAdmins(e, request.server);
-                })
-            );
+            await batchUpdatePipelineAdmins(payload, user, isSDAdmin, request.server);
 
             return h.response().code(204);
         },

package/plugins/pipelines/helper/updateAdmins.js

@@ -5,62 +5,120 @@ const logger = require('screwdriver-logger');
 
 /**
  * @typedef {import('screwdriver-models/lib/pipeline')} Pipeline
+ * @typedef {import('screwdriver-models/lib/user')} User
  */
 
 /**
- * Adds the users as admins for the specified pipeline
+ * /**
+ *  * Adds users as admins for the specified pipelines.
  *
- * @method updateBuildAndTriggerDownstreamJobs
- * @param   {Object}    config
- * @param   {Number}    config.id Pipeline id
- * @param   {Array}     [config.usernames] List of usernames to be added as admins to the pipeline
- * @param   {String}    config.scmContext SCM Context the users are associated with
- * @param   {Object}    server
- * @returns {Promise<Pipeline>} Updated pipeline
+ * @method batchUpdatePipelineAdmins
+ * @param {Object[]}    pipelineConfigs - List of pipeline configurations
+ * @param {number}      pipelineConfigs[].id - Pipeline ID.
+ * @param {string[]}    [pipelineConfigs[].usernames] - Usernames to be added as admins for the pipeline.
+ * @param {string}      pipelineConfigs[].scmContext - SCM context associated with the users.
+ * @param {User}        user - User performing the update.
+ * @param {boolean}     isSDAdmin - Whether the user is a Screwdriver admin.
+ * @param {Object}      server - Hapi server instance.
+ * @returns {Promise<Pipeline[]>} Resolves with the updated pipelines.
  */
-async function updatePipelineAdmins(config, server) {
+async function batchUpdatePipelineAdmins(pipelineConfigs, user, isSDAdmin, server) {
     const { pipelineFactory, userFactory } = server.app;
-    const { id, scmContext, usernames } = config;
 
-    const pipeline = await pipelineFactory.get({ id });
-
-    // check if pipeline exists
-    if (!pipeline) {
-        throw boom.notFound(`Pipeline ${id} does not exist`);
-    }
-    if (pipeline.state === 'DELETING') {
-        throw boom.conflict('This pipeline is being deleted.');
-    }
-
-    const users = await userFactory.list({
+    const pipelines = await pipelineFactory.list({
         params: {
-            username: usernames,
-            scmContext
+            id: pipelineConfigs.map(pc => pc.id)
         }
     });
 
-    const adminUsernamesForUpdate = [];
-    const newAdmins = new Set(pipeline.adminUserIds);
+    const pipelineIdToPipelineMap = pipelines.reduce((map, obj) => {
+        map[obj.id] = obj;
 
-    users.forEach(user => {
-        newAdmins.add(user.id);
-        adminUsernamesForUpdate.push(user.username);
-    });
+        return map;
+    }, {});
+
+    return Promise.all(
+        pipelineConfigs.map(async pc => {
+            const { id, scmContext, usernames } = pc;
+            const pipeline = pipelineIdToPipelineMap[id];
+
+            // check if pipeline exists
+            if (!pipeline) {
+                throw boom.notFound(`Pipeline ${id} does not exist`);
+            }
+
+            if (!isSDAdmin) {
+                await user
+                    .getPermissions(pipeline.scmUri)
+                    // check if user has admin access
+                    .then(permissions => {
+                        if (!permissions.admin) {
+                            throw boom.forbidden(
+                                `User ${user.username} does not have admin permission for the pipeline (id=${pipeline.id}) repo and is not allowed to update admins`
+                            );
+                        }
+                    });
+            }
+
+            // check if pipeline is being deleted
+            if (pipeline.state === 'DELETING') {
+                throw boom.conflict(`Skipped updating admins for pipeline (id=${pipeline.id}) as it is being deleted.`);
+            }
+
+            const users = await userFactory.list({
+                params: {
+                    username: usernames,
+                    scmContext
+                }
+            });
 
-    pipeline.adminUserIds = Array.from(newAdmins);
+            const adminUsernamesForUpdate = [];
+            const newAdmins = new Set(pipeline.adminUserIds);
 
-    try {
-        const updatedPipeline = await pipeline.update();
+            users.forEach(u => {
+                newAdmins.add(u.id);
+                adminUsernamesForUpdate.push(u.username);
+            });
 
-        logger.info(`Updated admins ${adminUsernamesForUpdate} for pipeline(id=${id})`);
+            pipeline.adminUserIds = Array.from(newAdmins);
 
-        return updatedPipeline;
-    } catch (err) {
-        logger.error(`Failed to update admins ${adminUsernamesForUpdate} for pipeline(id=${id}): ${err.message}`);
-        throw boom.internal(`Failed to update admins for pipeline ${id}`);
-    }
+            try {
+                const updatedPipeline = await pipeline.update();
+
+                logger.info(`Updated admins ${adminUsernamesForUpdate} for pipeline(id=${id})`);
+
+                return updatedPipeline;
+            } catch (err) {
+                logger.error(
+                    `Failed to update admins ${adminUsernamesForUpdate} for pipeline(id=${id}): ${err.message}`
+                );
+                throw boom.internal(`Failed to update admins for pipeline ${id}`);
+            }
+        })
+    );
+}
+
+/**
+ * /**
+ *  * Adds users as admins for the specified pipelines.
+ *
+ * @method updatePipelineAdmins
+ * @param {Object}      config - Pipeline configuration
+ * @param {number}      config.id - Pipeline ID.
+ * @param {string[]}    [config.usernames] - Usernames to be added as admins for the pipeline.
+ * @param {string}      config.scmContext - SCM context associated with the users.
+ * @param {User}        user - User performing the update.
+ * @param {boolean}     isSDAdmin - Whether the user is a Screwdriver admin.
+ * @param {Object}      server - Hapi server instance.
+ * @returns {Promise<Pipeline>} Resolves with the updated pipeline.
+ */
+async function updatePipelineAdmins(config, user, isSDAdmin, server) {
+    return batchUpdatePipelineAdmins([config], user, isSDAdmin, server).then(updatePipelines => {
+        return updatePipelines[0];
+    });
 }
 
 module.exports = {
+    batchUpdatePipelineAdmins,
     updatePipelineAdmins
 };

package/plugins/pipelines/updateAdmins.js

@@ -15,12 +15,11 @@ module.exports = () => ({
         tags: ['api', 'pipelines'],
         auth: {
             strategies: ['token'],
-            scope: ['user', '!guest', 'pipeline']
+            scope: ['user', '!guest', 'admin']
         },
         handler: async (request, h) => {
             const { id } = request.params;
-            const { scmContext, username, scmUserId, scope } = request.auth.credentials;
-            const isPipeline = scope.includes('pipeline');
+            const { scmContext, username, scope } = request.auth.credentials;
 
             const { usernames } = request.payload;
             const payloadScmContext = request.payload.scmContext;
@@ -31,31 +30,11 @@ module.exports = () => ({
                 throw boom.badRequest(`Payload must contain scmContext`);
             }
 
-            const { bannerFactory } = request.server.app;
+            const { userFactory } = request.server.app;
 
-            // Check token permissions
-            if (isPipeline) {
-                if (username !== id) {
-                    throw boom.forbidden(
-                        `User ${username} is not authorized to update admins for the pipeline (id=${id})`
-                    );
-                }
-            } else {
-                // Only SD cluster admins can update the admins
-                const scmDisplayName = bannerFactory.scm.getDisplayName({ scmContext });
+            const isSDAdmin = scope.includes('admin');
 
-                const adminDetails = request.server.plugins.banners.screwdriverAdminDetails(
-                    username,
-                    scmDisplayName,
-                    scmUserId
-                );
-
-                if (!adminDetails.isAdmin) {
-                    throw boom.forbidden(
-                        `User ${username} does not have Screwdriver administrative privileges to update the admins for the pipeline (id=${id})`
-                    );
-                }
-            }
+            const user = await userFactory.get({ username, scmContext });
 
             const updatedPipeline = await updatePipelineAdmins(
                 {
@@ -63,6 +42,8 @@ module.exports = () => ({
                     scmContext: payloadScmContext,
                     usernames
                 },
+                user,
+                isSDAdmin,
                 request.server
             );