Send an api request to confirm if user is admin

screwdriver-cd · Nov 16, 2018 · 87e7e5c · 87e7e5c
1 parent 826ff30
commit 87e7e5c
Show file tree

Hide file tree

Showing 5 changed files with 111 additions and 8 deletions.
diff --git a/config/custom-environment-variables.yaml b/config/custom-environment-variables.yaml
@@ -65,3 +65,4 @@ strategy:
 
 ecosystem:
     ui: ECOSYSTEM_UI
+    api: ECOSYSTEM_API
diff --git a/config/default.yaml b/config/default.yaml
@@ -73,3 +73,4 @@ strategy:
 
 ecosystem:
     ui: https://cd.screwdriver.cd
+    api: https://api.screwdriver.cd
diff --git a/package.json b/package.json
@@ -72,6 +72,7 @@
     "hoek": "^5.0.3",
     "inert": "^5.1.0",
     "joi": "13.1.2",
+    "request": "^2.88.0",
     "screwdriver-data-schema": "^18.11.5",
     "vision": "^5.3.0",
     "winston": "^2.2.0"

diff --git a/plugins/caches.js b/plugins/caches.js
@@ -4,6 +4,7 @@ const joi = require('joi');
 const boom = require('boom');
 const config = require('config');
 const AwsClient = require('../helpers/aws');
+const req = require('request');
 
 const SCHEMA_SCOPE_NAME = joi.string().valid(['events', 'jobs', 'pipelines']).label('Scope Name');
 const SCHEMA_SCOPE_ID = joi.number().integer().positive().label('Event/Job/Pipeline ID');
@@ -336,21 +337,43 @@ exports.plugin = {
             method: 'DELETE',
             path: '/caches/{scope}/{id}',
             handler: async (request, h) => {
+                if (strategyConfig.plugin !== 's3') {
+                    return h.response();
+                }
+
                 let cachePath;
+                const apiUrl = config.get('ecosystem.api');
+                const payload = {
+                    url: `${apiUrl}/v4/isAdmin`,
+                    method: 'GET',
+                    headers: {
+                        Authorization: `Bearer ${request.auth.token}`,
+                        'Content-Type': 'application/json'
+                    },
+                    json: true
+                };
 
                 switch (request.params.scope) {
                 case 'events': {
-                    break;
+                    return h.response();
                 }
                 case 'jobs': {
                     const jobIdParam = request.params.id;
 
+                    payload.qs = {
+                        jobId: jobIdParam
+                    };
+
                     cachePath = `jobs/${jobIdParam}/`;
                     break;
                 }
                 case 'pipelines': {
                     const pipelineIdParam = request.params.id;
 
+                    payload.qs = {
+                        pipelineId: pipelineIdParam
+                    };
+
                     cachePath = `pipelines/${pipelineIdParam}`;
                     break;
                 }
@@ -359,16 +382,26 @@ exports.plugin = {
                 }
 
                 try {
-                    await awsClient.invalidateCache(cachePath, (e) => {
-                        if (e) {
-                            console.log('Failed to invalidate cache: ', e);
+                    await req(payload, (err, response) => {
+                        if (!err && response.statusCode === 200) {
+                            return awsClient.invalidateCache(cachePath, (e) => {
+                                if (e) {
+                                    console.log('Failed to invalidate cache: ', e);
+                                }
+
+                                return Promise.resolve();
+                            });
+                        } else if (!err) {
+                            return Promise.reject(new Error('User cannot invalidate cache.'));
                         }
-                    });
 
-                    return h.response();
+                        return Promise.reject(err);
+                    });
                 } catch (err) {
-                    throw err;
+                    return boom.forbidden(err);
                 }
+
+                return h.response();
             },
             options: {
                 description: 'Invalidate cache folder',

diff --git a/test/plugins/caches.test.js b/test/plugins/caches.test.js
@@ -14,6 +14,7 @@ describe('events plugin test', () => {
     let plugin;
     let server;
     let awsClientMock;
+    let reqMock;
     let configMock;
 
     before(() => {
@@ -31,11 +32,17 @@ describe('events plugin test', () => {
         };
 
         awsClientMock = sinon.stub().returns({
-            updateLastModified: sinon.stub().yields(null)
+            updateLastModified: sinon.stub().yields(null),
+            invalidateCache: sinon.stub().yields(null)
+        });
+
+        reqMock = sinon.stub().yields(null, {
+            statusCode: 403
         });
 
         mockery.registerMock('../helpers/aws', awsClientMock);
         mockery.registerMock('config', configMock);
+        mockery.registerMock('request', reqMock);
 
         // eslint-disable-next-line global-require
         plugin = require('../../plugins/caches');
@@ -629,4 +636,64 @@ describe('events plugin test', () => {
             });
         }));
     });
+
+    describe('DELETE /caches/:scope/:id', () => {
+        let getOptions;
+        let putOptions;
+        let deleteOptions;
+
+        beforeEach(() => {
+            getOptions = {
+                headers: {
+                    'x-foo': 'bar'
+                },
+                credentials: {
+                    jobId: mockJobID,
+                    scope: ['build']
+                },
+                url: `/caches/jobs/${mockJobID}/foo`
+            };
+            putOptions = {
+                method: 'PUT',
+                payload: 'THIS IS A TEST',
+                headers: {
+                    'x-foo': 'bar',
+                    'content-type': 'text/plain',
+                    ignore: 'true'
+                },
+                credentials: {
+                    jobId: mockJobID,
+                    scope: ['build']
+                },
+                url: `/caches/jobs/${mockJobID}/foo`
+            };
+            deleteOptions = {
+                method: 'DELETE',
+                headers: {
+                    'x-foo': 'bar',
+                    'content-type': 'text/plain',
+                    ignore: 'true'
+                },
+                credentials: {
+                    username: 'testuser',
+                    scope: ['user']
+                },
+                url: `/caches/jobs/${mockJobID}`
+            };
+        });
+
+        it('Throws error if user cannot invalidate cache', () =>
+            server.inject(putOptions).then((postResponse) => {
+                assert.equal(postResponse.statusCode, 202);
+
+                return server.inject(getOptions).then((getResponse) => {
+                    assert.equal(getResponse.statusCode, 200);
+
+                    return server.inject(deleteOptions).then((deleteResponse) => {
+                        assert.equal(deleteResponse.statusCode, 403);
+                    });
+                });
+            })
+        );
+    });
 });