feat: Adding new manage job permission (#1552)

* feat: Adding new manage job permission

api/src/main/java/org/terrakube/api/plugin/state/RemoteTfeService.java

@@ -178,6 +178,21 @@ private boolean validateUserManageWorkspace(Organization organization, JwtAuthen
         return userWithManageWorkspace.get();
     }
 
+    private boolean validateUserManageJob(Organization organization, JwtAuthenticationToken currentUser) {
+        if (validateTerrakubeUser(currentUser))
+            return true;
+        List<String> userGroups = teamTokenService.getCurrentGroups(currentUser);
+        AtomicBoolean userWithManageWorkspace = new AtomicBoolean(false);
+        organization.getTeam().forEach(orgTeam -> {
+            userGroups.forEach(userTeam -> {
+                if (orgTeam.getName().equals(userTeam) && orgTeam.isManageJob()) {
+                    userWithManageWorkspace.set(true);
+                }
+            });
+        });
+        return userWithManageWorkspace.get();
+    }
+
     EntitlementData getOrgEntitlementSet(String organizationName, JwtAuthenticationToken currentUser) {
         Organization organization = organizationRepository.getOrganizationByName(organizationName);
 
@@ -304,6 +319,7 @@ WorkspaceData getWorkspace(String organizationName, String workspaceName, Map<St
             }
 
             boolean isManageWorkspace = validateUserManageWorkspace(workspace.get().getOrganization(), currentUser);
+            boolean isManageJob = validateUserManageJob(workspace.get().getOrganization(), currentUser);
 
             Map<String, Boolean> defaultAttributes = new HashMap<>();
             defaultAttributes.put("can-create-state-versions", isManageWorkspace);
@@ -312,9 +328,9 @@ WorkspaceData getWorkspace(String organizationName, String workspaceName, Map<St
             defaultAttributes.put("can-lock", isManageWorkspace);
             defaultAttributes.put("can-manage-run-tasks", isManageWorkspace);
             defaultAttributes.put("can-manage-tags", isManageWorkspace);
-            defaultAttributes.put("can-queue-apply", true);
+            defaultAttributes.put("can-queue-apply", isManageJob);
             defaultAttributes.put("can-queue-destroy", isManageWorkspace);
-            defaultAttributes.put("can-queue-run", true);
+            defaultAttributes.put("can-queue-run", isManageJob);
             defaultAttributes.put("can-read-settings", true);
             defaultAttributes.put("can-read-state-versions", isManageWorkspace);
             defaultAttributes.put("can-read-variable", true);

api/src/main/java/org/terrakube/api/plugin/token/team/TeamTokenController.java

@@ -70,6 +70,8 @@ public ResponseEntity<PermissionSet> getPermissions(Principal principal,
             permissions.setManageProvider(permissions.manageProvider || group.isManageProvider());
             permissions.setManageTemplate(permissions.manageTemplate || group.isManageTemplate());
             permissions.setManageVcs(permissions.manageVcs || group.isManageVcs());
+            permissions.setManageCollection(permissions.manageCollection || group.isManageCollection());
+            permissions.setManageJob(permissions.manageJob || group.isManageJob());
         });
         return new ResponseEntity<>(permissions, HttpStatus.ACCEPTED);
     }
@@ -120,5 +122,7 @@ private class PermissionSet {
         private boolean manageProvider;
         private boolean manageVcs;
         private boolean manageTemplate;
+        private boolean manageCollection;
+        private boolean manageJob;
     }
 }

api/src/main/java/org/terrakube/api/rs/checks/job/TeamManageJob.java

@@ -32,11 +32,11 @@ public boolean ok(Job job, RequestScope requestScope, Optional<ChangeSpec> optio
         boolean isServiceAccount = authenticatedUser.isServiceAccount(requestScope.getUser());
         for (Team team : teamList) {
             if (isServiceAccount){
-                if (groupService.isServiceMember(requestScope.getUser(), team.getName()) && team.isManageWorkspace()){
+                if (groupService.isServiceMember(requestScope.getUser(), team.getName()) && team.isManageJob()){
                     return true;
                 }
             } else {
-                if (groupService.isMember(requestScope.getUser(), team.getName()) && team.isManageWorkspace())
+                if (groupService.isMember(requestScope.getUser(), team.getName()) && team.isManageJob())
                     return true;
             }
         }

api/src/main/java/org/terrakube/api/rs/job/Job.java

@@ -30,7 +30,7 @@
 @LifeCycleHookBinding(operation = LifeCycleHookBinding.Operation.CREATE, phase = LifeCycleHookBinding.TransactionPhase.POSTCOMMIT, hook = JobManageHook.class)
 @LifeCycleHookBinding(operation = LifeCycleHookBinding.Operation.UPDATE, phase = LifeCycleHookBinding.TransactionPhase.POSTCOMMIT, hook = JobManageHook.class)
 @ReadPermission(expression = "team view job")
-@CreatePermission(expression = "team view job")
+@CreatePermission(expression = "team manage job")
 @UpdatePermission(expression = "team manage job OR user is a super service")
 @Include(rootLevel = false)
 @Getter

api/src/main/java/org/terrakube/api/rs/team/Team.java

@@ -46,6 +46,9 @@ public class Team {
     @Column(name = "manage_collection")
     private boolean manageCollection;
 
+    @Column(name = "manage_job")
+    private boolean manageJob;
+
     @Column(name = "manage_workspace")
     private boolean manageWorkspace;
 

api/src/main/resources/db/changelog/changelog.xml

@@ -68,4 +68,5 @@
     <include file="/db/changelog/local/changelog-2.24.0-lock-description.xml"/>
     <include file="/db/changelog/local/changelog-2.24.0-collection-data.xml"/>
     <include file="/db/changelog/local/changelog-2.24.0-collection-data-constraints.xml"/>
+    <include file="/db/changelog/local/changelog-2.24.0-manage-job.xml"/>
 </databaseChangeLog>

api/src/main/resources/db/changelog/local/changelog-2.24.0-manage-job.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.3.xsd">
+    <changeSet id="2-24-0-3" author="alfespa17@gmail.com">
+        <addColumn tableName="team">
+            <column name="manage_job" type="boolean" defaultValue="false"/>
+        </addColumn>
+        <update tableName="team">
+            <column name="manage_job" valueBoolean="false"/>
+        </update>
+    </changeSet>
+</databaseChangeLog>

api/src/test/java/org/terrakube/api/JobTests.java

@@ -2,10 +2,14 @@
 
 import org.hamcrest.core.IsEqual;
 import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.graphql.tester.AutoConfigureGraphQlTester;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.transaction.annotation.Transactional;
+import org.terrakube.api.repository.TeamRepository;
 import org.terrakube.api.rs.job.Job;
+import org.terrakube.api.rs.team.Team;
 import org.terrakube.api.rs.workspace.Workspace;
 
 import java.util.List;
@@ -17,6 +21,9 @@
 
 class JobTests extends ServerApplicationTests {
 
+    @Autowired
+    TeamRepository teamRepository;
+
     @Test
     void createJobAsOrgMember() {
         mockServer.reset();
@@ -28,6 +35,10 @@ void createJobAsOrgMember() {
                 response().withStatusCode(HttpStatus.ACCEPTED.value()).withBody("")
         );
 
+        Team team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(true);
+        teamRepository.save(team);
+
         given()
                 .headers("Authorization", "Bearer " + generatePAT("TERRAKUBE_DEVELOPERS"), "Content-Type", "application/vnd.api+json")
                 .body("{\n" +
@@ -54,6 +65,10 @@ void createJobAsOrgMember() {
                 .log()
                 .all()
                 .statusCode(HttpStatus.CREATED.value());
+
+        team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(false);
+        teamRepository.save(team);
     }
 
     @Test
@@ -67,6 +82,10 @@ void createJobLockedWorkspace() {
                 response().withStatusCode(HttpStatus.ACCEPTED.value()).withBody("")
         );
 
+        Team team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(true);
+        teamRepository.save(team);
+
         given()
                 .headers("Authorization", "Bearer " + generatePAT("TERRAKUBE_DEVELOPERS"), "Content-Type", "application/vnd.api+json")
                 .body("{\n" +
@@ -130,6 +149,10 @@ void createJobLockedWorkspace() {
                 .log()
                 .all()
                 .statusCode(HttpStatus.NO_CONTENT.value());
+
+        team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(false);
+        teamRepository.save(team);
     }
 
 }

api/src/test/java/org/terrakube/api/TfcApiTests.java

@@ -2,12 +2,21 @@
 
 import org.hamcrest.core.IsEqual;
 import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.graphql.tester.AutoConfigureGraphQlTester;
 import org.springframework.http.HttpStatus;
+import org.terrakube.api.repository.TeamRepository;
+import org.terrakube.api.rs.team.Team;
+
+import java.util.UUID;
 
 import static io.restassured.RestAssured.given;
 
 class TfcApiTests extends ServerApplicationTests {
 
+    @Autowired
+    TeamRepository teamRepository;
+
     @Test
     void ping() {
         given()
@@ -126,6 +135,10 @@ void getOrgInformationInvalidUser() {
 
     @Test
     void getWorkspace() {
+        Team team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(true);
+        teamRepository.save(team);
+
         given()
                 .headers("Authorization", "Bearer " + generatePAT("TERRAKUBE_DEVELOPERS"))
                 .when()
@@ -157,6 +170,10 @@ void getWorkspace() {
                 .log()
                 .all()
                 .statusCode(HttpStatus.OK.value());
+
+        team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(false);
+        teamRepository.save(team);
     }
 
     @Test
@@ -187,6 +204,10 @@ void getWorkspaceStateConsumers() {
 
     @Test
     void lockWorkspace() {
+        Team team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(true);
+        teamRepository.save(team);
+
         given()
                 .headers("Authorization", "Bearer " + generatePAT("TERRAKUBE_DEVELOPERS"))
                 .when()
@@ -228,10 +249,18 @@ void lockWorkspace() {
                 .log()
                 .all()
                 .statusCode(HttpStatus.CONFLICT.value());
+
+        team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(false);
+        teamRepository.save(team);
     }
 
     @Test
     void unlockWorkspace() {
+        Team team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(true);
+        teamRepository.save(team);
+
         given()
                 .headers("Authorization", "Bearer " + generatePAT("TERRAKUBE_DEVELOPERS"))
                 .when()
@@ -263,5 +292,9 @@ void unlockWorkspace() {
                 .log()
                 .all()
                 .statusCode(HttpStatus.OK.value());
+
+        team = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7")).get();
+        team.setManageJob(false);
+        teamRepository.save(team);
     }
 }