From 3738684209f6e88321d72c273faadef994c43802 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Thu, 27 Jun 2024 16:50:36 +1000 Subject: [PATCH] chore: remove all dangerous deleteAll and removeAll mutations --- Makefile | 5 - docs/interacting/rbac.md | 11 -- docs/ja/interacting/rbac.md | 11 -- .../api-data/00-clear-api-data.gql | 18 --- .../api-data-watcher-pusher/data-init-push.sh | 7 - services/api/src/mocks.js | 13 -- services/api/src/models/group.ts | 2 +- services/api/src/resolvers.js | 29 ----- .../api/src/resources/backup/resolvers.ts | 15 --- .../src/resources/environment/resolvers.ts | 21 --- services/api/src/resources/group/resolvers.ts | 24 ---- .../src/resources/notification/resolvers.ts | 78 ------------ .../api/src/resources/openshift/resolvers.ts | 19 --- .../api/src/resources/project/resolvers.ts | 27 ---- .../api/src/resources/sshKey/resolvers.ts | 27 +--- services/api/src/resources/user/resolvers.ts | 28 ---- services/api/src/typeDefs.js | 16 --- .../keycloak/lagoon-realm-base-import.json | 120 +----------------- .../startup-scripts/00-configure-lagoon.sh | 68 +++++++++- .../internal/lagoonclient/schema.graphql | 23 ---- 20 files changed, 71 insertions(+), 491 deletions(-) delete mode 100644 local-dev/api-data-watcher-pusher/api-data/00-clear-api-data.gql diff --git a/Makefile b/Makefile index 2535de9a46..08633ed4b8 100644 --- a/Makefile +++ b/Makefile @@ -76,9 +76,6 @@ PUBLISH_PLATFORM_ARCH := linux/amd64,linux/arm64 # Skip image scanning by default to make building images substantially faster SCAN_IMAGES := false -# Clear all data from the API on a retest run, usually to clear up after a failure. Set false to preserve -CLEAR_API_DATA ?= true - # Init the file that is used to hold the image tag cross-reference table $(shell >build.txt) $(shell >scan.txt) 
@@ -526,7 +523,6 @@ k3d/test: k3d/setup USE_CALICO_CNI=false \ LAGOON_SSH_PORTAL_LOADBALANCER=$(LAGOON_SSH_PORTAL_LOADBALANCER) \ LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD=enabled \ - CLEAR_API_DATA=$(CLEAR_API_DATA) \ && docker run --rm --network host --name ct-$(CI_BUILD_TAG) \ --volume "$$(pwd)/test-suite-run.ct.yaml:/etc/ct/ct.yaml" \ --volume "$$(pwd):/workdir" \ @@ -729,7 +725,6 @@ k3d/retest: USE_CALICO_CNI=false \ LAGOON_SSH_PORTAL_LOADBALANCER=$(LAGOON_SSH_PORTAL_LOADBALANCER) \ LAGOON_FEATURE_FLAG_DEFAULT_ROOTLESS_WORKLOAD=enabled \ - CLEAR_API_DATA=$(CLEAR_API_DATA) \ && docker run --rm --network host --name ct-$(CI_BUILD_TAG) \ --volume "$$(pwd)/test-suite-run.ct.yaml:/etc/ct/ct.yaml" \ --volume "$$(pwd):/workdir" \ diff --git a/docs/interacting/rbac.md b/docs/interacting/rbac.md index 31e77418fc..dd6ecf5f10 100644 --- a/docs/interacting/rbac.md +++ b/docs/interacting/rbac.md @@ -392,7 +392,6 @@ Here is a table that lists the roles and the access they have: | addKubernetes | kubernetes | add | | | updateKubernetes | kubernetes | update | | | deleteKubernetes | kubernetes | delete | | - | deleteAllKubernetes| kubernetes | deleteAll | | | getAllOpenshifts | openshift | viewAll | | | getAllProjects | project | viewAll | | | addSshKey | ssh\_key | add | userID | @@ -522,19 +521,10 @@ Here is a table that lists the roles and the access they have: | **Name** | **Resource** | **Scope** | **Attributes** | | :--- | :--- | :--- | :--- | - | deleteAllBackups | backup | deleteAll | | - | deleteAllEnvironments | environment | deleteAll | | | getEnvironmentStorageMonthBy
EnvironmentId | environment | storage | | | getEnvironmentHoursMonthBy
EnvironmentId | environment | storage | | | getEnvironmentHitsMonthBy
EnvironmentId | environment | storage | | - | deleteAllGroups | group | deleteAll | | - | deleteAllNotificationSlacks | notification | deleteAll | | - | removeAllNotificationsFrom
AllProjects | notification | removeAll | | | getAllOpenshifts | openshift | viewAll | | - | deleteAllProjects | project | deleteAll | | - | deleteAllSshKeys | ssh\_key | deleteAll | | - | removeAllSshKeysFromAllUsers | ssh\_key | removeAll | | - | deleteAllUsers | user | deleteAll | | | addOrUpdateEnvironment
Storage | environment | storage | | | addNotificationSlack | notification | add | | | updateNotificationSlack | notification | update | | @@ -542,7 +532,6 @@ Here is a table that lists the roles and the access they have: | addKubernetes | kubernetes | add | | | updateKubernetes | kubernetes | update | | | deleteKubernetes | kubernetes | delete | | - | deleteAllKubernetes| kubernetes | deleteAll | | | getAllProjects | project | viewAll | | | addSshKey | ssh\_key | add | userID | | updateSshKey | ssh\_key | update | userID | diff --git a/docs/ja/interacting/rbac.md b/docs/ja/interacting/rbac.md index adb472b7b8..ddf6448220 100644 --- a/docs/ja/interacting/rbac.md +++ b/docs/ja/interacting/rbac.md @@ -389,7 +389,6 @@ Lagoon バージョン 1.0 では、プロジェクトへのアクセス方法 | addKubernetes | kubernetes | add | | | updateKubernetes | kubernetes | update | | | deleteKubernetes | kubernetes | delete | | - | deleteAllKubernetes| kubernetes | deleteAll | | | getAllOpenshifts | openshift | viewAll | | | getAllProjects | project | viewAll | | | addSshKey | ssh\_key | add | userID | @@ -519,19 +518,10 @@ Lagoon バージョン 1.0 では、プロジェクトへのアクセス方法 | **名前** | **リソース** | **スコープ** | **属性** | | :--- | :--- | :--- | :--- | - | deleteAllBackups | backup | deleteAll | | - | deleteAllEnvironments | environment | deleteAll | | | getEnvironmentStorageMonthBy
EnvironmentId | environment | storage | | | getEnvironmentHoursMonthBy
EnvironmentId | environment | storage | | | getEnvironmentHitsMonthBy
EnvironmentId | environment | storage | | - | deleteAllGroups | group | deleteAll | | - | deleteAllNotificationSlacks | notification | deleteAll | | - | removeAllNotificationsFrom
AllProjects | notification | removeAll | | | getAllOpenshifts | openshift | viewAll | | - | deleteAllProjects | project | deleteAll | | - | deleteAllSshKeys | ssh\_key | deleteAll | | - | removeAllSshKeysFromAllUsers | ssh\_key | removeAll | | - | deleteAllUsers | user | deleteAll | | | addOrUpdateEnvironment
Storage | environment | storage | | | addNotificationSlack | notification | add | | | updateNotificationSlack | notification | update | | @@ -539,7 +529,6 @@ Lagoon バージョン 1.0 では、プロジェクトへのアクセス方法 | addKubernetes | kubernetes | add | | | updateKubernetes | kubernetes | update | | | deleteKubernetes | kubernetes | delete | | - | deleteAllKubernetes| kubernetes | deleteAll | | | getAllProjects | project | viewAll | | | addSshKey | ssh\_key | add | userID | | updateSshKey | ssh\_key | update | userID | diff --git a/local-dev/api-data-watcher-pusher/api-data/00-clear-api-data.gql b/local-dev/api-data-watcher-pusher/api-data/00-clear-api-data.gql deleted file mode 100644 index 551d34731f..0000000000 --- a/local-dev/api-data-watcher-pusher/api-data/00-clear-api-data.gql +++ /dev/null @@ -1,18 +0,0 @@ -mutation ClearApiData { - # Remove everything from API - - # First, remove all relations between entities... - RemoveAllNotificationsFromAllProjects: removeAllNotificationsFromAllProjects - RemoveAllSshKeysFromAllUsers: removeAllSshKeysFromAllUsers - - # ...then delete the entities themselves - DeleteAllEnvironments: deleteAllEnvironments - DeleteAllNotificationSlacks: deleteAllNotificationSlacks - DeleteAllNotificationRocketChats: deleteAllNotificationRocketChats - DeleteAllOpenshifts: deleteAllOpenshifts - DeleteAllProjects: deleteAllProjects - DeleteAllSshKeys: deleteAllSshKeys - DeleteAllUsers: deleteAllUsers - DeleteAllBackups: deleteAllBackups - DeleteAllGroups: deleteAllGroups -} diff --git a/local-dev/api-data-watcher-pusher/data-init-push.sh b/local-dev/api-data-watcher-pusher/data-init-push.sh index db6d03e85d..8c1cd0d154 100755 --- a/local-dev/api-data-watcher-pusher/data-init-push.sh +++ b/local-dev/api-data-watcher-pusher/data-init-push.sh 
@@ -3,7 +3,6 @@ # inject variables from environment into the GQL template envsubst '$GIT_HOST $GIT_PORT $INGRESS_IP $CONSOLE_URL $TOKEN' < /home/api-data/03-populate-api-data-ci-local-control-k8s.gql | sponge /home/api-data/03-populate-api-data-ci-local-control-k8s.gql -clear_gql_file_path="/home/api-data/00-clear-api-data.gql" populate_demo_lagoon_gql_file_path="/home/api-data/01-populate-api-data-lagoon-demo.gql" populate_demo_lagoon_org_gql_file_path="/home/api-data/02-populate-api-data-lagoon-demo-org.gql" populate_ci_local_control_k8s_gql_file_path="/home/api-data/03-populate-api-data-ci-local-control-k8s.gql" @@ -55,12 +54,6 @@ send_task_data() { # Waiting for the API to be ready wait_for_services -# Optionally clear *some* API data prior to reloading - not really necessary any more -if expr "$CLEAR_API_DATA" : '[Tt][Rr][Uu][Ee]' > /dev/null; then - echo "Clearing Lagoon data first" - send_graphql_query $clear_gql_file_path -fi - # Create the lagoon-demo project and associated users, groups, deployments, tasks etc send_graphql_query $populate_demo_lagoon_gql_file_path diff --git a/services/api/src/mocks.js b/services/api/src/mocks.js index 9112901fe0..f96f9b4d8a 100644 --- a/services/api/src/mocks.js +++ b/services/api/src/mocks.js 
@@ -643,52 +643,40 @@ mocks.Mutation = () => ({ addOrUpdateEnvironment: () => mocks.Environment(), updateEnvironment: () => mocks.Environment(), deleteEnvironment: () => faker.random.arrayElement(['success', `Error: unknown deploy type ${mocks.DeployType()}`]), - deleteAllEnvironments: () => 'success', addOrUpdateEnvironmentStorage: () => mocks.EnvironmentStorage(), addNotificationSlack: () => mocks.NotificationSlack(), updateNotificationSlack: () => mocks.NotificationSlack(), deleteNotificationSlack: () => faker.random.arrayElement(['success', "Can't delete notification linked to projects"]), - deleteAllNotificationSlacks: () => 'success', addNotificationRocketChat: () => mocks.NotificationRocketChat(), updateNotificationRocketChat: () => mocks.NotificationRocketChat(), deleteNotificationRocketChat: () => faker.random.arrayElement(['success', "Can't delete notification linked to projects"]), - deleteAllNotificationRocketChats: () => 'success', addNotificationMicrosoftTeams: () => mocks.NotificationMicrosoftTeams(), updateNotificationMicrosoftTeams: () => mocks.NotificationMicrosoftTeams(), deleteNotificationMicrosoftTeams: () => faker.random.arrayElement(['success', "Can't delete notification linked to projects"]), - deleteAllNotificationMicrosoftTeams: () => 'success', addNotificationEmail: () => mocks.NotificationEmail(), updateNotificationEmail: () => mocks.NotificationEmail(), deleteNotificationEmail: () => faker.random.arrayElement(['success', "Can't delete notification linked to projects"]), - deleteAllNotificationEmails: () => 'success', addNotificationToProject: () => mocks.Project(), removeNotificationFromProject: () => mocks.Project(), - removeAllNotificationsFromAllProjects: () => 'success', addOpenshift: () => mocks.Openshift(), updateOpenshift: () => mocks.Openshift(), deleteOpenshift: () => 'success', - deleteAllOpenshifts: () => 'success', addProject: () => mocks.Project(), updateProject: () => mocks.Project(), deleteProject: () => 'success', - 
deleteAllProjects: () => 'success', addSshKey: () => mocks.SshKey(), updateSshKey: () => mocks.SshKey(), deleteSshKey: () => 'success', deleteSshKeyById: () => 'success', - deleteAllSshKeys: () => 'success', - removeAllSshKeysFromAllUsers: () => 'success', addUser: () => mocks.User(), updateUser: () => mocks.User(), deleteUser: () => 'success', - deleteAllUsers: () => 'success', addDeployment: () => mocks.Deployment(), deleteDeployment: () => 'success', updateDeployment: () => mocks.Deployment(), cancelDeployment: () => faker.random.arrayElement(['success', 'Deployment not cancelled, reason: Too slow.']), addBackup: () => mocks.Backup(), deleteBackup: () => 'success', - deleteAllBackups: () => 'success', addRestore: () => mocks.Restore(), updateRestore: () => mocks.Restore(), addEnvVariable: () => mocks.EnvKeyValue(), @@ -714,7 +702,6 @@ mocks.Mutation = () => ({ addGroup: () => mocks.Group(), updateGroup: () => mocks.Group(), deleteGroup: () => 'success', - deleteAllGroups: () => 'success', addUserToGroup: () => mocks.Group(), removeUserFromGroup: () => mocks.Group(), addGroupsToProject: () => mocks.Project(), diff --git a/services/api/src/models/group.ts b/services/api/src/models/group.ts index 9c7f0117c0..bbbed3bcd1 100644 --- a/services/api/src/models/group.ts +++ b/services/api/src/models/group.ts 
@@ -258,7 +258,7 @@ export const Group = (clients: { // briefRepresentation pulls all the group information from keycloak including the attributes // this means we don't need to iterate over all the groups one by one anymore to get the full group information const fullGroups = await keycloakAdminClient.groups.find({briefRepresentation: false}); - // no need to transform, just return the full response, only the `allGroups` and `deleteAllGroups` resolvers use this + // no need to transform, just return the full response, only the `allGroups` resolvers use this // and the `sync-groups-opendistro-security` consumption of this helper sync script is going to // go away in the future when we move to the `lagoon-opensearch-sync` supporting service return fullGroups; diff --git a/services/api/src/resolvers.js b/services/api/src/resolvers.js index 333bffe2fc..b687bca5d7 100644 --- a/services/api/src/resolvers.js +++ b/services/api/src/resolvers.js @@ -117,7 +117,6 @@ const { getEnvironmentsByProjectId, updateEnvironment, getAllEnvironments, - deleteAllEnvironments, userCanSshToEnvironment, getEnvironmentUrl, getEnvironmentsByKubernetes, @@ -158,12 +157,6 @@ const { addNotificationEmail, updateNotificationEmail, deleteNotificationEmail, - deleteAllNotificationEmails, - deleteAllNotificationSlacks, - deleteAllNotificationMicrosoftTeams, - deleteAllNotificationRocketChats, - deleteAllNotificationWebhook, - removeAllNotificationsFromAllProjects, } = require('./resources/notification/resolvers'); const { @@ -175,7 +168,6 @@ const { getOpenshiftByEnvironmentId, getProjectUser, updateOpenshift, - deleteAllOpenshifts, getToken, getConsoleUrl, getMonitoringConfig, @@ -191,7 +183,6 @@ const { getProjectsByMetadata, getAllProjects, updateProject, - deleteAllProjects, getProjectUrl, updateProjectMetadata, removeProjectMetadataByKey, 
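Review bot: The reworded comment in this hunk has a number agreement slip now that only one resolver is named: "only the `allGroups` resolvers use this" should read `// no need to transform, just return the full response, only the `allGroups` resolver uses this`. The enclosing `loadAllGroups` helper of the `Group` model starts and ends outside the hunk.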
@@ -205,8 +196,6 @@ const { updateSshKey, deleteSshKey, deleteSshKeyById, - deleteAllSshKeys, - removeAllSshKeysFromAllUsers } = require('./resources/sshKey/resolvers'); const { @@ -219,7 +208,6 @@ const { removeUserFromOrganization, resetUserPassword, deleteUser, - deleteAllUsers, getAllUsers, getUserByEmail, } = require('./resources/user/resolvers'); @@ -234,7 +222,6 @@ const { getAllProjectsByGroupId, updateGroup, deleteGroup, - deleteAllGroups, addUserToGroup, removeUserFromGroup, addGroupsToProject, @@ -279,7 +266,6 @@ const { addBackup, getBackupsByEnvironmentId, deleteBackup, - deleteAllBackups, addRestore, getRestoreByBackupId, updateRestore, @@ -610,7 +596,6 @@ const resolvers = { addOrUpdateEnvironment, updateEnvironment, deleteEnvironment, - deleteAllEnvironments, addOrUpdateEnvironmentStorage, addOrUpdateStorageOnEnvironment: addOrUpdateEnvironmentStorage, addNotificationSlack, 
@@ -619,50 +604,38 @@ const resolvers = { addNotificationWebhook, updateNotificationWebhook, deleteNotificationWebhook, - deleteAllNotificationSlacks, - deleteAllNotificationWebhook, addNotificationRocketChat, updateNotificationRocketChat, deleteNotificationRocketChat, - deleteAllNotificationRocketChats, addNotificationMicrosoftTeams, updateNotificationMicrosoftTeams, deleteNotificationMicrosoftTeams, - deleteAllNotificationMicrosoftTeams, addNotificationEmail, updateNotificationEmail, deleteNotificationEmail, - deleteAllNotificationEmails, addNotificationToProject, removeNotificationFromProject, - removeAllNotificationsFromAllProjects, addOpenshift, updateOpenshift, deleteOpenshift, - deleteAllOpenshifts, addKubernetes: addOpenshift, updateKubernetes: updateOpenshift, deleteKubernetes: deleteOpenshift, - deleteAllKubernetes: deleteAllOpenshifts, addProject, updateProject, deleteProject, - deleteAllProjects, updateProjectMetadata, removeProjectMetadataByKey, addSshKey, updateSshKey, deleteSshKey, deleteSshKeyById, - deleteAllSshKeys, - removeAllSshKeysFromAllUsers, addUser, updateUser, addUserToOrganization, removeUserFromOrganization, resetUserPassword, deleteUser, - deleteAllUsers, addDeployment, deleteDeployment, updateDeployment, @@ -670,7 +643,6 @@ const resolvers = { bulkDeployEnvironmentLatest, addBackup, deleteBackup, - deleteAllBackups, addRestore, updateRestore, addEnvVariable, @@ -703,7 +675,6 @@ const resolvers = { addGroup, updateGroup, deleteGroup, - deleteAllGroups, addUserToGroup, removeUserFromGroup, addGroupsToProject, diff --git a/services/api/src/resources/backup/resolvers.ts b/services/api/src/resources/backup/resolvers.ts index a4924d1227..5d14712096 100644 --- a/services/api/src/resources/backup/resolvers.ts +++ b/services/api/src/resources/backup/resolvers.ts 
@@ -228,21 +228,6 @@ export const deleteBackup: ResolverFn = async (
 return 'success';
 };
-export const deleteAllBackups: ResolverFn = async (
- root,
- args,
- { sqlClientPool, hasPermission, userActivityLogger }
-) => {
- await hasPermission('backup', 'deleteAll');
-
- await query(sqlClientPool, Sql.truncateBackup());
-
- userActivityLogger(`User deleted all backups`);
-
- // TODO: Check rows for success
- return 'success';
-};
-
 export const addRestore: ResolverFn = async (
 root,
 { input: { id, backupId, status, restoreLocation, created, execute } },
diff --git a/services/api/src/resources/environment/resolvers.ts b/services/api/src/resources/environment/resolvers.ts
index 7878a39d25..b8d923c34e 100644
--- a/services/api/src/resources/environment/resolvers.ts
+++ b/services/api/src/resources/environment/resolvers.ts
@@ -720,27 +720,6 @@ export const getAllEnvironments: ResolverFn = async (
 return withK8s;
 };
-export const deleteAllEnvironments: ResolverFn = async (
- root,
- args,
- { sqlClientPool, hasPermission, userActivityLogger }
-) => {
- await hasPermission('environment', 'deleteAll');
-
- await query(sqlClientPool, Sql.truncateEnvironment());
-
- userActivityLogger(`User deleted all environments'`, {
- project: '',
- event: 'api:deleteAllEnvironments',
- payload: {
- args
- }
- });
-
- // TODO: Check rows for success
- return 'success';
-};
-
 // @deprecated in favor of addOrUpdateEnvironmentService and deleteEnvironmentService, will eventually be removed
 export const setEnvironmentServices: ResolverFn = async (
 root,
diff --git a/services/api/src/resources/group/resolvers.ts b/services/api/src/resources/group/resolvers.ts
index d0526ccfc8..f91d138b54 100644
--- a/services/api/src/resources/group/resolvers.ts
+++ b/services/api/src/resources/group/resolvers.ts
@@ -510,30 +510,6 @@ export const deleteGroup: ResolverFn = async (
 return 'success';
 };
-export const deleteAllGroups: ResolverFn = async (
- _root,
- _args,
- { models, hasPermission }
-) => {
- await hasPermission('group', 'deleteAll');
-
- const allGroups = await models.GroupModel.loadAllGroups();
- const groups = await models.GroupModel.transformKeycloakGroups(allGroups);
-
- let deleteErrors: String[] = [];
- for (const group of groups) {
- try {
- await models.GroupModel.deleteGroup(group.id);
- } catch (err) {
- deleteErrors = [...deleteErrors, `${group.name} (${group.id})`];
- }
- }
-
- return R.ifElse(R.isEmpty, R.always('success'), deleteErrors => {
- throw new Error(`Could not delete groups: ${deleteErrors.join(', ')}`);
- })(deleteErrors);
-};
-
 export const addUserToGroup: ResolverFn = async (
 _root,
 { input: { user: userInput, group: groupInput, role } },
diff --git a/services/api/src/resources/notification/resolvers.ts b/services/api/src/resources/notification/resolvers.ts
index faa5980b79..e2c5a09427 100644
--- a/services/api/src/resources/notification/resolvers.ts
+++ b/services/api/src/resources/notification/resolvers.ts
@@ -696,84 +696,6 @@ export const updateNotificationSlack: ResolverFn = async ( return R.prop(0, rows); }; -export const deleteAllNotificationSlacks: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - await hasPermission('notification', 'deleteAll'); - - await query(sqlClientPool, Sql.truncateNotificationSlack()); - - // TODO: Check rows for success - return 'success'; -}; - -export const deleteAllNotificationEmails: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - await hasPermission('notification', 'deleteAll'); - - await query(sqlClientPool, Sql.truncateNotificationEmail()); - - // TODO: Check rows for success - return 'success'; -}; - -export const deleteAllNotificationRocketChats: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - await hasPermission('notification', 'deleteAll'); - - await query(sqlClientPool, Sql.truncateNotificationRocketchat()); - - // TODO: Check rows for success - return 'success'; -}; - -export const deleteAllNotificationMicrosoftTeams: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - await hasPermission('notification', 'deleteAll'); - - await query(sqlClientPool, Sql.truncateNotificationMicrosoftTeams()); - - // TODO: Check rows for success - return 'success'; -}; - -export const deleteAllNotificationWebhook: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission }, -) => { - await hasPermission('notification', 'deleteAll'); - - await query(sqlClientPool, Sql.truncateNotificationWebhook()); - - // TODO: Check rows for success - return 'success'; -}; - -export const removeAllNotificationsFromAllProjects: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - await hasPermission('notification', 'removeAll'); - - await query(sqlClientPool, Sql.truncateProjectNotification()); - - // TODO: Check rows for success - return 'success'; -}; - export const getAllNotifications: 
ResolverFn = async ( root, args, diff --git a/services/api/src/resources/openshift/resolvers.ts b/services/api/src/resources/openshift/resolvers.ts index 6e9aafc8c5..c3734dd34d 100644 --- a/services/api/src/resources/openshift/resolvers.ts +++ b/services/api/src/resources/openshift/resolvers.ts @@ -213,22 +213,3 @@ export const updateOpenshift: ResolverFn = async ( return R.prop(0, rows); }; - -export const deleteAllOpenshifts: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission, userActivityLogger } -) => { - await hasPermission('openshift', 'deleteAll'); - - await query(sqlClientPool, Sql.truncateOpenshift()); - - userActivityLogger(`User deleted all openshifts`, { - project: '', - event: 'api:updateOpenshift', - payload: { } - }); - - // TODO: Check rows for success - return 'success'; -}; diff --git a/services/api/src/resources/project/resolvers.ts b/services/api/src/resources/project/resolvers.ts index 0735422ffd..c72c37f18c 100644 --- a/services/api/src/resources/project/resolvers.ts +++ b/services/api/src/resources/project/resolvers.ts @@ -920,33 +920,6 @@ export const updateProject: ResolverFn = async ( return Helpers(sqlClientPool).getProjectById(id); }; -export const deleteAllProjects: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission, userActivityLogger } -) => { - await hasPermission('project', 'deleteAll'); - - const projectNames = await Helpers(sqlClientPool).getAllProjectNames(); - - await query(sqlClientPool, Sql.truncateProject()); - - for (const name of projectNames) { - await KeycloakOperations.deleteGroup(name); - } - - userActivityLogger(`User deleted all projects`, { - project: '', - event: 'api:deleteAllProjects', - payload: { - ...args - } - }); - - // TODO: Check rows for success - return 'success'; -}; - export const removeProjectMetadataByKey: ResolverFn = async ( root, { input: { id, key } }, 
diff --git a/services/api/src/resources/sshKey/resolvers.ts b/services/api/src/resources/sshKey/resolvers.ts index 1e6cd88177..1126842b42 100644 --- a/services/api/src/resources/sshKey/resolvers.ts +++ b/services/api/src/resources/sshKey/resolvers.ts @@ -4,6 +4,7 @@ import { query, isPatchEmpty } from '../../util/db'; import { validateSshKey, getSshKeyFingerprint } from '.'; import { Sql } from './sql'; +const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false" const formatSshKey = ({ keyType, keyValue }) => `${keyType} ${keyValue}`; @@ -278,29 +279,3 @@ export const deleteSshKeyById: ResolverFn = async ( return 'success'; }; - -export const deleteAllSshKeys: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - await hasPermission('ssh_key', 'deleteAll'); - - await query(sqlClientPool, Sql.truncateSshKey()); - - // TODO: Check rows for success - return 'success'; -}; - -export const removeAllSshKeysFromAllUsers: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - await hasPermission('ssh_key', 'removeAll'); - - await query(sqlClientPool, Sql.truncateUserSshKey()); - - // TODO: Check rows for success - return 'success'; -}; diff --git a/services/api/src/resources/user/resolvers.ts b/services/api/src/resources/user/resolvers.ts index d9e239217b..16bebc8a00 100644 --- a/services/api/src/resources/user/resolvers.ts +++ b/services/api/src/resources/user/resolvers.ts 
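Review bot: The new `ENABLE_DANGEROUS_GRAPHQL_MUTATIONS` constant added at the top of sshKey/resolvers.ts in the first hunk is not read anywhere in either hunk, and once the second hunk removes `deleteAllSshKeys` and `removeAllSshKeysFromAllUsers` nothing remains in the file for such a flag to gate; unless some code outside these hunks uses it, it is dead code and should be dropped rather than left as a hint that a bypass exists. If it is meant to stay, note that `process.env.X || "false"` yields a string, so any truthiness check treats the default `"false"` as enabled — read it as a boolean, `const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS === 'true';`, which also restores the semicolon the surrounding lines use. Separately, the removed resolvers called `Sql.truncateSshKey()` and `Sql.truncateUserSshKey()`, and the diffstat lists no `sql.ts` change for sshKey or for the backup, environment, notification, openshift or project resources, so the TRUNCATE helpers that backed every removed mutation presumably still exist; deleting them too would leave no ready-made whole-table wipe for a future resolver to pick up.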
@@ -318,31 +318,3 @@ export const removeUserFromOrganization: ResolverFn = async ( return organizationData; }; - -export const deleteAllUsers: ResolverFn = async ( - _root, - _args, - { models, hasPermission }, -) => { - await hasPermission('user', 'deleteAll'); - - const users = await models.UserModel.loadAllUsers(); - - let deleteErrors: String[] = []; - for (const user of users) { - try { - await models.UserModel.deleteUser(user.id) - } catch (err) { - deleteErrors = [ - ...deleteErrors, - `${user.email} (${user.id})`, - ] - } - } - - return R.ifElse( - R.isEmpty, - R.always('success'), - deleteErrors => { throw new Error(`Could not delete users: ${deleteErrors.join(', ')}`) }, - )(deleteErrors); -}; diff --git a/services/api/src/typeDefs.js b/services/api/src/typeDefs.js index 134863a339..f0d944cd6d 100644 --- a/services/api/src/typeDefs.js +++ b/services/api/src/typeDefs.js @@ -2289,7 +2289,6 @@ const typeDefs = gql` addOrUpdateEnvironment(input: AddEnvironmentInput!): Environment updateEnvironment(input: UpdateEnvironmentInput!): Environment deleteEnvironment(input: DeleteEnvironmentInput!): String - deleteAllEnvironments: String """ Add or update Storage Information for Environment """ @@ -2304,7 +2303,6 @@ const typeDefs = gql` input: UpdateNotificationSlackInput! ): NotificationSlack deleteNotificationSlack(input: DeleteNotificationSlackInput!): String - deleteAllNotificationSlacks: String addNotificationRocketChat( input: AddNotificationRocketChatInput! ): NotificationRocketChat @@ -2314,7 +2312,6 @@ const typeDefs = gql` deleteNotificationRocketChat( input: DeleteNotificationRocketChatInput! ): String - deleteAllNotificationRocketChats: String addNotificationMicrosoftTeams( input: AddNotificationMicrosoftTeamsInput! ): NotificationMicrosoftTeams 
@@ -2324,7 +2321,6 @@ const typeDefs = gql` deleteNotificationMicrosoftTeams( input: DeleteNotificationMicrosoftTeamsInput! ): String - deleteAllNotificationMicrosoftTeams: String addNotificationWebhook( input: AddNotificationWebhookInput! ): NotificationWebhook @@ -2334,7 +2330,6 @@ const typeDefs = gql` deleteNotificationWebhook( input: DeleteNotificationWebhookInput! ): String - deleteAllNotificationWebhook: String addNotificationEmail( input: AddNotificationEmailInput! ): NotificationEmail @@ -2344,7 +2339,6 @@ const typeDefs = gql` deleteNotificationEmail( input: DeleteNotificationEmailInput! ): String - deleteAllNotificationEmails: String """ Connect previous created Notification to a Project """ @@ -2352,25 +2346,19 @@ const typeDefs = gql` removeNotificationFromProject( input: RemoveNotificationFromProjectInput! ): Project - removeAllNotificationsFromAllProjects: String addOpenshift(input: AddOpenshiftInput!): Openshift updateOpenshift(input: UpdateOpenshiftInput!): Openshift deleteOpenshift(input: DeleteOpenshiftInput!): String - deleteAllOpenshifts: String addKubernetes(input: AddKubernetesInput!): Kubernetes updateKubernetes(input: UpdateKubernetesInput!): Kubernetes deleteKubernetes(input: DeleteKubernetesInput!): String - deleteAllKubernetes: String addProject(input: AddProjectInput!): Project updateProject(input: UpdateProjectInput!): Project deleteProject(input: DeleteProjectInput!): String - deleteAllProjects: String addSshKey(input: AddSshKeyInput!): SshKey updateSshKey(input: UpdateSshKeyInput!): SshKey deleteSshKey(input: DeleteSshKeyInput!): String deleteSshKeyById(input: DeleteSshKeyByIdInput!): String - deleteAllSshKeys: String - removeAllSshKeysFromAllUsers: String addUser(input: AddUserInput!): User updateUser(input: UpdateUserInput!): User """ 
@@ -2385,7 +2373,6 @@ const typeDefs = gql` removeUserFromOrganization(input: addUserToOrganizationInput!): Organization resetUserPassword(input: ResetUserPasswordInput!): String deleteUser(input: DeleteUserInput!): String - deleteAllUsers: String addDeployment(input: AddDeploymentInput!): Deployment bulkDeployEnvironmentLatest(input: BulkDeploymentLatestInput!): String deleteDeployment(input: DeleteDeploymentInput!): String @@ -2404,7 +2391,6 @@ const typeDefs = gql` deleteFactReference(input: DeleteFactReferenceInput!): String deleteAllFactReferencesByFactId(input: DeleteFactReferencesByFactIdInput!): String deleteBackup(input: DeleteBackupInput!): String - deleteAllBackups: String addRestore(input: AddRestoreInput!): Restore updateRestore(input: UpdateRestoreInput!): Restore addEnvVariable(input: EnvVariableInput!): EnvKeyValue @deprecated(reason: "Use addOrUpdateEnvVariableByName instead") @@ -2446,7 +2432,6 @@ const typeDefs = gql` addGroup(input: AddGroupInput!): GroupInterface updateGroup(input: UpdateGroupInput!): GroupInterface deleteGroup(input: DeleteGroupInput!): String - deleteAllGroups: String addUserToGroup(input: UserGroupRoleInput!): GroupInterface removeUserFromGroup(input: UserGroupInput!): GroupInterface addGroupsToProject(input: ProjectGroupsInput): Project 
@@ -2461,7 +2446,6 @@ const typeDefs = gql` addDeployTargetConfig(input: AddDeployTargetConfigInput!): DeployTargetConfig @deprecated(reason: "Unstable API, subject to breaking changes in any release. Use at your own risk") updateDeployTargetConfig(input: UpdateDeployTargetConfigInput!): DeployTargetConfig @deprecated(reason: "Unstable API, subject to breaking changes in any release. Use at your own risk") deleteDeployTargetConfig(input: DeleteDeployTargetConfigInput!): String @deprecated(reason: "Unstable API, subject to breaking changes in any release. Use at your own risk") - deleteAllDeployTargetConfigs: String @deprecated(reason: "Unstable API, subject to breaking changes in any release. Use at your own risk") updateEnvironmentDeployTarget(environment: Int!, deployTarget: Int!): Environment """ Add an organization diff --git a/services/keycloak/lagoon-realm-base-import.json b/services/keycloak/lagoon-realm-base-import.json index 3d1fbe9a56..339ce49d06 100644 --- a/services/keycloak/lagoon-realm-base-import.json +++ b/services/keycloak/lagoon-realm-base-import.json @@ -847,9 +847,6 @@ { "name": "viewAll" }, - { - "name": "deleteAll" - }, { "name": "delete" }, @@ -883,9 +880,6 @@ { "name": "viewAll" }, - { - "name": "deleteAll" - }, { "name": "delete" } @@ -1012,18 +1006,12 @@ { "name": "add" }, - { - "name": "removeAll" - }, { "name": "view" }, { "name": "update" }, - { - "name": "deleteAll" - }, { "name": "delete" }, @@ -1045,9 +1033,6 @@ { "name": "view" }, - { - "name": "deleteAll" - }, { "name": "delete" } @@ -1102,15 +1087,9 @@ { "name": "add" }, - { - "name": "removeAll" - }, { "name": "update" }, - { - "name": "deleteAll" - }, { "name": "view:user" }, @@ -1141,9 +1120,6 @@ { "name": "viewAll" }, - { - "name": "deleteAll" - }, { "name": "delete" } @@ -1186,9 +1162,6 @@ { "name": "storage" }, - { - "name": "deleteAll" - }, { "name": "addOrUpdate:development" }, 
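Review bot: This hunk drops `deleteAllDeployTargetConfigs` from the schema, but no hunk in the patch touches a deployTargetConfig resolver file and none of the resolvers.js hunks removes that name, so the resolver side is unaccounted for. If a resolver is still registered under that key, graphql-tools by default rejects a resolver with no matching schema field at startup; if none was ever registered, the removal is harmless — either way the resolver and any truncate helper behind it should be located and removed, since the intent of the commit is to delete the dangerous code path rather than only hide it from the schema. The `Mutation` type this field belongs to starts and ends outside the hunk.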
@@ -1270,9 +1243,6 @@ { "name": "updateProject" }, - { - "name": "deleteAll" - }, { "name": "delete" }, @@ -1330,9 +1300,6 @@ { "name": "viewAll" }, - { - "name": "deleteAll" - }, { "name": "delete" } @@ -1597,7 +1564,7 @@ "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"openshift\"]", - "scopes": "[\"delete\",\"view:token\",\"update\",\"add\",\"deleteAll\"]", + "scopes": "[\"delete\",\"view:token\",\"update\",\"add\"]", "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, @@ -1810,17 +1777,6 @@ "applyPolicies": "[\"[Lagoon] User is admin of organization\",\"[Lagoon] User is owner of organization\",\"[Lagoon] Users role for realm is Platform Owner\",\"[Lagoon] User is viewer of organization\"]" } }, - { - "name": "Delete All SSH Keys", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"ssh_key\"]", - "scopes": "[\"removeAll\",\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "Update Project", "type": "scope", @@ -1854,17 +1810,6 @@ "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, - { - "name": "Delete All Notifications", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"notification\"]", - "scopes": "[\"removeAll\",\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "View Facts", "type": "scope", @@ -1887,17 +1832,6 @@ "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, - { - "name": "Delete All Projects", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"project\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "Delete Deployment", "type": "scope", 
@@ -1916,7 +1850,7 @@ "decisionStrategy": "UNANIMOUS", "config": { "resources": "[\"organization\"]", - "scopes": "[\"delete\",\"update\",\"add\",\"deleteAll\"]", + "scopes": "[\"delete\",\"update\",\"add\"]", "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, @@ -2052,17 +1986,6 @@ "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Maintainer\"]" } }, - { - "name": "Delete All Groups", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"group\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "User can SSH to Development Environment", "type": "scope", @@ -2107,17 +2030,6 @@ "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, - { - "name": "Delete All Users", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"user\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "Get User By SSH Key", "type": "scope", @@ -2250,17 +2162,6 @@ "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Developer\"]" } }, - { - "name": "Delete All Environments", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"environment\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "Add Environment Variable to Production Environment", "type": "scope", 
@@ -2646,17 +2547,6 @@ "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Owner\"]" } }, - { - "name": "Delete All Backups", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"backup\"]", - "scopes": "[\"deleteAll\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "View All Projects", "type": "scope", @@ -2919,9 +2809,6 @@ { "name": "view" }, - { - "name": "deleteAll" - }, { "name": "storage" }, @@ -2979,9 +2866,6 @@ { "name": "add" }, - { - "name": "removeAll" - }, { "name": "removeNotification" }, diff --git a/services/keycloak/startup-scripts/00-configure-lagoon.sh b/services/keycloak/startup-scripts/00-configure-lagoon.sh index 34116c560e..6cce53cd30 100755 --- a/services/keycloak/startup-scripts/00-configure-lagoon.sh +++ b/services/keycloak/startup-scripts/00-configure-lagoon.sh @@ -256,7 +256,7 @@ function migrate_admin_organization_permissions { echo Configuring Organization admin permissions - echo Delete existing organization management + echo Delete deleteall sshkeys manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Manage+Organization --config $CONFIG_PATH | jq -r '.[0]["id"]') /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH 
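Review bot: The changed log line in `migrate_admin_organization_permissions` now reads `echo Delete deleteall sshkeys`, but the two lines that follow it look up and delete the `Manage+Organization` permission, so the message no longer describes what this function does and looks like an accidental edit (a near-identical `echo Delete deleteall sshkeys permission` is added in the new `remove_deleteall_permissions_scopes` function later in this patch). Keep the original `echo Delete existing organization management` here so the startup log stays accurate for operators debugging a migration. The function's opening lines lie outside the hunk.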
@@ -357,6 +357,71 @@ function migrate_remove_harbor_scan_permissions {
 /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$delete_harbor_scan_match_id --config $CONFIG_PATH
 }
+function remove_deleteall_permissions_scopes {
+ # The changes here match the changes that are made in the realm import script
+ # fresh installs will not need to perform this migration as the changes will already be in the import
+ # this will only run on existing installations to get it into a state that matches the realm import
+ CLIENT_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients?clientId=api --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ delete_all_projects=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+Projects --config $CONFIG_PATH)
+
+ if [ "$delete_all_projects" == "[ ]" ]; then
+ echo "deleteall permissions already removed"
+ return 0
+ fi
+
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=notification --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"add"},{"name":"delete"},{"name":"view"},{"name":"update"},{"name":"viewAll"}]'
+
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=group --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"addUser"},{"name":"add"},{"name":"removeUser"},{"name":"update"},{"name":"viewAll"},{"name":"delete"}]'
+
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=backup --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"add"},{"name":"view"},{"name":"delete"}]'
+
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=ssh_key --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"add"},{"name":"update"},{"name":"view:user"},{"name":"delete"},{"name":"view:project"}]'
+
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=user --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"add"},{"name":"getBySshKey"},{"name":"update"},{"name":"viewAll"},{"name":"delete"}]'
+
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=environment --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"deploy:production"},{"name":"addOrUpdate:production"},{"name":"viewAll"},{"name":"storage"},{"name":"addOrUpdate:development"},{"name":"update:development"},{"name":"ssh:development"},{"name":"delete:development"},{"name":"view"},{"name":"deploy:development"},{"name":"deleteNoExec"},{"name":"ssh:production"},{"name":"delete:production"},{"name":"update:production"}]'
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=organization --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"updateNotification"},{"name":"addUser"},{"name":"add"},{"name":"removeNotification"},{"name":"viewNotification"},{"name":"addOwner"},{"name":"updateOrganization"},{"name":"update"},{"name":"viewUser"},{"name":"viewAll"},{"name":"updateProject"},{"name":"delete"},{"name":"viewProject"},{"name":"addNotification"},{"name":"viewUsers"},{"name":"view"},{"name":"viewGroup"},{"name":"deleteProject"},{"name":"removeGroup"},{"name":"addViewer"},{"name":"addProject"},{"name":"addGroup"}]'
+
+ NOTIFICATION_RESOURCE_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$api_client_id/authz/resource-server/resource?name=openshift --config $CONFIG_PATH | jq -r '.[0]["_id"]')
+ /opt/keycloak/bin/kcadm.sh update clients/$CLIENT_ID/authz/resource-server/resource/$NOTIFICATION_RESOURCE_ID --config $CONFIG_PATH -r ${KEYCLOAK_REALM:-master} -s 'scopes=[{"name":"add"},{"name":"view"},{"name":"view:token"},{"name":"update"},{"name":"viewAll"},{"name":"delete"}]'
+ echo Delete deleteall sshkeys permission
+ manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+SSH Keys --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH
+
+ echo Delete deleteall notifications permission
+ manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+Notifications --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH
+
+ echo Delete deleteall groups permission
+ manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+Groups --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH
+
+ echo Delete deleteall users permission
+ manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+Users --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH
+
+ echo Delete deleteall environments permission
+ manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+Environments --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH
+
+ echo Delete deleteall backups permission
+ manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+Backups --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH
+
+ echo Delete deleteall projects permission
+ manage_organization=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+All+Projects --config $CONFIG_PATH | jq -r '.[0]["id"]')
+ /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$manage_organization --config $CONFIG_PATH
+
+}
+
 ##################
 # Initialization
# ################## @@ -388,6 +453,7 @@ function configure_keycloak { add_notification_view_all migrate_admin_organization_permissions migrate_remove_harbor_scan_permissions + remove_deleteall_permissions_scopes # always run last sync_client_secrets diff --git a/services/workflows/internal/lagoonclient/schema.graphql b/services/workflows/internal/lagoonclient/schema.graphql index 0c41bb17a9..d508c8c08e 100644 --- a/services/workflows/internal/lagoonclient/schema.graphql +++ b/services/workflows/internal/lagoonclient/schema.graphql @@ -974,7 +974,6 @@ type Mutation { addOrUpdateEnvironment(input: AddEnvironmentInput!): Environment updateEnvironment(input: UpdateEnvironmentInput!): Environment deleteEnvironment(input: DeleteEnvironmentInput!): String - deleteAllEnvironments: String """ Add or update Storage Information for Environment @@ -987,7 +986,6 @@ type Mutation { input: UpdateNotificationSlackInput! ): NotificationSlack deleteNotificationSlack(input: DeleteNotificationSlackInput!): String - deleteAllNotificationSlacks: String addNotificationRocketChat( input: AddNotificationRocketChatInput! ): NotificationRocketChat @@ -997,7 +995,6 @@ type Mutation { deleteNotificationRocketChat( input: DeleteNotificationRocketChatInput! ): String - deleteAllNotificationRocketChats: String addNotificationMicrosoftTeams( input: AddNotificationMicrosoftTeamsInput! ): NotificationMicrosoftTeams @@ -1007,7 +1004,6 @@ type Mutation { deleteNotificationMicrosoftTeams( input: DeleteNotificationMicrosoftTeamsInput! ): String - deleteAllNotificationMicrosoftTeams: String addNotificationWebhook( input: AddNotificationWebhookInput! ): NotificationWebhook 
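Review bot: The SSH key lookup in `remove_deleteall_permissions_scopes` passes `permission?name=Delete+All+SSH Keys` with an unquoted space, so the shell hands `Keys` to kcadm.sh as a separate argument, the query returns `[ ]`, `jq -r '.[0]["id"]'` prints `null`, and the following `delete` targets `permission/null` instead of removing the "Delete All SSH Keys" permission — it should read `permission?name=Delete+All+SSH+Keys` like the other lookups. The eight `resource?name=...` lookups interpolate `$api_client_id`, but this function only sets `CLIENT_ID`; unless `api_client_id` is a global set earlier in the script (not visible here), the path becomes `clients//authz/...`, every `NOTIFICATION_RESOURCE_ID` resolves to `null`, and the scope rewrites silently miss, so use `clients/$CLIENT_ID/authz/resource-server/resource?name=...` as the permission lookups do. The `update` calls also run against `-r ${KEYCLOAK_REALM:-master}` while every `get` in the function uses `-r lagoon`, so the scope rewrite can land in a different realm from the one the ids were fetched from; `-r lagoon` keeps them consistent. Deleting "Delete All Projects" last does let the `[ ]` guard re-run the function after a partial failure, but the repeated `delete` calls then hit `permission/null` for entries already removed, so guarding each delete with `[ "$manage_organization" != "null" ]` would keep reruns clean and make a dangling `deleteAll` permission visible in the log rather than masked.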
@@ -1015,13 +1011,11 @@ type Mutation { input: UpdateNotificationWebhookInput! ): NotificationWebhook deleteNotificationWebhook(input: DeleteNotificationWebhookInput!): String - deleteAllNotificationWebhook: String addNotificationEmail(input: AddNotificationEmailInput!): NotificationEmail updateNotificationEmail( input: UpdateNotificationEmailInput! ): NotificationEmail deleteNotificationEmail(input: DeleteNotificationEmailInput!): String - deleteAllNotificationEmails: String """ Connect previous created Notification to a Project @@ -1030,29 +1024,22 @@ type Mutation { removeNotificationFromProject( input: RemoveNotificationFromProjectInput! ): Project - removeAllNotificationsFromAllProjects: String addOpenshift(input: AddOpenshiftInput!): Openshift updateOpenshift(input: UpdateOpenshiftInput!): Openshift deleteOpenshift(input: DeleteOpenshiftInput!): String - deleteAllOpenshifts: String addKubernetes(input: AddKubernetesInput!): Kubernetes updateKubernetes(input: UpdateKubernetesInput!): Kubernetes deleteKubernetes(input: DeleteKubernetesInput!): String - deleteAllKubernetes: String addProject(input: AddProjectInput!): Project updateProject(input: UpdateProjectInput!): Project deleteProject(input: DeleteProjectInput!): String - deleteAllProjects: String addSshKey(input: AddSshKeyInput!): SshKey updateSshKey(input: UpdateSshKeyInput!): SshKey deleteSshKey(input: DeleteSshKeyInput!): String deleteSshKeyById(input: DeleteSshKeyByIdInput!): String - deleteAllSshKeys: String - removeAllSshKeysFromAllUsers: String addUser(input: AddUserInput!): User updateUser(input: UpdateUserInput!): User deleteUser(input: DeleteUserInput!): String - deleteAllUsers: String addDeployment(input: AddDeploymentInput!): Deployment deleteDeployment(input: DeleteDeploymentInput!): String updateDeployment(input: UpdateDeploymentInput): Deployment 
@@ -1071,7 +1058,6 @@ type Mutation { input: DeleteFactReferencesByFactIdInput! ): String deleteBackup(input: DeleteBackupInput!): String - deleteAllBackups: String addRestore(input: AddRestoreInput!): Restore updateRestore(input: UpdateRestoreInput!): Restore addEnvVariable(input: EnvVariableInput!): EnvKeyValue @@ -1110,7 +1096,6 @@ type Mutation { addGroup(input: AddGroupInput!): GroupInterface updateGroup(input: UpdateGroupInput!): GroupInterface deleteGroup(input: DeleteGroupInput!): String - deleteAllGroups: String addUserToGroup(input: UserGroupRoleInput!): GroupInterface removeUserFromGroup(input: UserGroupInput!): GroupInterface addGroupsToProject(input: ProjectGroupsInput): Project @@ -1123,10 +1108,6 @@ type Mutation { removeGroupsFromProject(input: ProjectGroupsInput!): Project updateProjectMetadata(input: UpdateMetadataInput!): Project removeProjectMetadataByKey(input: RemoveMetadataInput!): Project - addBillingModifier(input: AddBillingModifierInput!): BillingModifier - updateBillingModifier(input: UpdateBillingModifierInput!): BillingModifier - deleteBillingModifier(input: DeleteBillingModifierInput!): String - deleteAllBillingModifiersByBillingGroup(input: GroupInput!): String addDeployTargetConfig(input: AddDeployTargetConfigInput!): DeployTargetConfig @deprecated( reason: "Unstable API, subject to breaking changes in any release. Use at your own risk" @@ -1141,10 +1122,6 @@ type Mutation { @deprecated( reason: "Unstable API, subject to breaking changes in any release. Use at your own risk" ) - deleteAllDeployTargetConfigs: String - @deprecated( - reason: "Unstable API, subject to breaking changes in any release. Use at your own risk" - ) } union Notification =