Merge pull request #785 from dod-ccpo/check-user-is-in-app-before-adding-env-role

Check user is in app before adding env role
2019-04-30 14:31:08 -04:00
parent d67a56b7b2 94e3dc637a
commit 0c6f00bf4d
11 changed files with 85 additions and 6 deletions
--- a/atst/domain/application_roles.py
+++ b/atst/domain/application_roles.py
@@ -6,6 +6,7 @@ from atst.domain.permission_sets import PermissionSets
 class ApplicationRoles(object):
    @classmethod
    def _permission_sets_for_names(cls, set_names):
+        set_names = set(set_names).union({PermissionSets.VIEW_APPLICATION})
        return PermissionSets.get_many(set_names)

    @classmethod
--- a/atst/domain/exceptions.py
+++ b/atst/domain/exceptions.py
@@ -1,6 +1,7 @@
 class NotFoundError(Exception):
-    def __init__(self, resource_name):
+    def __init__(self, resource_name, resource_id=None):
        self.resource_name = resource_name
+        self.resource_id = resource_id

    @property
    def message(self):
--- a/atst/models/application.py
+++ b/atst/models/application.py
@@ -9,7 +9,6 @@ from atst.models.application_role import (
    ApplicationRole,
    Status as ApplicationRoleStatuses,
 )
-
 from atst.database import db


--- a/atst/routes/applications/settings.py
+++ b/atst/routes/applications/settings.py
@@ -7,6 +7,8 @@ from atst.domain.applications import Applications
 from atst.forms.app_settings import EnvironmentRolesForm
 from atst.forms.application import ApplicationForm, EditEnvironmentForm
 from atst.domain.authz.decorator import user_can_access_decorator as user_can
+from atst.domain.exceptions import NotFoundError
+
 from atst.models.permissions import Permissions
 from atst.utils.flash import formatted_flash as flash

@@ -46,6 +48,14 @@ def serialize_env_member_form_data(application):
    return environments_list


+def check_users_are_in_application(user_ids, application):
+    existing_ids = [str(role.user_id) for role in application.roles]
+    for user_id in user_ids:
+        if not user_id in existing_ids:
+            raise NotFoundError("application user", user_id)
+    return True
+
+
@applications_bp.route("/applications/<application_id>/settings")
@user_can(Permissions.VIEW_APPLICATION, message="view application edit form")
 def settings(application_id):
@@ -128,6 +138,19 @@ def update_env_roles(environment_id):
    env_roles_form = EnvironmentRolesForm(http_request.form)

    if env_roles_form.validate():
+
+        try:
+            user_ids = [user["user_id"] for user in env_roles_form.data["team_roles"]]
+            check_users_are_in_application(user_ids, application)
+        except NotFoundError as err:
+            app.logger.warning(
+                "User {} requested environment role change for unauthorized user {} in application {}.".format(
+                    g.current_user.id, err.resource_id, application.id
+                ),
+                extra={"tags": ["update", "failure"], "security_warning": True},
+            )
+
+            raise (err)
        env_data = env_roles_form.data
        Environments.update_env_roles_by_environment(
            environment_id=environment_id, team_roles=env_data["team_roles"]