change authorization for export commands

change error with debug in case parade migration didn't run yet
treeverse · Nov 10, 2020 · ae06cf6 · ae06cf6
1 parent 7d7d674
commit ae06cf6
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 10 deletions.
diff --git a/api/api_controller.go b/api/api_controller.go
@@ -2198,7 +2198,7 @@ func (c *Controller) ExportGetContinuousExportHandler() exportop.GetContinuousEx
 	return exportop.GetContinuousExportHandlerFunc(func(params exportop.GetContinuousExportParams, user *models.User) middleware.Responder {
 		deps, err := c.setupRequest(user, params.HTTPRequest, []permissions.Permission{
 			{
-				Action:   permissions.ListBranchesAction,
+				Action:   permissions.ReadBranchAction,
 				Resource: permissions.BranchArn(params.Repository, params.Branch),
 			},
 		})
@@ -2232,8 +2232,8 @@ func (c *Controller) ExportRunHandler() exportop.RunHandler {
 	return exportop.RunHandlerFunc(func(params exportop.RunParams, user *models.User) middleware.Responder {
 		deps, err := c.setupRequest(user, params.HTTPRequest, []permissions.Permission{
 			{
-				Action:   permissions.WriteObjectAction,
-				Resource: permissions.ObjectArn(params.Repository, params.Branch),
+				Action:   permissions.CreateCommitAction,
+				Resource: permissions.BranchArn(params.Repository, params.Branch),
 			},
 		})
 		if err != nil {
@@ -2255,7 +2255,7 @@ func (c *Controller) ExportSetContinuousExportHandler() exportop.SetContinuousEx
 	return exportop.SetContinuousExportHandlerFunc(func(params exportop.SetContinuousExportParams, user *models.User) middleware.Responder {
 		deps, err := c.setupRequest(user, params.HTTPRequest, []permissions.Permission{
 			{
-				Action:   permissions.CreateBranchAction,
+				Action:   permissions.ExportSetConfigAction,
 				Resource: permissions.BranchArn(params.Repository, params.Branch),
 			},
 		})

diff --git a/auth/setup.go b/auth/setup.go
@@ -130,6 +130,19 @@ func SetupBaseGroups(authService Service, ts time.Time) error {
 				},
 			},
 		},
+		{
+			CreatedAt:   ts,
+			DisplayName: "ExportSetConfiguration",
+			Statement: model.Statements{
+				{
+					Action: []string{
+						"export:Set*",
+					},
+					Resource: permissions.All,
+					Effect:   model.StatementEffectAllow,
+				},
+			},
+		},
 		{
 			CreatedAt:   ts,
 			DisplayName: "AuthFullAccess",
@@ -164,7 +177,7 @@ func SetupBaseGroups(authService Service, ts time.Time) error {
 		return err
 	}
 
-	err = attachPolicies(authService, "Admins", []string{"FSFullAccess", "AuthFullAccess", "RepoManagementFullAccess"})
+	err = attachPolicies(authService, "Admins", []string{"FSFullAccess", "AuthFullAccess", "RepoManagementFullAccess", "ExportSetConfiguration"})
 	if err != nil {
 		return err
 	}

diff --git a/parade/action_manager.go b/parade/action_manager.go
@@ -1,6 +1,7 @@
 package parade
 
 import (
+	"errors"
 	"sync"
 	"time"
 
@@ -14,7 +15,7 @@ const (
 	defaultChannelSize = 1000
 	defaultMaxTasks    = 500
 	defaultWaitTime    = time.Millisecond * 300
-	defaultErrWaitTime = time.Millisecond * 300
+	defaultErrWaitTime = time.Second * 3
 	defaultMaxDuration = time.Minute * 30 // Todo(guys): change this
 )
 
@@ -103,7 +104,11 @@ func (a *ActionManager) start() {
 			case <-time.After(d):
 				ownedTasks, err := a.parade.OwnTasks(actorID, a.properties.MaxTasks, actions, a.properties.MaxDuration)
 				if err != nil {
-					logging.Default().WithField("actor", actorID).Errorf("manager failed to receive tasks: %s", err)
+					if errors.Is(err, ErrServiceUnavailable) {
+						logging.Default().WithField("actor", actorID).WithError(err).Debug("manager failed to receive tasks")
+					} else {
+						logging.Default().WithField("actor", actorID).WithError(err).Error("manager failed to receive tasks")
+					}
 					d = *a.properties.ErrWaitTime
 					continue
 				}

diff --git a/parade/ddl.go b/parade/ddl.go
@@ -9,6 +9,9 @@ import (
 	"strings"
 	"time"
 
+	"github.com/jackc/pgconn"
+	"github.com/jackc/pgerrcode"
+
 	"github.com/georgysavva/scany/pgxscan"
 	"github.com/jackc/pgtype"
 	"github.com/jackc/pgx/v4"
@@ -210,10 +213,15 @@ func OwnTasks(conn pgxscan.Querier, actor ActorID, maxTasks int, actions []strin
 	rows, err := conn.Query(
 		ctx, `SELECT * FROM own_tasks($1, $2, $3, $4)`, maxTasks, actions, actor, maxDuration)
 	if err != nil {
+		var pgerr *pgconn.PgError
+		if errors.As(err, &pgerr) && pgerr.Code == pgerrcode.UndefinedFunction {
+			return nil, ErrServiceUnavailable
+		}
 		return nil, fmt.Errorf("try to own tasks: %w", err)
 	}
 	tasks := make([]OwnedTaskData, 0, maxTasks)
 	err = pgxscan.ScanAll(&tasks, rows)
+
 	return tasks, err
 }
 

diff --git a/parade/parade.go b/parade/parade.go
@@ -12,9 +12,10 @@ import (
 )
 
 var (
-	ErrInvalidToken    = errors.New("performance token invalid (action may have exceeded deadline)")
-	ErrBadStatus       = errors.New("bad status for task")
-	ErrNoNotifyChannel = errors.New("task has no notify_channel_after")
+	ErrInvalidToken       = errors.New("performance token invalid (action may have exceeded deadline)")
+	ErrBadStatus          = errors.New("bad status for task")
+	ErrNoNotifyChannel    = errors.New("task has no notify_channel_after")
+	ErrServiceUnavailable = errors.New("service unavailable")
 )
 
 type Parade interface {

diff --git a/permissions/actions.go b/permissions/actions.go
@@ -31,6 +31,8 @@ const (
 	RetentionReadPolicyAction  = "retention:GetPolicy"
 	RetentionWritePolicyAction = "retention:WritePolicy"
 
+	ExportSetConfigAction = "fs:export:SetConfig"
+
 	ReadUserAction          = "auth:ReadUser"
 	CreateUserAction        = "auth:CreateUser"
 	DeleteUserAction        = "auth:DeleteUser"