Skip to content

Commit

Permalink
Enable deletion of integration resources (#1294)
Browse files Browse the repository at this point in the history
* Enforce admin service user role for integration group deletion

Added a check to prevent non-admin service users from deleting integration groups.

* Restrict deletion of integration user to admin service user only

* Refactor user and group deletion tests
  • Loading branch information
bcmmbaga authored Nov 7, 2023
1 parent 8be6e92 commit 9f7e13f
Show file tree
Hide file tree
Showing 4 changed files with 26 additions and 8 deletions.
10 changes: 8 additions & 2 deletions management/server/group.go
Original file line number Diff line number Diff line change
Expand Up @@ -163,9 +163,15 @@ func (am *DefaultAccountManager) DeleteGroup(accountId, userId, groupID string)
return nil
}

// check integration link
// disable a deleting integration group if the initiator is not an admin service user
if g.Issued == GroupIssuedIntegration {
return &GroupLinkError{GroupIssuedIntegration, g.IntegrationReference.String()}
executingUser := account.Users[userId]
if executingUser == nil {
return status.Errorf(status.NotFound, "user not found")
}
if executingUser.Role != UserRoleAdmin || !executingUser.IsServiceUser {
return status.Errorf(status.PermissionDenied, "only admins service user can delete integration group")
}
}

// check route links
Expand Down
17 changes: 14 additions & 3 deletions management/server/group_test.go
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
package server

import (
"errors"
"testing"

nbdns "github.com/netbirdio/netbird/dns"
"github.com/netbirdio/netbird/management/server/status"
"github.com/netbirdio/netbird/route"
)

Expand Down Expand Up @@ -55,19 +57,28 @@ func TestDefaultAccountManager_DeleteGroup(t *testing.T) {
{
"integration",
"grp-for-integration",
"integration",
"only admins service user can delete integration group",
},
}

for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
err = am.DeleteGroup(account.Id, "", testCase.groupID)
err = am.DeleteGroup(account.Id, groupAdminUserID, testCase.groupID)
if err == nil {
t.Errorf("delete %s group successfully", testCase.groupID)
return
}

gErr, ok := err.(*GroupLinkError)
var sErr *status.Error
if errors.As(err, &sErr) {
if sErr.Message != testCase.expectedReason {
t.Errorf("invalid error case: %s, expected: %s", sErr.Message, testCase.expectedReason)
}
return
}

var gErr *GroupLinkError
ok := errors.As(err, &gErr)
if !ok {
t.Error("invalid error type")
return
Expand Down
5 changes: 3 additions & 2 deletions management/server/user.go
Original file line number Diff line number Diff line change
Expand Up @@ -387,8 +387,9 @@ func (am *DefaultAccountManager) DeleteUser(accountID, initiatorUserID string, t
return status.Errorf(status.NotFound, "target user not found")
}

if targetUser.Issued == UserIssuedIntegration {
return status.Errorf(status.PermissionDenied, "only integration can delete this user")
// disable deleting integration user if the initiator is not admin service user
if targetUser.Issued == UserIssuedIntegration && !executingUser.IsServiceUser {
return status.Errorf(status.PermissionDenied, "only admin service user can delete this user")
}

// handle service user first and exit, no need to fetch extra data from IDP, etc
Expand Down
2 changes: 1 addition & 1 deletion management/server/user_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -508,7 +508,7 @@ func TestUser_DeleteUser_regularUser(t *testing.T) {
name: "Delete integration regular user permission denied ",
userID: "user4",
assertErrFunc: assert.Error,
assertErrMessage: "only integration can delete this user",
assertErrMessage: "only admin service user can delete this user",
},
}

Expand Down

0 comments on commit 9f7e13f

Please sign in to comment.