WIP #600 - Control authorized entities before create or update usage plan

quentinovega · quentinovega · commit e3f0fc0a90d2 · 2024-02-02T14:43:35.000+01:00
diff --git a/daikoku/app/controllers/ApiController.scala b/daikoku/app/controllers/ApiController.scala
@@ -4730,6 +4730,7 @@ class ApiController(
         }
 
         (for {
+          _ <- newPlan.checkAuthorizedEntities(team)
           api <- EitherT.fromOptionF[Future, AppError, Api](
             env.dataStore.apiRepo
               .forTenant(ctx.tenant)
@@ -5059,6 +5060,7 @@ class ApiController(
         }
 
         val value: EitherT[Future, AppError, Result] = for {
+          _ <- updatedPlan.checkAuthorizedEntities(team)
           api <- EitherT.fromOptionF(
             env.dataStore.apiRepo
               .forTenant(ctx.tenant)
diff --git a/daikoku/app/domain/apiEntities.scala b/daikoku/app/domain/apiEntities.scala
@@ -296,6 +296,24 @@ sealed trait UsagePlan {
       case (_, TenantDisplay.Default) => EitherT.pure[Future, AppError](())
     }
   }
+
+  def checkAuthorizedEntities(team: Team)(implicit ec: ExecutionContext): EitherT[Future, AppError, Unit] = {
+    otoroshiTarget match {
+      case Some(otoroshiTarget) if team.authorizedOtoroshiEntities.isDefined =>
+        val teamAuthorizedEntities = team.authorizedOtoroshiEntities.get.find(_.otoroshiSettingsId == otoroshiTarget.otoroshiSettings)
+
+        teamAuthorizedEntities match {
+          case Some(authorizedEntities) =>
+            for {
+              _ <- EitherT.cond[Future](authorizedEntities.authorizedEntities.groups.diff(otoroshiTarget.authorizedEntities.map(_.groups).getOrElse(Set.empty)).isEmpty, (), AppError.Unauthorized)
+              _ <- EitherT.cond[Future](authorizedEntities.authorizedEntities.services.diff(otoroshiTarget.authorizedEntities.map(_.services).getOrElse(Set.empty)).isEmpty, (), AppError.Unauthorized)
+              _ <- EitherT.cond[Future](authorizedEntities.authorizedEntities.routes.diff(otoroshiTarget.authorizedEntities.map(_.routes).getOrElse(Set.empty)).isEmpty, (), AppError.Unauthorized)
+            } yield ()
+          case None => EitherT.leftT[Future, Unit](AppError.Unauthorized)
+        }
+      case _ => EitherT.pure[Future, AppError](())
+    }
+  }
 }
 
 case object UsagePlan {

Original file line number	Diff line number	Diff line change
`@@ -4730,6 +4730,7 @@ class ApiController(`
`4730`	`4730`	`}`
`4731`	`4731`
`4732`	`4732`	`(for {`
	`4733`	`+ _ <- newPlan.checkAuthorizedEntities(team)`
`4733`	`4734`	`api <- EitherT.fromOptionF[Future, AppError, Api](`
`4734`	`4735`	`env.dataStore.apiRepo`
`4735`	`4736`	`.forTenant(ctx.tenant)`
`@@ -5059,6 +5060,7 @@ class ApiController(`
`5059`	`5060`	`}`
`5060`	`5061`
`5061`	`5062`	`val value: EitherT[Future, AppError, Result] = for {`
	`5063`	`+ _ <- updatedPlan.checkAuthorizedEntities(team)`
`5062`	`5064`	`api <- EitherT.fromOptionF(`
`5063`	`5065`	`env.dataStore.apiRepo`
`5064`	`5066`	`.forTenant(ctx.tenant)`