Validate group inputs on invites (#1439)

Author: michaeljguarino

Dockerfile

@@ -42,39 +42,40 @@ FROM alpine:3.17.0 as tools
 ARG TARGETARCH
 
 # renovate: datasource=github-releases depName=helm/helm
-ENV HELM_VERSION=v3.11.0
+ENV HELM_VERSION=v3.17.3
 
 # renovate: datasource=github-releases depName=alco/goon
 ENV GOON_VERSION=v1.1.1
 
 # renovate: datasource=github-releases depName=pluralsh/plural-cli
-ENV CLI_VERSION=v0.7.8
-
-# renovate: datasource=github-releases depName=accurics/terrascan
-ENV TERRASCAN_VERSION=v1.17.1
+ENV CLI_VERSION=v0.12.8
 
 # renovate: datasource=github-releases depName=aquasecurity/trivy
-ENV TRIVY_VERSION=v0.36.1
+ENV TRIVY_VERSION=v0.64.1
 
 RUN apk add --update --no-cache curl ca-certificates unzip wget openssl && \
     # download helm
-    curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz | tar xvz && \
+    echo "installing helm" && \
+    curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz | tar xz && \
     mv linux-${TARGETARCH}/helm /usr/local/bin/helm && \
     # download goon
-    curl -L https://github.com/alco/goon/releases/download/${GOON_VERSION}/goon_linux_${TARGETARCH}.tar.gz | tar xvz && \
-    mv goon /usr/local/bin/goon && \
+    # echo "installing goon" && \
+    # curl -L https://github.com/alco/goon/releases/download/${GOON_VERSION}/goon_linux_${TARGETARCH}.tar.gz | tar xvz && \
+    # mv goon /usr/local/bin/goon && \
     # download plural cli
-    curl -L https://github.com/pluralsh/plural-cli/releases/download/${CLI_VERSION}/plural-cli_console_${CLI_VERSION/v/}_Linux_${TARGETARCH}.tar.gz | tar xvz plural && \
+    echo "installing plural" && \
+    curl -L https://github.com/pluralsh/plural-cli/releases/download/${CLI_VERSION}/plural-cli_${CLI_VERSION#v}_Linux_${TARGETARCH}.tar.gz | tar xvz plural && \
     mv plural /usr/local/bin/plural && \
     # download terrascan
-    if [ "$TARGETARCH" = "amd64" ]; then \
-      curl -L https://github.com/accurics/terrascan/releases/download/${TERRASCAN_VERSION}/terrascan_${TERRASCAN_VERSION/v/}_Linux_x86_64.tar.gz > terrascan.tar.gz; \
-    else \
-      curl -L https://github.com/accurics/terrascan/releases/download/${TERRASCAN_VERSION}/terrascan_${TERRASCAN_VERSION/v/}_Linux_${TARGETARCH}.tar.gz > terrascan.tar.gz; \
-    fi && \
-    tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \
-    mv terrascan /usr/local/bin/terrascan && \
+    # if [ "$TARGETARCH" = "amd64" ]; then \
+    #   curl -L https://github.com/accurics/terrascan/releases/download/${TERRASCAN_VERSION}/terrascan_${TERRASCAN_VERSION/v/}_Linux_x86_64.tar.gz > terrascan.tar.gz; \
+    # else \
+    #   curl -L https://github.com/accurics/terrascan/releases/download/${TERRASCAN_VERSION}/terrascan_${TERRASCAN_VERSION/v/}_Linux_${TARGETARCH}.tar.gz > terrascan.tar.gz; \
+    # fi && \
+    # tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \
+    # mv terrascan /usr/local/bin/terrascan && \
     # download trivy
+    echo "installing trivy" && \
     if [ "$TARGETARCH" = "amd64" ]; then \
       curl -L https://github.com/aquasecurity/trivy/releases/download/${TRIVY_VERSION}/trivy_${TRIVY_VERSION/v/}_Linux-64bit.tar.gz > trivy.tar.gz; \
     elif [ "$TARGETARCH" = "arm64" ]; then \
@@ -84,9 +85,9 @@ RUN apk add --update --no-cache curl ca-certificates unzip wget openssl && \
     mv trivy /usr/local/bin/trivy && \
     # make tools executable
     chmod +x /usr/local/bin/helm && \
-    chmod +x /usr/local/bin/goon && \
+    # chmod +x /usr/local/bin/goon && \
     chmod +x /usr/local/bin/plural && \
-    chmod +x /usr/local/bin/terrascan && \
+    # chmod +x /usr/local/bin/terrascan && \
     chmod +x /usr/local/bin/trivy
 
 FROM erlang:24.3.4.6-alpine
@@ -112,8 +113,8 @@ WORKDIR /opt/app
 
 COPY --from=tools /usr/local/bin/plural /usr/local/bin/plural
 COPY --from=tools /usr/local/bin/helm /usr/local/bin/helm
-COPY --from=tools /usr/local/bin/goon /usr/local/bin/goon
-COPY --from=tools /usr/local/bin/terrascan /usr/local/bin/terrascan
+# COPY --from=tools /usr/local/bin/goon /usr/local/bin/goon
+# COPY --from=tools /usr/local/bin/terrascan /usr/local/bin/terrascan
 COPY --from=tools /usr/local/bin/trivy /usr/local/bin/trivy
 COPY --from=builder /opt/built .
 

apps/core/lib/core/services/accounts.ex

@@ -290,6 +290,14 @@ defmodule Core.Services.Accounts do
       |> allow(user, :create)
       |> when_ok(:insert)
     end)
+    |> add_operation(:validate, fn %{invite: invite} ->
+      with %Invite{groups: [_ | _] = groups} <- Core.Repo.preload(invite, [:groups]),
+           true <- Enum.any?(groups, & &1.account_id != aid) do
+        {:error, "you cannot invite users to groups in other accounts"}
+      else
+        _ -> {:ok, invite}
+      end
+    end)
     |> execute(extract: :invite)
     |> notify(:create, user)
   end

apps/core/lib/core/services/base.ex

@@ -18,6 +18,7 @@ defmodule Core.Services.Base do
       _ -> []
     end
   end
+  def find_bindings(%User{id: id}), do: [%{user_id: id}]
   def find_bindings(_), do: []
 
   def ok(val), do: {:ok, val}

apps/core/test/services/accounts_test.exs

@@ -338,6 +338,29 @@ defmodule Core.Services.AccountsTest do
       assert invite.account_id == account.id
     end
 
+    test "you can invite users into an accounts groups", %{user: user, account: account} do
+      group = insert(:group, account: account)
+      {:ok, invite} = Accounts.create_invite(%{
+        email: "[email protected]",
+        invite_groups: [%{group_id: group.id}]
+      }, user)
+
+      assert invite.email == "[email protected]"
+      assert invite.secure_id
+      assert invite.account_id == account.id
+
+      %{groups: [%{id: id}]} = Core.Repo.preload(invite, [:groups])
+      assert id == group.id
+    end
+
+    test "you cannot invite users into another account's groups", %{user: user} do
+      group = insert(:group)
+      {:error, _} = Accounts.create_invite(%{
+        email: "[email protected]",
+        invite_groups: [%{group_id: group.id}]
+      }, user)
+    end
+
     test "it will not accept invalid emails", %{user: user} do
       {:error, _} = Accounts.create_invite(%{email: "invalidemail"}, user)
     end

apps/graphql/test/mutations/repository_mutation_test.exs

@@ -337,8 +337,8 @@ defmodule GraphQl.RepositoryMutationsTest do
       assert provider["redirectUris"] == ["example.com"]
       assert provider["configuration"]["issuer"] == "https://oidc.plural.sh/"
 
-      [%{"group" => g}] = provider["bindings"]
-      assert g["id"] == group.id
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["group", "id"]) == group.id)
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["user", "id"]) == installation.user.id)
     end
 
     test "it will create an user-bound oidc provider" do
@@ -385,8 +385,8 @@ defmodule GraphQl.RepositoryMutationsTest do
       assert provider["redirectUris"] == ["example.com"]
       assert provider["configuration"]["issuer"] == "https://oidc.plural.sh/"
 
-      [%{"group" => g}] = provider["bindings"]
-      assert g["id"] == group.id
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["group", "id"]) == group.id)
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["user", "id"]) == user.id)
     end
   end