refactor(core): Log denials from subworkflow caller policy (no-changelog) (#9827)

This commit is contained in:
Iván Ovejero 2024-06-21 10:47:11 +02:00 committed by GitHub
parent 553b135b0b
commit f0ee0a1655
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -7,6 +7,7 @@ import { License } from '@/License';
import { OwnershipService } from '@/services/ownership.service'; import { OwnershipService } from '@/services/ownership.service';
import { SharedCredentialsRepository } from '@db/repositories/sharedCredentials.repository'; import { SharedCredentialsRepository } from '@db/repositories/sharedCredentials.repository';
import { ProjectService } from '@/services/project.service'; import { ProjectService } from '@/services/project.service';
import { Logger } from '@/Logger';
@Service() @Service()
export class PermissionChecker { export class PermissionChecker {
@ -15,6 +16,7 @@ export class PermissionChecker {
private readonly ownershipService: OwnershipService, private readonly ownershipService: OwnershipService,
private readonly license: License, private readonly license: License,
private readonly projectService: ProjectService, private readonly projectService: ProjectService,
private readonly logger: Logger,
) {} ) {}
/** /**
@ -68,7 +70,9 @@ export class PermissionChecker {
let policy = let policy =
subworkflow.settings?.callerPolicy ?? config.getEnv('workflows.callerPolicyDefaultOption'); subworkflow.settings?.callerPolicy ?? config.getEnv('workflows.callerPolicyDefaultOption');
if (!this.license.isSharingEnabled()) { const isSharingEnabled = this.license.isSharingEnabled();
if (!isSharingEnabled) {
// Community version allows only same owner workflows // Community version allows only same owner workflows
policy = 'workflowsFromSameOwner'; policy = 'workflowsFromSameOwner';
} }
@ -90,24 +94,56 @@ export class PermissionChecker {
); );
if (policy === 'none') { if (policy === 'none') {
this.logger.warn('[PermissionChecker] Subworkflow execution denied', {
callerWorkflowId: parentWorkflowId,
subworkflowId: subworkflow.id,
reason: 'Subworkflow may not be called',
policy,
isSharingEnabled,
});
throw errorToThrow; throw errorToThrow;
} }
if (policy === 'workflowsFromAList') { if (policy === 'workflowsFromAList') {
if (parentWorkflowId === undefined) { if (parentWorkflowId === undefined) {
this.logger.warn('[PermissionChecker] Subworkflow execution denied', {
reason: 'Subworkflow may be called only by workflows from an allowlist',
callerWorkflowId: parentWorkflowId,
subworkflowId: subworkflow.id,
policy,
isSharingEnabled,
});
throw errorToThrow; throw errorToThrow;
} }
const allowedCallerIds = subworkflow.settings.callerIds const allowedCallerIds = subworkflow.settings.callerIds
?.split(',') ?.split(',')
.map((id) => id.trim()) .map((id) => id.trim())
.filter((id) => id !== ''); .filter((id) => id !== '');
if (!allowedCallerIds?.includes(parentWorkflowId)) { if (!allowedCallerIds?.includes(parentWorkflowId)) {
this.logger.warn('[PermissionChecker] Subworkflow execution denied', {
reason: 'Subworkflow may be called only by workflows from an allowlist',
callerWorkflowId: parentWorkflowId,
subworkflowId: subworkflow.id,
allowlist: allowedCallerIds,
policy,
isSharingEnabled,
});
throw errorToThrow; throw errorToThrow;
} }
} }
if (policy === 'workflowsFromSameOwner' && subworkflowOwner?.id !== parentWorkflowOwner.id) { if (policy === 'workflowsFromSameOwner' && subworkflowOwner?.id !== parentWorkflowOwner.id) {
this.logger.warn('[PermissionChecker] Subworkflow execution denied', {
reason: 'Subworkflow may be called only by workflows owned by the same project',
callerWorkflowId: parentWorkflowId,
subworkflowId: subworkflow.id,
callerProjectId: parentWorkflowOwner.id,
subworkflowProjectId: subworkflowOwner.id,
policy,
isSharingEnabled,
});
throw errorToThrow; throw errorToThrow;
} }
} }