Check that client exists before assigning them an org role

Previously the set-org-role command would not validate that the provided client
ID actually corresponded to an existing client.  Fetching a client from UAA
requires the clients.read, clients.admin or zones.<zone.id>.admin scope so
users who want to assign roles to clients will need to verify that they have
one of those scopes if they want to use --client.

[#159967411]

Co-authored-by: Brendan Smith <[email protected]>
Co-authored-by: Will Murphy <[email protected]>
Co-authored-by: Tom Viehman <[email protected]>

Author: 4 people

cf/api/apifakes/fake_client_repository.go

@@ -0,0 +1,62 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	"code.cloudfoundry.org/cli/cf/api/resources"
+	"code.cloudfoundry.org/cli/cf/configuration/coreconfig"
+	"code.cloudfoundry.org/cli/cf/errors"
+	. "code.cloudfoundry.org/cli/cf/i18n"
+	"code.cloudfoundry.org/cli/cf/net"
+)
+
+//go:generate counterfeiter . ClientRepository
+
+type ClientRepository interface {
+	ClientExists(clientID string) (exists bool, apiErr error)
+}
+
+type CloudControllerClientRepository struct {
+	config     coreconfig.Reader
+	uaaGateway net.Gateway
+}
+
+func NewCloudControllerClientRepository(config coreconfig.Reader, uaaGateway net.Gateway) (repo CloudControllerClientRepository) {
+	repo.config = config
+	repo.uaaGateway = uaaGateway
+	return
+}
+
+func (repo CloudControllerClientRepository) ClientExists(clientID string) (exists bool, apiErr error) {
+	exists = false
+	uaaEndpoint, apiErr := repo.getAuthEndpoint()
+	if apiErr != nil {
+		return exists, apiErr
+	}
+
+	path := fmt.Sprintf("%s/oauth/clients/%s", uaaEndpoint, clientID)
+
+	uaaResponse := new(resources.UAAUserResources)
+	apiErr = repo.uaaGateway.GetResource(path, uaaResponse)
+	if apiErr != nil {
+		if errType, ok := apiErr.(errors.HTTPError); ok {
+			switch errType.StatusCode() {
+			case http.StatusNotFound:
+				return false, errors.NewModelNotFoundError("Client", clientID)
+			case http.StatusForbidden:
+				return false, errors.NewAccessDeniedError()
+			}
+		}
+		return false, apiErr
+	}
+	return true, nil
+}
+
+func (repo CloudControllerClientRepository) getAuthEndpoint() (string, error) {
+	uaaEndpoint := repo.config.UaaEndpoint()
+	if uaaEndpoint == "" {
+		return "", errors.New(T("UAA endpoint missing from config file"))
+	}
+	return uaaEndpoint, nil
+}

cf/api/clients.go

@@ -0,0 +1,125 @@
+package api_test
+
+import (
+	"fmt"
+	"net/http"
+
+	"code.cloudfoundry.org/cli/cf/api"
+	"code.cloudfoundry.org/cli/cf/configuration/coreconfig"
+	"code.cloudfoundry.org/cli/cf/errors"
+	"code.cloudfoundry.org/cli/cf/net"
+	"code.cloudfoundry.org/cli/cf/terminal/terminalfakes"
+	"code.cloudfoundry.org/cli/cf/trace/tracefakes"
+	testconfig "code.cloudfoundry.org/cli/cf/util/testhelpers/configuration"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"github.com/onsi/gomega/ghttp"
+)
+
+var _ = Describe("ClientRepository", func() {
+	Describe("ClientExists", func() {
+		var (
+			client     api.ClientRepository
+			uaaServer  *ghttp.Server
+			uaaGateway net.Gateway
+			config     coreconfig.ReadWriter
+		)
+
+		BeforeEach(func() {
+			uaaServer = ghttp.NewServer()
+			config = testconfig.NewRepositoryWithDefaults()
+
+			config.SetUaaEndpoint(uaaServer.URL())
+			uaaGateway = net.NewUAAGateway(config, new(terminalfakes.FakeUI), new(tracefakes.FakePrinter), "")
+			client = api.NewCloudControllerClientRepository(config, uaaGateway)
+		})
+
+		Context("when a client does not exist", func() {
+			var clientID string
+			BeforeEach(func() {
+				clientID = "some-client"
+
+				requestPath := fmt.Sprintf("/oauth/clients/%s", clientID)
+
+				uaaServer.AppendHandlers(
+					ghttp.CombineHandlers(
+						ghttp.VerifyRequest("GET", requestPath),
+						ghttp.RespondWith(http.StatusNotFound, ""),
+					),
+				)
+			})
+
+			It("returns a ModelNotFound error", func() {
+				b, err := client.ClientExists("some-client")
+				Expect(err).To(MatchError(&errors.ModelNotFoundError{
+					ModelType: "Client",
+					ModelName: "some-client",
+				}))
+				Expect(b).To(BeFalse())
+			})
+		})
+
+		Context("when the active user has insufficient permissions", func() {
+			var clientID string
+			BeforeEach(func() {
+				clientID = "some-client"
+
+				requestPath := fmt.Sprintf("/oauth/clients/%s", clientID)
+
+				uaaServer.AppendHandlers(
+					ghttp.CombineHandlers(
+						ghttp.VerifyRequest("GET", requestPath),
+						ghttp.RespondWith(http.StatusForbidden, ""),
+					),
+				)
+			})
+
+			It("returns an AccessDenied error", func() {
+				b, err := client.ClientExists(clientID)
+				Expect(err).To(MatchError(&errors.AccessDeniedError{}))
+				Expect(b).To(BeFalse())
+			})
+		})
+
+		Context("when a client does exist", func() {
+			var clientID string
+			BeforeEach(func() {
+				clientID = "some-client"
+
+				requestPath := fmt.Sprintf("/oauth/clients/%s", clientID)
+
+				uaaServer.AppendHandlers(
+					ghttp.CombineHandlers(
+						ghttp.VerifyRequest("GET", requestPath),
+						ghttp.RespondWith(http.StatusOK, ""),
+					),
+				)
+			})
+
+			It("returns true and no error", func() {
+				b, err := client.ClientExists("some-client")
+
+				Expect(b).To(BeTrue())
+				Expect(err).To(BeNil())
+
+			})
+		})
+
+		Context("when getAuthEndpoint fails", func() {
+			var executeErr error
+
+			BeforeEach(func() {
+				executeErr = errors.New("UAA endpoint missing from config file")
+				config.SetUaaEndpoint("")
+			})
+
+			It("returns that error", func() {
+				b, err := client.ClientExists("some-client")
+				Expect(b).To(BeFalse())
+				Expect(err).To(MatchError(executeErr))
+			})
+		})
+	})
+
+})

cf/api/clients_test.go

@@ -57,6 +57,7 @@ type RepositoryLocator struct {
 	routeServiceBindingRepo         RouteServiceBindingRepository
 	serviceSummaryRepo              ServiceSummaryRepository
 	userRepo                        UserRepository
+	clientRepo                      ClientRepository
 	passwordRepo                    password.Repository
 	logsRepo                        logs.Repository
 	authTokenRepo                   ServiceAuthTokenRepository
@@ -130,6 +131,7 @@ func NewRepositoryLocator(config coreconfig.ReadWriter, gatewaysByName map[strin
 	loc.spaceRepo = spaces.NewCloudControllerSpaceRepository(config, cloudControllerGateway)
 	loc.userProvidedServiceInstanceRepo = NewCCUserProvidedServiceInstanceRepository(config, cloudControllerGateway)
 	loc.userRepo = NewCloudControllerUserRepository(config, uaaGateway, cloudControllerGateway)
+	loc.clientRepo = NewCloudControllerClientRepository(config, uaaGateway)
 	loc.buildpackRepo = NewCloudControllerBuildpackRepository(config, cloudControllerGateway)
 	loc.buildpackBitsRepo = NewCloudControllerBuildpackBitsRepository(config, cloudControllerGateway, appfiles.ApplicationZipper{})
 	loc.securityGroupRepo = securitygroups.NewSecurityGroupRepo(config, cloudControllerGateway)
@@ -336,6 +338,15 @@ func (locator RepositoryLocator) GetUserRepository() UserRepository {
 	return locator.userRepo
 }
 
+func (locator RepositoryLocator) GetClientRepository() ClientRepository {
+	return locator.clientRepo
+}
+
+func (locator RepositoryLocator) SetClientRepository(repo ClientRepository) RepositoryLocator {
+	locator.clientRepo = repo
+	return locator
+}
+
 func (locator RepositoryLocator) SetPasswordRepository(repo password.Repository) RepositoryLocator {
 	locator.passwordRepo = repo
 	return locator

cf/api/repository_locator.go

@@ -110,6 +110,7 @@ func (f apiRequirementFactory) NewUserRequirement(username string, wantGUID bool
 func (f apiRequirementFactory) NewClientRequirement(username string) UserRequirement {
 	return NewClientRequirement(
 		username,
+		f.repoLocator.GetClientRepository(),
 	)
 }
 

cf/requirements/factory.go

@@ -13,17 +13,19 @@ type UserRequirement interface {
 }
 
 type userAPIRequirement struct {
-	username string
-	userRepo api.UserRepository
-	wantGUID bool
-	clientID string
+	username   string
+	userRepo   api.UserRepository
+	clientRepo api.ClientRepository
+	wantGUID   bool
+	clientID   string
 
 	user models.UserFields
 }
 
-func NewClientRequirement(clientID string) *userAPIRequirement {
+func NewClientRequirement(clientID string, clientRepo api.ClientRepository) *userAPIRequirement {
 	req := new(userAPIRequirement)
 	req.clientID = clientID
+	req.clientRepo = clientRepo
 	return req
 }
 
@@ -48,6 +50,11 @@ func (req *userAPIRequirement) Execute() error {
 			return err
 		}
 	} else if req.clientID != "" {
+		var err error
+		_, err = req.clientRepo.ClientExists(req.clientID)
+		if err != nil {
+			return err
+		}
 		req.user = models.UserFields{GUID: req.clientID, Username: req.clientID}
 	} else {
 		req.user = models.UserFields{Username: req.username}