Check user authorization before accessing the page

aleDsz · aleDsz · commit 040836fca64a · 2025-04-13T18:36:28.000-03:00
diff --git a/lib/livebook/zta/livebook_teams.ex b/lib/livebook/zta/livebook_teams.ex
@@ -79,7 +79,9 @@ defmodule Livebook.ZTA.LivebookTeams do
   defp handle_request(conn, team, _params) do
     case get_session(conn) do
       %{"livebook_teams_access_token" => access_token} ->
-        validate_access_token(conn, team, access_token)
+        conn
+        |> validate_access_token(team, access_token)
+        |> authorize_user(team)
 
       # it means, we couldn't reach to Teams server
       %{"teams_error" => true} ->
@@ -111,6 +113,27 @@ defmodule Livebook.ZTA.LivebookTeams do
     end
   end
 
+  defp authorize_user({%{halted: true} = conn, metadata}, _team) do
+    {conn, metadata}
+  end
+
+  defp authorize_user({%{path_info: path_info} = conn, metadata}, _team)
+       when path_info in [[], ["apps"]] do
+    {conn, metadata}
+  end
+
+  defp authorize_user({%{path_info: ["apps", slug | _]} = conn, metadata}, team) do
+    if Livebook.Apps.exists?(slug) do
+      check_app_access(conn, metadata, slug, team)
+    else
+      check_full_access(conn, metadata, team)
+    end
+  end
+
+  defp authorize_user({conn, metadata}, team) do
+    check_full_access(conn, metadata, team)
+  end
+
   defp retrieve_access_token(team, code) do
     with {:ok, %{"access_token" => access_token}} <-
            Teams.Requests.retrieve_access_token(team, code) do
@@ -177,4 +200,35 @@ defmodule Livebook.ZTA.LivebookTeams do
       {:ok, metadata}
     end
   end
+
+  defp check_full_access(conn, metadata, team) do
+    if Livebook.Hubs.TeamClient.user_full_access?(team.id, get_user!(metadata)) do
+      {conn, metadata}
+    else
+      {conn
+       |> put_view(LivebookWeb.ErrorHTML)
+       |> render("401.html", %{details: "You don't have permission to access this server"})
+       |> halt(), nil}
+    end
+  end
+
+  defp check_app_access(conn, metadata, slug, team) do
+    if Livebook.Hubs.TeamClient.user_app_access?(team.id, get_user!(metadata), slug) do
+      {conn, metadata}
+    else
+      {conn
+       |> put_view(LivebookWeb.ErrorHTML)
+       |> render("401.html", %{details: "You don't have permission to access this app"})
+       |> halt(), nil}
+    end
+  end
+
+  defp get_user!(metadata) do
+    {:ok, user} =
+      metadata.id
+      |> Livebook.Users.User.new()
+      |> Livebook.Users.update_user(metadata)
+
+    user
+  end
 end
diff --git a/test/livebook_teams/zta/livebook_teams_test.exs b/test/livebook_teams/zta/livebook_teams_test.exs
@@ -16,7 +16,7 @@ defmodule Livebook.ZTA.LivebookTeamsTest do
                     %{hub_id: ^hub_id, org_id: ^org_id, deployment_group_id: ^deployment_group_id}}
 
     start_supervised!({LivebookTeams, name: test, identity_key: team.id})
-    {:ok, deployment_group: deployment_group, team: team}
+    {:ok, deployment_group: deployment_group, org: org, team: team}
   end
 
   describe "authenticate/3" do
@@ -58,6 +58,171 @@ defmodule Livebook.ZTA.LivebookTeamsTest do
       assert {%{halted: false}, ^metadata} = LivebookTeams.authenticate(test, conn, [])
     end
 
+    test "authorizes user to access admin page with full access permission",
+         %{conn: conn, node: node, deployment_group: deployment_group, org: org, test: test} do
+      erpc_call(node, :toggle_groups_authorization, [deployment_group])
+      oidc_provider = erpc_call(node, :create_oidc_provider, [org])
+
+      authorization_group =
+        erpc_call(node, :create_authorization_group, [
+          %{
+            group_name: "developers",
+            access_type: :app_server,
+            oidc_provider: oidc_provider,
+            deployment_group: deployment_group
+          }
+        ])
+
+      {conn, code, %{groups: []}} = authenticate_user(conn, node, test)
+      session = get_session(conn)
+
+      conn =
+        build_conn(:get, ~p"/")
+        |> init_test_session(session)
+
+      group = %{
+        "oidc_provider_id" => to_string(oidc_provider.id),
+        "group_name" => authorization_group.group_name
+      }
+
+      # Get the user with updated groups
+      erpc_call(node, :update_user_info_groups, [code, [group]])
+      assert {%{halted: false}, %{groups: [^group]}} = LivebookTeams.authenticate(test, conn, [])
+    end
+
+    @tag :tmp_dir
+    test "renders unauthorized user to access app with prefix the user don't have access",
+         %{
+           conn: conn,
+           node: node,
+           deployment_group: deployment_group,
+           org: org,
+           tmp_dir: tmp_dir,
+           team: team,
+           test: test
+         } do
+      erpc_call(node, :toggle_groups_authorization, [deployment_group])
+      oidc_provider = erpc_call(node, :create_oidc_provider, [org])
+
+      authorization_group =
+        erpc_call(node, :create_authorization_group, [
+          %{
+            group_name: "marketing",
+            access_type: :apps,
+            prefixes: ["mkt-"],
+            oidc_provider: oidc_provider,
+            deployment_group: deployment_group
+          }
+        ])
+
+      Livebook.Apps.subscribe()
+      slug = "marketing-app"
+
+      notebook = %{
+        Livebook.Notebook.new()
+        | app_settings: %{Livebook.Notebook.AppSettings.new() | slug: slug},
+          file_entries: [],
+          name: slug,
+          hub_id: team.id,
+          deployment_group_id: to_string(deployment_group.id)
+      }
+
+      files_dir = Livebook.FileSystem.File.local(tmp_dir)
+
+      {:ok, %Livebook.Teams.AppDeployment{file: zip_content} = app_deployment} =
+        Livebook.Teams.AppDeployment.new(notebook, files_dir)
+
+      secret_key = Livebook.Teams.derive_key(team.teams_key)
+      encrypted_content = Livebook.Teams.encrypt(zip_content, secret_key)
+
+      Livebook.Teams.Broadcasts.subscribe(:app_deployments)
+
+      app_deployment_id =
+        erpc_call(node, :upload_app_deployment, [
+          org,
+          deployment_group,
+          app_deployment,
+          encrypted_content,
+          # broadcast?
+          true
+        ]).id
+
+      app_deployment_id = to_string(app_deployment_id)
+      assert_receive {:app_deployment_started, %{id: ^app_deployment_id}}
+
+      Livebook.Apps.Manager.sync_permanent_apps()
+      Livebook.Apps.subscribe()
+
+      assert_receive {:app_created, %{pid: pid, slug: ^slug}}
+
+      assert_receive {:app_updated,
+                      %{
+                        slug: ^slug,
+                        sessions: [%{app_status: %{execution: :executed, lifecycle: :active}}]
+                      }}
+
+      # Now we need to check if the current user has access to this app
+      {conn, code, %{groups: []}} = authenticate_user(conn, node, test)
+      session = get_session(conn)
+
+      conn =
+        build_conn(:get, ~p"/apps/#{slug}")
+        |> init_test_session(session)
+
+      group = %{
+        "oidc_provider_id" => to_string(oidc_provider.id),
+        "group_name" => authorization_group.group_name
+      }
+
+      # Get the user with updated groups
+      erpc_call(node, :update_user_info_groups, [code, [group]])
+      assert {%{halted: true} = conn, nil} = LivebookTeams.authenticate(test, conn, [])
+      assert html_response(conn, 200) =~ "You don&#39;t have permission to access this app"
+
+      # Guarantee we don't list the app for this user
+      conn = build_conn(:get, ~p"/") |> init_test_session(session)
+      {%{halted: false}, metadata} = LivebookTeams.authenticate(test, conn, [])
+      {:ok, user} = Livebook.Users.update_user(Livebook.Users.User.new(metadata.id), metadata)
+      assert Livebook.Apps.list_authorized_apps(user) == []
+
+      Livebook.App.close(pid)
+    end
+
+    test "renders unauthorized user to access admin page with slug prefix access permission",
+         %{conn: conn, node: node, deployment_group: deployment_group, org: org, test: test} do
+      erpc_call(node, :toggle_groups_authorization, [deployment_group])
+      oidc_provider = erpc_call(node, :create_oidc_provider, [org])
+
+      authorization_group =
+        erpc_call(node, :create_authorization_group, [
+          %{
+            group_name: "marketing",
+            access_type: :apps,
+            prefixes: ["mkt-"],
+            oidc_provider: oidc_provider,
+            deployment_group: deployment_group
+          }
+        ])
+
+      {conn, code, %{groups: []}} = authenticate_user(conn, node, test)
+
+      group = %{
+        "oidc_provider_id" => to_string(oidc_provider.id),
+        "group_name" => authorization_group.group_name
+      }
+
+      erpc_call(node, :update_user_info_groups, [code, [group]])
+
+      for page <- ["/settings", "/learn", "/hub", "/apps-dashboard"] do
+        conn =
+          build_conn(:get, page)
+          |> init_test_session(get_session(conn))
+
+        assert {%{halted: true} = conn, nil} = LivebookTeams.authenticate(test, conn, [])
+        assert html_response(conn, 200) =~ "You don&#39;t have permission to access this server"
+      end
+    end
+
     test "redirects to Livebook Teams with invalid access token",
          %{conn: conn, test: test} do
       conn = init_test_session(conn, %{livebook_teams_access_token: "1234567890"})
@@ -78,13 +243,12 @@ defmodule Livebook.ZTA.LivebookTeamsTest do
       conn = %Plug.Conn{conn | params: params_from_teams}
 
       {conn, nil} = LivebookTeams.authenticate(test, conn, [])
-      session = Plug.Conn.get_session(conn)
-
       assert conn.status == 302
 
       # Step 2: follow the redirect keeping the session set in previous request
-      conn = build_conn(:get, redirected_to(conn))
-      conn = init_test_session(conn, session)
+      conn =
+        build_conn(:get, redirected_to(conn))
+        |> init_test_session(get_session(conn))
 
       {conn, nil} = LivebookTeams.authenticate(test, conn, [])
 
@@ -95,51 +259,44 @@ defmodule Livebook.ZTA.LivebookTeamsTest do
 
   describe "logout/2" do
     test "revoke access token from Livebook Teams", %{conn: conn, node: node, test: test} do
-      # Step 1: Get redirected to Livebook Teams
-      conn = init_test_session(conn, %{})
-      {conn, nil} = LivebookTeams.authenticate(test, conn, [])
-
-      [_, location] = Regex.run(~r/URL\("(.*?)"\)/, html_response(conn, 200))
-      uri = URI.parse(location)
-      assert uri.path == "/identity/authorize"
-      assert %{"code" => code} = URI.decode_query(uri.query)
-
-      erpc_call(node, :allow_auth_request, [code])
-
-      # Step 2: Emulate the redirect back with the code for validation
-      conn =
-        build_conn(:get, "/", %{teams_identity: "", code: code})
-        |> init_test_session(Plug.Conn.get_session(conn))
-
-      assert {conn, %{id: _id, name: _, email: _, payload: %{}} = metadata} =
-               LivebookTeams.authenticate(test, conn, [])
-
-      assert redirected_to(conn, 302) == "/"
-
-      # Step 3: Confirm the token is valid for future requests
-      conn =
-        build_conn(:get, "/")
-        |> init_test_session(Plug.Conn.get_session(conn))
-
+      {conn, _code, metadata} = authenticate_user(conn, node, test)
       assert {%{halted: false}, ^metadata} = LivebookTeams.authenticate(test, conn, [])
 
-      # Step 4: Revoke the token and the metadata will be invalid for future requests
-      conn =
-        build_conn(:get, "/")
-        |> init_test_session(Plug.Conn.get_session(conn))
-
+      # Revoke the token and the metadata will be invalid for future requests
       assert %{status: 302} = conn = LivebookTeams.logout(test, conn)
       [url] = get_resp_header(conn, "location")
       assert %{status: 200} = Req.get!(url)
 
-      # Step 5: It we try to authenticate again, it should redirect to Teams
+      # If we try to authenticate again, it should redirect to Teams
       conn =
-        build_conn(:get, "/")
-        |> init_test_session(Plug.Conn.get_session(conn))
+        build_conn(:get, ~p"/")
+        |> init_test_session(get_session(conn))
 
       {conn, nil} = LivebookTeams.authenticate(test, conn, [])
       assert conn.halted
       assert html_response(conn, 200) =~ "window.location.href = "
     end
   end
+
+  defp authenticate_user(conn, node, test) do
+    conn = init_test_session(conn, %{})
+    {conn, nil} = LivebookTeams.authenticate(test, conn, [])
+
+    [_, location] = Regex.run(~r/URL\("(.*?)"\)/, html_response(conn, 200))
+    uri = URI.parse(location)
+    %{"code" => code} = URI.decode_query(uri.query)
+
+    erpc_call(node, :allow_auth_request, [code])
+
+    session = get_session(conn)
+
+    conn =
+      build_conn(:get, ~p"/", %{teams_identity: "", code: code})
+      |> init_test_session(session)
+
+    {conn, %{id: _id} = metadata} = LivebookTeams.authenticate(test, conn, [])
+    session = get_session(conn)
+
+    {init_test_session(build_conn(), session), code, metadata}
+  end
 end
