Add ability to delegate authorization to external sources

Author: nickking-brt

server/core/config/parser_validator_test.go

@@ -1326,10 +1326,13 @@ func TestParseGlobalCfg(t *testing.T) {
 					},
 				},
 				Workflows: defaultCfg.Workflows,
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"disable repo locks": {
-			input: `repos: 
+			input: `repos:
 - id: /.*/
   repo_locks:
     mode: disabled`,
@@ -1342,6 +1345,9 @@ func TestParseGlobalCfg(t *testing.T) {
 					},
 				},
 				Workflows: defaultCfg.Workflows,
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"no workflows key": {
@@ -1362,6 +1368,9 @@ workflows:
 					"default": defaultCfg.Workflows["default"],
 					"name":    defaultWorkflow("name"),
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"workflow stages empty": {
@@ -1380,6 +1389,9 @@ workflows:
 					"default": defaultCfg.Workflows["default"],
 					"name":    defaultWorkflow("name"),
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"workflow steps empty": {
@@ -1403,6 +1415,9 @@ workflows:
 					"default": defaultCfg.Workflows["default"],
 					"name":    defaultWorkflow("name"),
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"all keys specified": {
@@ -1509,6 +1524,9 @@ policies:
 						},
 					},
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"id regex with trailing slash": {
@@ -1526,6 +1544,9 @@ repos:
 				Workflows: map[string]valid.Workflow{
 					"default": defaultCfg.Workflows["default"],
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"referencing default workflow": {
@@ -1545,6 +1566,9 @@ repos:
 				Workflows: map[string]valid.Workflow{
 					"default": defaultCfg.Workflows["default"],
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 		"redefine default workflow": {
@@ -1620,6 +1644,9 @@ workflows:
 						},
 					},
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 	}
@@ -1841,6 +1868,9 @@ func TestParserValidator_ParseGlobalCfgJSON(t *testing.T) {
 						},
 					},
 				},
+				TeamAuthz: valid.TeamAuthz{
+					Args: make([]string, 0),
+				},
 			},
 		},
 	}

server/core/config/raw/global_cfg.go

@@ -17,6 +17,7 @@ type GlobalCfg struct {
 	Workflows  map[string]Workflow `yaml:"workflows" json:"workflows"`
 	PolicySets PolicySets          `yaml:"policies" json:"policies"`
 	Metrics    Metrics             `yaml:"metrics" json:"metrics"`
+	TeamAuthz  TeamAuthz           `yaml:"team_authz" json:"team_authz"`
 }
 
 // Repo is the raw schema for repos in the server-side repo config.
@@ -161,6 +162,7 @@ func (g GlobalCfg) ToValid(defaultCfg valid.GlobalCfg) valid.GlobalCfg {
 		Workflows:  workflows,
 		PolicySets: g.PolicySets.ToValid(),
 		Metrics:    g.Metrics.ToValid(),
+		TeamAuthz:  g.TeamAuthz.ToValid(),
 	}
 }
 

server/core/config/raw/team_authz.go

@@ -0,0 +1,21 @@
+package raw
+
+import "github.com/runatlantis/atlantis/server/core/config/valid"
+
+type TeamAuthz struct {
+	Command string   `yaml:"command" json:"command"`
+	Args    []string `yaml:"args" json:"args"`
+}
+
+func (t *TeamAuthz) ToValid() valid.TeamAuthz {
+	var v valid.TeamAuthz
+	v.Command = t.Command
+	v.Args = make([]string, 0)
+	if t.Args != nil {
+		for _, arg := range t.Args {
+			v.Args = append(v.Args, arg)
+		}
+	}
+
+	return v
+}

server/core/config/valid/global_cfg.go

@@ -47,6 +47,7 @@ type GlobalCfg struct {
 	Workflows  map[string]Workflow
 	PolicySets PolicySets
 	Metrics    Metrics
+	TeamAuthz  TeamAuthz
 }
 
 type Metrics struct {
@@ -249,6 +250,9 @@ func NewGlobalCfgFromArgs(args GlobalCfgArgs) GlobalCfg {
 		Workflows: map[string]Workflow{
 			DefaultWorkflowName: defaultWorkflow,
 		},
+		TeamAuthz: TeamAuthz{
+			Args: make([]string, 0),
+		},
 	}
 }
 

server/core/config/valid/global_cfg_test.go

@@ -89,6 +89,9 @@ func TestNewGlobalCfg(t *testing.T) {
 		Workflows: map[string]valid.Workflow{
 			"default": expDefaultWorkflow,
 		},
+		TeamAuthz: valid.TeamAuthz{
+			Args: make([]string, 0),
+		},
 	}
 
 	cases := []struct {

server/core/config/valid/team_authz.go

@@ -0,0 +1,6 @@
+package valid
+
+type TeamAuthz struct {
+	Command string   `yaml:"command" json:"command"`
+	Args    []string `yaml:"args" json:"args"`
+}

server/events/command/context.go

@@ -46,4 +46,7 @@ type Context struct {
 
 	// API is true if plan/apply by API endpoints
 	API bool
+
+	// TeamAllowlistChecker is used to check authorization on a project-level
+	TeamAllowlistChecker TeamAllowlistChecker
 }

server/events/command/project_context.go

@@ -126,6 +126,9 @@ type ProjectContext struct {
 	// Allows custom policy check tools outside of Conftest to run in checks
 	CustomPolicyCheck bool
 	SilencePRComments []string
+
+	// TeamAllowlistChecker is used to check authorization on a project-level
+	TeamAllowlistChecker TeamAllowlistChecker
 }
 
 // SetProjectScopeTags adds ProjectContext tags to a new returned scope.

server/events/team_allowlist_checker.go server/events/command/team_allowlist_checker.go

@@ -1,6 +1,7 @@
-package events
+package command
 
 import (
+	"github.com/runatlantis/atlantis/server/events/models"
 	"strings"
 )
 
@@ -10,14 +11,25 @@ const wildcard = "*"
 // mapOfStrings is an alias for map[string]string
 type mapOfStrings map[string]string
 
-// TeamAllowlistChecker implements checking the teams and the operations that the members
+type TeamAllowlistChecker interface {
+	// HasRules returns true if the checker has rules defined
+	HasRules() bool
+
+	// IsCommandAllowedForTeam determines if the specified team can perform the specified action
+	IsCommandAllowedForTeam(ctx models.TeamAllowlistCheckerContext, team, command string) bool
+
+	// IsCommandAllowedForAnyTeam determines if any of the specified teams can perform the specified action
+	IsCommandAllowedForAnyTeam(ctx models.TeamAllowlistCheckerContext, teams []string, command string) bool
+}
+
+// DefaultTeamAllowlistChecker implements checking the teams and the operations that the members
 // of a particular team are allowed to perform
-type TeamAllowlistChecker struct {
+type DefaultTeamAllowlistChecker struct {
 	rules []mapOfStrings
 }
 
 // NewTeamAllowlistChecker constructs a new checker
-func NewTeamAllowlistChecker(allowlist string) (*TeamAllowlistChecker, error) {
+func NewTeamAllowlistChecker(allowlist string) (*DefaultTeamAllowlistChecker, error) {
 	var rules []mapOfStrings
 	pairs := strings.Split(allowlist, ",")
 	if pairs[0] != "" {
@@ -29,18 +41,18 @@ func NewTeamAllowlistChecker(allowlist string) (*TeamAllowlistChecker, error) {
 			rules = append(rules, m)
 		}
 	}
-	return &TeamAllowlistChecker{
+	return &DefaultTeamAllowlistChecker{
 		rules: rules,
 	}, nil
 }
 
-func (checker *TeamAllowlistChecker) HasRules() bool {
+func (checker *DefaultTeamAllowlistChecker) HasRules() bool {
 	return len(checker.rules) > 0
 }
 
 // IsCommandAllowedForTeam returns true if the team is allowed to execute the command
 // and false otherwise.
-func (checker *TeamAllowlistChecker) IsCommandAllowedForTeam(team string, command string) bool {
+func (checker *DefaultTeamAllowlistChecker) IsCommandAllowedForTeam(_ models.TeamAllowlistCheckerContext, team string, command string) bool {
 	for _, rule := range checker.rules {
 		for key, value := range rule {
 			if (key == wildcard || strings.EqualFold(key, team)) && (value == wildcard || strings.EqualFold(value, command)) {
@@ -53,7 +65,7 @@ func (checker *TeamAllowlistChecker) IsCommandAllowedForTeam(team string, comman
 
 // IsCommandAllowedForAnyTeam returns true if any of the teams is allowed to execute the command
 // and false otherwise.
-func (checker *TeamAllowlistChecker) IsCommandAllowedForAnyTeam(teams []string, command string) bool {
+func (checker *DefaultTeamAllowlistChecker) IsCommandAllowedForAnyTeam(ctx models.TeamAllowlistCheckerContext, teams []string, command string) bool {
 	if len(teams) == 0 {
 		for _, rule := range checker.rules {
 			for key, value := range rule {
@@ -64,7 +76,7 @@ func (checker *TeamAllowlistChecker) IsCommandAllowedForAnyTeam(teams []string,
 		}
 	} else {
 		for _, t := range teams {
-			if checker.IsCommandAllowedForTeam(t, command) {
+			if checker.IsCommandAllowedForTeam(ctx, t, command) {
 				return true
 			}
 		}

server/events/command/team_allowlist_checker_test.go

@@ -0,0 +1,44 @@
+package command_test
+
+import (
+	"github.com/runatlantis/atlantis/server/events/command"
+	"github.com/runatlantis/atlantis/server/events/models"
+	"testing"
+
+	. "github.com/runatlantis/atlantis/testing"
+)
+
+func TestNewTeamAllowListChecker(t *testing.T) {
+	allowlist := `bob:plan, dave:apply`
+	_, err := command.NewTeamAllowlistChecker(allowlist)
+	Ok(t, err)
+}
+
+func TestNewTeamAllowListCheckerEmpty(t *testing.T) {
+	allowlist := ``
+	checker, err := command.NewTeamAllowlistChecker(allowlist)
+	Ok(t, err)
+	Equals(t, false, checker.HasRules())
+}
+
+func TestIsCommandAllowedForTeam(t *testing.T) {
+	allowlist := `bob:plan, dave:apply, connie:plan, connie:apply`
+	checker, err := command.NewTeamAllowlistChecker(allowlist)
+	Ok(t, err)
+	Equals(t, true, checker.IsCommandAllowedForTeam(models.TeamAllowlistCheckerContext{}, "connie", "plan"))
+	Equals(t, true, checker.IsCommandAllowedForTeam(models.TeamAllowlistCheckerContext{}, "connie", "apply"))
+	Equals(t, true, checker.IsCommandAllowedForTeam(models.TeamAllowlistCheckerContext{}, "dave", "apply"))
+	Equals(t, true, checker.IsCommandAllowedForTeam(models.TeamAllowlistCheckerContext{}, "bob", "plan"))
+	Equals(t, false, checker.IsCommandAllowedForTeam(models.TeamAllowlistCheckerContext{}, "bob", "apply"))
+}
+
+func TestIsCommandAllowedForAnyTeam(t *testing.T) {
+	allowlist := `alpha:plan,beta:release,*:unlock,nobody:*`
+	teams := []string{`alpha`, `beta`}
+	checker, err := command.NewTeamAllowlistChecker(allowlist)
+	Ok(t, err)
+	Equals(t, true, checker.IsCommandAllowedForAnyTeam(models.TeamAllowlistCheckerContext{}, teams, `plan`))
+	Equals(t, true, checker.IsCommandAllowedForAnyTeam(models.TeamAllowlistCheckerContext{}, teams, `release`))
+	Equals(t, true, checker.IsCommandAllowedForAnyTeam(models.TeamAllowlistCheckerContext{}, teams, `unlock`))
+	Equals(t, false, checker.IsCommandAllowedForAnyTeam(models.TeamAllowlistCheckerContext{}, teams, `noop`))
+}