github/drone
5
0
Fork 0
mirror of https://github.com/harness/drone.git synced 2025-05-06 02:40:52 +08:00
Code Issues Packages Projects Releases Wiki Activity
ad619c7e3c
drone/internal/api/controller/user/create.go
Johannes Batzill 3ba0f75c8d Introduce UIDs for Space / Repo / Tokens, Add Custom Harness Validation, ... (#57) 
This change adds the following:
- Space UID + Custom harness validation (accountId for top level space, harness identifier for child spaces)
- Repo UID + Custom harness validation (harness identifier)
- Store Unique casing of space / repo path and add Path.ValueUnique (with Unique index) to allow for application layer controlling the case sensitivity (case insensitive standalone vs partially case sensitive harness)
- Token UID (unique index over ownertype + ownerID + tokenUID)
- Add DisplayName for principals (replaces Name to avoid confustion)
- Store Unique casing of principal UID and add Principal.ValueUnique (with unique index) to allow for application layer, per principal type control of case sensitivity (required in embedded mode)
- Generate serviceAccount UID (+Email) Randomly (sa-{space|repo}-{ID}-{random}) - Allows to have a unique UID across all principals while reducing likelyhood of overlaps with users + avoid overlap across spaces / repos.
- Sync casing of space names (accountId orgId projectId) when creating spaces on the fly (to ensure case sensitivity of - harness code) or use the existing space to update casing.
- Update serviceaccount client to match updated NG Manager API
- in embedded mode create spaces for harness resources owning the service account
2022-11-06 23:14:47 -08:00

96 lines
2.5 KiB
Go
Raw Blame History

// Copyright 2022 Harness Inc. All rights reserved.
// Use of this source code is governed by the Polyform Free Trial License
// that can be found in the LICENSE.md file for this repository.
package user
import (
"context"
"fmt"
"time"
"github.com/dchest/uniuri"
apiauth "github.com/harness/gitness/internal/api/auth"
"github.com/harness/gitness/internal/auth"
"github.com/harness/gitness/types"
"github.com/harness/gitness/types/check"
"github.com/harness/gitness/types/enum"
"golang.org/x/crypto/bcrypt"
)
// CreateInput is the input used for create operations.
// On purpose don't expose admin, has to be enabled explicitly.
type CreateInput struct {
UID string `json:"uid"`
Email string `json:"email"`
DisplayName string `json:"displayName"`
Password string `json:"password"`
}
/*
* Create creates a new user.
*/
func (c *Controller) Create(ctx context.Context, session *auth.Session, in *CreateInput) (*types.User, error) {
// Ensure principal has required permissions (user is global, no explicit resource)
scope := &types.Scope{}
resource := &types.Resource{
Type: enum.ResourceTypeUser,
}
if err := apiauth.Check(ctx, c.authorizer, session, scope, resource, enum.PermissionUserCreate); err != nil {
return nil, err
}
return c.CreateNoAuth(ctx, in, false)
}
/*
* CreateNoAuth creates a new user without auth checks.
* WARNING: Never call as part of user flow.
*
* Note: take admin separately to avoid potential vulnerabilities for user calls.
*/
func (c *Controller) CreateNoAuth(ctx context.Context, in *CreateInput, admin bool) (*types.User, error) {
// validate password before hashing
if err := check.Password(in.Password); err != nil {
return nil, err
}
hash, err := hashPassword([]byte(in.Password), bcrypt.DefaultCost)
if err != nil {
return nil, fmt.Errorf("failed to create hash: %w", err)
}
user := &types.User{
UID: in.UID,
DisplayName: in.DisplayName,
Email: in.Email,
Password: string(hash),
Salt: uniuri.NewLen(uniuri.UUIDLen),
Created: time.Now().UnixMilli(),
Updated: time.Now().UnixMilli(),
Admin: admin,
}
// validate user
if err = c.userCheck(user); err != nil {
return nil, err
}
err = c.userStore.Create(ctx, user)
if err != nil {
return nil, err
}
// first user will be admin by default.
// TODO: move responsibility somewhere else.
if user.ID == 1 {
user.Admin = true
err = c.userStore.Update(ctx, user)
if err != nil {
return nil, err
}
}
return user, nil
}
Reference in New Issue View Git Blame Copy Permalink