Fix an issue which the pipeline owner cannot approve his pipeline

Signed-off-by: rick <rick@jenkins-zh.cn>
2020-12-02 14:07:55 +08:00
parent 8451c18277
commit 92e7349cf9
4 changed files with 23 additions and 9 deletions
--- a/go.mod
+++ b/go.mod
@@ -51,6 +51,7 @@ require (
 	github.com/kubernetes-csi/external-snapshotter/v2 v2.1.0
 	github.com/kubesphere/sonargo v0.0.2
 	github.com/lib/pq v1.2.0 // indirect
+	github.com/mitchellh/mapstructure v1.2.2
 	github.com/onsi/ginkgo v1.12.0
 	github.com/onsi/gomega v1.9.0
 	github.com/open-policy-agent/opa v0.18.0
@@ -80,6 +81,7 @@ require (
 	gopkg.in/src-d/go-git.v4 v4.11.0
 	gopkg.in/yaml.v2 v2.3.0
 	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c
+	gotest.tools v2.2.0+incompatible
 	istio.io/api v0.0.0-20191111210003-35e06ef8d838
 	istio.io/client-go v0.0.0-20191113122552-9bd0ba57c3d2
 	k8s.io/api v0.17.5
--- a/pkg/kapis/devops/v1alpha2/devops.go
+++ b/pkg/kapis/devops/v1alpha2/devops.go
@@ -26,6 +26,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/api"
 	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 	"kubesphere.io/kubesphere/pkg/apiserver/request"
+	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/models/devops"
 	clientDevOps "kubesphere.io/kubesphere/pkg/simple/client/devops"
 	"net/http"
@@ -229,6 +230,17 @@ func (h *ProjectPipelineHandler) approvableCheck(nodes []clientDevOps.NodesDetai
 	}
 }

+func (h *ProjectPipelineHandler) createdBy(projectName string, pipelineName string, currentUserName string) bool {
+	if pipeline, err := h.devopsOperator.GetPipelineObj(projectName, pipelineName); err == nil {
+		if creator, ok := pipeline.Annotations[constants.CreatorAnnotationKey]; ok {
+			return creator == currentUserName
+		}
+	} else {
+		log.Error(fmt.Sprintf("cannot get pipeline %s/%s, error %#v", projectName, pipelineName, err))
+	}
+	return false
+}
+
 func (h *ProjectPipelineHandler) getCurrentUser(req *restful.Request) (username, roleName string) {
 	var userInfo user.Info
 	var ok bool
@@ -247,8 +259,10 @@ func (h *ProjectPipelineHandler) getCurrentUser(req *restful.Request) (username,

 func (h *ProjectPipelineHandler) hasSubmitPermission(req *restful.Request) (hasPermit bool, err error) {
 	currentUserName, roleName := h.getCurrentUser(req)
-	// check if current user belong to the admin group, grant it if it's true
-	if roleName == iamv1alpha2.PlatformAdmin {
+	projectName := req.PathParameter("devops")
+	pipelineName := req.PathParameter("pipeline")
+	// check if current user belong to the admin group or he's the owner, grant it if it's true
+	if roleName == iamv1alpha2.PlatformAdmin || h.createdBy(projectName, pipelineName, currentUserName) {
 		hasPermit = true
 		return
 	}
@@ -261,8 +275,6 @@ func (h *ProjectPipelineHandler) hasSubmitPermission(req *restful.Request) (hasP
 		PostForm: req.Request.PostForm,
 	}

-	projectName := req.PathParameter("devops")
-	pipelineName := req.PathParameter("pipeline")
 	runId := req.PathParameter("run")
 	nodeId := req.PathParameter("node")
 	stepId := req.PathParameter("step")
--- a/pkg/kapis/devops/v1alpha2/handler.go
+++ b/pkg/kapis/devops/v1alpha2/handler.go
@@ -36,9 +36,9 @@ type PipelineSonarHandler struct {
 	pipelineSonarGetter devops.PipelineSonarGetter
 }

-func NewProjectPipelineHandler(devopsClient devopsClient.Interface, amInterface am.AccessManagementInterface) ProjectPipelineHandler {
+func NewProjectPipelineHandler(devopsClient devopsClient.Interface, ksInformers externalversions.SharedInformerFactory, amInterface am.AccessManagementInterface) ProjectPipelineHandler {
 	return ProjectPipelineHandler{
-		devopsOperator:          devops.NewDevopsOperator(devopsClient, nil, nil, nil, nil),
+		devopsOperator:          devops.NewDevopsOperator(devopsClient, nil, nil, ksInformers, nil),
 		projectCredentialGetter: devops.NewProjectCredentialOperator(devopsClient),
 		amInterface:             amInterface,
 	}
--- a/pkg/kapis/devops/v1alpha2/register.go
+++ b/pkg/kapis/devops/v1alpha2/register.go
@@ -50,7 +50,7 @@ var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
 func AddToContainer(container *restful.Container, ksInformers externalversions.SharedInformerFactory, devopsClient devops.Interface, sonarqubeClient sonarqube.SonarInterface, ksClient versioned.Interface, s3Client s3.Interface, endpoint string, amInterface am.AccessManagementInterface) error {
 	ws := runtime.NewWebService(GroupVersion)

-	err := AddPipelineToWebService(ws, devopsClient, amInterface)
+	err := AddPipelineToWebService(ws, devopsClient, ksInformers, amInterface)
 	if err != nil {
 		return err
 	}
@@ -75,12 +75,12 @@ func AddToContainer(container *restful.Container, ksInformers externalversions.S
 	return nil
 }

-func AddPipelineToWebService(webservice *restful.WebService, devopsClient devops.Interface, amInterface am.AccessManagementInterface) error {
+func AddPipelineToWebService(webservice *restful.WebService, devopsClient devops.Interface, ksInformers externalversions.SharedInformerFactory, amInterface am.AccessManagementInterface) error {

 	projectPipelineEnable := devopsClient != nil

 	if projectPipelineEnable {
-		projectPipelineHandler := NewProjectPipelineHandler(devopsClient, amInterface)
+		projectPipelineHandler := NewProjectPipelineHandler(devopsClient, ksInformers, amInterface)

 		webservice.Route(webservice.GET("/devops/{devops}/credentials/{credential}/usage").
 			To(projectPipelineHandler.GetProjectCredentialUsage).