Merge branch 'main' of github.com:l3montree-dev/flawfix

Author: seb-kw

cmd/devguard/api/api.go

@@ -304,7 +304,8 @@ func multiOrganizationMiddleware(rbacProvider core.RBACProvider, organizationSer
 					return ctx.JSON(500, map[string]string{"error": "no oauth2 config found for external entity provider"})
 				}
 
-				domainRBAC = accesscontrol.NewExternalEntityProviderRBAC(ctx, core.GetThirdPartyIntegration(ctx), *org.ExternalEntityProviderID, *conf.AdminToken)
+				domainRBAC = accesscontrol.NewExternalEntityProviderRBAC(ctx, core.GetThirdPartyIntegration(ctx), *org.ExternalEntityProviderID, conf.AdminToken)
+
 			} else {
 				domainRBAC = rbacProvider.GetDomainRBAC(org.ID.String())
 			}

internal/accesscontrol/external_entity_provider_rbac.go

@@ -11,7 +11,7 @@ type externalEntityProviderRBAC struct {
 	thirdPartyIntegration    core.ThirdPartyIntegration
 	externalEntityProviderID string
 	externalEntityID         string
-	adminToken               string
+	adminToken               *string
 	ctx                      core.Context
 }
 
@@ -29,7 +29,7 @@ func isRoleAllowedToPerformAction(role string, action core.Action) bool {
 	return false
 }
 
-func NewExternalEntityProviderRBAC(ctx core.Context, thirdPartyIntegration core.ThirdPartyIntegration, externalEntityProviderID string, adminToken string) core.AccessControl {
+func NewExternalEntityProviderRBAC(ctx core.Context, thirdPartyIntegration core.ThirdPartyIntegration, externalEntityProviderID string, adminToken *string) core.AccessControl {
 	return &externalEntityProviderRBAC{
 		thirdPartyIntegration:    thirdPartyIntegration,
 		externalEntityProviderID: externalEntityProviderID,
@@ -79,7 +79,7 @@ func (e *externalEntityProviderRBAC) GetExternalEntityProviderID() *string {
 */
 
 func (e *externalEntityProviderRBAC) HasAccess(userID string) (bool, error) {
-	if userID == e.adminToken {
+	if e.adminToken != nil && userID == *e.adminToken {
 		return true, nil
 	}
 	return e.thirdPartyIntegration.HasAccessToExternalEntityProvider(e.ctx, e.externalEntityProviderID)
@@ -117,7 +117,7 @@ func (e *externalEntityProviderRBAC) AllowRole(role string, object core.Object,
 	return nil
 }
 func (e *externalEntityProviderRBAC) IsAllowed(userID string, object core.Object, action core.Action) (bool, error) {
-	if userID == e.adminToken {
+	if e.adminToken != nil && userID == *e.adminToken {
 		if action == core.ActionRead {
 			return true, nil
 		}
@@ -142,7 +142,7 @@ func (e *externalEntityProviderRBAC) IsAllowedInProject(project *models.Project,
 	if project.ExternalEntityProviderID == nil || project.ExternalEntityID == nil {
 		return false, nil
 	}
-	if user == e.adminToken && action == core.ActionRead {
+	if e.adminToken != nil && user == *e.adminToken && action == core.ActionRead {
 		return true, nil
 	}
 

internal/accesscontrol/external_entity_provider_rbac_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/l3montree-dev/devguard/internal/core"
+	"github.com/l3montree-dev/devguard/internal/utils"
 	"github.com/l3montree-dev/devguard/mocks"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -17,7 +18,7 @@ func TestIsAllowed(t *testing.T) {
 		userID         string
 		object         core.Object
 		action         core.Action
-		adminToken     string
+		adminToken     *string
 		mockRole       string
 		mockRoleErr    error
 		expectedResult bool
@@ -30,23 +31,23 @@ func TestIsAllowed(t *testing.T) {
 			userID:         "admin-token",
 			object:         core.ObjectProject,
 			action:         core.ActionRead,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			expectedResult: true,
 		},
 		{
 			name:           "all users can read organization",
 			userID:         "user1",
 			object:         core.ObjectOrganization,
 			action:         core.ActionRead,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			expectedResult: true,
 		},
 		{
 			name:           "role member can read",
 			userID:         "user2",
 			object:         core.ObjectProject,
 			action:         core.ActionRead,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			mockRole:       core.RoleMember,
 			expectedResult: true,
 		},
@@ -55,7 +56,7 @@ func TestIsAllowed(t *testing.T) {
 			userID:         "user3",
 			object:         core.ObjectProject,
 			action:         core.ActionUpdate,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			mockRole:       core.RoleAdmin,
 			expectedResult: true,
 		},
@@ -64,7 +65,7 @@ func TestIsAllowed(t *testing.T) {
 			userID:         "user4",
 			object:         core.ObjectProject,
 			action:         core.ActionUpdate,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			mockRole:       core.RoleMember,
 			expectedResult: false,
 		},
@@ -73,7 +74,7 @@ func TestIsAllowed(t *testing.T) {
 			userID:      "user5",
 			object:      core.ObjectProject,
 			action:      core.ActionRead,
-			adminToken:  "admin-token",
+			adminToken:  utils.Ptr("admin-token"),
 			mockRoleErr: errors.New("some error"),
 			expectErr:   true,
 		},
@@ -82,7 +83,7 @@ func TestIsAllowed(t *testing.T) {
 			userID:         "user6",
 			object:         core.ObjectProject,
 			action:         core.ActionDelete,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			mockRole:       core.RoleAdmin,
 			expectedResult: false,
 		},
@@ -91,7 +92,7 @@ func TestIsAllowed(t *testing.T) {
 			userID:         "user7",
 			object:         core.ObjectProject,
 			action:         core.ActionDelete,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			mockRole:       core.RoleMember,
 			expectedResult: false,
 		},
@@ -100,7 +101,7 @@ func TestIsAllowed(t *testing.T) {
 			userID:         "user8",
 			object:         core.ObjectProject,
 			action:         core.ActionDelete,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			mockRole:       core.RoleOwner,
 			expectedResult: true,
 		},
@@ -109,15 +110,15 @@ func TestIsAllowed(t *testing.T) {
 			userID:         "admin-token",
 			object:         core.ObjectProject,
 			action:         core.ActionCreate,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			expectedResult: false,
 		},
 		{
 			name:           "admin token cannot delete",
 			userID:         "admin-token",
 			object:         core.ObjectProject,
 			action:         core.ActionDelete,
-			adminToken:     "admin-token",
+			adminToken:     utils.Ptr("admin-token"),
 			expectedResult: false,
 		},
 	}
@@ -159,7 +160,7 @@ func TestHasAccess(t *testing.T) {
 			nil,
 			nil,
 			"external-entity-provider-id",
-			"admin-token",
+			utils.Ptr("admin-token"),
 		)
 
 		hasAccess, err := rbac.HasAccess("admin-token")
@@ -175,7 +176,7 @@ func TestHasAccess(t *testing.T) {
 			nil,
 			thirdpartyIntegrationMock,
 			"external-entity-provider-id",
-			"",
+			nil,
 		)
 
 		hasAccess, err := rbac.HasAccess("user1")
@@ -190,7 +191,7 @@ func TestHasAccess(t *testing.T) {
 			nil,
 			thirdpartyIntegrationMock,
 			"external-entity-provider-id",
-			"",
+			nil,
 		)
 
 		hasAccess, err := rbac.HasAccess("user1")

internal/core/integrations/gitlabint/gitlab_integration.go

@@ -336,15 +336,44 @@ func (g *GitlabIntegration) ListGroups(ctx core.Context, userID string, provider
 	}
 	// get the groups for this user
 	groups, _, err := gitlabClient.ListGroups(ctx.Request().Context(), &gitlab.ListGroupsOptions{
-		MinAccessLevel: utils.Ptr(gitlab.ReporterPermissions), // only list groups where the user has at least owner permissions
+		ListOptions: gitlab.ListOptions{PerPage: 100},
+		//MinAccessLevel: utils.Ptr(gitlab.ReporterPermissions),
+		// only list groups where the user has at least reporter permissions
 	})
 
 	if err != nil {
 		slog.Error("failed to list groups", "err", err)
 		return nil, err
 	}
 
-	return utils.Map(groups, func(el *gitlab.Group) models.Project {
+	errgroup := utils.ErrGroup[*gitlab.Group](10)
+	for _, group := range groups {
+		errgroup.Go(func() (*gitlab.Group, error) {
+			member, _, err := gitlabClient.GetMemberInGroup(ctx.Request().Context(), token.GitLabUserID, (*group).ID)
+			if err != nil {
+				if strings.Contains(err.Error(), "403 Forbidden") || strings.Contains(err.Error(), "404 Not Found") {
+					return nil, nil
+				} else {
+
+					return nil, err
+				}
+			}
+			if member.AccessLevel >= gitlab.ReporterPermissions {
+				return group, nil
+			}
+			return nil, nil
+		})
+	}
+
+	cleanedGroups, err := errgroup.WaitAndCollect()
+	if err != nil {
+		return nil, err
+	}
+	cleanedGroups = utils.Filter(cleanedGroups, func(g *gitlab.Group) bool {
+		return g != nil
+	})
+
+	return utils.Map(cleanedGroups, func(el *gitlab.Group) models.Project {
 		return groupToProject(el, providerID)
 	}), nil
 }

internal/core/integrations/thirdparty_integration.go

@@ -102,6 +102,7 @@ func (t *thirdPartyIntegrations) GetRoleInGroup(ctx context.Context, userID stri
 			return role, nil
 		}
 	}
+	//when we are part of a subgroup we also have some basic access level to see the parent groups but we have no permissions to fetch the members of those groups
 	return "", fmt.Errorf("no role found for user %s in org %s with providerID %s", userID, groupID, providerID)
 }
 

internal/core/org/org_service.go

@@ -59,6 +59,10 @@ func (o *orgService) CreateOrganization(ctx core.Context, organization models.Or
 		return echo.NewHTTPError(409, "organizations with an empty name or an empty slug are not allowed").WithInternal(fmt.Errorf("organizations with an empty name or an empty slug are not allowed"))
 	}
 
+	if organization.Name == "opencode" || organization.Name == "gitlab" || organization.Name == "github" {
+		return echo.NewHTTPError(409, "organizations named opencode, github or gitlab are not allowed").WithInternal(fmt.Errorf("organizations named opencode, github or gitlab are not allowed"))
+	}
+
 	err := o.organizationRepository.Create(nil, &organization)
 	if err != nil {
 		if strings.Contains(err.Error(), "duplicate key value") { //Check the returned error of Create Function