Enable deletion of integration resources (#1294)

* Enforce admin service user role for integration group deletion Added a check to prevent non-admin service users from deleting integration groups. * Restrict deletion of integration user to admin service user only * Refactor user and group deletion tests
2024-11-26 01:53:42 +01:00 · 2023-11-07 17:02:51 +03:00 · 2023-11-07 17:02:51 +03:00 · 9f7e13fc87
commit 9f7e13fc87
parent 8be6e92563
4 changed files with 26 additions and 8 deletions
--- a/management/server/group.go
+++ b/management/server/group.go
@ -163,9 +163,15 @@ func (am *DefaultAccountManager) DeleteGroup(accountId, userId, groupID string)
 		return nil
 	}

-	// check integration link
+	// disable a deleting integration group if the initiator is not an admin service user
 	if g.Issued == GroupIssuedIntegration {
-		return &GroupLinkError{GroupIssuedIntegration, g.IntegrationReference.String()}
+		executingUser := account.Users[userId]
+		if executingUser == nil {
+			return status.Errorf(status.NotFound, "user not found")
+		}
+		if executingUser.Role != UserRoleAdmin || !executingUser.IsServiceUser {
+			return status.Errorf(status.PermissionDenied, "only admins service user can delete integration group")
+		}
 	}

 	// check route links
--- a/management/server/group_test.go
+++ b/management/server/group_test.go
@ -1,9 +1,11 @@
 package server

 import (
+	"errors"
 	"testing"

 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/route"
 )

@ -55,19 +57,28 @@ func TestDefaultAccountManager_DeleteGroup(t *testing.T) {
 		{
 			"integration",
 			"grp-for-integration",
-			"integration",
+			"only admins service user can delete integration group",
 		},
 	}

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			err = am.DeleteGroup(account.Id, "", testCase.groupID)
+			err = am.DeleteGroup(account.Id, groupAdminUserID, testCase.groupID)
 			if err == nil {
 				t.Errorf("delete %s group successfully", testCase.groupID)
 				return
 			}

-			gErr, ok := err.(*GroupLinkError)
+			var sErr *status.Error
+			if errors.As(err, &sErr) {
+				if sErr.Message != testCase.expectedReason {
+					t.Errorf("invalid error case: %s, expected: %s", sErr.Message, testCase.expectedReason)
+				}
+				return
+			}
+
+			var gErr *GroupLinkError
+			ok := errors.As(err, &gErr)
 			if !ok {
 				t.Error("invalid error type")
 				return
--- a/management/server/user.go
+++ b/management/server/user.go
@ -387,8 +387,9 @@ func (am *DefaultAccountManager) DeleteUser(accountID, initiatorUserID string, t
 		return status.Errorf(status.NotFound, "target user not found")
 	}

-	if targetUser.Issued == UserIssuedIntegration {
-		return status.Errorf(status.PermissionDenied, "only integration can delete this user")
+	// disable deleting integration user if the initiator is not admin service user
+	if targetUser.Issued == UserIssuedIntegration && !executingUser.IsServiceUser {
+		return status.Errorf(status.PermissionDenied, "only admin service user can delete this user")
 	}

 	// handle service user first and exit, no need to fetch extra data from IDP, etc
--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@ -508,7 +508,7 @@ func TestUser_DeleteUser_regularUser(t *testing.T) {
 			name:             "Delete integration regular user permission denied ",
 			userID:           "user4",
 			assertErrFunc:    assert.Error,
-			assertErrMessage: "only integration can delete this user",
+			assertErrMessage: "only admin service user can delete this user",
 		},
 	}