Skip to content

Commit

Permalink
feat: add flag to enable dangerous mutations, disabled by default
Browse files Browse the repository at this point in the history
  • Loading branch information
shreddedbacon committed Jun 27, 2024
1 parent 5637896 commit bc4abb5
Show file tree
Hide file tree
Showing 9 changed files with 194 additions and 100 deletions.
1 change: 1 addition & 0 deletions docker-compose.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,7 @@ services:
- S3_BAAS_ACCESS_KEY_ID=minio
- S3_BAAS_SECRET_ACCESS_KEY=minio123
- CONSOLE_LOGGING_LEVEL=debug
- ENABLE_DANGEROUS_GRAPHQL_MUTATIONS=true # enable all the deleteAll mutations only for local development
depends_on:
api-lagoon-migrations:
condition: service_started
Expand Down
18 changes: 13 additions & 5 deletions services/api/src/resources/backup/resolvers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ import { Helpers as projectHelpers } from '../project/helpers';
import { getEnvVarsByProjectId } from '../env-variables/resolvers';
import { logger } from '../../loggers/logger';

const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"

const getRestoreLocation = async (backupId, restoreLocation, sqlClientPool) => {
let restoreSize = 0;
const rows = await query(sqlClientPool, Sql.selectBackupByBackupId(backupId));
Expand Down Expand Up @@ -233,14 +235,20 @@ export const deleteAllBackups: ResolverFn = async (
args,
{ sqlClientPool, hasPermission, userActivityLogger }
) => {
await hasPermission('backup', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('backup', 'deleteAll');

await query(sqlClientPool, Sql.truncateBackup());
await query(sqlClientPool, Sql.truncateBackup());

userActivityLogger(`User deleted all backups`);
userActivityLogger(`User deleted all backups`);

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

export const addRestore: ResolverFn = async (
Expand Down
30 changes: 19 additions & 11 deletions services/api/src/resources/environment/resolvers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ import { Helpers as organizationHelpers } from '../organization/helpers';
import { getFactFilteredEnvironmentIds } from '../fact/resolvers';
import { getUserProjectIdsFromRoleProjectIds } from '../../util/auth';

const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"

export const getEnvironmentByName: ResolverFn = async (
root,
args,
Expand Down Expand Up @@ -725,20 +727,26 @@ export const deleteAllEnvironments: ResolverFn = async (
args,
{ sqlClientPool, hasPermission, userActivityLogger }
) => {
await hasPermission('environment', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('environment', 'deleteAll');

await query(sqlClientPool, Sql.truncateEnvironment());
await query(sqlClientPool, Sql.truncateEnvironment());

userActivityLogger(`User deleted all environments'`, {
project: '',
event: 'api:deleteAllEnvironments',
payload: {
args
}
});
userActivityLogger(`User deleted all environments'`, {
project: '',
event: 'api:deleteAllEnvironments',
payload: {
args
}
});

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

// @deprecated in favor of addOrUpdateEnvironmentService and deleteEnvironmentService, will eventually be removed
Expand Down
34 changes: 21 additions & 13 deletions services/api/src/resources/group/resolvers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ import { sqlClientPool } from '../../clients/sqlClient';

const DISABLE_NON_ORGANIZATION_GROUP_CREATION = process.env.DISABLE_NON_ORGANIZATION_GROUP_CREATION || "false"

const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"

export const getAllGroups: ResolverFn = async (
root,
{ name, type },
Expand Down Expand Up @@ -515,23 +517,29 @@ export const deleteAllGroups: ResolverFn = async (
_args,
{ models, hasPermission }
) => {
await hasPermission('group', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('group', 'deleteAll');

const allGroups = await models.GroupModel.loadAllGroups();
const groups = await models.GroupModel.transformKeycloakGroups(allGroups);
const allGroups = await models.GroupModel.loadAllGroups();
const groups = await models.GroupModel.transformKeycloakGroups(allGroups);

let deleteErrors: String[] = [];
for (const group of groups) {
try {
await models.GroupModel.deleteGroup(group.id);
} catch (err) {
deleteErrors = [...deleteErrors, `${group.name} (${group.id})`];
let deleteErrors: String[] = [];
for (const group of groups) {
try {
await models.GroupModel.deleteGroup(group.id);
} catch (err) {
deleteErrors = [...deleteErrors, `${group.name} (${group.id})`];
}
}
}

return R.ifElse(R.isEmpty, R.always('success'), deleteErrors => {
throw new Error(`Could not delete groups: ${deleteErrors.join(', ')}`);
})(deleteErrors);
return R.ifElse(R.isEmpty, R.always('success'), deleteErrors => {
throw new Error(`Could not delete groups: ${deleteErrors.join(', ')}`);
})(deleteErrors);
}
};

export const addUserToGroup: ResolverFn = async (
Expand Down
86 changes: 62 additions & 24 deletions services/api/src/resources/notification/resolvers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ import { logger } from '../../loggers/logger';

const DISABLE_NON_ORGANIZATION_NOTIFICATION_ASSIGNMENT = process.env.DISABLE_NON_ORGANIZATION_NOTIFICATION_ASSIGNMENT || "false"

const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"

const addNotificationGeneric = async (sqlClientPool, notificationTable, input) => {
const createSql = knex(notificationTable).insert(input).toString();

Expand Down Expand Up @@ -701,77 +703,113 @@ export const deleteAllNotificationSlacks: ResolverFn = async (
args,
{ sqlClientPool, hasPermission }
) => {
await hasPermission('notification', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('notification', 'deleteAll');

await query(sqlClientPool, Sql.truncateNotificationSlack());
await query(sqlClientPool, Sql.truncateNotificationSlack());

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

export const deleteAllNotificationEmails: ResolverFn = async (
root,
args,
{ sqlClientPool, hasPermission }
) => {
await hasPermission('notification', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('notification', 'deleteAll');

await query(sqlClientPool, Sql.truncateNotificationEmail());
await query(sqlClientPool, Sql.truncateNotificationEmail());

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

export const deleteAllNotificationRocketChats: ResolverFn = async (
root,
args,
{ sqlClientPool, hasPermission }
) => {
await hasPermission('notification', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('notification', 'deleteAll');

await query(sqlClientPool, Sql.truncateNotificationRocketchat());
await query(sqlClientPool, Sql.truncateNotificationRocketchat());

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

export const deleteAllNotificationMicrosoftTeams: ResolverFn = async (
root,
args,
{ sqlClientPool, hasPermission }
) => {
await hasPermission('notification', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('notification', 'deleteAll');

await query(sqlClientPool, Sql.truncateNotificationMicrosoftTeams());
await query(sqlClientPool, Sql.truncateNotificationMicrosoftTeams());

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

export const deleteAllNotificationWebhook: ResolverFn = async (
root,
args,
{ sqlClientPool, hasPermission },
) => {
await hasPermission('notification', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('notification', 'deleteAll');

await query(sqlClientPool, Sql.truncateNotificationWebhook());
await query(sqlClientPool, Sql.truncateNotificationWebhook());

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

export const removeAllNotificationsFromAllProjects: ResolverFn = async (
root,
args,
{ sqlClientPool, hasPermission }
) => {
await hasPermission('notification', 'removeAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('notification', 'removeAll');

await query(sqlClientPool, Sql.truncateProjectNotification());
await query(sqlClientPool, Sql.truncateProjectNotification());

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};

export const getAllNotifications: ResolverFn = async (
Expand Down
26 changes: 17 additions & 9 deletions services/api/src/resources/openshift/resolvers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ import { query, isPatchEmpty, knex } from '../../util/db';
import { Helpers as projectHelpers } from '../project/helpers';
import { Sql } from './sql';

const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"

export const getToken: ResolverFn = async (
kubernetes,
_args,
Expand Down Expand Up @@ -219,16 +221,22 @@ export const deleteAllOpenshifts: ResolverFn = async (
args,
{ sqlClientPool, hasPermission, userActivityLogger }
) => {
await hasPermission('openshift', 'deleteAll');
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('openshift', 'deleteAll');

await query(sqlClientPool, Sql.truncateOpenshift());
await query(sqlClientPool, Sql.truncateOpenshift());

userActivityLogger(`User deleted all openshifts`, {
project: '',
event: 'api:updateOpenshift',
payload: { }
});
userActivityLogger(`User deleted all openshifts`, {
project: '',
event: 'api:updateOpenshift',
payload: { }
});

// TODO: Check rows for success
return 'success';
// TODO: Check rows for success
return 'success';
}
};
38 changes: 23 additions & 15 deletions services/api/src/resources/project/resolvers.ts
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ const DISABLE_CORE_HARBOR = process.env.DISABLE_CORE_HARBOR || "false"

const DISABLE_NON_ORGANIZATION_PROJECT_CREATION = process.env.DISABLE_NON_ORGANIZATION_PROJECT_CREATION || "false"

const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"

const isValidGitUrl = value => {
try {
GitUrlParse(value)
Expand Down Expand Up @@ -939,26 +941,32 @@ export const deleteAllProjects: ResolverFn = async (
args,
{ sqlClientPool, hasPermission, userActivityLogger }
) => {
await hasPermission('project', 'deleteAll');

const projectNames = await Helpers(sqlClientPool).getAllProjectNames();
if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
throw new Error(
'This mutation has been disabled'
);
} else {
await hasPermission('project', 'deleteAll');

await query(sqlClientPool, Sql.truncateProject());
const projectNames = await Helpers(sqlClientPool).getAllProjectNames();

for (const name of projectNames) {
await KeycloakOperations.deleteGroup(name);
}
await query(sqlClientPool, Sql.truncateProject());

userActivityLogger(`User deleted all projects`, {
project: '',
event: 'api:deleteAllProjects',
payload: {
...args
for (const name of projectNames) {
await KeycloakOperations.deleteGroup(name);
}
});

// TODO: Check rows for success
return 'success';
userActivityLogger(`User deleted all projects`, {
project: '',
event: 'api:deleteAllProjects',
payload: {
...args
}
});

// TODO: Check rows for success
return 'success';
}
};

export const removeProjectMetadataByKey: ResolverFn = async (
Expand Down
Loading

0 comments on commit bc4abb5

Please sign in to comment.