feat(api): forbidden create unresolved contact type (#1030)

moira-alert · May 23, 2024 · f8ec459 · f8ec459
1 parent b40375d
commit f8ec459
Show file tree

Hide file tree

Showing 9 changed files with 268 additions and 63 deletions.
diff --git a/api/config.go b/api/config.go
@@ -42,8 +42,9 @@ type Config struct {
 
 // Authorization contains authorization configuration.
 type Authorization struct {
-	AdminList map[string]struct{}
-	Enabled   bool
+	AdminList           map[string]struct{}
+	Enabled             bool
+	AllowedContactTypes map[string]struct{}
 }
 
 // IsEnabled returns true if auth is enabled and false otherwise.

diff --git a/api/controller/contact.go b/api/controller/contact.go
@@ -15,6 +15,9 @@ import (
 	"github.com/moira-alert/moira/database"
 )
 
+// ErrNotAllowedContactType means that this type of contact is not allowed to be created.
+var ErrNotAllowedContactType = errors.New("cannot create contact with not allowed contact type")
+
 // GetAllContacts gets all moira contacts.
 func GetAllContacts(database moira.Database) (*dto.ContactList, *api.ErrorResponse) {
 	contacts, err := database.GetAllContacts()
@@ -47,11 +50,21 @@ func GetContactById(database moira.Database, contactID string) (*dto.Contact, *a
 }
 
 // CreateContact creates new notification contact for current user.
-func CreateContact(dataBase moira.Database, auth *api.Authorization, contact *dto.Contact, userLogin, teamID string) *api.ErrorResponse {
+func CreateContact(
+	dataBase moira.Database,
+	auth *api.Authorization,
+	contact *dto.Contact,
+	userLogin,
+	teamID string,
+) *api.ErrorResponse {
 	if userLogin != "" && teamID != "" {
 		return api.ErrorInternalServer(fmt.Errorf("CreateContact: cannot create contact when both userLogin and teamID specified"))
 	}
 
+	if !isAllowedContactType(auth, userLogin, contact.Type) {
+		return api.ErrorInvalidRequest(ErrNotAllowedContactType)
+	}
+
 	// Only admins are allowed to create contacts for other users
 	if !auth.IsAdmin(userLogin) || contact.User == "" {
 		contact.User = userLogin
@@ -91,7 +104,16 @@ func CreateContact(dataBase moira.Database, auth *api.Authorization, contact *dt
 }
 
 // UpdateContact updates notification contact for current user.
-func UpdateContact(dataBase moira.Database, contactDTO dto.Contact, contactData moira.ContactData) (dto.Contact, *api.ErrorResponse) {
+func UpdateContact(
+	dataBase moira.Database,
+	auth *api.Authorization,
+	contactDTO dto.Contact,
+	contactData moira.ContactData,
+) (dto.Contact, *api.ErrorResponse) {
+	if !isAllowedContactType(auth, contactDTO.User, contactDTO.Type) {
+		return contactDTO, api.ErrorInvalidRequest(ErrNotAllowedContactType)
+	}
+
 	contactData.Type = contactDTO.Type
 	contactData.Value = contactDTO.Value
 	contactData.Name = contactDTO.Name
@@ -227,3 +249,11 @@ func isContactExists(dataBase moira.Database, contactID string) (bool, error) {
 	}
 	return true, nil
 }
+
+func isAllowedContactType(auth *api.Authorization, userLogin string, contactType string) bool {
+	isAdmin := auth.IsAdmin(userLogin)
+
+	_, isAllowedContact := auth.AllowedContactTypes[contactType]
+
+	return isAllowedContact || isAdmin
+}