goto · rahmatrhd · Nov 27, 2024 · Nov 27, 2024 · Nov 29, 2024 · Nov 29, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -5,6 +5,11 @@ RUN apk add openssl
 
 RUN apk add --no-cache ca-certificates && update-ca-certificates
 
+# odps package has an unhandled (panicking) error that requires this pkg to be installed to avoid the panic:
+# https://github.com/aliyun/aliyun-odps-go-sdk/blob/master/odps/restclient/rest_client.go#L171
+# https://github.com/aliyun/aliyun-odps-go-sdk/blob/master/odps/common/http_const.go#L38
+RUN apk --no-cache add tzdata 
+
 RUN curl --output /usr/local/share/ca-certificates/SectigoRSADomainValidationSecureServerCA.crt http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 
 RUN openssl x509 -inform DER -in /usr/local/share/ca-certificates/SectigoRSADomainValidationSecureServerCA.crt -out /usr/local/share/ca-certificates/SectigoRSADomainValidationSecureServerCA.pem -text

diff --git a/core/appeal/mocks/grantService.go b/core/appeal/mocks/grantService.go
diff --git a/core/appeal/mocks/providerService.go b/core/appeal/mocks/providerService.go
diff --git a/core/appeal/service.go b/core/appeal/service.go
@@ -83,6 +83,7 @@ type providerService interface {
 	ValidateAppeal(context.Context, *domain.Appeal, *domain.Provider, *domain.Policy) error
 	GetPermissions(context.Context, *domain.ProviderConfig, string, string) ([]interface{}, error)
 	IsExclusiveRoleAssignment(context.Context, string, string) bool
+	GetDependencyGrants(context.Context, domain.Grant) ([]*domain.Grant, error)
 }
 
 //go:generate mockery --name=resourceService --exported --with-expecter
@@ -96,6 +97,7 @@ type grantService interface {
 	List(context.Context, domain.ListGrantsFilter) ([]domain.Grant, error)
 	Prepare(context.Context, domain.Appeal) (*domain.Grant, error)
 	Revoke(ctx context.Context, id, actor, reason string, opts ...grant.Option) (*domain.Grant, error)
+	Create(ctx context.Context, grant *domain.Grant) error
 }
 
 //go:generate mockery --name=auditLogger --exported --with-expecter
@@ -1489,10 +1491,52 @@ func (s *Service) GrantAccessToProvider(ctx context.Context, a *domain.Appeal, o
 		}
 	}
 
-	if err := s.providerService.GrantAccess(ctx, *a.Grant); err != nil {
+	appealCopy := *a
+	appealCopy.Grant = nil
+	grantWithAppeal := *a.Grant
+	grantWithAppeal.Appeal = &appealCopy
+
+	// grant access dependencies (if any)
+	dependencyGrants, err := s.providerService.GetDependencyGrants(ctx, grantWithAppeal)
+	if err != nil {
+		return fmt.Errorf("getting grant dependencies: %w", err)
+	}
+	for _, dg := range dependencyGrants {
+		activeDepGrants, err := s.grantService.List(ctx, domain.ListGrantsFilter{
+			Statuses:     []string{string(domain.GrantStatusActive)},
+			AccountIDs:   []string{dg.AccountID},
+			AccountTypes: []string{dg.AccountType},
+			ResourceIDs:  []string{dg.Resource.ID},
+			Permissions:  dg.Permissions,
+			Size:         1,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to get existing active grant dependency: %w", err)
+		}
+
+		if len(activeDepGrants) > 0 {
+			continue
+		}
+
+		dg.Status = domain.GrantStatusActive
+		dg.Appeal = &appealCopy
+		if err := s.providerService.GrantAccess(ctx, *dg); err != nil {
+			return fmt.Errorf("failed to grant an access dependency: %w", err)
+		}
+		dg.Appeal = nil
+
+		dg.Owner = a.CreatedBy
+		if err := s.grantService.Create(ctx, dg); err != nil {
+			return fmt.Errorf("failed to store grant of access dependency: %w", err)
+		}
+	}
+
+	// grant main access
+	if err := s.providerService.GrantAccess(ctx, grantWithAppeal); err != nil {
 		return fmt.Errorf("granting access: %w", err)
 	}
 
+	grantWithAppeal.Appeal = nil
 	return nil
 }
 

diff --git a/core/appeal/service_test.go b/core/appeal/service_test.go
@@ -12,6 +12,8 @@ import (
 	"time"
 
 	"github.com/go-playground/validator/v10"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/uuid"
 	"github.com/goto/guardian/core/appeal"
 	appealmocks "github.com/goto/guardian/core/appeal/mocks"
@@ -2476,6 +2478,7 @@ func (s *ServiceTestSuite) TestCreate() {
 			h.mockGrantService.EXPECT().List(mock.Anything, mock.Anything).Return([]domain.Grant{}, nil).Once()
 			h.mockGrantService.EXPECT().Prepare(mock.Anything, mock.Anything).Return(&domain.Grant{}, nil).Once()
 			h.mockPolicyService.EXPECT().GetOne(mock.Anything, mock.Anything, mock.Anything).Return(overriddingPolicy, nil).Once()
+			h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
 			h.mockProviderService.EXPECT().GrantAccess(mock.Anything, mock.Anything).Return(nil).Once()
 
 			err := h.service.Create(context.Background(), []*domain.Appeal{input}, appeal.CreateWithAdditionalAppeal())
@@ -2740,6 +2743,7 @@ func (s *ServiceTestSuite) TestCreate__WithExistingAppealAndWithAutoApprovalStep
 		).
 		Return(preparedGrant, nil).Once()
 	h.mockPolicyService.EXPECT().GetOne(mock.Anything, policies[0].ID, policies[0].Version).Return(policies[0], nil).Once()
+	h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
 	h.mockProviderService.EXPECT().GrantAccess(mock.Anything, mock.Anything).Return(nil).Once()
 
 	h.mockRepository.EXPECT().
@@ -2930,6 +2934,7 @@ func (s *ServiceTestSuite) TestCreate__WithAdditionalAppeals() {
 	h.mockPolicyService.EXPECT().GetOne(mock.AnythingOfType("*context.cancelCtx"), policies[0].ID, policies[0].Version).Return(policies[0], nil).Once()
 
 	// 2.b grant access for the additional appeal
+	h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
 	h.mockProviderService.EXPECT().GrantAccess(mock.AnythingOfType("*context.cancelCtx"), mock.AnythingOfType("domain.Grant")).Return(nil).Once().Run(func(args mock.Arguments) {
 		grant := args.Get(1).(domain.Grant)
 		s.Equal(expectedAdditionalGrant.ID, grant.ID)
@@ -2943,6 +2948,7 @@ func (s *ServiceTestSuite) TestCreate__WithAdditionalAppeals() {
 	h.mockNotifier.EXPECT().Notify(h.ctxMatcher, mock.Anything).Return(nil).Once()
 
 	// 1.b grant access for the main appeal
+	h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
 	h.mockProviderService.EXPECT().GrantAccess(h.ctxMatcher, mock.AnythingOfType("domain.Grant")).Return(nil).Once().Run(func(args mock.Arguments) {
 		grant := args.Get(1).(domain.Grant)
 		s.Equal(expectedGrant.ID, grant.ID)
@@ -4830,6 +4836,7 @@ func (s *ServiceTestSuite) TestUpdateApproval() {
 				appeal.RevokeReasonForExtension, mock.Anything, mock.Anything).
 			Return(expectedNewGrant, nil).Once()
 		h.mockPolicyService.EXPECT().GetOne(mock.Anything, mock.Anything, mock.Anything).Return(dummyPolicy, nil).Once()
+		h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
 		h.mockProviderService.EXPECT().GrantAccess(mock.Anything, mock.Anything).Return(nil).Once()
 		h.mockRepository.EXPECT().Update(h.ctxMatcher, appealDetails).Return(nil).Once()
 		h.mockNotifier.EXPECT().Notify(h.ctxMatcher, mock.Anything).Return(nil).Once()
@@ -5276,7 +5283,8 @@ func (s *ServiceTestSuite) TestUpdateApproval() {
 					h.mockGrantService.EXPECT().
 						Prepare(mock.Anything, mock.Anything).Return(tc.expectedGrant, nil).Once()
 
-					h.mockProviderService.EXPECT().GrantAccess(mock.Anything, *tc.expectedGrant).Return(nil).Once()
+					h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
+					h.mockProviderService.EXPECT().GrantAccess(mock.Anything, grantArgMatcher(*tc.expectedGrant)).Return(nil).Once()
 				}
 
 				h.mockRepository.EXPECT().Update(h.ctxMatcher, tc.expectedResult).Return(nil).Once()
@@ -5433,7 +5441,8 @@ func (s *ServiceTestSuite) TestUpdateApproval() {
 					h.mockGrantService.EXPECT().
 						Prepare(mock.Anything, mock.Anything).Return(tc.expectedGrant, nil).Once()
 
-					h.mockProviderService.EXPECT().GrantAccess(mock.Anything, *tc.expectedGrant).Return(nil).Once()
+					h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
+					h.mockProviderService.EXPECT().GrantAccess(mock.Anything, grantArgMatcher(*tc.expectedGrant)).Return(nil).Once()
 				}
 
 				h.mockRepository.EXPECT().Update(h.ctxMatcher, tc.expectedResult).Return(nil).Once()
@@ -5531,6 +5540,7 @@ func (s *ServiceTestSuite) TestUpdateApproval() {
 				h.mockGrantService.EXPECT().
 					Prepare(mock.Anything, mock.Anything).Return(nil, nil).Once()
 
+				h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
 				h.mockProviderService.EXPECT().GrantAccess(mock.Anything, mock.Anything).Return(nil).Once()
 
 				h.mockRepository.EXPECT().Update(h.ctxMatcher, mock.Anything).Return(nil).Once()
@@ -5611,9 +5621,8 @@ func (s *ServiceTestSuite) TestGrantAccessToProvider() {
 				Version: 1,
 			}, nil).Once()
 
-		h.mockProviderService.
-			On("GrantAccess", mock.Anything, mock.Anything).
-			Return(fmt.Errorf("error")).Once()
+		h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
+		h.mockProviderService.EXPECT().GrantAccess(mock.Anything, mock.Anything).Return(fmt.Errorf("error")).Once()
 
 		actualError := h.service.GrantAccessToProvider(context.Background(), &domain.Appeal{
 			PolicyID:      "policy_1",
@@ -5633,9 +5642,8 @@ func (s *ServiceTestSuite) TestGrantAccessToProvider() {
 				Version: 1,
 			}, nil).Once()
 
-		h.mockProviderService.
-			On("GrantAccess", mock.Anything, mock.Anything).
-			Return(nil).Once()
+		h.mockProviderService.EXPECT().GetDependencyGrants(mock.Anything, mock.AnythingOfType("domain.Grant")).Return(nil, nil).Once()
+		h.mockProviderService.EXPECT().GrantAccess(mock.Anything, mock.Anything).Return(nil).Once()
 
 		actualError := h.service.GrantAccessToProvider(context.Background(), &domain.Appeal{
 			PolicyID:      "policy_1",
@@ -6295,3 +6303,14 @@ func (s *ServiceTestSuite) TestGetAppealsTotalCount() {
 		s.NoError(actualError)
 	})
 }
+
+func grantArgMatcher(expected domain.Grant) any {
+	return mock.MatchedBy(func(actual domain.Grant) bool {
+		return cmp.Equal(
+			expected,
+			actual,
+			cmpopts.EquateApproxTime(time.Millisecond),
+			cmpopts.IgnoreFields(domain.Grant{}, "Appeal"),
+		)
+	})
+}
diff --git a/core/grant/mocks/repository.go b/core/grant/mocks/repository.go
diff --git a/core/grant/service.go b/core/grant/service.go
@@ -30,6 +30,7 @@ type repository interface {
 	BulkUpsert(context.Context, []*domain.Grant) error
 	GetGrantsTotalCount(context.Context, domain.ListGrantsFilter) (int64, error)
 	ListUserRoles(context.Context, string) ([]string, error)
+	Create(context.Context, *domain.Grant) error
 }
 
 //go:generate mockery --name=providerService --exported --with-expecter
@@ -110,6 +111,10 @@ func (s *Service) GetByID(ctx context.Context, id string) (*domain.Grant, error)
 	return s.repo.GetByID(ctx, id)
 }
 
+func (s *Service) Create(ctx context.Context, grant *domain.Grant) error {
+	return s.repo.Create(ctx, grant)
+}
+
 func (s *Service) Update(ctx context.Context, payload *domain.GrantUpdate) (*domain.Grant, error) {
 	grant, err := s.GetByID(ctx, payload.ID)
 	if err != nil {