From a6d0881665b046f5171c59fbf13922324864d4ed Mon Sep 17 00:00:00 2001
From: Kevin Glisson
Date: Thu, 19 Dec 2024 13:16:56 -0800
Subject: [PATCH 1/2] Adds additional permissions and switches to minmal to prevent information disclosure
---
 src/dispatch/workflow/models.py | 4 ++--
 src/dispatch/workflow/views.py | 39 +++++++++++++++++++++++++++------
 2 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/src/dispatch/workflow/models.py b/src/dispatch/workflow/models.py
index b29749b6ca7c..32e45995380a 100644
--- a/src/dispatch/workflow/models.py
+++ b/src/dispatch/workflow/models.py
@@ -21,7 +21,7 @@
 Pagination,
 )
 from dispatch.participant.models import ParticipantRead
-from dispatch.plugin.models import PluginInstance, PluginInstanceRead
+from dispatch.plugin.models import PluginInstance, PluginInstanceReadMinimal
 from dispatch.project.models import ProjectRead
 from .enums import WorkflowInstanceStatus
@@ -121,7 +121,7 @@ class WorkflowSignal(DispatchBase):
 class WorkflowBase(DispatchBase):
 name: NameStr
 resource_id: str
- plugin_instance: PluginInstanceRead
+ plugin_instance: PluginInstanceReadMinimal
 parameters: Optional[List[dict]] = []
 enabled: Optional[bool]
 description: Optional[str] = Field(None, nullable=True)
diff --git a/src/dispatch/workflow/views.py b/src/dispatch/workflow/views.py
index 553b8e7229c9..988f42a653cc 100644
--- a/src/dispatch/workflow/views.py
+++ b/src/dispatch/workflow/views.py
@@ -1,8 +1,9 @@
-from fastapi import APIRouter, HTTPException, status
+from fastapi import APIRouter, HTTPException, status, Depends
 from pydantic.error_wrappers import ErrorWrapper, ValidationError
 from dispatch.database.core import DbSession
 from dispatch.database.service import CommonParameters, search_filter_sort_paginate
+from dispatch.auth.permissions import SensitiveProjectActionPermission, PermissionsDependency
 from dispatch.exceptions import NotFoundError
 from dispatch.models import PrimaryKey
 from dispatch.plugin import service as plugin_service
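Review bot: In the `@@ -121,7 +121,7 @@` hunk of models.py the type swap is made on `WorkflowBase`, so every schema that inherits from it changes at once, request bodies included if the create and update models derive from this base (those classes are outside the hunk, so this is inferred). The disclosure fix now depends entirely on which fields `PluginInstanceReadMinimal` declares, and nothing in this patch pins that. I would add a comment above the field, `# Minimal on purpose: workflow responses must not serialize plugin instance configuration`, and a test that fetches a workflow and asserts the serialized `plugin_instance` holds only the minimal fields.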
@@ -27,7 +28,11 @@ def get_workflows(common: CommonParameters):
 return search_filter_sort_paginate(model="Workflow", **common)
-@router.get("/{workflow_id}", response_model=WorkflowRead)
+@router.get(
+ "/{workflow_id}",
+ response_model=WorkflowRead,
+ dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
+)
 def get_workflow(db_session: DbSession, workflow_id: PrimaryKey):
 """Get a workflow."""
 workflow = get(db_session=db_session, workflow_id=workflow_id)
@@ -39,7 +44,11 @@ def get_workflow(db_session: DbSession, workflow_id: PrimaryKey):
 return workflow
-@router.get("/instances/{workflow_instance_id}", response_model=WorkflowInstanceRead)
+@router.get(
+ "/instances/{workflow_instance_id}",
+ response_model=WorkflowInstanceRead,
+ dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
+)
 def get_workflow_instance(db_session: DbSession, workflow_instance_id: PrimaryKey):
 """Get a workflow instance."""
 workflow_instance = get_instance(db_session=db_session, instance_id=workflow_instance_id)
@@ -51,7 +60,11 @@ def get_workflow_instance(db_session: DbSession, workflow_instance_id: PrimaryKe
 return workflow_instance
-@router.post("", response_model=WorkflowRead)
+@router.post(
+ "",
+ response_model=WorkflowRead,
+ dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
+)
 def create_workflow(db_session: DbSession, workflow_in: WorkflowCreate):
 """Create a new workflow."""
 plugin_instance = plugin_service.get_instance(
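Review bot: `get_workflows`, whose `return search_filter_sort_paginate(model="Workflow", **common)` is the first context line of the `@@ -27,7 +28,11 @@` hunk, is not given a `dependencies=` guard while the six routes below it are. Its decorator is outside the hunk, so confirm that its response model embeds the plugin instance only through the minimal schema; otherwise the list route still returns the data the single-object route is being restricted for. If the list is meant to stay readable by every authenticated user, say so on the route, e.g. `# Listing is unrestricted; the response exposes only PluginInstanceReadMinimal fields`.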
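Review bot: The same `dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))]` list is spelled out in the `@@ -39,7 +44,11 @@` hunk and in five more decorators of this patch (`get_workflow`, `create_workflow`, `update_workflow`, `delete_workflow`, `run_workflow`). Binding it once at module level, `sensitive_project_action = [Depends(PermissionsDependency([SensitiveProjectActionPermission]))]`, and passing `dependencies=sensitive_project_action` keeps the routes in step and makes a route without a guard stand out in review.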
@@ -66,7 +79,11 @@ def create_workflow(db_session: DbSession, workflow_in: WorkflowCreate):
 return create(db_session=db_session, workflow_in=workflow_in)
-@router.put("/{workflow_id}", response_model=WorkflowRead)
+@router.put(
+ "/{workflow_id}",
+ response_model=WorkflowRead,
+ dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
+)
 def update_workflow(db_session: DbSession, workflow_id: PrimaryKey, workflow_in: WorkflowUpdate):
 """Update a workflow."""
 workflow = get(db_session=db_session, workflow_id=workflow_id)
@@ -78,7 +95,11 @@ def update_workflow(db_session: DbSession, workflow_id: PrimaryKey, workflow_in:
 return update(db_session=db_session, workflow=workflow, workflow_in=workflow_in)
-@router.delete("/{workflow_id}", response_model=None)
+@router.delete(
+ "/{workflow_id}",
+ response_model=None,
+ dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
+)
 def delete_workflow(db_session: DbSession, workflow_id: PrimaryKey):
 """Delete a workflow."""
 workflow = get(db_session=db_session, workflow_id=workflow_id)
@@ -90,7 +111,11 @@ def delete_workflow(db_session: DbSession, workflow_id: PrimaryKey):
 delete(db_session=db_session, workflow_id=workflow_id)
-@router.post("/{workflow_id}/run", response_model=WorkflowInstanceRead)
+@router.post(
+ "/{workflow_id}/run",
+ response_model=WorkflowInstanceRead,
+ dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
+)
 def run_workflow(
 db_session: DbSession,
 workflow_id: PrimaryKey,
From b6397952ba181c3ccf41600ac2a4aa240e0adab0 Mon Sep 17 00:00:00 2001
From: Kevin Glisson
Date: Thu, 19 Dec 2024 13:20:07 -0800
Subject: [PATCH 2/2] Adjusting permissions
---
 src/dispatch/workflow/views.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/src/dispatch/workflow/views.py b/src/dispatch/workflow/views.py
index 988f42a653cc..bdf421e41b41 100644
--- a/src/dispatch/workflow/views.py
+++ b/src/dispatch/workflow/views.py
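Review bot: The guard added to `POST /{workflow_id}/run` in the `@@ -90,7 +111,11 @@` hunk of PATCH 1/2 does not survive the series: PATCH 2/2 deletes the same `dependencies=` line from `run_workflow`, and from `get_workflow` and `get_workflow_instance`, with only "Adjusting permissions" as explanation. Running a workflow is a state-changing call that presumably invokes the workflow's plugin, so after both patches it appears to be open to any caller who passes whatever authentication the router applies, which is not visible here. If that is intended, record it on the route, e.g. `# Any authenticated user may run a workflow; create, update and delete stay restricted`; otherwise keep a permission on the run route that is narrower than `SensitiveProjectActionPermission` rather than none. `run_workflow`'s body continues outside the hunk.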
@@ -31,7 +31,6 @@ def get_workflows(common: CommonParameters):
 @router.get(
 "/{workflow_id}",
 response_model=WorkflowRead,
- dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
 )
 def get_workflow(db_session: DbSession, workflow_id: PrimaryKey):
 """Get a workflow."""
@@ -47,7 +46,6 @@ def get_workflow(db_session: DbSession, workflow_id: PrimaryKey):
 @router.get(
 "/instances/{workflow_instance_id}",
 response_model=WorkflowInstanceRead,
- dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
 )
 def get_workflow_instance(db_session: DbSession, workflow_instance_id: PrimaryKey):
 """Get a workflow instance."""
@@ -114,7 +112,6 @@ def delete_workflow(db_session: DbSession, workflow_id: PrimaryKey):
 @router.post(
 "/{workflow_id}/run",
 response_model=WorkflowInstanceRead,
- dependencies=[Depends(PermissionsDependency([SensitiveProjectActionPermission]))],
 )
 def run_workflow(
 db_session: DbSession,