fix: issue when executor is downloading the state file using terrafor…

…m_remote_state (#1361)

api/src/main/java/org/terrakube/api/plugin/security/state/StateService.java

@@ -16,18 +16,21 @@ public class StateService {
    private TeamRepository teamRepository;
 
    public boolean hasManageStatePermission(Authentication authentication, String orgnizationId) {
-      Object groupNames = ((JwtAuthenticationToken) authentication).getTokenAttributes().get("groups");
-      if (groupNames == null) {
-         return false;
-      }
-      @SuppressWarnings("unchecked")
-      List<Team> teams = teamRepository.findAllByOrganizationIdAndNameIn(UUID.fromString(orgnizationId), (List<String>) groupNames);
-      for (Team team : teams) {
-         if (team.isManageState()) {
-            return true;
+      if (((JwtAuthenticationToken) authentication).getTokenAttributes().get("iss").equals("TerrakubeInternal")) {
+         return true;
+      } else {
+         Object groupNames = ((JwtAuthenticationToken) authentication).getTokenAttributes().get("groups");
+         if (groupNames == null) {
+            return false;
          }
+         @SuppressWarnings("unchecked")
+         List<Team> teams = teamRepository.findAllByOrganizationIdAndNameIn(UUID.fromString(orgnizationId), (List<String>) groupNames);
+         for (Team team : teams) {
+            if (team.isManageState()) {
+               return true;
+            }
+         }
+         return false;
       }
-
-      return false;
-   } 
+   }
 }

api/src/test/java/org/terrakube/api/WorkspaceTests.java

@@ -1,13 +1,26 @@
 package org.terrakube.api;
 
+import org.apache.commons.io.FileUtils;
 import org.hamcrest.core.IsEqual;
 import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.terrakube.api.repository.TeamRepository;
+import org.terrakube.api.rs.team.Team;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.Optional;
+import java.util.UUID;
 
 import static io.restassured.RestAssured.given;
 
 class WorkspaceTests extends ServerApplicationTests {
 
+    @Autowired
+    TeamRepository teamRepository;
+
     @Test
     void searchWorkspaceAsOrgMember() {
         given()
@@ -22,6 +35,84 @@ void searchWorkspaceAsOrgMember() {
                 .statusCode(HttpStatus.OK.value());
     }
 
+    @Test
+    void searchWorkspaceManageSateOrgMember() throws IOException {
+
+        FileUtils.writeStringToFile(
+                new File(
+                        String.format("%s/.terraform-spring-boot/local/backend/%s/%s/terraform.tfstate", FileUtils.getUserDirectoryPath(), "d9b58bd3-f3fc-4056-a026-1163297e80a8", "5ed411ca-7ab8-4d2f-b591-02d0d5788afc")),
+                "SAMPLE",
+                Charset.defaultCharset().toString()
+        );
+
+        Optional<Team> teamOptional = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7"));
+        Team team = teamOptional.get();
+        team.setManageState(true);
+        teamRepository.save(team);
+
+        given()
+                .headers("Authorization", "Bearer " + generatePAT("TERRAKUBE_DEVELOPERS"))
+                .when()
+                .get("/tfstate/v1/organization/d9b58bd3-f3fc-4056-a026-1163297e80a8/workspace/5ed411ca-7ab8-4d2f-b591-02d0d5788afc/state/terraform.tfstate")
+                .then()
+                .assertThat()
+                .log()
+                .all()
+                .statusCode(HttpStatus.OK.value());
+    }
+
+    @Test
+    void searchWorkspaceManageSateNoOrgMember() throws IOException {
+
+        FileUtils.writeStringToFile(
+                new File(
+                        String.format("%s/.terraform-spring-boot/local/backend/%s/%s/terraform.tfstate", FileUtils.getUserDirectoryPath(), "d9b58bd3-f3fc-4056-a026-1163297e80a8", "5ed411ca-7ab8-4d2f-b591-02d0d5788afc")),
+                "SAMPLE",
+                Charset.defaultCharset().toString()
+        );
+
+        Optional<Team> teamOptional = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7"));
+        Team team = teamOptional.get();
+        team.setManageState(true);
+        teamRepository.save(team);
+
+        given()
+                .headers("Authorization", "Bearer " + generatePAT("FAKE_GROUP"))
+                .when()
+                .get("/tfstate/v1/organization/d9b58bd3-f3fc-4056-a026-1163297e80a8/workspace/5ed411ca-7ab8-4d2f-b591-02d0d5788afc/state/terraform.tfstate")
+                .then()
+                .assertThat()
+                .log()
+                .all()
+                .statusCode(HttpStatus.FORBIDDEN.value());
+    }
+
+    @Test
+    void searchWorkspaceStateAsExecutor() throws IOException {
+
+        FileUtils.writeStringToFile(
+                new File(
+                        String.format("%s/.terraform-spring-boot/local/backend/%s/%s/terraform.tfstate", FileUtils.getUserDirectoryPath(), "d9b58bd3-f3fc-4056-a026-1163297e80a8", "5ed411ca-7ab8-4d2f-b591-02d0d5788afc")),
+                "SAMPLE",
+                Charset.defaultCharset().toString()
+        );
+
+        Optional<Team> teamOptional = teamRepository.findById(UUID.fromString("58529721-425e-44d7-8b0d-1d515043c2f7"));
+        Team team = teamOptional.get();
+        team.setManageState(true);
+        teamRepository.save(team);
+
+        given()
+                .headers("Authorization", "Bearer " + generateSystemToken())
+                .when()
+                .get("/tfstate/v1/organization/d9b58bd3-f3fc-4056-a026-1163297e80a8/workspace/5ed411ca-7ab8-4d2f-b591-02d0d5788afc/state/terraform.tfstate")
+                .then()
+                .assertThat()
+                .log()
+                .all()
+                .statusCode(HttpStatus.OK.value());
+    }
+
     @Test
     void searchWorkspaceAsNonOrgMember() {
         given()
@@ -261,4 +352,5 @@ void createWorkspaceAsNonOrgMember() {
                 .all()
                 .statusCode(HttpStatus.FORBIDDEN.value());
     }
+
 }