From fafe524688bd80763a9f4dc8dbcb24fd79ed25fc Mon Sep 17 00:00:00 2001
From: raintygao
Date: Fri, 11 Aug 2023 16:43:25 +0800
Subject: [PATCH] add permission check when updating workspace (#81)

* feat: add permission check when updating workspace

Signed-off-by: tygao

* fix: only use management access and update bulkUpdate logic

Signed-off-by: tygao

* chore: update code

Signed-off-by: tygao

* chore: update code after rebase

Signed-off-by: tygao

---------

Signed-off-by: tygao
---
 .../workspace_saved_objects_client_wrapper.ts | 73 ++++++++++++++++++-
 1 file changed, 71 insertions(+), 2 deletions(-)

diff --git a/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts b/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
index bd1d68bd0f7b..170498fb40bb 100644
--- a/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
+++ b/src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
@@ -19,6 +19,11 @@ import {
 SavedObjectsDeleteOptions,
 SavedObjectsFindOptions,
 SavedObjectsShareObjects,
+ SavedObjectsUpdateOptions,
+ SavedObjectsUpdateResponse,
+ SavedObjectsBulkUpdateObject,
+ SavedObjectsBulkUpdateResponse,
+ SavedObjectsBulkUpdateOptions,
 SavedObjectsPermissionControlContract,
 WORKSPACE_TYPE,
 ACL,
@@ -60,6 +65,28 @@ export class WorkspaceSavedObjectsClientWrapper {
 return [permission];
 }
 
+ private async validateSingleWorkspacePermissions(
+ workspaceId: string | undefined,
+ request: OpenSearchDashboardsRequest,
+ permissionMode: WorkspacePermissionMode | WorkspacePermissionMode[]
+ ) {
+ if (!workspaceId) {
+ return;
+ }
+ if (
+ !(await this.permissionControl.validate(
+ request,
+ {
+ type: WORKSPACE_TYPE,
+ id: workspaceId,
+ },
+ this.formatWorkspacePermissionModeToStringArray(permissionMode)
+ ))
+ ) {
+ throw generateWorkspacePermissionError();
+ }
+ }
+
 private async validateMultiWorkspacesPermissions(
 workspaces: string[] | undefined,
 request: OpenSearchDashboardsRequest,
@@ -129,6 +156,12 @@ export class WorkspaceSavedObjectsClientWrapper {
 id: string,
 options: SavedObjectsDeleteOptions = {}
 ) => {
+ if (this.isRelatedToWorkspace(type)) {
+ await this.validateSingleWorkspacePermissions(id, wrapperOptions.request, [
+ WorkspacePermissionMode.Management,
+ ]);
+ }
+
 const objectToDeleted = await wrapperOptions.client.get(type, id, options);
 await this.validateMultiWorkspacesPermissions(
 objectToDeleted.workspaces,
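Review bot: validateSingleWorkspacePermissions fails open when `workspaceId` is empty — the early `return` skips the ACL check entirely, and the id that reaches it from the delete wrapper in the second hunk (and from the update wrapper later in this patch) is a required `string`, so an empty string passes straight through to `wrapperOptions.client.get`/`update` without any permission decision. Whether that is harmless depends on the underlying client rejecting empty ids, which this hunk does not show; a permission gate should not rely on that. Since no caller in this patch passes `undefined`, the simpler fix is to tighten the signature to `workspaceId: string` and drop the guard, or else make the guard fail closed: `if (!workspaceId) { throw generateWorkspacePermissionError(); }`. The delete wrapper in the second hunk starts and ends outside the hunk.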
@@ -138,6 +171,42 @@ export class WorkspaceSavedObjectsClientWrapper {
 return await wrapperOptions.client.delete(type, id, options);
 };
 
+ const updateWithWorkspacePermissionControl = async (
+ type: string,
+ id: string,
+ attributes: Partial,
+ options: SavedObjectsUpdateOptions = {}
+ ): Promise> => {
+ if (this.isRelatedToWorkspace(type)) {
+ await this.validateSingleWorkspacePermissions(id, wrapperOptions.request, [
+ WorkspacePermissionMode.Management,
+ ]);
+ }
+ return await wrapperOptions.client.update(type, id, attributes, options);
+ };
+
+ const bulkUpdateWithWorkspacePermissionControl = async (
+ objects: Array>,
+ options?: SavedObjectsBulkUpdateOptions
+ ): Promise> => {
+ const workspaceIds = objects.reduce((acc, cur) => {
+ if (this.isRelatedToWorkspace(cur.type)) {
+ acc.push(cur.id);
+ }
+ return acc;
+ }, []);
+ const permittedWorkspaceIds =
+ (await this.permissionControl.getPermittedWorkspaceIds(wrapperOptions.request, [
+ WorkspacePermissionMode.Management,
+ ])) ?? [];
+ const workspacePermitted = workspaceIds.every((id) => permittedWorkspaceIds.includes(id));
+ if (!workspacePermitted) {
+ throw generateWorkspacePermissionError();
+ }
+
+ return await wrapperOptions.client.bulkUpdate(objects, options);
+ };
+
 const bulkCreateWithWorkspacePermissionControl = async (
 objects: Array>,
 options: SavedObjectsCreateOptions = {}
@@ -310,8 +379,8 @@ export class WorkspaceSavedObjectsClientWrapper {
 create: createWithWorkspacePermissionControl,
 bulkCreate: bulkCreateWithWorkspacePermissionControl,
 delete: deleteWithWorkspacePermissionControl,
- update: wrapperOptions.client.update,
- bulkUpdate: wrapperOptions.client.bulkUpdate,
+ update: updateWithWorkspacePermissionControl,
+ bulkUpdate: bulkUpdateWithWorkspacePermissionControl,
 addToWorkspaces: addToWorkspacesWithPermissionControl,
 };
 };
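Review bot: updateWithWorkspacePermissionControl and bulkUpdateWithWorkspacePermissionControl only gate objects whose type is a workspace; unlike the delete wrapper just above this hunk, neither validates the `workspaces` membership of other object types through validateMultiWorkspacesPermissions, so a non-workspace object that belongs to a workspace can still be updated without any workspace permission check. If that narrowing is intentional for this change, a one-line comment on each wrapper such as `// Only workspace objects are gated here; workspace membership of other types is not checked on update` would stop readers from assuming the update path is fully covered. On style, the reduce in bulkUpdate reads more directly as `const workspaceIds = objects.filter((o) => this.isRelatedToWorkspace(o.type)).map((o) => o.id);`, and holding the permitted ids in a `Set` turns the `every`/`includes` scan into one lookup per id. Note also that bulkUpdate decides via getPermittedWorkspaceIds while update decides via permissionControl.validate; if those two can ever disagree, the two entry points enforce different rules for the same operation. The enclosing wrapper method starts and ends outside the hunk.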