fix(orchestrator):Limit access to workflow instances to initiators only (#867)

Signed-off-by: Lior Soffer <liorsoffer1@gmail.com>

Author: LiorSoffer

workspaces/orchestrator/.changeset/four-swans-deliver.md

@@ -0,0 +1,6 @@
+---
+'@red-hat-developer-hub/backstage-plugin-orchestrator-backend': patch
+'@red-hat-developer-hub/backstage-plugin-orchestrator-common': patch
+---
+
+Limit access to workflow instances to initiators only

workspaces/orchestrator/docs/rbac-policy.csv

@@ -8,6 +8,7 @@ p, role:default/workflowUser, orchestrator.workflow.use.yamlgreet, update, allow
 p, role:default/workflowAdmin, orchestrator.workflow, read, allow
 p, role:default/workflowAdmin, orchestrator.workflow.use, update, allow
 p, role:default/workflowAdmin, orchestrator.workflowAdminView, read, allow
+p, role:default/workflowAdmin, orchestrator.instanceAdminView, read, allow 
 
 p, role:default/workflowDenied, orchestrator.workflow, read, deny
 p, role:default/workflowDenied, orchestrator.workflow.use, update, deny 

workspaces/orchestrator/plugins/orchestrator-backend/src/plugin.ts

@@ -41,6 +41,7 @@ export const orchestratorPlugin = createBackendPlugin({
         scheduler: coreServices.scheduler,
         httpAuth: coreServices.httpAuth,
         http: coreServices.httpRouter,
+        userInfo: coreServices.userInfo,
       },
       async init(props) {
         const { http } = props;

workspaces/orchestrator/plugins/orchestrator-backend/src/routerWrapper/index.ts

@@ -22,6 +22,7 @@ import type {
   PermissionsService,
   SchedulerService,
   UrlReaderService,
+  UserInfoService,
 } from '@backstage/backend-plugin-api';
 import type { CatalogApi } from '@backstage/catalog-client';
 import type { Config } from '@backstage/config';
@@ -41,6 +42,7 @@ export interface RouterOptions {
   scheduler: SchedulerService;
   permissions: PermissionsService;
   httpAuth: HttpAuthService;
+  userInfo: UserInfoService;
 }
 
 export async function createRouter(
@@ -71,5 +73,6 @@ export async function createRouter(
     scheduler: args.scheduler,
     permissions: args.permissions,
     httpAuth: args.httpAuth,
+    userInfo: args.userInfo,
   });
 }

workspaces/orchestrator/plugins/orchestrator-backend/src/service/api/mapping/V2Mappings.ts

@@ -144,6 +144,7 @@ export function mapToProcessInstanceDTO(
     duration: duration,
     // @ts-ignore
     workflowdata: variables?.workflowdata,
+    initiatorEntity: variables?.initiatorEntity as string,
     state: processInstance.state
       ? getProcessInstancesStatusDTOFromString(processInstance.state)
       : undefined,

workspaces/orchestrator/plugins/orchestrator-backend/src/service/api/v2.test.ts

@@ -382,6 +382,7 @@ describe('executeWorkflow', () => {
       workflowData,
       workflowInfo.id,
       'businessKey',
+      'someUserEntity',
     );
 
     // Assert

workspaces/orchestrator/plugins/orchestrator-backend/src/service/api/v2.ts

@@ -25,7 +25,6 @@ import {
   ProcessInstance,
   ProcessInstanceListResultDTO,
   ProcessInstanceState,
-  ProcessInstanceVariables,
   WorkflowDTO,
   WorkflowInfo,
   WorkflowOverviewDTO,
@@ -158,6 +157,7 @@ export class V2 {
     executeWorkflowRequestDTO: ExecuteWorkflowRequestDTO,
     workflowId: string,
     businessKey: string | undefined,
+    initiatorEntity: string,
   ): Promise<ExecuteWorkflowResponseDTO> {
     const definition = await this.orchestratorService.fetchWorkflowInfo({
       definitionId: workflowId,
@@ -170,8 +170,10 @@ export class V2 {
     }
     const executionResponse = await this.orchestratorService.executeWorkflow({
       definitionId: workflowId,
-      inputData:
-        executeWorkflowRequestDTO.inputData as ProcessInstanceVariables,
+      inputData: {
+        workflowdata: executeWorkflowRequestDTO.inputData,
+        initiatorEntity: initiatorEntity,
+      },
       authTokens: executeWorkflowRequestDTO.authTokens as Array<AuthToken>,
       serviceUrl: definition.serviceUrl,
       businessKey,

workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts

@@ -22,6 +22,7 @@ import {
   LoggerService,
   PermissionsService,
   SchedulerService,
+  UserInfoService,
 } from '@backstage/backend-plugin-api';
 import type { Config } from '@backstage/config';
 import type { DiscoveryApi } from '@backstage/core-plugin-api';
@@ -41,8 +42,11 @@ import { Request as HttpRequest } from 'express-serve-static-core';
 import { OpenAPIBackend, Request } from 'openapi-backend';
 
 import {
+  FieldFilter,
   Filter,
+  NestedFilter,
   openApiDocument,
+  orchestratorInstanceAdminViewPermission,
   orchestratorPermissions,
   orchestratorWorkflowPermission,
   orchestratorWorkflowSpecificPermission,
@@ -100,6 +104,20 @@ const authorize = async (
   );
 };
 
+const isUserAuthorizedForInstanceAdminViewPermission = async (
+  request: HttpRequest,
+  permissionsSvc: PermissionsService,
+  httpAuth: HttpAuthService,
+): Promise<boolean> => {
+  const credentials = await httpAuth.credentials(request);
+  const [decision] = await permissionsSvc.authorize(
+    [{ permission: orchestratorInstanceAdminViewPermission }],
+    { credentials },
+  );
+
+  return decision.result === AuthorizeResult.ALLOW;
+};
+
 const filterAuthorizedWorkflowIds = async (
   request: HttpRequest,
   permissionsSvc: PermissionsService,
@@ -173,6 +191,7 @@ export async function createBackendRouter(
     scheduler,
     permissions,
     httpAuth,
+    userInfo,
   } = options;
   const publicServices = initPublicServices(logger, config, scheduler);
 
@@ -203,6 +222,7 @@ export async function createBackendRouter(
     permissions,
     httpAuth,
     auditor,
+    userInfo,
   );
   setupExternalRoutes(router, discovery, scaffolderService, auditor);
 
@@ -313,6 +333,7 @@ function setupInternalRoutes(
   permissions: PermissionsService,
   httpAuth: HttpAuthService,
   auditor: AuditorService,
+  userInfo: UserInfoService,
 ) {
   function manageDenyAuthorization(auditEvent: AuditorServiceEvent) {
     const error = new UnauthorizedError();
@@ -404,6 +425,10 @@ function setupInternalRoutes(
     'executeWorkflow',
     async (c, req: express.Request, res: express.Response, next) => {
       const workflowId = c.request.params.workflowId as string;
+      const credentials = await httpAuth.credentials(req);
+      const initiatorEntity = await (
+        await userInfo.getUserInfo(credentials)
+      ).userEntityRef;
 
       const auditEvent = await auditor.createEvent({
         eventId: 'execute-workflow',
@@ -434,7 +459,12 @@ function setupInternalRoutes(
       const executeWorkflowRequestDTO = req.body;
 
       return routerApi.v2
-        .executeWorkflow(executeWorkflowRequestDTO, workflowId, businessKey)
+        .executeWorkflow(
+          executeWorkflowRequestDTO,
+          workflowId,
+          businessKey,
+          initiatorEntity,
+        )
         .then(result => {
           auditEvent.success({ meta: { id: result.id } });
           return res.status(200).json(result);
@@ -778,9 +808,46 @@ function setupInternalRoutes(
         if (!authorizedWorkflowIds || authorizedWorkflowIds.length === 0)
           res.json([]);
 
+        const credentials = await httpAuth.credentials(req);
+        const initiatorEntity = (await userInfo.getUserInfo(credentials))
+          .userEntityRef;
+        const isUserAuthorizedForInstanceAdminView: boolean = // This permission will let user see ALL instances (including ones others created)
+          await isUserAuthorizedForInstanceAdminViewPermission(
+            req,
+            permissions,
+            httpAuth,
+          );
+
+        const requestFilters = getRequestFilters(req);
+
+        let filters = requestFilters;
+
+        if (!isUserAuthorizedForInstanceAdminView) {
+          const initiatorEntityFilter: FieldFilter = {
+            operator: 'EQ',
+            value: initiatorEntity,
+            field: 'initiatorEntity',
+          };
+
+          const nestedVariablesFilter: NestedFilter = {
+            field: 'variables',
+            nested: initiatorEntityFilter,
+          };
+
+          if (requestFilters === undefined) {
+            filters = nestedVariablesFilter;
+          } else {
+            // combine filters
+            filters = {
+              operator: 'AND',
+              filters: [nestedVariablesFilter, requestFilters],
+            };
+          }
+        }
+
         const result = await routerApi.v2.getInstances(
           buildPagination(req),
-          getRequestFilters(req),
+          filters,
           authorizedWorkflowIds,
         );
 
@@ -834,6 +901,28 @@ function setupInternalRoutes(
           manageDenyAuthorization(auditEvent);
         }
 
+        const credentials = await httpAuth.credentials(request);
+        const initiatorEntity = (await userInfo.getUserInfo(credentials))
+          .userEntityRef;
+        // Check if user is authorized to view all instances
+        const isUserAuthorizedForInstanceAdminView =
+          await isUserAuthorizedForInstanceAdminViewPermission(
+            request,
+            permissions,
+            httpAuth,
+          );
+
+        // If not an admin, enforce initiatorEntity check
+        if (!isUserAuthorizedForInstanceAdminView) {
+          const instanceInitiatorEntity =
+            assessedInstance.instance.initiatorEntity;
+          if (instanceInitiatorEntity !== initiatorEntity) {
+            throw new Error(
+              `Unauthorized to access instance ${instanceId} not initiated by user.`,
+            );
+          }
+        }
+
         auditEvent.success();
         res.status(200).json(assessedInstance);
       } catch (error) {