2024-10-10 13:16:06 +00:00
|
|
|
package validate
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2024-10-14 10:33:47 +00:00
|
|
|
"errors"
|
2024-10-10 13:16:06 +00:00
|
|
|
"fmt"
|
2024-10-14 10:33:47 +00:00
|
|
|
"path"
|
2024-10-10 13:16:06 +00:00
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/databricks/cli/bundle"
|
2024-10-14 10:33:47 +00:00
|
|
|
"github.com/databricks/cli/bundle/libraries"
|
2024-10-10 13:16:06 +00:00
|
|
|
"github.com/databricks/cli/bundle/permissions"
|
|
|
|
"github.com/databricks/cli/libs/diag"
|
2024-10-14 10:33:47 +00:00
|
|
|
"github.com/databricks/databricks-sdk-go/apierr"
|
2024-10-10 13:16:06 +00:00
|
|
|
"github.com/databricks/databricks-sdk-go/service/workspace"
|
|
|
|
"golang.org/x/sync/errgroup"
|
|
|
|
)
|
|
|
|
|
|
|
|
type folderPermissions struct {
|
|
|
|
}
|
|
|
|
|
|
|
|
// Apply implements bundle.ReadOnlyMutator.
|
|
|
|
func (f *folderPermissions) Apply(ctx context.Context, b bundle.ReadOnlyBundle) diag.Diagnostics {
|
|
|
|
if len(b.Config().Permissions) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
rootPath := b.Config().Workspace.RootPath
|
|
|
|
paths := []string{}
|
|
|
|
if !libraries.IsVolumesPath(rootPath) {
|
|
|
|
paths = append(paths, rootPath)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !strings.HasSuffix(rootPath, "/") {
|
|
|
|
rootPath += "/"
|
|
|
|
}
|
2024-10-10 13:16:06 +00:00
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
if !strings.HasPrefix(b.Config().Workspace.ArtifactPath, rootPath) &&
|
|
|
|
!libraries.IsVolumesPath(b.Config().Workspace.ArtifactPath) {
|
2024-10-10 13:16:06 +00:00
|
|
|
paths = append(paths, b.Config().Workspace.ArtifactPath)
|
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
if !strings.HasPrefix(b.Config().Workspace.FilePath, rootPath) &&
|
|
|
|
!libraries.IsVolumesPath(b.Config().Workspace.FilePath) {
|
2024-10-10 13:16:06 +00:00
|
|
|
paths = append(paths, b.Config().Workspace.FilePath)
|
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
if !strings.HasPrefix(b.Config().Workspace.StatePath, rootPath) &&
|
|
|
|
!libraries.IsVolumesPath(b.Config().Workspace.StatePath) {
|
2024-10-10 13:16:06 +00:00
|
|
|
paths = append(paths, b.Config().Workspace.StatePath)
|
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
if !strings.HasPrefix(b.Config().Workspace.ResourcePath, rootPath) &&
|
|
|
|
!libraries.IsVolumesPath(b.Config().Workspace.ResourcePath) {
|
2024-10-10 13:16:06 +00:00
|
|
|
paths = append(paths, b.Config().Workspace.ResourcePath)
|
|
|
|
}
|
|
|
|
|
|
|
|
var diags diag.Diagnostics
|
2024-10-14 10:33:47 +00:00
|
|
|
g, ctx := errgroup.WithContext(ctx)
|
|
|
|
results := make([]diag.Diagnostics, len(paths))
|
|
|
|
for i, p := range paths {
|
|
|
|
g.Go(func() error {
|
|
|
|
results[i] = checkFolderPermission(ctx, b, p)
|
2024-10-10 13:16:06 +00:00
|
|
|
return nil
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
if err := g.Wait(); err != nil {
|
2024-10-10 13:16:06 +00:00
|
|
|
return diag.FromErr(err)
|
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
for _, r := range results {
|
|
|
|
diags = diags.Extend(r)
|
|
|
|
}
|
|
|
|
|
2024-10-10 13:16:06 +00:00
|
|
|
return diags
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkFolderPermission(ctx context.Context, b bundle.ReadOnlyBundle, folderPath string) diag.Diagnostics {
|
|
|
|
w := b.WorkspaceClient().Workspace
|
2024-10-14 10:33:47 +00:00
|
|
|
obj, err := getClosestExistingObject(ctx, w, folderPath)
|
2024-10-10 13:16:06 +00:00
|
|
|
if err != nil {
|
|
|
|
return diag.FromErr(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
objPermissions, err := w.GetPermissions(ctx, workspace.GetWorkspaceObjectPermissionsRequest{
|
|
|
|
WorkspaceObjectId: fmt.Sprint(obj.ObjectId),
|
|
|
|
WorkspaceObjectType: "directories",
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
return diag.FromErr(err)
|
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
p := permissions.NewFromWorkspaceObjectAcl(folderPath, objPermissions.AccessControlList)
|
|
|
|
return p.Compare(b.Config().Permissions)
|
|
|
|
}
|
|
|
|
|
|
|
|
var cache = map[string]*workspace.ObjectInfo{}
|
|
|
|
|
|
|
|
func getClosestExistingObject(ctx context.Context, w workspace.WorkspaceInterface, folderPath string) (*workspace.ObjectInfo, error) {
|
|
|
|
if obj, ok := cache[folderPath]; ok {
|
|
|
|
return obj, nil
|
2024-10-10 13:16:06 +00:00
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
for folderPath != "/" {
|
|
|
|
obj, err := w.GetStatusByPath(ctx, folderPath)
|
|
|
|
if err == nil {
|
|
|
|
cache[folderPath] = obj
|
|
|
|
return obj, nil
|
2024-10-10 13:16:06 +00:00
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
var aerr *apierr.APIError
|
|
|
|
if !errors.As(err, &aerr) {
|
|
|
|
return nil, err
|
2024-10-10 13:16:06 +00:00
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
if aerr.ErrorCode != "RESOURCE_DOES_NOT_EXIST" {
|
|
|
|
return nil, err
|
2024-10-10 13:16:06 +00:00
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
folderPath = path.Dir(folderPath)
|
2024-10-10 13:16:06 +00:00
|
|
|
}
|
|
|
|
|
2024-10-14 10:33:47 +00:00
|
|
|
// Check "/" root folder
|
|
|
|
obj, err := w.GetStatusByPath(ctx, folderPath)
|
|
|
|
if err == nil {
|
|
|
|
cache[folderPath] = obj
|
|
|
|
return obj, nil
|
2024-10-10 13:16:06 +00:00
|
|
|
}
|
2024-10-14 10:33:47 +00:00
|
|
|
|
|
|
|
return nil, fmt.Errorf("folder %s and its parent folders do not exist", folderPath)
|
2024-10-10 13:16:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Name implements bundle.ReadOnlyMutator.
|
|
|
|
func (f *folderPermissions) Name() string {
|
|
|
|
return "validate:folder_permissions"
|
|
|
|
}
|
|
|
|
|
|
|
|
func ValidateFolderPermissions() bundle.ReadOnlyMutator {
|
|
|
|
return &folderPermissions{}
|
|
|
|
}
|