feat: add flag to enable dangerous mutations, disabled by default

uselagoon · Jun 27, 2024 · 8ac8955 · 8ac8955
1 parent 5637896
commit 8ac8955
Show file tree

Hide file tree

Showing 9 changed files with 181 additions and 87 deletions.
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -104,6 +104,7 @@ services:
       - S3_BAAS_ACCESS_KEY_ID=minio
       - S3_BAAS_SECRET_ACCESS_KEY=minio123
       - CONSOLE_LOGGING_LEVEL=debug
+      - ENABLE_DANGEROUS_GRAPHQL_MUTATIONS=true # enable all the deleteAll mutations only for local development
     depends_on:
       api-lagoon-migrations:
         condition: service_started

diff --git a/services/api/src/resources/backup/resolvers.ts b/services/api/src/resources/backup/resolvers.ts
@@ -18,6 +18,8 @@ import { Helpers as projectHelpers } from '../project/helpers';
 import { getEnvVarsByProjectId } from '../env-variables/resolvers';
 import { logger } from '../../loggers/logger';
 
+const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"
+
 const getRestoreLocation = async (backupId, restoreLocation, sqlClientPool) => {
   let restoreSize = 0;
   const rows = await query(sqlClientPool, Sql.selectBackupByBackupId(backupId));
@@ -234,13 +236,19 @@ export const deleteAllBackups: ResolverFn = async (
   { sqlClientPool, hasPermission, userActivityLogger }
 ) => {
   await hasPermission('backup', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateBackup());
+    await query(sqlClientPool, Sql.truncateBackup());
 
-  userActivityLogger(`User deleted all backups`);
+    userActivityLogger(`User deleted all backups`);
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const addRestore: ResolverFn = async (

diff --git a/services/api/src/resources/environment/resolvers.ts b/services/api/src/resources/environment/resolvers.ts
@@ -14,6 +14,8 @@ import { Helpers as organizationHelpers } from '../organization/helpers';
 import { getFactFilteredEnvironmentIds } from '../fact/resolvers';
 import { getUserProjectIdsFromRoleProjectIds } from '../../util/auth';
 
+const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"
+
 export const getEnvironmentByName: ResolverFn = async (
   root,
   args,
@@ -726,19 +728,25 @@ export const deleteAllEnvironments: ResolverFn = async (
   { sqlClientPool, hasPermission, userActivityLogger }
 ) => {
   await hasPermission('environment', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateEnvironment());
+    await query(sqlClientPool, Sql.truncateEnvironment());
 
-  userActivityLogger(`User deleted all environments'`, {
-    project: '',
-    event: 'api:deleteAllEnvironments',
-    payload: {
-      args
-    }
-  });
+    userActivityLogger(`User deleted all environments'`, {
+      project: '',
+      event: 'api:deleteAllEnvironments',
+      payload: {
+        args
+      }
+    });
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 // @deprecated in favor of addOrUpdateEnvironmentService and deleteEnvironmentService, will eventually be removed

diff --git a/services/api/src/resources/group/resolvers.ts b/services/api/src/resources/group/resolvers.ts
@@ -13,6 +13,8 @@ import { sqlClientPool } from '../../clients/sqlClient';
 
 const DISABLE_NON_ORGANIZATION_GROUP_CREATION = process.env.DISABLE_NON_ORGANIZATION_GROUP_CREATION || "false"
 
+const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"
+
 export const getAllGroups: ResolverFn = async (
   root,
   { name, type },
@@ -516,22 +518,28 @@ export const deleteAllGroups: ResolverFn = async (
   { models, hasPermission }
 ) => {
   await hasPermission('group', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  const allGroups = await models.GroupModel.loadAllGroups();
-  const groups = await models.GroupModel.transformKeycloakGroups(allGroups);
+    const allGroups = await models.GroupModel.loadAllGroups();
+    const groups = await models.GroupModel.transformKeycloakGroups(allGroups);
 
-  let deleteErrors: String[] = [];
-  for (const group of groups) {
-    try {
-      await models.GroupModel.deleteGroup(group.id);
-    } catch (err) {
-      deleteErrors = [...deleteErrors, `${group.name} (${group.id})`];
+    let deleteErrors: String[] = [];
+    for (const group of groups) {
+      try {
+        await models.GroupModel.deleteGroup(group.id);
+      } catch (err) {
+        deleteErrors = [...deleteErrors, `${group.name} (${group.id})`];
+      }
     }
-  }
 
-  return R.ifElse(R.isEmpty, R.always('success'), deleteErrors => {
-    throw new Error(`Could not delete groups: ${deleteErrors.join(', ')}`);
-  })(deleteErrors);
+    return R.ifElse(R.isEmpty, R.always('success'), deleteErrors => {
+      throw new Error(`Could not delete groups: ${deleteErrors.join(', ')}`);
+    })(deleteErrors);
+  }
 };
 
 export const addUserToGroup: ResolverFn = async (

diff --git a/services/api/src/resources/notification/resolvers.ts b/services/api/src/resources/notification/resolvers.ts
@@ -19,6 +19,8 @@ import { logger } from '../../loggers/logger';
 
 const DISABLE_NON_ORGANIZATION_NOTIFICATION_ASSIGNMENT = process.env.DISABLE_NON_ORGANIZATION_NOTIFICATION_ASSIGNMENT || "false"
 
+const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"
+
 const addNotificationGeneric = async (sqlClientPool, notificationTable, input) => {
   const createSql = knex(notificationTable).insert(input).toString();
 
@@ -702,11 +704,17 @@ export const deleteAllNotificationSlacks: ResolverFn = async (
   { sqlClientPool, hasPermission }
 ) => {
   await hasPermission('notification', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateNotificationSlack());
+    await query(sqlClientPool, Sql.truncateNotificationSlack());
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const deleteAllNotificationEmails: ResolverFn = async (
@@ -715,11 +723,17 @@ export const deleteAllNotificationEmails: ResolverFn = async (
   { sqlClientPool, hasPermission }
 ) => {
   await hasPermission('notification', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateNotificationEmail());
+    await query(sqlClientPool, Sql.truncateNotificationEmail());
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const deleteAllNotificationRocketChats: ResolverFn = async (
@@ -728,11 +742,17 @@ export const deleteAllNotificationRocketChats: ResolverFn = async (
   { sqlClientPool, hasPermission }
 ) => {
   await hasPermission('notification', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateNotificationRocketchat());
+    await query(sqlClientPool, Sql.truncateNotificationRocketchat());
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const deleteAllNotificationMicrosoftTeams: ResolverFn = async (
@@ -741,11 +761,17 @@ export const deleteAllNotificationMicrosoftTeams: ResolverFn = async (
   { sqlClientPool, hasPermission }
 ) => {
   await hasPermission('notification', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateNotificationMicrosoftTeams());
+    await query(sqlClientPool, Sql.truncateNotificationMicrosoftTeams());
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const deleteAllNotificationWebhook: ResolverFn = async (
@@ -754,24 +780,36 @@ export const deleteAllNotificationWebhook: ResolverFn = async (
   { sqlClientPool, hasPermission },
 ) => {
   await hasPermission('notification', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateNotificationWebhook());
+    await query(sqlClientPool, Sql.truncateNotificationWebhook());
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const removeAllNotificationsFromAllProjects: ResolverFn = async (
   root,
   args,
   { sqlClientPool, hasPermission }
 ) => {
-  await hasPermission('notification', 'removeAll');
+  await hasPermission('notification', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateProjectNotification());
+    await query(sqlClientPool, Sql.truncateProjectNotification());
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const getAllNotifications: ResolverFn = async (

diff --git a/services/api/src/resources/openshift/resolvers.ts b/services/api/src/resources/openshift/resolvers.ts
@@ -4,6 +4,8 @@ import { query, isPatchEmpty, knex } from '../../util/db';
 import { Helpers as projectHelpers } from '../project/helpers';
 import { Sql } from './sql';
 
+const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"
+
 export const getToken: ResolverFn = async (
   kubernetes,
   _args,
@@ -220,15 +222,21 @@ export const deleteAllOpenshifts: ResolverFn = async (
   { sqlClientPool, hasPermission, userActivityLogger }
 ) => {
   await hasPermission('openshift', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateOpenshift());
+    await query(sqlClientPool, Sql.truncateOpenshift());
 
-  userActivityLogger(`User deleted all openshifts`, {
-    project: '',
-    event: 'api:updateOpenshift',
-    payload: { }
-  });
+    userActivityLogger(`User deleted all openshifts`, {
+      project: '',
+      event: 'api:updateOpenshift',
+      payload: { }
+    });
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
diff --git a/services/api/src/resources/project/resolvers.ts b/services/api/src/resources/project/resolvers.ts
@@ -23,6 +23,8 @@ const DISABLE_CORE_HARBOR = process.env.DISABLE_CORE_HARBOR || "false"
 
 const DISABLE_NON_ORGANIZATION_PROJECT_CREATION = process.env.DISABLE_NON_ORGANIZATION_PROJECT_CREATION || "false"
 
+const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"
+
 const isValidGitUrl = value => {
   try {
     GitUrlParse(value)
@@ -940,25 +942,31 @@ export const deleteAllProjects: ResolverFn = async (
   { sqlClientPool, hasPermission, userActivityLogger }
 ) => {
   await hasPermission('project', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  const projectNames = await Helpers(sqlClientPool).getAllProjectNames();
-
-  await query(sqlClientPool, Sql.truncateProject());
+    const projectNames = await Helpers(sqlClientPool).getAllProjectNames();
 
-  for (const name of projectNames) {
-    await KeycloakOperations.deleteGroup(name);
-  }
+    await query(sqlClientPool, Sql.truncateProject());
 
-  userActivityLogger(`User deleted all projects`, {
-    project: '',
-    event: 'api:deleteAllProjects',
-    payload: {
-      ...args
+    for (const name of projectNames) {
+      await KeycloakOperations.deleteGroup(name);
     }
-  });
 
-  // TODO: Check rows for success
-  return 'success';
+    userActivityLogger(`User deleted all projects`, {
+      project: '',
+      event: 'api:deleteAllProjects',
+      payload: {
+        ...args
+      }
+    });
+
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const removeProjectMetadataByKey: ResolverFn = async (

diff --git a/services/api/src/resources/sshKey/resolvers.ts b/services/api/src/resources/sshKey/resolvers.ts
@@ -4,6 +4,7 @@ import { query, isPatchEmpty } from '../../util/db';
 import { validateSshKey, getSshKeyFingerprint } from '.';
 import { Sql } from './sql';
 
+const ENABLE_DANGEROUS_GRAPHQL_MUTATIONS = process.env.ENABLE_DANGEROUS_GRAPHQL_MUTATIONS || "false"
 
 const formatSshKey = ({ keyType, keyValue }) => `${keyType} ${keyValue}`;
 
@@ -285,11 +286,17 @@ export const deleteAllSshKeys: ResolverFn = async (
   { sqlClientPool, hasPermission }
 ) => {
   await hasPermission('ssh_key', 'deleteAll');
+  if (ENABLE_DANGEROUS_GRAPHQL_MUTATIONS == "false") {
+    throw new Error(
+      'This mutation has been disabled'
+    );
+  } else {
 
-  await query(sqlClientPool, Sql.truncateSshKey());
+    await query(sqlClientPool, Sql.truncateSshKey());
 
-  // TODO: Check rows for success
-  return 'success';
+    // TODO: Check rows for success
+    return 'success';
+  }
 };
 
 export const removeAllSshKeysFromAllUsers: ResolverFn = async (