services/kill.py: Allow admins to kill any run

VallariAg · VallariAg · commit 756cad2f4035 · 2024-04-24T21:36:48.000+05:30
Signed-off-by: Vallari Agrawal &lt;val.agl002@gmail.com&gt;
diff --git a/.env.dev b/.env.dev
@@ -8,6 +8,7 @@ GH_CLIENT_SECRET=
 GH_AUTHORIZATION_BASE_URL='https://github.com/login/oauth/authorize'
 GH_TOKEN_URL='https://github.com/login/oauth/access_token'
 GH_FETCH_MEMBERSHIP_URL='https://api.github.com/user/memberships/orgs/ceph'
+ADMIN_TEAM='Ceph'
 
 #Session Related Stuff
 ## SESSION_SECRET_KEY is used to encrypt session data
diff --git a/src/teuthology_api/config.py b/src/teuthology_api/config.py
@@ -27,9 +27,7 @@ class APISettings(BaseSettings):
     model_config = SettingsConfigDict(
         env_file=".env", env_file_encoding="utf-8", extra="ignore"
     )
-    # TODO: team names need to be changed below when created
-    admin_team: str = "ceph"  # ceph's github team with *sudo* access to sepia
-    teuth_team: str = "teuth"  # ceph's github team with access to sepia
+    admin_team: str = "Ceph"  # ceph's github team with *sudo* access to sepia
 
 
 @lru_cache()
diff --git a/src/teuthology_api/routes/kill.py b/src/teuthology_api/routes/kill.py
@@ -1,6 +1,7 @@
 import logging
 
-from fastapi import APIRouter, Depends, Request
+from fastapi import APIRouter, Depends, Request, HTTPException
+from requests.exceptions import HTTPError
 
 from teuthology_api.services.kill import run
 from teuthology_api.services.helpers import get_token
@@ -15,7 +16,7 @@
 
 
 @router.post("/", status_code=200)
-def create_run(
+async def create_run(
     request: Request,
     args: KillArgs,
     logs: bool = False,
@@ -28,5 +29,16 @@ def create_run(
     or else it will SyntaxError: non-dafault
     argument follows default argument error.
     """
-    args = args.model_dump(by_alias=True, exclude_unset=True)
-    return run(args, logs, access_token, request)
+    try:
+        args = args.model_dump(by_alias=True, exclude_unset=True)
+        return await run(args, logs, access_token, request)
+    except HTTPException:
+        raise
+    except HTTPError as http_err:
+        log.error(http_err)
+        raise HTTPException(
+            status_code=http_err.response.status_code, detail=repr(http_err)
+        ) from http_err
+    except Exception as err:
+        log.error(err)
+        raise HTTPException(status_code=500, detail=repr(err)) from err
diff --git a/src/teuthology_api/services/kill.py b/src/teuthology_api/services/kill.py
@@ -1,5 +1,6 @@
 import logging
 import subprocess
+import httpx
 
 from fastapi import HTTPException, Request
 
@@ -8,10 +9,11 @@
 
 
 TEUTHOLOGY_PATH = settings.teuthology_path
+ADMIN_TEAM = settings.admin_team
 log = logging.getLogger(__name__)
 
 
-def run(args, send_logs: bool, access_token: str, request: Request):
+async def run(args, send_logs: bool, access_token: dict, request: Request):
     """
     Kill running teuthology jobs.
     """
@@ -30,16 +32,19 @@ def run(args, send_logs: bool, access_token: str, request: Request):
     else:
         log.error("teuthology-kill is missing --run")
         raise HTTPException(status_code=400, detail="--run is a required argument")
-    # TODO if user has admin priviledge, then they can kill any run/job.
+
     if run_owner.lower() != username.lower():
-        log.error(
-            "%s doesn't have permission to kill a job scheduled by: %s",
-            username,
-            run_owner,
-        )
-        raise HTTPException(
-            status_code=401, detail="You don't have permission to kill this run/job"
-        )
+        isUserAdmin = await isAdmin(username, access_token)
+        if not isUserAdmin:
+            log.error(
+                "%s doesn't have permission to kill a job scheduled by: %s",
+                username,
+                run_owner,
+            )
+            raise HTTPException(
+                status_code=401, detail="You don't have permission to kill this run/job"
+            )
+        log.info("Killing with admin privileges")
     try:
         kill_cmd = [f"{TEUTHOLOGY_PATH}/virtualenv/bin/teuthology-kill"]
         for flag, flag_value in args.items():
@@ -61,3 +66,19 @@ def run(args, send_logs: bool, access_token: str, request: Request):
     except Exception as exc:
         log.error("teuthology-kill command failed with the error: %s", repr(exc))
         raise HTTPException(status_code=500, detail=repr(exc)) from exc
+
+
+async def isAdmin(username, token):
+    TEAM_MEMBER_URL = (
+        f"https://api.github.com/orgs/ceph/teams/{ADMIN_TEAM}/memberships/{username}"
+    )
+    async with httpx.AsyncClient() as client:
+        headers = {
+            "Authorization": "token " + token["access_token"],
+            "Accept": "application/json",
+        }
+        response_org = await client.get(url=TEAM_MEMBER_URL, headers=headers)
+        response_org_dic = dict(response_org.json())
+        if response_org_dic.get("state") == "active":
+            return True
+        return False

Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,7 @@ class APISettings(BaseSettings):`
`27`	`27`	`model_config = SettingsConfigDict(`
`28`	`28`	`env_file=".env", env_file_encoding="utf-8", extra="ignore"`
`29`	`29`	`)`
`30`		`- # TODO: team names need to be changed below when created`
`31`		`- admin_team: str = "ceph" # ceph's github team with sudo access to sepia`
`32`		`- teuth_team: str = "teuth" # ceph's github team with access to sepia`
	`30`	`+ admin_team: str = "Ceph" # ceph's github team with sudo access to sepia`
`33`	`31`
`34`	`32`
`35`	`33`	`@lru_cache()`