From 44fa85bdf067f24f3711cd1cb5fcc17cf823233f Mon Sep 17 00:00:00 2001 From: Thomas E Lackey Date: Thu, 21 Dec 2023 17:31:16 -0600 Subject: [PATCH] Double-check ownership. --- .../webapp/deploy_webapp_from_registry.py | 28 ++++++++----------- .../webapp/undeploy_webapp_from_registry.py | 15 +++++++++- stack_orchestrator/deploy/webapp/util.py | 8 ++++++ 3 files changed, 33 insertions(+), 18 deletions(-) diff --git a/stack_orchestrator/deploy/webapp/deploy_webapp_from_registry.py b/stack_orchestrator/deploy/webapp/deploy_webapp_from_registry.py index 35caae2b..2e4544eb 100644 --- a/stack_orchestrator/deploy/webapp/deploy_webapp_from_registry.py +++ b/stack_orchestrator/deploy/webapp/deploy_webapp_from_registry.py @@ -26,7 +26,8 @@ from stack_orchestrator.deploy.webapp import deploy_webapp from stack_orchestrator.deploy.webapp.util import (LaconicRegistryClient, build_container_image, push_container_image, file_hash, deploy_to_k8s, publish_deployment, - hostname_for_deployment_request, generate_hostname_for_app) + hostname_for_deployment_request, generate_hostname_for_app, + match_owner) def process_app_deployment_request( 
@@ -57,19 +58,12 @@ def process_app_deployment_request( dns_crn = f"{dns_record_namespace}/{fqdn}" dns_record = laconic.get_record(dns_crn) if dns_record: - dns_record_owners = dns_record.owners - dns_request_owners = [] - if dns_record.request: - prev_request = laconic.get_record(dns_record.request, require=True) - dns_request_owners = prev_request.owners + matched_owner = match_owner(app_deployment_request, dns_record) + if not matched_owner and dns_record.request: + matched_owner = match_owner(app_deployment_request, laconic.get_record(dns_record.request, require=True)) - owner_match = None - - for owner in app_deployment_request.owners: - if owner in dns_request_owners or owner in dns_record_owners: - owner_match = owner - if owner_match: - print("Matched DnsRecord ownership to", owner) + if matched_owner: + print("Matched DnsRecord ownership:", matched_owner) else: raise Exception("Unable to confirm ownership of DnsRecord %s for request %s" % (dns_record.id, app_deployment_request.id)) @@ -237,16 +231,16 @@ def command(ctx, kube_config, laconic_config, image_registry, deployment_parent_ deployments_by_request[d.attributes.request] = d # Find removal requests. - removals_by_request = {} + cancellation_requests = {} removal_requests = laconic.app_deployment_removal_requests() for r in removal_requests: if r.attributes.request: - removals_by_request[r.attributes.request] = r + cancellation_requests[r.attributes.request] = r requests_to_execute = [] for r in requests_by_name.values(): - if r.id in removals_by_request: - print(f"Found removal request for {r.id} at {removals_by_request[r.id].id}") + if r.id in cancellation_requests and match_owner(cancellation_requests[r.id], r): + print(f"Found deployment cancellation request for {r.id} at {cancellation_requests[r.id].id}") elif r.id in deployments_by_request: print(f"Found satisfied request for {r.id} at {deployments_by_request[r.id].id}") else: 
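Review bot: In the `command` hunk, `cancellation_requests` holds a single removal request per `r.attributes.request`, so when several removal requests name the same deployment request, the new `match_owner(cancellation_requests[r.id], r)` check only sees whichever one was stored last. If that entry comes from a non-owner, the owner's valid cancellation is ignored and the request falls through to the satisfied/execute branches. Collect the removal requests per target in a list and accept the cancellation when any of them passes `match_owner`; printing a line when a cancellation is rejected on ownership would also make this auditable. The ordering returned by `laconic.app_deployment_removal_requests()` is not visible here, and the body of `command` starts and ends outside the hunk.

```python
        if r.attributes.request:
            cancellation_requests.setdefault(r.attributes.request, []).append(r)

    # … unchanged: requests_to_execute = [] …
    for r in requests_by_name.values():
        owned_cancellations = [c for c in cancellation_requests.get(r.id, []) if match_owner(c, r)]
        if owned_cancellations:
            print(f"Found deployment cancellation request for {r.id} at {owned_cancellations[0].id}")
        # … unchanged: satisfied-request and execute branches …
```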
diff --git a/stack_orchestrator/deploy/webapp/undeploy_webapp_from_registry.py b/stack_orchestrator/deploy/webapp/undeploy_webapp_from_registry.py index 406c0255..6c5cac85 100644 --- a/stack_orchestrator/deploy/webapp/undeploy_webapp_from_registry.py +++ b/stack_orchestrator/deploy/webapp/undeploy_webapp_from_registry.py @@ -20,7 +20,7 @@ import sys import click -from stack_orchestrator.deploy.webapp.util import LaconicRegistryClient +from stack_orchestrator.deploy.webapp.util import LaconicRegistryClient, match_owner def process_app_removal_request(ctx, @@ -36,6 +36,19 @@ def process_app_removal_request(ctx, if not os.path.exists(deployment_dir): raise Exception("Deployment directory %s does not exist." % deployment_dir) + # Check if the removal request is from the owner of the DnsRecord or deployment record. + matched_owner = match_owner(app_removal_request, deployment_record, dns_record) + + # Or of the original deployment request. + if not matched_owner and deployment_record.request: + matched_owner = match_owner(app_removal_request, laconic.get_record(deployment_record.request, require=True)) + + if matched_owner: + print("Matched deployment ownership:", matched_owner) + else: + raise Exception("Unable to confirm ownership of deployment %s for removal request %s" % + (deployment_record.id, app_removal_request.id)) + # TODO(telackey): Call the function directly. The easiest way to build the correct click context is to # exec the process, but it would be better to refactor so we could just call down_operation with the # necessary parameters diff --git a/stack_orchestrator/deploy/webapp/util.py b/stack_orchestrator/deploy/webapp/util.py index 41ed50ae..b6d019aa 100644 --- a/stack_orchestrator/deploy/webapp/util.py +++ b/stack_orchestrator/deploy/webapp/util.py 
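Review bot: `match_owner(app_removal_request, deployment_record, dns_record)` reads `.owners` on every record it is given, and `dns_record` is looked up outside this hunk. In the deploy path the equivalent lookup (`laconic.get_record(dns_crn)`) is guarded by `if dns_record:`, which suggests it can come back empty. If that can happen here too, the removal aborts with an `AttributeError` rather than the intended "Unable to confirm ownership" error; it still fails closed, but the cause is hidden from the operator. Passing only the records that exist would avoid this, e.g. `match_owner(app_removal_request, *[r for r in (deployment_record, dns_record) if r])`. The body of `process_app_removal_request` starts and ends outside the hunk.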
@@ -49,6 +49,14 @@ def cmd(*vargs): raise err +def match_owner(recordA, *records): + for owner in recordA.owners: + for otherRecord in records: + if owner in otherRecord.owners: + return owner + return None + + class LaconicRegistryClient: def __init__(self, config_file): self.config_file = config_file
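Review bot: `match_owner` is now the authorization check for DNS-name reuse, cancellation and removal, but it has no docstring and its contract is only implied by the loops. A short docstring should say that it returns the first entry of `recordA.owners` that also appears in the `owners` of any of the other records, or `None` when there is no overlap, so a single shared owner on any supplied record is enough to authorize. The names `recordA` and `otherRecord` are camelCase while the rest of the patch uses snake_case (`dns_record`, `matched_owner`); `record` and `other_record` would match. The function also assumes every record has an iterable `owners`; whether that always holds is not visible from this hunk, so it is worth stating in the docstring or guarding with `(other_record.owners or [])`.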