spinnaker · robzienert · Oct 26, 2020 · Jun 23, 2020 · Jun 23, 2020 · Oct 25, 2020
@@ -1,6 +1,6 @@
 # _<short_summary_of_proposal>_
 
-_**IMPORTANT**: Fill in and remove all italicized text before submission. 
+_**IMPORTANT**: Fill in and remove all italicized text before submission.
 If a section is not applicable, remove it._
 
 | | |

@@ -0,0 +1,94 @@
+# Select roles that can execute manual judgement stage
+
+| | |
+|-|-|
+| **Status**     | _**Proposed**, Accepted, Implemented, Obsolete_ |
+| **RFC #**      | https://github.com/spinnaker/deck/pull/8368 | https://github.com/spinnaker/orca/pull/3763
+| **Author(s)**  | Sanjeev Thatiparthi (@sanopsmx) (https://github.com/sanopsmx)
+| **SIG / WG**   | sig-ux
+
+## Overview
+
+ Display all the roles of the user added in the application in the manual judgment stage.If there are 2 groups(dev,qa)
+ and qa group has the permission to deploy.If there is a manual judgment stage before the deploy stage.If there are
+ no groups attached to the manual judgment stage, then dev group can continue with the manual judgment stage and get
+ failed at the deploy stage as only qa group has the permission to deploy. This is the reason we are displaying all
+ the roles of the application. This is a usability feature.
+
+### Goals and Non-Goals
+
+Display authorized groups dropdown list only when the user selects the manual judgment stage.
+Display all the groups the user has selected while creating application(permissions) in the authorized groups dropdown.
+When the pipeline is executed, disable the manual judgment 'continue/cancel' based on the user role selected in the authorized groups.
+
+opsmxemp1 : ["mail-qa","sra-dev","mail-dev","sra-qa","empdev"]
+
+| Testcase No. | Application Name | Application Roles                               | Application Permissions                                             |   Manual Judgment Roles | User      | Result         |
+|:------------:|------------------|-------------------------------------------------|---------------------------------------------------------------------|-------------------------|-----------|----------------|
+| 1            | testmanualjud001 | sra-dev,sra-qa                                  |sra-dev(r,w,e),sra-qa(r)                                             |                 sra-dev | opsmxemp1 | Enable Button  |
+| 2            | testmanualjud002 | N.A                                             |         ----                                                        |                     N.A | opsmxemp1 | Enable Button  |
+| 3            | testmanualjud003 | sra-dev,sra-qa                                  |sra-dev(r,w,e),sra-qa(r)                                             |                     N.A | opsmxemp1 | Enable Button  |
+| 4            | testmanualjud004 | sra-dev,sra-qa,mail-dev,mail-qa,emp-dev,finance |sra-dev(r),sra-qa(r),mail-dev(r,w,e),mail-qa(r),emp-dev(r),finance(r)| sra-qa,mail-dev,finance | opsmxemp1 | Enable Button  |
+| 5            | testmanualjud005 | sra-dev,mail-qa,operations                      |sra-dev(r),mail-qa(r),operations(r,w,e)                              |              operations | opsmxemp1 | Disable Button |
+| 6            | testmanualjud006 | sra-dev,mail-qa                                 |sra-dev(r),mail-qa(r,w,e)                                            |              sra-dev    | opsmxemp1 | Disable Button |
+
+User can opt out of this feature as stated in the testcase 2 & 3.
+If authz is not enabled, it will work in the same way.
+The above test cases will handle all the test scenarios.
+If the role is set in the manual judgment stage, then we check the stage role both in the application roles and user roles.
+If yes,we check for application permissions of that role. If yes(stage role has execute/write/create application permission),
+we can approve and move to the downstream stage, if no(stage role has read application permission), then we deny
+(disable the continue button in the manual judgment stage).If the pipeline is triggered from command line,
+then the backend orca code checks the same above mentioned logic.If yes,we approve and moves to the
+downstream stage , if no, then we deny(It will be running in the same stage).
+
+## Motivation and Rationale
+
+Only legitimate users can approve the manual judgment stage so that it can be moved to downstream stages.
+
+## Timeline
+
+Already Implemented
+
+## Design
+
+1. Enhanced stage.html to
+
+   Get the roles of the application.
+   Display the roles of the application as a list only if the stage is Manual Judgment.
+
+2. Enhanced stage.module.js to
+
+   Fetch the permissions of the application from the gate application url.
+   Application permissions has all the roles.
+   Populate the list with only the roles of the application with no duplicates.
+
+3.  Enhanced ApplicationReader.ts to
+
+   Fetch the permissions of the application from the gate application url.
+
+4.  Enhanced ManualJudgmentApproval.tsx to
+
+   Fetch the roles of the application, stage and the user during the execution.
+   Iterate through each of the user role to check if the role exists in the stage and application.
+   We also check for stage role application permission.
+   If the stage role has execute/write/create application permission, then enable the continue button.
+   If the stage role has read application permission, then disable the continue button.
+
+5.  Enhanced OperationsController.groovy to
+
+    Get the application roles, stage roles and the user roles.
+    Check each of the user roles whether they are contained in the stage and application roles.
+    We also check for stage role application permission.
+    If the stage role has execute/write/create application permission, then we set the isAuthorized flag to true.
+    If the stage role has read application permission, then we set the isAuthorized flag to false.
+    By default, all the stages except Manual Judgment are true.
+
+6.  Enhanced ManualJudgmentStage.groovy to
+
+    Check for the flag in ManualJudgmentStage.groovy whether to execute to the next stage or not.
+    If yes/no, continue with the next stages/continues running the same stage.
+
+7.  Enhanced ManualJudgmentStageSpec.groovy to
+
+    Modified the testcases as per the new logic.