feat(4157): adding option to hide UI button to disable apply commands

[igaskin]

what

Adds a flag for --disable-global-apply-lock, to the server command. The flag can be used to optional hid the "disable apply commands" button in the UI.

why

In shared environments it may not be desirable to have this button available to all users. In leu of RBAC, hiding the button can be an acceptable option.
before

after

tests

references

#4157

[lukemassa]

Hi @igaskin thanks for the contribution!

A few notes:

• I'm not sure about the name --disable-global-lock-feature, I wonder if --disable-global-apply-lock would be clearer? There are a number of locks in atlantis and I don't want it to be confusing
• Unless I'm misreading the code, it looks like this only removes the button from the GUI, it doesn't actually prevent someone from hitting /apply/lock and triggering the lock:

  atlantis/server/server.go

  Line 944 in 8983521

  s.Router.HandleFunc("/apply/lock", s.LocksController.LockApply).Methods("POST").Queries()

  . If we're disabling it for security reasons we might as well not leave that backdoor

[igaskin]

Hi @igaskin thanks for the contribution!

A few notes:

• I'm not sure about the name --disable-global-lock-feature, I wonder if --disable-global-apply-lock would be clearer? There are a number of locks in atlantis and I don't want it to be confusing
• Unless I'm misreading the code, it looks like this only removes the button from the GUI, it doesn't actually prevent someone from hitting /apply/lock and triggering the lock:

  atlantis/server/server.go

  Line 944 in 8983521

  s.Router.HandleFunc("/apply/lock", s.LocksController.LockApply).Methods("POST").Queries()

  
  . If we're disabling it for security reasons we might as well not leave that backdoor

sure, I can make that name change! And agreed on the API still being available, I close that off as well. Honestly I was being lazy, but your comment was the encouragement I needed.

[igaskin]

removed adding the /lock and /unlock routes if the --disable-global-apply-lock is enabled.

$ curl -XPOST localhost:4141/apply/lock
404 page not found
$ curl -XDELETE localhost:4141/apply/unlock
404 page not found

[DanielCastronovo]

When the --disable-global-apply-lock is enabled, as an admin is it possible to bypass it and use the API ? or maybe a specific route for secure specificaly with an OIDC provider like Okta.

[igaskin]

When the --disable-global-apply-lock is enabled, as an admin is it possible to bypass it and use the API ? or maybe a specific route for secure specificaly with an OIDC provider like Okta.

Agreed, it would be a great to have robust RBAC with permissions that are granular to the individual user. This PR is meant to be a easy option for Atlantis admins to restrict global locks. A proper RBAC/OIDC integration would be best fit in a separate PR.

[igaskin]

@lukemassa addressed comments. Please let me know if there are other changes you would like to see as part of this PR.

[lukemassa]

Looks good to me! I'll let other maintainers weigh in if they have any concerns.

[GenPage]

LGTM