[RMZ-413] Fix setUserRole when defaultRole is admin

jreynard-code · jreynard-code · commit 922b00577569 · 2024-11-20T11:17:48.000+01:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -144,6 +144,8 @@ tasks.jar {
   }
 }
 
+tasks.test { useJUnitPlatform() }
+
 // Dependencies version
 
 // Required versions
@@ -237,7 +239,7 @@ dependencies {
   testImplementation("org.jetbrains.kotlin:kotlin-test")
 
   // Use the Kotlin JUnit integration.
-  testImplementation("org.jetbrains.kotlin:kotlin-test-junit")
+  testImplementation("org.jetbrains.kotlin:kotlin-test-junit5")
 
   annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")
 }
diff --git a/src/main/kotlin/com/cosmotech/api/rbac/CsmRbac.kt b/src/main/kotlin/com/cosmotech/api/rbac/CsmRbac.kt
@@ -114,9 +114,10 @@ open class CsmRbac(
   ): RbacSecurity {
     logger.info("RBAC ${rbacSecurity.id} - Setting user $userId roles")
     this.verifyRoleOrThrow(rbacSecurity, role, rolesDefinition)
-    val currentRole = this.getUserRole(rbacSecurity, userId)
+    val currentACLRole =
+        rbacSecurity.accessControlList.firstOrNull { it.id.lowercase() == userId.lowercase() }?.role
     val adminRole = this.getAdminRole(rolesDefinition)
-    if (currentRole == adminRole &&
+    if (currentACLRole == adminRole &&
         role != adminRole &&
         this.getAdminCount(rbacSecurity, rolesDefinition) == 1) {
       throw CsmAccessForbiddenException(
diff --git a/src/test/kotlin/com/cosmotech/api/rbac/CsmRbacTests.kt b/src/test/kotlin/com/cosmotech/api/rbac/CsmRbacTests.kt
@@ -19,6 +19,8 @@ import kotlin.test.Test
 import kotlin.test.assertEquals
 import kotlin.test.assertFalse
 import kotlin.test.assertTrue
+import org.junit.jupiter.api.DynamicTest
+import org.junit.jupiter.api.TestFactory
 import org.junit.jupiter.api.assertDoesNotThrow
 import org.junit.jupiter.api.assertThrows
 import org.slf4j.Logger
@@ -683,7 +685,7 @@ class CsmRbacTests {
     assertTrue(rbacTest.check(rbacSecurity, customPermission, definition))
   }
 
-  // Utilitary methods for rbac creation
+  // Utility methods for rbac creation
   @Test
   fun `can add resource id and resource security in a second step`() {
     val definition = getCommonRolesDefinition()
@@ -695,6 +697,105 @@ class CsmRbacTests {
     assertTrue(rbacTest.check(rbacSecurity, PERMISSION_READ, definition))
   }
 
+  @TestFactory
+  fun `add ACL entry when default role is admin with only one admin defined`() =
+      listOf(ROLE_VIEWER, ROLE_USER, ROLE_EDITOR, ROLE_ADMIN).map { role ->
+        DynamicTest.dynamicTest(
+            "add ACL entry $role when default role is admin (with only one admin defined)") {
+              val rbacDefinition =
+                  RbacSecurity(
+                      id = "rbacOnlyOneAdminWithAdminDefaultRole",
+                      default = ROLE_ADMIN,
+                      accessControlList =
+                          mutableListOf(
+                              RbacAccessControl(id = "test.user@test.com", role = ROLE_ADMIN)))
+              val newUserId = "whatever.user@test.com"
+              rbac.setUserRole(rbacDefinition, newUserId, role, getCommonRolesDefinition())
+              assertTrue(rbacDefinition.accessControlList.size == 2)
+              assertTrue(
+                  rbacDefinition.accessControlList.contains(
+                      RbacAccessControl(id = newUserId, role = role)))
+            }
+      }
+
+  @TestFactory
+  fun `update ACL entry with only one admin defined`() =
+      mapOf(ROLE_VIEWER to true, ROLE_USER to true, ROLE_EDITOR to true, ROLE_ADMIN to false).map {
+          (role, shouldThrows) ->
+        DynamicTest.dynamicTest("update ACL entry $role with only one admin defined") {
+          val userId = "test.user@test.com"
+          val rbacDefinition =
+              RbacSecurity(
+                  id = "rbacOnlyOneAdmin",
+                  default = ROLE_NONE,
+                  accessControlList =
+                      mutableListOf(RbacAccessControl(id = userId, role = ROLE_ADMIN)))
+          if (shouldThrows) {
+            val assertThrows =
+                assertThrows<CsmAccessForbiddenException> {
+                  rbac.setUserRole(rbacDefinition, userId, role, getCommonRolesDefinition())
+                }
+            assertEquals(
+                "RBAC ${rbacDefinition.id} - It is forbidden to unset the last administrator",
+                assertThrows.message)
+          } else {
+            assertDoesNotThrow {
+              rbac.setUserRole(rbacDefinition, userId, role, getCommonRolesDefinition())
+              assertTrue(rbacDefinition.accessControlList.size == 1)
+              assertTrue(
+                  rbacDefinition.accessControlList.contains(
+                      RbacAccessControl(id = userId, role = role)))
+            }
+          }
+        }
+      }
+
+  @TestFactory
+  fun `remove ACL entry when default role is admin with only one admin defined`() =
+      listOf(ROLE_VIEWER, ROLE_USER, ROLE_EDITOR, ROLE_ADMIN).map { role ->
+        DynamicTest.dynamicTest(
+            "remove ACL entry $role when default role is admin (with only one admin defined)") {
+              val userId = "test.user@test.com"
+              val rbacDefinition =
+                  RbacSecurity(
+                      id = "rbacOnlyOneAdminWithAdminDefaultRole",
+                      default = ROLE_ADMIN,
+                      accessControlList =
+                          mutableListOf(RbacAccessControl(id = userId, role = ROLE_ADMIN)))
+              val assertThrows =
+                  assertThrows<CsmAccessForbiddenException> {
+                    rbac.removeUser(rbacDefinition, userId, getCommonRolesDefinition())
+                  }
+              assertEquals(
+                  "RBAC ${rbacDefinition.id} - It is forbidden to remove the last administrator",
+                  assertThrows.message)
+            }
+      }
+
+  @TestFactory
+  fun `remove ACL entry when default role is admin with an admin and another user defined`() =
+      listOf(ROLE_VIEWER, ROLE_USER, ROLE_EDITOR, ROLE_ADMIN).map { role ->
+        DynamicTest.dynamicTest(
+            "remove ACL entry $role when default role is admin (with only one admin defined)") {
+              val userId = "test.user@test.com"
+              val rbacDefinition =
+                  RbacSecurity(
+                      id = "rbacOnlyOneAdminWithAdminDefaultRole",
+                      default = ROLE_ADMIN,
+                      accessControlList =
+                          mutableListOf(
+                              RbacAccessControl(id = USER_ADMIN, role = ROLE_ADMIN),
+                              RbacAccessControl(id = userId, role = role)))
+              assertDoesNotThrow {
+                rbac.removeUser(rbacDefinition, userId, getCommonRolesDefinition())
+                assertTrue(rbacDefinition.accessControlList.size == 1)
+                assertTrue(
+                    rbacDefinition.accessControlList.contains(
+                        RbacAccessControl(id = USER_ADMIN, role = ROLE_ADMIN)))
+              }
+            }
+      }
+
   @Test
   fun `can add resource id and resource security in one call`() {
     val definition = getCommonRolesDefinition()

Original file line number	Diff line number	Diff line change
`@@ -144,6 +144,8 @@ tasks.jar {`
`144`	`144`	`}`
`145`	`145`	`}`
`146`	`146`
	`147`	`+tasks.test { useJUnitPlatform() }`
	`148`	`+`
`147`	`149`	`// Dependencies version`
`148`	`150`
`149`	`151`	`// Required versions`
`@@ -237,7 +239,7 @@ dependencies {`
`237`	`239`	`testImplementation("org.jetbrains.kotlin:kotlin-test")`
`238`	`240`
`239`	`241`	`// Use the Kotlin JUnit integration.`
`240`		`- testImplementation("org.jetbrains.kotlin:kotlin-test-junit")`
	`242`	`+ testImplementation("org.jetbrains.kotlin:kotlin-test-junit5")`
`241`	`243`
`242`	`244`	`annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")`
`243`	`245`	`}`