[PROD-13443] Make sure to have an admin when creating a resource

Author: sjoubert

dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt

@@ -24,7 +24,6 @@ import com.cosmotech.api.rbac.PERMISSION_DELETE
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
@@ -184,21 +183,7 @@ class DatasetServiceImpl(
     val existingConnector = connectorService.findConnectorById(dataset.connector!!.id!!)
     logger.debug("Found connector: {}", existingConnector)
 
-    var datasetSecurity = dataset.security
-    if (datasetSecurity == null) {
-      datasetSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
-    } else {
-      val accessControls = mutableListOf<String>()
-      datasetSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
-
-    val datasetCopy =
+    val createdDataset =
         dataset.copy(
             id = idGenerator.generate("dataset"),
             twingraphId = twingraphId,
@@ -209,13 +194,14 @@ class DatasetServiceImpl(
             ingestionStatus = IngestionStatusEnum.NONE,
             twincacheStatus = TwincacheStatusEnum.EMPTY,
             ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
-            organizationId = organizationId,
-            security = datasetSecurity)
-    datasetCopy.connector!!.apply {
+            organizationId = organizationId)
+    createdDataset.setRbac(csmRbac.initSecurity(dataset.getRbac()))
+    createdDataset.connector!!.apply {
       name = existingConnector.name
       version = existingConnector.version
     }
-    return datasetRepository.save(datasetCopy)
+
+    return datasetRepository.save(createdDataset)
   }
 
   override fun createSubDataset(
@@ -1241,12 +1227,6 @@ class DatasetServiceImpl(
   }
 }
 
-private fun initSecurity(userId: String): DatasetSecurity {
-  return DatasetSecurity(
-      default = ROLE_NONE,
-      accessControlList = mutableListOf(DatasetAccessControl(userId, ROLE_ADMIN)))
-}
-
 fun Dataset.getRbac(): RbacSecurity {
   return RbacSecurity(
       this.id,

organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt

@@ -118,8 +118,10 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
 
     @Test
     fun `findAllOrganizations with correct values and RBAC for current user`() {
-
+      runAsDifferentOrganizationUser()
       val numberOfOrganizationCreated = createOrganizationsWithAllCombinationOfRole(TEST_USER_ID)
+
+      runAsOrganizationUser()
       // This number represents the amount of Organization that test.user can read regarding RBAC
       // This is typically all simple combinations except "securityRole to none"
       // We have 36 combinations per user in batchOrganizationCreationWithRBAC
@@ -129,9 +131,11 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
 
     @Test
     fun `findAllOrganizations with correct values and no RBAC for current user`() {
-
+      runAsDifferentOrganizationUser()
       val numberOfOrganizationCreated =
           createOrganizationsWithAllCombinationOfRole(OTHER_TEST_USER_ID)
+
+      runAsOrganizationUser()
       // This number represents the amount of Organization that test.user can read regarding RBAC
       // We have 36 combinations per user in batchOrganizationCreationWithRBAC
       // securityRole does not refer to test.user
@@ -222,7 +226,8 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
             OrganizationSecurity(
                 default = ROLE_USER,
                 mutableListOf(
-                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE))),
+                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE),
+                    OrganizationAccessControl(id = TEST_USER_ID, role = ROLE_ADMIN))),
             organizationRegistered.security)
         assertEquals(name, organizationRegistered.name)
         assertTrue(organizationRegistered.id!!.startsWith("o-"))
@@ -252,7 +257,8 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       assertThrows<CsmAccessForbiddenException> {
         val name = "o-connector-test-1"
         val organizationToRegister =
-            createTestOrganizationWithSimpleSecurity(name, OTHER_TEST_USER_ID, ROLE_USER, ROLE_NONE)
+            createTestOrganizationWithSimpleSecurity(
+                name, OTHER_TEST_USER_ID, ROLE_USER, ROLE_ADMIN)
         val organizationRegistered =
             organizationApiService.registerOrganization(organizationToRegister)
         organizationApiService.unregisterOrganization(organizationRegistered.id!!)
@@ -1011,7 +1017,7 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       runAsOrganizationUser()
       val orgaUsers =
           organizationApiService.getOrganizationSecurityUsers(organizationRegistered.id!!)
-      assertEquals(listOf(TEST_USER_ID), orgaUsers)
+      assertEquals(listOf(TEST_USER_ID, OTHER_TEST_USER_ID), orgaUsers)
     }
 
     @Test
@@ -1161,7 +1167,8 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
             OrganizationSecurity(
                 default = ROLE_USER,
                 mutableListOf(
-                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE))),
+                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE),
+                    OrganizationAccessControl(id = TEST_ADMIN_USER_ID, role = ROLE_ADMIN))),
             organizationRegistered.security)
         assertEquals(name, organizationRegistered.name)
         assertTrue(organizationRegistered.id!!.startsWith("o-"))
@@ -2027,7 +2034,7 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       runAsPlatformAdmin()
       val orgaUsers =
           organizationApiService.getOrganizationSecurityUsers(organizationRegistered.id!!)
-      assertEquals(listOf(TEST_USER_ID), orgaUsers)
+      assertEquals(listOf(TEST_USER_ID, OTHER_TEST_USER_ID), orgaUsers)
     }
 
     @Test
@@ -2040,7 +2047,7 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       runAsPlatformAdmin()
       val orgaUsers =
           organizationApiService.getOrganizationSecurityUsers(organizationRegistered.id!!)
-      assertEquals(listOf(TEST_USER_ID), orgaUsers)
+      assertEquals(listOf(TEST_USER_ID, OTHER_TEST_USER_ID), orgaUsers)
     }
 
     @Test

organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt

@@ -12,7 +12,6 @@ import com.cosmotech.api.rbac.PERMISSION_READ
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.getAllRolesDefinition
 import com.cosmotech.api.rbac.getCommonRolesDefinition
@@ -77,33 +76,19 @@ class OrganizationServiceImpl(
   }
 
   override fun registerOrganization(organization: Organization): Organization {
-    logger.trace("Registering organization : {}", organization)
+    logger.trace("Registering organization: {}", organization)
 
     if (organization.name.isNullOrBlank()) {
       throw IllegalArgumentException("Organization name must not be null or blank")
     }
 
-    val newOrganizationId = idGenerator.generate("organization")
-    var organizationSecurity = organization.security
-    if (organizationSecurity == null) {
-      val currentUser = getCurrentAccountIdentifier(this.csmPlatformProperties)
-      organizationSecurity = initSecurity(currentUser)
-    } else {
-      val accessControls = mutableListOf<String>()
-      organizationSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
-
-    return organizationRepository.save(
+    val createdOrganization =
         organization.copy(
-            id = newOrganizationId,
-            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
-            security = organizationSecurity))
+            id = idGenerator.generate("organization"),
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties))
+    createdOrganization.setRbac(csmRbac.initSecurity(organization.getRbac()))
+
+    return organizationRepository.save(createdOrganization)
   }
 
   override fun unregisterOrganization(organizationId: String) {
@@ -242,12 +227,6 @@ class OrganizationServiceImpl(
     requiredPermissions.forEach { csmRbac.verify(organization.getRbac(), it) }
     return organization
   }
-
-  private fun initSecurity(userId: String): OrganizationSecurity {
-    return OrganizationSecurity(
-        default = ROLE_NONE,
-        accessControlList = mutableListOf(OrganizationAccessControl(userId, ROLE_ADMIN)))
-  }
 }
 
 fun Organization.getRbac(): RbacSecurity {

runner/src/main/kotlin/com/cosmotech/runner/service/RunnerApiServiceImpl.kt

@@ -37,12 +37,7 @@ internal class RunnerApiServiceImpl(
             .inWorkspace(workspaceId)
             .userHasPermissionOnWorkspace(PERMISSION_CREATE_CHILDREN)
     val runnerInstance =
-        runnerService
-            .getNewInstance()
-            .setValueFrom(runner)
-            .initSecurity()
-            .initParameters()
-            .setSecurityFrom(runner)
+        runnerService.getNewInstance().setValueFrom(runner).initSecurity(runner).initParameters()
 
     return runnerService.saveInstance(runnerInstance)
   }

runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt

@@ -11,7 +11,6 @@ import com.cosmotech.api.exceptions.CsmClientException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
 import com.cosmotech.api.rbac.CsmRbac
 import com.cosmotech.api.rbac.PERMISSION_READ
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.ROLE_USER
 import com.cosmotech.api.rbac.ROLE_VALIDATOR
@@ -192,21 +191,13 @@ class RunnerService(
           }
     }
 
-    fun setSecurityFrom(runner: Runner): RunnerInstance = apply {
-      val rbacSecurity = extractRbacSecurity(runner) ?: return@apply
-      this.setRbacSecurity(rbacSecurity)
-    }
-
     fun setLastRunId(runInfo: String) {
       this.runner.lastRunId = runInfo
     }
 
-    fun initSecurity(): RunnerInstance = apply {
-      val userId = getCurrentAccountIdentifier(csmPlatformProperties)
-      this.runner.security =
-          RunnerSecurity(
-              default = ROLE_NONE,
-              accessControlList = mutableListOf(RunnerAccessControl(userId, ROLE_ADMIN)))
+    fun initSecurity(runner: Runner): RunnerInstance = apply {
+      val rbacSecurity = csmRbac.initSecurity(extractRbacSecurity(runner))
+      setRbacSecurity(rbacSecurity)
     }
 
     fun initParameters(): RunnerInstance = apply {
@@ -270,7 +261,7 @@ class RunnerService(
     }
 
     private fun getRbacSecurity(): RbacSecurity {
-      return extractRbacSecurity(this.runner)!!
+      return extractRbacSecurity(this.runner)
     }
 
     private fun setRbacSecurity(rbacSecurity: RbacSecurity) {
@@ -283,10 +274,7 @@ class RunnerService(
                   .toMutableList())
     }
 
-    private fun extractRbacSecurity(runner: Runner): RbacSecurity? {
-      if (runner.security == null) {
-        return null
-      }
+    private fun extractRbacSecurity(runner: Runner): RbacSecurity {
       return RbacSecurity(
           runner.id,
           runner.security?.default ?: ROLE_NONE,

solution/src/main/kotlin/com/cosmotech/solution/service/SolutionServiceImpl.kt

@@ -13,7 +13,6 @@ import com.cosmotech.api.rbac.PERMISSION_DELETE
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
@@ -191,27 +190,15 @@ class SolutionServiceImpl(
 
   override fun createSolution(organizationId: String, solution: Solution): Solution {
     organizationApiService.getVerifiedOrganization(organizationId, PERMISSION_CREATE_CHILDREN)
-    var solutionSecurity = solution.security
-    if (solutionSecurity == null) {
-      solutionSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
-    } else {
-      val accessControls = mutableListOf<String>()
-      solutionSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
 
-    return solutionRepository.save(
+    val createdSolution =
         solution.copy(
             id = idGenerator.generate("solution", prependPrefix = "sol-"),
             organizationId = organizationId,
-            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
-            security = solutionSecurity,
-            runTemplates = solution.runTemplates))
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties))
+    createdSolution.setRbac(csmRbac.initSecurity(solution.getRbac()))
+
+    return solutionRepository.save(createdSolution)
   }
 
   override fun deleteSolution(organizationId: String, solutionId: String) {
@@ -412,12 +399,6 @@ fun Solution.getRbac(): RbacSecurity {
           ?: mutableListOf())
 }
 
-private fun initSecurity(userId: String): SolutionSecurity {
-  return SolutionSecurity(
-      default = ROLE_NONE,
-      accessControlList = mutableListOf(SolutionAccessControl(userId, ROLE_ADMIN)))
-}
-
 fun Solution.setRbac(rbacSecurity: RbacSecurity) {
   this.security =
       SolutionSecurity(

workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt

@@ -19,7 +19,6 @@ import com.cosmotech.api.rbac.PERMISSION_READ
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.getCommonRolesDefinition
 import com.cosmotech.api.rbac.getPermissions
@@ -114,26 +113,14 @@ internal class WorkspaceServiceImpl(
     // Validate Solution ID
     workspace.solution.solutionId?.let { solutionService.findSolutionById(organizationId, it) }
 
-    var workspaceSecurity = workspace.security
-    if (workspaceSecurity == null) {
-      workspaceSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
-    } else {
-      val accessControls = mutableListOf<String>()
-      workspaceSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
-
-    return workspaceRepository.save(
+    val createdWorkspace =
         workspace.copy(
             id = idGenerator.generate("workspace"),
             organizationId = organizationId,
-            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
-            security = workspaceSecurity))
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties))
+    createdWorkspace.setRbac(csmRbac.initSecurity(workspace.getRbac()))
+
+    return workspaceRepository.save(createdWorkspace)
   }
 
   override fun deleteAllWorkspaceFiles(organizationId: String, workspaceId: String) {
@@ -531,12 +518,6 @@ internal class WorkspaceServiceImpl(
     return workspaceRepository.save(workspace)
   }
 
-  private fun initSecurity(userId: String): WorkspaceSecurity {
-    return WorkspaceSecurity(
-        default = ROLE_NONE,
-        accessControlList = mutableListOf(WorkspaceAccessControl(userId, ROLE_ADMIN)))
-  }
-
   private fun sendRemoveWorkspaceFromDatasetEvent(
       organizationId: String,
       datasetId: String,