Use cosmotech-api-common in version 0.1.38-hotfixed

- Twingraph endpoints are now secured by platform role (Organization.User,...)
- OID can be set in RBAC (to access/manipulate organization/workspace/scenario)
- Users with Platform.Admin role can now delete/update ressources which was not created by them

Author: jreynard-code

build.gradle.kts

@@ -39,7 +39,7 @@ group = "com.cosmotech"
 version = scmVersion.version
 
 val kotlinJvmTarget = 17
-val cosmotechApiCommonVersion = "0.1.37-hotfixed"
+val cosmotechApiCommonVersion = "0.1.38-hotfixed"
 val cosmotechApiAzureVersion = "0.1.9-SNAPSHOT"
 val cosmotechApiCosmosDBVersion = "0.1.0-SNAPSHOT"
 val azureSpringBootBomVersion = "3.14.0"

connector/src/main/kotlin/com/cosmotech/connector/azure/ConnectorServiceImpl.kt

@@ -8,6 +8,8 @@ import com.cosmotech.api.azure.cosmosdb.ext.findByIdOrThrow
 import com.cosmotech.api.azure.cosmosdb.service.CsmCosmosDBService
 import com.cosmotech.api.events.ConnectorRemoved
 import com.cosmotech.api.exceptions.CsmAccessForbiddenException
+import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
+import com.cosmotech.api.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.connector.api.ConnectorApiService
 import com.cosmotech.connector.domain.Connector
@@ -46,14 +48,17 @@ internal class ConnectorServiceImpl : CsmCosmosDBService(), ConnectorApiService
     return cosmosTemplate.insert(
         coreConnectorContainer,
         connector.copy(
-            id = idGenerator.generate("connector"), ownerId = getCurrentAuthenticatedUserName()))
+            id = idGenerator.generate("connector"),
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties)))
         ?: throw IllegalStateException("No connector returned in response: $connector")
   }
 
   override fun unregisterConnector(connectorId: String) {
     val connector = this.findConnectorById(connectorId)
-    if (connector.ownerId != getCurrentAuthenticatedUserName()) {
-      // TODO Only the owner or an admin should be able to perform this operation
+    val isPlatformAdmin =
+        getCurrentAuthenticatedRoles(csmPlatformProperties).contains(ROLE_PLATFORM_ADMIN)
+    if (connector.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties) &&
+        !isPlatformAdmin) {
       throw CsmAccessForbiddenException("You are not allowed to delete this Resource")
     }
     cosmosTemplate.deleteEntity(coreConnectorContainer, connector)

dataset/src/main/kotlin/com/cosmotech/dataset/azure/DatasetServiceImpl.kt

@@ -14,8 +14,10 @@ import com.cosmotech.api.events.ConnectorRemovedForOrganization
 import com.cosmotech.api.events.OrganizationRegistered
 import com.cosmotech.api.events.OrganizationUnregistered
 import com.cosmotech.api.exceptions.CsmAccessForbiddenException
+import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
 import com.cosmotech.api.utils.changed
 import com.cosmotech.api.utils.compareToAndMutateIfNeeded
+import com.cosmotech.api.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.api.utils.toDomain
 import com.cosmotech.connector.api.ConnectorApiService
@@ -67,7 +69,8 @@ internal class DatasetServiceImpl(
 
     val datasetCopy =
         dataset.copy(
-            id = idGenerator.generate("dataset"), ownerId = getCurrentAuthenticatedUserName())
+            id = idGenerator.generate("dataset"),
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties))
     datasetCopy.connector!!.apply {
       name = existingConnector.name
       version = existingConnector.version
@@ -78,8 +81,10 @@ internal class DatasetServiceImpl(
 
   override fun deleteDataset(organizationId: String, datasetId: String) {
     val dataset = findDatasetById(organizationId, datasetId)
-    if (dataset.ownerId != getCurrentAuthenticatedUserName()) {
-      // TODO Only the owner or an admin should be able to perform this operation
+    val isPlatformAdmin =
+        getCurrentAuthenticatedRoles(csmPlatformProperties).contains(ROLE_PLATFORM_ADMIN)
+    if (dataset.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties) &&
+        !isPlatformAdmin) {
       throw CsmAccessForbiddenException("You are not allowed to delete this Resource")
     }
     cosmosTemplate.deleteEntity("${organizationId}_datasets", dataset)
@@ -94,9 +99,11 @@ internal class DatasetServiceImpl(
             .isNotEmpty()
 
     if (dataset.ownerId != null && dataset.changed(existingDataset) { ownerId }) {
+      val isPlatformAdmin =
+          getCurrentAuthenticatedRoles(csmPlatformProperties).contains(ROLE_PLATFORM_ADMIN)
       // Allow to change the ownerId as well, but only the owner can transfer the ownership
-      if (existingDataset.ownerId != getCurrentAuthenticatedUserName()) {
-        // TODO Only the owner or an admin should be able to perform this operation
+      if (existingDataset.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties) &&
+          !isPlatformAdmin) {
         throw CsmAccessForbiddenException(
             "You are not allowed to change the ownership of this Resource")
       }

organization/src/main/kotlin/com/cosmotech/organization/azure/OrganizationServiceImpl.kt

@@ -28,7 +28,7 @@ import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
 import com.cosmotech.api.utils.changed
 import com.cosmotech.api.utils.compareToAndMutateIfNeeded
-import com.cosmotech.api.utils.getCurrentAuthenticatedMail
+import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.api.utils.toDomain
 import com.cosmotech.organization.api.OrganizationApiService
@@ -65,7 +65,7 @@ class OrganizationServiceImpl(private val csmRbac: CsmRbac, private val csmAdmin
     if (isAdmin || !this.csmPlatformProperties.rbac.enabled) {
       return cosmosTemplate.findAll(coreOrganizationContainer)
     }
-    val currentUser = getCurrentAuthenticatedMail(this.csmPlatformProperties)
+    val currentUser = getCurrentAccountIdentifier(this.csmPlatformProperties)
     return cosmosCoreDatabase
         .getContainer(this.coreOrganizationContainer)
         .queryItems(
@@ -101,15 +101,15 @@ class OrganizationServiceImpl(private val csmRbac: CsmRbac, private val csmAdmin
 
     var organizationSecurity = organization.security
     if (organizationSecurity == null) {
-      organizationSecurity = initSecurity(getCurrentAuthenticatedMail(this.csmPlatformProperties))
+      organizationSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
     }
 
     val organizationRegistered =
         cosmosTemplate.insert(
             coreOrganizationContainer,
             organization.copy(
                 id = newOrganizationId,
-                ownerId = getCurrentAuthenticatedUserName(),
+                ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
                 security = organizationSecurity))
 
     val organizationId =

scenario/src/main/kotlin/com/cosmotech/scenario/azure/ScenarioServiceImpl.kt

@@ -40,7 +40,7 @@ import com.cosmotech.api.rbac.getScenarioRolesDefinition
 import com.cosmotech.api.scenario.ScenarioMetaData
 import com.cosmotech.api.utils.changed
 import com.cosmotech.api.utils.compareToAndMutateIfNeeded
-import com.cosmotech.api.utils.getCurrentAuthenticatedMail
+import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.api.utils.toDomain
 import com.cosmotech.organization.api.OrganizationApiService
@@ -159,14 +159,14 @@ internal class ScenarioServiceImpl(
 
     var scenarioSecurity = scenario.security
     if (scenarioSecurity == null) {
-      scenarioSecurity = initSecurity(getCurrentAuthenticatedMail(this.csmPlatformProperties))
+      scenarioSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
     }
 
     val now = OffsetDateTime.now()
     val scenarioToSave =
         scenario.copy(
             id = idGenerator.generate("scenario"),
-            ownerId = getCurrentAuthenticatedUserName(),
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
             solutionId = solution?.id,
             solutionName = solution?.name,
             runTemplateName = runTemplate?.name,
@@ -401,7 +401,7 @@ internal class ScenarioServiceImpl(
     }
     val isAdmin = csmRbac.isAdmin(workspace.getRbac(), getCommonRolesDefinition())
     if (!isAdmin && this.csmPlatformProperties.rbac.enabled) {
-      val currentUser = getCurrentAuthenticatedMail(this.csmPlatformProperties)
+      val currentUser = getCurrentAccountIdentifier(this.csmPlatformProperties)
       templateQuery +=
           " AND (ARRAY_CONTAINS(c.security.accessControlList, {id: @ACL_USER}, true) " +
               "OR c.security.default NOT LIKE 'none')"

scenario/src/test/kotlin/com/cosmotech/scenario/azure/ScenarioServiceImplTests.kt

@@ -18,7 +18,7 @@ import com.cosmotech.api.events.WorkflowStatusRequest
 import com.cosmotech.api.id.CsmIdGenerator
 import com.cosmotech.api.rbac.CsmRbac
 import com.cosmotech.api.rbac.PERMISSION_CREATE_CHILDREN
-import com.cosmotech.api.utils.getCurrentAuthenticatedMail
+import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.api.utils.getCurrentAuthentication
 import com.cosmotech.organization.api.OrganizationApiService
@@ -139,8 +139,8 @@ class ScenarioServiceImplTests {
     every { scenarioServiceImpl getProperty "csmPlatformProperties" } returns csmPlatformProperties
 
     mockkStatic("com.cosmotech.api.utils.SecurityUtilsKt")
-    every { getCurrentAuthenticatedUserName() } returns AUTHENTICATED_USERNAME
-    every { getCurrentAuthenticatedMail(csmPlatformProperties) } returns "[email protected]"
+    every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns AUTHENTICATED_USERNAME
+    every { getCurrentAccountIdentifier(csmPlatformProperties) } returns "[email protected]"
 
     scenarioServiceImpl.init()
   }

scenariorun/src/main/kotlin/com/cosmotech/scenariorun/azure/ScenarioRunServiceImpl.kt

@@ -28,8 +28,10 @@ import com.cosmotech.api.events.WorkflowPhaseToStateRequest
 import com.cosmotech.api.exceptions.CsmAccessForbiddenException
 import com.cosmotech.api.scenario.ScenarioRunMetaData
 import com.cosmotech.api.scenariorun.DataIngestionState
+import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
 import com.cosmotech.api.security.coroutine.SecurityCoroutineContext
 import com.cosmotech.api.utils.convertToMap
+import com.cosmotech.api.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.api.utils.toDomain
 import com.cosmotech.scenario.api.ScenarioApiService
@@ -118,8 +120,10 @@ internal class ScenarioRunServiceImpl(
 
   override fun deleteScenarioRun(organizationId: String, scenariorunId: String) {
     val scenarioRun = this.findScenarioRunById(organizationId, scenariorunId)
-    if (scenarioRun.ownerId != getCurrentAuthenticatedUserName()) {
-      // TODO Only the owner or an admin should be able to perform this operation
+    val isPlatformAdmin =
+        getCurrentAuthenticatedRoles(csmPlatformProperties).contains(ROLE_PLATFORM_ADMIN)
+    if (scenarioRun.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties) &&
+        !isPlatformAdmin) {
       throw CsmAccessForbiddenException("You are not allowed to delete this Resource")
     }
     deleteScenarioRunWithoutAccessEnforcement(scenarioRun)
@@ -618,7 +622,7 @@ internal class ScenarioRunServiceImpl(
     val scenarioRun =
         scenarioRunRequest.copy(
             id = idGenerator.generate("scenariorun", prependPrefix = "sr-"),
-            ownerId = getCurrentAuthenticatedUserName(),
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
             csmSimulationRun = csmSimulationId,
             organizationId = organizationId,
             workspaceId = workspaceId,

scenariorun/src/test/kotlin/com/cosmotech/scenariorun/azure/ScenarioRunServiceImplTests.kt

@@ -15,6 +15,7 @@ import com.cosmotech.api.azure.eventhubs.AzureEventHubsClient
 import com.cosmotech.api.config.CsmPlatformProperties
 import com.cosmotech.api.events.CsmEventPublisher
 import com.cosmotech.api.id.CsmIdGenerator
+import com.cosmotech.api.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.api.utils.getCurrentAuthentication
 import com.cosmotech.api.utils.objectMapper
@@ -49,7 +50,7 @@ import kotlin.test.assertEquals
 import kotlin.test.assertNotNull
 import kotlin.test.assertNull
 import org.junit.jupiter.api.extension.ExtendWith
-import org.springframework.security.core.Authentication
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication
 
 private const val ORGANIZATION_ID = "O-AbCdEf123"
 private const val WORKSPACE_ID = "W-AbCdEf123"
@@ -122,8 +123,9 @@ class ScenarioRunServiceImplTests {
         csmPlatformProperties
 
     mockkStatic(::getCurrentAuthentication)
-    val authentication = mockk<Authentication>()
-    every { authentication.name } returns AUTHENTICATED_USERNAME
+    val authentication = mockk<BearerTokenAuthentication>()
+    every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns AUTHENTICATED_USERNAME
+    every { getCurrentAuthenticatedRoles(any()) } returns listOf()
     every { getCurrentAuthentication() } returns authentication
 
     scenarioRunServiceImpl.init()
@@ -446,8 +448,8 @@ class ScenarioRunServiceImplTests {
     every { scenarioRun.workspaceKey } returns "wk"
     every { scenarioRun.csmSimulationRun } returns "csmSimulationRun"
     every { scenarioRun.scenarioId } returns "scenarioId"
-    every { getCurrentAuthenticatedUserName() } returns "ownerId"
-    scenarioRun.ownerId != getCurrentAuthenticatedUserName()
+    every { getCurrentAuthenticatedUserName(csmPlatformProperties) } returns "ownerId"
+    scenarioRun.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties)
     scenarioRunServiceImpl.deleteScenarioRun("orgId", "scenariorunId")
     verify(exactly = 1) { scenarioRunServiceImpl.deleteScenarioRun("orgId", "scenariorunId") }
   }

solution/src/main/kotlin/com/cosmotech/solution/azure/SolutionServiceImpl.kt

@@ -12,9 +12,11 @@ import com.cosmotech.api.events.OrganizationRegistered
 import com.cosmotech.api.events.OrganizationUnregistered
 import com.cosmotech.api.exceptions.CsmAccessForbiddenException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
+import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
 import com.cosmotech.api.utils.ResourceScanner
 import com.cosmotech.api.utils.changed
 import com.cosmotech.api.utils.compareToAndMutateIfNeeded
+import com.cosmotech.api.utils.getCurrentAuthenticatedRoles
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.solution.api.SolutionApiService
 import com.cosmotech.solution.domain.RunTemplate
@@ -138,13 +140,15 @@ internal class SolutionServiceImpl(
           "${organizationId}_solutions",
           solution.copy(
               id = idGenerator.generate("solution", prependPrefix = "sol-"),
-              ownerId = getCurrentAuthenticatedUserName()))
+              ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties)))
           ?: throw IllegalArgumentException("No solution returned in response: $solution")
 
   override fun deleteSolution(organizationId: String, solutionId: String) {
     val solution = findSolutionById(organizationId, solutionId)
-    if (solution.ownerId != getCurrentAuthenticatedUserName()) {
-      // TODO Only the owner or an admin should be able to perform this operation
+    val isPlatformAdmin =
+        getCurrentAuthenticatedRoles(csmPlatformProperties).contains(ROLE_PLATFORM_ADMIN)
+    if (solution.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties) &&
+        !isPlatformAdmin) {
       throw CsmAccessForbiddenException("You are not allowed to delete this Resource")
     }
     cosmosTemplate.deleteEntity("${organizationId}_solutions", solution)
@@ -177,8 +181,10 @@ internal class SolutionServiceImpl(
 
     if (solution.ownerId != null && solution.changed(existingSolution) { ownerId }) {
       // Allow to change the ownerId as well, but only the owner can transfer the ownership
-      if (existingSolution.ownerId != getCurrentAuthenticatedUserName()) {
-        // TODO Only the owner or an admin should be able to perform this operation
+      val isPlatformAdmin =
+          getCurrentAuthenticatedRoles(csmPlatformProperties).contains(ROLE_PLATFORM_ADMIN)
+      if (existingSolution.ownerId != getCurrentAuthenticatedUserName(csmPlatformProperties) &&
+          !isPlatformAdmin) {
         throw CsmAccessForbiddenException(
             "You are not allowed to change the ownership of this Resource")
       }

workspace/src/main/kotlin/com/cosmotech/workspace/azure/WorkspaceServiceImpl.kt

@@ -37,7 +37,7 @@ import com.cosmotech.api.security.coroutine.SecurityCoroutineContext
 import com.cosmotech.api.utils.ResourceScanner
 import com.cosmotech.api.utils.SecretManager
 import com.cosmotech.api.utils.compareToAndMutateIfNeeded
-import com.cosmotech.api.utils.getCurrentAuthenticatedMail
+import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
 import com.cosmotech.api.utils.toDomain
 import com.cosmotech.organization.api.OrganizationApiService
@@ -89,7 +89,7 @@ internal class WorkspaceServiceImpl(
             "OR c.security.default NOT LIKE 'none'"
     logger.debug("Template query: $templateQuery")
 
-    val currentUser = getCurrentAuthenticatedMail(this.csmPlatformProperties)
+    val currentUser = getCurrentAccountIdentifier(this.csmPlatformProperties)
     logger.debug("Getting workspaces for user $currentUser")
     return cosmosCoreDatabase
         .getContainer("${organizationId}_workspaces")
@@ -126,14 +126,14 @@ internal class WorkspaceServiceImpl(
 
     var workspaceSecurity = workspace.security
     if (workspaceSecurity == null) {
-      workspaceSecurity = initSecurity(getCurrentAuthenticatedMail(this.csmPlatformProperties))
+      workspaceSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
     }
 
     return cosmosTemplate.insert(
         "${organizationId}_workspaces",
         workspace.copy(
             id = idGenerator.generate("workspace"),
-            ownerId = getCurrentAuthenticatedUserName(),
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
             security = workspaceSecurity))
         ?: throw IllegalArgumentException("No Workspace returned in response: $workspace")
   }