add tests for added security endpoints

Leopold-Cramer · Leopold-Cramer · commit 6846a265eb8b · 2023-11-07T11:43:38.000+01:00
diff --git a/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt b/dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt
@@ -494,6 +494,23 @@ class DatasetServiceIntegrationTest : CsmRedisTestBase() {
     }
   }
 
+  @Test
+  fun `test security endpoints`() {
+    organizationSaved = organizationApiService.registerOrganization(organization)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+    logger.info("should return the current security")
+    val datasetSecurity =
+        datasetApiService.getDatasetSecurity(organizationSaved.id!!, datasetSaved.id!!)
+    assertEquals(datasetSaved.security, datasetSecurity)
+
+    logger.info("should update the default security and assert it worked")
+    val datasetDefaultSecurity =
+        datasetApiService.setDatasetDefaultSecurity(
+            organizationSaved.id!!, datasetSaved.id!!, DatasetRole(ROLE_VIEWER))
+    datasetSaved = datasetApiService.findDatasetById(organizationSaved.id!!, datasetSaved.id!!)
+    assertEquals(datasetSaved.security!!, datasetDefaultSecurity)
+  }
+
   @TestFactory
   fun `test RBAC twingraphBatchUpdate`() =
       mapOf(
@@ -1595,6 +1612,95 @@ class DatasetServiceIntegrationTest : CsmRedisTestBase() {
             }
           }
 
+  @TestFactory
+  fun `test RBAC getDatasetSecurity`() =
+      mapOf(
+              ROLE_VIEWER to false,
+              ROLE_EDITOR to false,
+              ROLE_USER to false,
+              ROLE_NONE to true,
+              ROLE_ADMIN to false,
+          )
+          .map { (role, shouldThrow) ->
+            DynamicTest.dynamicTest("Test RBAC getDatasetSecurity : $role") {
+              every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+
+              val organization = makeOrganizationWithRole()
+              organizationSaved = organizationApiService.registerOrganization(organization)
+              val dataset = makeDatasetWithRole(role = role)
+              datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+              materializeTwingraph()
+
+              every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+
+              if (shouldThrow) {
+                val exception =
+                    assertThrows<CsmAccessForbiddenException> {
+                      datasetApiService.getDatasetSecurity(
+                          organizationSaved.id!!, datasetSaved.id!!)
+                    }
+                if (role == ROLE_NONE) {
+                  assertEquals(
+                      "RBAC ${datasetSaved.id!!} - User does not have permission $PERMISSION_READ",
+                      exception.message)
+                } else {
+                  assertEquals(
+                      "RBAC ${datasetSaved.id!!} - User does not have permission $PERMISSION_READ_SECURITY",
+                      exception.message)
+                }
+              } else {
+                assertDoesNotThrow {
+                  datasetApiService.getDatasetSecurity(organizationSaved.id!!, datasetSaved.id!!)
+                }
+              }
+            }
+          }
+
+  @TestFactory
+  fun `test RBAC setDatasetDefaultSecurity`() =
+      mapOf(
+              ROLE_VIEWER to true,
+              ROLE_EDITOR to true,
+              ROLE_USER to true,
+              ROLE_NONE to true,
+              ROLE_ADMIN to false,
+          )
+          .map { (role, shouldThrow) ->
+            DynamicTest.dynamicTest("Test RBAC setDatasetDefaultSecurity : $role") {
+              every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+
+              val organization = makeOrganizationWithRole()
+              organizationSaved = organizationApiService.registerOrganization(organization)
+              val dataset = makeDatasetWithRole(role = role)
+              datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+              materializeTwingraph()
+
+              every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+
+              if (shouldThrow) {
+                val exception =
+                    assertThrows<CsmAccessForbiddenException> {
+                      datasetApiService.setDatasetDefaultSecurity(
+                          organizationSaved.id!!, datasetSaved.id!!, DatasetRole(ROLE_VIEWER))
+                    }
+                if (role == ROLE_NONE) {
+                  assertEquals(
+                      "RBAC ${datasetSaved.id!!} - User does not have permission $PERMISSION_READ",
+                      exception.message)
+                } else {
+                  assertEquals(
+                      "RBAC ${datasetSaved.id!!} - User does not have permission $PERMISSION_WRITE_SECURITY",
+                      exception.message)
+                }
+              } else {
+                assertDoesNotThrow {
+                  datasetApiService.setDatasetDefaultSecurity(
+                      organizationSaved.id!!, datasetSaved.id!!, DatasetRole(ROLE_VIEWER))
+                }
+              }
+            }
+          }
+
   private fun materializeTwingraph(
       dataset: Dataset = datasetSaved,
       createTwingraph: Boolean = true
diff --git a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt
@@ -8,6 +8,7 @@ import com.cosmotech.api.exceptions.CsmAccessForbiddenException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
 import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
+import com.cosmotech.api.rbac.ROLE_VIEWER
 import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
 import com.cosmotech.api.tests.CsmRedisTestBase
 import com.cosmotech.api.utils.getCurrentAccountIdentifier
@@ -23,6 +24,7 @@ import com.cosmotech.solution.domain.RunTemplateParameter
 import com.cosmotech.solution.domain.RunTemplateParameterGroup
 import com.cosmotech.solution.domain.Solution
 import com.cosmotech.solution.domain.SolutionAccessControl
+import com.cosmotech.solution.domain.SolutionRole
 import com.cosmotech.solution.domain.SolutionSecurity
 import com.redis.om.spring.RediSearchIndexer
 import io.mockk.every
@@ -390,6 +392,23 @@ class SolutionServiceIntegrationTest : CsmRedisTestBase() {
       solutionApiService.findAllSolutions(organizationRegistered.id!!, 0, -1)
     }
   }
+
+  @Test
+  fun `test security endpoints`() {
+    logger.info("should return the current security")
+    val solutionSecurity =
+        solutionApiService.getSolutionSecurity(organizationRegistered.id!!, solutionRegistered.id!!)
+    assertEquals(solutionRegistered.security, solutionSecurity)
+
+    logger.info("should update the default security and assert it worked")
+    val solutionDefaultSecurity =
+        solutionApiService.setSolutionDefaultSecurity(
+            organizationRegistered.id!!, solutionRegistered.id!!, SolutionRole(ROLE_VIEWER))
+    solutionRegistered =
+        solutionApiService.findSolutionById(organizationRegistered.id!!, solutionRegistered.id!!)
+    assertEquals(solutionRegistered.security!!, solutionDefaultSecurity)
+  }
+
   fun makeOrganization(id: String = "organization_id"): Organization {
     return Organization(
         id = id,
diff --git a/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt b/solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceRBACTest.kt
@@ -1030,6 +1030,97 @@ class SolutionServiceRBACTest : CsmRedisTestBase() {
             }
           }
 
+  @TestFactory
+  fun `test RBAC getSolutionSecurity`() =
+      mapOf(
+              ROLE_VIEWER to false,
+              ROLE_EDITOR to false,
+              ROLE_USER to false,
+              ROLE_NONE to true,
+              ROLE_ADMIN to false,
+          )
+          .map { (role, shouldThrow) ->
+            DynamicTest.dynamicTest("Test RBAC getSolutionSecurity : $role") {
+              every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+
+              val organization =
+                  makeOrganizationWithRole(userName = TEST_USER_MAIL, role = ROLE_ADMIN)
+              organizationSaved = organizationApiService.registerOrganization(organization)
+              val solution =
+                  makeSolutionWithRole(organizationSaved.id!!, TEST_USER_MAIL, role = role)
+              solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, solution)
+
+              every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+
+              if (shouldThrow) {
+                val exception =
+                    assertThrows<CsmAccessForbiddenException> {
+                      solutionApiService.getSolutionSecurity(
+                          organizationSaved.id!!, solutionSaved.id!!)
+                    }
+                if (role == ROLE_NONE) {
+                  assertEquals(
+                      "RBAC ${solutionSaved.id!!} - User does not have permission $PERMISSION_READ",
+                      exception.message)
+                } else {
+                  assertEquals(
+                      "RBAC ${solutionSaved.id!!} - User does not have permission $PERMISSION_READ_SECURITY",
+                      exception.message)
+                }
+              } else {
+                assertDoesNotThrow {
+                  solutionApiService.getSolutionSecurity(organizationSaved.id!!, solutionSaved.id!!)
+                }
+              }
+            }
+          }
+
+  @TestFactory
+  fun `test RBAC setSolutionDefaultSecurity`() =
+      mapOf(
+              ROLE_VIEWER to true,
+              ROLE_EDITOR to true,
+              ROLE_USER to true,
+              ROLE_NONE to true,
+              ROLE_ADMIN to false,
+          )
+          .map { (role, shouldThrow) ->
+            DynamicTest.dynamicTest("Test RBAC setSolutionDefaultSecurity : $role") {
+              every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+
+              val organization =
+                  makeOrganizationWithRole(userName = TEST_USER_MAIL, role = ROLE_ADMIN)
+              organizationSaved = organizationApiService.registerOrganization(organization)
+              val solution =
+                  makeSolutionWithRole(organizationSaved.id!!, TEST_USER_MAIL, role = role)
+              solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, solution)
+
+              every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+
+              if (shouldThrow) {
+                val exception =
+                    assertThrows<CsmAccessForbiddenException> {
+                      solutionApiService.setSolutionDefaultSecurity(
+                          organizationSaved.id!!, solutionSaved.id!!, SolutionRole(ROLE_VIEWER))
+                    }
+                if (role == ROLE_NONE) {
+                  assertEquals(
+                      "RBAC ${solutionSaved.id!!} - User does not have permission $PERMISSION_READ",
+                      exception.message)
+                } else {
+                  assertEquals(
+                      "RBAC ${solutionSaved.id!!} - User does not have permission $PERMISSION_WRITE_SECURITY",
+                      exception.message)
+                }
+              } else {
+                assertDoesNotThrow {
+                  solutionApiService.setSolutionDefaultSecurity(
+                      organizationSaved.id!!, solutionSaved.id!!, SolutionRole(ROLE_VIEWER))
+                }
+              }
+            }
+          }
+
   fun makeOrganizationWithRole(
       id: String = "organization_id",
       userName: String,
