add PR review feedbacks

Author: Leopold-Cramer

dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt

@@ -1020,42 +1020,22 @@ class DatasetServiceIntegrationTest : CsmRedisTestBase() {
   }
 
   @Test
-  fun `viewerRole has limited vision on security`() {
+  fun `As viewer, I can only see my information in security property for findDatasetById`() {
     dataset = makeDatasetWithRole(role = ROLE_VIEWER)
-
     datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
-    assertEquals(
-        DatasetSecurity(
-            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
-        datasetSaved.security)
 
     datasetSaved = datasetApiService.findDatasetById(organizationSaved.id!!, datasetSaved.id!!)
     assertEquals(
         DatasetSecurity(
             default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
         datasetSaved.security)
+    assertEquals(1, datasetSaved.security!!.accessControlList.size)
+  }
 
-    datasetSaved = datasetApiService.getVerifiedDataset(organizationSaved.id!!, datasetSaved.id!!)
-    assertEquals(
-        DatasetSecurity(
-            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
-        datasetSaved.security)
-
-    datasetSaved =
-        datasetApiService.linkWorkspace(
-            organizationSaved.id!!, datasetSaved.id!!, workspaceSaved.id!!)
-    assertEquals(
-        DatasetSecurity(
-            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
-        datasetSaved.security)
-
-    datasetSaved =
-        datasetApiService.unlinkWorkspace(
-            organizationSaved.id!!, datasetSaved.id!!, workspaceSaved.id!!)
-    assertEquals(
-        DatasetSecurity(
-            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
-        datasetSaved.security)
+  @Test
+  fun `As viewer, I can only see my information in security property for findByOrganizationIdAndDatasetId`() {
+    dataset = makeDatasetWithRole(role = ROLE_VIEWER)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
 
     datasetSaved =
         datasetApiService.findByOrganizationIdAndDatasetId(
@@ -1064,25 +1044,46 @@ class DatasetServiceIntegrationTest : CsmRedisTestBase() {
         DatasetSecurity(
             default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
         datasetSaved.security)
+    assertEquals(1, datasetSaved.security!!.accessControlList.size)
+  }
 
-    var datasets = datasetApiService.findAllDatasets(organizationSaved.id!!, 0, 10)
+  @Test
+  fun `As viewer, I can only see my information in security property for findAllDatasets`() {
+    every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+    datasetApiService.deleteDataset(organizationSaved.id!!, datasetSaved.id!!)
+    every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+    dataset = makeDatasetWithRole(role = ROLE_VIEWER)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+
+    val datasets = datasetApiService.findAllDatasets(organizationSaved.id!!, null, null)
     datasets.forEach {
       assertEquals(
           DatasetSecurity(
               default = ROLE_NONE,
               mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
-          datasetSaved.security)
+          it.security)
+      assertEquals(1, it.security!!.accessControlList.size)
     }
+  }
+
+  @Test
+  fun `As viewer, I can only see my information in security property for searchDatasets`() {
+    every { getCurrentAccountIdentifier(any()) } returns CONNECTED_ADMIN_USER
+    datasetApiService.deleteDataset(organizationSaved.id!!, datasetSaved.id!!)
+    every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+    dataset = makeDatasetWithRole(role = ROLE_VIEWER)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
 
-    datasets =
+    val datasets =
         datasetApiService.searchDatasets(
             organizationSaved.id!!, DatasetSearch(mutableListOf("dataset")), 0, 10)
     datasets.forEach {
       assertEquals(
           DatasetSecurity(
               default = ROLE_NONE,
               mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
-          datasetSaved.security)
+          it.security)
+      assertEquals(1, it.security!!.accessControlList.size)
     }
   }
 

dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt

@@ -26,7 +26,6 @@ import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
 import com.cosmotech.api.rbac.ROLE_NONE
-import com.cosmotech.api.rbac.ROLE_VIEWER
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
 import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
@@ -168,12 +167,12 @@ class DatasetServiceImpl(
             datasetRepository.findAll(pageable).toList()
           }
     }
-    result.forEach { checkReadSecurity(it) }
+    result.forEach { it.security = updateSecurityVisibility(it).security }
     return result
   }
 
   override fun findDatasetById(organizationId: String, datasetId: String): Dataset {
-    return getVerifiedDataset(organizationId, datasetId)
+    return updateSecurityVisibility(getVerifiedDataset(organizationId, datasetId))
   }
 
   override fun removeAllDatasetCompatibilityElements(organizationId: String, datasetId: String) {
@@ -238,7 +237,7 @@ class DatasetServiceImpl(
         version = existingConnector.version
       }
     }
-    return checkReadSecurity(datasetRepository.save(createdDataset))
+    return datasetRepository.save(createdDataset)
   }
 
   override fun createSubDataset(
@@ -301,7 +300,7 @@ class DatasetServiceImpl(
             })
       }
     }
-    return checkReadSecurity(datasetSaved)
+    return datasetSaved
   }
 
   private fun checkIfGraphFunctionalityIsAvailable() {
@@ -674,7 +673,7 @@ class DatasetServiceImpl(
     organizationService.getVerifiedOrganization(organizationId)
     var dataset = datasetRepository.findBy(organizationId, datasetId).getOrNull()
     if (dataset != null) {
-      dataset = checkReadSecurity(dataset)
+      dataset = updateSecurityVisibility(dataset)
     }
     return dataset
   }
@@ -869,12 +868,15 @@ class DatasetServiceImpl(
       datasetId: String,
       workspaceId: String
   ): Dataset {
+    this.getVerifiedDataset(organizationId, datasetId, PERMISSION_WRITE)
     sendAddDatasetToWorkspaceEvent(organizationId, workspaceId, datasetId)
     return addWorkspaceToLinkedWorkspaceIdList(organizationId, datasetId, workspaceId)
   }
 
   @EventListener(AddWorkspaceToDataset::class)
   fun processEventAddWorkspace(addWorkspaceToDataset: AddWorkspaceToDataset) {
+    this.getVerifiedDataset(
+        addWorkspaceToDataset.organizationId, addWorkspaceToDataset.datasetId, PERMISSION_WRITE)
     addWorkspaceToLinkedWorkspaceIdList(
         addWorkspaceToDataset.organizationId,
         addWorkspaceToDataset.datasetId,
@@ -905,14 +907,17 @@ class DatasetServiceImpl(
       datasetId: String,
       workspaceId: String
   ): Dataset {
-
+    this.getVerifiedDataset(organizationId, datasetId, PERMISSION_WRITE)
     sendRemoveDatasetFromWorkspaceEvent(organizationId, workspaceId, datasetId)
-
     return removeWorkspaceFromLinkedWorkspaceIdList(organizationId, datasetId, workspaceId)
   }
 
   @EventListener(RemoveWorkspaceFromDataset::class)
   fun processEventRemoveWorkspace(removeWorkspaceFromDataset: RemoveWorkspaceFromDataset) {
+    this.getVerifiedDataset(
+        removeWorkspaceFromDataset.organizationId,
+        removeWorkspaceFromDataset.datasetId,
+        PERMISSION_WRITE)
     removeWorkspaceFromLinkedWorkspaceIdList(
         removeWorkspaceFromDataset.organizationId,
         removeWorkspaceFromDataset.datasetId,
@@ -1045,7 +1050,7 @@ class DatasetServiceImpl(
               .findDatasetByTags(organizationId, datasetSearch.datasetTags.toSet(), it)
               .toList()
         }
-    datasetList.forEach { checkReadSecurity(it) }
+    datasetList.forEach { it.security = updateSecurityVisibility(it).security }
     return datasetList
   }
 
@@ -1217,6 +1222,7 @@ class DatasetServiceImpl(
       }
     }
   }
+
   private fun sendTwingraphImportJobInfoRequestEvent(
       dataset: Dataset,
       organizationId: String
@@ -1276,37 +1282,31 @@ class DatasetServiceImpl(
       requiredPermission: String
   ): Dataset {
     organizationService.getVerifiedOrganization(organizationId)
-    val dataset = findBy(organizationId, datasetId)
-    csmRbac.verify(dataset.getRbac(), requiredPermission)
-    return dataset
-  }
-
-  fun findBy(organizationId: String, datasetId: String): Dataset {
-    var dataset =
+    val dataset =
         datasetRepository.findBy(organizationId, datasetId).orElseThrow {
           CsmResourceNotFoundException(
               "Dataset $datasetId not found in organization $organizationId")
         }
-    dataset = checkReadSecurity(dataset)
+    csmRbac.verify(dataset.getRbac(), requiredPermission)
     return dataset
   }
 
-  fun checkReadSecurity(dataset: Dataset): Dataset {
-    val username = getCurrentAccountIdentifier(csmPlatformProperties)
-    val retrievedAC = dataset.security!!.accessControlList.firstOrNull { it.id == username }
-    if (retrievedAC != null) {
-      if (retrievedAC.role == ROLE_VIEWER) {
+  fun updateSecurityVisibility(dataset: Dataset): Dataset {
+    if (csmRbac.check(dataset.getRbac(), PERMISSION_READ_SECURITY).not()) {
+      val username = getCurrentAccountIdentifier(csmPlatformProperties)
+      val retrievedAC = dataset.security!!.accessControlList.firstOrNull { it.id == username }
+      if (retrievedAC != null) {
         return dataset.copy(
             security =
                 DatasetSecurity(
                     default = dataset.security!!.default,
                     accessControlList = mutableListOf(retrievedAC)))
+      } else {
+        return dataset.copy(
+            security =
+                DatasetSecurity(
+                    default = dataset.security!!.default, accessControlList = mutableListOf()))
       }
-    } else if (dataset.security!!.default == ROLE_VIEWER) {
-      return dataset.copy(
-          security =
-              DatasetSecurity(
-                  default = dataset.security!!.default, accessControlList = mutableListOf()))
     }
     return dataset
   }

organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt

@@ -1059,37 +1059,32 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
     }
 
     @Test
-    fun `viewerRole has limited vision on security`() {
+    fun `As a viewer, I can only see my information in security property for findOrganizationById`() {
       val organization = makeOrganization(role = ROLE_VIEWER)
-
       var organizationSaved = organizationApiService.registerOrganization(organization)
-      assertEquals(
-          OrganizationSecurity(
-              default = ROLE_NONE,
-              mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
-          organizationSaved.security)
 
       organizationSaved = organizationApiService.findOrganizationById(organizationSaved.id!!)
       assertEquals(
           OrganizationSecurity(
               default = ROLE_NONE,
               mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
           organizationSaved.security)
+      assertEquals(1, organizationSaved.security!!.accessControlList.size)
+    }
 
-      organizationSaved = organizationApiService.getVerifiedOrganization(organizationSaved.id!!)
-      assertEquals(
-          OrganizationSecurity(
-              default = ROLE_NONE,
-              mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
-          organizationSaved.security)
+    @Test
+    fun `As a viewer, I can only see my information in security property for findAllOrganizations`() {
+      val organization = makeOrganization(role = ROLE_VIEWER)
+      organizationApiService.registerOrganization(organization)
 
-      var organizations = organizationApiService.findAllOrganizations(0, 10)
+      val organizations = organizationApiService.findAllOrganizations(null, null)
       organizations.forEach {
         assertEquals(
             OrganizationSecurity(
                 default = ROLE_NONE,
                 mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
-            organizationSaved.security)
+            it.security)
+        assertEquals(1, it.security!!.accessControlList.size)
       }
     }
   }

organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt

@@ -13,7 +13,6 @@ import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
 import com.cosmotech.api.rbac.ROLE_NONE
-import com.cosmotech.api.rbac.ROLE_VIEWER
 import com.cosmotech.api.rbac.getAllRolesDefinition
 import com.cosmotech.api.rbac.getCommonRolesDefinition
 import com.cosmotech.api.rbac.model.RbacAccessControl
@@ -68,12 +67,12 @@ class OrganizationServiceImpl(
             organizationRepository.findAll(pageable).toList()
           }
     }
-    result.forEach { checkReadSecurity(it) }
+    result.forEach { it.security = updateSecurityVisibility(it).security }
     return result
   }
 
   override fun findOrganizationById(organizationId: String): Organization {
-    return getVerifiedOrganization(organizationId, PERMISSION_READ)
+    return updateSecurityVisibility(getVerifiedOrganization(organizationId, PERMISSION_READ))
   }
 
   override fun registerOrganization(organization: Organization): Organization {
@@ -89,7 +88,7 @@ class OrganizationServiceImpl(
             ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties))
     createdOrganization.setRbac(csmRbac.initSecurity(organization.getRbac()))
 
-    return checkReadSecurity(organizationRepository.save(createdOrganization))
+    return organizationRepository.save(createdOrganization)
   }
 
   override fun unregisterOrganization(organizationId: String) {
@@ -117,9 +116,9 @@ class OrganizationServiceImpl(
     }
 
     return if (hasChanged) {
-      checkReadSecurity(organizationRepository.save(existingOrganization))
+      organizationRepository.save(existingOrganization)
     } else {
-      checkReadSecurity(existingOrganization)
+      existingOrganization
     }
   }
 
@@ -217,7 +216,7 @@ class OrganizationServiceImpl(
         organizationRepository.findByIdOrNull(organizationId)
             ?: throw CsmResourceNotFoundException("Organization $organizationId does not exist!")
     csmRbac.verify(organization.getRbac(), requiredPermission)
-    return checkReadSecurity(organization)
+    return organization
   }
 
   override fun getVerifiedOrganization(
@@ -229,22 +228,22 @@ class OrganizationServiceImpl(
     return organization
   }
 
-  fun checkReadSecurity(organization: Organization): Organization {
-    val username = getCurrentAccountIdentifier(csmPlatformProperties)
-    val retrievedAC = organization.security!!.accessControlList.firstOrNull { it.id == username }
-    if (retrievedAC != null) {
-      if (retrievedAC.role == ROLE_VIEWER) {
-        return organization.copy(
+  fun updateSecurityVisibility(organization: Organization): Organization {
+    if (csmRbac.check(organization.getRbac(), PERMISSION_READ_SECURITY).not()) {
+      val username = getCurrentAccountIdentifier(csmPlatformProperties)
+      val retrievedAC = organization.security!!.accessControlList.firstOrNull { it.id == username }
+      return if (retrievedAC != null) {
+        organization.copy(
             security =
                 OrganizationSecurity(
                     default = organization.security!!.default,
                     accessControlList = mutableListOf(retrievedAC)))
+      } else {
+        organization.copy(
+            security =
+                OrganizationSecurity(
+                    default = organization.security!!.default, accessControlList = mutableListOf()))
       }
-    } else if (organization.security!!.default == ROLE_VIEWER) {
-      return organization.copy(
-          security =
-              OrganizationSecurity(
-                  default = organization.security!!.default, accessControlList = mutableListOf()))
     }
     return organization
   }