Fix [SDCOSMO-2543]: getVerifiedWorkspace is now based on organizationId

jreynard-code · jreynard-code · commit 8838c3b8fb1a · 2025-03-07T17:25:21.000+01:00
diff --git a/workspace/src/integrationTest/kotlin/com/cosmotech/worskpace/service/WorkspaceServiceIntegrationTest.kt b/workspace/src/integrationTest/kotlin/com/cosmotech/worskpace/service/WorkspaceServiceIntegrationTest.kt
@@ -49,6 +49,7 @@ import kotlin.test.assertNull
 import kotlin.test.assertTrue
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertDoesNotThrow
 import org.junit.jupiter.api.assertThrows
 import org.junit.jupiter.api.extension.ExtendWith
 import org.junit.runner.RunWith
@@ -500,6 +501,28 @@ class WorkspaceServiceIntegrationTest : CsmRedisTestBase() {
     }
   }
 
+  @Test
+  fun `SDCOSMO-2543 - test workspace is not accessible from another organization`() {
+    val workspace = makeWorkspace()
+    workspaceSaved = workspaceApiService.createWorkspace(organizationSaved.id!!, workspace)
+
+    val anotherOrganization = makeOrganization("Another Organization")
+    val anotherOrganizationSaved = organizationApiService.registerOrganization(anotherOrganization)
+
+    assertDoesNotThrow {
+      workspaceApiService.findWorkspaceById(organizationSaved.id!!, workspaceSaved.id!!)
+    }
+
+    val exception =
+        assertThrows<CsmResourceNotFoundException> {
+          workspaceApiService.findWorkspaceById(anotherOrganizationSaved.id!!, workspaceSaved.id!!)
+        }
+
+    assertEquals(
+        "Workspace ${workspaceSaved.id} not found in organization ${anotherOrganizationSaved.id}",
+        exception.message)
+  }
+
   fun makeOrganization(
       id: String,
       userName: String = CONNECTED_ADMIN_USER,
diff --git a/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt b/workspace/src/main/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImpl.kt
@@ -57,7 +57,6 @@ import org.springframework.context.annotation.Scope
 import org.springframework.context.event.EventListener
 import org.springframework.core.io.Resource
 import org.springframework.data.domain.Pageable
-import org.springframework.data.repository.findByIdOrNull
 import org.springframework.scheduling.annotation.Async
 import org.springframework.stereotype.Service
 
@@ -458,8 +457,10 @@ internal class WorkspaceServiceImpl(
   ): Workspace {
     organizationService.getVerifiedOrganization(organizationId)
     val workspace =
-        workspaceRepository.findByIdOrNull(workspaceId)
-            ?: throw CsmResourceNotFoundException("Workspace $workspaceId does not exist!")
+        workspaceRepository.findBy(organizationId, workspaceId).orElseThrow {
+          CsmResourceNotFoundException(
+              "Workspace $workspaceId not found in organization $organizationId")
+        }
     csmRbac.verify(workspace.getRbac(), requiredPermission)
     return workspace
   }
diff --git a/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt b/workspace/src/test/kotlin/com/cosmotech/workspace/service/WorkspaceServiceImplTests.kt
@@ -141,7 +141,7 @@ class WorkspaceServiceImplTests {
     every { workspace.id } returns WORKSPACE_ID
     every { workspace.name } returns "test workspace"
     every { workspace.security } returns WorkspaceSecurity(ROLE_ADMIN, mutableListOf())
-    every { workspaceRepository.findByIdOrNull(any()) } returns workspace
+    every { workspaceRepository.findBy(any(), any()) } returns Optional.of(workspace)
 
     val file = mockk<Resource>(relaxed = true)
     every { file.filename } returns "my_file.txt"
@@ -173,7 +173,7 @@ class WorkspaceServiceImplTests {
     every { workspace.security } returns WorkspaceSecurity(ROLE_ADMIN, mutableListOf())
     every { organizationService.getVerifiedOrganization(ORGANIZATION_ID) } returns
         mockk<Organization>()
-    every { workspaceRepository.findByIdOrNull(any()) } returns workspace
+    every { workspaceRepository.findBy(any(), any()) } returns Optional.of(workspace)
 
     val file = mockk<Resource>(relaxed = true)
     every { file.filename } returns "my_file.txt"
@@ -203,7 +203,7 @@ class WorkspaceServiceImplTests {
     every { workspace.id } returns WORKSPACE_ID
     every { workspace.name } returns "test workspace"
     every { workspace.security } returns WorkspaceSecurity(ROLE_ADMIN, mutableListOf())
-    every { workspaceRepository.findByIdOrNull(any()) } returns workspace
+    every { workspaceRepository.findBy(any(), any()) } returns Optional.of(workspace)
 
     val file = mockk<Resource>(relaxed = true)
     every { file.filename } returns "my_file.txt"
@@ -235,7 +235,7 @@ class WorkspaceServiceImplTests {
     every { workspace.id } returns WORKSPACE_ID
     every { workspace.name } returns "test workspace"
     every { workspace.security } returns WorkspaceSecurity(ROLE_ADMIN, mutableListOf())
-    every { workspaceRepository.findByIdOrNull(any()) } returns workspace
+    every { workspaceRepository.findBy(any(), any()) } returns Optional.of(workspace)
 
     val file = mockk<Resource>(relaxed = true)
     every { file.filename } returns "my_file.txt"
@@ -267,7 +267,7 @@ class WorkspaceServiceImplTests {
     every { workspace.id } returns WORKSPACE_ID
     every { workspace.name } returns "test workspace"
     every { workspace.security } returns WorkspaceSecurity(ROLE_ADMIN, mutableListOf())
-    every { workspaceRepository.findByIdOrNull(any()) } returns workspace
+    every { workspaceRepository.findBy(any(), any()) } returns Optional.of(workspace)
 
     val file = mockk<Resource>(relaxed = true)
     every { file.filename } returns "my_file.txt"
@@ -356,7 +356,7 @@ class WorkspaceServiceImplTests {
             name = "my workspace name",
             solution = WorkspaceSolution(solutionId = "SOL-my-solution-id"),
             security = WorkspaceSecurity(ROLE_ADMIN, mutableListOf()))
-    every { workspaceRepository.findByIdOrNull(WORKSPACE_ID) } returns workspace
+    every { workspaceRepository.findBy(any(), WORKSPACE_ID) } returns Optional.of(workspace)
     every { solutionService.findSolutionById(ORGANIZATION_ID, any()) } throws
         CsmResourceNotFoundException("Solution not found")
     assertThrows<CsmResourceNotFoundException> {
@@ -383,7 +383,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC read workspace: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               workspaceServiceImpl.getVerifiedWorkspace(it.organization.id!!, it.workspace.id!!)
             }
           }
@@ -420,7 +420,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC delete all workspace files: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               workspaceServiceImpl.deleteAllWorkspaceFiles(it.organization.id!!, it.workspace.id!!)
             }
           }
@@ -437,7 +437,7 @@ class WorkspaceServiceImplTests {
           .map { (role, shouldThrow) ->
             rbacTest("test RBAC update workspace: $role", role, shouldThrow) {
               every { solutionService.findSolutionById(any(), any()) } returns it.solution
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { workspaceRepository.save(any()) } returns it.workspace
               workspaceServiceImpl.updateWorkspace(
                   it.organization.id!!, it.workspace.id!!, it.workspace)
@@ -455,7 +455,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC delete workspace: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { secretManager.deleteSecret(any(), any()) } returns Unit
               workspaceServiceImpl.deleteWorkspace(it.organization.id!!, it.workspace.id!!)
             }
@@ -472,7 +472,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC delete workspace file: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every {
                 azureStorageBlobServiceClient
                     .getBlobContainerClient(any())
@@ -494,7 +494,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC download workspace file: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { azureStorageBlobProtocolResolver.getResource(any()) } returns mockk()
               workspaceServiceImpl.downloadWorkspaceFile(
                   it.organization.id!!, it.workspace.id!!, "")
@@ -512,7 +512,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC upload workspace file: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { resource.filename } returns "name"
               every {
                 azureStorageBlobServiceClient
@@ -538,7 +538,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC findAllWorkspaceFiles: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { azureStorageBlobServiceClient.getBlobContainerClient(any()) } returns mockk()
               every { azureStorageBlobProtocolResolver.getResources(any()) } returns arrayOf()
               workspaceServiceImpl.findAllWorkspaceFiles(it.organization.id!!, it.workspace.id!!)
@@ -556,7 +556,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC get workspace security: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               workspaceServiceImpl.getWorkspaceSecurity(it.organization.id!!, it.workspace.id!!)
             }
           }
@@ -572,7 +572,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("Test RBAC set workspace default security: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { workspaceRepository.save(any()) } returns it.workspace
               workspaceServiceImpl.setWorkspaceDefaultSecurity(
                   it.organization.id!!, it.workspace.id!!, WorkspaceRole(ROLE_NONE))
@@ -590,7 +590,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("test RBAC get workspace access control: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               workspaceServiceImpl.getWorkspaceAccessControl(
                   it.organization.id!!, it.workspace.id!!, CONNECTED_DEFAULT_USER)
             }
@@ -608,7 +608,7 @@ class WorkspaceServiceImplTests {
           .map { (role, shouldThrow) ->
             rbacTest("test RBAC add workspace access control: $role", role, shouldThrow) {
               every { workspaceRepository.save(any()) } returns it.workspace
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               workspaceServiceImpl.addWorkspaceAccessControl(
                   it.organization.id!!,
                   it.workspace.id!!,
@@ -627,7 +627,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("test RBAC update workspace access control: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { workspaceRepository.save(any()) } returns it.workspace
               workspaceServiceImpl.updateWorkspaceAccessControl(
                   it.organization.id!!,
@@ -648,7 +648,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("test RBAC remove workspace access control: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { workspaceRepository.save(any()) } returns it.workspace
               workspaceServiceImpl.removeWorkspaceAccessControl(
                   it.organization.id!!, it.workspace.id!!, "2$CONNECTED_DEFAULT_USER")
@@ -665,7 +665,7 @@ class WorkspaceServiceImplTests {
               ROLE_NONE to true)
           .map { (role, shouldThrow) ->
             rbacTest("test RBAC get workspace security users: $role", role, shouldThrow) {
-              every { workspaceRepository.findByIdOrNull(any()) } returns it.workspace
+              every { workspaceRepository.findBy(any(), any()) } returns Optional.of(it.workspace)
               every { workspaceRepository.save(any()) } returns it.workspace
               workspaceServiceImpl.getWorkspaceSecurityUsers(
                   it.organization.id!!, it.workspace.id!!)
