[PROD-13730] Add pre-condition checks for add/update runner ACL

sjoubert · sjoubert · commit c946d0467389 · 2024-08-09T11:09:05.000+02:00
diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt
@@ -36,6 +36,7 @@ import com.cosmotech.organization.domain.OrganizationAccessControl
 import com.cosmotech.organization.domain.OrganizationSecurity
 import com.cosmotech.runner.RunnerApiServiceInterface
 import com.cosmotech.runner.domain.*
+import com.cosmotech.runner.domain.RunnerRole
 import com.cosmotech.solution.api.SolutionApiService
 import com.cosmotech.solution.domain.*
 import com.cosmotech.workspace.api.WorkspaceApiService
@@ -524,7 +525,7 @@ class RunnerServiceIntegrationTest : CsmRedisTestBase() {
   }
 
   @Test
-  fun `access control list shouldn't contain more than one time each user on ACL addition`() {
+  fun `access control list can't add an existing user`() {
     organizationSaved =
         organizationApiService.registerOrganization(makeOrganization("organization"))
     solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, makeSolution())
@@ -538,11 +539,44 @@ class RunnerServiceIntegrationTest : CsmRedisTestBase() {
             organizationSaved.id!!, workspaceSaved.id!!, runnerSaved.id!!)
     assertEquals(2, runnerSavedSecurityUsers.size)
 
-    runnerApiService.addRunnerAccessControl(
-        organizationSaved.id!!,
-        workspaceSaved.id!!,
-        runnerSaved.id!!,
-        RunnerAccessControl(defaultName, ROLE_EDITOR))
+    assertThrows<IllegalArgumentException> {
+      runnerApiService.addRunnerAccessControl(
+          organizationSaved.id!!,
+          workspaceSaved.id!!,
+          runnerSaved.id!!,
+          RunnerAccessControl(defaultName, ROLE_EDITOR))
+    }
+
+    val runnerSecurityUsers =
+        runnerApiService.getRunnerSecurityUsers(
+            organizationSaved.id!!, workspaceSaved.id!!, runnerSaved.id!!)
+    assertEquals(2, runnerSecurityUsers.size)
+    assert(runnerSavedSecurityUsers == runnerSecurityUsers)
+  }
+
+  @Test
+  fun `access control list can't update a non-existing user`() {
+    organizationSaved =
+        organizationApiService.registerOrganization(makeOrganization("organization"))
+    solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, makeSolution())
+    workspaceSaved = workspaceApiService.createWorkspace(organizationSaved.id!!, makeWorkspace())
+    val workingRunner = makeRunner()
+    runnerSaved =
+        runnerApiService.createRunner(organizationSaved.id!!, workspaceSaved.id!!, workingRunner)
+
+    val runnerSavedSecurityUsers =
+        runnerApiService.getRunnerSecurityUsers(
+            organizationSaved.id!!, workspaceSaved.id!!, runnerSaved.id!!)
+    assertEquals(2, runnerSavedSecurityUsers.size)
+
+    assertThrows<CsmResourceNotFoundException> {
+      runnerApiService.updateRunnerAccessControl(
+          organizationSaved.id!!,
+          workspaceSaved.id!!,
+          runnerSaved.id!!,
+          "invalid user",
+          RunnerRole(ROLE_VIEWER))
+    }
 
     val runnerSecurityUsers =
         runnerApiService.getRunnerSecurityUsers(
diff --git a/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerApiServiceImpl.kt b/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerApiServiceImpl.kt
@@ -114,6 +114,11 @@ internal class RunnerApiServiceImpl(
     val runnerInstance =
         runnerService.getInstance(runnerId).userHasPermission(PERMISSION_WRITE_SECURITY)
 
+    val users = getRunnerSecurityUsers(organizationId, workspaceId, runnerId)
+    if (users.contains(runnerAccessControl.id)) {
+      throw IllegalArgumentException("User is already in this Runner security")
+    }
+
     runnerInstance.setAccessControl(runnerAccessControl)
     runnerService.saveInstance(runnerInstance)
 
@@ -143,6 +148,7 @@ internal class RunnerApiServiceImpl(
     val runnerService = getRunnerService().inOrganization(organizationId).inWorkspace(workspaceId)
     val runnerInstance =
         runnerService.getInstance(runnerId).userHasPermission(PERMISSION_WRITE_SECURITY)
+    runnerInstance.checkUserExists(identityId)
 
     val runnerAccessControl = RunnerAccessControl(identityId, runnerRole.role)
     runnerInstance.setAccessControl(runnerAccessControl)
diff --git a/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt b/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt
@@ -264,6 +264,11 @@ class RunnerService(
       this.removeAccessControlToDatasets(userId)
     }
 
+    fun checkUserExists(userId: String) {
+      csmRbac.checkUserExists(
+          runner.getRbac(), userId, "User '$userId' not found in runner ${runner.id}")
+    }
+
     private fun getRbacSecurity(): RbacSecurity {
       return extractRbacSecurity(this.runner)!!
     }

Original file line number	Diff line number	Diff line change
`@@ -264,6 +264,11 @@ class RunnerService(`
`264`	`264`	`this.removeAccessControlToDatasets(userId)`
`265`	`265`	`}`
`266`	`266`
	`267`	`+ fun checkUserExists(userId: String) {`
	`268`	`+ csmRbac.checkUserExists(`
	`269`	`+ runner.getRbac(), userId, "User '$userId' not found in runner ${runner.id}")`
	`270`	`+ }`
	`271`	`+`
`267`	`272`	`private fun getRbacSecurity(): RbacSecurity {`
`268`	`273`	`return extractRbacSecurity(this.runner)!!`
`269`	`274`	`}`