[PROD-13443] Make sure to have an admin when creating a resource

Author: sjoubert

dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt

@@ -24,7 +24,6 @@ import com.cosmotech.api.rbac.PERMISSION_DELETE
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
@@ -184,21 +183,7 @@ class DatasetServiceImpl(
     val existingConnector = connectorService.findConnectorById(dataset.connector!!.id!!)
     logger.debug("Found connector: {}", existingConnector)
 
-    var datasetSecurity = dataset.security
-    if (datasetSecurity == null) {
-      datasetSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
-    } else {
-      val accessControls = mutableListOf<String>()
-      datasetSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
-
-    val datasetCopy =
+    val createdDataset =
         dataset.copy(
             id = idGenerator.generate("dataset"),
             twingraphId = twingraphId,
@@ -209,13 +194,14 @@ class DatasetServiceImpl(
             ingestionStatus = IngestionStatusEnum.NONE,
             twincacheStatus = TwincacheStatusEnum.EMPTY,
             ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
-            organizationId = organizationId,
-            security = datasetSecurity)
-    datasetCopy.connector!!.apply {
+            organizationId = organizationId)
+    createdDataset.setRbac(csmRbac.initSecurity(dataset.getRbac()))
+    createdDataset.connector!!.apply {
       name = existingConnector.name
       version = existingConnector.version
     }
-    return datasetRepository.save(datasetCopy)
+
+    return datasetRepository.save(createdDataset)
   }
 
   override fun createSubDataset(
@@ -1241,12 +1227,6 @@ class DatasetServiceImpl(
   }
 }
 
-private fun initSecurity(userId: String): DatasetSecurity {
-  return DatasetSecurity(
-      default = ROLE_NONE,
-      accessControlList = mutableListOf(DatasetAccessControl(userId, ROLE_ADMIN)))
-}
-
 fun Dataset.getRbac(): RbacSecurity {
   return RbacSecurity(
       this.id,

organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt

@@ -120,8 +120,10 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
 
     @Test
     fun `findAllOrganizations with correct values and RBAC for current user`() {
-
+      runAsDifferentOrganizationUser()
       val numberOfOrganizationCreated = createOrganizationsWithAllCombinationOfRole(TEST_USER_ID)
+
+      runAsOrganizationUser()
       // This number represents the amount of Organization that test.user can read regarding RBAC
       // This is typically all simple combinations except "securityRole to none"
       // We have 36 combinations per user in batchOrganizationCreationWithRBAC
@@ -131,9 +133,11 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
 
     @Test
     fun `findAllOrganizations with correct values and no RBAC for current user`() {
-
+      runAsDifferentOrganizationUser()
       val numberOfOrganizationCreated =
           createOrganizationsWithAllCombinationOfRole(OTHER_TEST_USER_ID)
+
+      runAsOrganizationUser()
       // This number represents the amount of Organization that test.user can read regarding RBAC
       // We have 36 combinations per user in batchOrganizationCreationWithRBAC
       // securityRole does not refer to test.user
@@ -224,7 +228,8 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
             OrganizationSecurity(
                 default = ROLE_USER,
                 mutableListOf(
-                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE))),
+                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE),
+                    OrganizationAccessControl(id = TEST_USER_ID, role = ROLE_ADMIN))),
             organizationRegistered.security)
         assertEquals(name, organizationRegistered.name)
         assertTrue(organizationRegistered.id!!.startsWith("o-"))
@@ -254,7 +259,8 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       assertThrows<CsmAccessForbiddenException> {
         val name = "o-connector-test-1"
         val organizationToRegister =
-            createTestOrganizationWithSimpleSecurity(name, OTHER_TEST_USER_ID, ROLE_USER, ROLE_NONE)
+            createTestOrganizationWithSimpleSecurity(
+                name, OTHER_TEST_USER_ID, ROLE_USER, ROLE_ADMIN)
         val organizationRegistered =
             organizationApiService.registerOrganization(organizationToRegister)
         organizationApiService.unregisterOrganization(organizationRegistered.id!!)
@@ -1268,7 +1274,7 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       runAsOrganizationUser()
       val orgaUsers =
           organizationApiService.getOrganizationSecurityUsers(organizationRegistered.id!!)
-      assertEquals(listOf(TEST_USER_ID), orgaUsers)
+      assertEquals(listOf(TEST_USER_ID, OTHER_TEST_USER_ID), orgaUsers)
     }
 
     @Test
@@ -1418,7 +1424,8 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
             OrganizationSecurity(
                 default = ROLE_USER,
                 mutableListOf(
-                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE))),
+                    OrganizationAccessControl(id = OTHER_TEST_USER_ID, role = ROLE_NONE),
+                    OrganizationAccessControl(id = TEST_ADMIN_USER_ID, role = ROLE_ADMIN))),
             organizationRegistered.security)
         assertEquals(name, organizationRegistered.name)
         assertTrue(organizationRegistered.id!!.startsWith("o-"))
@@ -2557,7 +2564,7 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       runAsPlatformAdmin()
       val orgaUsers =
           organizationApiService.getOrganizationSecurityUsers(organizationRegistered.id!!)
-      assertEquals(listOf(TEST_USER_ID), orgaUsers)
+      assertEquals(listOf(TEST_USER_ID, OTHER_TEST_USER_ID), orgaUsers)
     }
 
     @Test
@@ -2570,7 +2577,7 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
       runAsPlatformAdmin()
       val orgaUsers =
           organizationApiService.getOrganizationSecurityUsers(organizationRegistered.id!!)
-      assertEquals(listOf(TEST_USER_ID), orgaUsers)
+      assertEquals(listOf(TEST_USER_ID, OTHER_TEST_USER_ID), orgaUsers)
     }
 
     @Test

organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt

@@ -12,7 +12,6 @@ import com.cosmotech.api.rbac.PERMISSION_READ
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.getAllRolesDefinition
 import com.cosmotech.api.rbac.getCommonRolesDefinition
@@ -80,33 +79,19 @@ class OrganizationServiceImpl(
   }
 
   override fun registerOrganization(organization: Organization): Organization {
-    logger.trace("Registering organization : {}", organization)
+    logger.trace("Registering organization: {}", organization)
 
     if (organization.name.isNullOrBlank()) {
       throw IllegalArgumentException("Organization name must not be null or blank")
     }
 
-    val newOrganizationId = idGenerator.generate("organization")
-    var organizationSecurity = organization.security
-    if (organizationSecurity == null) {
-      val currentUser = getCurrentAccountIdentifier(this.csmPlatformProperties)
-      organizationSecurity = initSecurity(currentUser)
-    } else {
-      val accessControls = mutableListOf<String>()
-      organizationSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
-
-    return organizationRepository.save(
+    val createdOrganization =
         organization.copy(
-            id = newOrganizationId,
-            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
-            security = organizationSecurity))
+            id = idGenerator.generate("organization"),
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties))
+    createdOrganization.setRbac(csmRbac.initSecurity(organization.getRbac()))
+
+    return organizationRepository.save(createdOrganization)
   }
 
   override fun unregisterOrganization(organizationId: String) {
@@ -313,12 +298,6 @@ class OrganizationServiceImpl(
 
     return existingOrganizationService
   }
-
-  private fun initSecurity(userId: String): OrganizationSecurity {
-    return OrganizationSecurity(
-        default = ROLE_NONE,
-        accessControlList = mutableListOf(OrganizationAccessControl(userId, ROLE_ADMIN)))
-  }
 }
 
 fun Organization.getRbac(): RbacSecurity {

runner/src/main/kotlin/com/cosmotech/runner/service/RunnerApiServiceImpl.kt

@@ -36,12 +36,7 @@ internal class RunnerApiServiceImpl(
             .inWorkspace(workspaceId)
             .userHasPermissionOnWorkspace(PERMISSION_CREATE_CHILDREN)
     val runnerInstance =
-        runnerService
-            .getNewInstance()
-            .setValueFrom(runner)
-            .initSecurity()
-            .initParameters()
-            .setSecurityFrom(runner)
+        runnerService.getNewInstance().setValueFrom(runner).initSecurity(runner).initParameters()
 
     return runnerService.saveInstance(runnerInstance)
   }

runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt

@@ -11,7 +11,6 @@ import com.cosmotech.api.exceptions.CsmClientException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
 import com.cosmotech.api.rbac.CsmRbac
 import com.cosmotech.api.rbac.PERMISSION_READ
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.ROLE_USER
 import com.cosmotech.api.rbac.ROLE_VALIDATOR
@@ -201,21 +200,13 @@ class RunnerService(
           }
     }
 
-    fun setSecurityFrom(runner: Runner): RunnerInstance = apply {
-      val rbacSecurity = extractRbacSecurity(runner) ?: return@apply
-      this.setRbacSecurity(rbacSecurity)
-    }
-
     fun setLastRunId(runInfo: String) {
       this.runner.lastRunId = runInfo
     }
 
-    fun initSecurity(): RunnerInstance = apply {
-      val userId = getCurrentAccountIdentifier(csmPlatformProperties)
-      this.runner.security =
-          RunnerSecurity(
-              default = ROLE_NONE,
-              accessControlList = mutableListOf(RunnerAccessControl(userId, ROLE_ADMIN)))
+    fun initSecurity(runner: Runner): RunnerInstance = apply {
+      val rbacSecurity = csmRbac.initSecurity(extractRbacSecurity(runner))
+      setRbacSecurity(rbacSecurity)
     }
 
     fun initParameters(): RunnerInstance = apply {
@@ -281,7 +272,7 @@ class RunnerService(
     }
 
     private fun getRbacSecurity(): RbacSecurity {
-      return extractRbacSecurity(this.runner)!!
+      return extractRbacSecurity(this.runner)
     }
 
     private fun setRbacSecurity(rbacSecurity: RbacSecurity) {
@@ -294,10 +285,7 @@ class RunnerService(
                   .toMutableList())
     }
 
-    private fun extractRbacSecurity(runner: Runner): RbacSecurity? {
-      if (runner.security == null) {
-        return null
-      }
+    private fun extractRbacSecurity(runner: Runner): RbacSecurity {
       return RbacSecurity(
           runner.id,
           runner.security?.default ?: ROLE_NONE,

scenario/src/main/kotlin/com/cosmotech/scenario/service/ScenarioServiceImpl.kt

@@ -27,8 +27,6 @@ import com.cosmotech.api.rbac.PERMISSION_DELETE
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
-import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.ROLE_USER
 import com.cosmotech.api.rbac.ROLE_VALIDATOR
 import com.cosmotech.api.rbac.ROLE_VIEWER
@@ -170,20 +168,6 @@ internal class ScenarioServiceImpl(
           parentId, solution, runTemplate, parent, scenario, newParametersValuesList)
     }
 
-    var scenarioSecurity = scenario.security
-    if (scenarioSecurity == null) {
-      scenarioSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
-    } else {
-      val accessControls = mutableListOf<String>()
-      scenarioSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
-
     if (workspace.datasetCopy == true) {
       datasetList =
           datasetList
@@ -221,8 +205,8 @@ internal class ScenarioServiceImpl(
             datasetList = datasetList,
             rootId = rootId,
             parametersValues = newParametersValuesList,
-            validationStatus = ScenarioValidationStatus.Draft,
-            security = scenarioSecurity)
+            validationStatus = ScenarioValidationStatus.Draft)
+    scenarioToSave.setRbac(csmRbac.initSecurity(scenario.getRbac()))
 
     scenarioRepository.save(scenarioToSave)
 
@@ -1137,12 +1121,6 @@ internal class ScenarioServiceImpl(
     return scenario
   }
 
-  private fun initSecurity(userId: String): ScenarioSecurity {
-    return ScenarioSecurity(
-        default = ROLE_NONE,
-        accessControlList = mutableListOf(ScenarioAccessControl(userId, ROLE_ADMIN)))
-  }
-
   internal fun checkInternalResultDataServiceConfiguration() {
     if (csmPlatformProperties.internalResultServices?.enabled == true) {
       throw NotImplementedException(notImplementedExceptionMessage)

solution/src/main/kotlin/com/cosmotech/solution/service/SolutionServiceImpl.kt

@@ -15,7 +15,6 @@ import com.cosmotech.api.rbac.PERMISSION_DELETE
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
-import com.cosmotech.api.rbac.ROLE_ADMIN
 import com.cosmotech.api.rbac.ROLE_NONE
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
@@ -204,26 +203,15 @@ class SolutionServiceImpl(
 
   override fun createSolution(organizationId: String, solution: Solution): Solution {
     organizationApiService.getVerifiedOrganization(organizationId, PERMISSION_CREATE_CHILDREN)
-    var solutionSecurity = solution.security
-    if (solutionSecurity == null) {
-      solutionSecurity = initSecurity(getCurrentAccountIdentifier(this.csmPlatformProperties))
-    } else {
-      val accessControls = mutableListOf<String>()
-      solutionSecurity.accessControlList.forEach {
-        if (!accessControls.contains(it.id)) {
-          accessControls.add(it.id)
-        } else {
-          throw IllegalArgumentException("User $it is referenced multiple times in the security")
-        }
-      }
-    }
 
-    return solutionRepository.save(
+    val createdSolution =
         solution.copy(
             id = idGenerator.generate("solution", prependPrefix = "sol-"),
             organizationId = organizationId,
-            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties),
-            security = solutionSecurity))
+            ownerId = getCurrentAuthenticatedUserName(csmPlatformProperties))
+    createdSolution.setRbac(csmRbac.initSecurity(solution.getRbac()))
+
+    return solutionRepository.save(createdSolution)
   }
 
   override fun deleteSolution(organizationId: String, solutionId: String) {
@@ -520,12 +508,6 @@ fun Solution.getRbac(): RbacSecurity {
           ?: mutableListOf())
 }
 
-private fun initSecurity(userId: String): SolutionSecurity {
-  return SolutionSecurity(
-      default = ROLE_NONE,
-      accessControlList = mutableListOf(SolutionAccessControl(userId, ROLE_ADMIN)))
-}
-
 fun Solution.setRbac(rbacSecurity: RbacSecurity) {
   this.security =
       SolutionSecurity(