add tests

Author: Leopold-Cramer

dataset/src/integrationTest/kotlin/com/cosmotech/dataset/service/DatasetServiceIntegrationTest.kt

@@ -977,6 +977,73 @@ class DatasetServiceIntegrationTest : CsmRedisTestBase() {
     assertEquals(dataset1.connector!!.id, dataset2.connector!!.id)
   }
 
+  @Test
+  fun `viewerRole has limited vision on security`() {
+    dataset = makeDatasetWithRole(role = ROLE_VIEWER)
+
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+    assertEquals(
+        DatasetSecurity(
+            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        datasetSaved.security)
+
+    datasetSaved = datasetApiService.findDatasetById(organizationSaved.id!!, datasetSaved.id!!)
+    assertEquals(
+        DatasetSecurity(
+            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        datasetSaved.security)
+
+    datasetSaved = datasetApiService.getVerifiedDataset(organizationSaved.id!!, datasetSaved.id!!)
+    assertEquals(
+        DatasetSecurity(
+            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        datasetSaved.security)
+
+    datasetSaved =
+        datasetApiService.linkWorkspace(
+            organizationSaved.id!!, datasetSaved.id!!, workspaceSaved.id!!)
+    assertEquals(
+        DatasetSecurity(
+            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        datasetSaved.security)
+
+    datasetSaved =
+        datasetApiService.unlinkWorkspace(
+            organizationSaved.id!!, datasetSaved.id!!, workspaceSaved.id!!)
+    assertEquals(
+        DatasetSecurity(
+            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        datasetSaved.security)
+
+    datasetSaved =
+        datasetApiService.findByOrganizationIdAndDatasetId(
+            organizationSaved.id!!, datasetSaved.id!!)!!
+    assertEquals(
+        DatasetSecurity(
+            default = ROLE_NONE, mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        datasetSaved.security)
+
+    var datasets = datasetApiService.findAllDatasets(organizationSaved.id!!, 0, 10)
+    datasets.forEach {
+      assertEquals(
+          DatasetSecurity(
+              default = ROLE_NONE,
+              mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+          datasetSaved.security)
+    }
+
+    datasets =
+        datasetApiService.searchDatasets(
+            organizationSaved.id!!, DatasetSearch(mutableListOf("dataset")), 0, 10)
+    datasets.forEach {
+      assertEquals(
+          DatasetSecurity(
+              default = ROLE_NONE,
+              mutableListOf(DatasetAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+          datasetSaved.security)
+    }
+  }
+
   fun makeConnector(): Connector {
     return Connector(
         key = "connector",

dataset/src/main/kotlin/com/cosmotech/dataset/service/DatasetServiceImpl.kt

@@ -26,6 +26,7 @@ import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
 import com.cosmotech.api.rbac.ROLE_NONE
+import com.cosmotech.api.rbac.ROLE_VIEWER
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
 import com.cosmotech.api.security.ROLE_PLATFORM_ADMIN
@@ -81,6 +82,7 @@ import com.google.gson.reflect.TypeToken
 import java.io.InputStream
 import java.nio.charset.StandardCharsets
 import java.time.Instant
+import kotlin.jvm.optionals.getOrNull
 import kotlinx.coroutines.GlobalScope
 import kotlinx.coroutines.launch
 import org.apache.commons.compress.archivers.ArchiveStreamFactory
@@ -678,7 +680,11 @@ class DatasetServiceImpl(
       datasetId: String
   ): Dataset? {
     organizationService.getVerifiedOrganization(organizationId)
-    return findBy(organizationId, datasetId)
+    var dataset = datasetRepository.findBy(organizationId, datasetId).getOrNull()
+    if (dataset != null) {
+      dataset = checkReadSecurity(dataset)
+    }
+    return dataset
   }
 
   override fun addOrUpdateAccessControl(
@@ -1047,7 +1053,6 @@ class DatasetServiceImpl(
               .findDatasetByTags(organizationId, datasetSearch.datasetTags.toSet(), it)
               .toList()
         }
-    val currentUser = getCurrentAuthenticatedUserName(csmPlatformProperties)
     datasetList.forEach { checkReadSecurity(it) }
     return datasetList
   }
@@ -1295,16 +1300,27 @@ class DatasetServiceImpl(
   }
 
   fun checkReadSecurity(dataset: Dataset): Dataset {
-    val username = getCurrentAuthenticatedUserName(csmPlatformProperties)
+    var safeDataset = dataset
+    val username = getCurrentAccountIdentifier(csmPlatformProperties)
     var userAC = DatasetAccessControl("", "")
     val retrievedAC = dataset.security!!.accessControlList.filter { it.id == username }
-    if (retrievedAC.isNotEmpty()) userAC = retrievedAC[0]
-    val safeDataset =
-        dataset.copy(
-            security =
-                DatasetSecurity(
-                    default = dataset.security!!.default,
-                    accessControlList = mutableListOf(userAC)))
+    if (retrievedAC.isNotEmpty()) {
+      userAC = retrievedAC[0]
+      if (userAC.role == ROLE_VIEWER) {
+        safeDataset =
+            dataset.copy(
+                security =
+                    DatasetSecurity(
+                        default = dataset.security!!.default,
+                        accessControlList = mutableListOf(userAC)))
+      }
+    } else if (dataset.security!!.default == ROLE_VIEWER) {
+      safeDataset =
+          dataset.copy(
+              security =
+                  DatasetSecurity(
+                      default = dataset.security!!.default, accessControlList = mutableListOf()))
+    }
     return safeDataset
   }
 }

organization/src/integrationTest/kotlin/com/cosmotech/organization/service/OrganizationServiceIntegrationTest.kt

@@ -1057,6 +1057,41 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
         organizationApiService.getVerifiedOrganization("wrong_orga_id")
       }
     }
+
+    @Test
+    fun `viewerRole has limited vision on security`() {
+      val organization = makeOrganization(role = ROLE_VIEWER)
+
+      var organizationSaved = organizationApiService.registerOrganization(organization)
+      assertEquals(
+          OrganizationSecurity(
+              default = ROLE_NONE,
+              mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
+          organizationSaved.security)
+
+      organizationSaved = organizationApiService.findOrganizationById(organizationSaved.id!!)
+      assertEquals(
+          OrganizationSecurity(
+              default = ROLE_NONE,
+              mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
+          organizationSaved.security)
+
+      organizationSaved = organizationApiService.getVerifiedOrganization(organizationSaved.id!!)
+      assertEquals(
+          OrganizationSecurity(
+              default = ROLE_NONE,
+              mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
+          organizationSaved.security)
+
+      var organizations = organizationApiService.findAllOrganizations(0, 10)
+      organizations.forEach {
+        assertEquals(
+            OrganizationSecurity(
+                default = ROLE_NONE,
+                mutableListOf(OrganizationAccessControl(TEST_USER_ID, ROLE_VIEWER))),
+            organizationSaved.security)
+      }
+    }
   }
   @Nested
   inner class AsPlatformAdmin {
@@ -2246,6 +2281,24 @@ class OrganizationServiceIntegrationTest : CsmRedisTestBase() {
                 accessControlList = mutableListOf(OrganizationAccessControl(userName, role))))
   }
 
+  fun makeOrganization(
+      id: String = "organization_id",
+      userName: String = TEST_USER_ID,
+      role: String = ROLE_ADMIN
+  ): Organization {
+    return Organization(
+        id = id,
+        name = "Organization Name",
+        ownerId = "my.account-tester@cosmotech.com",
+        security =
+            OrganizationSecurity(
+                default = ROLE_NONE,
+                accessControlList =
+                    mutableListOf(
+                        OrganizationAccessControl(id = TEST_ADMIN_USER_ID, role = "admin"),
+                        OrganizationAccessControl(id = userName, role = role))))
+  }
+
   internal fun testFindAllOrganizations(page: Int?, size: Int?, expectedResultSize: Int) {
     val organizationList = organizationApiService.findAllOrganizations(page, size)
     logger.info("Organization list retrieved contains : ${organizationList.size} elements")

organization/src/main/kotlin/com/cosmotech/organization/service/OrganizationServiceImpl.kt

@@ -13,6 +13,7 @@ import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
 import com.cosmotech.api.rbac.ROLE_NONE
+import com.cosmotech.api.rbac.ROLE_VIEWER
 import com.cosmotech.api.rbac.getAllRolesDefinition
 import com.cosmotech.api.rbac.getCommonRolesDefinition
 import com.cosmotech.api.rbac.model.RbacAccessControl
@@ -229,16 +230,28 @@ class OrganizationServiceImpl(
   }
 
   fun checkReadSecurity(organization: Organization): Organization {
-    val username = getCurrentAuthenticatedUserName(csmPlatformProperties)
+    var safeOrganization = organization
+    val username = getCurrentAccountIdentifier(csmPlatformProperties)
     var userAC = OrganizationAccessControl("", "")
     val retrievedAC = organization.security!!.accessControlList.filter { it.id == username }
-    if (retrievedAC.isNotEmpty()) userAC = retrievedAC[0]
-    val safeOrganization =
-        organization.copy(
-            security =
-                OrganizationSecurity(
-                    default = organization.security!!.default,
-                    accessControlList = mutableListOf(userAC)))
+    if (retrievedAC.isNotEmpty()) {
+      userAC = retrievedAC[0]
+      if (userAC.role == ROLE_VIEWER) {
+        safeOrganization =
+            organization.copy(
+                security =
+                    OrganizationSecurity(
+                        default = organization.security!!.default,
+                        accessControlList = mutableListOf(userAC)))
+      }
+    } else if (organization.security!!.default == ROLE_VIEWER) {
+      safeOrganization =
+          organization.copy(
+              security =
+                  OrganizationSecurity(
+                      default = organization.security!!.default,
+                      accessControlList = mutableListOf()))
+    }
     return safeOrganization
   }
 }

runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt

@@ -1027,6 +1027,33 @@ class RunnerServiceIntegrationTest : CsmRedisTestBase() {
     assertEquals(expectedRunId, lastRunId)
   }
 
+  @Test
+  fun `viewerRole has limited vision on security`() {
+    every { getCurrentAccountIdentifier(any()) } returns defaultName
+    runner = makeRunner(userName = defaultName, role = ROLE_VIEWER)
+
+    runnerSaved = runnerApiService.createRunner(organizationSaved.id!!, workspaceSaved.id!!, runner)
+    assertEquals(
+        RunnerSecurity(
+            default = ROLE_NONE, mutableListOf(RunnerAccessControl(defaultName, ROLE_VIEWER))),
+        runnerSaved.security)
+
+    runnerSaved =
+        runnerApiService.getRunner(organizationSaved.id!!, workspaceSaved.id!!, runnerSaved.id!!)
+    assertEquals(
+        RunnerSecurity(
+            default = ROLE_NONE, mutableListOf(RunnerAccessControl(defaultName, ROLE_VIEWER))),
+        runnerSaved.security)
+
+    val runners = runnerApiService.listRunners(organizationSaved.id!!, workspaceSaved.id!!, 0, 10)
+    runners.forEach {
+      assertEquals(
+          RunnerSecurity(
+              default = ROLE_NONE, mutableListOf(RunnerAccessControl(defaultName, ROLE_VIEWER))),
+          runnerSaved.security)
+    }
+  }
+
   private fun makeConnector(name: String = "name"): Connector {
     return Connector(
         key = UUID.randomUUID().toString(),
@@ -1057,7 +1084,8 @@ class RunnerServiceIntegrationTest : CsmRedisTestBase() {
                 default = ROLE_NONE,
                 accessControlList =
                     mutableListOf(
-                        DatasetAccessControl(id = CONNECTED_ADMIN_USER, role = ROLE_ADMIN))))
+                        DatasetAccessControl(id = CONNECTED_ADMIN_USER, role = ROLE_ADMIN),
+                        DatasetAccessControl(defaultName, ROLE_USER))))
   }
 
   fun makeSolution(organizationId: String = organizationSaved.id!!): Solution {
@@ -1090,7 +1118,8 @@ class RunnerServiceIntegrationTest : CsmRedisTestBase() {
                 default = ROLE_NONE,
                 accessControlList =
                     mutableListOf(
-                        SolutionAccessControl(id = CONNECTED_ADMIN_USER, role = ROLE_ADMIN))))
+                        SolutionAccessControl(id = CONNECTED_ADMIN_USER, role = ROLE_ADMIN),
+                        SolutionAccessControl(id = defaultName, role = ROLE_USER))))
   }
 
   fun makeOrganization(

runner/src/main/kotlin/com/cosmotech/runner/service/RunnerApiServiceImpl.kt

@@ -10,9 +10,10 @@ import com.cosmotech.api.rbac.PERMISSION_LAUNCH
 import com.cosmotech.api.rbac.PERMISSION_READ_SECURITY
 import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
+import com.cosmotech.api.rbac.ROLE_VIEWER
 import com.cosmotech.api.rbac.getRunnerRolesDefinition
 import com.cosmotech.api.utils.constructPageRequest
-import com.cosmotech.api.utils.getCurrentAuthenticatedUserName
+import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import com.cosmotech.runner.RunnerApiServiceInterface
 import com.cosmotech.runner.domain.CreatedRun
 import com.cosmotech.runner.domain.Runner
@@ -241,15 +242,27 @@ internal class RunnerApiServiceImpl(
   }
 
   fun checkReadSecurity(runner: Runner): Runner {
-    val username = getCurrentAuthenticatedUserName(csmPlatformProperties)
+    var safeRunner = runner
+    val username = getCurrentAccountIdentifier(csmPlatformProperties)
     var userAC = RunnerAccessControl("", "")
     val retrievedAC = runner.security!!.accessControlList.filter { it.id == username }
-    if (retrievedAC.isNotEmpty()) userAC = retrievedAC[0]
-    val safeRunner =
-        runner.copy(
-            security =
-                RunnerSecurity(
-                    default = runner.security!!.default, accessControlList = mutableListOf(userAC)))
+    if (retrievedAC.isNotEmpty()) {
+      userAC = retrievedAC[0]
+      if (userAC.role == ROLE_VIEWER) {
+        safeRunner =
+            runner.copy(
+                security =
+                    RunnerSecurity(
+                        default = runner.security!!.default,
+                        accessControlList = mutableListOf(userAC)))
+      }
+    } else if (runner.security!!.default == ROLE_VIEWER) {
+      safeRunner =
+          runner.copy(
+              security =
+                  RunnerSecurity(
+                      default = runner.security!!.default, accessControlList = mutableListOf()))
+    }
     return safeRunner
   }
 }