feat(scope): validate scope context on list/count request (#361)

Author: jeffladiray

app/controllers/forest_liana/resources_controller.rb

@@ -22,7 +22,13 @@ def index
           checker = ForestLiana::PermissionsChecker.new(@resource, 'searchToEdit', @rendering_id)
           return head :forbidden unless checker.is_authorized?
         else
-          checker = ForestLiana::PermissionsChecker.new(@resource, 'list', @rendering_id)
+          checker = ForestLiana::PermissionsChecker.new(
+            @resource,
+            'list',
+            @rendering_id,
+            nil,
+            get_collection_list_permission_info(forest_user, request)
+          )
           return head :forbidden unless checker.is_authorized?
         end
 
@@ -51,7 +57,13 @@ def index
 
     def count
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'list', @rendering_id)
+        checker = ForestLiana::PermissionsChecker.new(
+          @resource,
+          'list',
+          @rendering_id,
+          nil,
+          get_collection_list_permission_info(forest_user, request)
+        )
         return head :forbidden unless checker.is_authorized?
 
         getter = ForestLiana::ResourcesGetter.new(@resource, params)
@@ -232,5 +244,15 @@ def get_collection
       collection_name = ForestLiana.name_for(@resource)
       @collection ||= ForestLiana.apimap.find { |collection| collection.name.to_s == collection_name }
     end
+
+    # NOTICE: Return a formatted object containing the request condition filters and 
+    #         the user id used by the scope validator class to validate if scope is 
+    #         in request
+    def get_collection_list_permission_info(user, collection_list_request)
+      {
+        user_id: user['id'],
+        filters: collection_list_request[:filters],
+      }
+    end
   end
 end

app/services/forest_liana/permissions_checker.rb

@@ -3,11 +3,12 @@ class PermissionsChecker
     @@permissions_per_rendering = Hash.new
     @@expiration_in_seconds = (ENV['FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS'] || 3600).to_i
 
-    def initialize(resource, permission_name, rendering_id, smart_action_parameters = nil)
+    def initialize(resource, permission_name, rendering_id, smart_action_parameters = nil, collection_list_parameters = nil)
       @collection_name = ForestLiana.name_for(resource)
       @permission_name = permission_name
       @rendering_id = rendering_id
       @smart_action_parameters = smart_action_parameters
+      @collection_list_parameters = collection_list_parameters
     end
 
     def is_authorized?
@@ -46,12 +47,23 @@ def smart_action_allowed?(smart_actions_permissions)
       return @allowed && (@users.nil?|| @users.include?(@user_id.to_i));
     end
 
+    def collection_list_allowed?(scope_permissions)
+      return ForestLiana::ScopeValidator.new(
+        scope_permissions['filter'],
+        scope_permissions['dynamicScopesValues']['users']
+      ).is_scope_in_request?(@collection_list_parameters)
+    end
+
     def is_allowed?
       permissions = get_permissions
       if permissions && permissions[@collection_name] &&
         permissions[@collection_name]['collection']
         if @permission_name === 'actions'
           return smart_action_allowed?(permissions[@collection_name]['actions'])
+        # NOTICE: Permissions[@collection_name]['scope'] will either contains conditions filter and
+        #         dynamic user values definition, or null for collection that does not use scopes
+        elsif @permission_name === 'list' and permissions[@collection_name]['scope']
+          return collection_list_allowed?(permissions[@collection_name]['scope'])
         else
           return permissions[@collection_name]['collection'][@permission_name]
         end

app/services/forest_liana/scope_validator.rb

@@ -0,0 +1,97 @@
+module ForestLiana
+  class ScopeValidator
+    def initialize(scope_permissions, users_variable_values)
+      @scope_filters = scope_permissions
+      @users_variable_values = users_variable_values
+    end
+
+    def is_scope_in_request?(scope_request)
+      begin
+        filters = JSON.parse(scope_request[:filters])
+      rescue JSON::ParserError
+        raise ForestLiana::Errors::HTTP422Error.new('Invalid filters JSON format')
+      end
+      @computed_scope = compute_condition_filters_from_scope(scope_request[:user_id])
+
+      # NOTICE: Perfom a travel in the request condition filters tree to find the scope
+      tagged_scope_filters = get_scope_found_in_request(filters)
+
+      # NOTICE: Permission system always send an aggregator even if there is only one condition
+      #         In that case, if the condition is valid, then request was not edited
+      return !tagged_scope_filters.nil? if @scope_filters['conditions'].length == 1
+
+      # NOTICE: If there is more than one condition, do a final validation on the condition filters
+      return tagged_scope_filters != nil &&
+        tagged_scope_filters[:aggregator] == @scope_filters['aggregator'] &&
+        tagged_scope_filters[:conditions] &&
+        tagged_scope_filters[:conditions].length == @scope_filters['conditions'].length
+    end
+
+    private
+
+    def compute_condition_filters_from_scope(user_id)
+      computed_condition_filters = @scope_filters.clone
+      computed_condition_filters['conditions'].each do |condition|
+        if condition.include?('value') && 
+          !condition['value'].nil? && 
+          condition['value'].start_with?('$') && 
+          @users_variable_values.include?(user_id)
+          condition['value'] = @users_variable_values[user_id][condition['value']]
+        end
+      end
+      return computed_condition_filters
+    end
+
+    def get_scope_found_in_request(filters)
+      return nil unless filters
+      return search_scope_aggregation(filters)
+    end
+
+    def search_scope_aggregation(node)
+      ensure_valid_aggregation(node)
+
+      return is_scope_condition?(node) unless node['aggregator']
+  
+      # NOTICE: Remove conditions that are not from the scope
+      filtered_conditions = node['conditions'].map { |condition| 
+        search_scope_aggregation(condition)
+      }.select { |condition|
+        condition
+      }
+
+      # NOTICE: If there is only one condition filter left and its current aggregator is
+      #         an "and", this condition filter is the searched scope
+      if (filtered_conditions.length == 1 && 
+        filtered_conditions.first.is_a?(Hash) &&
+        filtered_conditions.first.include?(:aggregator) &&
+        node['aggregator'] == 'and')
+        return filtered_conditions.first
+      end
+
+      # NOTICE: Otherwise, validate if the current node is the scope and return nil
+      #         if it's not
+      return (filtered_conditions.length == @scope_filters['conditions'].length && 
+        node['aggregator'] == @scope_filters['aggregator']) ?
+        { aggregator: node['aggregator'], conditions: filtered_conditions } :
+        nil
+    end
+
+    def is_scope_condition?(condition)
+      ensure_valid_condition(condition)
+      return @computed_scope['conditions'].include?(condition)
+    end
+
+    def ensure_valid_aggregation(node)
+      raise ForestLiana::Errors::HTTP422Error.new('Filters cannot be a raw value') unless node.is_a?(Hash)
+      raise_empty_condition_in_filter_error if node.empty?
+    end
+
+    def ensure_valid_condition(condition)
+      raise_empty_condition_in_filter_error if condition.empty?
+      raise ForestLiana::Errors::HTTP422Error.new('Condition cannot be a raw value') unless condition.is_a?(Hash)
+      unless condition['field'].is_a?(String) and condition['operator'].is_a?(String)
+        raise ForestLiana::Errors::HTTP422Error.new('Invalid condition format')
+      end
+    end
+  end
+end

test/services/forest_liana/scope_validator_test.rb

@@ -0,0 +1,185 @@
+module ForestLiana
+  class ScopeValidatorTest < ActiveSupport::TestCase
+    test 'Request with aggregated condition filters should be allowed if it matches the scope exactly' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'john', 'operator' => 'equal' },
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' }
+          ]
+        }, [])
+
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'john', operator: 'equal' },
+            { field: 'price', value: '2500', operator: 'equal' }              
+          ]
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with simple condition filter should be allowed if it matches the scope exactly' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'field', 'value' => 'value', 'operator' => 'equal' }
+          ]
+        }, [])
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          field: 'field', value: 'value', operator: 'equal'
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with multiples condition filters should be allowed if it contains the scope ' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'doe', 'operator' => 'equal' }
+          ]
+        }, []
+        )
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'doe', operator: 'equal' },
+            { field: 'field2', value: 'value2', operator: 'equal' }              
+          ]
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with dynamic user values should be allowed if it matches the scope exactly' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => '$currentUser.lastname', 'operator' => 'equal' }
+          ],
+        }, {
+          '1' => { '$currentUser.lastname' => 'john' }
+        })
+
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          'field' => 'name', 'value' => 'john', 'operator' => 'equal'
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with multiples aggregation and dynamic values should be allowed if it contains the scope' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+        'aggregator' => 'or',
+        'conditions' => [
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' },
+            { 'field' => 'name', 'value' => '$currentUser.lastname', 'operator' => 'equal' }
+          ]
+        }, {
+          '1' => { '$currentUser.lastname' => 'john' }
+        })
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'field', value: 'value', operator: 'equal' },
+            { 
+              aggregator: 'or',
+              conditions: [
+                { field: 'price', value: '2500', operator: 'equal' },
+                { field: 'name', value: 'john', operator: 'equal' }   
+              ]
+            }
+          ]
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request that does not match the expect scope should not be allowed' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'john', 'operator' => 'equal' },
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' }
+          ]
+        }, [])
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'definitely_not_john', operator: 'equal' },
+            { field: 'price', value: '0', operator: 'equal' }              
+          ]
+        })
+      })
+      assert allowed == false
+    end
+
+    test 'Request that are missing part of the scope should not be allowed' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'john', 'operator' => 'equal' },
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' }
+          ]
+        }, [])
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'john', operator: 'equal' },
+          ]
+        })
+      })
+      assert allowed == false
+    end
+
+    test 'Request that does not have a top aggregator being "and" should not be allowed' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+        'aggregator' => 'and',
+        'conditions' => [
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' },
+            { 'field' => 'name', 'value' => '$currentUser.lastname', 'operator' => 'equal' }
+          ]
+        }, {
+          '1' => { '$currentUser.lastname' => 'john' }
+        })
+
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'or',
+          conditions: [
+            { field: 'field', value: 'value', operator: 'equal' },
+            { 
+              aggregator: 'and',
+              conditions: [
+                { field: 'price', value: '2500', operator: 'equal' },
+                { field: 'name', value: 'john', operator: 'equal' }   
+              ]
+            }
+          ]
+        })
+      })
+      assert allowed == false
+    end
+  end
+end