Merge pull request #313 from IABTechLab/sch-UID2-2555-role-validation-for-service-links-in-operator

sophia-chen-ttd · web-flow · commit a7e85b633dbf · 2023-12-19T15:14:22.000+11:00
sch-UID2-2555-role-validation-for-service-links-in-operator
diff --git a/src/main/java/com/uid2/operator/service/SecureLinkValidatorService.java b/src/main/java/com/uid2/operator/service/SecureLinkValidatorService.java
@@ -2,6 +2,7 @@
 
 import com.uid2.shared.auth.ClientKey;
 import com.uid2.shared.auth.IAuthorizable;
+import com.uid2.shared.auth.Role;
 import com.uid2.shared.middleware.AuthMiddleware;
 import com.uid2.shared.model.Service;
 import com.uid2.shared.model.ServiceLink;
@@ -25,7 +26,7 @@ public SecureLinkValidatorService(RotatingServiceLinkStore rotatingServiceLinkSt
         this.rotatingServiceStore = rotatingServiceStore;
     }
 
-    public boolean validateRequest(RoutingContext rc, JsonObject requestJsonObject) {
+    public boolean validateRequest(RoutingContext rc, JsonObject requestJsonObject, Role role) {
         boolean result = true;
         final IAuthorizable profile = AuthMiddleware.getAuthClient(rc);
         if (profile instanceof ClientKey) {
@@ -34,15 +35,20 @@ public boolean validateRequest(RoutingContext rc, JsonObject requestJsonObject)
                 // service_id is set in the request, so need to check if the given link_id is linked to this service
                 if (this.rotatingServiceLinkStore == null) {
                     // this is an invalid configuration. This operator is not set to validate service links, but has a service Id set.
-                    LOGGER.warn("Invalid configuration. Operator not set to validate service links (validate_service_links=false in config), but the calling client has a ServiceId set. ");
+                    LOGGER.warn("Path: {} , Invalid configuration. Operator not set to validate service links (validate_service_links=false in config), but the calling client has a ServiceId set. ", rc.normalizedPath());
                     return false;
                 }
 
                 if (requestJsonObject.containsKey(LINK_ID)) {
                     String linkId = requestJsonObject.getString(LINK_ID);
                     ServiceLink serviceLink = this.rotatingServiceLinkStore.getServiceLink(clientKey.getServiceId(), linkId);
                     if (serviceLink == null) {
-                        LOGGER.warn("ClientKey has ServiceId set, but LinkId in request was not authorized. ServiceId: {}, LinkId in request: {}", clientKey.getServiceId(), linkId);
+                        LOGGER.warn("Path: {} , ClientKey has ServiceId set, but LinkId in request was not authorized. ServiceId: {}, LinkId in request: {}", rc.normalizedPath(), clientKey.getServiceId(), linkId);
+                        return false;
+                    }
+                    if (!serviceLink.getRoles().contains(role)) {
+                        LOGGER.warn("Path: {} , ServiceLink {} does not have role {}", rc.normalizedPath(), linkId, role);
+
                         return false;
                     }
                     Service service = rotatingServiceStore.getService(clientKey.getServiceId());
diff --git a/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java b/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java
@@ -1319,7 +1319,7 @@ private void handleIdentityMapV2(RoutingContext rc) {
             }
 
             JsonObject requestJsonObject = (JsonObject) rc.data().get(REQUEST);
-            if (!this.secureLinkValidatorService.validateRequest(rc, requestJsonObject)) {
+            if (!this.secureLinkValidatorService.validateRequest(rc, requestJsonObject, Role.MAPPER)) {
                 ResponseUtil.Error(ResponseStatus.Unauthorized, HttpStatus.SC_UNAUTHORIZED, rc, "Invalid link_id");
                 return;
             }
diff --git a/src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java b/src/test/java/com/uid2/operator/UIDOperatorVerticleTest.java
@@ -111,7 +111,7 @@ public void deployVerticle(Vertx vertx, VertxTestContext testContext, TestInfo t
         mocks = MockitoAnnotations.openMocks(this);
         when(saltProvider.getSnapshot(any())).thenReturn(saltProviderSnapshot);
         when(clock.instant()).thenAnswer(i -> now);
-        when(this.secureLinkValidatorService.validateRequest(any(RoutingContext.class), any(JsonObject.class))).thenReturn(true);
+        when(this.secureLinkValidatorService.validateRequest(any(RoutingContext.class), any(JsonObject.class), any(Role.class))).thenReturn(true);
 
 
         JsonObject config = new JsonObject();
@@ -4117,7 +4117,7 @@ void keySharingRotatingKeysets_IDREADER(String testRun, Vertx vertx, VertxTestCo
     @Test
     void secureLinkValidationPassesReturnsIdentity(Vertx vertx, VertxTestContext testContext) {
         JsonObject req = setupIdentityMapServiceLinkTest();
-        when(this.secureLinkValidatorService.validateRequest(any(RoutingContext.class), any(JsonObject.class))).thenReturn(true);
+        when(this.secureLinkValidatorService.validateRequest(any(RoutingContext.class), any(JsonObject.class), any(Role.class))).thenReturn(true);
 
         send("v2", vertx, "v2" + "/identity/map", false, null, req, 200, json -> {
             checkIdentityMapResponse(json, "test1@uid2.com", "test2@uid2.com");
@@ -4128,7 +4128,7 @@ void secureLinkValidationPassesReturnsIdentity(Vertx vertx, VertxTestContext tes
     @Test
     void secureLinkValidationFailsReturnsIdentityError(Vertx vertx, VertxTestContext testContext) {
         JsonObject req = setupIdentityMapServiceLinkTest();
-        when(this.secureLinkValidatorService.validateRequest(any(RoutingContext.class), any(JsonObject.class))).thenReturn(false);
+        when(this.secureLinkValidatorService.validateRequest(any(RoutingContext.class), any(JsonObject.class), any(Role.class))).thenReturn(false);
 
         send("v2", vertx, "v2" + "/identity/map", false, null, req, 401, json -> {
             assertEquals("unauthorized", json.getString("status"));
diff --git a/src/test/java/com/uid2/operator/service/SecureLinkValidatorServiceTest.java b/src/test/java/com/uid2/operator/service/SecureLinkValidatorServiceTest.java
@@ -40,19 +40,19 @@ void validateRequest_serviceIdNotSet_returnsTrue() {
         this.setClientKey(0);
 
         SecureLinkValidatorService service = new SecureLinkValidatorService(this.rotatingServiceLinkStore, this.rotatingServiceStore);
-        assertTrue(service.validateRequest(this.routingContext, null));
+        assertTrue(service.validateRequest(this.routingContext, null, Role.MAPPER));
     }
 
     @Test
-    void validateRequest_linkIdFound_returnsTrue() {
+    void validateRequest_linkIdFoundAndRoleAllowed_returnsTrue() {
         this.setClientKey(10);
         JsonObject requestJsonObject = new JsonObject();
         requestJsonObject.put(SecureLinkValidatorService.LINK_ID, "999");
 
-        when(this.rotatingServiceLinkStore.getServiceLink(10, "999")).thenReturn(new ServiceLink("999", 10, 100, "testServiceLink", null));
+        when(this.rotatingServiceLinkStore.getServiceLink(10, "999")).thenReturn(new ServiceLink("999", 10, 100, "testServiceLink", Set.of(Role.MAPPER)));
 
         SecureLinkValidatorService service = new SecureLinkValidatorService(this.rotatingServiceLinkStore, this.rotatingServiceStore);
-        assertTrue(service.validateRequest(this.routingContext, requestJsonObject));
+        assertTrue(service.validateRequest(this.routingContext, requestJsonObject, Role.MAPPER));
     }
 
     @Test
@@ -64,7 +64,19 @@ void validateRequest_linkIdNotFound_returnsFalse() {
         when(this.rotatingServiceLinkStore.getServiceLink(10, "999")).thenReturn(null);
 
         SecureLinkValidatorService service = new SecureLinkValidatorService(this.rotatingServiceLinkStore, this.rotatingServiceStore);
-        assertFalse(service.validateRequest(this.routingContext, requestJsonObject));
+        assertFalse(service.validateRequest(this.routingContext, requestJsonObject, Role.MAPPER));
+    }
+
+    @Test
+    void validateRequest_roleNotInServiceLink_returnsFalse() {
+        this.setClientKey(10);
+        JsonObject requestJsonObject = new JsonObject();
+        requestJsonObject.put(SecureLinkValidatorService.LINK_ID, "999");
+
+        when(this.rotatingServiceLinkStore.getServiceLink(10, "999")).thenReturn(new ServiceLink("999", 10, 100, "testServiceLink", Set.of(Role.SHARER, Role.CLIENTKEY_ISSUER)));
+
+        SecureLinkValidatorService service = new SecureLinkValidatorService(this.rotatingServiceLinkStore, this.rotatingServiceStore);
+        assertFalse(service.validateRequest(this.routingContext, requestJsonObject, Role.MAPPER));
     }
 
     private void setClientKey(int serviceId) {

Original file line number	Diff line number	Diff line change
`@@ -1319,7 +1319,7 @@ private void handleIdentityMapV2(RoutingContext rc) {`
`1319`	`1319`	`}`
`1320`	`1320`
`1321`	`1321`	`JsonObject requestJsonObject = (JsonObject) rc.data().get(REQUEST);`
`1322`		`- if (!this.secureLinkValidatorService.validateRequest(rc, requestJsonObject)) {`
	`1322`	`+ if (!this.secureLinkValidatorService.validateRequest(rc, requestJsonObject, Role.MAPPER)) {`
`1323`	`1323`	`ResponseUtil.Error(ResponseStatus.Unauthorized, HttpStatus.SC_UNAUTHORIZED, rc, "Invalid link_id");`
`1324`	`1324`	`return;`
`1325`	`1325`	`}`