SIMSBIOHUB 878: Team Middleware for Authorization

[J-pilon]

Links to Jira Tickets

https://apps.nrs.gov.bc.ca/int/jira/browse/SIMSBIOHUB-878

Description of Changes

• Introduces team-scoped authorization: models and a dedicated repository and service (with tests) for resolving team-based access.
• Adds Zod types TeamMemberRecord, TeamPolicyRecord, and DataRequestRecord for query results.
• TeamAuthorizationRepository provides Knex query-builder methods to find active team membership by team ID, by policy ID, and by data request ID, and a SQL (CTE) method to find a team policy for a submission feature via URN matching on policy_statement.
• TeamAuthorizationService exposes isUserAuthorizedForTeamEntity, which handles team, policy, data request, and submission_feature entity types; for submission features it respects the secured flag, optional submission ID, and uses the new repository method to resolve access by submission feature ID.
• AuthorizationService is refactored so team rules are evaluated by delegating to TeamAuthorizationService instead of inlining logic.
• The GET submission feature route (/submission/{submissionId}/features/{submissionFeatureId}) is updated to authorize via the Team rule with entity type submission_feature (submissionFeatureId and submissionId).
• Includes unit tests for TeamAuthorizationRepository, TeamAuthorizationService, and updated AuthorizationService tests that stub TeamAuthorizationService.
• Data requests scoped by user’s teams: GET /data-requests is filtered by the requesting user’s teams.
• TeamRepository gains a method to get teams by system_user_id (joining team_member and team); TeamService exposes getTeamIdsBySystemUserId; DataRequestRepository adds a team_ids filter; DataRequestService’s findDataRequests uses system_user_id to resolve team IDs and fetch only data requests for those teams.
• Discriminator handling is updated: adds system_user to confirm the user is in the system and removes the unimplemented ticket type. Adds tests for DataRequestService and for DataRequestRepository’s team_ids filter.

Testing Instructions

Regular System User:
Create data_request where your part of the team:

curl --location 'http://localhost:6100/api/data-request' \
--header 'Authorization: Bearer <TOKEN> \
--header 'Content-Type: application/json' \
--data '{
    "reason": "Part of this team"
}'

Create data_request where you are not part of the team:
After creating the data_request, remove yourself from the team.

curl --location 'http://localhost:6100/api/data-request' \
--header 'Authorization: Bearer <TOKEN> \
--header 'Content-Type: application/json' \
--data '{
    "reason": "Not part of this team",
    "team_id": "abc123"
}'

Request all data_request records

curl --location 'http://localhost:6100/api/data-request/' \
--header 'Authorization: Bearer <TOKEN>'

You should see only one data_request record that you are part of the team.

Change system user role to ADMIN
You should see both data_request records.

[github-actions]

OpenShift URLs for the PR Deployment:

• App Route: https://biohub-platform-app-339-a0ec71-dev.apps.silver.devops.gov.bc.ca/
• API Route: https://biohub-platform-api-339-a0ec71-dev.apps.silver.devops.gov.bc.ca/
• Pods: https://console.apps.silver.devops.gov.bc.ca/k8s/ns/a0ec71-dev/pods?name=339
• Helm Release: https://console.apps.silver.devops.gov.bc.ca/helm-releases/ns/a0ec71-dev/release/pr-339

[github-actions]

OpenShift URLs for the PR Deployment:

• App Route: https://biohub-platform-app-339-a0ec71-dev.apps.silver.devops.gov.bc.ca/
• API Route: https://biohub-platform-api-339-a0ec71-dev.apps.silver.devops.gov.bc.ca/
• Pods: https://console.apps.silver.devops.gov.bc.ca/k8s/ns/a0ec71-dev/pods?name=339
• Helm Release: https://console.apps.silver.devops.gov.bc.ca/helm-releases/ns/a0ec71-dev/release/pr-339

[mauberti-bc]

Looks good, just a couple comments to address

[github-actions]

OpenShift URLs for the PR Deployment:

• App Route: https://biohub-platform-app-339-a0ec71-dev.apps.silver.devops.gov.bc.ca/
• API Route: https://biohub-platform-api-339-a0ec71-dev.apps.silver.devops.gov.bc.ca/
• Pods: https://console.apps.silver.devops.gov.bc.ca/k8s/ns/a0ec71-dev/pods?name=339
• Helm Release: https://console.apps.silver.devops.gov.bc.ca/helm-releases/ns/a0ec71-dev/release/pr-339

[J-pilon]

@mauberti-bc

• Refactored TeamAuthorizationService's 'isUserAuthorizedForTeamEntity' method to conform to its contract of only returning booleans
• Removed duplication for 'findDataRequests' and 'findDataRequestsByTeamMembership' in DataRequestRepository by creating a private method for applying filters following the pattern in TeamRepository

[mauberti-bc]

👍

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud