Merge pull request #309 from bcgov/feature/cascade-permission-changes

Feature: optionally cascade add/remove bucket permissions operations

Author: TimCsaky

app/src/controllers/bucketPermission.js

@@ -1,4 +1,5 @@
 const errorToProblem = require('../components/errorToProblem');
+const utils = require('../db/models/utils');
 const {
   addDashesToUuid,
   mixedQueryToArray,
@@ -7,14 +8,15 @@ const {
   isTruthy
 } = require('../components/utils');
 const { NIL: SYSTEM_USER } = require('uuid');
-const { bucketPermissionService, userService } = require('../services');
+const { bucketPermissionService, userService, bucketService } = require('../services');
 
 const SERVICE = 'BucketPermissionService';
 
 /**
  * The Permission Controller
  */
 const controller = {
+
   /**
    * @function searchPermissions
    * Searches for bucket permissions
@@ -89,11 +91,36 @@ const controller = {
    */
   async addPermissions(req, res, next) {
     try {
-      const userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
-      const response = await bucketPermissionService.addPermissions(
-        addDashesToUuid(req.params.bucketId),req.body, userId
-      );
-      res.status(201).json(response);
+      const currUserId = await userService.getCurrentUserId(
+        getCurrentIdentity(req.currentUser, SYSTEM_USER), SYSTEM_USER);
+      const currBucketId = addDashesToUuid(req.params.bucketId);
+
+      if (isTruthy(req.query.recursive)) {
+
+        const parentBucket = await bucketService.read(currBucketId);
+
+        // Only apply permissions to child buckets that currentUser can MANAGE
+        // If the current user is SYSTEM_USER, apply permissions to all child buckets
+        const childBuckets = currUserId !== SYSTEM_USER ?
+          await bucketService.getChildrenWithManagePermissions(currBucketId, currUserId) :
+          await bucketService.searchChildBuckets(parentBucket, true, currUserId);
+
+        const allBuckets = [parentBucket, ...childBuckets];
+
+        const responses = await utils.trxWrapper(async (trx) => {
+          return await Promise.all(
+            allBuckets.map(b =>
+              bucketPermissionService.addPermissions(b.bucketId, req.body, currUserId, trx)
+            )
+          );
+        });
+        res.status(201).json(responses.flat());
+      }
+      else {
+        const response = await bucketPermissionService.addPermissions(
+          currBucketId, req.body, currUserId);
+        res.status(201).json(response);
+      }
     } catch (e) {
       next(errorToProblem(SERVICE, e));
     }
@@ -112,14 +139,41 @@ const controller = {
       const userArray = mixedQueryToArray(req.query.userId);
       const userIds = userArray ? userArray.map(id => addDashesToUuid(id)) : userArray;
       const permissions = mixedQueryToArray(req.query.permCode);
-      const response = await bucketPermissionService.removePermissions(req.params.bucketId, userIds, permissions);
-      res.status(200).json(response);
+
+      const currUserId = await userService.getCurrentUserId(
+        getCurrentIdentity(req.currentUser, SYSTEM_USER), SYSTEM_USER);
+      const currBucketId = addDashesToUuid(req.params.bucketId);
+
+      if (isTruthy(req.query.recursive)) {
+
+        const parentBucket = await bucketService.read(currBucketId);
+        // Only apply permissions to child buckets that currentUser can MANAGE
+        // If the current user is SYSTEM_USER, apply permissions to all child buckets
+        const childBuckets = currUserId !== SYSTEM_USER ?
+          await bucketService.getChildrenWithManagePermissions(currBucketId, currUserId) :
+          await bucketService.searchChildBuckets(parentBucket, true, currUserId);
+
+        const allBuckets = [parentBucket, ...childBuckets];
+
+        const responses = await utils.trxWrapper(async (trx) => {
+          return await Promise.all(
+            allBuckets.map(b =>
+              bucketPermissionService.removePermissions(b.bucketId, userIds, permissions, trx)
+            )
+          );
+        });
+        res.status(200).json(responses.flat());
+      }
+      else {
+        const response = await bucketPermissionService.removePermissions(currBucketId, userIds, permissions);
+        res.status(200).json(response);
+      }
+
     } catch (e) {
       next(errorToProblem(SERVICE, e));
     }
   },
 
-
 };
 
 module.exports = controller;

app/src/controllers/invite.js

@@ -3,7 +3,8 @@ const { v4: uuidv4, NIL: SYSTEM_USER } = require('uuid');
 
 const { AuthType, Permissions, ResourceType } = require('../components/constants');
 const errorToProblem = require('../components/errorToProblem');
-const { addDashesToUuid, getCurrentIdentity } = require('../components/utils');
+const { addDashesToUuid, getCurrentIdentity, isTruthy } = require('../components/utils');
+const utils = require('../db/models/utils');
 const {
   bucketPermissionService,
   bucketService,
@@ -29,7 +30,6 @@ const controller = {
    */
   async createInvite(req, res, next) {
     let resource, type;
-
     try {
       // Reject if expiresAt is more than 30 days away
       const maxExpiresAt = Math.floor(Date.now() / 1000) + 2592000;
@@ -120,12 +120,13 @@ const controller = {
         type: type,
         expiresAt: req.body.expiresAt ? new Date(req.body.expiresAt * 1000).toISOString() : undefined,
         userId: userId,
-        permCodes: req.body.permCodes
+        permCodes: req.body.permCodes,
+        recursive: (req.body.bucketId && isTruthy(req.body.recursive)) ?? false
       });
       res.status(201).json(response.token);
     } catch (e) {
       if (e.statusCode === 404) {
-        next(errorToProblem(SERVICE, new Problem(409, {
+        next(errorToProblem(SERVICE, new Problem(404, {
           detail: `Resource type '${type}' not found`,
           instance: req.originalUrl,
           resource: resource
@@ -186,7 +187,7 @@ const controller = {
         await objectPermissionService.addPermissions(invite.resource,
           permCodes.map(permCode => ({ userId, permCode })), invite.createdBy);
       } else if (invite.type === ResourceType.BUCKET) {
-        // Check for object existence
+        // Check for bucket existence
         await bucketService.read(invite.resource).catch(() => {
           inviteService.delete(token);
           throw new Problem(409, {
@@ -196,14 +197,37 @@ const controller = {
           });
         });
 
-        // Grant invitation permission and cleanup
-        await bucketPermissionService.addPermissions(invite.resource,
-          permCodes.map(permCode => ({ userId, permCode })), invite.createdBy);
+        // Grant invitation permission
+        // if invite was for specified folder AND all subfolders
+        if (invite.recursive) {
+          const parentBucket = await bucketService.read(invite.resource);
+          // Only apply permissions to child buckets that inviter can MANAGE
+          // If the invite was created via basic auth, apply permissions to all child buckets
+          const childBuckets = invite.createdBy !== SYSTEM_USER ?
+            await bucketService.getChildrenWithManagePermissions(invite.resource, invite.createdBy) :
+            await bucketService.searchChildBuckets(parentBucket, true, invite.createdBy);
+
+          const allBuckets = [parentBucket, ...childBuckets];
+
+          await utils.trxWrapper(async (trx) => {
+            return await Promise.all(
+              allBuckets.map(b =>
+                bucketPermissionService.addPermissions(b.bucketId, permCodes.map(
+                  permCode => ({ userId, permCode })), invite.createdBy, trx)
+              )
+            );
+          });
+        }
+        // else not recursive
+        else {
+          await bucketPermissionService.addPermissions(invite.resource,
+            permCodes.map(permCode => ({ userId, permCode })), invite.createdBy);
+        }
       }
 
       // Cleanup invite on success
       inviteService.delete(token);
-      res.status(200).json({ resource: invite.resource, type: invite.type });
+      res.status(200).json({ resource: invite.resource, type: invite.type, recursive: invite.recursive });
     } catch (e) {
       if (e.statusCode === 404) {
         next(errorToProblem(SERVICE, new Problem(404, {

app/src/db/migrations/20250625000000_016-invite-cascade-child-buckets.js

@@ -0,0 +1,23 @@
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.up = function (knex) {
+  return Promise.resolve()
+    // add recursive column to invite table
+    .then(() => knex.schema.alterTable('invite', table => {
+      table.boolean('recursive').notNullable().defaultTo(false);
+    }));
+};
+
+/**
+ * @param { import("knex").Knex } knex
+ * @returns { Promise<void> }
+ */
+exports.down = function (knex) {
+  return Promise.resolve()
+    // drop recursive column from invite table
+    .then(() => knex.schema.alterTable('invite', table => {
+      table.dropColumn('recursive');
+    }));
+};

app/src/db/models/tables/invite.js

@@ -23,6 +23,7 @@ class ObjectModel extends Timestamps(Model) {
         type: { type: 'string', enum: ['bucketId', 'objectId'] },
         expiresAt: { type: 'string', format: 'date-time' },
         permCodes: { type: 'array', items: { type: 'string' } },
+        recursive: { type: 'boolean' },
         ...stamps
       },
       additionalProperties: false

app/src/docs/v1.api-spec.yaml

@@ -199,10 +199,10 @@ paths:
       summary: Deletes a bucket
       description: >-
         Deletes the bucket record (and child objects) from the COMS database, based on bucketId.
-        When calling this endpoint using OIDC token authentication, the user requires the DELETE
+        When calling this endpoint using OIDC token authentication, the user requires the `DELETE`
         permission for the bucket.
-        Providing the 'recursive' parameter will also delete all sub-folders.
-        The recursive option also requires the OIDC user to have the DELETE permission
+        Providing the `recursive` parameter will also delete all sub-folders.
+        The `recursive` option also requires the OIDC user to have the `DELETE` permission
         on all of these sub-folders otherwise the entire operation will fail.
         This request does not dispatch an S3 operation to request the deletion of the associated
         bucket(s) or delete any objects in object storage, it simply 'de-registers' knowledge of the bucket/folder
@@ -1137,12 +1137,15 @@ paths:
         arbitrary array of permCode and user tuples. This is an idempotent
         operation, so users that already have a requested permission will remain
         unaffected. Only permissions successfully added to COMS will appear in
-        the response.
+        the response. The `recursive` option will also apply the specified
+        permissions to all child buckets where the current user has `MANAGE`
+        permissions.
       operationId: bucketAddPermissions
       tags:
         - Permission
       parameters:
         - $ref: "#/components/parameters/Path-BucketId"
+        - $ref: "#/components/parameters/Query-Recursive"
       requestBody:
         description: >-
           An array of bucket permissions, each containing a `userId` and
@@ -1175,16 +1178,18 @@ paths:
         of users and subset of permissions to revoke. This is an idempotent
         operation, so users that already lack the specified permission(s) will
         remain unaffected. Only permissions successfully removed from COMS will
-        appear in the response. WARNING: Specifying no parameters will delete
-        all permissions associated with a bucket; it is possible to lock
-        yourself out of your own bucket!
+        appear in the response. The `recursive` option will also remove the specified
+        permissions from all child buckets where the current user has `MANAGE`
+        permissions. WARNING: Specifying no parameters will delete all permissions
+        associated with a bucket; it is possible to lock yourself out of your own bucket!
       operationId: bucketRemovePermissions
       tags:
         - Permission
       parameters:
         - $ref: "#/components/parameters/Path-BucketId"
         - $ref: "#/components/parameters/Query-UserId"
         - $ref: "#/components/parameters/Query-PermCode"
+        - $ref: "#/components/parameters/Query-Recursive"
       responses:
         "200":
           description: Returns an array of deleted permissions
@@ -2583,6 +2588,11 @@ components:
             `objectId` must be specified.
           format: uuid
           example: ac246e31-c807-496c-bc93-cd8bc2f1b2b4
+        recursive:
+          type: boolean
+          description: >-
+            Optionally apply permCodes to all sub-folders in the spcified bucket
+          example: true
         email:
           type: string
           description: >-
@@ -2609,7 +2619,7 @@ components:
           type: array
           items:
             type: string
-          description: Optional array of permCode. Defaults to 'READ', if unspecified. Accepts any of `"READ", "CREATE", "UPDATE"` for bucket or  `"READ", "UPDATE"` for objects
+          description: Optional array of permCode. Defaults to `READ`, if unspecified. Accepts any of `"READ", "CREATE", "UPDATE"` for bucket or  `"READ", "UPDATE"` for objects
           example: ["READ", "CREATE", "UPDATE"]
     Request-UpdateBucket:
       title: Request Update Bucket

app/src/services/bucket.js

@@ -2,6 +2,7 @@ const { v4: uuidv4, NIL: SYSTEM_USER } = require('uuid');
 
 const bucketPermissionService = require('./bucketPermission');
 const { Bucket } = require('../db/models');
+const { Permissions } = require('../components/constants');
 
 /**
  * The Bucket DB Service
@@ -173,6 +174,25 @@ const service = {
     }
   },
 
+  /**
+   * Gets all child bucket records for a given bucket, where the specified user
+   * has MANAGE permission on said child buckets.
+   * @param {string} parentBucketId bucket id of the parent bucket
+   * @param {string} userId user id
+   * @param {object} [etrx=undefined] An optional Objection Transaction object
+   * @returns {Promise<object[]>} An array of bucket records that are children of the parent,
+   *                              where the user has MANAGE permissions.
+   */
+  getChildrenWithManagePermissions: async (parentBucketId, userId, etrx = undefined) => {
+    const parentBucket = await service.read(parentBucketId);
+    const allChildren = await service.searchChildBuckets(parentBucket, true, userId, etrx);
+
+    const filteredChildren = allChildren.filter(bucket =>
+      bucket.bucketPermission?.some(perm => perm.userId === userId && perm.permCode === Permissions.MANAGE)
+    );
+    return filteredChildren;
+  },
+
   /**
    * @function searchBuckets
    * Search and filter for specific bucket records
@@ -199,11 +219,13 @@ const service = {
 
   /**
    * @function searchChildBuckets
-   * Get db records for each bucket that acts as a sub-folder of the provided bucket
+   * Get db records for each bucket that acts as a sub-folder of the provided bucket,
+   * and is accessible to a given user
    * @param {object} parentBucket a bucket model (record) from the COMS db
    * @param {boolean} returnPermissions also return current user's permissions for each bucket
+   * @param {string} userId uuid of the user
    * @param {object} [etrx=undefined] An optional Objection Transaction object
-   * @returns {Promise<object[]>} An array of bucket records
+   * @returns {Promise<object[]>} An array of bucket records that the given user can access
    * @throws If there are no records found
    */
   searchChildBuckets: async (parentBucket, returnPermissions = false, userId, etrx = undefined) => {
@@ -215,9 +237,14 @@ const service = {
           if (returnPermissions) {
             query
               .withGraphJoined('bucketPermission')
-              .whereIn('bucketPermission.bucketId', builder => {
-                builder.distinct('bucketPermission.bucketId')
-                  .where('bucketPermission.userId', userId);
+              .modify(query => {
+                if (userId !== SYSTEM_USER) {
+                  query
+                    .whereIn('bucketPermission.bucketId', builder => {
+                      builder.distinct('bucketPermission.bucketId')
+                        .where('bucketPermission.userId', userId);
+                    });
+                }
               });
           }
         })

app/src/services/invite.js

@@ -33,7 +33,8 @@ const service = {
         // if permCodes provided set as unique permCodes otherwise just ['READ']
         permCodes: data.permCodes ? Array.from(new Set(data.permCodes)) : ['READ'],
         expiresAt: data.expiresAt,
-        createdBy: data.userId ?? SYSTEM_USER
+        createdBy: data.userId ?? SYSTEM_USER,
+        recursive: data.recursive ?? false
       });
 
       if (!etrx) await trx.commit();

app/src/validators/bucketPermission.js

@@ -45,6 +45,7 @@ const schema = {
       }).required()
     ).required(),
     query: Joi.object({
+      recursive: type.truthy,
     })
   },
 
@@ -55,6 +56,7 @@ const schema = {
     query: Joi.object({
       userId: scheme.guid,
       permCode: scheme.permCode,
+      recursive: type.truthy
     })
   }
 };