
Commit a874be6

committed
CMR-10430: adds test for autocomplete suggestions permissions
1 parent 8b90cb3 commit a874be6


1 file changed

+188
-0
lines changed

Lines changed: 188 additions & 0 deletions
@@ -0,0 +1,188 @@
1+
(ns cmr.system-int-test.search.autocomplete.suggestion-permissions-test
2+
"Tests permissions for autocomplete suggestions "
3+
(:require
4+
[clojure.test :refer :all]
5+
[cmr.mock-echo.client.echo-util :as e]
6+
[cmr.system-int-test.data2.core :as d]
7+
[cmr.system-int-test.data2.umm-spec-collection :as data-umm-spec]
8+
[cmr.system-int-test.system :as s]
9+
[cmr.system-int-test.utils.index-util :as index]
10+
[cmr.system-int-test.utils.ingest-util :as ingest]
11+
[cmr.system-int-test.utils.search-util :as search]
12+
[cmr.transmit.config :as transmit-config]))
13+
14+
(defn extract-autocomplete-entries
15+
"Helper to extract entries from autocomplete response"
16+
[response]
17+
(get-in response [:feed :entry]))
18+
19+
(use-fixtures :each (join-fixtures
20+
[(ingest/reset-fixture {"provguid1" "PROV1" "provguid2" "PROV2"}
21+
{:grant-all-search? false})]))
22+
23+
(deftest suggestion-permissions-test
24+
(testing "Suggestions respect collection access permissions"
25+
;; Create groups for our test
26+
(let [authorized-group-id (e/get-or-create-group (s/context) "authorized-group")
27+
28+
;; Create restricted collection with specific data center to test for suggestions
29+
_ (d/ingest-umm-spec-collection
30+
"PROV1"
31+
(data-umm-spec/collection
32+
{:EntryTitle "Restricted Collection"
33+
:ShortName "RESTRICTED"
34+
:DataCenters [(data-umm-spec/data-center
35+
{:Roles ["ARCHIVER"]
36+
:ShortName "RESTRICTED-ORG"})]})
37+
{:format :umm-json
38+
:validate-keywords false})
39+
40+
;; Create another restricted collection with different data center, this one will will delete later
41+
second-restricted-collection (d/ingest-umm-spec-collection
42+
"PROV1"
43+
(data-umm-spec/collection
44+
{:EntryTitle "Second Restricted Collection"
45+
:ShortName "SECOND RESTRICTED COLLECTION"
46+
:DataCenters [(data-umm-spec/data-center
47+
{:Roles ["ARCHIVER"]
48+
:ShortName "RESTRICTED-ORG2"})]})
49+
{:format :umm-json
50+
:validate-keywords false})
51+
52+
;; Create another restricted collection with different data center
53+
_ (d/ingest-umm-spec-collection
54+
"PROV1"
55+
(data-umm-spec/collection
56+
{:EntryTitle "Third Restricted Collection"
57+
:ShortName "THIRD RESTRICTED COLLECTION"
58+
:DataCenters [(data-umm-spec/data-center
59+
{:Roles ["ARCHIVER"]
60+
:ShortName "RESTRICTED-ORG3"})]})
61+
{:format :umm-json
62+
:validate-keywords false})
63+
64+
;; Create public collection with different data center
65+
_ (d/ingest-umm-spec-collection
66+
"PROV1"
67+
(data-umm-spec/collection
68+
{:EntryTitle "Public Collection"
69+
:ShortName "PUBLIC"
70+
:DataCenters [(data-umm-spec/data-center
71+
{:Roles ["ARCHIVER"]
72+
:ShortName "PUBLIC-ORG"})]})
73+
{:format :umm-json
74+
:validate-keywords false})
75+
76+
;; Grant explicit permission to only the authorized group for restricted collections
77+
_ (e/grant-group (s/context)
78+
authorized-group-id
79+
(e/coll-catalog-item-id "PROV1" (e/coll-id ["Restricted Collection"])))
80+
81+
_ (e/grant-group (s/context)
82+
authorized-group-id
83+
(e/coll-catalog-item-id "PROV1" (e/coll-id ["Second Restricted Collection"])))
84+
85+
_ (e/grant-group (s/context)
86+
authorized-group-id
87+
(e/coll-catalog-item-id "PROV1" (e/coll-id ["Third Restricted Collection"])))
88+
89+
;; Grant guest permission to the public collection
90+
_ (e/grant-guest (s/context)
91+
(e/coll-catalog-item-id "PROV1" (e/coll-id ["Public Collection"])))
92+
93+
;; Grant registered users permission to the public collection
94+
_ (e/grant-registered-users
95+
(s/context)
96+
(e/coll-catalog-item-id "PROV1" (e/coll-id ["Public Collection"])))
97+
98+
;; Create tokens for testing different access scenarios
99+
authorized-token (e/login (s/context) "authorized-user" [authorized-group-id])]
100+
101+
;; Delete second restricted collection collection, testing CMR-10362 solution
102+
(ingest/delete-concept (d/item->concept second-restricted-collection :echo10))
103+
104+
;; Index the collections and suggestions
105+
(index/wait-until-indexed)
106+
(ingest/reindex-collection-permitted-groups transmit-config/mock-echo-system-token)
107+
(index/wait-until-indexed)
108+
(index/reindex-suggestions)
109+
(index/wait-until-indexed)
110+
(search/clear-caches)
111+
112+
(testing "Guest user should not see suggestions for restricted collection but should see for public collection"
113+
(let [guest-results (extract-autocomplete-entries
114+
(search/get-autocomplete-json "q=ORG"))]
115+
;; Should contain only the public organization
116+
(is (= #{"PUBLIC-ORG"}
117+
(->> guest-results
118+
(map :value)
119+
set)))))
120+
121+
(testing "Authorized user should see suggestions for all collections"
122+
(let [authorized-results (extract-autocomplete-entries
123+
(search/get-autocomplete-json "q=ORG"
124+
{:headers {:authorization authorized-token}}))]
125+
;; Should find all organizations in the results except the deleted collection's organization
126+
(is (= #{"RESTRICTED-ORG" "PUBLIC-ORG" "RESTRICTED-ORG3"}
127+
(->> authorized-results
128+
(map :value)
129+
set)))))
130+
131+
;; Ungrant the authorized group
132+
(e/ungrant-by-search (s/context) {:identity-type "catalog_item"})
133+
134+
;; Re-index the collections and suggestions
135+
(index/wait-until-indexed)
136+
(ingest/reindex-collection-permitted-groups transmit-config/mock-echo-system-token)
137+
(index/wait-until-indexed)
138+
(index/reindex-suggestions)
139+
(index/wait-until-indexed)
140+
(search/clear-caches)
141+
142+
(let [unauthorized-token (e/login (s/context) "authorized-user" [authorized-group-id])]
143+
(testing "After revoking all permissions, user should not see suggestions for restricted collections"
144+
(let [unauthorized-results (extract-autocomplete-entries
145+
(search/get-autocomplete-json
146+
"q=RESTRICTED-ORG"
147+
{:headers {:authorization unauthorized-token}}))]
148+
(is (empty? unauthorized-results))))
149+
150+
(let [unauthorized-results (extract-autocomplete-entries
151+
(search/get-autocomplete-json
152+
"q=PUBLIC-ORG"
153+
{:headers {:authorization unauthorized-token}}))]
154+
(is (empty? unauthorized-results)))
155+
156+
;; Now grant guest permission to the restricted collection
157+
(e/grant-guest (s/context)
158+
(e/coll-catalog-item-id "PROV1" (e/coll-id ["Restricted Collection"])))
159+
160+
;; Re-index and clear caches
161+
(index/wait-until-indexed)
162+
(ingest/reindex-collection-permitted-groups transmit-config/mock-echo-system-token)
163+
(index/wait-until-indexed)
164+
(index/reindex-suggestions)
165+
(index/wait-until-indexed)
166+
(search/clear-caches)
167+
168+
(testing "After granting guest permission, users should see suggestions for previously restricted collection"
169+
(let [guest-results (extract-autocomplete-entries
170+
(search/get-autocomplete-json "q=RESTRICTED-ORG"))
171+
unauthorized-results (extract-autocomplete-entries
172+
(search/get-autocomplete-json
173+
"q=RESTRICTED-ORG"
174+
{:headers {:authorization unauthorized-token}}))]
175+
176+
;; Should now contain the previously restricted organization for guest users, but not the other restricted organizations
177+
;; nor the public organization that had its permissions revoked
178+
(is (= #{"RESTRICTED-ORG"}
179+
(->> guest-results
180+
(map :value)
181+
set)))
182+
183+
;; Because :contains-public-collections is true, unauthorized users should still see the restricted organization
184+
;; that is now public, the other restricted organizations and the public organization should not be visible
185+
(is (= #{"RESTRICTED-ORG"}
186+
(->> unauthorized-results
187+
(map :value)
188+
set)))))))))
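Review bot: Nothing in this test queries autocomplete as a logged-in user who is outside `authorized-group`, so the `e/grant-registered-users` setup is never asserted and a regression that exposed restricted data-center names to any authenticated user would still pass; the gap sits between the guest block and the "Authorized user" block. A block like the one below would pin that case, assuming `e/login` accepts an empty group list. Separately, the post-revocation checks mint a fresh token (`unauthorized-token`) rather than reusing `authorized-token`, so revocation is verified only for a new login and not for a token issued before the ungrant. The `q=PUBLIC-ORG` `let` that follows the first revocation assertion also sits outside its `testing` form, so a failure there is reported without the revocation description.

```clojure
;; … unchanged: guest-user testing block …
(testing "Registered user outside the authorized group should only see public suggestions"
  (let [outsider-token (e/login (s/context) "outsider-user" [])
        outsider-results (extract-autocomplete-entries
                          (search/get-autocomplete-json
                           "q=ORG"
                           {:headers {:authorization outsider-token}}))]
    (is (= #{"PUBLIC-ORG"}
           (->> outsider-results
                (map :value)
                set)))))
;; … unchanged: authorized-user testing block and revocation steps …
```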
