Add recursive permission check (#137)

Meklo · web-flow · commit f47e37c8aef9 · 2025-04-04T10:48:19.000+02:00
Signed-off-by: Hugo Marcellin &lt;hugo.marcelin@rte-france.com&gt;
diff --git a/src/main/java/org/gridsuite/explore/server/ExploreController.java b/src/main/java/org/gridsuite/explore/server/ExploreController.java
@@ -236,7 +236,7 @@ public ResponseEntity<Void> replaceFilterWithScript(@PathVariable("id") UUID id,
         @ApiResponse(responseCode = "404", description = "Directory/element was not found"),
         @ApiResponse(responseCode = "403", description = "Access forbidden for the directory/element")
     })
-    @PreAuthorize("@authorizationService.isAuthorized(#userId, #elementUuid, null, T(org.gridsuite.explore.server.dto.PermissionType).WRITE)")
+    @PreAuthorize("@authorizationService.isRecursivelyAuthorized(#userId, #elementUuid, null)")
     public ResponseEntity<Void> deleteElement(@PathVariable("elementUuid") UUID elementUuid,
                                               @RequestHeader(QUERY_PARAM_USER_ID) String userId) {
         exploreService.deleteElement(elementUuid, userId);
@@ -537,8 +537,7 @@ public ResponseEntity<Void> updateElement(
         @ApiResponse(responseCode = "404", description = "The elements or the targeted directory was not found"),
         @ApiResponse(responseCode = "403", description = "Not authorized execute this update")
     })
-    @PreAuthorize(
-            "@authorizationService.isAuthorized(#userId, #elementsUuids, #targetDirectoryUuid, T(org.gridsuite.explore.server.dto.PermissionType).WRITE)")
+    @PreAuthorize("@authorizationService.isRecursivelyAuthorized(#userId, #elementsUuids, #targetDirectoryUuid)")
     public ResponseEntity<Void> moveElementsDirectory(
             @RequestParam UUID targetDirectoryUuid,
             @RequestBody List<UUID> elementsUuids,
@@ -654,13 +653,14 @@ public ResponseEntity<String> searchElements(
         @ApiResponse(responseCode = "200", description = "The user has the right on the directory"),
         @ApiResponse(responseCode = "204", description = "The user has not the right on the directory"),
     })
-    public ResponseEntity<Void> hasRight(@PathVariable("directoryUuid") UUID directoryUuid,
+    public ResponseEntity<String> hasRight(@PathVariable("directoryUuid") UUID directoryUuid,
                                          @RequestParam(name = "permission") PermissionType permission,
                                          @RequestHeader(QUERY_PARAM_USER_ID) String userId) {
-        if (directoryService.hasPermission(List.of(directoryUuid), null, userId, permission)) {
+        PermissionResponse permissionResponse = directoryService.checkPermission(List.of(directoryUuid), null, userId, permission);
+        if (permissionResponse.hasPermission()) {
             return ResponseEntity.ok().build();
         } else {
-            return ResponseEntity.noContent().build();
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).body(permissionResponse.permissionCheckResult());
         }
     }
 
diff --git a/src/main/java/org/gridsuite/explore/server/RestResponseEntityExceptionHandler.java b/src/main/java/org/gridsuite/explore/server/RestResponseEntityExceptionHandler.java
@@ -35,7 +35,7 @@ protected ResponseEntity<Object> handleExploreException(ExploreException excepti
             case NOT_FOUND:
                 return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
             case NOT_ALLOWED:
-                return ResponseEntity.status(HttpStatus.FORBIDDEN).body(NOT_ALLOWED);
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).body(exception.getMessage());
             case REMOTE_ERROR:
                 return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(exception.getMessage());
             case INCORRECT_CASE_FILE:
diff --git a/src/main/java/org/gridsuite/explore/server/dto/PermissionResponse.java b/src/main/java/org/gridsuite/explore/server/dto/PermissionResponse.java
@@ -0,0 +1,12 @@
+/**
+ * Copyright (c) 2025, RTE (http://www.rte-france.com)
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+package org.gridsuite.explore.server.dto;
+
+/**
+ * @author Hugo Marcellin <hugo.marcelin at rte-france.com>
+ */
+public record PermissionResponse(boolean hasPermission, String permissionCheckResult) { }
diff --git a/src/main/java/org/gridsuite/explore/server/services/AuthorizationService.java b/src/main/java/org/gridsuite/explore/server/services/AuthorizationService.java
@@ -7,6 +7,7 @@
 package org.gridsuite.explore.server.services;
 
 import org.gridsuite.explore.server.ExploreException;
+import org.gridsuite.explore.server.dto.PermissionResponse;
 import org.gridsuite.explore.server.dto.PermissionType;
 import org.springframework.stereotype.Service;
 
@@ -28,17 +29,30 @@ public AuthorizationService(DirectoryService directoryService) {
 
     //This method should only be called inside of @PreAuthorize to centralize permission checks
     public boolean isAuthorized(String userId, List<UUID> elementUuids, UUID targetDirectoryUuid, PermissionType permissionType) {
-        if (!directoryService.hasPermission(elementUuids, targetDirectoryUuid, userId, permissionType)) {
-            throw new ExploreException(ExploreException.Type.NOT_ALLOWED);
+        PermissionResponse permissionResponse = directoryService.checkPermission(elementUuids, targetDirectoryUuid, userId, permissionType);
+        if (!permissionResponse.hasPermission()) {
+            throw new ExploreException(ExploreException.Type.NOT_ALLOWED, permissionResponse.permissionCheckResult());
         }
         return true;
     }
 
     //This method should only be called inside of @PreAuthorize to centralize permission checks
     public boolean isAuthorizedForDuplication(String userId, UUID elementToDuplicate, UUID targetDirectoryUuid) {
-        if (!directoryService.hasPermission(List.of(elementToDuplicate), null, userId, PermissionType.READ) ||
-                !directoryService.hasPermission(List.of(targetDirectoryUuid != null ? targetDirectoryUuid : elementToDuplicate), null, userId, PermissionType.WRITE)) {
-            throw new ExploreException(ExploreException.Type.NOT_ALLOWED);
+        PermissionResponse readCheck = directoryService.checkPermission(List.of(elementToDuplicate), null, userId, PermissionType.READ);
+        if (!readCheck.hasPermission()) {
+            throw new ExploreException(ExploreException.Type.NOT_ALLOWED, readCheck.permissionCheckResult());
+        }
+        PermissionResponse writeCheck = directoryService.checkPermission(List.of(targetDirectoryUuid != null ? targetDirectoryUuid : elementToDuplicate), null, userId, PermissionType.WRITE);
+        if (!writeCheck.hasPermission()) {
+            throw new ExploreException(ExploreException.Type.NOT_ALLOWED, writeCheck.permissionCheckResult());
+        }
+        return true;
+    }
+
+    public boolean isRecursivelyAuthorized(String userId, List<UUID> elementUuids, UUID targetDirectoryUuid) {
+        PermissionResponse permissionResponse = directoryService.checkPermission(elementUuids, targetDirectoryUuid, userId, PermissionType.WRITE, true);
+        if (!permissionResponse.hasPermission()) {
+            throw new ExploreException(ExploreException.Type.NOT_ALLOWED, permissionResponse.permissionCheckResult());
         }
         return true;
     }
diff --git a/src/main/java/org/gridsuite/explore/server/services/DirectoryService.java b/src/main/java/org/gridsuite/explore/server/services/DirectoryService.java
@@ -8,6 +8,7 @@
 
 import org.gridsuite.explore.server.ExploreException;
 import org.gridsuite.explore.server.dto.ElementAttributes;
+import org.gridsuite.explore.server.dto.PermissionResponse;
 import org.gridsuite.explore.server.dto.PermissionDTO;
 import org.gridsuite.explore.server.dto.PermissionType;
 import org.gridsuite.explore.server.utils.ParametersType;
@@ -52,10 +53,13 @@ public class DirectoryService implements IDirectoryElementsService {
     private static final String PARAM_ELEMENT_TYPES = "elementTypes";
     private static final String PARAM_RECURSIVE = "recursive";
     private static final String PARAM_DIRECTORY_NAME = "directoryName";
+    private static final String PARAM_RECURSIVE_CHECK = "recursiveCheck";
     private static final String PARAM_TYPE = "type";
     private static final String PARAM_DIRECTORY_UUID = "directoryUuid";
     private static final String PARAM_USER_INPUT = "userInput";
 
+    private static final String HEADER_PERMISION_ERROR = "X-Permission-Error";
+
     private final Map<String, IDirectoryElementsService> genericServices;
     private final RestTemplate restTemplate;
     private String directoryServerBaseUri;
@@ -394,8 +398,12 @@ public void moveElementsDirectory(List<UUID> elementsUuids, UUID targetDirectory
         restTemplate.exchange(directoryServerBaseUri + path, HttpMethod.PUT, httpEntity, Void.class);
     }
 
+    public PermissionResponse checkPermission(List<UUID> elementUuids, UUID targetDirectoryUuid, String userId, PermissionType permissionType) {
+        return checkPermission(elementUuids, targetDirectoryUuid, userId, permissionType, false);
+    }
+
     //This method should only be called inside of AuthorizationService to centralize permission checks
-    public boolean hasPermission(List<UUID> elementUuids, UUID targetDirectoryUuid, String userId, PermissionType permissionType) {
+    public PermissionResponse checkPermission(List<UUID> elementUuids, UUID targetDirectoryUuid, String userId, PermissionType permissionType, boolean recursiveCheck) {
         String ids = elementUuids.stream().map(UUID::toString).collect(Collectors.joining(","));
         HttpHeaders headers = new HttpHeaders();
         headers.add(HEADER_USER_ID, userId);
@@ -404,16 +412,25 @@ public boolean hasPermission(List<UUID> elementUuids, UUID targetDirectoryUuid,
                 .queryParam(PARAM_ACCESS_TYPE, permissionType)
                 .queryParam(PARAM_IDS, ids)
                 .queryParam(PARAM_TARGET_DIRECTORY_UUID, targetDirectoryUuid)
+                .queryParam(PARAM_RECURSIVE_CHECK, recursiveCheck)
                 .buildAndExpand()
                 .toUriString();
 
-        ResponseEntity<Void> response = null;
         try {
-            response = restTemplate.exchange(directoryServerBaseUri + path, HttpMethod.HEAD, new HttpEntity<>(headers), Void.class);
+            restTemplate.exchange(directoryServerBaseUri + path, HttpMethod.HEAD, new HttpEntity<>(headers), Void.class);
         } catch (HttpStatusCodeException e) {
-            handleException(e);
+            if (!HttpStatus.FORBIDDEN.equals(e.getStatusCode())) {
+                handleException(e);
+            }
+
+            String permissionCheckResult = null;
+            HttpHeaders responseHeader = e.getResponseHeaders();
+            if (responseHeader != null && responseHeader.getFirst(HEADER_PERMISION_ERROR) != null) {
+                permissionCheckResult = responseHeader.getFirst(HEADER_PERMISION_ERROR);
+            }
+            return new PermissionResponse(false, permissionCheckResult);
         }
-        return !HttpStatus.NO_CONTENT.equals(response.getStatusCode());
+        return new PermissionResponse(true, null);
     }
 
     public List<PermissionDTO> getDirectoryPermissions(UUID directoryUuid, String userId) {
@@ -453,9 +470,7 @@ public void setDirectoryPermissions(UUID directoryUuid, List<PermissionDTO> perm
     }
 
     private void handleException(HttpStatusCodeException e) {
-        if (HttpStatus.FORBIDDEN.equals(e.getStatusCode())) {
-            throw new ExploreException(NOT_ALLOWED);
-        } else if (HttpStatus.NOT_FOUND.equals(e.getStatusCode())) {
+        if (HttpStatus.NOT_FOUND.equals(e.getStatusCode())) {
             throw new ExploreException(NOT_FOUND);
         } else {
             throw e;
diff --git a/src/test/java/org/gridsuite/explore/server/ExploreTest.java b/src/test/java/org/gridsuite/explore/server/ExploreTest.java
@@ -134,6 +134,7 @@ class ExploreTest {
     private static final UUID SCRIPT_ID_BASE_FORM_CONTINGENCY_LIST_UUID = UUID.randomUUID();
     private static final UUID ELEMENT_UUID = UUID.randomUUID();
     private static final UUID FORBIDDEN_ELEMENT_UUID = UUID.randomUUID();
+    private static final UUID DIRECTORY_NOT_OWNED_SUBELEMENT_UUID = UUID.randomUUID();
 
     @Autowired
     private MockMvc mockMvc;
@@ -433,29 +434,31 @@ public MockResponse dispatch(RecordedRequest request) {
                     }
                     return new MockResponse(404);
                 } else if ("HEAD".equals(request.getMethod())) {
-                    if (path.matches("/v1/elements\\?accessType=.*&ids=" + PARENT_DIRECTORY_UUID + "&targetDirectoryUuid")) {
+                    if (path.matches("/v1/elements\\?accessType=.*&ids=" + PARENT_DIRECTORY_UUID + "&targetDirectoryUuid&recursiveCheck=.*")) {
                         return new MockResponse(200);
-                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=" + NO_CONTENT_DIRECTORY_UUID + "&targetDirectoryUuid")) {
-                        return new MockResponse(204);
-                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=" + FORBIDDEN_STUDY_UUID + "&targetDirectoryUuid")) {
+                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=" + NO_CONTENT_DIRECTORY_UUID + "&targetDirectoryUuid&recursiveCheck=.*")) {
                         return new MockResponse(403);
-                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=" + PARENT_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid")) {
+                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=" + FORBIDDEN_STUDY_UUID + "&targetDirectoryUuid&recursiveCheck=.*")) {
+                        return new MockResponse(403);
+                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=" + PARENT_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid&recursiveCheck=.*")) {
                         return new MockResponse(403);
                     } else if (path.matches("/v1/elements\\?forUpdate=true&ids=" + FORBIDDEN_ELEMENT_UUID) && USER_NOT_ALLOWED.equals(request.getHeaders().get("userId"))) {
                         return new MockResponse(403);
+                    } else if (path.matches("/v1/elements\\?accessType=WRITE&ids=" + DIRECTORY_NOT_OWNED_SUBELEMENT_UUID + "&targetDirectoryUuid.*&recursiveCheck=true")) {
+                        return new MockResponse(409);
                     } else if (path.matches("/v1/elements\\?forDeletion=true&ids=.*") || path.matches("/v1/elements\\?forUpdate=true&ids=.*")) {
                         return new MockResponse(200);
                     } else if (path.matches("/v1/directories/" + PARENT_DIRECTORY_UUID2 + "/elements/elementName/types/type")) {
                         return new MockResponse(200);
-                    } else if (path.matches("/v1/elements\\?accessType=READ&ids=" + TEST_ACCESS_DIRECTORY_UUID_ALLOWED + "&targetDirectoryUuid")) {
+                    } else if (path.matches("/v1/elements\\?accessType=READ&ids=" + TEST_ACCESS_DIRECTORY_UUID_ALLOWED + "&targetDirectoryUuid&recursiveCheck=.*")) {
                         return new MockResponse(200);
-                    } else if (path.matches("/v1/elements\\?accessType=READ&ids=" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid")) {
-                        return new MockResponse(204);
-                    } else if (path.matches("/v1/elements\\?accessType=WRITE&ids=" + TEST_ACCESS_DIRECTORY_UUID_ALLOWED + "&targetDirectoryUuid")) {
+                    } else if (path.matches("/v1/elements\\?accessType=READ&ids=" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid&recursiveCheck=.*")) {
+                        return new MockResponse(403);
+                    } else if (path.matches("/v1/elements\\?accessType=WRITE&ids=" + TEST_ACCESS_DIRECTORY_UUID_ALLOWED + "&targetDirectoryUuid&recursiveCheck=.*")) {
                         return new MockResponse(200);
-                    } else if (path.matches("/v1/elements\\?accessType=WRITE&ids=" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid")) {
-                        return new MockResponse(204);
-                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=.*&targetDirectoryUuid.*")) {
+                    } else if (path.matches("/v1/elements\\?accessType=WRITE&ids=" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid&recursiveCheck=.*")) {
+                        return new MockResponse(403);
+                    } else if (path.matches("/v1/elements\\?accessType=.*&ids=.*&targetDirectoryUuid.*&recursiveCheck=.*")) {
                         return new MockResponse(200);
                     }
                 }
@@ -660,6 +663,7 @@ void testDeleteElement() throws Exception {
         deleteElement(MODIFICATION_UUID);
         deleteElementsNotAllowed(List.of(FORBIDDEN_STUDY_UUID), PARENT_DIRECTORY_UUID_FORBIDDEN, 403);
         deleteElementNotAllowed(FORBIDDEN_STUDY_UUID, 403);
+        deleteElementNotAllowed(DIRECTORY_NOT_OWNED_SUBELEMENT_UUID, 409);
     }
 
     @Test
@@ -1242,6 +1246,18 @@ void testUpdateElementNotOk() throws Exception {
         ).andExpect(status().isForbidden());
     }
 
+    @Test
+    void testMoveDirectoryContainingNotOwnedSubelements() throws Exception {
+        ElementAttributes elementAttributes = new ElementAttributes();
+        elementAttributes.setElementName(STUDY1);
+        mockMvc.perform(put("/v1/explore/elements?targetDirectoryUuid={parentDirectoryUuid}",
+            PARENT_DIRECTORY_UUID)
+            .header("userId", USER1)
+            .contentType(MediaType.APPLICATION_JSON)
+            .content(mapper.writeValueAsString(List.of(DIRECTORY_NOT_OWNED_SUBELEMENT_UUID)))
+        ).andExpect(status().isConflict());
+    }
+
     @Test
     void testGetRootDirectories(final MockWebServer server) throws Exception {
         MvcResult result = mockMvc.perform(get("/v1/explore/directories/root-directories")
@@ -1358,15 +1374,15 @@ void testHasRights(final MockWebServer server) throws Exception {
         // test read access forbidden
         mockMvc.perform(head("/v1/explore/directories/" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "?permission=READ")
             .header("userId", NOT_ADMIN_USER)
-        ).andExpect(status().isNoContent());
+        ).andExpect(status().isForbidden());
 
         requests = TestUtils.getRequestsWithBodyDone(1, server);
         assertTrue(requests.stream().anyMatch(r -> r.getPath().contains("v1/elements?accessType=READ&ids=" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid")));
 
         // test write access forbidden
         mockMvc.perform(head("/v1/explore/directories/" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "?permission=WRITE")
             .header("userId", NOT_ADMIN_USER)
-        ).andExpect(status().isNoContent());
+        ).andExpect(status().isForbidden());
 
         requests = TestUtils.getRequestsWithBodyDone(1, server);
         assertTrue(requests.stream().anyMatch(r -> r.getPath().contains("v1/elements?accessType=WRITE&ids=" + TEST_ACCESS_DIRECTORY_UUID_FORBIDDEN + "&targetDirectoryUuid")));
diff --git a/src/test/java/org/gridsuite/explore/server/SingleLineDiagramTest.java b/src/test/java/org/gridsuite/explore/server/SingleLineDiagramTest.java
