Merge remote-tracking branch 'origin/main' into dependabot/npm_and_yarn/swagger-ui-express-5.0.1

Author: svcAPLBot

src/api/v1/users/{userId}.ts

@@ -6,9 +6,9 @@ const debug = Debug('otomi:api:v1:users')
 
 export default function (): OperationHandlerArray {
   const get: Operation = [
-    ({ otomi, params: { userId } }: OpenApiRequestExt, res): void => {
+    ({ otomi, user: sessionUser, params: { userId } }: OpenApiRequestExt, res): void => {
       debug(`getUser(${userId})`)
-      const data = otomi.getUser(decodeURIComponent(userId))
+      const data = otomi.getUser(decodeURIComponent(userId), sessionUser)
       res.json(data)
     },
   ]

src/error.ts

@@ -1,4 +1,3 @@
-/* eslint-disable max-classes-per-file */
 import { debug } from 'console'
 import { CustomError } from 'ts-custom-error'
 
@@ -13,6 +12,12 @@ export class OtomiError extends CustomError {
     this.publicMessage = msg
   }
 }
+export class ForbiddenError extends OtomiError {
+  public constructor(err?: string) {
+    super('Forbidden', err)
+    this.code = 403
+  }
+}
 export class NotExistError extends OtomiError {
   public constructor(err?: string) {
     super('Not Found', err)

src/otomi-stack.test.ts

@@ -259,6 +259,26 @@ describe('Users tests', () => {
 
   const domainSuffix = 'dev.linode-apl.net'
 
+  const platformAdminSession: SessionUser = {
+    name: 'Platform Admin',
+    email: `platform-admin@${domainSuffix}`,
+    isPlatformAdmin: true,
+    isTeamAdmin: false,
+    authz: {},
+    teams: [],
+    roles: [],
+    sub: 'platform-admin',
+  }
+  const teamAdminSession: SessionUser = {
+    name: 'Team Admin',
+    email: `team-admin@${domainSuffix}`,
+    isPlatformAdmin: false,
+    isTeamAdmin: true,
+    authz: {},
+    teams: ['team1'],
+    roles: [],
+    sub: 'team-admin',
+  }
   const sessionUser: SessionUser = {
     name: 'Session User',
     email: `session@${domainSuffix}`,
@@ -269,7 +289,6 @@ describe('Users tests', () => {
     roles: [],
     sub: 'session-user',
   }
-
   const defaultPlatformAdmin: User = {
     id: '1',
     email: `platform-admin@${domainSuffix}`,
@@ -342,14 +361,75 @@ describe('Users tests', () => {
   test('should not allow deleting the default platform admin user', async () => {
     await expect(otomiStack.deleteUser('1')).rejects.toMatchObject({
       code: 403,
-      publicMessage: 'Cannot delete the default platform admin user',
+      publicMessage: 'Forbidden',
     })
   })
 
   test('should allow deleting any other platform admin user', async () => {
     expect(await otomiStack.deleteUser('2')).toBeUndefined()
   })
 
+  describe('User Retrieve Validation', () => {
+    beforeEach(async () => {
+      otomiStack = new OtomiStack()
+      await otomiStack.init()
+      otomiStack.git = mockDeep<Git>()
+      await otomiStack.initRepo()
+      otomiStack.repoService.createUser(teamMember1)
+    })
+
+    it('should return full user for platform admin', () => {
+      const result = otomiStack.getUser(teamMember1.id!, platformAdminSession)
+      expect(result).toMatchObject(teamMember1)
+    })
+
+    it('should return limited user info for team admin', () => {
+      const result = otomiStack.getUser(teamMember1.id!, teamAdminSession)
+      expect(result).toEqual({
+        id: teamMember1.id,
+        email: teamMember1.email,
+        isPlatformAdmin: teamMember1.isPlatformAdmin,
+        isTeamAdmin: teamMember1.isTeamAdmin,
+        teams: teamMember1.teams,
+      })
+    })
+
+    it('should throw 403 for regular user', () => {
+      try {
+        otomiStack.getUser(teamMember1.id!, { ...sessionUser, isPlatformAdmin: false, isTeamAdmin: false })
+        fail('Expected error was not thrown')
+      } catch (err: any) {
+        expect(err).toHaveProperty('code', 403)
+      }
+    })
+
+    it('should return all users for platform admin in getAllUsers', () => {
+      const users = otomiStack.getAllUsers(platformAdminSession)
+      expect(users.some((u) => u.id === teamMember1.id)).toBe(true)
+    })
+
+    it('should return limited info for team admin in getAllUsers', () => {
+      const users = otomiStack.getAllUsers(teamAdminSession)
+      expect(users[0]).toHaveProperty('id')
+      expect(users[0]).toHaveProperty('email')
+      expect(users[0]).toHaveProperty('isPlatformAdmin')
+      expect(users[0]).toHaveProperty('isTeamAdmin')
+      expect(users[0]).toHaveProperty('teams')
+      // Should not have firstName/lastName
+      expect(users[0]).not.toHaveProperty('firstName')
+      expect(users[0]).not.toHaveProperty('lastName')
+    })
+
+    it('should throw 403 for regular user in getAllUsers', () => {
+      try {
+        otomiStack.getAllUsers({ ...sessionUser, isPlatformAdmin: false, isTeamAdmin: false })
+        fail('Expected error was not thrown')
+      } catch (err: any) {
+        expect(err).toHaveProperty('code', 403)
+      }
+    })
+  })
+
   describe('User Creation Validation', () => {
     describe('Username Length Validation', () => {
       it('should not create a user with less than 3 characters', async () => {
@@ -436,8 +516,6 @@ describe('Users tests', () => {
         await otomiStack.createUser(user)
         const updated = { ...user, firstName: 'edited' }
         jest.spyOn(otomiStack.repoService, 'updateUser').mockReturnValue(updated)
-        // Use a platform admin session user
-        const platformAdminSession = { ...sessionUser, isPlatformAdmin: true }
         const result = await otomiStack.editUser(user.id, updated, platformAdminSession)
         expect(result.firstName).toBe('edited')
       })
@@ -536,8 +614,7 @@ describe('Users tests', () => {
         const data = [{ ...teamMember2, teams: ['team3'] }]
         await expect(otomiStack.editTeamUsers(data, sessionUser)).rejects.toMatchObject({
           code: 403,
-          publicMessage:
-            'Team admins are permitted to add or remove users only within the teams they manage. However, they cannot remove themselves or other team admins from those teams.',
+          publicMessage: 'Forbidden',
         })
       })
 
@@ -569,7 +646,7 @@ describe('Users tests', () => {
         const data = [{ ...teamMember2, teams: ['team1'] }]
         await expect(otomiStack.editTeamUsers(data, regularUser)).rejects.toMatchObject({
           code: 403,
-          publicMessage: "Only platform admins or team admins can modify a user's team memberships.",
+          publicMessage: 'Forbidden',
         })
       })
     })

src/otomi-stack.ts

@@ -7,7 +7,7 @@ import { readdir, readFile, writeFile } from 'fs/promises'
 import { generate as generatePassword } from 'generate-password'
 import { cloneDeep, filter, isEmpty, map, mapValues, merge, omit, pick, set, unset } from 'lodash'
 import { getAppList, getAppSchema, getSpec } from 'src/app'
-import { AlreadyExists, HttpError, OtomiError, PublicUrlExists, ValidationError } from 'src/error'
+import { AlreadyExists, ForbiddenError, HttpError, OtomiError, PublicUrlExists, ValidationError } from 'src/error'
 import getRepo, { Git } from 'src/git'
 import { cleanSession, getSessionStack } from 'src/middleware'
 import {
@@ -1032,9 +1032,8 @@ export default class OtomiStack {
         return { id, email, isPlatformAdmin, isTeamAdmin, teams }
       })
       return usersWithBasicInfo as Array<User>
-    } else {
-      return []
     }
+    throw new ForbiddenError()
   }
 
   async createUser(data: User): Promise<User> {
@@ -1081,15 +1080,21 @@ export default class OtomiStack {
     }
   }
 
-  getUser(id: string): User {
-    return this.repoService.getUser(id)
+  getUser(id: string, sessionUser: SessionUser): User {
+    const user = this.repoService.getUser(id)
+    if (sessionUser.isPlatformAdmin) {
+      return user
+    }
+    if (sessionUser.isTeamAdmin) {
+      const { id: userId, email, isPlatformAdmin, isTeamAdmin, teams } = user
+      return { id: userId, email, isPlatformAdmin, isTeamAdmin, teams } as User
+    }
+    throw new ForbiddenError()
   }
 
   async editUser(id: string, data: User, sessionUser: SessionUser): Promise<User> {
     if (!sessionUser.isPlatformAdmin) {
-      const error = new OtomiError('Only platform admins can modify user details.')
-      error.code = 403
-      throw error
+      throw new ForbiddenError('Only platform admins can modify user details.')
     }
     const user = this.repoService.updateUser(id, data)
     await this.saveUser(user)
@@ -1106,10 +1111,7 @@ export default class OtomiStack {
   async deleteUser(id: string): Promise<void> {
     const user = this.repoService.getUser(id)
     if (user.email === env.DEFAULT_PLATFORM_ADMIN_EMAIL) {
-      const error = new OtomiError('Forbidden')
-      error.code = 403
-      error.publicMessage = 'Cannot delete the default platform admin user'
-      throw error
+      throw new ForbiddenError('Cannot delete the default platform admin user')
     }
     await this.deleteUserFile(user)
     await this.doRepoDeployment((repoService) => {
@@ -1150,21 +1152,17 @@ export default class OtomiStack {
     sessionUser: SessionUser,
   ): Promise<Pick<User, 'id' | 'teams'>[]> {
     if (!sessionUser.isPlatformAdmin && !sessionUser.isTeamAdmin) {
-      const error = new OtomiError("Only platform admins or team admins can modify a user's team memberships.")
-      error.code = 403
-      throw error
+      throw new ForbiddenError("Only platform admins or team admins can modify a user's team memberships.")
     }
     for (const user of data) {
       const existingUser = this.repoService.getUser(user.id!)
       if (
         !sessionUser.isPlatformAdmin &&
         !this.canTeamAdminUpdateUserTeams(sessionUser, existingUser, user.teams as string[])
       ) {
-        const error = new OtomiError(
+        throw new ForbiddenError(
           'Team admins are permitted to add or remove users only within the teams they manage. However, they cannot remove themselves or other team admins from those teams.',
         )
-        error.code = 403
-        throw error
       }
       const updateUser = this.repoService.updateUser(user.id!, { ...existingUser, teams: user.teams })
       await this.saveUser(updateUser)