Skip to content

Commit

Permalink
feat: prevent GDPR features with insufficient loa
Browse files Browse the repository at this point in the history
Originally profile would restrict verified information with
insufficient loa. This is seemingly fine, but there is a risk of GDPR
implementing service not checking loa and leaking sensitive information
for an account that may contain information that should not be accessed
with low loa.

Therefore it was decided, that accounts which have verified personal
information (ie. suomi.fi linked) may not use GDPR features unless they
have at least substantial loa.

Ref. HP-2269
  • Loading branch information
voneiden committed Mar 14, 2024
1 parent c4e795b commit bc586eb
Show file tree
Hide file tree
Showing 6 changed files with 73 additions and 12 deletions.
19 changes: 18 additions & 1 deletion profiles/schema.py
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,10 @@
VerifiedPersonalInformationPermanentForeignAddress,
VerifiedPersonalInformationTemporaryAddress,
)
from .utils import requester_can_view_verified_personal_information
from .utils import (
requester_can_view_verified_personal_information,
requester_has_sufficient_loa_to_perform_gdpr_request,
)

User = get_user_model()

Expand Down Expand Up @@ -1490,6 +1493,10 @@ def mutate_and_get_payload(cls, root, info, **input):
_("You do not have permission to perform this action.")
)

if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context):
raise PermissionDenied(
_("You do not have permission to perform this action.")
)
dry_run = input.get("dry_run", False)

results = delete_connected_service_data(
Expand Down Expand Up @@ -1554,6 +1561,11 @@ def mutate(parent, info, input):
_("You do not have permission to perform this action.")
)

if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context):
raise PermissionDenied(
_("You do not have permission to perform this action.")
)

service_connections = profile.effective_service_connections_qs().filter(
service__name=input["service_name"]
)
Expand Down Expand Up @@ -1734,6 +1746,11 @@ def resolve_download_my_profile(self, info, **kwargs):
_("You do not have permission to perform this action.")
)

if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context):
raise PermissionDenied(
_("You do not have permission to perform this action.")
)

external_data = download_connected_service_data(
profile,
kwargs["authorization_code"],
Expand Down
27 changes: 26 additions & 1 deletion profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,11 @@
from open_city_profile.oidc import TunnistamoTokenExchange
from open_city_profile.tests.asserts import assert_match_error_code
from profiles.models import Profile
from profiles.tests.factories import ProfileFactory, ProfileWithPrimaryEmailFactory
from profiles.tests.factories import (
ProfileFactory,
ProfileWithPrimaryEmailFactory,
VerifiedPersonalInformationFactory,
)
from services.models import ServiceConnection
from services.tests.factories import ServiceConnectionFactory
from users.models import User
Expand Down Expand Up @@ -546,3 +550,24 @@ def test_api_tokens_missing(user_gql_client, service_1, mocker):
executed = user_gql_client.execute(DELETE_MY_PROFILE_MUTATION)

assert_match_error_code(executed, MISSING_GDPR_API_TOKEN_ERROR)


@pytest.mark.parametrize(
"loa,errors",
[
("low", True),
("substantial", False),
("high", False),
],
)
def test_delete_with_verified_personal_information(
user_gql_client, gdpr_api_tokens, loa, errors
):
"""Deletion is allowed when GDPR URL is set, and service returns a successful status."""
profile = ProfileFactory(user=user_gql_client.user)
VerifiedPersonalInformationFactory(profile=profile)

executed = user_gql_client.execute(
DELETE_MY_PROFILE_MUTATION, auth_token_payload={"loa": loa}
)
assert bool(executed.get("errors")) == errors
19 changes: 11 additions & 8 deletions profiles/tests/gdpr/test_gql_download_my_profile_query.py
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ def download_verified_personal_information_with_loa(loa, user_gql_client, servic
)

full_dump = json.loads(executed["data"]["downloadMyProfile"])

profile_dump = next(
child for child in full_dump["children"] if child["key"] == "PROFILE"
)
Expand All @@ -154,16 +155,18 @@ def test_verified_personal_information_is_included_in_the_downloaded_profile_whe

@pytest.mark.parametrize("loa", [None, "foo", "low"])
def test_verified_personal_information_is_replaced_with_an_error_when_loa_is_not_high_enough(
loa, user_gql_client, profile_service
loa, user_gql_client, profile_service, service
):
vpi_dump = download_verified_personal_information_with_loa(
loa, user_gql_client, profile_service
)

assert vpi_dump == {
"key": "VERIFIEDPERSONALINFORMATION",
"error": _("No permission to read verified personal information."),
VerifiedPersonalInformationFactory(profile__user=user_gql_client.user)
token_payload = {
"loa": loa,
}
executed = user_gql_client.execute(
DOWNLOAD_MY_PROFILE_MUTATION, service=service, auth_token_payload=token_payload
)
assert executed["data"]["downloadMyProfile"] is None
assert len(executed["errors"]) == 1
assert executed["errors"][0]["extensions"]["code"] == "PERMISSION_DENIED_ERROR"


def test_downloading_non_existent_profile_doesnt_return_errors(user_gql_client):
Expand Down
4 changes: 3 additions & 1 deletion profiles/tests/test_audit_log_to_db.py
Original file line number Diff line number Diff line change
Expand Up @@ -414,7 +414,9 @@ def test_audit_log_delete(live_server, profile_with_related):
}
}
"""
do_graphql_call_as_user(live_server, user, query=query)
do_graphql_call_as_user(
live_server, user, query=query, extra_claims={"loa": "substantial"}
)

log_entries = list(LogEntry.objects.all())
# Audit logging the Profile DELETE with a related object causes some READs
Expand Down
4 changes: 3 additions & 1 deletion profiles/tests/test_audit_log_to_logger.py
Original file line number Diff line number Diff line change
Expand Up @@ -442,7 +442,9 @@ def test_audit_log_delete(live_server, profile_with_related, cap_audit_log):
}
}
"""
do_graphql_call_as_user(live_server, user, query=query)
do_graphql_call_as_user(
live_server, user, query=query, extra_claims={"loa": "substantial"}
)

audit_logs = cap_audit_log.get_logs()
# Audit logging the Profile DELETE with a related object causes some READs
Expand Down
12 changes: 12 additions & 0 deletions profiles/utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,3 +29,15 @@ def requester_can_view_verified_personal_information(request):
or request.user_auth.data.get("amr")
in settings.VERIFIED_PERSONAL_INFORMATION_ACCESS_AMR_LIST
)


def requester_has_sufficient_loa_to_perform_gdpr_request(request):
user = request.user
profile = user.profile
if not profile:
return False
loa = request.user_auth.data.get("loa")
return not hasattr(profile, "verified_personal_information") or loa in [
"substantial",
"high",
]

0 comments on commit bc586eb

Please sign in to comment.