From bc586eb01c8ca10d384bcccdd4b9edeb660c6a7c Mon Sep 17 00:00:00 2001 From: Matti Eiden Date: Thu, 14 Mar 2024 12:13:25 +0200 Subject: [PATCH] feat: prevent GDPR features with insufficient loa Originally profile would restrict verified information with insufficient loa. This is seemingly fine, but there is a risk of GDPR implementing service not checking loa and leaking sensitive information for an account that may contain information that should not be accessed with low loa. Therefore it was decided, that accounts which have verified personal information (ie. suomi.fi linked) may not use GDPR features unless they have at least substantial loa. Ref. HP-2269 --- profiles/schema.py | 19 ++++++++++++- .../test_gql_delete_my_profile_mutation.py | 27 ++++++++++++++++++- .../test_gql_download_my_profile_query.py | 19 +++++++------ profiles/tests/test_audit_log_to_db.py | 4 ++- profiles/tests/test_audit_log_to_logger.py | 4 ++- profiles/utils.py | 12 +++++++++ 6 files changed, 73 insertions(+), 12 deletions(-) diff --git a/profiles/schema.py b/profiles/schema.py index 1aa73c8c..dbe91826 100644 --- a/profiles/schema.py +++ b/profiles/schema.py @@ -70,7 +70,10 @@ VerifiedPersonalInformationPermanentForeignAddress, VerifiedPersonalInformationTemporaryAddress, ) -from .utils import requester_can_view_verified_personal_information +from .utils import ( + requester_can_view_verified_personal_information, + requester_has_sufficient_loa_to_perform_gdpr_request, +) User = get_user_model() @@ -1490,6 +1493,10 @@ def mutate_and_get_payload(cls, root, info, **input): _("You do not have permission to perform this action.") ) + if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context): + raise PermissionDenied( + _("You do not have permission to perform this action.") + ) dry_run = input.get("dry_run", False) results = delete_connected_service_data( @@ -1554,6 +1561,11 @@ def mutate(parent, info, input): _("You do not have permission to perform this action.") ) + if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context): + raise PermissionDenied( + _("You do not have permission to perform this action.") + ) + service_connections = profile.effective_service_connections_qs().filter( service__name=input["service_name"] ) @@ -1734,6 +1746,11 @@ def resolve_download_my_profile(self, info, **kwargs): _("You do not have permission to perform this action.") ) + if not requester_has_sufficient_loa_to_perform_gdpr_request(info.context): + raise PermissionDenied( + _("You do not have permission to perform this action.") + ) + external_data = download_connected_service_data( profile, kwargs["authorization_code"], diff --git a/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py b/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py index cf10dbba..ea693f60 100644 --- a/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py +++ b/profiles/tests/gdpr/test_gql_delete_my_profile_mutation.py @@ -11,7 +11,11 @@ from open_city_profile.oidc import TunnistamoTokenExchange from open_city_profile.tests.asserts import assert_match_error_code from profiles.models import Profile -from profiles.tests.factories import ProfileFactory, ProfileWithPrimaryEmailFactory +from profiles.tests.factories import ( + ProfileFactory, + ProfileWithPrimaryEmailFactory, + VerifiedPersonalInformationFactory, +) from services.models import ServiceConnection from services.tests.factories import ServiceConnectionFactory from users.models import User @@ -546,3 +550,24 @@ def test_api_tokens_missing(user_gql_client, service_1, mocker): executed = user_gql_client.execute(DELETE_MY_PROFILE_MUTATION) assert_match_error_code(executed, MISSING_GDPR_API_TOKEN_ERROR) + + +@pytest.mark.parametrize( + "loa,errors", + [ + ("low", True), + ("substantial", False), + ("high", False), + ], +) +def test_delete_with_verified_personal_information( + user_gql_client, gdpr_api_tokens, loa, errors +): + """Deletion is allowed when GDPR URL is set, and service returns a successful status.""" + profile = ProfileFactory(user=user_gql_client.user) + VerifiedPersonalInformationFactory(profile=profile) + + executed = user_gql_client.execute( + DELETE_MY_PROFILE_MUTATION, auth_token_payload={"loa": loa} + ) + assert bool(executed.get("errors")) == errors diff --git a/profiles/tests/gdpr/test_gql_download_my_profile_query.py b/profiles/tests/gdpr/test_gql_download_my_profile_query.py index f527c8a5..4616e3a5 100644 --- a/profiles/tests/gdpr/test_gql_download_my_profile_query.py +++ b/profiles/tests/gdpr/test_gql_download_my_profile_query.py @@ -128,6 +128,7 @@ def download_verified_personal_information_with_loa(loa, user_gql_client, servic ) full_dump = json.loads(executed["data"]["downloadMyProfile"]) + profile_dump = next( child for child in full_dump["children"] if child["key"] == "PROFILE" ) @@ -154,16 +155,18 @@ def test_verified_personal_information_is_included_in_the_downloaded_profile_whe @pytest.mark.parametrize("loa", [None, "foo", "low"]) def test_verified_personal_information_is_replaced_with_an_error_when_loa_is_not_high_enough( - loa, user_gql_client, profile_service + loa, user_gql_client, profile_service, service ): - vpi_dump = download_verified_personal_information_with_loa( - loa, user_gql_client, profile_service - ) - - assert vpi_dump == { - "key": "VERIFIEDPERSONALINFORMATION", - "error": _("No permission to read verified personal information."), + VerifiedPersonalInformationFactory(profile__user=user_gql_client.user) + token_payload = { + "loa": loa, } + executed = user_gql_client.execute( + DOWNLOAD_MY_PROFILE_MUTATION, service=service, auth_token_payload=token_payload + ) + assert executed["data"]["downloadMyProfile"] is None + assert len(executed["errors"]) == 1 + assert executed["errors"][0]["extensions"]["code"] == "PERMISSION_DENIED_ERROR" def test_downloading_non_existent_profile_doesnt_return_errors(user_gql_client): diff --git a/profiles/tests/test_audit_log_to_db.py b/profiles/tests/test_audit_log_to_db.py index f8779820..19d467f1 100644 --- a/profiles/tests/test_audit_log_to_db.py +++ b/profiles/tests/test_audit_log_to_db.py @@ -414,7 +414,9 @@ def test_audit_log_delete(live_server, profile_with_related): } } """ - do_graphql_call_as_user(live_server, user, query=query) + do_graphql_call_as_user( + live_server, user, query=query, extra_claims={"loa": "substantial"} + ) log_entries = list(LogEntry.objects.all()) # Audit logging the Profile DELETE with a related object causes some READs diff --git a/profiles/tests/test_audit_log_to_logger.py b/profiles/tests/test_audit_log_to_logger.py index 1e1610d6..794ba02b 100644 --- a/profiles/tests/test_audit_log_to_logger.py +++ b/profiles/tests/test_audit_log_to_logger.py @@ -442,7 +442,9 @@ def test_audit_log_delete(live_server, profile_with_related, cap_audit_log): } } """ - do_graphql_call_as_user(live_server, user, query=query) + do_graphql_call_as_user( + live_server, user, query=query, extra_claims={"loa": "substantial"} + ) audit_logs = cap_audit_log.get_logs() # Audit logging the Profile DELETE with a related object causes some READs diff --git a/profiles/utils.py b/profiles/utils.py index 8f06eece..cad1192c 100644 --- a/profiles/utils.py +++ b/profiles/utils.py @@ -29,3 +29,15 @@ def requester_can_view_verified_personal_information(request): or request.user_auth.data.get("amr") in settings.VERIFIED_PERSONAL_INFORMATION_ACCESS_AMR_LIST ) + + +def requester_has_sufficient_loa_to_perform_gdpr_request(request): + user = request.user + profile = user.profile + if not profile: + return False + loa = request.user_auth.data.get("loa") + return not hasattr(profile, "verified_personal_information") or loa in [ + "substantial", + "high", + ]