From 05a83b1ff27de2908731915e6b3d2761aa34d3da Mon Sep 17 00:00:00 2001
From: Benoit Orihuela
Date: Mon, 22 Apr 2024 11:23:44 +0200
Subject: [PATCH] fix(authz): incorrect handling of multi-types in get subject access rights (#1140)
---
 .../EntityAccessRightsService.kt | 4 +--
 .../EntityAccessRightsServiceTests.kt | 30 +++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/search-service/src/main/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsService.kt b/search-service/src/main/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsService.kt
index c52f4dca8..4515c6873 100644
--- a/search-service/src/main/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsService.kt
+++ b/search-service/src/main/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsService.kt
@@ -176,7 +176,7 @@ class EntityAccessRightsService(
 LEFT JOIN entity_payload ep ON ear.entity_id = ep.entity_id
 WHERE ${if (isStellioAdmin) "1 = 1" else "subject_id IN (:subject_uuids)" }
 ${if (accessRights.isNotEmpty()) " AND access_right IN (:access_rights)" else ""}
- ${if (!type.isNullOrEmpty()) " AND ${buildTypeQuery(type)}" else ""}
+ ${if (!type.isNullOrEmpty()) " AND (${buildTypeQuery(type)})" else ""}
 ${if (!ids.isNullOrEmpty()) " AND ear.entity_id IN (:entities_ids)" else ""}
 ORDER BY entity_id
 LIMIT :limit
@@ -232,7 +232,7 @@ class EntityAccessRightsService(
 LEFT JOIN entity_payload ep ON ear.entity_id = ep.entity_id
 WHERE ${if (isStellioAdmin) "1 = 1" else "subject_id IN (:subject_uuids)" }
 ${if (accessRights.isNotEmpty()) " AND access_right IN (:access_rights)" else ""}
- ${if (!type.isNullOrEmpty()) " AND ${buildTypeQuery(type)}" else ""}
+ ${if (!type.isNullOrEmpty()) " AND (${buildTypeQuery(type)})" else ""}
 ${if (!ids.isNullOrEmpty()) " AND ear.entity_id IN (:entities_ids)" else ""}
 """.trimIndent()
 )
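Review bot: The parentheses added around `buildTypeQuery(type)` in both hunks (lines 176 and 232) are the entire fix, but nothing at either call site says why they matter, so a later tidy-up could drop them again; add a comment above the line such as `// keep the parentheses: buildTypeQuery ORs several types together, and an unbracketed OR would escape the subject_id / access_right filters above`. If buildTypeQuery indeed joins a comma-separated type list with OR (the commit title and the new test suggest it does), the old query returned rows of the second type regardless of subject or access right, which is an authorization leak worth naming in the commit description too. buildTypeQuery's output is interpolated into the SQL text rather than bound as a parameter; since it is defined outside the hunk, this review cannot confirm that it validates or quotes the type names, and that deserves a look. The enclosing functions start and end outside both hunks.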
diff --git a/search-service/src/test/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsServiceTests.kt b/search-service/src/test/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsServiceTests.kt
index 6f88e1847..8b545b308 100644
--- a/search-service/src/test/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsServiceTests.kt
+++ b/search-service/src/test/kotlin/com/egm/stellio/search/authorization/EntityAccessRightsServiceTests.kt
@@ -435,6 +435,36 @@ class EntityAccessRightsServiceTests : WithTimescaleContainer {
 }
 }
 
+ @Test
+ fun `it should get all entities an user has access to wrt access rights and types`() = runTest {
+ val entityId03 = "urn:ngsi-ld:Entity:03".toUri()
+
+ createEntityPayload(entityId01, setOf(BEEHIVE_TYPE), AUTH_READ)
+ createEntityPayload(entityId02, setOf(BEEHIVE_TYPE))
+ createEntityPayload(entityId03, setOf(APIARY_TYPE))
+ entityAccessRightsService.setRoleOnEntity(subjectUuid, entityId01, AccessRight.R_CAN_READ).shouldSucceed()
+ entityAccessRightsService.setRoleOnEntity(subjectUuid, entityId02, AccessRight.R_CAN_WRITE).shouldSucceed()
+ entityAccessRightsService.setRoleOnEntity(subjectUuid, entityId03, AccessRight.R_CAN_READ).shouldSucceed()
+
+ entityAccessRightsService.getSubjectAccessRights(
+ Some(subjectUuid),
+ listOf(AccessRight.R_CAN_WRITE),
+ "$BEEHIVE_TYPE,$APIARY_TYPE",
+ paginationQuery = PaginationQuery(limit = 100, offset = 0)
+ ).shouldSucceedWith {
+ assertEquals(1, it.size)
+ val entityAccessControl = it[0]
+ assertEquals(entityId02, entityAccessControl.id)
+ }
+
+ entityAccessRightsService.getSubjectAccessRightsCount(
+ Some(subjectUuid),
+ listOf(AccessRight.R_CAN_WRITE)
+ ).shouldSucceedWith {
+ assertEquals(1, it)
+ }
+ }
+
 @Test
 fun `it should return only one entity with higher right if user has access through different paths`() = runTest {
 createEntityPayload(entityId01, setOf(BEEHIVE_TYPE))
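Review bot: The new test exercises the multi-type filter only through `getSubjectAccessRights`; the `getSubjectAccessRightsCount` call passes `Some(subjectUuid)` and `listOf(AccessRight.R_CAN_WRITE)` with no type argument, so the second parenthesisation fix in EntityAccessRightsService.kt (the count query) is not covered and the test would still pass if that line were reverted. Pass the same `"$BEEHIVE_TYPE,$APIARY_TYPE"` filter to the count call and keep the `assertEquals(1, it)` expectation, so both queries are checked under the case that caused the bug. The count function's parameter list is not visible in this hunk, so confirm it takes the type string in the same position as getSubjectAccessRights before applying this.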