add role verification for security visibility + tests in scenario service

Author: Leopold-Cramer

api/src/main/resources/GandiRSADomainValidationSecureServerCA3.pem

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGXDCCBESgAwIBAgIRAOkH5f+AdSJBCZB9ZyjKABAwDQYJKoZIhvcNAQEMBQAw
+gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
+ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
+VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIz
+MDgwMjAwMDAwMFoXDTMzMDgwMTIzNTk1OVowVjELMAkGA1UEBhMCRlIxDjAMBgNV
+BAoTBUdhbmRpMTcwNQYDVQQDEy5HYW5kaSBSU0EgRG9tYWluIFZhbGlkYXRpb24g
+U2VjdXJlIFNlcnZlciBDQSAzMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKC
+AYEAwrwuXKdKIiD9eu4fsNjLN0mS8HsTdDFyPPB5F5uUd6SJGutc7sqDd3T/p+gn
+VoAZERvzAz8+OEux1GN1UJ+Gd8s5btXJCbDV5DpvzJOhfztk5JmFKz2XBka+MvDA
+giyiZKs3G6yoMk8lEOu6NOsK3X8D1w0E6/C/ROa6Ml0ROnKm7vHGNVTfXTP5IqiN
+h2JXmp4vD23gemf8nfuI2FngayMNsjm6SwpVYWfT3S8jn5el52FKzwo+uKVZAjNH
+1ulgWoyO8p+PCsP+CvaEGDId3leSUVhPBBPRsxL42jjqo9aOKREgmrGco39JGf4O
+ImxM8vKxQ9AjDrRTRETB9V9jbRf3v3Tojt3vBBwa3xQelVp9xUWQxo/5dV73g/c7
+WWAvZ628XUw6k6vn6bY7qWuhehUO02plRLd5zP8nBORCbPmFCI97lZAnDYLprB4e
+9IgCPJp+0zQDLr9o+eNKtR0a2Txb6nzGahIPi3a7QCH6+Yq4iwYVEQm+e6KBJZOm
++YiLAgMBAAGjggFwMIIBbDAfBgNVHSMEGDAWgBRTeb9aqitKz1SA4dibwJ3ysgNm
+yzAdBgNVHQ4EFgQUgRGS3mYypbBbMz1lQ4X81AQt8a4wDgYDVR0PAQH/BAQDAgGG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
+BwMCMCIGA1UdIAQbMBkwDQYLKwYBBAGyMQECAhowCAYGZ4EMAQIBMFAGA1UdHwRJ
+MEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FD
+ZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcBAQRlMGMwOgYIKwYB
+BQUHMAKGLmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9VU0VSVHJ1c3RSU0FBQUFD
+QS5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJ
+KoZIhvcNAQEMBQADggIBADvVncOMStREyA00ZSRUmrkmR3KzAlHVz06X1ydG9EpZ
+z+JTQMWO809buLbDnr6t9z9jVnsDTQnWcMG4qiIkwhJVLxOVXUO+LFSBMskOe1SP
+BtHwHS42DeZ8QTgbRlW9p/Ey9wIo+MS2tryQ9eaDTkc2FBed/82VjrdsQoeoTyuD
+dp4tqarixjM/iJMgyEAMCpTkx4EqXJ/z7qgXusacsxMzt6NLv7FYcaKGbwjKqzrR
+vEk/+ZYnZc5mxnautf0uwRCcOe0kCOh1fd+g6Tyd+cSj6oGcJY/f/Db0sxELpzGq
+jRkbXan+eMojQfsgIe1n7SVyI5Yxz2RnQQL5ZT5K1mBcucqsTqkk3C7L3hF4hkwC
+/Otm+badymHQcnbE1Pmz6ymqj2vtwT0mEQzetQdbvv3jc3ey4YcxirAM1ihxtXeI
+NsEP1ndUV/0v+qqmk9iCoIjZQce8vAdziZqBYxO3NiZwTRAtqseiZWLJqQ077fy3
+ebdjmw6y5U+DhDW2kxF/e+FJnu53DuY5/bE+oUneY770A7BfCuH+6uhEOaMNsn21
+AHymLr1xlRPQYR0DMgHmsGTqdINcQfot1mlIXr05HQUK0b84CPgEU0zvVQL+j9dc
+/4rh2sR6rl//tjG01Q+zQKStnR2NlNNrElDUC9IDmvL9JcF20cvOlE4R0lfTXa1k
+-----END CERTIFICATE-----

build.gradle.kts

@@ -54,7 +54,7 @@ val springWebVersion = "6.1.4"
 
 // Implementation
 val kotlinJvmTarget = 21
-val cosmotechApiCommonVersion = "1.0.6"
+val cosmotechApiCommonVersion = "1.0.7-SNAPSHOT"
 val cosmotechApiAzureVersion = "1.0.1"
 val jedisVersion = "4.4.6"
 val springOauthVersion = "6.2.2"
@@ -132,6 +132,7 @@ allprojects {
   configurations { all { resolutionStrategy { force("com.redis.om:redis-om-spring:0.9.1") } } }
 
   repositories {
+    mavenLocal()
     maven {
       name = "GitHubPackages"
       url = uri("https://maven.pkg.github.com/Cosmo-Tech/cosmotech-api-common")

doc/.openapi-generator/VERSION

@@ -1 +1 @@
-7.3.0
+7.8.0

runner/src/main/kotlin/com/cosmotech/runner/service/RunnerApiServiceImpl.kt

@@ -12,9 +12,7 @@ import com.cosmotech.api.rbac.PERMISSION_WRITE
 import com.cosmotech.api.rbac.PERMISSION_WRITE_SECURITY
 import com.cosmotech.api.rbac.getScenarioRolesDefinition
 import com.cosmotech.api.utils.constructPageRequest
-import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import com.cosmotech.runner.RunnerApiServiceInterface
-import com.cosmotech.runner.domain.CreatedRun
 import com.cosmotech.runner.domain.Runner
 import com.cosmotech.runner.domain.RunnerAccessControl
 import com.cosmotech.runner.domain.RunnerRole
@@ -38,12 +36,7 @@ internal class RunnerApiServiceImpl(
             .inWorkspace(workspaceId)
             .userHasPermissionOnWorkspace(PERMISSION_CREATE_CHILDREN)
     val runnerInstance =
-        runnerService
-            .getNewInstance()
-            .setValueFrom(runner)
-            .initSecurity(runner)
-            .initParameters()
-            .initDatasetList()
+        runnerService.getNewInstance().setValueFrom(runner).initSecurity(runner).initParameters()
 
     return runnerService.saveInstance(runnerInstance)
   }

scenario/src/integrationTest/kotlin/com/cosmotech/scenario/service/ScenarioServiceIntegrationTest.kt

@@ -445,7 +445,7 @@ class ScenarioServiceIntegrationTest : CsmRedisTestBase() {
     scenarioList =
         scenarioApiService.findAllScenarios(
             organizationSaved.id!!, workspaceSaved.id!!, 0, expectedSize)
-    assertEquals(scenarioList.size, expectedSize)
+    assertEquals(expectedSize, scenarioList.size)
 
     logger.info("should find all Scenarios and assert it returns the second / last page")
     scenarioList =
@@ -1083,6 +1083,64 @@ class ScenarioServiceIntegrationTest : CsmRedisTestBase() {
     assertEquals(ROLE_VIEWER, datasetAC.role)
   }
 
+  @Test
+  fun `As a viewer, I can only see my information in security property for findScenarioById`() {
+    organization = makeOrganization(userName = TEST_USER_MAIL)
+    organizationSaved = organizationApiService.registerOrganization(organization)
+    solution = makeSolution(organizationId = organizationSaved.id!!)
+    solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, solution)
+    workspace = makeWorkspace(organizationId = organizationSaved.id!!, userName = TEST_USER_MAIL)
+    workspaceSaved = workspaceApiService.createWorkspace(organizationSaved.id!!, workspace)
+    dataset = makeDataset(organizationId = organizationSaved.id!!)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+    scenario
+    scenario =
+        makeScenario(
+            organizationId = organizationSaved.id!!, userName = TEST_USER_MAIL, role = ROLE_VIEWER)
+    scenarioSaved =
+        scenarioApiService.createScenario(organizationSaved.id!!, workspaceSaved.id!!, scenario)
+    every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+
+    scenarioSaved =
+        scenarioApiService.findScenarioById(
+            organizationSaved.id!!, workspaceSaved.id!!, scenarioSaved.id!!)
+    assertEquals(
+        ScenarioSecurity(
+            default = ROLE_NONE, mutableListOf(ScenarioAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+        scenarioSaved.security)
+    assertEquals(1, scenarioSaved.security!!.accessControlList.size)
+  }
+
+  @Test
+  fun `As a viewer, I can only see my information in security property for findAllScenarios`() {
+    organization = makeOrganization(userName = TEST_USER_MAIL)
+    organizationSaved = organizationApiService.registerOrganization(organization)
+    solution = makeSolution(organizationId = organizationSaved.id!!)
+    solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, solution)
+    workspace = makeWorkspace(organizationId = organizationSaved.id!!, userName = TEST_USER_MAIL)
+    workspaceSaved = workspaceApiService.createWorkspace(organizationSaved.id!!, workspace)
+    dataset = makeDataset(organizationId = organizationSaved.id!!)
+    datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+    scenario
+    scenario =
+        makeScenario(
+            organizationId = organizationSaved.id!!, userName = TEST_USER_MAIL, role = ROLE_VIEWER)
+    scenarioSaved =
+        scenarioApiService.createScenario(organizationSaved.id!!, workspaceSaved.id!!, scenario)
+    every { getCurrentAccountIdentifier(any()) } returns TEST_USER_MAIL
+
+    val scenarios =
+        scenarioApiService.findAllScenarios(organizationSaved.id!!, workspaceSaved.id!!, null, null)
+    scenarios.forEach {
+      assertEquals(
+          ScenarioSecurity(
+              default = ROLE_NONE,
+              mutableListOf(ScenarioAccessControl(TEST_USER_MAIL, ROLE_VIEWER))),
+          it.security)
+      assertEquals(1, it.security!!.accessControlList.size)
+    }
+  }
+
   private fun makeWorkspaceEventHubInfo(eventHubAvailable: Boolean): WorkspaceEventHubInfo {
     return WorkspaceEventHubInfo(
         eventHubNamespace = "eventHubNamespace",

scenario/src/integrationTest/kotlin/com/cosmotech/scenario/service/ScenarioServiceRBACTest.kt

@@ -4480,7 +4480,7 @@ class ScenarioServiceRBACTest : CsmRedisTestBase() {
   @TestFactory
   fun `test Scenario RBAC getScenarioPermissions`() =
       mapOf(
-              ROLE_VIEWER to false,
+              ROLE_VIEWER to true,
               ROLE_EDITOR to false,
               ROLE_VALIDATOR to false,
               ROLE_NONE to true,
@@ -4802,7 +4802,7 @@ class ScenarioServiceRBACTest : CsmRedisTestBase() {
   @TestFactory
   fun `test Scenario RBAC getScenarioSecurity`() =
       mapOf(
-              ROLE_VIEWER to false,
+              ROLE_VIEWER to true,
               ROLE_EDITOR to false,
               ROLE_VALIDATOR to false,
               ROLE_NONE to true,
@@ -5902,7 +5902,7 @@ class ScenarioServiceRBACTest : CsmRedisTestBase() {
   @TestFactory
   fun `test Scenario RBAC getScenarioAccessControl`() =
       mapOf(
-              ROLE_VIEWER to false,
+              ROLE_VIEWER to true,
               ROLE_EDITOR to false,
               ROLE_VALIDATOR to false,
               ROLE_NONE to true,
@@ -6986,7 +6986,7 @@ class ScenarioServiceRBACTest : CsmRedisTestBase() {
   @TestFactory
   fun `test Scenario RBAC getScenarioSecurityUsers`() =
       mapOf(
-              ROLE_VIEWER to false,
+              ROLE_VIEWER to true,
               ROLE_EDITOR to false,
               ROLE_VALIDATOR to false,
               ROLE_NONE to true,

scenario/src/main/kotlin/com/cosmotech/scenario/service/ScenarioServiceImpl.kt

@@ -43,6 +43,7 @@ import com.cosmotech.dataset.DatasetApiServiceInterface
 import com.cosmotech.dataset.domain.IngestionStatusEnum
 import com.cosmotech.dataset.domain.SubDatasetGraphQuery
 import com.cosmotech.dataset.service.getRbac
+import com.cosmotech.organization.service.getRbac
 import com.cosmotech.scenario.ScenarioApiServiceInterface
 import com.cosmotech.scenario.domain.Scenario
 import com.cosmotech.scenario.domain.ScenarioAccessControl
@@ -432,15 +433,21 @@ internal class ScenarioServiceImpl(
     workspaceService.getVerifiedWorkspace(organizationId, workspaceId)
     val defaultPageSize = csmPlatformProperties.twincache.scenario.defaultPageSize
     val pageable = constructPageRequest(page, size, defaultPageSize)
+    var scenarios = listOf<Scenario>()
     if (pageable != null) {
-      return this.findPaginatedScenariosStateOption(
-          organizationId, workspaceId, pageable.pageNumber, pageable.pageSize, true)
-    }
-    return findAllPaginated(defaultPageSize) {
-      this.findPaginatedScenariosStateOption(
-              organizationId, workspaceId, it.pageNumber, it.pageSize, true)
-          .toMutableList()
+      scenarios =
+          this.findPaginatedScenariosStateOption(
+              organizationId, workspaceId, pageable.pageNumber, pageable.pageSize, true)
+    } else {
+      scenarios =
+          findAllPaginated(defaultPageSize) {
+            this.findPaginatedScenariosStateOption(
+                    organizationId, workspaceId, it.pageNumber, it.pageSize, true)
+                .toMutableList()
+          }
     }
+    scenarios.forEach { it.security = updateSecurityVisibility(it).security }
+    return scenarios
   }
 
   override fun findAllScenariosByValidationStatus(
@@ -590,7 +597,8 @@ internal class ScenarioServiceImpl(
       scenarioId: String
   ): Scenario {
     checkInternalResultDataServiceConfiguration()
-    return findScenarioById(organizationId, workspaceId, scenarioId, withState = true)
+    val scenario = findScenarioById(organizationId, workspaceId, scenarioId, withState = true)
+    return updateSecurityVisibility(scenario)
   }
 
   override fun findScenarioById(
@@ -1167,4 +1175,24 @@ internal class ScenarioServiceImpl(
       throw NotImplementedException(notImplementedExceptionMessage)
     }
   }
+
+  fun updateSecurityVisibility(scenario: Scenario): Scenario {
+    if (csmRbac.check(scenario.getRbac(), PERMISSION_READ_SECURITY).not()) {
+      val username = getCurrentAccountIdentifier(csmPlatformProperties)
+      val retrievedAC = scenario.security!!.accessControlList.firstOrNull { it.id == username }
+      return if (retrievedAC != null) {
+        scenario.copy(
+            security =
+                ScenarioSecurity(
+                    default = scenario.security!!.default,
+                    accessControlList = mutableListOf(retrievedAC)))
+      } else {
+        scenario.copy(
+            security =
+                ScenarioSecurity(
+                    default = scenario.security!!.default, accessControlList = mutableListOf()))
+      }
+    }
+    return scenario
+  }
 }

solution/src/integrationTest/kotlin/com/cosmotech/solution/service/SolutionServiceIntegrationTest.kt

@@ -126,8 +126,8 @@ class SolutionServiceIntegrationTest : CsmRedisTestBase() {
             runTemplates =
                 mutableListOf(RunTemplate(id = "one", name = "name_one"), RunTemplate(id = "two")))
     // Assert that no runTemplate were deleted
-    assertEquals(expectedSolution.runTemplates.size, endTemplates.size)
-    assertEquals(expectedSolution.runTemplates, endTemplates)
+    assertEquals(expectedSolution.runTemplates!!.size, endTemplates.size)
+    assertEquals(expectedSolution.runTemplates!!, endTemplates)
   }
 
   @Test
@@ -389,7 +389,7 @@ class SolutionServiceIntegrationTest : CsmRedisTestBase() {
 
     assertNotNull(solutionWithNullRunTemplatesSaved)
     assertNotNull(solutionWithNullRunTemplatesSaved.runTemplates)
-    assertEquals(0, solutionWithNullRunTemplatesSaved.runTemplates.size)
+    assertEquals(0, solutionWithNullRunTemplatesSaved.runTemplates!!.size)
   }
 
   @Test
@@ -402,7 +402,7 @@ class SolutionServiceIntegrationTest : CsmRedisTestBase() {
 
     assertNotNull(solutionWithNullRunTemplatesSaved)
     assertNotNull(solutionWithNullRunTemplatesSaved.runTemplates)
-    assertEquals(0, solutionWithNullRunTemplatesSaved.runTemplates.size)
+    assertEquals(0, solutionWithNullRunTemplatesSaved.runTemplates!!.size)
   }
 
   @Test
@@ -531,7 +531,10 @@ class SolutionServiceIntegrationTest : CsmRedisTestBase() {
   @Test
   fun `test update solution with runTemplates null`() {
 
-    val baseSolution = makeSolution(organizationSaved.id!!, runTemplates = null)
+    val baseSolution =
+        makeSolution(
+            organizationSaved.id!!,
+        )
     val baseSolutionSaved = solutionApiService.createSolution(organizationSaved.id!!, baseSolution)
 
     val assertThrows =