From b583fefb42f3babe543d60f11cad3a46a9c8edca Mon Sep 17 00:00:00 2001
From: Emmanuel
Date: Fri, 29 Nov 2024 19:37:33 +0000
Subject: [PATCH 1/3] feat: when checking stamps for structure and component, contributors is an arrau
---
 .../auth/security/SecurityExpressionRootForBauhaus.java | 7 ++++++-
 .../authorizations/TestStructuresResourcesEnvProd.java | 3 +--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java b/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
index 5c15d49ff..48af8973e 100644
--- a/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
+++ b/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
@@ -4,6 +4,7 @@
 import fr.insee.rmes.config.auth.roles.Roles;
 import fr.insee.rmes.config.auth.user.Stamp;
 import fr.insee.rmes.exceptions.RmesRuntimeBadRequestException;
+import org.json.JSONArray;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -173,6 +174,9 @@ private boolean checkStampIsContributor(String body) {
 private static @Nullable String extractContributorStampFromBody(String body) {
 return (new JSONObject(body)).optString("contributor");
 }
+ private static @Nullable JSONArray extractContributorStampsFromBody(String body) {
+ return (new JSONObject(body)).optJSONArray("contributor");
+ }
 
 //for PUT and DELETE structure
 public boolean isStructureContributor(String structureId){
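Review bot: `extractContributorStampsFromBody` carries no documentation of its null contract, which the caller in the next hunk depends on: `optJSONArray` yields null when `contributor` is absent or is not a JSON array (for example the string form that the sibling `extractContributorStampFromBody` reads), while `new JSONObject(body)` throws `JSONException` on a body that is not JSON at all, so the `@Nullable` annotation alone does not tell a reader which inputs end in a deny and which ones throw out of the security expression. Suggested Javadoc: `/** Returns the {@code contributor} array of a structure or component body, or null when the key is absent or not an array; a non-JSON body raises JSONException. */`. Since both helpers now read the same key with different expected types, a one-line comment saying which request shapes use the array form would keep the two from drifting.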
@@ -183,7 +187,8 @@ public boolean isStructureContributor(String structureId){
 // for POST structure or component
 public boolean isStructureAndComponentContributor(String body) {
 logger.trace("Check if {} can create the structure or component", methodSecurityExpressionRoot.getPrincipal());
- return hasRole(Roles.STRUCTURES_CONTRIBUTOR)&& checkStampIsContributor(body);
+ Optional stamp = getStamp();
+ return hasRole(Roles.STRUCTURES_CONTRIBUTOR) && extractContributorStampsFromBody(body).toList().stream().anyMatch(s -> ((String) s).equalsIgnoreCase(stamp.get().stamp()));
 }
 
 
diff --git a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
index 77d34a186..71addcbf1 100644
--- a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
+++ b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
@@ -68,7 +68,6 @@ class TestStructuresResourcesEnvProd {
 
 int structureId=10;
 int componentId=12;
- ValidationStatus status= UNPUBLISHED;
 
 @Test
 void putStructureAdmin_ok() throws Exception {
@@ -139,7 +138,7 @@ void postStructureAsStructureContributor_ok() throws Exception {
 mvc.perform(post("/structures/structure").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \""+timbre+"\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\""+timbre+"\"]}"))
 .andExpect(status().isOk());
 }
 
From eff8b87e4fd8e3d55722cfe3ce21f1ce61090706 Mon Sep 17 00:00:00 2001
From: Emmanuel
Date: Fri, 29 Nov 2024 19:43:15 +0000
Subject: [PATCH 2/3] fix: solve unit test
---
 .../authorizations/TestStructuresResourcesEnvProd.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
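Review bot: On the new return line, `stamp.get()` is called without a presence check and every element of the `contributor` array is cast with `(String) s`, so a principal whose `getStamp()` is empty, or a body whose array holds a non-string element, throws NoSuchElementException or ClassCastException inside the authorisation expression rather than producing a deny, which is unlikely to surface as a clean 403; the same return line, and so the same gap, survives in the @@ -188 hunk of PATCH 3/3. The null result of `extractContributorStampsFromBody` is already handled by PATCH 3/3 and is not re-raised here. Both fixes are short — `&& stamp.isPresent()` ahead of the stream and `.filter(String.class::isInstance)` ahead of `anyMatch` — giving, on the PATCH 3/3 form, `return hasRole(Roles.STRUCTURES_CONTRIBUTOR) && stamp.isPresent() && contributors.toList().stream().filter(String.class::isInstance).anyMatch(s -> ((String) s).equalsIgnoreCase(stamp.get().stamp()));`. `Optional stamp` also reads as a raw type on this page; if that is not a rendering artefact, declaring it `Optional<Stamp>` (the Stamp import is already present) makes `stamp.get().stamp()` type-check explicitly.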
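Review bot: The updated test only exercises the happy path of the new array format, a single-element array holding the caller's own stamp, and the paths the main change introduces are left unexercised: a body without `contributor`, a body still sending the old string form, and an array whose elements are not all strings. With PATCH 2/3 moving the three remaining `_ok`/`_ko` tests to arrays as well, nothing in the suite pins that a string-form body is now refused, which is the behaviour change existing callers will notice. A `_ko` case mirroring postStructureAsStructureContributorWrongStamp_ko but posting `.content("{\"id\": \"1\",\"contributor\": \""+timbre+"\"}")` and expecting the deny status would cover it; once PATCH 3/3 is in, that path returns false and so should be a 403.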
diff --git a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
index 71addcbf1..5ba8f63d4 100644
--- a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
+++ b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
@@ -167,7 +167,7 @@ void postStructureAsStructureContributorWrongStamp_ko() throws Exception {
 mvc.perform(post("/structures/structure").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \"wrong\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\"wrong\"]}"))
 .andExpect(status().isForbidden());
 }
 
@@ -227,7 +227,7 @@ void postComponentAsStructureContributor_ok() throws Exception {
 mvc.perform(post("/structures/components").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \""+timbre+"\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\""+timbre+"\"]}"))
 .andExpect(status().isCreated());
 }
 
@@ -256,7 +256,7 @@ void postComponentAsStructureContributorWrongStamp_ko() throws Exception {
 mvc.perform(post("/structures/components").header("Authorization", "Bearer toto")
 .contentType(MediaType.APPLICATION_JSON)
 .accept(MediaType.APPLICATION_JSON)
- .content("{\"id\": \"1\",\"contributor\": \"wrong\"}"))
+ .content("{\"id\": \"1\",\"contributor\": [\"wrong\"]}"))
 .andExpect(status().isForbidden());
 }
 
From ef3cdce63bafc555b3c3a593f4aa01d3db7aae1b Mon Sep 17 00:00:00 2001
From: Emmanuel
Date: Fri, 29 Nov 2024 19:55:41 +0000
Subject: [PATCH 3/3] fix: solve sonar issue
---
 .../auth/security/SecurityExpressionRootForBauhaus.java | 7 ++++++-
 .../authorizations/TestStructuresResourcesEnvProd.java | 2 --
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java b/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
index 48af8973e..8c1e485b4 100644
--- a/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
+++ b/src/main/java/fr/insee/rmes/config/auth/security/SecurityExpressionRootForBauhaus.java
@@ -188,7 +188,12 @@ public boolean isStructureContributor(String structureId){
 public boolean isStructureAndComponentContributor(String body) {
 logger.trace("Check if {} can create the structure or component", methodSecurityExpressionRoot.getPrincipal());
 Optional stamp = getStamp();
- return hasRole(Roles.STRUCTURES_CONTRIBUTOR) && extractContributorStampsFromBody(body).toList().stream().anyMatch(s -> ((String) s).equalsIgnoreCase(stamp.get().stamp()));
+ JSONArray contributors = extractContributorStampsFromBody(body);
+
+ if(contributors == null){
+ return false;
+ }
+ return hasRole(Roles.STRUCTURES_CONTRIBUTOR) && contributors.toList().stream().anyMatch(s -> ((String) s).equalsIgnoreCase(stamp.get().stamp()));
 }
 
 
diff --git a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
index 5ba8f63d4..f5e7fd295 100644
--- a/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
+++ b/src/test/java/fr/insee/rmes/integration/authorizations/TestStructuresResourcesEnvProd.java
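Review bot: The three deny paths of isStructureAndComponentContributor (no STRUCTURES_CONTRIBUTOR role, no `contributor` array in the body, caller's stamp not listed) are undocumented, and the new `contributors == null` branch returns silently while the existing `logger.trace` only records that the check started. A Javadoc on the method should state that it authorises creation only when the submitted body itself lists the caller's stamp under `contributor` — the body is caller-supplied, so this establishes self-declared membership, not ownership of an existing resource — and that a missing or non-array `contributor` is denied rather than reported as a bad request. A trace on the null branch would let a 403 caused by a malformed body be told apart from a stamp mismatch in the security logs, e.g. `logger.trace("No contributor array in body, denying creation for {}", methodSecurityExpressionRoot.getPrincipal());` before the `return false;`. `getStamp()` is also evaluated before the null guard and the role check, so it runs for every request that reaches this expression; moving it below the guard is a small, behaviour-neutral tidy-up.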
@@ -12,7 +12,6 @@
 import fr.insee.rmes.config.auth.security.DefaultSecurityContext;
 import fr.insee.rmes.config.auth.security.OpenIDConnectSecurityContext;
 import fr.insee.rmes.config.auth.user.Stamp;
-import fr.insee.rmes.model.ValidationStatus;
 import fr.insee.rmes.webservice.StructureResources;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
@@ -28,7 +27,6 @@
 
 import static fr.insee.rmes.integration.authorizations.TokenForTestsConfiguration.*;
 import static fr.insee.rmes.integration.authorizations.TokenForTestsConfiguration.KEY_FOR_ROLES_IN_ROLE_CLAIM;
-import static fr.insee.rmes.model.ValidationStatus.UNPUBLISHED;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;