Add permission check for new endpoints

Signed-off-by: montesm <[email protected]>

Author: montesmoci

UnityAuth/src/main/java/io/unityfoundation/auth/AuthController.java

@@ -104,7 +104,19 @@ public HttpResponse<HasPermissionResponse> hasPermission(@Body HasPermissionRequ
   }
 
   @Get("/roles")
-  public HttpResponse<List<RoleDTO>> getRoles() {
+  public HttpResponse<List<RoleDTO>> getRoles(Authentication authentication) {
+
+    User user = userRepo.findByEmail(authentication.getName()).orElse(null);
+    if (checkUserStatus(user)) {
+      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user is disabled.");
+    }
+
+    List<String> commonPermissions = permissionsService.checkUserPermissionsAcrossAllTenants(
+            user, List.of("AUTH_SERVICE_VIEW-SYSTEM", "AUTH_SERVICE_VIEW-TENANT"));
+    if (commonPermissions.isEmpty()) {
+      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user does not have permission!");
+    }
+
     return HttpResponse.ok(roleRepo.findAll().stream()
             .map(role -> new RoleDTO(role.getId(), role.getName(), role.getDescription()))
             .toList());
@@ -114,6 +126,16 @@ public HttpResponse<List<RoleDTO>> getRoles() {
   public HttpResponse<List<TenantDTO>> getTenants(Authentication authentication) {
 
     String authenticatedUserEmail = authentication.getName();
+    User user = userRepo.findByEmail(authenticatedUserEmail).orElse(null);
+    if (checkUserStatus(user)) {
+      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user is disabled.");
+    }
+
+    List<String> commonPermissions = permissionsService.checkUserPermissionsAcrossAllTenants(
+            user, List.of("AUTH_SERVICE_VIEW-SYSTEM", "AUTH_SERVICE_VIEW-TENANT"));
+    if (commonPermissions.isEmpty()) {
+      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user does not have permission!");
+    }
 
     List<Tenant> tenants = userRepo.existsByEmailAndRoleEqualsUnityAdmin(authenticatedUserEmail) ?
             tenantRepo.findAll() : tenantRepo.findAllByUserEmail(authenticatedUserEmail);
@@ -127,14 +149,26 @@ public HttpResponse<List<TenantDTO>> getTenants(Authentication authentication) {
   public HttpResponse<List<UserResponse>> getTenantUsers(@PathVariable Long id, Authentication authentication) {
 
     // reject if the declared tenant does not exist
-    if (!tenantRepo.existsById(id)) {
-      return HttpResponse.badRequest();
+    Optional<Tenant> tenantOptional = tenantRepo.findById(id);
+    if (tenantOptional.isEmpty()) {
+      throw new HttpStatusException(HttpStatus.NOT_FOUND, "Tenant not found.");
+    }
+
+    User user = userRepo.findByEmail(authentication.getName()).orElse(null);
+    if (checkUserStatus(user)) {
+      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user is disabled.");
+    }
+
+    List<String> commonPermissions = permissionsService.checkUserPermission(user, tenantOptional.get(),
+            List.of("AUTH_SERVICE_VIEW-SYSTEM", "AUTH_SERVICE_VIEW-TENANT"));
+    if (commonPermissions.isEmpty()) {
+      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user does not have permission!");
     }
 
     // todo: it would be nice to capture the roles and have them automatically mapped to UserResponse.roles
-    List<UserResponse> tenantUsers = userRepo.findAllByTenantId(id).stream().map(user ->
-            new UserResponse(user.getId(), user.getEmail(), user.getFirstName(), user.getLastName(),
-                    userRepo.getUserRolesByUserId(user.getId())
+    List<UserResponse> tenantUsers = userRepo.findAllByTenantId(id).stream().map(tenantUser ->
+            new UserResponse(tenantUser.getId(), tenantUser.getEmail(), tenantUser.getFirstName(), tenantUser.getLastName(),
+                    userRepo.getUserRolesByUserId(tenantUser.getId())
                     )).toList();
 
     return HttpResponse.ok(tenantUsers);

UnityAuth/src/main/java/io/unityfoundation/auth/PermissionsService.java

@@ -9,6 +9,7 @@
 
 import java.util.List;
 import java.util.function.BiPredicate;
+import java.util.function.Predicate;
 
 @Singleton
 public class PermissionsService {
@@ -21,6 +22,11 @@ public class PermissionsService {
                             || Permission.PermissionScope.SUBTENANT.equals(tp.permissionScope()))
                             && tp.tenantId == t.getId());
 
+    private final Predicate<TenantPermission> isTenantOrSystemOrSubtenantScope = (tp) ->
+            Permission.PermissionScope.SYSTEM.equals(tp.permissionScope()) || (
+                    (Permission.PermissionScope.TENANT.equals(tp.permissionScope())
+                            || Permission.PermissionScope.SUBTENANT.equals(tp.permissionScope())));
+
     public PermissionsService(UserRepo userRepo) {
         this.userRepo = userRepo;
     }
@@ -38,6 +44,14 @@ public List<String> getPermissionsFor(User user, Tenant tenant) {
                 .toList();
     }
 
+    public List<String> checkUserPermissionsAcrossAllTenants(User user, List<String> permissions) {
+        return userRepo.getTenantPermissionsFor(user.getId()).stream()
+                .filter(isTenantOrSystemOrSubtenantScope)
+                .map(TenantPermission::permissionName)
+                .filter(permissions::contains)
+                .toList();
+    }
+
     @Introspected
     public record TenantPermission(
             long tenantId,

UnityAuth/src/main/java/io/unityfoundation/auth/UserController.java

@@ -26,12 +26,14 @@ public class UserController {
     private final TenantRepo tenantRepo;
     private final RoleRepo roleRepo;
     private final PasswordEncoder passwordEncoder;
+    private final PermissionsService permissionsService;
 
-    public UserController(UserRepo userRepo, TenantRepo tenantRepo, RoleRepo roleRepo, PasswordEncoder passwordEncoder) {
+    public UserController(UserRepo userRepo, TenantRepo tenantRepo, RoleRepo roleRepo, PasswordEncoder passwordEncoder, PermissionsService permissionsService) {
         this.userRepo = userRepo;
         this.tenantRepo = tenantRepo;
         this.roleRepo = roleRepo;
         this.passwordEncoder = passwordEncoder;
+        this.permissionsService = permissionsService;
     }
 
     @Post
@@ -40,23 +42,31 @@ public HttpResponse<UserResponse> createUser(@Body AddUserRequest requestDTO,
 
         Long requestTenantId = requestDTO.tenantId();
 
-        // reject if the declared tenant does not exist
-        if (!tenantRepo.existsById(requestTenantId)) {
-            throw new HttpStatusException(HttpStatus.NOT_FOUND, "Tenant not found");
+        Optional<Tenant> tenantOptional = tenantRepo.findById(requestTenantId);
+        if (tenantOptional.isEmpty()) {
+            throw new HttpStatusException(HttpStatus.NOT_FOUND, "Tenant not found.");
         }
 
-        Role unityAdministrator = roleRepo.findByName("Unity Administrator");
+        Optional<User> adminOptional = userRepo.findByEmail(authentication.getName());
+        if (adminOptional.isEmpty()) {
+            throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user is disabled.");
+        }
 
-        // ignore roles not defined by application
+        User admin = adminOptional.get();
+
+        List<String> commonPermissions = permissionsService.checkUserPermission(admin, tenantOptional.get(),
+                List.of("AUTH_SERVICE_EDIT-SYSTEM", "AUTH_SERVICE_EDIT-TENANT"));
+        if (commonPermissions.isEmpty()) {
+            throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user does not have permission!");
+        }
+
+        // ignore roles not defined by system
         List<Long> rolesIntersection = getRolesIntersection(requestDTO.roles());
 
         // reject if caller is not a unity nor tenant admin of the declared tenant
-        String authUserEmail = authentication.getName();
-        if (!userRepo.existsByEmailAndRoleEqualsUnityAdmin(authUserEmail)) {
-            if (!userRepo.existsByEmailAndTenantEqualsAndIsTenantAdmin(authUserEmail, requestTenantId)) {
-                return HttpResponse.status(HttpStatus.FORBIDDEN,
-                        "Authenticated user is not authorized to make changes under declared tenant.");
-            } else if (rolesIntersection.stream().anyMatch(roleId -> roleId.equals(unityAdministrator.getId()))){
+        if (!commonPermissions.contains("AUTH_SERVICE_EDIT-SYSTEM")) {
+            Role unityAdministrator = roleRepo.findByName("Unity Administrator");
+            if (rolesIntersection.stream().anyMatch(roleId -> roleId.equals(unityAdministrator.getId()))){
                 // authenticated tenant admin user cannot grant unity admin role
                 return HttpResponse.status(HttpStatus.FORBIDDEN,
                         "Authenticated user is not authorized to grant Unity Admin");
@@ -97,30 +107,37 @@ public HttpResponse<UserResponse> createUser(@Body AddUserRequest requestDTO,
     public HttpResponse<UserResponse> updateUserRoles(@PathVariable Long id, @Body UpdateUserRolesRequest requestDTO,
                                                 Authentication authentication) {
         Long requestTenantId = requestDTO.tenantId();
+        Optional<Tenant> tenantOptional = tenantRepo.findById(requestTenantId);
+        if (tenantOptional.isEmpty()) {
+            throw new HttpStatusException(HttpStatus.NOT_FOUND, "Tenant not found.");
+        }
 
-        // reject if the declared tenant does not exist
-        if (!tenantRepo.existsById(requestTenantId)) {
-            throw new HttpStatusException(HttpStatus.NOT_FOUND, "Tenant not found");
+        String authUserEmail = authentication.getName();
+        Optional<User> adminOptional = userRepo.findByEmail(authUserEmail);
+        if (adminOptional.isEmpty()) {
+            throw new HttpStatusException(HttpStatus.NOT_FOUND, "Authenticated user does not exist");
         }
+        User admin = adminOptional.get();
 
         Optional<User> userOptional = userRepo.findById(id);
         if (userOptional.isEmpty()) {
             throw new HttpStatusException(HttpStatus.NOT_FOUND, "User not found");
         }
-
         User user = userOptional.get();
-        Role unityAdministrator = roleRepo.findByName("Unity Administrator");
 
         // ignore roles not defined by application
         List<Long> rolesIntersection = getRolesIntersection(requestDTO.roles());
 
         // if unity admin, proceed; otherwise, reject if roles exceed authenticated user's under same tenant.
-        String authUserEmail = authentication.getName();
-        if (!userRepo.existsByEmailAndRoleEqualsUnityAdmin(authUserEmail)) {
-            if (!userRepo.existsByEmailAndTenantEqualsAndIsTenantAdmin(authUserEmail, requestTenantId)) {
-                return HttpResponse.status(HttpStatus.FORBIDDEN,
-                        "Authenticated user is not authorized to make changes under declared tenant.");
-            } else if (rolesIntersection.stream().anyMatch(roleId -> roleId.equals(unityAdministrator.getId()))){
+        List<String> commonPermissions = permissionsService.checkUserPermission(admin, tenantOptional.get(),
+                List.of("AUTH_SERVICE_EDIT-SYSTEM", "AUTH_SERVICE_EDIT-TENANT"));
+        if (commonPermissions.isEmpty()) {
+            throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user does not have permission!");
+        }
+
+        if (!commonPermissions.contains("AUTH_SERVICE_VIEW-SYSTEM")) {
+            Role unityAdministrator = roleRepo.findByName("Unity Administrator");
+            if (rolesIntersection.stream().anyMatch(roleId -> roleId.equals(unityAdministrator.getId()))){
                 // authenticated tenant admin user cannot grant unity admin role
                 return HttpResponse.status(HttpStatus.FORBIDDEN,
                         "Authenticated user is not authorized to grant Unity Admin");

UnityAuth/src/test/java/io/unityfoundation/UnityIamTest.java

@@ -167,7 +167,7 @@ void testGetUserPermissionsHappyPath() {
     HttpResponse<UserPermissionsResponse.Success> response = client.toBlocking()
         .exchange(hasPermissionRequest, UserPermissionsResponse.Success.class);
 
-      assertEquals(response.getBody().get().permissions(), List.of("AUTH_SERVICE_EDIT-SYSTEM"));
+      assertTrue(response.getBody().get().permissions().contains("AUTH_SERVICE_EDIT-SYSTEM"));
   }
 
   @Test
@@ -237,6 +237,8 @@ void testCreateUsers() {
     assertFalse(user.roles().isEmpty());
 
     // Case: User does exist in system but not under tenant.
+    // Given that tenant = 2, this confirms that a Unity Admin can perform actions in a Tenant
+    // they are not associated to. (See afterMigrate.sql user_role table)
     createUserRequest = HttpRequest.POST("/api/users",
                     new UserController.AddUserRequest(
                             "[email protected]",

UnityAuth/src/test/resources/db/migration/afterMigrate.sql

@@ -18,12 +18,14 @@ INSERT INTO tenant_service (tenant_id, service_id, status) VALUES(2, 1, 'ENABLED
 INSERT INTO permission (id, name, description, scope) VALUES(1, 'AUTH_SERVICE_EDIT-SYSTEM', 'Description', 'SYSTEM');
 INSERT INTO permission (id, name, description, scope) VALUES(2, 'LIBRE311_REQUEST_EDIT-TENANT', 'Description', 'TENANT');
 INSERT INTO permission (id, name, description, scope) VALUES(3, 'LIBRE311_REQUEST_EDIT-SUBTENANT', 'Description', 'SUBTENANT');
+INSERT INTO permission (id, name, description, scope) VALUES(4, 'AUTH_SERVICE_VIEW-SYSTEM', 'Description', 'SYSTEM');
 INSERT INTO role (id, name, description) VALUES(1, 'Unity Administrator', 'System role');
 INSERT INTO role (id, name, description) VALUES(2, 'Tenant role', 'Tenant role');
 INSERT INTO role (id, name, description) VALUES(3, 'Subtenant role', 'Subtenant role');
 INSERT INTO role_permission (role_id, permission_id) VALUES(1, 1);
 INSERT INTO role_permission (role_id, permission_id) VALUES(2, 2);
 INSERT INTO role_permission (role_id, permission_id) VALUES(3, 3);
+INSERT INTO role_permission (role_id, permission_id) VALUES(1, 4);
 INSERT INTO user_role (tenant_id, user_id, role_id) VALUES(1, 1, 1);
 INSERT INTO user_role (tenant_id, user_id, role_id) VALUES(2, 1, 2);
 INSERT INTO user_role (tenant_id, user_id, role_id) VALUES(2, 1, 3);