diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt
index 03de261fa..d8cea8c62 100644
--- a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt
+++ b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceIntegrationTest.kt
@@ -581,6 +581,39 @@ class RunnerServiceIntegrationTest : CsmRedisTestBase() {
 @Test
 fun `test AccessControls management on Runner as ressource Admin`() {
+ dataset = makeDataset(organizationSaved.id!!, "Dataset", connectorSaved, false)
+ datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+ materializeTwingraph()
+
+ solution = makeSolution(organizationSaved.id!!)
+ solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, solution)
+
+ workspace = makeWorkspace(organizationSaved.id!!, solutionSaved.id!!, "Workspace")
+ workspaceSaved = workspaceApiService.createWorkspace(organizationSaved.id!!, workspace)
+
+ parentRunner =
+ makeRunner(
+ organizationSaved.id!!,
+ workspaceSaved.id!!,
+ solutionSaved.id!!,
+ "RunnerParent",
+ mutableListOf(datasetSaved.id!!),
+ parametersValues = mutableListOf(runTemplateParameterValue1))
+
+ parentRunnerSaved =
+ runnerApiService.createRunner(organizationSaved.id!!, workspaceSaved.id!!, parentRunner)
+
+ runner =
+ makeRunner(
+ organizationSaved.id!!,
+ workspaceSaved.id!!,
+ solutionSaved.id!!,
+ name = "Runner",
+ parentId = parentRunnerSaved.id!!,
+ datasetList = mutableListOf(datasetSaved.id!!),
+ parametersValues = mutableListOf(runTemplateParameterValue2))
+
+ runnerSaved = runnerApiService.createRunner(organizationSaved.id!!, workspaceSaved.id!!, runner)
 logger.info("should add an Access Control and assert it has been added")
 val runnerAccessControl = RunnerAccessControl(TEST_USER_MAIL, ROLE_VIEWER)
 var runnerAccessControlRegistered =
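Review bot: The 33 setup lines added at the top of this test are repeated in the `Unauthorized User` test (the hunk at -647), differing only in that `false` is passed positionally here and as `isMain = false` there. Moving them into one private helper in the test class and calling it from both tests would keep the two fixtures from drifting apart, and `makeDataset(organizationSaved.id!!, "Dataset", connectorSaved, isMain = false)` is the form to keep, since a bare `false` says nothing about what is being switched off. A one-line comment on why these tests need a non-main dataset would also help the next reader. The test body continues past the end of the hunk.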
@@ -647,6 +680,41 @@ class RunnerServiceIntegrationTest : CsmRedisTestBase() {
 @Test
 fun `test AccessControls management on Runner as Unauthorized User`() {
+
+ dataset = makeDataset(organizationSaved.id!!, "Dataset", connectorSaved, isMain = false)
+ datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
+ materializeTwingraph()
+
+ solution = makeSolution(organizationSaved.id!!)
+ solutionSaved = solutionApiService.createSolution(organizationSaved.id!!, solution)
+
+ workspace = makeWorkspace(organizationSaved.id!!, solutionSaved.id!!, "Workspace")
+ workspaceSaved = workspaceApiService.createWorkspace(organizationSaved.id!!, workspace)
+
+ parentRunner =
+ makeRunner(
+ organizationSaved.id!!,
+ workspaceSaved.id!!,
+ solutionSaved.id!!,
+ "RunnerParent",
+ mutableListOf(datasetSaved.id!!),
+ parametersValues = mutableListOf(runTemplateParameterValue1))
+
+ parentRunnerSaved =
+ runnerApiService.createRunner(organizationSaved.id!!, workspaceSaved.id!!, parentRunner)
+
+ runner =
+ makeRunner(
+ organizationSaved.id!!,
+ workspaceSaved.id!!,
+ solutionSaved.id!!,
+ name = "Runner",
+ parentId = parentRunnerSaved.id!!,
+ datasetList = mutableListOf(datasetSaved.id!!),
+ parametersValues = mutableListOf(runTemplateParameterValue2))
+
+ runnerSaved = runnerApiService.createRunner(organizationSaved.id!!, workspaceSaved.id!!, runner)
+
 every { getCurrentAccountIdentifier(any()) } returns CONNECTED_READER_USER
 logger.info("should throw CsmAccessForbiddenException when trying to add RunnerAccessControl")
diff --git a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt
index 20f8ef9ca..c623284da 100644
--- a/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt
+++ b/runner/src/integrationTest/kotlin/com/cosmotech/runner/service/RunnerServiceRBACTest.kt
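Review bot: The new branch in `RunnerService.removeAccessControlToDatasets` is not reached by this fixture or by the one in the Admin test, because both create the dataset with `isMain = false`; the visible hunks therefore only exercise the pre-existing removal path. Nothing shown here pins the behaviour the commit introduces, namely that a main dataset keeps the user's ACL entry when the runner access control is removed. A companion case that attaches a main dataset to the runner, removes the runner access control, and asserts the dataset entry is still present would cover it, ideally alongside one asserting the non-main entry is gone. The test body continues past the end of the hunk, so assertions outside it may already do part of this.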
@@ -3563,7 +3563,7 @@ class RunnerServiceRBACTest : CsmRedisTestBase() {
 val organization = makeOrganizationWithRole(id = TEST_USER_MAIL, role = ROLE_ADMIN)
 val organizationSaved = organizationApiService.registerOrganization(organization)
 val dataset =
- makeDataset(organizationSaved.id!!, connectorSaved, TEST_USER_MAIL, role)
+ makeDataset(organizationSaved.id!!, connectorSaved, TEST_USER_MAIL, role, false)
 var datasetSaved = datasetApiService.createDataset(organizationSaved.id!!, dataset)
 datasetSaved =
 datasetRepository.save(
@@ -4576,7 +4576,13 @@ class RunnerServiceRBACTest : CsmRedisTestBase() {
 ioTypes = listOf(IoTypesEnum.read))
 }
- fun makeDataset(organizationId: String, connector: Connector, id: String, role: String): Dataset {
+ fun makeDataset(
+ organizationId: String,
+ connector: Connector,
+ id: String,
+ role: String,
+ isMain: Boolean = true
+ ): Dataset {
 return Dataset(
 name = "Dataset",
 organizationId = organizationId,
@@ -4588,6 +4594,7 @@ class RunnerServiceRBACTest : CsmRedisTestBase() {
 name = connector.name,
 version = connector.version,
 ),
+ main = isMain,
 security =
 DatasetSecurity(
 default = ROLE_NONE,
diff --git a/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt b/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt
index df9c2bd49..0798e3c26 100644
--- a/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt
+++ b/runner/src/main/kotlin/com/cosmotech/runner/service/RunnerService.kt
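Review bot: `isMain` defaults to `true` in the new `makeDataset` signature, so any call in this class that the commit does not touch now builds a main dataset, and with the RunnerService change in the same commit main datasets are skipped when a runner access control is removed. Only the call in the first hunk of this file opts out, and it does so with a bare positional `false`; `isMain = false` would make the intent readable at the call site. Whether the default silently changes what the other RBAC cases exercise depends on the default of `main` in the `Dataset` model, which is not visible here and is worth confirming; a short KDoc line on the helper stating what `isMain` controls would record the choice. `makeDataset`'s body runs past both hunks that touch it.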
@@ -491,9 +491,10 @@ class RunnerService(
 private fun removeAccessControlToDatasets(userId: String) {
 val organizationId = this.runner.organizationId!!
 this.runner.datasetList!!.forEach { datasetId ->
- val datasetACL =
- datasetApiService.findDatasetById(organizationId, datasetId).getRbac().accessControlList
+ val dataset = datasetApiService.findDatasetById(organizationId, datasetId)
+ if (dataset.main!!) return@forEach
+ val datasetACL = dataset.getRbac().accessControlList
 if (datasetACL.any { it.id == userId })
 datasetApiService.removeDatasetAccessControl(organizationId, datasetId, userId)
 }
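Review bot: `dataset.main!!` in the new guard throws a NullPointerException for any dataset whose `main` flag is unset, and because it sits inside the `forEach`, the exception ends the loop and leaves the user's entry on every dataset not yet visited, i.e. a partial revocation. The `!!` implies the field is nullable, so compare instead: `if (dataset.main == true) return@forEach`, which treats an unset flag as non-main and still removes the entry. The skip also means a user removed from the runner keeps whatever access they hold on its main datasets; if that is the intent, state it in a comment above the guard, e.g. `// Main datasets carry their own ACL and are not revoked together with the runner's`. The grant-side counterpart is not part of this diff, so it cannot be checked here whether it applies the same filter, and the function's closing brace lies outside the hunk.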