Minor: Domain only access policy prevents bots from listing (#19017)

* Minor: Domain only access policy prevents bots listing

* Minor: Domain only access policy prevents bots listing

* Add Entity Type condition to limit the scope of NOT IN

---------

Co-authored-by: mohitdeuex <mohit.y@deuexsolutions.com>
(cherry picked from commit e04e2de)

openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java

@@ -14,6 +14,8 @@
 import org.openmetadata.service.util.FullyQualifiedName;
 
 public class ListFilter extends Filter<ListFilter> {
+  public static final String NULL_PARAM = "null";
+
   public ListFilter() {
     this(Include.NON_DELETED);
   }
@@ -107,12 +109,24 @@ public String getTestSuiteFQNCondition() {
 
   private String getDomainCondition(String tableName) {
     String domainId = getQueryParam("domainId");
-    return domainId == null
-        ? ""
-        : String.format(
-            "(%s in (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' AND entity_relationship.fromId IN (%s) AND "
-                + "relation=10))",
-            nullOrEmpty(tableName) ? "id" : String.format("%s.id", tableName), domainId);
+    String entityIdColumn = nullOrEmpty(tableName) ? "id" : (tableName + ".id");
+    if (domainId == null) {
+      return "";
+    } else if (NULL_PARAM.equals(domainId)) {
+      String entityType = getQueryParam("entityType");
+      String entityTypeCondition =
+          nullOrEmpty(entityType)
+              ? ""
+              : String.format("AND entity_relationship.toEntity='%s'", entityType);
+      return String.format(
+          "(%s NOT IN (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' %s AND relation=10))",
+          entityIdColumn, entityTypeCondition);
+    } else {
+      return String.format(
+          "(%s in (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' AND entity_relationship.fromId IN (%s) AND "
+              + "relation=10))",
+          entityIdColumn, domainId);
+    }
   }
 
   public String getApiCollectionCondition(String apiEndpoint) {

openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java

@@ -162,7 +162,7 @@ public ResultList<T> listInternal(
     authorizer.authorize(securityContext, operationContext, resourceContext);
 
     // Add Domain Filter
-    EntityUtil.addDomainQueryParam(securityContext, filter);
+    EntityUtil.addDomainQueryParam(securityContext, filter, entityType);
 
     // List
     ResultList<T> resultList;

openmetadata-service/src/main/java/org/openmetadata/service/util/EntityUtil.java

@@ -17,6 +17,7 @@
 import static org.openmetadata.common.utils.CommonUtil.nullOrEmpty;
 import static org.openmetadata.schema.type.Include.ALL;
 import static org.openmetadata.schema.type.Include.NON_DELETED;
+import static org.openmetadata.service.jdbi3.ListFilter.NULL_PARAM;
 import static org.openmetadata.service.jdbi3.RoleRepository.DOMAIN_ONLY_ACCESS_ROLE;
 import static org.openmetadata.service.security.DefaultAuthorizer.getSubjectContext;
 
@@ -682,7 +683,8 @@ public static List<EntityReference> mergedInheritedEntityRefs(
     return result.stream().toList();
   }
 
-  public static void addDomainQueryParam(SecurityContext securityContext, ListFilter filter) {
+  public static void addDomainQueryParam(
+      SecurityContext securityContext, ListFilter filter, String entityType) {
     SubjectContext subjectContext = getSubjectContext(securityContext);
     // If the User is admin then no need to add domainId in the query param
     // Also if there are domain restriction on the subject context via role
@@ -691,8 +693,8 @@ public static void addDomainQueryParam(SecurityContext securityContext, ListFilt
         filter.addQueryParam(
             "domainId", getCommaSeparatedIdsFromRefs(subjectContext.getUserDomains()));
       } else {
-        // TODO: Hack :(
-        filter.addQueryParam("domainId", "null");
+        filter.addQueryParam("domainId", NULL_PARAM);
+        filter.addQueryParam("entityType", entityType);
       }
     }
   }