[ODS-6031] Modify error codes for missing references related to autho…

…rization (#857)
Ed-Fi-Alliance-OSS · Oct 24, 2023 · 5861114 · 5861114
1 parent 62c40e4
commit 5861114
Show file tree

Hide file tree

Showing 4 changed files with 136 additions and 6 deletions.
diff --git a/...ionStrategies/Relationships/RelationshipsAuthorizationStrategyFilterDefinitionsFactory.cs b/...ionStrategies/Relationships/RelationshipsAuthorizationStrategyFilterDefinitionsFactory.cs
@@ -7,6 +7,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using EdFi.Ods.Api.Security.Authorization;
+using EdFi.Ods.Api.Security.Authorization.Repositories;
 using EdFi.Ods.Api.Security.AuthorizationStrategies.Relationships.Filters;
 using EdFi.Ods.Common.Database.NamingConventions;
 using EdFi.Ods.Common.Database.Querying;
@@ -111,8 +112,10 @@ private InstanceAuthorizationResult AuthorizeInstance(
             {
                 if (filterContext.SubjectEndpointName.EndsWith("USI"))
                 {
-                    throw new EdFiSecurityConflictException(
-                        $"Access to the resource item could not be authorized because the '{filterContext.SubjectEndpointName.Substring(0, filterContext.SubjectEndpointName.Length - 3)}' was not found.");
+                    var subjectSubstring = filterContext.SubjectEndpointName.Substring(
+                        0, filterContext.SubjectEndpointName.Length - 3);
+                    throw new EdFiSecurityException(
+                        $"Authorization denied. Either referenced '{subjectSubstring}' was not found or no relationships have been established between the caller's education organization id claims ({string.Join(", ", filterContext.ClaimParameterValues)}) and the referenced '{subjectSubstring}'.");
                 }
 
                 throw new EdFiSecurityException(

diff --git a/Application/EdFi.Ods.Common/Attributes/RequiredWithNonDefaultAttribute.cs b/Application/EdFi.Ods.Common/Attributes/RequiredWithNonDefaultAttribute.cs
@@ -5,6 +5,7 @@
 
 using System.ComponentModel.DataAnnotations;
 using EdFi.Ods.Common.Extensions;
+using EdFi.Ods.Common.Security;
 
 namespace EdFi.Ods.Common.Attributes
 {
@@ -53,11 +54,12 @@ protected override ValidationResult IsValid(object value, ValidationContext vali
                 return ValidationResult.Success;
             }
 
-            var validationMessage = _referenceName != null
-                ? $"{_referenceName} reference could not be resolved."
-                : $"{validationContext.DisplayName} is required.";
+            if (_referenceName != null)
+            {
+                throw new EdFiSecurityConflictException($"Access to the resource item could not be authorized because the '{_referenceName}' was not found.");
+            }
 
-            return new ValidationResult(validationMessage);
+            return new ValidationResult($"{validationContext.DisplayName} is required.");
         }
     }
 }
diff --git a/Application/EdFi.Ods.Common/Extensions/ValidatorExtensions.cs b/Application/EdFi.Ods.Common/Extensions/ValidatorExtensions.cs
@@ -8,6 +8,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.Reflection;
 using EdFi.Ods.Common.Exceptions;
+using EdFi.Ods.Common.Security;
 using log4net;
 
 namespace EdFi.Ods.Common.Extensions
@@ -38,6 +39,11 @@ public static ICollection<ValidationResult> ValidateObject(this IEnumerable<IObj
                         // Allow error translation to be performed for desired HTTP response status
                         throw;
                     }
+                    catch (EdFiSecurityConflictException)
+                    {
+                        // Allow error translation to be performed for desired HTTP response status
+                        throw;
+                    }
                     catch (Exception ex)
                     {
                         _logger.Error($"Validation exception [{ex.GetType()}]: {ex.StackTrace}", ex);

diff --git a/...man Test Suite/Ed-Fi ODS-API Integration Test Suite ResponseTests.postman_collection.json b/...man Test Suite/Ed-Fi ODS-API Integration Test Suite ResponseTests.postman_collection.json
@@ -5250,6 +5250,125 @@
 									]
 								}
 							]
+						},
+						{
+							"name": "when_posting_an_association_where_resource_does_not_exist",
+							"item": [
+								{
+									"name": "api_should_fail_with_403_code",
+									"item": [
+										{
+											"name": "api_should_fail_with_403_forbidden",
+											"event": [
+												{
+													"listen": "test",
+													"script": {
+														"exec": [
+															"pm.test(\"Status code is 403\", () => {\r",
+															"    pm.expect(pm.response.code).to.equal(403);\r",
+															"});\r",
+															"\r",
+															"pm.test(\"Should return a message indicating that authorization was denied, staff was not found.\", () => {\r",
+															"    const responseItem = pm.response.json();\r",
+															"     pm.expect(responseItem).to.deep.include({\r",
+															"      \"message\": \"Authorization denied. Either referenced \\'Staff\\' was not found or no relationships have been established between the caller\\'s education organization id claims (255901) and the referenced \\'Staff\\'.\",\r",
+															"      \"correlationId\": pm.environment.get('correlationId')\r",
+															"    });\r",
+															"});\r",
+															"\r",
+															""
+														],
+														"type": "text/javascript"
+													}
+												}
+											],
+											"request": {
+												"method": "POST",
+												"header": [
+													{
+														"key": "Content-Type",
+														"value": "application/json",
+														"type": "text"
+													}
+												],
+												"body": {
+													"mode": "raw",
+													"raw": "{    \r\n    \"staffReference\": {\r\n      \"staffUniqueId\": \"999999\"\r\n    },\r\n    \"beginDate\": \"2022-08-26\",\r\n    \"staffLeaveEventCategoryDescriptor\": \"uri://ed-fi.org/StaffLeaveEventCategoryDescriptor#Personal\"\r\n}"
+												},
+												"url": {
+													"raw": "{{ApiBaseUrl}}/data/v3/ed-fi/staffLeaves",
+													"host": [
+														"{{ApiBaseUrl}}"
+													],
+													"path": [
+														"data",
+														"v3",
+														"ed-fi",
+														"staffLeaves"
+													]
+												}
+											},
+											"response": []
+										}
+									]
+								},
+								{
+									"name": "api_should_fail_with_409_code",
+									"item": [
+										{
+											"name": "api_should_fail_with_409_conflict",
+											"event": [
+												{
+													"listen": "test",
+													"script": {
+														"exec": [
+															"pm.test(\"Status code is 409\", () => {\r",
+															"    pm.expect(pm.response.code).to.equal(409);\r",
+															"});\r",
+															"\r",
+															"pm.test(\"Should return a message indicating that access was denied, student was not found.\", () => {\r",
+															"    const responseItem = pm.response.json();\r",
+															"     pm.expect(responseItem).to.deep.include({\r",
+															"      \"message\": \"Access to the resource item could not be authorized because the \\'Student\\' was not found.\",\r",
+															"      \"correlationId\": pm.environment.get('correlationId')\r",
+															"    });\r",
+															"});"
+														],
+														"type": "text/javascript"
+													}
+												}
+											],
+											"request": {
+												"method": "POST",
+												"header": [
+													{
+														"key": "Content-Type",
+														"value": "application/json",
+														"type": "text"
+													}
+												],
+												"body": {
+													"mode": "raw",
+													"raw": "{    \r\n    \"schoolReference\": {\r\n      \"schoolId\": \"255901001\"\r\n    },\r\n    \"studentReference\": {\r\n      \"studentUniqueId\": \"999999\"\r\n    },\r\n    \"entryDate\": \"2021-08-23\",\r\n    \"entryGradeLevelDescriptor\": \"uri://ed-fi.org/GradeLevelDescriptor#Ninth grade\"\r\n  }"
+												},
+												"url": {
+													"raw": "{{ApiBaseUrl}}/data/v3/ed-fi/studentSchoolAssociations",
+													"host": [
+														"{{ApiBaseUrl}}"
+													],
+													"path": [
+														"data",
+														"v3",
+														"ed-fi",
+														"studentSchoolAssociations"
+													]
+												}
+											},
+											"response": []
+										}
+									]
+								}
+							]
 						}
 					]
 				},