Allow access to no org resources to logged-in users

gisaia · Dec 14, 2023 · 82bf122 · 82bf122
1 parent 2e26368
commit 82bf122
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 3 deletions.
diff --git a/...src/main/java/io/arlas/persistence/server/impl/GoogleFirestorePersistenceServiceImpl.java b/...src/main/java/io/arlas/persistence/server/impl/GoogleFirestorePersistenceServiceImpl.java
@@ -234,7 +234,7 @@ public Pair<Long, List<Data>> list(String zone, IdentityParam identityParam, Int
 
     @Override
     public Data get(String zone, String key, IdentityParam identityParam) throws ArlasException {
-        Optional<Data> data = getByZoneKeyOrga(zone, key, identityParam.organisation);
+        Optional<Data> data = getByZoneKeyOrga(zone, key, identityParam);
         if (data.isPresent()) {
             if (PersistenceService.isReaderOnData(identityParam, data.get()) ||
                     PersistenceService.isWriterOnData(identityParam, data.get())) {
@@ -298,7 +298,7 @@ public Data update(String id, String key, IdentityParam identityParam, Set<Strin
                 String zone = data.getDocZone();
                 PersistenceService.checkReadersWritersGroups(zone, identityParam, readers,writers);
                 // If the key is updated, we need to check if a triplet Zone/Key/orga already exist with this new key
-                if(Optional.ofNullable(key).isPresent() && !Optional.ofNullable(key).get().equals(data.getDocKey())){
+                if(key != null && !key.equals(data.getDocKey())){
                     Optional<Data> alreadyExisting = getByZoneKeyOrga(zone, key, List.of(data.getDocOrganization()));
                     if (alreadyExisting.isPresent()) {
                         throw new ArlasException("A resource with zone " + zone + " and key " + key + " already exists.");
@@ -373,6 +373,42 @@ private Optional<Data> getByZoneKeyOrga(String zone, String key, List<String> or
         }
     }
 
+    private Optional<Data> getByZoneKeyOrga(String zone, String key, IdentityParam idp) throws ArlasException {
+
+        try {
+             // get the data matching zone+key whatever the organisation
+            List<Data> res = db.collection(this.collection)
+                    .whereEqualTo(Data.zoneColumn, zone)
+                    .whereEqualTo(Data.keyColumn, key)
+                    .get().get()
+                    .getDocuments()
+                    .stream()
+                    .map(d -> {
+                        try {
+                            return toData(d.getId(), d);
+                        } catch (NotFoundException e) { //can't happen in this case
+                            return null;
+                        }
+                    })
+                    .filter(Objects::nonNull)
+                    // if the data's organisation is the org of the user
+                    .filter(d -> idp.organisation.contains(d.getDocOrganization())
+                            // or the user is anonymous (we don't have an organisation to match with)
+                            || idp.isAnonymous)
+                    .toList();
+
+            if (res.isEmpty()) {
+                return Optional.empty();
+            } else if (res.size() == 1) {
+                return Optional.of(res.get(0));
+            } else {
+                throw new ArlasException("More than one doc for key/zone: need one org to filter properly");
+            }
+        } catch (InterruptedException | ExecutionException e) {
+            throw new ArlasException("Error listing document: " + e.getMessage());
+        }
+    }
+
     private Data getById(String id) throws ArlasException {
         try {
             return toData(id, db.collection(collection).document(id).get().get());

diff --git a/...-core/src/main/java/io/arlas/persistence/server/impl/HibernatePersistenceServiceImpl.java b/...-core/src/main/java/io/arlas/persistence/server/impl/HibernatePersistenceServiceImpl.java
@@ -79,7 +79,7 @@ public Pair list(String zone, IdentityParam identityParam, Integer size, Integer
 
     @Override
     public Data get(String zone, String key, IdentityParam identityParam) throws ArlasException {
-        Optional<Data> data = getByZoneKeyOrga(zone, key, identityParam.organisation);
+        Optional<Data> data = getByZoneKeyOrga(zone, key, identityParam);
         if (data.isPresent()) {
             if (PersistenceService.isReaderOnData(identityParam, data.get()) ||
                     PersistenceService.isWriterOnData(identityParam, data.get())) {
@@ -192,6 +192,29 @@ private Optional<Data> getByZoneKeyOrga(String zone, String key, List<String> or
         return Optional.ofNullable(data);
     }
 
+    private Optional<Data> getByZoneKeyOrga(String zone, String key, IdentityParam idp) throws ArlasException {
+        List<Data> res = currentSession().createQuery("from Data ud"
+                + "    where ud." + Data.zoneColumn + "=:zone"
+                + "    and ud." + Data.keyColumn + "=:key", Data.class)
+                .setParameter("zone", zone)
+                .setParameter("key", key)
+                .list()
+                .stream()
+                // if the data's organisation is the org of the user
+                .filter(d -> idp.organisation.contains(d.getDocOrganization())
+                        // or the user is anonymous (we don't have an organisation to match with)
+                        || idp.isAnonymous)
+                .toList();
+
+        if (res.isEmpty()) {
+            return Optional.empty();
+        } else if (res.size() == 1) {
+            return Optional.of(res.get(0));
+        } else {
+            throw new ArlasException("More than one doc for key/zone: need one org to filter properly");
+        }
+    }
+
     private Data deleteData(Data data, IdentityParam identityParam) throws ForbiddenException {
         if (PersistenceService.isWriterOnData(identityParam, data)) {
             currentSession().delete(data);