fix: SB-29753 optional request.asset.createdBy in createAsset API
beepdot committed Apr 29, 2022
1 parent 2fd2fb6 commit 1a6dd4e
Showing 3 changed files with 52 additions and 1 deletion.
13 changes: 13 additions & 0 deletions kubernetes/opa/content/policies.rego
Expand Up @@ -52,6 +52,19 @@ createAsset {
input.parsed_body.request.asset.createdBy == super.userid
}

# Optional request.asset.createdBy in payload - https://project-sunbird.atlassian.net/browse/SB-29753
createAsset {
acls := ["createAsset"]
roles := ["BOOK_CREATOR", "CONTENT_CREATOR", "COURSE_CREATOR"]
super.acls_check(acls)
# Org check will do an implicit role check so there is no need to invoke super.role_check(roles)
token_organisationids := super.org_check(roles)
x_channel_id in token_organisationids
input.parsed_body.request.asset.channel in token_organisationids
input.parsed_body.request.asset.channel == x_channel_id
not input.parsed_body.request.asset.createdBy
}

updateAsset {
acls := ["updateAsset"]
roles := ["BOOK_CREATOR", "CONTENT_CREATOR", "COURSE_CREATOR"]
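Review bot: The closing clause `not input.parsed_body.request.asset.createdBy` of the new createAsset rule is satisfied not only when the field is absent but also when it is sent as `false`, because Rego's `not` treats a false value the same as an undefined one; such a payload would skip the `createdBy == super.userid` check of the preceding rule. If the intent is "field not supplied", test for key absence instead, e.g. `not "createdBy" in object.keys(input.parsed_body.request.asset)` (on OPA releases without object.keys, `{k | input.parsed_body.request.asset[k] = _}` yields the same set). The rule also repeats the acl, role and channel lines of the existing createAsset rule verbatim; a shared helper rule would keep the two from drifting apart. Presumably the content service fills createdBy from the token when it is omitted; since the policy no longer ties the asset to an identity on this path, that assumption is worth stating in the comment above the rule.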
37 changes: 37 additions & 0 deletions kubernetes/opa/content/policies_test.rego
Expand Up @@ -118,6 +118,43 @@ test_create_asset {
}
}

test_create_asset_without_userid {
data.main.allow.allowed
with data.common.current_time as current_time
with data.common.iss as iss
with input as
{
"attributes": {
"request": {
"http": {
"headers": {
"x-authenticated-user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFjY2Vzc3YxX2tleTEifQ.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.rdczGSAV-wwRrrYDhR4iT12zpWVPjj4tanvp1QV8So6yzbQPEl1Xf6W7REMBPuodqmpum0v1xQelTaMRYfr4YF-wDDwsgpW9o6xIxo1E-pUk0Rev-Rgr1gU9sswXnqI4jQhBzmB-pXak7LqNlHFLUIsC_92UuZaAYPHMlHJPRxXiGRuiFE4-j5pG05JXXagu7FmdJvTimsXy79xKkMfpZXhl_R0lP8dOlDBOZQwejnt8IH2KNQUBuqmOEVNT2AmsIL_AsxTe8lw_-4Wk4fY_KkDQccfOi8P5wzfswFxwyjA-AQFzr5cLuivWGbG6Bu9dn-kXFfab7MjFXkQ-rNB2wQ",
"x-channel-id": "01369878797503692810"
},
"path": "/asset/v4/create"
}
}
},
"parsed_body": {
"request": {
"asset": {
"primaryCategory": "asset",
"language": [
"English"
],
"code": "fe59eba6-5232-2109-f38e-0cee4a86efbd",
"name": "mountainImage",
"mediaType": "image",
"mimeType": "image/jpeg",
"creator": "N11",
"channel": "01369878797503692810",
"keywords": ""
}
}
}
}
}

test_update_asset {
data.main.allow.allowed
with data.common.current_time as current_time
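Review bot: test_create_asset_without_userid covers only the allow path; there is no companion test asserting that a payload carrying a createdBy different from the token's user is still denied, nor one for `"createdBy": false`, so a regression in either createAsset rule would go unnoticed. A `not data.main.allow.allowed` case using the same input plus `"createdBy": "<other-user-id placeholder>"` would pin the intended boundary. The test name says userid while the field being omitted is createdBy; `test_create_asset_without_created_by` would match the rule it exercises.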
3 changes: 2 additions & 1 deletion kubernetes/opa/learner/policies.rego
Expand Up @@ -48,6 +48,7 @@ acceptTermsAndCondition {
input.parsed_body.request.userId == super.userid
}

# Optional request.userId - https://project-sunbird.atlassian.net/browse/SB-29723
acceptTermsAndCondition {
super.public_role_check
not input.parsed_body.request.tncType
Expand Down Expand Up @@ -122,7 +123,7 @@ getUserProfileV5 {
super.role_check(roles)
}

# Allow the API call when using ?withTokens=true as query param since we are retrieving the managed user details and service is already making parent and child check in this endpoint
# Allow the API call when using ?withTokens=true as query param - https://project-sunbird.atlassian.net/browse/SB-29676
getUserProfileV5 {
super.public_role_check
contains(http_request.path, "?withTokens=true")
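Review bot: The rewritten comment above the second getUserProfileV5 rule drops the rationale the old line carried (the service already performs the parent and child check for managed users) and keeps only a ticket link, so the reason this rule may bypass the role check is no longer readable without access to the tracker; keep the explanation next to the link, e.g. `# Allow the API call when using ?withTokens=true as query param: the service itself performs the parent/child check for managed users - https://project-sunbird.atlassian.net/browse/SB-29676`. The same applies to the new comment on the second acceptTermsAndCondition rule, which says userId is optional but not why that is safe. Both rules continue past the end of their hunks.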