Create Latest Release - sec fixes (#491)

* First pass at new consumers table. * Stub out filters. * Finish base filter behavior. * Finish basic POC of filters. * Fix up consumers list page. * Add proper id to search logic * First pass at approval dialog * First pass at laying out access request dialog. * Add working forms. * Fix possible empty object * Proxy access requests. * Add missing allowed query. * Touch up some files. * Wire up conditional select options. * Wire up auth and controls. * Bubble controls up to the top level. * Finish forms and add data-testids * First pass at new consumers table. * Stub out filters. * Finish base filter behavior. * Finish basic POC of filters. * Fix up consumers list page. * Add proper id to search logic * First pass at consumers unit tests. * Fix type error. * Unit tests for consumers index page functionality. * Add mocks for access request * Fix some tests, start grant access dialog * Add tests for request details and controls * Add more unit tests for access requests so consumers page tests can be lighter * Dialog and controls tests. * Add grant access dialog tests. * Clean up consumers tests. * First pass at detail page layout. * Add restrictions. * Handle restrictions * UI layout tweaks and add edit form. * First pass at editing controls. * Finish first pass at refactor of consumers. * Update tests. * Finish IP restrictions test. * Fix up tests. * Add some coverage and fix broken tests. * Add some edit dialog tests * initial backend changes for getFilteredNamespaceConsumers * add backend for getNamespaceConsumerAccess * put back application owner in detail page * upd backend support for getConsumerProdEnvAccess * Update tests, organize MSW directory and add new consumers page query * backend getConsumerProdEnvAccess query * upd tests for backend * upd backend ConsumerProdEnvAccess object * Wire up auth, wire up UI for new API changes. * upd services for consumer access detail * Wire up edit dialog with new API. * Fix type errors * Fix some props access on the consumers detail page. * Remove debugger * upd backend updateConsumerAccess and saveConsumerLabels * adj request details on consumer * Update edit dialog and mock data. * Add app owner. * upd app owner for consumer detail and graphql whitelist * upd whitelist for access review * add allConsumerGroupLabels * Add new manage labels dialog. * tweak grant access dialog * upd permissions and whitelist for saving labels * Added Scenarios for Refresh Credentials, API Test and update existing client credential scenarios * Wire up manage labels on consumers index page. * Update grant access dialog * add filter for consumer list * add filter for consumer list * add revokeAccessFromConsumer backend call * for grant access scopes and roles are optional * add revokeAccessFromConsumer backend call * request details optional on edit dialog * 1) Change config of oauth2 proxy and keycloak 2) Update cypress tests * Refactor filters. * filters structure for labels changed a bit * Use names in filters instead of ids. Prevent duplicates * wire up filtering for consumers * wire up consumer scope and role backend for filter selection * Wire up labels to the UI * fix failing build * add backend scope search logic * Add loading state to filters. * Add new add label group interface. * new whitelist query for manage labels * save labels remove blank label * Update labels functionality, rework filters. * add whitelist for consumer list query * consumer read for api owner * fix a ssr invalid query * Cache fixes, proper naming in request dialog * Add caching to filters, minor UI improvements. * updates for consumer plugins * fix edit consumer * disable filtering * handle services not linked to products * inc whitelist for reject request * fix plugin matching for consumer detail * filter bug * Fix the filters when no session storage. * upd plugin service and route lisst * add role update for consumer * Add labels to access request * Add test-ids * resource tune for proto-generic-api and -mongodb * wire up labels on access request * remove dev,test,prod on push from ci-build-deploy * Add revoke and hide application row if null * fix for revoking access * missing whitelist for revoke access * 1)updated scenarios as per new Consumer UI 2)Added data-testid in filrwes.tsx page 3)Update keystone db schema as per new changes * upd query types * upd types * remove svc accts from consumer list and fix plugin error * stop using service access id in consumer list * fix consumer product edit dialog * improve plugin update comparison * upd plugins when grant new product to consumer * remove from whitelist the deleteGatewayConsumer * delete consumer upds * fix my access and access lists * dedup list of scopes * Add some custom error messages * Remove bcsc user menu option * Use unified error in toasts * fix 427 api key not getting deleted * resolve 443 creds for jwt key pair * fix org dataset operations * Standardize toasts to all be closable with only a startcase capitalized * add test branch back in to ci-build-deploy * fix revoke access whitelist * Comment out flaky verification step * fix ci-build-deploy indent * Fix yaml formatting * add in resources * run as production when starting keystone * fix allProductsByNamespace showing too much * fix unable to load form for access request * fix gateway services showing too many services * Added Test to verify directory details for the namespace that has no directory * Added test to verify namespace having no directory * improve log security * fix wrong role for identity provider * fix ds api error response dataset * fix business profile not displaying * remove old pages for requests * Update expected status code when call the API with non exist directory ID Co-authored-by: Joshua Jones <[email protected]> Co-authored-by: ikethecoder <[email protected]> Co-authored-by: Niraj Patel <[email protected]> Co-authored-by: nirajCITZ <[email protected]> Co-authored-by: Justin Tendeck <[email protected]> Co-authored-by: ikethecoder <[email protected]> Co-authored-by: jTendeck <[email protected]>
bcgov · Aug 17, 2022 · 3ae1d2b · 3ae1d2b
1 parent f1aae30
commit 3ae1d2b
Show file tree

Hide file tree

Showing 31 changed files with 448 additions and 586 deletions.
diff --git a/e2e/cypress/tests/08-aps-api/06-api-directory.ts b/e2e/cypress/tests/08-aps-api/06-api-directory.ts
@@ -160,10 +160,21 @@ describe('API Tests for Updating dataset', () => {
         })
     })
 
-    it('Get the namespace directory details (/namespaces/{ns}/directory) and verify the success code in the response', () => {
+    it('Get the namespace directory details (/namespaces/{ns}/directory) and verify the success code and empty response for the namespace with no directory', () => {
         cy.get('@apiowner').then(({ apiTest }: any) => {
             cy.get('@api').then(({ apiDirectory }: any) => {
                 cy.makeAPIRequest(apiDirectory.endPoint + '/' + apiTest.namespace + '/directory', 'GET').then((res) => {
+                    expect(res.status).to.be.equal(200)
+                    expect(res.body).to.be.empty
+                })
+            })
+        })
+    })
+
+    it('Get the namespace directory details (/namespaces/{ns}/directory) and verify the success code in the response', () => {
+        cy.get('@apiowner').then(({ namespace }: any) => {
+            cy.get('@api').then(({ apiDirectory }: any) => {
+                cy.makeAPIRequest(apiDirectory.endPoint + '/' + namespace + '/directory', 'GET').then((res) => {
                     expect(res.status).to.be.equal(200)
                     response = res.body[0]
                     directoryID = res.body[0].id
@@ -180,16 +191,26 @@ describe('API Tests for Updating dataset', () => {
     // })
 
     it('Get the namespace directory details by its ID (/namespaces/{ns}/directory/{id}) and verify the success code in the response', () => {
-        cy.get('@apiowner').then(({ apiTest }: any) => {
+        cy.get('@apiowner').then(({ namespace }: any) => {
             cy.get('@api').then(({ apiDirectory }: any) => {
-                cy.makeAPIRequest(apiDirectory.endPoint + '/' + apiTest.namespace + '/directory' + '/' + directoryID, 'GET').then((res) => {
+                cy.makeAPIRequest(apiDirectory.endPoint + '/' + namespace + '/directory' + '/' + directoryID, 'GET').then((res) => {
                     expect(res.status).to.be.equal(200)
                     expect(res.body.name).to.be.equal(directoryName)
                 })
             })
         })
     })
 
+    it('Get the namespace directory details (/namespaces/{ns}/directory/{id}) for non exist directory ID and verify the response code', () => {
+        cy.get('@apiowner').then(({ namespace }: any) => {
+            cy.get('@api').then(({ apiDirectory }: any) => {
+                cy.makeAPIRequest(apiDirectory.endPoint + '/' + namespace + '/directory' + '/99' , 'GET').then((res) => {
+                    expect(res.status).to.be.oneOf([404,422])
+                })
+            })
+        })
+    })
+
     it('Delete the dataset (/organizations/{org}/datasets/{name}) and verify the success code in the response', () => {
         cy.get('@apiowner').then(({ apiTest }: any) => {
             cy.get('@api').then(({ apiDirectory, organization }: any) => {

diff --git a/src/admin-hooks.js b/src/admin-hooks.js
@@ -1,42 +1,44 @@
-
-
-const HelloPage = require.resolve('./pages/hello')
-const Placeholder = require.resolve('./pages/placeholder')
-
 module.exports = {
-    pages: [
-        {
-            label: 'Dashboard',
-            path: '',
-            component: Placeholder,
-        },
-        {
-            label: 'Workflow',
-            children: ['AccessRequest', 'Application', 'ServiceAccess', 'Activity'],
-        },
-        {
-            label: 'Products',
-            children: ['Product', 'Environment', 'CredentialIssuer', 'Content', 'Legal'],
-        },
-        {
-            label: 'Monitoring',
-            children: ['Alert', 'Metric'],
-        },
-        {
-            label: 'Session',
-            children: ['TemporaryIdentity'],
-        },
-        {
-            label: 'Keycloak',
-            children: ['User'],
-        },
-        {
-            label: 'Kong',
-            children: ['GatewayService', 'GatewayRoute', 'GatewayConsumer', 'GatewayGroup', 'GatewayPlugin'],
-        },
-        {
-            label: 'BCDC',
-            children: ['Organization', 'OrganizationUnit', 'Dataset'],
-        }
-    ]
-}
+  pages: [
+    {
+      label: 'Workflow',
+      children: ['AccessRequest', 'Application', 'ServiceAccess', 'Activity'],
+    },
+    {
+      label: 'Products',
+      children: [
+        'Product',
+        'Environment',
+        'CredentialIssuer',
+        'Content',
+        'Legal',
+      ],
+    },
+    {
+      label: 'Monitoring',
+      children: ['Alert', 'Metric'],
+    },
+    {
+      label: 'Session',
+      children: ['TemporaryIdentity'],
+    },
+    {
+      label: 'Keycloak',
+      children: ['User'],
+    },
+    {
+      label: 'Kong',
+      children: [
+        'GatewayService',
+        'GatewayRoute',
+        'GatewayConsumer',
+        'GatewayGroup',
+        'GatewayPlugin',
+      ],
+    },
+    {
+      label: 'BCDC',
+      children: ['Organization', 'OrganizationUnit', 'Dataset'],
+    },
+  ],
+};
diff --git a/src/api-openapi.js b/src/api-openapi.js
@@ -92,23 +92,26 @@ class ApiOpenapiApp {
           code: err.code,
           message: err.message,
         });
-      }
-      if (err instanceof ValidateError) {
+      } else if (err instanceof ValidateError) {
         console.warn(`Caught Validation Error for ${req.path}:`, err.fields);
         return res.status(422).json({
           message: 'Validation Failed',
           details: err?.fields,
         });
-      }
-      if (err instanceof AssertionError) {
-        logger.error(err);
-        logger.error('AssertionError PATH: %s', req.path);
-        return res.status(422).json({
-          message: err.message,
-        });
-      }
-
-      if (err instanceof Error) {
+      } else if (err instanceof AssertionError) {
+        // For some reason `message` is what the `stack` is normally
+        // so just grab the first line and return that
+        const response = {
+          message: 'Failed an assertion',
+        };
+        try {
+          logger.warn('Error message %s', err.message);
+          response.message = err.message.split('\n')[0];
+        } catch (e) {
+          logger.warn('Failed to parse error message %s', e);
+        }
+        return res.status(422).json(response);
+      } else if (err instanceof Error) {
         logger.error(err);
         logger.error('Error PATH: %s', req.path);
         return res.status(500).json({

diff --git a/src/auth/auth-oauth2-proxy.js b/src/auth/auth-oauth2-proxy.js
@@ -228,7 +228,7 @@ class Oauth2ProxyAuthStrategy {
         try {
           const rpt = jwtDecoder(accessToken);
           const jti = req['oauth_user']['jti']; // JWT ID - Unique Identifier for the token
-          const username = req['oauth_user']['preferred_username']; // Username included in token
+          const identityProvider = req['oauth_user']['identity_provider']; // Identity Provider included in token
           // The oauth2_proxy is handling the refresh token; so there can be a new jti
           logger.info(
             '[ns-switch] %s -> %s : %s',
@@ -239,7 +239,7 @@ class Oauth2ProxyAuthStrategy {
           await this.assign_namespace(
             req.user.jti,
             jti,
-            username,
+            identityProvider,
             rpt['authorization']['permissions'][0]
           );
           res.json({ switch: true });

diff --git a/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-3a56c3.gql b/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-3a56c3.gql
@@ -0,0 +1,18 @@
+
+  query GetBusinessProfile($consumerId: ID!) {
+    BusinessProfile(serviceAccessId: $consumerId) {
+      institution {
+        legalName
+        address {
+          addressLine1
+          addressLine2
+          city
+          postal
+          province
+          country
+        }
+        isSuspended
+        businessTypeOther
+      }
+    }
+  }
diff --git a/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-4dbd7b.gql b/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-4dbd7b.gql
@@ -0,0 +1,18 @@
+
+  query GetBusinessProfile($consumerId: ID!) {
+    BusinessProfile(consumerId: $consumerId) {
+      institution {
+        legalName
+        address {
+          addressLine1
+          addressLine2
+          city
+          postal
+          province
+          country
+        }
+        isSuspended
+        businessTypeOther
+      }
+    }
+  }
diff --git a/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-5d889f.gql b/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-5d889f.gql
@@ -0,0 +1,29 @@
+
+  query GetAccessRequests {
+    allAccessRequestsByNamespace(where: { isComplete_not: true }) {
+      id
+      name
+      additionalDetails
+      communication
+      createdAt
+      requestor {
+        name
+      }
+      application {
+        name
+      }
+      productEnvironment {
+        id
+        name
+        additionalDetailsToRequest
+        product {
+          name
+        }
+      }
+      serviceAccess {
+        consumer {
+          id
+        }
+      }
+    }
+  }
diff --git a/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-f5a769.gql b/src/authz/graphql-whitelist/httplocalhost4180managerconsumers-f5a769.gql
@@ -0,0 +1,16 @@
+
+  query RequestDetailsBusinessProfile($consumerId: ID!) {
+    BusinessProfile(consumerId: $consumerId) {
+      institution {
+        legalName
+        address {
+          addressLine1
+          addressLine2
+          city
+          postal
+          province
+          country
+        }
+      }
+    }
+  }
diff --git a/src/authz/matrix.csv b/src/authz/matrix.csv
@@ -67,9 +67,9 @@ NS MANAGER,,getNamespaceConsumerAccess,,,,,,,api-owner,,,allow,
 NS MANAGER,,allConsumerGroupLabels,,,,,,,api-owner,,,allow,
 NS MANAGER,,allConsumerScopesAndRoles,,,,,,,api-owner,,,allow,
 NS MANAGER,,getConsumerProdEnvAccess,,,,,,,api-owner,,,allow,
-NS MANAGER,,allProductsByNamespace,,,,,,,api-owner,,,allow,
-NS MANAGER,,allGatewayServicesByNamespace,,,,,,,api-owner,,,allow,
-NS MANAGER,,getFilteredNamespaceConsumers,,,,,,,api-owner,,,allow,
+NS MANAGER,,allProductsByNamespace,,,,,,,api-owner,,,allow,filterByUserNS
+NS MANAGER,,allGatewayServicesByNamespace,,,,,,,api-owner,,,allow,filterByUserNS
+NS MANAGER,,getFilteredNamespaceConsumers,,,,,,,api-owner,,,allow,filterByUserNS
 API Owner Role Rules,,,AccessRequest,read,,,,,,,"api-owner,provider-user",allow,
 API Owner Role Rules,,,Activity,read,,,,,,,"api-owner,provider-user",allow,filterByUserNS
 API Owner Role Rules,,,Alert,,read,,,,,,"api-owner,provider-user",allow,
@@ -87,7 +87,6 @@ API Owner Role Rules,,forceDeleteEnvironment,,,,,,,api-owner,,,allow,
 API Owner Role Rules,,,Environment,read,,,,,,,"api-owner,provider-user",allow,
 API Owner Role Rules,,,Environment,create,,,,,api-owner,,,allow,
 API Owner Role Rules,,,Environment,update,,,,,api-owner,,,allow,
-,,,,,,,,,,,,,
 API Owner Role Rules,,,Label,read,,,,,api-owner,,,allow,
 API Owner Role Rules,,,GatewayConsumer,,"read,update,delete",,,,api-owner,,,allow,
 API Owner Role Rules,,,GatewayConsumer,create,,,,,api-owner,,,allow,
@@ -199,8 +198,7 @@ API Owner Role Rules,,allGatewayRoutesByNamespace,,,,,,,,,"api-owner,provider-us
 API Owner Role Rules,,allProductsByNamespace,,,,,,,,,"api-owner,provider-user",allow,filterByUserNS
 API Owner Role Rules,,allNamespaceServiceAccounts,,,,,,,,,"api-owner,provider-user",allow,filterByUserNS
 API Owner Role Rules,,allCredentialIssuersByNamespace,,,,,,,,,"api-owner,provider-user",allow,filterByUserNS
-,,allProductsByNamespace,,,,,,,,,portal-user,allow,
-,,,,,,,,,,,,,
+Portal User or Guest,,allProductsByNamespace,,,,,,,,,portal-user,allow,filterByUserNS
 Portal User or Guest,,allDiscoverableContents,,,,,,,,,"portal-user,guest",allow,filterByNamespaceOrPublic
 Portal User or Guest,,allDiscoverableProducts,,,,,,,,,"portal-user,guest",allow,filterByActiveEnvironment
 Portal User or Guest,,allProducts,,,,,,,,,"portal-user,guest",allow,

diff --git a/src/controllers/v2/NamespaceDirectoryController.ts b/src/controllers/v2/NamespaceDirectoryController.ts
@@ -12,6 +12,7 @@ import { KeystoneService } from '../ioc/keystoneInjector';
 import { inject, injectable } from 'tsyringe';
 import { transform, transformSetAnonymous } from './DirectoryController';
 import { gql } from 'graphql-request';
+import { strict as assert } from 'assert';
 
 @injectable()
 @Route('/namespaces/{ns}/directory')
@@ -47,9 +48,11 @@ export class NamespaceDirectoryController extends Controller {
       variables: { id },
     });
 
-    if (result.data.allProductsByNamespace.length == 0) {
-      return null;
-    }
+    assert.strictEqual(
+      result.data.allProductsByNamespace?.length === 1,
+      true,
+      'Dataset not found'
+    );
 
     return transform(
       transformSetAnonymous(result.data.allProductsByNamespace)

diff --git a/src/lists/extensions/BusinessProfile.ts b/src/lists/extensions/BusinessProfile.ts
@@ -1,9 +1,10 @@
 import { EnforcementPoint } from '../../authz/enforcement';
-
-import { lookupCredentialReferenceByServiceAccess } from '../../services/keystone';
-
 import { ConfigService } from '../../services/config.service';
 import { BCeIDService } from '../../services/bceid/bceid.service';
+import { getNamespaceConsumerAccess } from '../../services/workflow';
+import { Logger } from '../../logger';
+
+const logger = Logger('List.Ext.BusProfile');
 
 const typeBusinessProfile = `
 type BusinessProfile {
@@ -58,29 +59,24 @@ module.exports = {
         ],
         queries: [
           {
-            schema: 'BusinessProfile(serviceAccessId: ID!): BusinessProfile',
+            schema: 'BusinessProfile(consumerId: ID!): BusinessProfile',
             resolver: async (
               item: any,
-              args: any,
+              { consumerId }: any,
               context: any,
               info: any,
               { query, access }: any
             ) => {
-              const serviceAccess = await lookupCredentialReferenceByServiceAccess(
+              const namespace = context.req.user.namespace;
+              const consumer = await getNamespaceConsumerAccess(
                 context,
-                args.serviceAccessId
+                namespace,
+                consumerId
               );
+              logger.debug('%s -> %j', consumerId, consumer.owner);
 
-              const fullUsername = serviceAccess.application?.owner.username;
-
-              if (
-                fullUsername != null &&
-                fullUsername.endsWith('@bceid-business')
-              ) {
-                const username = fullUsername.substring(
-                  0,
-                  fullUsername.lastIndexOf('@')
-                );
+              if (consumer.owner?.provider === 'bceid-business') {
+                const username = consumer.owner?.providerUsername;
 
                 const bc = new BCeIDService(new ConfigService());
                 return await bc.getAccountDetails(username);

diff --git a/src/nextapp/components/access-request/access-requests-list.tsx b/src/nextapp/components/access-request/access-requests-list.tsx
@@ -60,6 +60,11 @@ const query = gql`
           name
         }
       }
+      serviceAccess {
+        consumer {
+          id
+        }
+      }
     }
   }
 `;
-Original file line number
+Diff line change
@@ Expand Up / @@ -60,6 +60,11 @@ const query = gql` @@
               name
             }
           }
+          serviceAccess {
+            consumer {
+              id
+            }
+          }
         }
       }
     `;