GQL-124: Updates permissions for groups (#173)

* GQL-124: Updates permissions for groups

* GQL-124: Adds missing tests, removes console logs

* GQL-124: Adds comments, remove unnecessary test

Author: macrouch

magidoc-template/src/routes/+layout.svelte

@@ -47,7 +47,6 @@ let innerWidth = -1
 let mobile = false
 
 const favicon = get(templates.APP_FAVICON)
-console.log('🚀 ~ +layout.svelte:50 ~ favicon:', favicon)
 
 const unsubscribe = page.subscribe(() => {
   // Mobile

magidoc-template/svelte.config.js

@@ -7,7 +7,6 @@ import { loadVariables } from './magidoc.config.js'
 
 const variables = loadVariables()
 const base = templates.SITE_ROOT.getOrDefault(variables, '')
-console.log('🚀 ~ svelte.config.js:10 ~ base:', base)
 
 /**
  * @type {import('@sveltejs/kit').Config}

src/permissions/__tests__/fallbackError.test.js

@@ -47,8 +47,8 @@ const setupServer = () => (
 )
 const contextValue = {
   dataSources: {},
-  requestId: 'mock-request-id',
-  user: { ursId: 'testUser' }
+  edlUsername: 'testUser',
+  requestId: 'mock-request-id'
 }
 
 describe('fallbackError', () => {
@@ -118,7 +118,9 @@ describe('fallbackError', () => {
       `
 
       const variables = {
-        params: {}
+        params: {
+          tags: ['CMR']
+        }
       }
 
       const result = await server.executeOperation({

src/permissions/__tests__/permissions.test.js

@@ -6,6 +6,8 @@ import permissions from '../index'
 
 import { canCreateProviderGroups } from '../acls/canCreateProviderGroups'
 import { canCreateSystemGroups } from '../acls/canCreateSystemGroups'
+import { canReadGroup } from '../acls/canReadGroup'
+import { canReadProviderGroups } from '../acls/canReadProviderGroups'
 import { canReadSystemGroups } from '../acls/canReadSystemGroups'
 
 import { isLocalMMT } from '../rules/isLocalMMT'
@@ -26,11 +28,12 @@ describe('permissions', () => {
       Query: {
         group: race(
           isLocalMMT,
-          canReadSystemGroups
+          canReadGroup
         ),
         groups: race(
           isLocalMMT,
-          canReadSystemGroups
+          canReadSystemGroups,
+          canReadProviderGroups
         )
       },
       Mutation: {

src/permissions/acls/__tests__/canCreateSystemGroups.test.js

@@ -4,27 +4,28 @@ import * as hasPermission from '../../../utils/hasPermission'
 import { forbiddenError } from '../../../utils/forbiddenError'
 
 describe('canCreateSystemGroups', () => {
-  test('returns true if the user has permission', async () => {
+  test('returns true if the tag is CMR and the user has system permission', async () => {
     vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(true)
 
     const result = await canCreateSystemGroups.resolve(
       null,
-      {},
+      {
+        tag: 'CMR'
+      },
       {
         edlUsername: 'test-user'
       }
     )
-
     expect(result).toEqual(true)
   })
 
-  test('throws a ForbiddenError if the user does not have permission', async () => {
-    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(false)
+  test('throws a ForbiddenError if the tag is not CMR', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(true)
 
     const result = await canCreateSystemGroups.resolve(
       null,
       {
-        tag: 'CMR'
+        tag: 'GQL'
       },
       {
         edlUsername: 'test-user'
@@ -34,8 +35,8 @@ describe('canCreateSystemGroups', () => {
     expect(result).toEqual(forbiddenError('Not authorized to perform [create] on system object [GROUP]'))
   })
 
-  test('returns true if the tag is CMR and the user has system permission', async () => {
-    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(true)
+  test('throws a ForbiddenError if the user does not have permission', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(false)
 
     const result = await canCreateSystemGroups.resolve(
       null,
@@ -46,6 +47,7 @@ describe('canCreateSystemGroups', () => {
         edlUsername: 'test-user'
       }
     )
-    expect(result).toEqual(true)
+
+    expect(result).toEqual(forbiddenError('Not authorized to perform [create] on system object [GROUP]'))
   })
 })

src/permissions/acls/__tests__/canReadGroup.test.js

@@ -0,0 +1,167 @@
+import { canReadGroup } from '../canReadGroup'
+
+import * as hasPermission from '../../../utils/hasPermission'
+import { forbiddenError } from '../../../utils/forbiddenError'
+
+vi.mock('graphql-parse-resolve-info')
+vi.mock('../../../utils/parseRequestedFields')
+
+describe('canReadGroup', () => {
+  describe('when the group is a CMR group', () => {
+    test('returns true if the user has permission', async () => {
+      const hasPermissionMock = vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(true)
+
+      const result = await canReadGroup.resolve(
+        null,
+        {
+          params: {
+            id: '1234-abcd-5678'
+          }
+        },
+        {
+          dataSources: {
+            groupSourceFetch: vi.fn().mockResolvedValue({ tag: 'CMR' })
+          },
+          edlUsername: 'test-user'
+        },
+        {}
+      )
+
+      expect(result).toEqual(true)
+
+      expect(hasPermissionMock).toHaveBeenCalledTimes(1)
+      expect(hasPermissionMock).toHaveBeenCalledWith(
+        expect.any(Object),
+        {
+          permissions: 'read',
+          permissionOptions: {
+            user_id: 'test-user',
+            system_object: 'GROUP'
+          }
+        }
+      )
+    })
+
+    test('throws a ForbiddenError if the user does not have permission', async () => {
+      const hasPermissionMock = vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(false)
+
+      const result = await canReadGroup.resolve(
+        null,
+        {
+          params: {
+            id: '1234-abcd-5678'
+          }
+        },
+        {
+          dataSources: {
+            groupSourceFetch: vi.fn().mockResolvedValue({ tag: 'CMR' })
+          },
+          edlUsername: 'test-user'
+        }
+      )
+
+      expect(result).toEqual(forbiddenError('Not authorized to perform [read] on system object [GROUP]'))
+
+      expect(hasPermissionMock).toHaveBeenCalledTimes(1)
+      expect(hasPermissionMock).toHaveBeenCalledWith(
+        expect.any(Object),
+        {
+          permissions: 'read',
+          permissionOptions: {
+            user_id: 'test-user',
+            system_object: 'GROUP'
+          }
+        }
+      )
+    })
+  })
+
+  describe('when the group is a provider group', () => {
+    test('returns true if the user has permission', async () => {
+      const hasPermissionMock = vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(true)
+
+      const result = await canReadGroup.resolve(
+        null,
+        {
+          params: {
+            id: '1234-abcd-5678'
+          }
+        },
+        {
+          dataSources: {
+            groupSourceFetch: vi.fn().mockResolvedValue({ tag: 'GQL' })
+          },
+          edlUsername: 'test-user'
+        },
+        {}
+      )
+
+      expect(result).toEqual(true)
+
+      expect(hasPermissionMock).toHaveBeenCalledTimes(1)
+      expect(hasPermissionMock).toHaveBeenCalledWith(
+        expect.any(Object),
+        {
+          permissions: 'read',
+          permissionOptions: {
+            provider: 'GQL',
+            target: 'GROUP',
+            user_id: 'test-user'
+          }
+        }
+      )
+    })
+
+    test('throws a ForbiddenError if the user does not have permission', async () => {
+      const hasPermissionMock = vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(false)
+
+      const result = await canReadGroup.resolve(
+        null,
+        {
+          params: {
+            id: '1234-abcd-5678'
+          }
+        },
+        {
+          dataSources: {
+            groupSourceFetch: vi.fn().mockResolvedValue({ tag: 'GQL' })
+          },
+          edlUsername: 'test-user'
+        }
+      )
+
+      expect(result).toEqual(forbiddenError('Not authorized to perform [read] on provider object [GROUP]'))
+
+      expect(hasPermissionMock).toHaveBeenCalledTimes(1)
+      expect(hasPermissionMock).toHaveBeenCalledWith(
+        expect.any(Object),
+        {
+          permissions: 'read',
+          permissionOptions: {
+            provider: 'GQL',
+            target: 'GROUP',
+            user_id: 'test-user'
+          }
+        }
+      )
+    })
+  })
+
+  test('throws a ForbiddenError if the user does not exist', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(false)
+
+    const result = await canReadGroup.resolve(
+      null,
+      {
+        params: {
+          id: '1234-abcd-5678'
+        }
+      },
+      {
+        edlUsername: null
+      }
+    )
+
+    expect(result).toEqual(forbiddenError('Not authorized to perform [read] on system object [GROUP]'))
+  })
+})

src/permissions/acls/__tests__/canReadProviderGroups.test.js

@@ -0,0 +1,97 @@
+import { canReadProviderGroups } from '../canReadProviderGroups'
+
+import * as hasPermission from '../../../utils/hasPermission'
+import { forbiddenError } from '../../../utils/forbiddenError'
+
+describe('canReadProviderGroups', () => {
+  test('returns true if the user has permission', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(true)
+
+    const result = await canReadProviderGroups.resolve(
+      null,
+      {
+        params: {
+          tags: ['GQL']
+        }
+      },
+      {
+        edlUsername: 'test-user'
+      }
+    )
+
+    expect(result).toEqual(true)
+  })
+
+  test('returns true if the user has permission for all tags', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(true)
+
+    const result = await canReadProviderGroups.resolve(
+      null,
+      {
+        params: {
+          tags: ['GQL', 'TEST']
+        }
+      },
+      {
+        edlUsername: 'test-user'
+      }
+    )
+
+    expect(result).toEqual(true)
+  })
+
+  test('throws a ForbiddenError if the user does not have permission', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(false)
+
+    const result = await canReadProviderGroups.resolve(
+      null,
+      {
+        params: {
+          tags: ['GQL']
+        }
+      },
+      {
+        edlUsername: 'test-user'
+      }
+    )
+
+    expect(result).toEqual(forbiddenError('Not authorized to perform [read] on provider object [GROUP]'))
+  })
+
+  test('throws a ForbiddenError if the user does not have permission for all tags', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValueOnce(true)
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValueOnce(false)
+
+    const result = await canReadProviderGroups.resolve(
+      null,
+      {
+        params: {
+          tags: ['GQL', 'TEST']
+        }
+      },
+      {
+        edlUsername: 'test-user'
+      }
+    )
+
+    expect(result).toEqual(forbiddenError('Not authorized to perform [read] on provider object [GROUP]'))
+  })
+
+  test('throws a ForbiddenError if the user does not exist', async () => {
+    vi.spyOn(hasPermission, 'hasPermission').mockResolvedValue(false)
+
+    const result = await canReadProviderGroups.resolve(
+      null,
+      {
+        params: {
+          tags: ['GQL']
+        }
+      },
+      {
+        edlUsername: null
+      }
+    )
+
+    expect(result).toEqual(forbiddenError('Not authorized to perform [read] on provider object [GROUP]'))
+  })
+})