fix: ensure project exists and is accessible when creating resource #4005

Author: ymarcon

opal-core-ws/src/main/java/org/obiba/opal/web/project/resource/ProjectResourceReferenceResource.java

@@ -14,6 +14,8 @@
 import org.obiba.magma.security.Authorizer;
 import org.obiba.magma.security.shiro.ShiroAuthorizer;
 import org.obiba.opal.core.domain.ResourceReference;
+import org.obiba.opal.core.service.NoSuchProjectException;
+import org.obiba.opal.core.service.ProjectService;
 import org.obiba.opal.core.service.ResourceReferenceService;
 import org.obiba.opal.r.service.RServerManagerService;
 import org.obiba.opal.spi.r.RServerException;
@@ -37,14 +39,18 @@ public class ProjectResourceReferenceResource implements BaseResource {
 
   private final RServerManagerService rServerManagerService;
 
+  private final ProjectService projectService;
+
   @Autowired
-  public ProjectResourceReferenceResource(ResourceReferenceService resourceReferenceService, RServerManagerService rServerManagerService) {
+  public ProjectResourceReferenceResource(ResourceReferenceService resourceReferenceService, RServerManagerService rServerManagerService, ProjectService projectService) {
     this.resourceReferenceService = resourceReferenceService;
     this.rServerManagerService = rServerManagerService;
+    this.projectService = projectService;
   }
 
   @GET
   public Projects.ResourceReferenceDto get(@PathParam("project") String project, @PathParam("name") String name) {
+    checkProject(project);
     ResourceReference reference = resourceReferenceService.getResourceReference(project, name);
     return Dtos.asDto(reference, resourceReferenceService.createResource(reference), isEditable(project, name));
   }
@@ -54,6 +60,7 @@ public Response update(@PathParam("project") String project, @PathParam("name")
     // check same project
     if (!project.equals(referenceDto.getProject()))
       throw new IllegalArgumentException("Expecting a resource of project: " + project);
+    checkProject(project);
     // check it is not a creation
     ResourceReference originalReference = resourceReferenceService.getResourceReference(project, name);
     ResourceReference updatedReference = Dtos.fromDto(referenceDto);
@@ -70,6 +77,7 @@ public Response update(@PathParam("project") String project, @PathParam("name")
   @PUT
   @Path("_test")
   public Response test(@PathParam("project") String project, @PathParam("name") String name) throws RServerException {
+    checkProject(project);
     ResourceAssignROperation rop = resourceReferenceService.asAssignOperation(project, name, "rsrc");
     // test in the R server where the resource provider is defined
     rServerManagerService.getRServerWithPackages(rop.getRequiredPackages()).execute(rop);
@@ -78,6 +86,7 @@ public Response test(@PathParam("project") String project, @PathParam("name") St
 
   @DELETE
   public Response delete(@PathParam("project") String project, @PathParam("name") String name) {
+    checkProject(project);
     resourceReferenceService.delete(project, name);
     return Response.noContent().build();
   }
@@ -86,4 +95,16 @@ private boolean isEditable(String project, String name) {
     return authorizer.isPermitted("rest:/project/" + project + "/resource/" + name + ":PUT");
   }
 
+  private boolean isReadable(String project) {
+    return authorizer.isPermitted("rest:/project/" + project + ":GET");
+  }
+
+  /**
+   * Ensure project exists and is readable.
+   *
+   * @param name
+   */
+  private void checkProject(String name) {
+    if (!projectService.hasProject(name) || !isReadable(name)) throw new NoSuchProjectException(name);
+  }
 }

opal-core-ws/src/main/java/org/obiba/opal/web/project/resource/ProjectResourceReferencesResource.java

@@ -14,6 +14,8 @@
 import org.obiba.magma.security.Authorizer;
 import org.obiba.magma.security.shiro.ShiroAuthorizer;
 import org.obiba.opal.core.domain.ResourceReference;
+import org.obiba.opal.core.service.NoSuchProjectException;
+import org.obiba.opal.core.service.ProjectService;
 import org.obiba.opal.core.service.ResourceReferenceService;
 import org.obiba.opal.web.BaseResource;
 import org.obiba.opal.web.model.Projects;
@@ -29,7 +31,6 @@
 import java.util.Comparator;
 import java.util.List;
 import java.util.stream.Collectors;
-import java.util.stream.StreamSupport;
 
 @Component
 @Path("/project/{name}/resources")
@@ -39,13 +40,17 @@ public class ProjectResourceReferencesResource implements BaseResource {
 
   private final ResourceReferenceService resourceReferenceService;
 
+  private final ProjectService projectService;
+
   @Autowired
-  public ProjectResourceReferencesResource(ResourceReferenceService resourceReferenceService) {
+  public ProjectResourceReferencesResource(ResourceReferenceService resourceReferenceService, ProjectService projectService) {
     this.resourceReferenceService = resourceReferenceService;
+    this.projectService = projectService;
   }
 
   @GET
   public List<Projects.ResourceReferenceDto> list(@PathParam("name") String name, @QueryParam("safe") @DefaultValue("true") Boolean safe) {
+    checkProject(name);
     return resourceReferenceService.getResourceReferences(name).stream()
         .sorted(Comparator.comparing(ResourceReference::getName))
         .map(ref -> Dtos.asDto(ref, resourceReferenceService.createResource(ref), !safe && isEditable(name, ref.getName())))
@@ -56,6 +61,7 @@ public List<Projects.ResourceReferenceDto> list(@PathParam("name") String name,
   public Response createResourceReference(@Context UriInfo uriInfo, @PathParam("name") String name, Projects.ResourceReferenceDto referenceDto) {
     if (!name.equals(referenceDto.getProject()))
       throw new IllegalArgumentException("Expected project name: " + name);
+    checkProject(referenceDto.getProject());
 
     ResourceReference reference = Dtos.fromDto(referenceDto);
     resourceReferenceService.save(reference);
@@ -65,6 +71,7 @@ public Response createResourceReference(@Context UriInfo uriInfo, @PathParam("na
 
   @DELETE
   public Response deleteAll(@PathParam("name") String name, @QueryParam("names") List<String> names) {
+    checkProject(name);
     if (names != null && !names.isEmpty())
       names.forEach(n -> resourceReferenceService.delete(name, n));
     else
@@ -75,4 +82,17 @@ public Response deleteAll(@PathParam("name") String name, @QueryParam("names") L
   private boolean isEditable(String project, String name) {
     return authorizer.isPermitted("rest:/project/" + project + "/resource/" + name + ":PUT");
   }
+
+  private boolean isReadable(String project) {
+    return authorizer.isPermitted("rest:/project/" + project + ":GET");
+  }
+
+  /**
+   * Ensure project exists and is readable.
+   *
+   * @param name
+   */
+  private void checkProject(String name) {
+    if (!projectService.hasProject(name) || !isReadable(name)) throw new NoSuchProjectException(name);
+  }
 }