Fixed some more tests

dbrepo-database-service/rest-service/src/main/java/at/tuwien/endpoints/DatabaseEndpoint.java

@@ -274,7 +274,7 @@ public class DatabaseEndpoint {
         log.debug("endpoint find database, containerId={}, databaseId={}", containerId, databaseId);
         final Database database = databaseService.findById(containerId, databaseId);
         final DatabaseDto dto = databaseMapper.databaseToDatabaseDto(database);
-        if (principal != null && database.getOwner().equals(principal)) {
+        if (principal != null && database.getOwner().equalsPrincipal(principal)) {
             /* only owner sees the access rights */ // TODO improve this by proper mapping
             final List<DatabaseAccess> accesses = accessService.list(databaseId);
             dto.setAccesses(accesses.stream()

dbrepo-database-service/rest-service/src/test/java/at/tuwien/service/AccessServiceIntegrationTest.java

@@ -100,7 +100,7 @@ public class AccessServiceIntegrationTest extends BaseUnitTest {
         userRepository.save(USER_2_SIMPLE);
         userRepository.save(USER_3_SIMPLE);
         containerRepository.save(CONTAINER_1_SIMPLE);
-        databaseRepository.save(DATABASE_1);
+        databaseRepository.save(DATABASE_1_SIMPLE);
     }
 
     @AfterEach

dbrepo-metadata-db/entities/src/main/java/at/tuwien/entities/user/User.java

@@ -110,7 +110,7 @@ public class User {
      * @param principal The user principal.
      * @return True if the user are equal, false otherwise.
      */
-    public boolean equals(Principal principal) {
+    public boolean equalsPrincipal(Principal principal) {
         if (principal == null) {
             return false;
         }

dbrepo-query-service/rest-service/src/main/java/at/tuwien/endpoint/StoreEndpoint.java

@@ -12,6 +12,7 @@ import at.tuwien.querystore.Query;
 import at.tuwien.exception.*;
 import at.tuwien.mapper.QueryMapper;
 import at.tuwien.service.*;
+import at.tuwien.validation.EndpointValidator;
 import io.micrometer.core.annotation.Timed;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
@@ -43,17 +44,19 @@ public class StoreEndpoint {
     private final UserService userService;
     private final StoreService storeService;
     private final IdentifierMapper identifierMapper;
+    private final EndpointValidator endpointValidator;
     private final IdentifierService identifierService;
 
     @Autowired
     public StoreEndpoint(UserMapper userMapper, QueryMapper queryMapper, UserService userService,
                          StoreService storeService, IdentifierMapper identifierMapper,
-                         IdentifierService identifierService) {
+                         EndpointValidator endpointValidator, IdentifierService identifierService) {
         this.userMapper = userMapper;
         this.queryMapper = queryMapper;
         this.userService = userService;
         this.storeService = storeService;
         this.identifierMapper = identifierMapper;
+        this.endpointValidator = endpointValidator;
         this.identifierService = identifierService;
     }
 
@@ -103,9 +106,10 @@ public class StoreEndpoint {
                                                        @RequestParam(value = "persisted", required = false) Boolean persisted,
                                                        Principal principal) throws QueryStoreException,
             DatabaseNotFoundException, ImageNotSupportedException, ContainerNotFoundException,
-            DatabaseConnectionException, TableMalformedException, UserNotFoundException {
+            DatabaseConnectionException, TableMalformedException, UserNotFoundException, NotAllowedException {
         log.debug("endpoint list queries, containerId={}, databaseId={}, persisted={}, principal={}", containerId,
                 databaseId, persisted, principal);
+        endpointValidator.validateOnlyAccess(containerId, databaseId, principal);
         final List<Query> queries = storeService.findAll(containerId, databaseId, persisted, principal);
         final List<Identifier> identifiers = identifierService.findAll();
         final List<User> users = userService.findAll();
@@ -172,6 +176,7 @@ public class StoreEndpoint {
             DatabaseConnectionException {
         log.debug("endpoint find query, containerId={}, databaseId={}, queryId={}, principal={}", containerId, databaseId,
                 queryId, principal);
+        endpointValidator.validateOnlyAccess(containerId, databaseId, principal);
         final Query query = storeService.findOne(containerId, databaseId, queryId, principal);
         final QueryDto dto = queryMapper.queryToQueryDto(query);
         final User creator = userService.findByUsername(query.getCreatedBy());
@@ -229,10 +234,15 @@ public class StoreEndpoint {
                                             @NotNull Principal principal)
             throws QueryStoreException, DatabaseNotFoundException, ImageNotSupportedException,
             DatabaseConnectionException, UserNotFoundException, QueryNotFoundException,
-            QueryAlreadyPersistedException {
+            QueryAlreadyPersistedException, NotAllowedException {
         log.debug("endpoint persist query, container, containerId={}, databaseId={}, queryId={}, principal={}",
                 containerId, databaseId, queryId, principal);
+        endpointValidator.validateOnlyAccess(containerId, databaseId, principal);
         final Query check = storeService.findOne(containerId, databaseId, queryId, principal);
+        if (!check.getCreatedBy().equals(principal.getName())) {
+            log.error("Cannot persist foreign query: created by {}", check.getCreatedBy());
+            throw new NotAllowedException("Cannot persist foreign query: created by " + check.getCreatedBy());
+        }
         if (check.getIsPersisted()) {
             log.error("Failed to persist, is already persisted");
             throw new QueryAlreadyPersistedException("Failed to persist");

dbrepo-query-service/rest-service/src/main/java/at/tuwien/endpoint/ViewEndpoint.java

@@ -24,7 +24,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.core.Authentication;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.*;
 
@@ -150,7 +149,7 @@ public class ViewEndpoint {
                 databaseId, data, principal);
         /* check */
         final Database database = databaseService.find(containerId, databaseId);
-        if (!database.getOwner().equals(principal)) {
+        if (!database.getOwner().equalsPrincipal(principal)) {
             log.error("Failed to create view: not the database owner");
             throw new NotAllowedException("Failed to create view: not the database owner");
         }
@@ -253,7 +252,7 @@ public class ViewEndpoint {
                 databaseId, viewId, principal);
         /* check */
         final Database database = databaseService.find(containerId, databaseId);
-        if (!database.getOwner().equals(principal)) {
+        if (!database.getOwner().equalsPrincipal(principal)) {
             log.error("Failed to delete view: not the database owner");
             throw new NotAllowedException("Failed to delete view: not the database owner");
         }

dbrepo-query-service/rest-service/src/main/java/at/tuwien/validation/EndpointValidator.java

@@ -3,12 +3,18 @@ package at.tuwien.validation;
 import at.tuwien.SortType;
 import at.tuwien.api.database.query.ExecuteStatementDto;
 import at.tuwien.config.QueryConfig;
-import at.tuwien.exception.PaginationException;
-import at.tuwien.exception.QueryMalformedException;
-import at.tuwien.exception.SortException;
+import at.tuwien.entities.database.Database;
+import at.tuwien.entities.database.DatabaseAccess;
+import at.tuwien.entities.user.User;
+import at.tuwien.exception.*;
+import at.tuwien.service.AccessService;
+import at.tuwien.service.DatabaseService;
+import at.tuwien.service.UserService;
 import lombok.extern.log4j.Log4j2;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
+import java.security.Principal;
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
@@ -19,10 +25,18 @@ import java.util.regex.Pattern;
 @Component
 public class EndpointValidator {
 
+    private final UserService userService;
     private final QueryConfig queryConfig;
+    private final AccessService accessService;
+    private final DatabaseService databaseService;
 
-    public EndpointValidator(QueryConfig queryConfig) {
+    @Autowired
+    public EndpointValidator(UserService userService, QueryConfig queryConfig, AccessService accessService,
+                             DatabaseService databaseService) {
+        this.userService = userService;
         this.queryConfig = queryConfig;
+        this.accessService = accessService;
+        this.databaseService = databaseService;
     }
 
     public void validateDataParams(Long page, Long size) throws PaginationException {
@@ -74,4 +88,20 @@ public class EndpointValidator {
         throw new QueryMalformedException("Query contains forbidden keyword(s): " + Arrays.toString(words.toArray()));
     }
 
+    public void validateOnlyAccess(Long containerId, Long databaseId, Principal principal) throws DatabaseNotFoundException, NotAllowedException {
+        final Database database = databaseService.find(containerId, databaseId);
+        if (database.getIsPublic()) {
+            log.trace("database with id {} is public: no access needed", databaseId);
+            return;
+        }
+        log.trace("database with id {} is private", databaseId);
+        if (principal == null) {
+            log.error("Access not allowed: database with id {} is not public and no authorization provided", databaseId);
+            throw new NotAllowedException("Access not allowed: database with id " + databaseId + " is not public and no authorization provided");
+        }
+        log.trace("principal is {}", principal);
+        final DatabaseAccess access = accessService.find(databaseId, principal.getName());
+        log.trace("found access {}", access);
+    }
+
 }

dbrepo-query-service/rest-service/src/test/java/at/tuwien/endpoint/StoreEndpointUnitTest.java

@@ -33,11 +33,9 @@ import org.springframework.test.context.junit.jupiter.SpringExtension;
 import java.security.Principal;
 import java.util.List;
 import java.util.Optional;
-import java.util.UUID;
 
 import static org.junit.jupiter.api.Assertions.*;
-import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;
 
 @Log4j2
 @SpringBootTest
@@ -68,9 +66,6 @@ public class StoreEndpointUnitTest extends BaseUnitTest {
     @MockBean
     private DatabaseService databaseService;
 
-    @MockBean
-    private DatabaseAccessRepository accessRepository;
-
     @MockBean
     private AccessService accessService;
 
@@ -79,17 +74,27 @@ public class StoreEndpointUnitTest extends BaseUnitTest {
 
     @Test
     @WithAnonymousUser
-    public void findAll_anonymous_succeeds() throws QueryStoreException, DatabaseNotFoundException, ImageNotSupportedException,
-            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException {
+    public void findAll_privateAnonymous_fails() {
 
         /* test */
+        assertThrows(NotAllowedException.class, () -> {
             findAll_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, null);
+        });
+    }
+
+    @Test
+    @WithAnonymousUser
+    public void findAll_publicAnonymous_succeeds() throws QueryStoreException, DatabaseNotFoundException, ImageNotSupportedException,
+            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException, NotAllowedException {
+
+        /* test */
+        findAll_generic(CONTAINER_3_ID, DATABASE_3_ID, DATABASE_3, null);
     }
 
     @Test
     @WithMockUser(username = USER_1_USERNAME)
     public void findAll_noRole_succeeds() throws QueryStoreException, DatabaseNotFoundException, ImageNotSupportedException,
-            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException {
+            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException, NotAllowedException {
 
         /* test */
         findAll_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, USER_1_PRINCIPAL);
@@ -98,67 +103,83 @@ public class StoreEndpointUnitTest extends BaseUnitTest {
     @Test
     @WithMockUser(username = USER_1_USERNAME, authorities = {"list-queries"})
     public void findAll_hasRole_succeeds() throws QueryStoreException, DatabaseNotFoundException, ImageNotSupportedException,
-            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException {
+            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException, NotAllowedException {
 
         /* test */
         findAll_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, USER_1_PRINCIPAL);
     }
 
     @Test
-    @WithMockUser(username = USER_1_USERNAME, authorities = {"list-queries"})
-    public void findAll_noAccess_fails() {
+    @WithMockUser(username = USER_2_USERNAME, authorities = {"list-queries"})
+    public void findAll_privateNoAccess_fails() throws NotAllowedException {
+
+        /* mock */
+        doThrow(NotAllowedException.class)
+                .when(accessService)
+                .find(DATABASE_1_ID, USER_2_USERNAME);
 
         /* test */
         assertThrows(NotAllowedException.class, () -> {
-            findAll_generic(CONTAINER_2_ID, DATABASE_2_ID, DATABASE_2, USER_1_PRINCIPAL);
+            findAll_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, USER_2_PRINCIPAL);
         });
     }
 
     @Test
-    @WithMockUser(username = USER_1_USERNAME, authorities = {"list-queries"})
-    public void findAll_hasAccess_succeeds() throws UserNotFoundException, QueryStoreException,
-            DatabaseConnectionException, TableMalformedException, DatabaseNotFoundException, ImageNotSupportedException,
-            ContainerNotFoundException {
+    @WithMockUser(username = USER_2_USERNAME, authorities = {"list-queries"})
+    public void findAll_publicNoAccess_succeeds() throws UserNotFoundException, QueryStoreException,
+            DatabaseConnectionException, TableMalformedException, NotAllowedException, DatabaseNotFoundException,
+            ImageNotSupportedException, ContainerNotFoundException {
 
         /* mock */
-        when(accessRepository.findByDatabaseIdAndUsername(DATABASE_2_ID, USER_1_USERNAME))
-                .thenReturn(Optional.of(DATABASE_1_RESEARCHER_READ_ACCESS));
+        doThrow(NotAllowedException.class)
+                .when(accessService)
+                .find(DATABASE_3_ID, USER_2_USERNAME);
 
         /* test */
-        findAll_generic(CONTAINER_2_ID, DATABASE_2_ID, DATABASE_2, USER_1_PRINCIPAL);
+        findAll_generic(CONTAINER_3_ID, DATABASE_3_ID, DATABASE_3, USER_2_PRINCIPAL);
     }
 
     @Test
-    @WithMockUser(username = USER_2_USERNAME)
-    public void findAll_dataSteward_succeeds() throws QueryStoreException, DatabaseNotFoundException, ImageNotSupportedException,
-            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException {
+    @WithMockUser(username = USER_1_USERNAME, authorities = {"list-queries"})
+    public void findAll_hasAccess_succeeds() throws UserNotFoundException, QueryStoreException,
+            DatabaseConnectionException, TableMalformedException, DatabaseNotFoundException, ImageNotSupportedException,
+            ContainerNotFoundException, NotAllowedException {
+
+        /* mock */
+        when(accessService.find(DATABASE_2_ID, USER_1_USERNAME))
+                .thenReturn(DATABASE_1_RESEARCHER_READ_ACCESS);
 
         /* test */
-        findAll_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, USER_2_PRINCIPAL);
+        findAll_generic(CONTAINER_2_ID, DATABASE_2_ID, DATABASE_2, USER_1_PRINCIPAL);
     }
 
     @Test
-    @WithMockUser(username = USER_3_USERNAME)
-    public void findAll_developer_succeeds() throws QueryStoreException, DatabaseNotFoundException, ImageNotSupportedException,
-            ContainerNotFoundException, DatabaseConnectionException, TableMalformedException, UserNotFoundException {
+    @WithAnonymousUser
+    public void find_publicAnonymous_succeeds() throws QueryStoreException, QueryNotFoundException, DatabaseNotFoundException,
+            ImageNotSupportedException, UserNotFoundException, NotAllowedException, DatabaseConnectionException {
+
+        /* mock */
+        when(userRepository.findByUsername(USER_1_USERNAME))
+                .thenReturn(Optional.of(USER_1));
 
         /* test */
-        findAll_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, USER_3_PRINCIPAL);
+        final QueryDto response = find_generic(CONTAINER_3_ID, DATABASE_3_ID, DATABASE_3, QUERY_4_ID, QUERY_4, null, null, null);
+        assertEquals(QUERY_4_ID, response.getId());
+        assertEquals(QUERY_4_STATEMENT, response.getQuery());
     }
 
     @Test
     @WithAnonymousUser
-    public void find_anonymous_succeeds() throws QueryStoreException, QueryNotFoundException, DatabaseNotFoundException,
-            ImageNotSupportedException, UserNotFoundException, NotAllowedException, DatabaseConnectionException {
+    public void find_privateAnonymous_fails() {
 
         /* mock */
         when(userRepository.findByUsername(USER_1_USERNAME))
                 .thenReturn(Optional.of(USER_1));
 
         /* test */
-        final QueryDto response = find_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, QUERY_1_ID, QUERY_1, USER_1_USERNAME, null, null);
-        assertEquals(QUERY_1_ID, response.getId());
-        assertEquals(QUERY_1_STATEMENT, response.getQuery());
+        assertThrows(NotAllowedException.class, () -> {
+            find_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, QUERY_1_ID, QUERY_1, null, null, null);
+        });
     }
 
     @Test
@@ -198,7 +219,7 @@ public class StoreEndpointUnitTest extends BaseUnitTest {
     public void find_databaseNotFound_fails() {
 
         /* test */
-        assertThrows(NotAllowedException.class, () -> {
+        assertThrows(DatabaseNotFoundException.class, () -> {
             find_generic(CONTAINER_1_ID, DATABASE_1_ID, null, QUERY_1_ID, QUERY_1, USER_1_USERNAME, USER_1, USER_1_PRINCIPAL);
         });
     }
@@ -241,18 +262,17 @@ public class StoreEndpointUnitTest extends BaseUnitTest {
 
     @Test
     @WithMockUser(username = USER_2_USERNAME, authorities = "persist-query")
-    public void persist_foreignWriteAll_succeeds() throws UserNotFoundException, QueryStoreException,
-            NotAllowedException, DatabaseConnectionException, QueryAlreadyPersistedException, QueryNotFoundException,
-            DatabaseNotFoundException, ImageNotSupportedException {
+    public void persist_foreignWriteAll_fails() {
 
         /* mock */
         when(userRepository.findByUsername(USER_1_USERNAME))
                 .thenReturn(Optional.of(USER_1));
 
         /* test */
-        final QueryDto response = persist_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, QUERY_1_ID, QUERY_1, USER_2_USERNAME, USER_2, USER_2_PRINCIPAL, DATABASE_1_DEVELOPER_WRITE_ALL_ACCESS);
-        assertEquals(QUERY_1_ID, response.getId());
-        assertEquals(QUERY_1_STATEMENT, response.getQuery());
+        assertThrows(NotAllowedException.class, () -> {
+            persist_generic(CONTAINER_1_ID, DATABASE_1_ID, DATABASE_1, QUERY_1_ID, QUERY_1, USER_2_USERNAME, USER_2, USER_2_PRINCIPAL, DATABASE_1_DEVELOPER_WRITE_ALL_ACCESS);
+        });
+
     }
 
     /* ################################################################################################### */
@@ -293,7 +313,7 @@ public class StoreEndpointUnitTest extends BaseUnitTest {
 
     protected void findAll_generic(Long containerId, Long databaseId, Database database, Principal principal)
             throws UserNotFoundException, QueryStoreException, DatabaseConnectionException, TableMalformedException,
-            DatabaseNotFoundException, ImageNotSupportedException, ContainerNotFoundException {
+            DatabaseNotFoundException, ImageNotSupportedException, ContainerNotFoundException, NotAllowedException {
 
         /* mock */
         doReturn(List.of(QUERY_1)).when(storeService)
@@ -340,7 +360,7 @@ public class StoreEndpointUnitTest extends BaseUnitTest {
         }
 
         /* test */
-        final ResponseEntity<QueryDto> response = storeEndpoint.find(CONTAINER_1_ID, DATABASE_1_ID, QUERY_1_ID, principal);
+        final ResponseEntity<QueryDto> response = storeEndpoint.find(containerId, databaseId, queryId, principal);
         assertEquals(HttpStatus.OK, response.getStatusCode());
         final QueryDto body = response.getBody();
         assertNotNull(body);

dbrepo-user-service/rest-service/src/main/java/at/tuwien/endpoint/UserEndpoint.java

@@ -107,7 +107,7 @@ public class UserEndpoint {
             throws UserNotFoundException, ForeignUserException, UserAttributeNotFoundException {
         log.debug("endpoint modify a user, id={}, data={}, principal={}", id, data, principal);
         final User user = userService.find(UUID.fromString(id));
-        if (!user.equals(principal)) {
+        if (!user.equalsPrincipal(principal)) {
             log.error("Failed to modify user: attempting to modify other user");
             throw new ForeignUserException("Failed to modify user: attempting to modify other user");
         }
@@ -128,7 +128,7 @@ public class UserEndpoint {
             throws UserNotFoundException, ForeignUserException, UserAttributeNotFoundException {
         log.debug("endpoint modify a user theme, id={}, data={}, principal={}", id, data, principal);
         final User user = userService.find(UUID.fromString(id));
-        if (!user.equals(principal)) {
+        if (!user.equalsPrincipal(principal)) {
             log.error("Failed to modify user: attempting to modify other user");
             throw new ForeignUserException("Failed to modify user: attempting to modify other user");
         }
@@ -149,7 +149,7 @@ public class UserEndpoint {
             throws UserNotFoundException, ForeignUserException {
         log.debug("endpoint modify a user password, id={}, data={}, principal={}", id, data, principal);
         final User user = userService.find(UUID.fromString(id));
-        if (!user.equals(principal)) {
+        if (!user.equalsPrincipal(principal)) {
             log.error("Failed to modify user: attempting to modify other user");
             throw new ForeignUserException("Failed to modify user: attempting to modify other user");
         }

dbrepo-user-service/rest-service/src/test/java/at/tuwien/mapper/UserMapperTest.java

@@ -21,7 +21,7 @@ public class UserMapperTest extends BaseUnitTest {
     }
 
     @Test
-    public void equals_identitiy_succeeds() {
+    public void equals_identity_succeeds() {
 
         /* test */
         assertEquals(USER_1, USER_1);

dbrepo-user-service/services/src/main/java/at/tuwien/service/impl/UserServiceImpl.java

@@ -127,7 +127,7 @@ public class UserServiceImpl implements UserService {
             ForeignUserException, UserAttributeNotFoundException {
         /* check */
         User user = find(id);
-        if (!user.getUsername().equals(principal.getName())) {
+        if (!user.equalsPrincipal(principal)) {
             log.error("Failed to modify user: attempting to modify other user");
             throw new ForeignUserException("Failed to modify user: attempting to modify other user");
         }
@@ -147,7 +147,7 @@ public class UserServiceImpl implements UserService {
             ForeignUserException {
         /* check */
         final User user = find(id);
-        if (!user.getUsername().equals(principal.getName())) {
+        if (!user.equalsPrincipal(principal)) {
             log.error("Failed to modify user: attempting to modify other user");
             throw new ForeignUserException("Failed to modify user: attempting to modify other user");
         }