From 0b91c75f85a5f98b8c10c48a69896caa9ed7fa1d Mon Sep 17 00:00:00 2001 From: pkupczyk <piotr.kupczyk@id.ethz.ch> Date: Mon, 12 Jun 2023 15:02:01 +0200 Subject: [PATCH] SSDM-13718 : Fix user rights for creation and update : sample creation --- .../systemtest/asapi/v3/AbstractTest.java | 23 ++++++- .../systemtest/asapi/v3/CreateSampleTest.java | 61 +++++++++++++++++++ 2 files changed, 81 insertions(+), 3 deletions(-) diff --git a/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/AbstractTest.java b/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/AbstractTest.java index 651b1fefda5..7d7883be4db 100644 --- a/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/AbstractTest.java +++ b/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/AbstractTest.java @@ -53,6 +53,7 @@ import org.testng.annotations.AfterClass; import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeClass; import org.testng.annotations.BeforeMethod; +import org.testng.annotations.DataProvider; import ch.ethz.sis.openbis.generic.asapi.v3.dto.attachment.Attachment; import ch.ethz.sis.openbis.generic.asapi.v3.dto.attachment.create.AttachmentCreation; @@ -154,6 +155,7 @@ import ch.systemsx.cisd.common.logging.BufferedAppender; import ch.systemsx.cisd.common.test.AssertionUtil; import ch.systemsx.cisd.openbis.generic.shared.api.v1.IGeneralInformationService; import ch.systemsx.cisd.openbis.generic.shared.basic.dto.MaterialIdentifier; +import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy; import ch.systemsx.cisd.openbis.generic.shared.dto.DataPE; import ch.systemsx.cisd.openbis.generic.shared.dto.EventPE; import ch.systemsx.cisd.openbis.generic.shared.dto.EventPE.EntityType; 
@@ -181,6 +183,8 @@ public class AbstractTest extends SystemTestCase } }; + protected static final String USER_ROLES_PROVIDER = "provideUserRoles"; + protected BufferedAppender logRecorder; @Autowired @@ -1328,10 +1332,15 @@ public class AbstractTest extends SystemTestCase protected Object[][] createTestUsersProvider(String... users) { - Object[][] objects = new Object[users.length][]; - for (int i = 0; i < users.length; i++) + return createProvider(users); + } + + protected <T> Object[][] createProvider(T... values) + { + Object[][] objects = new Object[values.length][]; + for (int i = 0; i < values.length; i++) { - objects[i] = new Object[] { users[i] }; + objects[i] = new Object[] { values[i] }; } return objects; } @@ -1814,4 +1823,12 @@ public class AbstractTest extends SystemTestCase return map.get(tokenId); } + @DataProvider + protected Object[][] provideUserRoles() + { + return createProvider(RoleWithHierarchy.INSTANCE_ADMIN, RoleWithHierarchy.INSTANCE_OBSERVER, RoleWithHierarchy.SPACE_ADMIN, + RoleWithHierarchy.SPACE_POWER_USER, RoleWithHierarchy.SPACE_USER, RoleWithHierarchy.SPACE_OBSERVER, RoleWithHierarchy.PROJECT_ADMIN, + RoleWithHierarchy.PROJECT_POWER_USER, RoleWithHierarchy.PROJECT_USER, RoleWithHierarchy.PROJECT_OBSERVER); + } + } diff --git a/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateSampleTest.java b/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateSampleTest.java index 14986088455..b8ea0137ee8 100644 --- a/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateSampleTest.java +++ b/server-application-server/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/CreateSampleTest.java @@ -26,6 +26,7 @@ import java.util.HashSet; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.UUID; import org.testng.annotations.DataProvider; import org.testng.annotations.Test; 
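Review bot: In AbstractTest, the new `createProvider(T... values)` declares a generic varargs parameter, which javac reports as possible heap pollution at the declaration, and `@SafeVarargs` is not permitted on a non-final instance method. The method only reads the array, so `@SafeVarargs protected final <T> Object[][] createProvider(T... values)` would be accurate, provided no subclass needs to override it (not visible from this hunk). A one-line Javadoc such as `/** Wraps each value in its own single-element row, the shape a TestNG data provider returns. */` would also make the helper's contract explicit.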
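Review bot: The role list in `provideUserRoles()` (AbstractTest, last hunk of that file) is enumerated by hand, so any `RoleWithHierarchy` value that is not listed is silently left out of every authorization test that uses `USER_ROLES_PROVIDER`. Whether the enum defines values beyond the ten shown cannot be seen from this hunk, so the omission should be documented as deliberate or not. I would add a Javadoc along the lines of `/** Roles exercised by role-matrix authorization tests; extend this list whenever a role is added to RoleWithHierarchy, and note here any role that is intentionally excluded. */`.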
@@ -39,15 +40,23 @@ import ch.ethz.sis.openbis.generic.asapi.v3.dto.entitytype.id.IEntityTypeId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.experiment.id.ExperimentIdentifier;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.experiment.id.ExperimentPermId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.experiment.id.IExperimentId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.create.PersonCreation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.id.PersonPermId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.project.create.ProjectCreation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.project.id.IProjectId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.project.id.ProjectIdentifier;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.project.id.ProjectPermId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.property.DataType;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.property.id.PropertyTypePermId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.Role;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.create.RoleAssignmentCreation;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.sample.Sample;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.sample.create.SampleCreation;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.sample.fetchoptions.SampleFetchOptions;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.sample.id.ISampleId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.sample.id.SampleIdentifier;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.sample.id.SamplePermId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.create.SpaceCreation;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.id.ISpaceId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.id.SpacePermId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.tag.Tag;
@@ -55,7 +64,9 @@ import ch.ethz.sis.openbis.generic.asapi.v3.dto.tag.id.ITagId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.tag.id.TagPermId;
 import ch.ethz.sis.openbis.generic.server.asapi.v3.helper.common.batch.Batch;
 import ch.systemsx.cisd.common.action.IDelegatedAction;
+import ch.systemsx.cisd.common.exceptions.AuthorizationFailureException;
 import ch.systemsx.cisd.common.test.AssertionUtil;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
 import ch.systemsx.cisd.openbis.generic.shared.dto.SamplePE;
 import ch.systemsx.cisd.openbis.systemtest.authorization.ProjectAuthorizationUser;
 import junit.framework.Assert;
@@ -515,6 +526,56 @@ public class CreateSampleTest extends AbstractSampleTest patternContains("setting relation sample-experiment (1/1)", toDblQuotes("'identifier' : '/TEST-SPACE/UNAUTHORIZED_EXPERIMENT'"))); } + @Test(dataProvider = USER_ROLES_PROVIDER) + public void testCreateWithProjectWithDifferentRoles(RoleWithHierarchy role) + { + final String adminSessionToken = v3api.login(TEST_USER, PASSWORD); + + // userId needs to end with "_pa_on" for the user's project roles to be taken into consideration (see project authorization settings in service.properties) + final PersonCreation personCreation = new PersonCreation(); + personCreation.setUserId("test_user_with_role_" + role + "_pa_on"); + v3api.createPersons(adminSessionToken, List.of(personCreation)); + + final SpaceCreation spaceCreation = new SpaceCreation(); + spaceCreation.setCode("TEST_SPACE_" + UUID.randomUUID()); + SpacePermId spaceId = v3api.createSpaces(adminSessionToken, List.of(spaceCreation)).get(0); + + final ProjectCreation projectCreation = new ProjectCreation(); + projectCreation.setCode("TEST_PROJECT_" + UUID.randomUUID()); + projectCreation.setSpaceId(new SpacePermId(spaceCreation.getCode())); + ProjectPermId projectId = v3api.createProjects(adminSessionToken, List.of(projectCreation)).get(0); + + final RoleAssignmentCreation roleCreation = new RoleAssignmentCreation(); + roleCreation.setUserId(new PersonPermId(personCreation.getUserId())); + roleCreation.setRole(Role.valueOf(role.getRoleCode().name())); + + if (role.isSpaceLevel()) + { + roleCreation.setSpaceId(spaceId); + } else if (role.isProjectLevel()) + { + roleCreation.setProjectId(projectId); + } + + v3api.createRoleAssignments(adminSessionToken, List.of(roleCreation)); + + final String userSessionToken = v3api.login(personCreation.getUserId(), PASSWORD); + + final SampleCreation sampleCreation = new SampleCreation(); + sampleCreation.setCode("TEST_SAMPLE_" + UUID.randomUUID()); + sampleCreation.setTypeId(new 
EntityTypePermId("CELL_PLATE")); + sampleCreation.setSpaceId(spaceId); + sampleCreation.setProjectId(projectId); + + if (List.of(RoleWithHierarchy.RoleCode.OBSERVER).contains(role.getRoleCode())) + { + assertAuthorizationFailureException(() -> v3api.createSamples(userSessionToken, Collections.singletonList(sampleCreation))); + } else + { + v3api.createSamples(userSessionToken, Collections.singletonList(sampleCreation)); + } + } + @Test public void testCreateWithExperimentNonexistent() { -- GitLab
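Review bot: `testCreateWithProjectWithDifferentRoles` only attempts creation inside the space and project the role was granted on, so it cannot detect a space- or project-level grant being honoured outside its scope. For those roles I would add a second attempt against a freshly created space the user holds no role in and expect it to be rejected, as sketched below. The permitted branch also discards the result of `createSamples`; asserting that exactly one permId comes back would confirm the sample was actually created. The observer check reads more directly as `if (role.getRoleCode() == RoleWithHierarchy.RoleCode.OBSERVER)`.

```java
// … unchanged: user, space, project and role-assignment setup; in-scope create/deny check …

// A space- or project-level grant must not carry over to a space the user holds no role in.
if (role.isSpaceLevel() || role.isProjectLevel())
{
    final SpaceCreation otherSpaceCreation = new SpaceCreation();
    otherSpaceCreation.setCode("TEST_SPACE_" + UUID.randomUUID());
    final SpacePermId otherSpaceId = v3api.createSpaces(adminSessionToken, List.of(otherSpaceCreation)).get(0);

    final SampleCreation outOfScopeCreation = new SampleCreation();
    outOfScopeCreation.setCode("TEST_SAMPLE_" + UUID.randomUUID());
    outOfScopeCreation.setTypeId(new EntityTypePermId("CELL_PLATE"));
    outOfScopeCreation.setSpaceId(otherSpaceId);

    assertAuthorizationFailureException(() -> v3api.createSamples(userSessionToken, Collections.singletonList(outOfScopeCreation)));
}
```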