Aws remove sp validation

7d8d0135 · Derek Hudson · 3f7385f5 · 7d8d0135 · 7d8d0135 · 7d8d0135
Commit 7d8d0135 authored 9 months ago by Derek Hudson
--- a/provider/storage-aws/src/main/java/org/opengroup/osdu/storage/provider/aws/security/UserAccessService.java
+++ b/provider/storage-aws/src/main/java/org/opengroup/osdu/storage/provider/aws/security/UserAccessService.java
@@ -14,6 +14,8 @@

 package org.opengroup.osdu.storage.provider.aws.security;

+import static org.opengroup.osdu.storage.util.RecordConstants.OPA_FEATURE_NAME;
+
 import java.util.HashSet;
 import java.util.List;

@@ -22,6 +24,7 @@ import jakarta.inject.Inject;

 import org.apache.http.HttpStatus;

+import org.opengroup.osdu.core.common.feature.IFeatureFlag;
 import org.opengroup.osdu.core.common.model.entitlements.Acl;
 import org.opengroup.osdu.core.common.model.entitlements.GroupInfo;
 import org.opengroup.osdu.core.common.model.entitlements.Groups;
@@ -30,6 +33,7 @@ import org.opengroup.osdu.core.common.model.http.DpsHeaders;
 import org.opengroup.osdu.core.common.model.storage.RecordProcessing;
 import org.opengroup.osdu.core.common.util.IServiceAccountJwtClient;
 import org.opengroup.osdu.storage.service.IEntitlementsExtensionService;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;

 @Service
@@ -42,7 +46,10 @@ public class UserAccessService {
    private IEntitlementsExtensionService entitlementsExtensions;
    @Inject
    IServiceAccountJwtClient serviceAccountClient;
-    
+
+    @Autowired
+    private IFeatureFlag featureFlag;
+
    private static final String SERVICE_PRINCIPAL_ID = "";

    /**
@@ -78,6 +85,9 @@ public class UserAccessService {
    }

    public void validateRecordAcl (RecordProcessing... records){
+        // If OPA is enabled, then this check is redundant as OPA validates the record.
+        if (featureFlag.isFeatureEnabled(OPA_FEATURE_NAME)) return;
+
        //Records can be written by a user using ANY existing valid ACL
        List<String> groupNames = this.getPartitionGroupsforServicePrincipal(dpsHeaders);


--- a/provider/storage-aws/src/test/java/org/opengroup/osdu/storage/provider/aws/CloudStorageImplTest.java
+++ b/provider/storage-aws/src/test/java/org/opengroup/osdu/storage/provider/aws/CloudStorageImplTest.java
@@ -133,6 +133,7 @@ class CloudStorageImplTest {
        repo.write(recordProcessing);

        verify(record, times(1)).getId();
+        verify(userAccessService, times(1)).validateRecordAcl(recordProcessing);
    }

    @Test

--- a/provider/storage-aws/src/test/java/org/opengroup/osdu/storage/provider/aws/security/UserAccessServiceTest.java
+++ b/provider/storage-aws/src/test/java/org/opengroup/osdu/storage/provider/aws/security/UserAccessServiceTest.java
@@ -25,6 +25,7 @@ import org.mockito.Mockito;
 import org.opengroup.osdu.core.common.entitlements.EntitlementsService;
 import org.opengroup.osdu.core.common.entitlements.IEntitlementsFactory;
 import org.opengroup.osdu.core.common.entitlements.IEntitlementsService;
+import org.opengroup.osdu.core.common.feature.IFeatureFlag;
 import org.opengroup.osdu.core.common.model.entitlements.Acl;
 import org.opengroup.osdu.core.common.model.entitlements.GroupInfo;
 import org.opengroup.osdu.core.common.model.entitlements.Groups;
@@ -36,6 +37,7 @@ import org.opengroup.osdu.core.common.util.IServiceAccountJwtClient;
 import org.opengroup.osdu.storage.provider.aws.cache.GroupCache;
 import org.opengroup.osdu.storage.provider.aws.util.CacheHelper;
 import org.opengroup.osdu.storage.service.EntitlementsAndCacheServiceImpl;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.util.ReflectionTestUtils;

 import java.util.ArrayList;
@@ -43,10 +45,15 @@ import java.util.List;

 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.openMocks;
+import static org.opengroup.osdu.storage.util.RecordConstants.OPA_FEATURE_NAME;


 class UserAccessServiceTest {
@@ -80,6 +87,9 @@ class UserAccessServiceTest {
    @Mock
    private IServiceAccountJwtClient serviceAccountClient;

+    @Mock
+    private IFeatureFlag featureFlag;
+
    private Groups groups = new Groups();

    private GroupInfo groupInfo = new GroupInfo();
@@ -168,4 +178,12 @@ class UserAccessServiceTest {
        });
    }

+    @Test
+    void validateRecordAcl_shouldNotCheck_whenOPAIsEnabled() {
+        RecordProcessing recordProcessing = mock(RecordProcessing.class);
+        when(featureFlag.isFeatureEnabled(OPA_FEATURE_NAME)).thenReturn(true);
+        CUT.validateRecordAcl(recordProcessing);
+        verify(featureFlag, times(1)).isFeatureEnabled(OPA_FEATURE_NAME);
+        verify(entitlementsExtension, never()).getGroups(any());
+    }
 }