fix(services): permission queries (#1080)

* Filter out hidden providers only in root collection

* Adjust view of user permitted resources; Ensure unique provider permissions

* Update column name

* Test priority filter

* Test dataset deletion with owner and read permission

Author: dbrandenstein

services/src/api/handlers/datasets.rs

@@ -1383,7 +1383,7 @@ mod tests {
     use crate::ge_context;
     use crate::projects::{PointSymbology, RasterSymbology, Symbology};
     use crate::test_data;
-    use crate::users::UserAuth;
+    use crate::users::{RoleDb, UserAuth};
     use crate::util::tests::admin_login;
     use crate::util::tests::{
         MockQueryContext, SetMultipartBody, TestDataUploads, add_file_definition_to_datasets,
@@ -3059,6 +3059,60 @@ mod tests {
         Ok(())
     }
 
+    #[ge_context::test]
+    async fn it_deletes_dataset_with_additional_read_permission(
+        app_ctx: PostgresContext<NoTls>,
+    ) -> Result<()> {
+        let mut test_data = TestDataUploads::default(); // remember created folder and remove them on drop
+
+        let session = app_ctx.create_anonymous_session().await.unwrap();
+        let session_id = session.id();
+        let ctx = app_ctx.session_context(session);
+
+        let upload_id = upload_ne_10m_ports_files(app_ctx.clone(), session_id).await?;
+        test_data.uploads.push(upload_id);
+
+        let dataset_name =
+            construct_dataset_from_upload(app_ctx.clone(), upload_id, session_id).await;
+
+        let db = ctx.db();
+        let dataset_id = db
+            .resolve_dataset_name_to_id(&dataset_name)
+            .await
+            .unwrap()
+            .unwrap();
+
+        assert!(db.load_dataset(&dataset_id).await.is_ok());
+
+        let admin_session = admin_login(&app_ctx).await;
+        let admin_ctx = app_ctx.session_context(admin_session);
+        let admin_db = admin_ctx.db();
+
+        let role_id = admin_db.add_role("test_role").await.unwrap();
+        admin_db
+            .assign_role(&role_id, &ctx.session().user.id)
+            .await
+            .unwrap();
+
+        db.add_permission(role_id, dataset_id, Permission::Read)
+            .await
+            .unwrap();
+
+        let req = actix_web::test::TestRequest::delete()
+            .uri(&format!("/dataset/{dataset_name}"))
+            .append_header((header::CONTENT_LENGTH, 0))
+            .append_header((header::AUTHORIZATION, Bearer::new(session_id.to_string())))
+            .append_header((header::CONTENT_TYPE, "application/json"));
+
+        let res = send_test_request(req, app_ctx.clone()).await;
+
+        assert_eq!(res.status(), 200, "response: {res:?}");
+
+        assert!(db.load_dataset(&dataset_id).await.is_err());
+
+        Ok(())
+    }
+
     #[ge_context::test]
     async fn it_deletes_volume_dataset(app_ctx: PostgresContext<NoTls>) -> Result<()> {
         let volume = VolumeName("test_data".to_string());

services/src/api/handlers/layers.rs

@@ -2072,6 +2072,175 @@ mod tests {
         }
     }
 
+    #[ge_context::test]
+    async fn test_list_providers(app_ctx: PostgresContext<NoTls>) {
+        let session = admin_login(&app_ctx).await;
+        let ctx = app_ctx.session_context(session.clone());
+
+        let session_id = session.id();
+
+        let dataset_listing_provider = default_dataset_layer_listing_provider_definition();
+
+        ctx.db()
+            .add_layer_provider(
+                crate::layers::external::TypedDataProviderDefinition::DatasetLayerListingProviderDefinition(
+                    dataset_listing_provider.clone(),
+                ),
+            )
+            .await.unwrap();
+
+        let req = test::TestRequest::get()
+            .uri("/layerDb/providers?limit=5&offset=0")
+            .append_header((header::AUTHORIZATION, Bearer::new(session_id.to_string())));
+        let response = send_test_request(req, app_ctx.clone()).await;
+
+        assert!(response.status().is_success(), "{response:?}");
+
+        let response_provider =
+            serde_json::from_str::<Vec<LayerProviderListing>>(&read_body_string(response).await)
+                .unwrap();
+
+        let listing = LayerProviderListing {
+            id: DataProviderId::from_u128(0xcbb2_1ee3_d15d_45c5_a175_6696_4adf_4e85).into(),
+            name: "User Data Listing".to_string(),
+            priority: 0,
+        };
+
+        assert_eq!(response_provider, vec![listing.clone()]);
+
+        let dataset_listing_provider = DatasetLayerListingProviderDefinition {
+            priority: Some(-1000),
+            ..dataset_listing_provider
+        };
+
+        ctx.db()
+            .update_layer_provider_definition(
+                DataProviderId::from_u128(0xcbb2_1ee3_d15d_45c5_a175_6696_4adf_4e85),
+                crate::layers::external::TypedDataProviderDefinition::DatasetLayerListingProviderDefinition(
+                    dataset_listing_provider,
+                ),
+            )
+            .await.unwrap();
+
+        let req = test::TestRequest::get()
+            .uri("/layerDb/providers?limit=5&offset=0")
+            .append_header((header::AUTHORIZATION, Bearer::new(session_id.to_string())));
+        let response = send_test_request(req, app_ctx.clone()).await;
+
+        assert!(response.status().is_success(), "{response:?}");
+
+        let response_provider =
+            serde_json::from_str::<Vec<LayerProviderListing>>(&read_body_string(response).await)
+                .unwrap();
+
+        let listing = LayerProviderListing {
+            priority: -1000,
+            ..listing
+        };
+
+        // No filtering for priority is applied here
+        assert_eq!(response_provider, vec![listing]);
+    }
+
+    #[ge_context::test]
+    async fn test_list_root_collections(app_ctx: PostgresContext<NoTls>) {
+        let session = admin_login(&app_ctx).await;
+        let ctx = app_ctx.session_context(session.clone());
+
+        let session_id = session.id();
+
+        let dataset_listing_provider = default_dataset_layer_listing_provider_definition();
+
+        ctx.db()
+            .add_layer_provider(
+                crate::layers::external::TypedDataProviderDefinition::DatasetLayerListingProviderDefinition(
+                    dataset_listing_provider.clone(),
+                ),
+            )
+            .await.unwrap();
+
+        let req = test::TestRequest::get()
+            .uri("/layers/collections?limit=5&offset=0")
+            .append_header((header::AUTHORIZATION, Bearer::new(session_id.to_string())));
+        let response = send_test_request(req, app_ctx.clone()).await;
+
+        assert!(response.status().is_success(), "{response:?}");
+
+        let response_collection =
+            serde_json::from_str::<LayerCollection>(&read_body_string(response).await).unwrap();
+
+        let data_catalog_item = CollectionItem::Collection(LayerCollectionListing {
+            r#type: Default::default(),
+            id: ProviderLayerCollectionId {
+                provider_id: INTERNAL_PROVIDER_ID,
+                collection_id: LayerCollectionId(
+                    crate::layers::storage::INTERNAL_LAYER_DB_ROOT_COLLECTION_ID.to_string(),
+                ),
+            },
+            name: "Data Catalog".to_string(),
+            description: "Catalog of data and workflows".to_string(),
+            properties: vec![],
+        });
+
+        let collection = LayerCollection {
+            id: ProviderLayerCollectionId {
+                provider_id: ROOT_PROVIDER_ID,
+                collection_id: LayerCollectionId(ROOT_COLLECTION_ID.to_string()),
+            },
+            name: "Layer Providers".to_string(),
+            description: "All available Geo Engine layer providers".to_string(),
+            items: vec![
+                data_catalog_item.clone(),
+                CollectionItem::Collection(LayerCollectionListing {
+                    r#type: Default::default(),
+                    id: ProviderLayerCollectionId {
+                        provider_id: dataset_listing_provider.id,
+                        collection_id: LayerCollectionId("root".to_string()),
+                    },
+                    name: dataset_listing_provider.name.clone(),
+                    description: dataset_listing_provider.description.clone(),
+                    properties: Default::default(),
+                }),
+            ],
+            entry_label: None,
+            properties: vec![],
+        };
+
+        assert_eq!(response_collection, collection.clone());
+
+        let dataset_listing_provider = DatasetLayerListingProviderDefinition {
+            priority: Some(-1000),
+            ..dataset_listing_provider
+        };
+
+        ctx.db()
+            .update_layer_provider_definition(
+                DataProviderId::from_u128(0xcbb2_1ee3_d15d_45c5_a175_6696_4adf_4e85),
+                crate::layers::external::TypedDataProviderDefinition::DatasetLayerListingProviderDefinition(
+                    dataset_listing_provider,
+                ),
+            )
+            .await.unwrap();
+
+        let req = test::TestRequest::get()
+            .uri("/layers/collections?limit=5&offset=0")
+            .append_header((header::AUTHORIZATION, Bearer::new(session_id.to_string())));
+        let response = send_test_request(req, app_ctx.clone()).await;
+
+        assert!(response.status().is_success(), "{response:?}");
+
+        let response_collection =
+            serde_json::from_str::<LayerCollection>(&read_body_string(response).await).unwrap();
+
+        let collection = LayerCollection {
+            items: vec![data_catalog_item],
+            ..collection
+        };
+
+        // Provider with priority -1000 is filtered out
+        assert_eq!(response_collection, collection);
+    }
+
     #[ge_context::test]
     async fn test_get_provider_definition(app_ctx: PostgresContext<NoTls>) {
         let session = admin_login(&app_ctx).await;

services/src/api/model/services.rs

@@ -218,7 +218,7 @@ pub struct Volume {
     pub path: Option<String>,
 }
 
-#[derive(Debug, Clone, PartialEq, Eq, ToSchema, Serialize)]
+#[derive(Debug, Clone, PartialEq, Eq, ToSchema, Serialize, Deserialize)]
 pub struct LayerProviderListing {
     pub id: DataProviderId,
     pub name: String,

services/src/contexts/migrations/current_schema.sql

@@ -1168,60 +1168,76 @@ CREATE UNIQUE INDEX ON permissions (
     ml_model_id
 );
 
+CREATE UNIQUE INDEX ON permissions (
+    role_id,
+    permission,
+    provider_id
+);
+
 CREATE VIEW user_permitted_datasets
 AS
 SELECT
     r.user_id,
     p.dataset_id,
-    p.permission
+    MAX(p.permission) AS max_permission
 FROM user_roles AS r
-INNER JOIN permissions AS p ON (
-    r.role_id = p.role_id AND p.dataset_id IS NOT NULL
-);
+INNER JOIN permissions AS p
+    ON (
+        r.role_id = p.role_id AND p.dataset_id IS NOT NULL
+    )
+GROUP BY r.user_id, p.dataset_id;
 
 CREATE VIEW user_permitted_projects
 AS
 SELECT
     r.user_id,
     p.project_id,
-    p.permission
+    MAX(p.permission) AS max_permission
 FROM user_roles AS r
-INNER JOIN permissions AS p ON (
-    r.role_id = p.role_id AND p.project_id IS NOT NULL
-);
+INNER JOIN permissions AS p
+    ON (
+        r.role_id = p.role_id AND p.project_id IS NOT NULL
+    )
+GROUP BY r.user_id, p.project_id;
 
 CREATE VIEW user_permitted_layer_collections
 AS
 SELECT
     r.user_id,
     p.layer_collection_id,
-    p.permission
+    MAX(p.permission) AS max_permission
 FROM user_roles AS r
-INNER JOIN permissions AS p ON (
-    r.role_id = p.role_id AND p.layer_collection_id IS NOT NULL
-);
+INNER JOIN permissions AS p
+    ON (
+        r.role_id = p.role_id AND p.layer_collection_id IS NOT NULL
+    )
+GROUP BY r.user_id, p.layer_collection_id;
 
 CREATE VIEW user_permitted_layers
 AS
 SELECT
     r.user_id,
     p.layer_id,
-    p.permission
+    MAX(p.permission) AS max_permission
 FROM user_roles AS r
-INNER JOIN permissions AS p ON (
-    r.role_id = p.role_id AND p.layer_id IS NOT NULL
-);
+INNER JOIN permissions AS p
+    ON (
+        r.role_id = p.role_id AND p.layer_id IS NOT NULL
+    )
+GROUP BY r.user_id, p.layer_id;
 
 CREATE VIEW user_permitted_providers
 AS
 SELECT
     r.user_id,
     p.provider_id,
-    p.permission
+    MAX(p.permission) AS max_permission
 FROM user_roles AS r
-INNER JOIN permissions AS p ON (
-    r.role_id = p.role_id AND p.provider_id IS NOT NULL
-);
+INNER JOIN permissions AS p
+    ON (
+        r.role_id = p.role_id AND p.provider_id IS NOT NULL
+    )
+GROUP BY r.user_id, p.provider_id;
 
 CREATE TABLE oidc_session_tokens (
     session_id uuid PRIMARY KEY REFERENCES sessions (
@@ -1239,11 +1255,13 @@ AS
 SELECT
     r.user_id,
     p.ml_model_id,
-    p.permission
+    MAX(p.permission) AS max_permission
 FROM user_roles AS r
-INNER JOIN permissions AS p ON (
-    r.role_id = p.role_id AND p.ml_model_id IS NOT NULL
-);
+INNER JOIN permissions AS p
+    ON (
+        r.role_id = p.role_id AND p.ml_model_id IS NOT NULL
+    )
+GROUP BY r.user_id, p.ml_model_id;
 
 CREATE TABLE quota_log (
     timestamp timestamp with time zone NOT NULL DEFAULT CURRENT_TIMESTAMP,

services/src/contexts/migrations/migration_0022_permission_queries.rs

@@ -0,0 +1,26 @@
+use super::database_migration::{DatabaseVersion, Migration};
+use crate::contexts::migrations::migration_0021_default_permissions_for_existing_providers::Migration0021DefaultPermissionsForExistingProviders;
+use crate::error::Result;
+use async_trait::async_trait;
+use tokio_postgres::Transaction;
+
+/// This migration adds the provider permissions
+pub struct Migration0022PermissionQueries;
+
+#[async_trait]
+impl Migration for Migration0022PermissionQueries {
+    fn prev_version(&self) -> Option<DatabaseVersion> {
+        Some(Migration0021DefaultPermissionsForExistingProviders.version())
+    }
+
+    fn version(&self) -> DatabaseVersion {
+        "0022_permission_queries".into()
+    }
+
+    async fn migrate(&self, tx: &Transaction<'_>) -> Result<()> {
+        tx.batch_execute(include_str!("migration_0022_permission_queries.sql"))
+            .await?;
+
+        Ok(())
+    }
+}