Merge pull request #3345 from keshavprasadms/release-4.9.0

fix: SB-29996 tnc api check rewrite to handle different scenarios

Merge pull request #3345 from keshavprasadms/release-4.9.0
fix: SB-29996 tnc api check rewrite to handle different scenarios
44f4c5a6 · G33tha · GitHub · 6557d75a · 15ecc840 · 44f4c5a6
Unverified Commit 44f4c5a6 authored 2 years ago by G33tha Committed by GitHub 2 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 160 additions and 4 deletions
+160 -4
--- a/kubernetes/opa/learner/policies.rego
+++ b/kubernetes/opa/learner/policies.rego
@@ -30,32 +30,85 @@ urls_to_action_mapping := {
  "/v2/org/preferences/update": "updateTenantPreferences"
 }

+# Tnc API policy updates to handle different scenarios as explained below
+# When some or all payloads are missing:
+# 1. Missing userid and tnc type
+# 2. Missing tnc type
+# 3. Missing userid and tnc type not as orgAdminTnc / reportViewerTnc
+# 4. Missing userid but tnc type as orgAdminTnc / reportViewerTnc
+# When all payloads are present:
+# 5. Both userid, tnc type present and tnc type not as orgAdminTnc / reportViewerTnc
+# 6. Both userid, tnc type present and tnc type as orgAdminTnc / reportViewerTnc
+# Issue identified as part of -
+# - https://project-sunbird.atlassian.net/browse/SB-29723 
+# - https://project-sunbird.atlassian.net/browse/SB-29996
+
+# Point #1
+acceptTermsAndCondition {
+  super.public_role_check
+  not input.parsed_body.request.userId
+  not input.parsed_body.request.tncType
+}
+
+# Point #2
+acceptTermsAndCondition {
+  super.public_role_check
+  input.parsed_body.request.userId == super.userid
+  not input.parsed_body.request.tncType
+}
+
+# Point #3
+acceptTermsAndCondition {
+  super.public_role_check
+  not input.parsed_body.request.userId
+  not input.parsed_body.request.tncType in ["orgAdminTnc", "reportViewerTnc"]
+}
+
+# Point #4 - As orgAdminTnc
 acceptTermsAndCondition {
  acls := ["acceptTnc"]
  roles := ["ORG_ADMIN"]
  super.acls_check(acls)
  super.role_check(roles)
+  not input.parsed_body.request.userId
  "orgAdminTnc" == input.parsed_body.request.tncType
 }

+# Point #4 - As reportViewerTnc
 acceptTermsAndCondition {
  acls := ["acceptTnc"]
  roles := ["REPORT_VIEWER", "REPORT_ADMIN"]
  super.acls_check(acls)
  super.role_check(roles)
+  not input.parsed_body.request.userId
  "reportViewerTnc" == input.parsed_body.request.tncType
 }

+# Point #5
 acceptTermsAndCondition {
  super.public_role_check
  input.parsed_body.request.userId == super.userid
+  not input.parsed_body.request.tncType in ["orgAdminTnc", "reportViewerTnc"]
 }

-# Optional request.userId - https://project-sunbird.atlassian.net/browse/SB-29723
+# Point #6 - As orgAdminTnc
 acceptTermsAndCondition {
-  super.public_role_check
-  not input.parsed_body.request.tncType
-  not input.parsed_body.request.userId
+  acls := ["acceptTnc"]
+  roles := ["ORG_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+  input.parsed_body.request.userId == super.userid
+  "orgAdminTnc" == input.parsed_body.request.tncType
+}
+
+# Point #6 - As reportViewerTnc
+acceptTermsAndCondition {
+  acls := ["acceptTnc"]
+  roles := ["REPORT_VIEWER", "REPORT_ADMIN"]
+  super.acls_check(acls)
+  super.role_check(roles)
+  input.parsed_body.request.userId == super.userid
+  "reportViewerTnc" == input.parsed_body.request.tncType
 }

 updateUser {

--- a/kubernetes/opa/learner/policies_test.rego
+++ b/kubernetes/opa/learner/policies_test.rego
@@ -32,6 +32,32 @@ test_accept_terms_and_conditions_as_org_admin {
    }
 }

+test_accept_terms_and_conditions_as_org_admin_with_userid {
+    data.main.allow.allowed
+    with data.common.current_time as current_time
+    with data.common.iss as iss
+    with input as
+    {
+      "attributes": {
+        "request": {
+          "http": {
+            "headers": {
+              "x-authenticated-user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFjY2Vzc3YxX2tleTEifQ.eyJhdWQiOiJodHRwczovL3N1bmJpcmRlZC5vcmcvYXV0aC9yZWFsbXMvc3VuYmlyZCIsInN1YiI6ImY6NWJiNmM4N2MtN2M4OC00ZDJiLWFmN2UtNTM0YTJmZWY5NzhkOjI4YjBkMDhmLWMyZWEtNDBkMS1iY2QwLThhZTAwZmNhNjZiZSIsInJvbGVzIjpbeyJyb2xlIjoiQk9PS19DUkVBVE9SIiwic2NvcGUiOlt7Im9yZ2FuaXNhdGlvbklkIjoiMDEzNjk4Nzg3OTc1MDM2OTI4MTAifV19LHsicm9sZSI6IkNPTlRFTlRfQ1JFQVRPUiIsInNjb3BlIjpbeyJvcmdhbmlzYXRpb25JZCI6IjAxMzY5ODc4Nzk3NTAzNjkyODEwIn1dfSx7InJvbGUiOiJDT05URU5UX1JFVklFV0VSIiwic2NvcGUiOlt7Im9yZ2FuaXNhdGlvbklkIjoiMDEzNjk4Nzg3OTc1MDM2OTI4MTAifV19LHsicm9sZSI6IkNPVVJTRV9NRU5UT1IiLCJzY29wZSI6W3sib3JnYW5pc2F0aW9uSWQiOiIwMTM2OTg3ODc5NzUwMzY5MjgxMCJ9XX0seyJyb2xlIjoiUFJPR1JBTV9ERVNJR05FUiIsInNjb3BlIjpbeyJvcmdhbmlzYXRpb25JZCI6IjAxMzY5ODc4Nzk3NTAzNjkyODEwIn1dfSx7InJvbGUiOiJSRVBPUlRfVklFV0VSIiwic2NvcGUiOlt7Im9yZ2FuaXNhdGlvbklkIjoiMDEzNjk4Nzg3OTc1MDM2OTI4MTAifV19LHsicm9sZSI6Ik9SR19BRE1JTiIsInNjb3BlIjpbeyJvcmdhbmlzYXRpb25JZCI6IjAxMzY5ODc4Nzk3NTAzNjkyODEwIn0seyJvcmdhbmlzYXRpb25JZCI6IjAxNDcxOTIzNTY3ODEyMzQ1Njc4In1dfSx7InJvbGUiOiJQVUJMSUMiLCJzY29wZSI6W119XSwiaXNzIjoiaHR0cHM6Ly9zdW5iaXJkZWQub3JnL2F1dGgvcmVhbG1zL3N1bmJpcmQiLCJuYW1lIjoiZGVtbyIsInR5cCI6IkJlYXJlciIsImV4cCI6MTY0MDIzNjEwMiwiaWF0IjoxNjQwMTQ5NzA1fQ.B3-TSdYSOlawPHjFdiRjXwvRbYQ_eH_HTiLKlH7vGS0rCOJ6HQbYyWOhZ7vbZPb3virkuyfhykFcYCEHBCkHY-fwGAeU58Pmhi0dnNJkR59Fa9y_75W98JXZW68HROp62ntEAKCA1oot_U4tYi-8UNoR17Gszj9iYzFEBc6TZA4Lrom_9gqhBOYzL0ISFWSS6oG94EaaKDYHyWzCSjU2nYRB_fn-tODmnVJ12GRJAc1oM9y54o8neNYsl4T_xPyD34v-CinUJM8jzDjFqK5_O3HnAbcmXvkZjFRgfk4mF1V4s5hlsTJGyhi2JOPh90C5N-HbAY8QsPBnzgYFQU_sww"
+            },
+            "path": "/v1/user/tnc/accept"
+          }
+        }
+      },
+      "parsed_body": {
+        "request": {
+          "userId": "28b0d08f-c2ea-40d1-bcd0-8ae00fca66be",
+          "tncType": "orgAdminTnc",
+           "version": "4.7.0"
+        }
+      }
+    }
+}
+
 test_accept_terms_and_conditions_as_report_viewer {
    data.main.allow.allowed
    with data.common.current_time as current_time
@@ -57,6 +83,32 @@ test_accept_terms_and_conditions_as_report_viewer {
    }
 }

+test_accept_terms_and_conditions_as_report_viewer_with_userid {
+    data.main.allow.allowed
+    with data.common.current_time as current_time
+    with data.common.iss as iss
+    with input as
+    {
+      "attributes": {
+        "request": {
+          "http": {
+            "headers": {
+              "x-authenticated-user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFjY2Vzc3YxX2tleTEifQ.eyJhdWQiOiJodHRwczovL3N1bmJpcmRlZC5vcmcvYXV0aC9yZWFsbXMvc3VuYmlyZCIsInN1YiI6ImY6NWJiNmM4N2MtN2M4OC00ZDJiLWFmN2UtNTM0YTJmZWY5NzhkOjI4YjBkMDhmLWMyZWEtNDBkMS1iY2QwLThhZTAwZmNhNjZiZSIsInJvbGVzIjpbeyJyb2xlIjoiQk9PS19DUkVBVE9SIiwic2NvcGUiOlt7Im9yZ2FuaXNhdGlvbklkIjoiMDEzNjk4Nzg3OTc1MDM2OTI4MTAifV19LHsicm9sZSI6IkNPTlRFTlRfQ1JFQVRPUiIsInNjb3BlIjpbeyJvcmdhbmlzYXRpb25JZCI6IjAxMzY5ODc4Nzk3NTAzNjkyODEwIn1dfSx7InJvbGUiOiJDT05URU5UX1JFVklFV0VSIiwic2NvcGUiOlt7Im9yZ2FuaXNhdGlvbklkIjoiMDEzNjk4Nzg3OTc1MDM2OTI4MTAifV19LHsicm9sZSI6IkNPVVJTRV9NRU5UT1IiLCJzY29wZSI6W3sib3JnYW5pc2F0aW9uSWQiOiIwMTM2OTg3ODc5NzUwMzY5MjgxMCJ9XX0seyJyb2xlIjoiUFJPR1JBTV9ERVNJR05FUiIsInNjb3BlIjpbeyJvcmdhbmlzYXRpb25JZCI6IjAxMzY5ODc4Nzk3NTAzNjkyODEwIn1dfSx7InJvbGUiOiJSRVBPUlRfVklFV0VSIiwic2NvcGUiOlt7Im9yZ2FuaXNhdGlvbklkIjoiMDEzNjk4Nzg3OTc1MDM2OTI4MTAifV19LHsicm9sZSI6Ik9SR19BRE1JTiIsInNjb3BlIjpbeyJvcmdhbmlzYXRpb25JZCI6IjAxMzY5ODc4Nzk3NTAzNjkyODEwIn0seyJvcmdhbmlzYXRpb25JZCI6IjAxNDcxOTIzNTY3ODEyMzQ1Njc4In1dfSx7InJvbGUiOiJQVUJMSUMiLCJzY29wZSI6W119XSwiaXNzIjoiaHR0cHM6Ly9zdW5iaXJkZWQub3JnL2F1dGgvcmVhbG1zL3N1bmJpcmQiLCJuYW1lIjoiZGVtbyIsInR5cCI6IkJlYXJlciIsImV4cCI6MTY0MDIzNjEwMiwiaWF0IjoxNjQwMTQ5NzA1fQ.B3-TSdYSOlawPHjFdiRjXwvRbYQ_eH_HTiLKlH7vGS0rCOJ6HQbYyWOhZ7vbZPb3virkuyfhykFcYCEHBCkHY-fwGAeU58Pmhi0dnNJkR59Fa9y_75W98JXZW68HROp62ntEAKCA1oot_U4tYi-8UNoR17Gszj9iYzFEBc6TZA4Lrom_9gqhBOYzL0ISFWSS6oG94EaaKDYHyWzCSjU2nYRB_fn-tODmnVJ12GRJAc1oM9y54o8neNYsl4T_xPyD34v-CinUJM8jzDjFqK5_O3HnAbcmXvkZjFRgfk4mF1V4s5hlsTJGyhi2JOPh90C5N-HbAY8QsPBnzgYFQU_sww"
+            },
+            "path": "/v1/user/tnc/accept"
+          }
+        }
+      },
+      "parsed_body": {
+        "request": {
+          "userId": "28b0d08f-c2ea-40d1-bcd0-8ae00fca66be",
+          "tncType": "reportViewerTnc",
+          "version": "4.7.0"
+        }
+      }
+    }
+}
+
 test_accept_terms_and_conditions_as_public_user {
    data.main.allow.allowed
    with data.common.current_time as current_time
@@ -106,6 +158,57 @@ test_accept_terms_and_conditions_as_public_user_without_userid {
    }
 }

+test_accept_terms_and_conditions_as_public_user_without_userid_other_tnc_types {
+    data.main.allow.allowed
+    with data.common.current_time as current_time
+    with data.common.iss as iss
+    with input as
+    {
+      "attributes": {
+        "request": {
+          "http": {
+            "headers": {
+              "x-authenticated-user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFjY2Vzc3YxX2tleTEifQ.eyJhdWQiOiJodHRwczovL3N1bmJpcmRlZC5vcmcvYXV0aC9yZWFsbXMvc3VuYmlyZCIsInN1YiI6ImY6NWJiNmM4N2MtN2M4OC00ZDJiLWFmN2UtNTM0YTJmZWY5NzhkOjI4YjBkMDhmLWMyZWEtNDBkMS1iY2QwLThhZTAwZmNhNjZiZSIsInJvbGVzIjpbeyJyb2xlIjoiUFVCTElDIiwic2NvcGUiOltdfV0sImlzcyI6Imh0dHBzOi8vc3VuYmlyZGVkLm9yZy9hdXRoL3JlYWxtcy9zdW5iaXJkIiwibmFtZSI6ImRlbW8iLCJ0eXAiOiJCZWFyZXIiLCJleHAiOjE2NDAyMzYxMDIsImlhdCI6MTY0MDE0OTcwNX0.iyFqdJG_9xF07S94bkfVDiWHmDWAmhCEmapu37Mto78s5OkOJQy-agXFjtQtgV5rFudHiVRukNpKXqlJ8GhasmW7fSEPL-fDKMilMIi4JCZi7d19AkFeq8mX0rI31m3zjCv-TcMPPWWNM4udR7kSj-tUOB-vupGZ1iRAtQU2lqrUCl1A84UYDqnJTokz6RVlr_Z4lRCzFn__aGsDZXO8h7juM4mAepVMy3wVhmbKR2R5WF5xQIvVjzEveRYj8P26VUg73wo_RtyRI5mQjbxyBaIX287pWe3kCu1KKwYQkBlRLx9da39g9TKZWXxD5ArCYMC83EmEeFI0LJicYDTXFg"
+            },
+            "path": "/v1/user/tnc/accept"
+          }
+        }
+      },
+      "parsed_body": {
+        "request": {
+          "version": "v8",
+          "tncType": "groupsTnc"
+        }
+      }
+    }
+}
+
+test_accept_terms_and_conditions_as_public_user_with_userid_other_tnc_types {
+    data.main.allow.allowed
+    with data.common.current_time as current_time
+    with data.common.iss as iss
+    with input as
+    {
+      "attributes": {
+        "request": {
+          "http": {
+            "headers": {
+              "x-authenticated-user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFjY2Vzc3YxX2tleTEifQ.eyJhdWQiOiJodHRwczovL3N1bmJpcmRlZC5vcmcvYXV0aC9yZWFsbXMvc3VuYmlyZCIsInN1YiI6ImY6NWJiNmM4N2MtN2M4OC00ZDJiLWFmN2UtNTM0YTJmZWY5NzhkOjI4YjBkMDhmLWMyZWEtNDBkMS1iY2QwLThhZTAwZmNhNjZiZSIsInJvbGVzIjpbeyJyb2xlIjoiUFVCTElDIiwic2NvcGUiOltdfV0sImlzcyI6Imh0dHBzOi8vc3VuYmlyZGVkLm9yZy9hdXRoL3JlYWxtcy9zdW5iaXJkIiwibmFtZSI6ImRlbW8iLCJ0eXAiOiJCZWFyZXIiLCJleHAiOjE2NDAyMzYxMDIsImlhdCI6MTY0MDE0OTcwNX0.iyFqdJG_9xF07S94bkfVDiWHmDWAmhCEmapu37Mto78s5OkOJQy-agXFjtQtgV5rFudHiVRukNpKXqlJ8GhasmW7fSEPL-fDKMilMIi4JCZi7d19AkFeq8mX0rI31m3zjCv-TcMPPWWNM4udR7kSj-tUOB-vupGZ1iRAtQU2lqrUCl1A84UYDqnJTokz6RVlr_Z4lRCzFn__aGsDZXO8h7juM4mAepVMy3wVhmbKR2R5WF5xQIvVjzEveRYj8P26VUg73wo_RtyRI5mQjbxyBaIX287pWe3kCu1KKwYQkBlRLx9da39g9TKZWXxD5ArCYMC83EmEeFI0LJicYDTXFg"
+            },
+            "path": "/v1/user/tnc/accept"
+          }
+        }
+      },
+      "parsed_body": {
+        "request": {
+          "userId": "28b0d08f-c2ea-40d1-bcd0-8ae00fca66be",
+          "version": "v8",
+          "tncType": "groupsTnc"
+        }
+      }
+    }
+}
+
 test_update_user {
    data.main.allow.allowed
    with data.common.current_time as current_time