Add one more check.

epam · Feb 20, 2025 · 1d169fd · 1d169fd
1 parent 46780b6
commit 1d169fd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 9 deletions.
diff --git a/server/src/main/java/com/epam/aidial/core/server/security/AccessService.java b/server/src/main/java/com/epam/aidial/core/server/security/AccessService.java
@@ -213,14 +213,9 @@ public static Map<ResourceDescriptor, Set<ResourceAccessType>> getAppResourceAcc
             }
 
             String parentPath = resource.getParentPath();
-            String filePath;
-            if (resource.isFolder()) {
-                filePath = parentPath;
-            } else {
-                filePath = parentPath == null
-                        ? resource.getName()
-                        : parentPath + ResourceDescriptor.PATH_SEPARATOR + resource.getName();
-            }
+            String filePath = (parentPath == null)
+                    ? resource.getName()
+                    : parentPath + ResourceDescriptor.PATH_SEPARATOR + resource.getName();
 
             if (filePath != null && filePath.startsWith(appPath)) {
                 result.put(resource, ResourceAccessType.ALL);

diff --git a/server/src/test/java/com/epam/aidial/core/server/FileApiTest.java b/server/src/test/java/com/epam/aidial/core/server/FileApiTest.java
@@ -1622,9 +1622,10 @@ public void testIfMatch(Vertx vertx, VertxTestContext context) {
     public void testAdminRightsNotInheritedByPerRequestKey(Vertx vertx, VertxTestContext context) {
         ApiKeyData perRequestKey = new ApiKeyData();
         perRequestKey.setExtractedClaims(createClaims("admin"));
+        perRequestKey.setSourceDeployment("testapp");
         apiKeyStore.assignPerRequestApiKey(perRequestKey);
 
-        Checkpoint checkpoint = context.checkpoint(3);
+        Checkpoint checkpoint = context.checkpoint(4);
         WebClient client = WebClient.create(vertx);
 
         String fileUrl = "/v1/files/3CcedGxCx23EwiVbVmscVktScRyf46KypuBQ65miviST/file.txt";
@@ -1658,6 +1659,20 @@ public void testAdminRightsNotInheritedByPerRequestKey(Vertx vertx, VertxTestCon
                         });
                     }));
             return promise.future();
+        }).compose((mapper) -> {
+            // Verify that a per-request key has access to the appdata inside admin's bucket
+            Promise<Void> promise = Promise.promise();
+            client.get(serverPort, "localhost", "/v1/metadata/files/4X25dj1mja51jykqxsXnCH/appdata/testapp/")
+                    .putHeader("Api-key", perRequestKey.getPerRequestKey())
+                    .as(BodyCodec.string())
+                    .send(context.succeeding(response -> {
+                        context.verify(() -> {
+                            assertEquals(200, response.statusCode());
+                            checkpoint.flag();
+                            promise.complete();
+                        });
+                    }));
+            return promise.future();
         }).andThen((mapper) -> {
             // Ensure that a per-request key derived from admin key does not grant access to the file
             client.get(serverPort, "localhost", fileUrl)