Feat: add missing CF header in public case

gisaia · Feb 17, 2025 · c43529a · c43529a
1 parent f3ce733
commit c43529a
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/arlas-commons/src/main/java/io/arlas/filter/impl/AbstractPolicyEnforcer.java b/arlas-commons/src/main/java/io/arlas/filter/impl/AbstractPolicyEnforcer.java
@@ -73,6 +73,8 @@ public abstract class AbstractPolicyEnforcer implements PolicyEnforcer {
     public static final String ORGANIZATION_NAME = "organization.name";
     public static final String USER_ID = "user.id";
     public static final String USER_EMAIL = "user.emaild";
+    // This filter is used to protect private collection in public endpoint
+    public static final String DUMMY_COLUMN_FILTER = "dummy:*";
 
     private final Logger LOGGER = LoggerFactory.getLogger(AbstractPolicyEnforcer.class);
     protected ArlasAuthConfiguration authConf;
@@ -214,7 +216,7 @@ public void filter(ContainerRequestContext ctx, String method, String path, Stri
                             logUAM(LOGGER::debug, ALLOWED, "public (no token): " + log);
                         }
                         // use a dummy CF in order to bypass the CFUtil and give access to public collections
-                        ctx.getHeaders().add(COLUMN_FILTER, "*:*");
+                        ctx.getHeaders().add(COLUMN_FILTER, DUMMY_COLUMN_FILTER);
                     }
                     return;
                 }
@@ -281,6 +283,7 @@ public void filter(ContainerRequestContext ctx, String method, String path, Stri
                 }
                 if (isPublic) {
                     putDecision(getDecisionCacheKey(ctx, method, fullPath, accessToken), Boolean.TRUE);
+                    ctx.getHeaders().add(COLUMN_FILTER, DUMMY_COLUMN_FILTER);
                     logUAM(LOGGER::debug, ALLOWED, "public (with token): " + log);
                     return;
                 }
@@ -290,6 +293,7 @@ public void filter(ContainerRequestContext ctx, String method, String path, Stri
                     logUAM(LOGGER::warn, DENIED,"unauthorized (invalid token): " + log);
                     ctx.abortWith(Response.status(UNAUTHORIZED).build());
                 } else {
+                    ctx.getHeaders().add(COLUMN_FILTER, DUMMY_COLUMN_FILTER);
                     logUAM(LOGGER::debug, ALLOWED,"public (invalid token): " + log);
                 }
                 return;

diff --git a/arlas-rest/src/main/java/io/arlas/server/rest/collections/CollectionService.java b/arlas-rest/src/main/java/io/arlas/server/rest/collections/CollectionService.java
@@ -172,8 +172,9 @@ public Response importCollections(
         Set<String> allowedCollections = ColumnFilterUtil.getAllowedCollections(Optional.ofNullable(columnFilter));
         for (CollectionReference collection : collections) {
             for (String c : allowedCollections) {
+                // In case of collection/* POST is public, we import only public collection, because of dummy column filter ctx.getHeaders().add(COLUMN_FILTER, "dummy:*");
                 if ((c.endsWith("*") && collection.collectionName.startsWith(c.substring(0, c.indexOf("*"))))
-                        || collection.collectionName.equals(c)) {
+                        || collection.collectionName.equals(c) || collection.params.collectionOrganisations.isPublic) {
                     try {
                         savedCollections.add(save(collection.collectionName, collection.params, true, organisations));
                     } catch (Exception e) {
@@ -531,6 +532,8 @@ public CollectionReference save(String collection, CollectionReferenceParameters
     })
 
     public Response delete(
+            @Parameter(hidden = true)
+            @HeaderParam(value = ARLAS_ORGANISATION) String organisations,
             @Parameter(name = "collection",
                     description = "collection",
                     required = true)
@@ -547,6 +550,8 @@ public Response delete(
         if (collection != null && collection.equals(META_COLLECTION_NAME)) {
             throw new NotAllowedException("Forbidden operation on '" + META_COLLECTION_NAME + "'");
         }
+        CollectionReference collectionReference = collectionReferenceService.getCollectionReference(collection,Optional.ofNullable(organisations));
+        collectionReferenceService.checkIfAllowedForOrganisations(collectionReference, Optional.ofNullable(organisations), true);
         collectionReferenceService.deleteCollectionReference(collection);
         return ResponseFormatter.getSuccessResponse("Collection " + collection + " deleted.");
     }

diff --git a/arlas-tests/src/test/java/io/arlas/server/tests/CollectionTool.java b/arlas-tests/src/test/java/io/arlas/server/tests/CollectionTool.java
@@ -34,6 +34,7 @@
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.net.UnknownHostException;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
@@ -153,6 +154,10 @@ public  void loadCsw(long sleepAfter) throws IOException {
                     params.rasterTileURL = DataSetTool.DATASET_TILE_URL;
                     params.dublinCoreElementName=dublinCoreElementName;
                     params.inspire = new Inspire();
+                    params.collectionOrganisations = new CollectionOrganisations();
+                    params.collectionOrganisations.isPublic = true;
+                    params.collectionOrganisations.owner="";
+                    params.collectionOrganisations.sharedWith = new ArrayList<>();
                     params.inspire.lineage = DataSetTool.DATASET_INSPIRE_LINEAGE;
                     params.inspire.topicCategories = Arrays.asList(DataSetTool.DATASET_INSPIRE_TOPIC_CATEGORY);
                     String url = arlasPath + "collections/" + dublinCoreElementName.title.split(" ")[0].toLowerCase();