From 5991705083f50e0d40b9f9482c567b062f142415 Mon Sep 17 00:00:00 2001
From: Sonia Zorba
Date: Sat, 9 Jan 2021 10:57:43 +0100
Subject: [PATCH] Added check for ownerId on file download
---
 .../ia2/transfer/controller/FileInfo.java | 9 ++++++
 .../controller/GetFileController.java | 10 +++++-
 .../ia2/transfer/persistence/FileDAO.java | 3 +-
 .../controller/GetFileControllerTest.java | 32 +++++++++++++++++++
 4 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/src/main/java/it/inaf/ia2/transfer/controller/FileInfo.java b/src/main/java/it/inaf/ia2/transfer/controller/FileInfo.java
index e8ad243..2f339af 100644
--- a/src/main/java/it/inaf/ia2/transfer/controller/FileInfo.java
+++ b/src/main/java/it/inaf/ia2/transfer/controller/FileInfo.java
@@ -8,6 +8,7 @@ public class FileInfo {
 private boolean isPublic;
 private List groupRead;
 private List groupWrite;
+ private String ownerId;
 private boolean asyncTrans;
 public String getOsRelPath() {
@@ -42,6 +43,14 @@ public class FileInfo {
 this.groupWrite = groupWrite;
 }
+ public String getOwnerId() {
+ return ownerId;
+ }
+
+ public void setOwnerId(String ownerId) {
+ this.ownerId = ownerId;
+ }
+
 public boolean isAsyncTrans() {
 return asyncTrans;
 }
diff --git a/src/main/java/it/inaf/ia2/transfer/controller/GetFileController.java b/src/main/java/it/inaf/ia2/transfer/controller/GetFileController.java
index eb386d9..50a5c1d 100644
--- a/src/main/java/it/inaf/ia2/transfer/controller/GetFileController.java
+++ b/src/main/java/it/inaf/ia2/transfer/controller/GetFileController.java
@@ -64,10 +64,18 @@ public class GetFileController {
 }
 private boolean privateButDownloadable(FileInfo fileInfo) {
- String token = ((TokenPrincipal) request.getUserPrincipal()).getToken();
+
+ TokenPrincipal principal = (TokenPrincipal) request.getUserPrincipal();
+
+ String token = principal.getToken();
 if (token == null) {
 return false;
 }
+
+ if (principal.getName().equals(fileInfo.getOwnerId())) {
+ return true;
+ }
+
 // TODO: configure cache
 if (fileInfo.getGroupRead() == null) {
 return false;
diff --git a/src/main/java/it/inaf/ia2/transfer/persistence/FileDAO.java b/src/main/java/it/inaf/ia2/transfer/persistence/FileDAO.java
index 89c4354..9e6928b 100644
--- a/src/main/java/it/inaf/ia2/transfer/persistence/FileDAO.java
+++ b/src/main/java/it/inaf/ia2/transfer/persistence/FileDAO.java
@@ -25,7 +25,7 @@ public class FileDAO {
 public Optional getFileInfo(String virtualPath) {
- String sql = "select os_path, is_public, group_read, group_write, async_trans from\n"
+ String sql = "select os_path, is_public, group_read, group_write, owner_id, async_trans from\n"
 + "node n join node_path p on n.node_id = p.node_id\n"
 + "and vos_path = ?";
@@ -40,6 +40,7 @@ public class FileDAO {
 fi.setIsPublic(rs.getBoolean("is_public"));
 fi.setGroupRead(toList(rs.getArray("group_read")));
 fi.setGroupWrite(toList(rs.getArray("group_write")));
+ fi.setOwnerId(rs.getString("owner_id"));
 fi.setAsyncTrans(rs.getBoolean("async_trans"));
 return fi;
 }
diff --git a/src/test/java/it/inaf/ia2/transfer/controller/GetFileControllerTest.java b/src/test/java/it/inaf/ia2/transfer/controller/GetFileControllerTest.java
index 3f2a2d1..9eddbfa 100644
--- a/src/test/java/it/inaf/ia2/transfer/controller/GetFileControllerTest.java
+++ b/src/test/java/it/inaf/ia2/transfer/controller/GetFileControllerTest.java
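Review bot: The owner check `principal.getName().equals(fileInfo.getOwnerId())` dereferences the principal name, so if `getName()` can ever be null (in the test hunk it appears to come from the `sub` claim) an otherwise valid token would raise a NullPointerException and surface as a server error instead of a clean refusal; the `token == null` guard just above does not cover that case. Put the null guard on the value that may legitimately be absent and make sure a file with no owner can never match: `String ownerId = fileInfo.getOwnerId();` followed by `if (ownerId != null && ownerId.equals(principal.getName())) {`. Do not reach for `Objects.equals` here, since it would treat a null owner and a null subject as equal and grant access to rows whose owner_id is unset. The body of privateButDownloadable continues past the end of this hunk, so the remaining group-based branches were not reviewed.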
@@ -130,4 +130,36 @@ public class GetFileControllerTest {
 when(fileDao.getFileInfo(any())).thenReturn(Optional.of(fileInfo));
 }
+
+ @Test
+ public void getPrivateFileByOwnerId() throws Exception {
+
+ Map claims = new HashMap<>();
+ claims.put("sub", "123");
+
+ when(tokenParser.getClaims(any())).thenReturn(claims);
+
+ FileInfo fileInfo = new FileInfo();
+ fileInfo.setOsRelPath(tempFile.getAbsolutePath());
+ fileInfo.setOwnerId("123");
+
+ when(fileDao.getFileInfo(any())).thenReturn(Optional.of(fileInfo));
+
+ mockMvc.perform(get("/path/to/myfile")
+ .header("Authorization", "Bearer: "))
+ .andDo(print())
+ .andExpect(status().isOk());
+ }
+
+ @Test
+ public void testPrivateFileNullToken() throws Exception {
+
+ FileInfo fileInfo = new FileInfo();
+
+ when(fileDao.getFileInfo(any())).thenReturn(Optional.of(fileInfo));
+
+ mockMvc.perform(get("/path/to/myfile"))
+ .andDo(print())
+ .andExpect(status().isUnauthorized());
+ }
 }
--
GitLab
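Review bot: The new tests only cover the grant path (owner with a token) and the unauthenticated path; nothing in the hunk verifies that an authenticated non-owner is still refused a private file, so a regression in the owner comparison that matches everyone, or one that matches a null owner against a null subject, would pass this suite. Add a sibling of getPrivateFileByOwnerId that uses `claims.put("sub", "456");` against `fileInfo.setOwnerId("123");` with no group_read set and asserts the response is not 200, using whichever denial status the existing group tests in this class already expect. A second variant with `fileInfo.setOwnerId(null)` and a token would pin the fail-closed behavior for rows whose owner_id column is empty. `Map claims = new HashMap<>()` reads as a raw type here, though that may be generics lost in rendering rather than in the source.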