From d0dea25aadf53b54dfe20b5a6faed277e472c9e5 Mon Sep 17 00:00:00 2001
From: ggmaleva
Date: Wed, 10 Mar 2021 13:30:39 +0300
Subject: [PATCH] add checking invitation method with id
---
 .../orgmanager/controller/OrgsController.java | 4 +--
 .../service/ResourceAccessService.java | 2 ++
 .../service/ResourceAccessServiceImpl.java | 23 +++++++++++++
 .../controller/OrgsControllerTest.java | 16 +++++++++
 .../ResourceAccessServiceImplTest.java | 34 +++++++++++++++++++
 5 files changed, 77 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java b/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
index 3745202..b0e2964 100644
--- a/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
+++ b/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
@@ -88,13 +88,13 @@ public class OrgsController implements OrgsApi {
 return invitationService.create(orgId, invitationRequest, xIdempotencyKey);
 }
 
- // TODO что брать в контекст? (invitationId?)
 @Override
 public ResponseEntity getInvitation(
 String xRequestID,
 String orgId,
 String invitationId) {
 log.info("Get invitation: requestId={}, orgId={}, invitationId={}", xRequestID, orgId, invitationId);
+ resourceAccessService.checkInvitationRights(orgId, invitationId);
 return invitationService.get(invitationId);
 }
 
@@ -105,11 +105,11 @@ public class OrgsController implements OrgsApi {
 return invitationService.list(orgId, status);
 }
 
- // TODO что брать в контекст? (invitationId?)
 @Override
 public ResponseEntity revokeInvitation(String xRequestID, String orgId, String invitationId, InlineObject1 inlineObject1) {
 log.info("Revoke invitation: requestId={}, orgId={}, invitationId={}, payload={}", xRequestID, orgId, invitationId, inlineObject1);
+ resourceAccessService.checkInvitationRights(orgId, invitationId);
 return invitationService.revoke(orgId, invitationId, inlineObject1);
 }
 
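Review bot: The new check in getInvitation and revokeInvitation is fed only the two path parameters, and `invitationService.get(invitationId)` on the following line never receives `orgId`, so nothing in these hunks establishes that the invitation actually belongs to the organisation the caller is authorised for; the same gap is in the ResourceAccessServiceImpl hunk, where the InvitationDto handed to the bouncer carries just the id. Unless the bouncer policy resolves the invitation's owning organisation on its own (not visible here), a caller with rights in one organisation could read or revoke an invitation of another simply by supplying a foreign invitationId together with their own orgId. The check should resolve the invitation and verify that its organisation equals `orgId` (or the context DTO should carry the resolved owner) before `havePrivileges` is consulted, failing closed on a mismatch. Both controller methods start and end inside their hunks.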
diff --git a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
index e0608eb..8681e05 100644
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
@@ -20,4 +20,6 @@ public interface ResourceAccessService {
 
 void checkInvitationRights(String orgId, InvitationRequest invitationRequest);
 
+ void checkInvitationRights(String orgId, String invitationId);
+
 }
diff --git a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
index c7d9fca..97b92c9 100644
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
@@ -159,4 +159,27 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {
 invitation.getEmail()));
 }
 }
+
+ @Override
+ public void checkInvitationRights(String orgId, String invitationId) {
+ if (isCheckAccessDisabled()) {
+ return;
+ }
+ String callerMethodName = StackUtils.getCallerMethodName();
+ InvitationDto invitation = InvitationDto.builder()
+ .invitationId(invitationId)
+ .build();
+ BouncerContextDto bouncerContext = BouncerContextDto.builder()
+ .operationName(callerMethodName)
+ .organizationId(orgId)
+ .invitation(invitation)
+ .build();
+ log.info("Check the user's rights to perform the operation {} in organization {} with invitation {}",
+ callerMethodName, orgId, invitationId);
+ if (!bouncerService.havePrivileges(bouncerContext)) {
+ throw new AccessDeniedException(
+ String.format("No rights to perform %s in %s with invitation %s", callerMethodName, orgId,
+ invitationId));
+ }
+ }
 }
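Review bot: The new `checkInvitationRights(String orgId, String invitationId)` overload carries no Javadoc, and sitting directly under the InvitationRequest overload it is not obvious to a caller which one applies to which operation. I would add above it `/** Verifies that the current caller may perform the calling operation on invitation {@code invitationId} of organisation {@code orgId}; a no-op when access checking is disabled. @throws AccessDeniedException when the bouncer denies the operation */`, which is what the implementation in this commit does.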
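Review bot: The authorisation decision in the new checkInvitationRights(String, String) is keyed on `StackUtils.getCallerMethodName()`, so the `operationName` the bouncer evaluates is whatever method happens to sit one frame up rather than a declared operation; a call routed through a wrapper, a proxy or an async boundary would silently be judged against a different operation name. I would pass the operation name explicitly (or map it from a per-operation constant) and, until then, pin the constraint with a comment such as `// operationName is taken from the immediate caller; invoke this directly from the controller method` above the StackUtils line. The early `return` when `isCheckAccessDisabled()` is true also leaves no trace in the log that a check was skipped; a `log.warn` on that branch would make a misconfigured deployment visible in the logs rather than only in the tests.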
diff --git a/src/test/java/com/rbkmoney/orgmanager/controller/OrgsControllerTest.java b/src/test/java/com/rbkmoney/orgmanager/controller/OrgsControllerTest.java
index 294776a..fd65da6 100644
--- a/src/test/java/com/rbkmoney/orgmanager/controller/OrgsControllerTest.java
+++ b/src/test/java/com/rbkmoney/orgmanager/controller/OrgsControllerTest.java
@@ -168,6 +168,22 @@ public class OrgsControllerTest extends AbstractControllerTest {
 .anyMatch(memberRoleEntity -> memberRoleEntity.getId().equals(MEMBER_ID)));
 }
 
+ @Test
+ public void createInvitationWithoutAccess() throws Exception {
+ InvitationRequest invitation = TestData.buildInvitationRequest();
+ String body = objectMapper.writeValueAsString(invitation);
+
+ doThrow(new AccessDeniedException("Access denied")).when(resourceAccessService)
+ .checkInvitationRights(ORGANIZATION_ID, invitation);
+
+ mockMvc.perform(post(String.format("/orgs/%s/invitations", ORGANIZATION_ID))
+ .contentType("application/json")
+ .content(body)
+ .header("Authorization", "Bearer " + generateRBKadminJwt())
+ .header("X-Request-ID", "testRequestId"))
+ .andExpect(status().isForbidden());
+ }
+
 @Test
 public void createInvitationTest() throws Exception {
 InvitationRequest invitation = TestData.buildInvitationRequest();
diff --git a/src/test/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImplTest.java b/src/test/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImplTest.java
index e76276f..45b9e13 100644
--- a/src/test/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImplTest.java
+++ b/src/test/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImplTest.java
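Review bot: createInvitationWithoutAccess stubs the `checkInvitationRights(ORGANIZATION_ID, invitation)` overload and posts to the create endpoint, so it does not exercise the code this commit changes: the id-based check added to getInvitation and revokeInvitation is never hit at the controller level, and a regression that dropped either call would still pass. I would add two analogous tests that stub `checkInvitationRights(ORGANIZATION_ID, invitationId)` with doThrow and expect `status().isForbidden()` from the GET and from the revoke endpoint, reusing the mockMvc setup already in this hunk. The new test method starts and ends inside the hunk.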
@@ -234,4 +234,38 @@ class ResourceAccessServiceImplTest {
 assertDoesNotThrow(() -> resourceAccessService.checkInvitationRights(orgId, invitationRequest));
 }
 
+ @Test
+ void checkInvitationWithIdNotEnabled() {
+ accessProperties.setEnabled(false);
+ var orgId = TestObjectFactory.randomString();
+ var invitationId = TestObjectFactory.randomString();
+
+ assertDoesNotThrow(() -> resourceAccessService.checkInvitationRights(orgId, invitationId));
+
+ verify(bouncerService, times(0)).havePrivileges(any(BouncerContextDto.class));
+ }
+
+ @Test
+ void checkInvitationWithIdWithoutAccess() {
+ var orgId = TestObjectFactory.randomString();
+ var invitationId = TestObjectFactory.randomString();
+ when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(false);
+
+ var exception = assertThrows(AccessDeniedException.class,
+ () -> resourceAccessService.checkInvitationRights(orgId, invitationId));
+
+ assertThat(exception.getMessage(),
+ stringContainsInOrder("No rights to perform", orgId,
+ invitationId));
+ }
+
+ @Test
+ void checkInvitationWithIdSuccess() {
+ var orgId = TestObjectFactory.randomString();
+ var invitationId = TestObjectFactory.randomString();
+ when(bouncerService.havePrivileges(any(BouncerContextDto.class))).thenReturn(true);
+
+ assertDoesNotThrow(() -> resourceAccessService.checkInvitationRights(orgId, invitationId));
+ }
+
 }
\ No newline at end of file
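Review bot: All three new tests stub or verify `havePrivileges(any(BouncerContextDto.class))`, so none of them checks what the context passed to the bouncer contains; an implementation that dropped `.invitation(invitation)` or put a different value into `organizationId` would still pass checkInvitationWithIdSuccess and checkInvitationWithIdWithoutAccess. In the success case I would capture the argument with an `ArgumentCaptor<BouncerContextDto>` and assert that its organisation id and invitation id equal `orgId` and `invitationId`, since that binding is the property the check exists to enforce. checkInvitationWithIdNotEnabled also sets `accessProperties.setEnabled(false)` with no visible reset; if the fixture is shared across tests, a later test could run with checks disabled, though the setup is outside this hunk so that may already be handled.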