Merge pull request #7 from agorapulse/fix/verify-all-method-arguments

Verify all method arguments

libs/micronaut-permissions/src/main/groovy/com/agorapulse/permissions/RequiresPermissionInterceptor.java

@@ -44,6 +44,7 @@ public Object intercept(MethodInvocationContext<Object, Object> context) {
                 .orElseThrow(() -> new PermissionException(null, context.getTargetMethod(), "Method without @RequiresPermission annotation!"));
 
         String permissionString = annotation.getRequiredValue(String.class);
+        boolean atLeastOneAllowed = false;
         for (Map.Entry<String, MutableArgumentValue<?>> e : context.getParameters().entrySet()) {
             Object value = e.getValue().getValue();
             Argument<Object> argument = (Argument<Object>) e.getValue();
@@ -52,13 +53,17 @@ public Object intercept(MethodInvocationContext<Object, Object> context) {
                 case DENY:
                     throw new PermissionException(permissionString, value, "The user does not have a permissions to perform operation");
                 case ALLOW:
-                    return context.proceed();
+                    atLeastOneAllowed = true;
                 case UNKNOWN:
                 default:
                     // continue to the next argument
             }
         }
 
+        if (atLeastOneAllowed) {
+            return context.proceed();
+        }
+
         throw new PermissionException(permissionString, context.getTargetMethod(), "Cannot determine if the user has the permissions to perform operation");
     }
 

libs/micronaut-permissions/src/test/groovy/com/agorapulse/permissions/EditPostAdvisor.java

@@ -20,12 +20,15 @@
 import io.micronaut.core.type.Argument;
 
 import javax.inject.Singleton;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
 
 @Singleton
 public class EditPostAdvisor implements PermissionAdvisor<Post> {
 
     private final UserProvider provider;
+    private final static List<String> PERMISSIONS = Arrays.asList("edit", "read");
 
     public EditPostAdvisor(UserProvider provider) {
         this.provider = provider;
@@ -42,7 +45,7 @@ public PermissionCheckResult checkPermissions(
         Post value,
         Argument<Post> argument
     ) {
-        if (provider == null || value == null || !"edit".equals(permissionDefinition)) {
+        if (provider == null || value == null || !PERMISSIONS.contains(permissionDefinition)) {
             return PermissionCheckResult.UNKNOWN;                                       // <2>
         }
 

libs/micronaut-permissions/src/test/groovy/com/agorapulse/permissions/PostController.java

@@ -52,6 +52,15 @@ public Post publish(Long id) {
         return postRepository.save(postService.publish(postRepository.get(id)));
     }
 
+    @Status(HttpStatus.CREATED)
+    @io.micronaut.http.annotation.Post("/merge")
+    public Post compare(@Nullable @Header("X-User-Id") Long userId, @Body PostMergeRequest postMergeRequest) {
+        Post mergedPost = postService.merge(userId,
+            postRepository.get(postMergeRequest.getId1()),
+            postRepository.get(postMergeRequest.getId2()));
+        return postRepository.save(mergedPost);
+    }
+
     // tag::error[]
     @Error(PermissionException.class)
     public HttpResponse<JsonError> permissionException(PermissionException ex) {

libs/micronaut-permissions/src/test/groovy/com/agorapulse/permissions/PostControllerSpec.groovy

@@ -62,6 +62,34 @@ class PostControllerSpec extends Specification {
             }
     }
 
+    void 'create post with same auth'() {
+        expect:
+            gru.test {
+                post '/post', {
+                    headers 'X-User-Id': '1'
+                    json message: 'Hello'
+                }
+                expect {
+                    status CREATED
+                    json 'newPost2.json'
+                }
+            }
+    }
+
+    void 'create post with another auth'() {
+        expect:
+            gru.test {
+                post '/post', {
+                    headers 'X-User-Id': '2'
+                    json message: 'Hello'
+                }
+                expect {
+                    status CREATED
+                    json 'newPostOtherAuth.json'
+                }
+            }
+    }
+
     void 'publish post without any auth'() {
         expect:
             gru.test {
@@ -85,6 +113,19 @@ class PostControllerSpec extends Specification {
             }
     }
 
+    void 'publish post with wrong auth'() {
+        expect:
+            gru.test {
+                put '/post/1', {
+                    headers 'X-User-Id': '3'
+                }
+                expect {
+                    status UNAUTHORIZED
+                    json 'failedPublish.json'
+                }
+            }
+    }
+
     void 'archive post without any auth'() {
         expect:
             gru.test {
@@ -108,4 +149,32 @@ class PostControllerSpec extends Specification {
             }
     }
 
+    void 'merge posts with one not allowed'() {
+        expect:
+            gru.test {
+                post '/post/merge', {
+                    headers 'X-User-Id': '1'
+                    json id1: '1', id2: '3'
+                }
+                expect {
+                    status UNAUTHORIZED
+                    json 'failedMerge.json'
+                }
+            }
+    }
+
+    void 'merge posts'() {
+        expect:
+            gru.test {
+                post '/post/merge', {
+                    headers 'X-User-Id': '1'
+                    json id1: '1', id2: '2'
+                }
+                expect {
+                    status CREATED
+                    json 'mergedPost.json'
+                }
+            }
+    }
+
 }

libs/micronaut-permissions/src/test/groovy/com/agorapulse/permissions/PostMergeRequest.java

@@ -0,0 +1,39 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Copyright 2023 Agorapulse.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.agorapulse.permissions;
+
+public class PostMergeRequest {
+    private Long id1;
+    private Long id2;
+
+    public Long getId1() {
+        return id1;
+    }
+
+    public void setId1(Long id1) {
+        this.id1 = id1;
+    }
+
+    public Long getId2() {
+        return id2;
+    }
+
+    public void setId2(Long id2) {
+        this.id2 = id2;
+    }
+}

libs/micronaut-permissions/src/test/groovy/com/agorapulse/permissions/PostService.java

@@ -39,4 +39,9 @@ public Post publish(Post post) {
         return post.publish();
     }
 
+    @RequiresPermission("read")
+    public Post merge(Long userId, Post post1, Post post2) {
+        return Post.createDraft(userId, post1.getMessage() + post2.getMessage());
+    }
+
 }

libs/micronaut-permissions/src/test/resources/com/agorapulse/permissions/PostControllerSpec/failedMerge.json

@@ -0,0 +1,3 @@
+{
+    "message": "The user does not have a permissions to perform operation"
+}

libs/micronaut-permissions/src/test/resources/com/agorapulse/permissions/PostControllerSpec/mergedPost.json

@@ -0,0 +1 @@
+{"id":4,"status":"DRAFT","authorId":1,"message":"HelloHello"}

libs/micronaut-permissions/src/test/resources/com/agorapulse/permissions/PostControllerSpec/newPost2.json

@@ -0,0 +1 @@
+{"id":2,"status":"DRAFT","authorId":1,"message":"Hello"}

libs/micronaut-permissions/src/test/resources/com/agorapulse/permissions/PostControllerSpec/newPostOtherAuth.json

@@ -0,0 +1 @@
+{"id":3,"status":"DRAFT","authorId":2,"message":"Hello"}