eclipse · Coduz · Jul 30, 2019 · Jul 25, 2019
diff --git a/...gine/jbatch/src/main/java/org/eclipse/kapua/job/engine/jbatch/JobEngineServiceJbatch.java b/...gine/jbatch/src/main/java/org/eclipse/kapua/job/engine/jbatch/JobEngineServiceJbatch.java
@@ -139,7 +139,7 @@ public boolean isRunning(KapuaId scopeId, KapuaId jobId) throws KapuaException {
 
         //
         // Check Access
-        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(JobDomains.JOB_DOMAIN, Actions.execute, scopeId));
+        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(JobDomains.JOB_DOMAIN, Actions.read, scopeId));
 
         //
         // Check existence

diff --git a/...src/test/java/org/eclipse/kapua/integration/service/account/RunAccountServiceI9nTest.java b/...src/test/java/org/eclipse/kapua/integration/service/account/RunAccountServiceI9nTest.java
@@ -18,7 +18,8 @@
 
 @RunWith(CucumberWithProperties.class)
 @CucumberOptions(
-        features = "classpath:features/account/AccountExpirationI9n.feature",
+        features = {"classpath:features/account/AccountExpirationI9n.feature",
+                    "classpath:features/account/FindSelfAccount.feature"},
         glue = {"org.eclipse.kapua.qa.common",
                 "org.eclipse.kapua.service.account.steps",
                 "org.eclipse.kapua.service.user.steps"

diff --git a/qa/integration/src/test/resources/features/account/FindSelfAccount.feature b/qa/integration/src/test/resources/features/account/FindSelfAccount.feature
@@ -0,0 +1,93 @@
+###############################################################################
+# Copyright (c) 2019 Eurotech and/or its affiliates and others
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+#     Eurotech - initial API and implementation
+###############################################################################
+@user
+@integration
+Feature: Self account find feature
+  Finding self accounts require a different logic to be applied to the permission
+
+  Scenario: Find self account by id
+    When I login as user with name "kapua-sys" and password "kapua-password"
+    And I configure account service
+      | type    | name                   | value |
+      | boolean | infiniteChildEntities  | true  |
+      | integer | maxNumberChildEntities | 50    |
+    Given Account
+      | name         | scopeId |
+      | test-account | 1       |
+    And I configure user service
+      | type    | name                   | value |
+      | boolean | infiniteChildEntities  | true  |
+      | integer | maxNumberChildEntities | 50    |
+    And A generic user
+      | name      | displayName | email             | phoneNumber     | status  | userType |
+      | test-user | Test User A | kapua_a@kapua.com | +386 31 323 444 | ENABLED | INTERNAL |
+    And Credentials
+      | name      | password          | enabled |
+      | test-user | ToManySecrets123# | true    |
+    And Add permissions to the last created user
+      | domain    | action |
+      | account   | read   |
+    Given I login as user with name "test-user" and password "ToManySecrets123#"
+    And I look for my account by id
+    Then I am able to read my account info
+
+  Scenario: Find self account by id and scope id
+    When I login as user with name "kapua-sys" and password "kapua-password"
+    And I configure account service
+      | type    | name                   | value |
+      | boolean | infiniteChildEntities  | true  |
+      | integer | maxNumberChildEntities | 50    |
+    Given Account
+      | name         | scopeId |
+      | test-account | 1       |
+    And I configure user service
+      | type    | name                   | value |
+      | boolean | infiniteChildEntities  | true  |
+      | integer | maxNumberChildEntities | 50    |
+    And A generic user
+      | name      | displayName | email             | phoneNumber     | status  | userType |
+      | test-user | Test User A | kapua_a@kapua.com | +386 31 323 444 | ENABLED | INTERNAL |
+    And Credentials
+      | name      | password          | enabled |
+      | test-user | ToManySecrets123# | true    |
+    And Add permissions to the last created user
+      | domain    | action |
+      | account   | read   |
+    Given I login as user with name "test-user" and password "ToManySecrets123#"
+    And I look for my account by id and scope id
+    Then I am able to read my account info
+
+  Scenario: Find self account by name
+    When I login as user with name "kapua-sys" and password "kapua-password"
+    And I configure account service
+      | type    | name                   | value |
+      | boolean | infiniteChildEntities  | true  |
+      | integer | maxNumberChildEntities | 50    |
+    Given Account
+      | name         | scopeId |
+      | test-account | 1       |
+    And I configure user service
+      | type    | name                   | value |
+      | boolean | infiniteChildEntities  | true  |
+      | integer | maxNumberChildEntities | 50    |
+    And A generic user
+      | name      | displayName | email             | phoneNumber     | status  | userType |
+      | test-user | Test User A | kapua_a@kapua.com | +386 31 323 444 | ENABLED | INTERNAL |
+    And Credentials
+      | name      | password          | enabled |
+      | test-user | ToManySecrets123# | true    |
+    And Add permissions to the last created user
+      | domain    | action |
+      | account   | read   |
+    Given I login as user with name "test-user" and password "ToManySecrets123#"
+    And I look for my account by name
+    Then I am able to read my account info
diff --git a/service/account/api/src/main/java/org/eclipse/kapua/service/account/AccountService.java b/service/account/api/src/main/java/org/eclipse/kapua/service/account/AccountService.java
@@ -58,5 +58,5 @@ public interface AccountService extends KapuaEntityService<Account, AccountCreat
      * @return List of direct child account of an account
      * @throws KapuaException
      */
-    AccountListResult findChildsRecursively(KapuaId accountId) throws KapuaException;
+    AccountListResult findChildrenRecursively(KapuaId accountId) throws KapuaException;
 }
diff --git a/...internal/src/main/java/org/eclipse/kapua/service/account/internal/AccountServiceImpl.java b/...internal/src/main/java/org/eclipse/kapua/service/account/internal/AccountServiceImpl.java
@@ -13,6 +13,7 @@
 package org.eclipse.kapua.service.account.internal;
 
 import org.apache.commons.lang3.StringUtils;
+
 import org.eclipse.kapua.KapuaDuplicateNameException;
 import org.eclipse.kapua.KapuaDuplicateNameInAnotherAccountError;
 import org.eclipse.kapua.KapuaEntityNotFoundException;
@@ -28,6 +29,7 @@
 import org.eclipse.kapua.commons.util.CommonsValidationRegex;
 import org.eclipse.kapua.locator.KapuaProvider;
 import org.eclipse.kapua.model.domain.Actions;
+import org.eclipse.kapua.model.domain.Domain;
 import org.eclipse.kapua.model.id.KapuaId;
 import org.eclipse.kapua.model.query.KapuaQuery;
 import org.eclipse.kapua.service.account.Account;
@@ -190,7 +192,7 @@ public Account update(Account account) throws KapuaException {
             }
             // check that expiration date is after all the children account
             // if expiration date is null it means the account never expires, so it will be obviously later its children
-            AccountListResult childrenAccounts = findChildsRecursively(account.getId());
+            AccountListResult childrenAccounts = findChildrenRecursively(account.getId());
             if (childrenAccounts.getItems().stream().anyMatch(childAccount -> {
                 // if child account expiration date is null it will be obviously after current account expiration date
                 return childAccount.getExpirationDate() == null || childAccount.getExpirationDate().after(account.getExpirationDate());
@@ -271,7 +273,7 @@ public Account find(KapuaId scopeId, KapuaId accountId) throws KapuaException {
 
         //
         // Check Access
-        authorizationService.checkPermission(permissionFactory.newPermission(AccountDomains.ACCOUNT_DOMAIN, Actions.read, scopeId));
+        checkAccountPermission(scopeId, accountId, AccountDomains.ACCOUNT_DOMAIN, Actions.read);
 
         //
         // Do find
@@ -284,13 +286,15 @@ public Account find(KapuaId accountId) throws KapuaException {
         // Argument validation
         ArgumentValidator.notNull(accountId, "accountId");
 
+        Account account = findById(accountId);
+
         //
         // Check Access
-        authorizationService.checkPermission(permissionFactory.newPermission(AccountDomains.ACCOUNT_DOMAIN, Actions.read, accountId));
+        if (account != null) {
+            checkAccountPermission(account.getScopeId(), account.getId(), AccountDomains.ACCOUNT_DOMAIN, Actions.read);
+        }
 
-        //
-        // Make sure account exists
-        return findById(accountId);
+        return account;
     }
 
     @Override
@@ -307,15 +311,15 @@ public Account findByName(String name) throws KapuaException {
             //
             // Check Access
             if (account != null) {
-                authorizationService.checkPermission(permissionFactory.newPermission(AccountDomains.ACCOUNT_DOMAIN, Actions.read, account.getId()));
+                checkAccountPermission(account.getScopeId(), account.getId(), AccountDomains.ACCOUNT_DOMAIN, Actions.read);
             }
 
             return account;
         });
     }
 
     @Override
-    public AccountListResult findChildsRecursively(KapuaId scopeId) throws KapuaException {
+    public AccountListResult findChildrenRecursively(KapuaId scopeId) throws KapuaException {
         //
         // Argument validation
         ArgumentValidator.notNull(scopeId, "scopeId");
@@ -329,7 +333,7 @@ public AccountListResult findChildsRecursively(KapuaId scopeId) throws KapuaExce
 
         //
         // Check Access
-        authorizationService.checkPermission(permissionFactory.newPermission(AccountDomains.ACCOUNT_DOMAIN, Actions.read, account.getId()));
+        checkAccountPermission(account.getScopeId(), account.getId(), AccountDomains.ACCOUNT_DOMAIN, Actions.read);
 
         return entityManagerSession.onResult(em -> {
             AccountListResult result = null;
@@ -407,4 +411,20 @@ private AccountListResult findChildAccountsTrusted(KapuaId accountId)
     protected Map<String, Object> getConfigValues(Account entity) throws KapuaException {
         return super.getConfigValues(entity.getId());
     }
+
+    /**
+     * Checks if the current session can retrieve the {@link Account}, by both having an explicit permission or because
+     * it's looking for its own {@link Account}
+     *
+     * @param accountId The {@link KapuaId} of the {@link Account} to look for
+     */
+    private void checkAccountPermission(KapuaId scopeId, KapuaId accountId, Domain domain, Actions action) throws KapuaException {
+        if (KapuaSecurityUtils.getSession().getScopeId().equals(accountId)) {
+            // I'm looking for myself, so let's check if I have the correct permission
+            authorizationService.checkPermission(permissionFactory.newPermission(domain, action, accountId));
+        } else {
+            // I'm looking for another account, so I need to check the permission on the account scope
+            authorizationService.checkPermission(permissionFactory.newPermission(domain, action, scopeId));
+        }
+    }
 }
diff --git a/...test-steps/src/main/java/org/eclipse/kapua/service/account/steps/AccountServiceSteps.java b/...test-steps/src/main/java/org/eclipse/kapua/service/account/steps/AccountServiceSteps.java
@@ -897,6 +897,32 @@ public void iCreateAAccountWithNameOrganizationNameAndEmailAdress(String account
         }
     }
 
+    @When("^I look for my account by id$")
+    public void findMyAccountById() throws Exception {
+        Account account = (Account) stepData.get("LastAccount");
+        Account selfAccount = accountService.find(account.getId());
+        stepData.put("LastAccount",selfAccount);
+    }
+
+    @When("^I look for my account by id and scope id$")
+    public void findMyAccountByIdAndScopeId() throws Exception {
+        Account account = (Account) stepData.get("LastAccount");
+        Account selfAccount = accountService.find(account.getId(), account.getScopeId());
+        stepData.put("LastAccount",selfAccount);
+    }
+
+    @When("^I look for my account by name$")
+    public void findMyAccountByName() throws Exception {
+        Account account = (Account) stepData.get("LastAccount");
+        Account selfAccount = accountService.findByName(account.getName());
+        stepData.put("LastAccount",selfAccount);
+    }
+
+    @Then("^I am able to read my account info")
+    public void verifySelfAccount() throws Exception {
+        assertNotNull(stepData.get("LastAccount"));
+    }
+
     // *****************
     // * Inner Classes *
     // *****************

diff --git a/...c/main/java/org/eclipse/kapua/service/job/execution/internal/JobExecutionServiceImpl.java b/...c/main/java/org/eclipse/kapua/service/job/execution/internal/JobExecutionServiceImpl.java
@@ -89,7 +89,7 @@ public JobExecution find(KapuaId scopeId, KapuaId jobExecutionId) throws KapuaEx
 
         //
         // Check Access
-        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(JobDomains.JOB_DOMAIN, Actions.write, scopeId));
+        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(JobDomains.JOB_DOMAIN, Actions.read, scopeId));
 
         //
         // Do find

diff --git a/.../src/main/java/org/eclipse/kapua/service/certificate/internal/CertificateServiceImpl.java b/.../src/main/java/org/eclipse/kapua/service/certificate/internal/CertificateServiceImpl.java
@@ -104,7 +104,7 @@ public CertificateListResult query(KapuaQuery<Certificate> query) throws KapuaEx
 
         //
         // Check Access
-        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(CertificateDomains.CERTIFICATE_DOMAIN, Actions.write, query.getScopeId()));
+        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(CertificateDomains.CERTIFICATE_DOMAIN, Actions.read, query.getScopeId()));
 
         //
         // Create the default certificate

diff --git a/...ain/java/org/eclipse/kapua/service/authentication/token/shiro/AccessTokenServiceImpl.java b/...ain/java/org/eclipse/kapua/service/authentication/token/shiro/AccessTokenServiceImpl.java
@@ -220,7 +220,7 @@ public void invalidate(KapuaId scopeId, KapuaId accessTokenId) throws KapuaExcep
 
         //
         // Check Access
-        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(AuthenticationDomains.ACCESS_TOKEN_DOMAIN, Actions.read, scopeId));
+        AUTHORIZATION_SERVICE.checkPermission(PERMISSION_FACTORY.newPermission(AuthenticationDomains.ACCESS_TOKEN_DOMAIN, Actions.write, scopeId));
 
         //
         // Do find

diff --git a/...main/java/org/eclipse/kapua/service/authorization/access/shiro/AccessInfoServiceImpl.java b/...main/java/org/eclipse/kapua/service/authorization/access/shiro/AccessInfoServiceImpl.java
@@ -210,7 +210,7 @@ public void delete(KapuaId scopeId, KapuaId accessInfoId) throws KapuaException
         KapuaLocator locator = KapuaLocator.getInstance();
         AuthorizationService authorizationService = locator.getService(AuthorizationService.class);
         PermissionFactory permissionFactory = locator.getFactory(PermissionFactory.class);
-        authorizationService.checkPermission(permissionFactory.newPermission(AuthorizationDomains.ACCESS_INFO_DOMAIN, Actions.write, scopeId));
+        authorizationService.checkPermission(permissionFactory.newPermission(AuthorizationDomains.ACCESS_INFO_DOMAIN, Actions.delete, scopeId));
 
         entityManagerSession.onTransactedAction(em -> {
             if (AccessInfoDAO.find(em, scopeId, accessInfoId) == null) {