Add Validation for username and email on logged in user (#16781)

(cherry picked from commit b55890f)
open-metadata · Jun 24, 2024 · c1b6d25 · c1b6d25
1 parent 9c5c19a
commit c1b6d25
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/UserRepository.java b/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/UserRepository.java
@@ -34,6 +34,7 @@
 import java.util.Set;
 import java.util.UUID;
 import java.util.stream.Collectors;
+import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriInfo;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.csv.CSVPrinter;
@@ -326,13 +327,22 @@ private List<EntityReference> getTeamChildren(UUID teamId) {
     return findTo(teamId, TEAM, Relationship.PARENT_OF, TEAM);
   }
 
-  public List<EntityReference> getGroupTeams(UriInfo uriInfo, String email) {
+  public List<EntityReference> getGroupTeams(
+      UriInfo uriInfo, SecurityContext context, String email) {
     // Cleanup
     User user = getByEmail(uriInfo, email, Fields.EMPTY_FIELDS);
+    validateLoggedInUserNameAndEmailMatches(context.getUserPrincipal().getName(), email, user);
     List<EntityReference> teams = getTeams(user);
     return getGroupTeams(teams);
   }
 
+  public void validateLoggedInUserNameAndEmailMatches(
+      String username, String email, User storedUser) {
+    if (!(username.equals(storedUser.getName()) && email.equals(storedUser.getEmail()))) {
+      throw EntityNotFoundException.byMessage(CatalogExceptionMessage.entityNotFound(USER, email));
+    }
+  }
+
   private List<EntityReference> getGroupTeams(List<EntityReference> teams) {
     Set<EntityReference> result = new HashSet<>();
     for (EntityReference t : teams) {

diff --git a/...metadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java b/...metadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java
@@ -441,6 +441,9 @@ public User getCurrentLoggedInUser(
     String currentEmail = ((CatalogPrincipal) catalogSecurityContext.getUserPrincipal()).getEmail();
     User user = repository.getByEmail(uriInfo, currentEmail, fields);
 
+    repository.validateLoggedInUserNameAndEmailMatches(
+        securityContext.getUserPrincipal().getName(), currentEmail, user);
+
     // Sync the Roles from token to User
     if (Boolean.TRUE.equals(authorizerConfiguration.getUseRolesFromProvider())
         && Boolean.FALSE.equals(user.getIsBot() != null && user.getIsBot())) {
@@ -476,7 +479,7 @@ public List<EntityReference> getCurrentLoggedInUser(
     CatalogSecurityContext catalogSecurityContext =
         (CatalogSecurityContext) containerRequestContext.getSecurityContext();
     String currentEmail = ((CatalogPrincipal) catalogSecurityContext.getUserPrincipal()).getEmail();
-    return repository.getGroupTeams(uriInfo, currentEmail);
+    return repository.getGroupTeams(uriInfo, catalogSecurityContext, currentEmail);
   }
 
   @POST