TSK-1195: Secure deleteTasks in TaskServiceImpl

2020-05-12 15:32:44 +02:00 · 2020-05-12 15:32:44 +02:00 · 1f13c2c33a
parent 7ebc468adc
commit 1f13c2c33a
5 changed files with 37 additions and 8 deletions
--- a/lib/taskana-core/src/main/java/pro/taskana/task/api/TaskService.java
+++ b/lib/taskana-core/src/main/java/pro/taskana/task/api/TaskService.java
@ -331,9 +331,10 @@ public interface TaskService {
   * @param tasks the ids of the tasks to delete.
   * @return the result of the operations with Id and Exception for each failed task deletion.
   * @throws InvalidArgumentException if the TaskIds parameter is NULL
+   * @throws NotAuthorizedException if the current user is not member of role ADMIN
   */
  BulkOperationResults<String, TaskanaException> deleteTasks(List<String> tasks)
-      throws InvalidArgumentException;
+      throws InvalidArgumentException, NotAuthorizedException;

  /**
   * Completes a list of tasks.
--- a/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskServiceImpl.java
+++ b/lib/taskana-core/src/main/java/pro/taskana/task/internal/TaskServiceImpl.java
@ -479,10 +479,13 @@ public class TaskServiceImpl implements TaskService {

  @Override
  public BulkOperationResults<String, TaskanaException> deleteTasks(List<String> taskIds)
-      throws InvalidArgumentException {
+      throws InvalidArgumentException, NotAuthorizedException {
    if (LOGGER.isDebugEnabled()) {
      LOGGER.debug("entry to deleteTasks(tasks = {})", LoggerUtils.listToString(taskIds));
    }
+
+    taskanaEngine.getEngine().checkRoleMembership(TaskanaRole.ADMIN);
+
    try {
      taskanaEngine.openConnection();
      if (taskIds == null) {
--- a/lib/taskana-core/src/main/java/pro/taskana/task/internal/jobs/TaskCleanupJob.java
+++ b/lib/taskana-core/src/main/java/pro/taskana/task/internal/jobs/TaskCleanupJob.java
@ -17,6 +17,7 @@ import pro.taskana.common.api.ScheduledJob;
 import pro.taskana.common.api.TaskanaEngine;
 import pro.taskana.common.api.TimeInterval;
 import pro.taskana.common.api.exceptions.InvalidArgumentException;
+import pro.taskana.common.api.exceptions.NotAuthorizedException;
 import pro.taskana.common.api.exceptions.TaskanaException;
 import pro.taskana.common.internal.jobs.AbstractTaskanaJob;
 import pro.taskana.common.internal.transaction.TaskanaTransactionProvider;
@ -174,7 +175,8 @@ public class TaskCleanupJob extends AbstractTaskanaJob {
    return deletedTaskCount;
  }

-  private int deleteTasks(List<TaskSummary> tasksToBeDeleted) throws InvalidArgumentException {
+  private int deleteTasks(List<TaskSummary> tasksToBeDeleted)
+      throws InvalidArgumentException, NotAuthorizedException {
    if (LOGGER.isDebugEnabled()) {
      LOGGER.debug("entry to deleteTasks(tasksToBeDeleted = {})", tasksToBeDeleted);
    }
--- a/lib/taskana-core/src/test/java/acceptance/task/DeleteTaskAccTest.java
+++ b/lib/taskana-core/src/test/java/acceptance/task/DeleteTaskAccTest.java
@ -5,6 +5,7 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;

 import acceptance.AbstractAccTest;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import org.assertj.core.api.ThrowableAssert.ThrowingCallable;
 import org.junit.jupiter.api.Test;
@ -42,6 +43,28 @@ class DeleteTaskAccTest extends AbstractAccTest {
    assertThatThrownBy(call).isInstanceOf(NotAuthorizedException.class);
  }

+  @WithAccessId(user = "businessadmin")
+  @WithAccessId(user = "taskadmin")
+  @WithAccessId(user = "user_1_1")
+  @TestTemplate
+  void should_ThrowException_When_UserIsNotInAdminRoleButTriesToBulkDeleteTasks() {
+
+    TaskService taskService = taskanaEngine.getTaskService();
+
+    List<String> taskIds =
+        Arrays.asList(
+            "TKI:000000000000000000000000000000000008",
+            "TKI:000000000000000000000000000000000009",
+            "TKI:000000000000000000000000000000000008",
+            "TKI:000000000000000000000000000000000010");
+
+    ThrowingCallable call =
+        () -> {
+          taskService.deleteTasks(taskIds);
+        };
+    assertThatThrownBy(call).isInstanceOf(NotAuthorizedException.class);
+  }
+
  @WithAccessId(
      user = "user_1_2",
      groups = {"group_1", "admin"})
@ -118,9 +141,9 @@ class DeleteTaskAccTest extends AbstractAccTest {
    assertThatThrownBy(call).isInstanceOf(TaskNotFoundException.class);
  }

-  @WithAccessId(user = "user_1_2", groups = "group_1")
+  @WithAccessId(user = "admin")
  @Test
-  void testBulkDeleteTask() throws InvalidArgumentException {
+  void testBulkDeleteTask() throws InvalidArgumentException, NotAuthorizedException {

    TaskService taskService = taskanaEngine.getTaskService();
    ArrayList<String> taskIdList = new ArrayList<>();
@ -137,7 +160,7 @@ class DeleteTaskAccTest extends AbstractAccTest {
    assertThatThrownBy(call).isInstanceOf(TaskNotFoundException.class);
  }

-  @WithAccessId(user = "user_1_2", groups = "group_1")
+  @WithAccessId(user = "admin")
  @Test
  void testBulkDeleteTasksWithException()
      throws TaskNotFoundException, InvalidArgumentException, NotAuthorizedException {
--- a/lib/taskana-core/src/test/java/acceptance/task/WorkOnTaskAccTest.java
+++ b/lib/taskana-core/src/test/java/acceptance/task/WorkOnTaskAccTest.java
@ -245,9 +245,9 @@ class WorkOnTaskAccTest extends AbstractAccTest {
    assertThat(completedTask2.getCompleted()).isNotNull();
  }

-  @WithAccessId(user = "user_1_2", groups = "group_1")
+  @WithAccessId(user = "admin")
  @Test
-  void testBulkDeleteTasksWithException() throws InvalidArgumentException {
+  void testBulkDeleteTasksWithException() throws InvalidArgumentException, NotAuthorizedException {

    TaskService taskService = taskanaEngine.getTaskService();
    List<String> taskIdList = new ArrayList<>();