Check authentication when ordering

Currently breaks tests
NationalLibraryOfNorway · Aug 27, 2024 · e8698fd · e8698fd
1 parent 3e41b62
commit e8698fd
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 9 deletions.
diff --git a/src/main/kotlin/no/nb/mlt/wls/order/controller/OrderController.kt b/src/main/kotlin/no/nb/mlt/wls/order/controller/OrderController.kt
@@ -10,13 +10,17 @@ import no.nb.mlt.wls.core.data.HostName
 import no.nb.mlt.wls.order.model.Order
 import no.nb.mlt.wls.order.payloads.ApiOrderPayload
 import no.nb.mlt.wls.order.service.OrderService
+import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
+import org.springframework.security.core.annotation.AuthenticationPrincipal
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestBody
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
+import org.springframework.web.server.ResponseStatusException
 
 @RestController
 @RequestMapping(path = ["", "/v1"])
@@ -74,8 +78,9 @@ class OrderController(val orderService: OrderService) {
     )
     @PostMapping("/order/batch/create")
     suspend fun createOrder(
+        @AuthenticationPrincipal jwt: JwtAuthenticationToken,
         @RequestBody payload: ApiOrderPayload
-    ): ResponseEntity<ApiOrderPayload> = orderService.createOrder(payload)
+    ): ResponseEntity<ApiOrderPayload> = orderService.createOrder(jwt.name, payload)
 
     @Operation(
         summary = "Gets an order from the storage system",
@@ -110,7 +115,18 @@ class OrderController(val orderService: OrderService) {
     )
     @GetMapping("/order/{hostName}/{hostOrderId}")
     suspend fun getOrder(
+        @AuthenticationPrincipal jwt: JwtAuthenticationToken,
         @PathVariable("hostName") hostName: HostName,
         @PathVariable("hostOrderId") hostOrderId: String
-    ): ResponseEntity<Order> = orderService.getOrder(hostName, hostOrderId)
+    ): ResponseEntity<Order> = orderService.getOrder(jwt, hostName, hostOrderId)
+
+    companion object {
+        fun throwIfHostInvalid(
+            clientName: String,
+            hostName: HostName
+        ) {
+            if (clientName.uppercase() == hostName.toString().uppercase()) return
+            throw ResponseStatusException(HttpStatus.FORBIDDEN, "You can only view orders for ${hostName.toString().uppercase()}")
+        }
+    }
 }
diff --git a/src/main/kotlin/no/nb/mlt/wls/order/service/OrderService.kt b/src/main/kotlin/no/nb/mlt/wls/order/service/OrderService.kt
@@ -4,15 +4,16 @@ import io.github.oshai.kotlinlogging.KotlinLogging
 import kotlinx.coroutines.reactive.awaitSingle
 import kotlinx.coroutines.reactor.awaitSingleOrNull
 import no.nb.mlt.wls.core.data.HostName
+import no.nb.mlt.wls.order.controller.OrderController
 import no.nb.mlt.wls.order.model.Order
 import no.nb.mlt.wls.order.payloads.ApiOrderPayload
 import no.nb.mlt.wls.order.payloads.toApiOrderPayload
 import no.nb.mlt.wls.order.payloads.toOrder
 import no.nb.mlt.wls.order.payloads.toSynqPayload
 import no.nb.mlt.wls.order.repository.OrderRepository
-import org.springframework.dao.IncorrectResultSizeDataAccessException
 import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
 import org.springframework.stereotype.Service
 import org.springframework.web.server.ResponseStatusException
 import org.springframework.web.server.ServerErrorException
@@ -24,7 +25,14 @@ private val logger = KotlinLogging.logger {}
 
 @Service
 class OrderService(val db: OrderRepository, val synqService: SynqOrderService) {
-    suspend fun createOrder(payload: ApiOrderPayload): ResponseEntity<ApiOrderPayload> {
+    /**
+     * Creates an order within the WLS database, and sends it to the appropriate storage systems
+     */
+    suspend fun createOrder(
+        hostName: String,
+        payload: ApiOrderPayload
+    ): ResponseEntity<ApiOrderPayload> {
+        OrderController.throwIfHostInvalid(hostName, payload.hostName)
         throwIfInvalidPayload(payload)
 
         val existingOrder =
@@ -73,6 +81,7 @@ class OrderService(val db: OrderRepository, val synqService: SynqOrderService) {
      * Gets an order from the WLS database
      */
     suspend fun getOrder(
+        jwt: JwtAuthenticationToken,
         hostName: HostName,
         hostOrderId: String
     ): ResponseEntity<Order> {

diff --git a/src/test/kotlin/no/nb/mlt/wls/order/controller/OrderControllerTest.kt b/src/test/kotlin/no/nb/mlt/wls/order/controller/OrderControllerTest.kt
@@ -39,6 +39,7 @@ import org.springframework.test.web.reactive.server.WebTestClient
 import org.springframework.test.web.reactive.server.expectBody
 import java.net.URI
 
+// FIXME - Correctly handle JWT in tests
 @EnableTestcontainers
 @TestInstance(PER_CLASS)
 @AutoConfigureWebTestClient

diff --git a/src/test/kotlin/no/nb/mlt/wls/order/service/OrderServiceTest.kt b/src/test/kotlin/no/nb/mlt/wls/order/service/OrderServiceTest.kt
@@ -29,6 +29,7 @@ import org.springframework.web.server.ServerErrorException
 import org.springframework.web.server.ServerWebInputException
 import reactor.core.publisher.Mono
 
+// FIXME - Handle client used in test more gracefully
 @TestInstance(PER_CLASS)
 @ExtendWith(MockKExtension::class)
 class OrderServiceTest {
@@ -64,7 +65,7 @@ class OrderServiceTest {
     fun `save when order exists throws`() {
         runTest {
             every { db.findByHostNameAndHostOrderId(top.hostName, top.hostOrderId) } returns Mono.just(top.toOrder())
-            assertThat(cut.createOrder(top).statusCode.is4xxClientError)
+            assertThat(cut.createOrder("axiell", top).statusCode.is4xxClientError)
         }
     }
 
@@ -85,7 +86,7 @@ class OrderServiceTest {
 
         assertThatExceptionOfType(ServerErrorException::class.java).isThrownBy {
             runBlocking {
-                cut.createOrder(top)
+                cut.createOrder("axiell", top)
             }
         }
     }
@@ -97,7 +98,7 @@ class OrderServiceTest {
 
             assertThatExceptionOfType(ServerErrorException::class.java).isThrownBy {
                 runBlocking {
-                    cut.createOrder(top)
+                    cut.createOrder("axiell", top)
                 }
             }
         }
@@ -110,7 +111,7 @@ class OrderServiceTest {
             coEvery { synq.createOrder(any()) } returns ResponseEntity(HttpStatus.CREATED)
             every { db.save(any()) } returns Mono.just(top.toOrder())
 
-            assertThat(cut.createOrder(top).statusCode.is2xxSuccessful)
+            assertThat(cut.createOrder("axiell", top).statusCode.is2xxSuccessful)
         }
     }
 
@@ -145,6 +146,6 @@ class OrderServiceTest {
         message: String,
         exception: Class<T>
     ) = assertThatExceptionOfType(exception).isThrownBy {
-        runBlocking { cut.createOrder(payload) }
+        runBlocking { cut.createOrder("axiell", payload) }
     }.withMessageContaining(message)
 }