use algebraic data type for response and add additional check

Signed-off-by: Josh Hootman <[email protected]>

Author: HootDunk

UnityAuth/src/main/java/io/unityfoundation/auth/AuthController.java

@@ -6,7 +6,6 @@
 import io.micronaut.http.HttpStatus;
 import io.micronaut.http.annotation.Body;
 import io.micronaut.http.annotation.Controller;
-import io.micronaut.http.annotation.Get;
 import io.micronaut.http.annotation.Post;
 import io.micronaut.http.exceptions.HttpStatusException;
 import io.micronaut.security.annotation.Secured;
@@ -41,19 +40,22 @@ public AuthController(UserRepo userRepo, ServiceRepo serviceRepo, TenantRepo ten
     this.tenantRepo = tenantRepo;
   }
 
-  @Get("/permissions")
-  public HttpResponse<UserPermissionsResponse> permissions(@Body UserPermissionsRequest requestDTO,
+  @Post("/principal/permissions")
+  public UserPermissionsResponse permissions(@Body UserPermissionsRequest requestDTO,
       Authentication authentication) {
-    Tenant tenant = tenantRepo.findById(requestDTO.tenantId())
-        .orElseThrow(() -> new HttpStatusException(HttpStatus.NOT_FOUND, "No tenant found."));
+    Optional<Tenant> maybeTenant = tenantRepo.findById(requestDTO.tenantId());
+    if (maybeTenant.isEmpty()){
+      return new UserPermissionsResponse.Failure("No tenant found.");
+    }
+    Tenant tenant = maybeTenant.get();
 
     if (!tenant.getStatus().equals(TenantStatus.ENABLED)){
-      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The tenant is not enabled.");
+      return new UserPermissionsResponse.Failure("The tenant is not enabled.");
     }
 
     User user = userRepo.findByEmail(authentication.getName()).orElse(null);
     if (checkUserStatus(user)) {
-      throw new HttpStatusException(HttpStatus.FORBIDDEN, "The user's account has been disabled.");
+      return new UserPermissionsResponse.Failure("The users account has been disabled.");
     }
 
     Service service = serviceRepo.findById(requestDTO.serviceId())
@@ -62,11 +64,17 @@ public HttpResponse<UserPermissionsResponse> permissions(@Body UserPermissionsRe
     if (service.getStatus() == ServiceStatus.DISABLED) {
       throw new HttpStatusException(HttpStatus.FORBIDDEN, "The service is disabled.");
     } else if (service.getStatus() == ServiceStatus.DOWN_FOR_MAINTENANCE) {
+
       throw new HttpStatusException(HttpStatus.SERVICE_UNAVAILABLE,
           "The service is down for maintenance.");
     }
 
-    return HttpResponse.ok(new UserPermissionsResponse(getPermissionsFor(user, tenant)));
+    if (!userRepo.isServiceAvailable(user.getId(), service.getId())) {
+      return new UserPermissionsResponse.Failure(
+          "The Tenant and/or Service is not available for this user");
+    }
+
+    return new UserPermissionsResponse.Success(getPermissionsFor(user, tenant));
   }
 
   @Post("/hasPermission")
@@ -169,13 +177,18 @@ public record TenantPermission(
 
   }
 
+
+  public sealed interface UserPermissionsResponse {
+    @Serdeable
+    record Success(List<String> permissions) implements UserPermissionsResponse {}
+    @Serdeable
+    record Failure(String errorMessage) implements  UserPermissionsResponse {}
+  }
+
   @Serdeable
   public record UserPermissionsRequest(@NotNull Long tenantId,
                                        @NotNull Long serviceId) {
 
   }
 
-  @Serdeable
-  public record UserPermissionsResponse(List<String> permissions){}
-
 }

UnityAuth/src/test/java/io/unityfoundation/UnityIamTest.java

@@ -14,6 +14,8 @@
 import io.micronaut.security.token.render.BearerAccessRefreshToken;
 import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
 import io.unityfoundation.auth.AuthController.HasPermissionResponse;
+import io.unityfoundation.auth.AuthController.UserPermissionsRequest;
+import io.unityfoundation.auth.AuthController.UserPermissionsResponse;
 import io.unityfoundation.auth.HasPermissionRequest;
 import jakarta.inject.Inject;
 import java.util.List;
@@ -120,6 +122,31 @@ void testHasNoSubtenantPermission() {
     assertNull(response.getBody().get().permissions());
   }
 
+
+  @Test
+  void testGetUserPermissionsDisabled() {
+    String accessToken = login("[email protected]");
+    HttpRequest<?> hasPermissionRequest = HttpRequest.POST("/api/principal/permissions",
+            new UserPermissionsRequest(1L, 1L))
+        .bearerAuth(accessToken);
+    HttpResponse<UserPermissionsResponse.Failure> response = client.toBlocking()
+        .exchange(hasPermissionRequest, UserPermissionsResponse.Failure.class);
+    UserPermissionsResponse.Failure failure = response.getBody().orElseThrow();
+    assertEquals("The user's account has been disabled.", failure.errorMessage());
+  }
+
+  @Test
+  void testGetUserPermissionsHappyPath() {
+    String accessToken = login("[email protected]");
+    HttpRequest<?> hasPermissionRequest = HttpRequest.POST("/api/principal/permissions",
+            new UserPermissionsRequest(1L, 1L))
+        .bearerAuth(accessToken);
+    HttpResponse<UserPermissionsResponse.Success> response = client.toBlocking()
+        .exchange(hasPermissionRequest, UserPermissionsResponse.Success.class);
+
+      assertEquals(response.getBody().get().permissions(), List.of("AUTH_SERVICE_EDIT-SYSTEM"));
+  }
+
   private String login(String username) {
     UsernamePasswordCredentials creds = new UsernamePasswordCredentials(username, "test");
     HttpRequest<?> request = HttpRequest.POST("/api/login", creds);