New endpoint to allow admins to get all access requests

backend/src/connectors/authorisation/base.ts

@@ -282,7 +282,8 @@ export class BasicAuthorisationConnector {
         if (
           !isNamed &&
           (await missingRequiredRole(user, model, ['owner'])) &&
-          ([AccessRequestAction.Delete, AccessRequestAction.Update] as AccessRequestActionKeys[]).includes(action)
+          ([AccessRequestAction.Delete, AccessRequestAction.Update] as AccessRequestActionKeys[]).includes(action) &&
+          (await this.model(user, model, ModelAction.View))
         ) {
           return { success: false, info: 'You cannot change an access request you do not own.', id: request.id }
         }

backend/src/routes.ts

@@ -17,6 +17,7 @@ import { putFileScan } from './routes/v2/filescanning/putFileScan.js'
 import { deleteAccessRequest } from './routes/v2/model/accessRequest/deleteAccessRequest.js'
 import { getAccessRequest } from './routes/v2/model/accessRequest/getAccessRequest.js'
 import { getAccessRequestCurrentUserPermissions } from './routes/v2/model/accessRequest/getAccessRequestCurrentUserPermissions.js'
+import { getAccessRequests } from './routes/v2/model/accessRequest/getAccessRequests.js'
 import { getModelAccessRequests } from './routes/v2/model/accessRequest/getModelAccessRequests.js'
 import { patchAccessRequest } from './routes/v2/model/accessRequest/patchAccessRequest.js'
 import { postAccessRequest } from './routes/v2/model/accessRequest/postAccessRequest.js'
@@ -138,6 +139,7 @@ server.post('/api/v2/model/:modelId/release/:semver/review', ...postReleaseRevie
 
 server.post('/api/v2/model/:modelId/access-requests', ...postAccessRequest)
 server.get('/api/v2/model/:modelId/access-requests', getModelAccessRequests)
+server.get('/api/v2/access-requests/search', getAccessRequests)
 server.get('/api/v2/model/:modelId/access-request/:accessRequestId', ...getAccessRequest)
 server.delete('/api/v2/model/:modelId/access-request/:accessRequestId', ...deleteAccessRequest)
 server.patch('/api/v2/model/:modelId/access-request/:accessRequestId', ...patchAccessRequest)

backend/src/routes/v2/model/accessRequest/getAccessRequests.ts

@@ -0,0 +1,57 @@
+import { Request, Response } from 'express'
+import { z } from 'zod'
+
+import { AuditInfo } from '../../../../connectors/audit/Base.js'
+import audit from '../../../../connectors/audit/index.js'
+import { AccessRequestInterface } from '../../../../models/AccessRequest.js'
+import { findAccessRequest } from '../../../../services/accessRequest.js'
+import { accessRequestInterfaceSchema, registerPath } from '../../../../services/specification.js'
+import { coerceArray, parse, strictCoerceBoolean } from '../../../../utils/validate.js'
+
+export const GetAccessRequestsSchema = z.object({
+  query: z.object({
+    modelId: coerceArray(z.array(z.string()).optional().default([])),
+    schemaId: z.string().optional().default(''),
+    mine: strictCoerceBoolean(z.boolean().optional().default(false)),
+    adminAccess: strictCoerceBoolean(z.boolean().optional().default(false)),
+  }),
+})
+
+registerPath({
+  method: 'get',
+  path: '/api/v2/access-requests/search',
+  tags: ['access-request'],
+  description: 'Get all access requests for all models.',
+  schema: GetAccessRequestsSchema,
+  responses: {
+    200: {
+      description: 'An array of access request instances.',
+      content: {
+        'application/json': {
+          schema: z.object({
+            accessRequests: z.array(accessRequestInterfaceSchema),
+          }),
+        },
+      },
+    },
+  },
+})
+
+interface GetAccessRequestsResponse {
+  accessRequests: Array<AccessRequestInterface>
+}
+
+export const getAccessRequests = [
+  async (req: Request, res: Response<GetAccessRequestsResponse>): Promise<void> => {
+    req.audit = AuditInfo.ViewAccessRequests
+    const {
+      query: { modelId, schemaId, mine, adminAccess },
+    } = parse(req, GetAccessRequestsSchema)
+
+    const accessRequests = await findAccessRequest(req.user, modelId, schemaId, mine, adminAccess)
+
+    await audit.onViewAccessRequests(req, accessRequests)
+
+    res.json({ accessRequests })
+  },
+]

backend/src/services/accessRequest.ts

@@ -1,10 +1,12 @@
+// eslint-disable-next-line simple-import-sort/imports
 import { Validator } from 'jsonschema'
 import { Types } from 'mongoose'
 
 import authentication from '../connectors/authentication/index.js'
+import { Roles } from '../connectors/authentication/Base.js'
 import { AccessRequestAction } from '../connectors/authorisation/actions.js'
 import authorisation from '../connectors/authorisation/index.js'
-import { AccessRequestInterface } from '../models/AccessRequest.js'
+import AccessRequestModel, { AccessRequestDoc, AccessRequestInterface } from '../models/AccessRequest.js'
 import AccessRequest from '../models/AccessRequest.js'
 import ResponseModel, { ResponseKind } from '../models/Response.js'
 import ReviewModel from '../models/Review.js'
@@ -23,6 +25,7 @@ import { removeResponsesByParentIds } from './response.js'
 import { createAccessRequestReviews, removeAccessRequestReviews } from './review.js'
 import { getSchemaById } from './schema.js'
 import { sendWebhooks } from './webhook.js'
+import ModelModel from '../models/Model.js'
 
 export type CreateAccessRequestParams = Pick<AccessRequestInterface, 'metadata' | 'schemaId'>
 export async function createAccessRequest(
@@ -131,6 +134,64 @@ export async function getAccessRequestById(user: UserInterface, accessRequestId:
   return accessRequest
 }
 
+export async function findAccessRequest(
+  user: UserInterface,
+  modelId: Array<string>,
+  schemaId: string,
+  filters: Array<string>,
+  adminAccess?: boolean,
+): Promise<Array<AccessRequestDoc>> {
+  if (adminAccess) {
+    if (!(await authentication.hasRole(user, Roles.Admin))) {
+      throw Forbidden('You do not have the required role.', {
+        userDn: user.dn,
+        requiredRole: Roles.Admin,
+      })
+    }
+  }
+
+  const query: any = {}
+
+  if (modelId.length) {
+    query.modelId = { $all: modelId }
+  }
+
+  if (schemaId) {
+    query.schemaId = { $all: schemaId }
+  }
+
+  if (filters.length > 0) {
+    if (filters.includes('mine')) {
+      query.metadata.overview = {
+        $elemMatch: {
+          entity: { $in: await authentication.getEntities(user) },
+        },
+      }
+    }
+  }
+
+  const cursor = AccessRequestModel.find(query)
+
+  const results = await cursor
+  //Auth already checked, so just need to check if they require admin access
+  if (adminAccess) {
+    return results
+  }
+
+  // authorisation
+  const modelIds = results.map((result) => result.modelId)
+  let auths: any[] = []
+  for (const modelId of modelIds) {
+    const modelDoc = await ModelModel.findOne({ id: modelId })
+    if (!modelDoc) {
+      throw BadReq('Model cannot be found', { modelId })
+    }
+    const model = modelDoc.toObject()
+    auths = auths.concat(await authorisation.accessRequests(user, model, results, AccessRequestAction.View))
+  }
+  return results.filter((_, i) => auths[i].success)
+}
+
 export type UpdateAccessRequestParams = Pick<AccessRequestInterface, 'metadata'>
 export async function updateAccessRequest(
   user: UserInterface,

backend/test/routes/model/accessRequest/__snapshots__/getAccessRequests.spec.ts.snap

@@ -0,0 +1,25 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`routes > accessRequest > getAccessRequests > 200 > ok 1`] = `
+{
+  "accessRequests": {
+    "_id": "664e1aa8bda1f88c28e1c0ce",
+    "deleted": false,
+    "deletedAt": "",
+    "deletedBy": "",
+    "id": "test-access-request-13623",
+    "modelId": "test-model-4342",
+  },
+}
+`;
+
+exports[`routes > accessRequest > getAccessRequests > audit > expected call 1`] = `
+{
+  "_id": "664e1aa8bda1f88c28e1c0ce",
+  "deleted": false,
+  "deletedAt": "",
+  "deletedBy": "",
+  "id": "test-access-request-13623",
+  "modelId": "test-model-4342",
+}
+`;

backend/test/routes/model/accessRequest/getAccessRequests.spec.ts

@@ -0,0 +1,51 @@
+import qs from 'qs'
+import { describe, expect, test, vi } from 'vitest'
+
+import audit from '../../../../src/connectors/audit/__mocks__/index.js'
+import AccessRequestModel from '../../../../src/models/AccessRequest.js'
+import { GetAccessRequestsSchema } from '../../../../src/routes/v2/model/accessRequest/getAccessRequests.js'
+import { createFixture, testGet } from '../../../testUtils/routes.js'
+import { testAccessRequest } from '../../../testUtils/testModels.js'
+
+vi.mock('../../../../src/connectors/audit/index.js')
+
+const accessRequestsMock = vi.hoisted(() => {
+  return {
+    findAccessRequest: vi.fn(() => undefined as any),
+  }
+})
+vi.mock('../../../../src/services/accessRequest.js', () => accessRequestsMock)
+
+const responseMock = vi.hoisted(() => {
+  return {
+    findResponses: vi.fn(() => undefined as any),
+  }
+})
+vi.mock('../../../../src/services/response.js', () => responseMock)
+
+describe('routes > accessRequest > getAccessRequests', () => {
+  test('200 > ok', async () => {
+    const accessRequestDoc = new AccessRequestModel({ ...testAccessRequest })
+    accessRequestsMock.findAccessRequest.mockResolvedValueOnce(accessRequestDoc)
+    responseMock.findResponses.mockResolvedValue([testAccessRequest])
+
+    const fixture = createFixture(GetAccessRequestsSchema)
+    const res = await testGet(`/api/v2/access-requests/search?${qs.stringify(fixture.query)}`)
+
+    expect(res.statusCode).toBe(200)
+    expect(res.body).matchSnapshot()
+  })
+
+  test('audit > expected call', async () => {
+    const accessRequestDoc = new AccessRequestModel({ ...testAccessRequest })
+    accessRequestsMock.findAccessRequest.mockResolvedValueOnce(accessRequestDoc)
+    responseMock.findResponses.mockResolvedValue([testAccessRequest])
+
+    const fixture = createFixture(GetAccessRequestsSchema)
+    const res = await testGet(`/api/v2/access-requests/search?${qs.stringify(fixture.query)}`)
+
+    expect(res.statusCode).toBe(200)
+    expect(audit.onViewAccessRequests).toBeCalled()
+    expect(audit.onViewAccessRequests.mock.calls.at(0)?.at(1)).toMatchSnapshot()
+  })
+})

backend/test/services/__snapshots__/accessRequest.spec.ts.snap

@@ -1,5 +1,17 @@
 // Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
 
+exports[`services > accessRequest > findAccessRequest > admin access with auth 1`] = `[]`;
+
+exports[`services > accessRequest > findAccessRequest > all filters 1`] = `[]`;
+
+exports[`services > accessRequest > findAccessRequest > no filters 1`] = `
+[
+  {
+    "_id": "a",
+  },
+]
+`;
+
 exports[`services > accessRequest > getAccessRequestsByModel > good 1`] = `
 [
   {

backend/test/services/accessRequest.spec.ts

@@ -4,6 +4,7 @@ import authorisation from '../../src/connectors/authorisation/index.js'
 import { UserInterface } from '../../src/models/User.js'
 import {
   createAccessRequest,
+  findAccessRequest,
   getAccessRequestsByModel,
   getCurrentUserPermissionsByAccessRequest,
   getModelAccessRequestsForUser,
@@ -18,11 +19,39 @@ const modelMocks = vi.hoisted(() => ({
 }))
 vi.mock('../../src/services/model.js', () => modelMocks)
 
+const modelModelMocks = vi.hoisted(() => {
+  const obj: any = { settings: { mirror: { sourceModelId: '' } } }
+
+  obj.aggregate = vi.fn(() => obj)
+  obj.match = vi.fn(() => obj)
+  obj.sort = vi.fn(() => obj)
+  obj.lookup = vi.fn(() => obj)
+  obj.append = vi.fn(() => obj)
+  obj.find = vi.fn(() => obj)
+  obj.findOne = vi.fn(() => obj)
+  obj.findOneAndUpdate = vi.fn(() => obj)
+  obj.updateOne = vi.fn(() => obj)
+  obj.save = vi.fn(() => obj)
+  obj.findByIdAndUpdate = vi.fn(() => obj)
+
+  const model: any = vi.fn(() => obj)
+  Object.assign(model, obj)
+
+  return model
+})
+vi.mock('../../src/models/Model.js', () => ({ default: modelModelMocks }))
+
 const schemaMocks = vi.hoisted(() => ({
   getSchemaById: vi.fn(),
 }))
 vi.mock('../../src/services/schema.js', () => schemaMocks)
 
+const mockAuthentication = vi.hoisted(() => ({
+  hasRole: vi.fn(),
+  getEntities: vi.fn(() => ['user:testUser']),
+}))
+vi.mock('../../src/connectors/authentication/index.js', async () => ({ default: mockAuthentication }))
+
 const accessRequestModelMocks = vi.hoisted(() => {
   const obj: any = {}
 
@@ -135,6 +164,41 @@ describe('services > accessRequest', () => {
     expect(accessRequests).toMatchSnapshot()
   })
 
+  test('findAccessRequest > no filters', async () => {
+    mockAuthentication.hasRole.mockReturnValueOnce(false)
+    accessRequestModelMocks.find.mockResolvedValue([{ _id: 'a' }])
+    modelModelMocks.findOne.mockResolvedValueOnce({
+      _id: 'a',
+      toObject: vi.fn(() => ({ _id: 'a' })),
+    })
+
+    const accessRequests = await findAccessRequest({} as any, [], '', [], false)
+    expect(accessRequests).toMatchSnapshot()
+  })
+
+  test('findAccessRequest > all filters', async () => {
+    mockAuthentication.hasRole.mockReturnValueOnce(false)
+    accessRequestModelMocks.find.mockResolvedValue([])
+
+    const accessRequests = await findAccessRequest({} as any, ['modelId'], 'schemaId', ['filter'], false)
+    expect(accessRequests).toMatchSnapshot()
+  })
+
+  test('findAccessRequest > admin access without auth', async () => {
+    mockAuthentication.hasRole.mockReturnValueOnce(false)
+    await expect(() => findAccessRequest({} as any, [], '', [], true)).rejects.toThrowError(
+      /^You do not have the required role./,
+    )
+  })
+
+  test('findAccessRequest > admin access with auth', async () => {
+    mockAuthentication.hasRole.mockReturnValueOnce(true)
+    accessRequestModelMocks.find.mockResolvedValue([])
+
+    const accessRequests = await findAccessRequest({} as any, ['modelId'], 'schemaId', ['filter'], true)
+    expect(accessRequests).toMatchSnapshot()
+  })
+
   test('removeAccessRequest > success', async () => {
     reviewModelMocks.find.mockResolvedValue([])
     responseModelMocks.find.mockResolvedValue([])