implement apply access control to /validate endpoints

Author: aktaskaan

src/contractTest/java/uk/gov/hmcts/ccd/v2/external/controller/ContractTestCreateCaseOperation.java

@@ -17,14 +17,14 @@
 import uk.gov.hmcts.ccd.domain.service.caselinking.CaseLinkService;
 import uk.gov.hmcts.ccd.domain.service.common.CaseDataService;
 import uk.gov.hmcts.ccd.domain.service.common.CasePostStateService;
-import uk.gov.hmcts.ccd.domain.service.common.CaseTypeService;
 import uk.gov.hmcts.ccd.domain.service.common.EventTriggerService;
 import uk.gov.hmcts.ccd.domain.service.createcase.DefaultCreateCaseOperation;
 import uk.gov.hmcts.ccd.domain.service.createcase.SubmitCaseTransaction;
 import uk.gov.hmcts.ccd.domain.service.processor.GlobalSearchProcessorService;
 import uk.gov.hmcts.ccd.domain.service.stdapi.CallbackInvoker;
 import uk.gov.hmcts.ccd.domain.service.supplementarydata.SupplementaryDataUpdateOperation;
 import uk.gov.hmcts.ccd.domain.service.validate.CaseDataIssueLogger;
+import uk.gov.hmcts.ccd.domain.service.validate.DefaultValidateCaseFieldsOperation;
 import uk.gov.hmcts.ccd.domain.service.validate.ValidateCaseFieldsOperation;
 import uk.gov.hmcts.ccd.domain.types.sanitiser.CaseSanitiser;
 
@@ -46,8 +46,9 @@ public ContractTestCreateCaseOperation(@Qualifier(DefaultUserRepository.QUALIFIE
                                            EventTokenService eventTokenService,
                                            CaseDataService caseDataService,
                                            SubmitCaseTransaction submitCaseTransaction,
-                                           CaseSanitiser caseSanitiser, CaseTypeService caseTypeService,
+                                           CaseSanitiser caseSanitiser,
                                            CallbackInvoker callbackInvoker,
+                                           @Qualifier(DefaultValidateCaseFieldsOperation.QUALIFIER)
                                            ValidateCaseFieldsOperation validateCaseFieldsOperation,
                                            CasePostStateService casePostStateService,
                                            @Qualifier(DefaultDraftGateway.QUALIFIER) DraftGateway draftGateway,
@@ -59,7 +60,7 @@ public ContractTestCreateCaseOperation(@Qualifier(DefaultUserRepository.QUALIFIE
                                            SupplementaryDataUpdateRequestValidator supplementaryDataValidator,
                                            CaseLinkService caseLinkService) {
         super(userRepository, caseDefinitionRepository, eventTriggerService, eventTokenService, caseDataService,
-            submitCaseTransaction, caseSanitiser, caseTypeService, callbackInvoker, validateCaseFieldsOperation,
+            submitCaseTransaction, caseSanitiser, callbackInvoker, validateCaseFieldsOperation,
             casePostStateService, draftGateway, caseDataIssueLogger, globalSearchProcessorService,
             supplementaryDataUpdateOperation, supplementaryDataValidator, caseLinkService);
         this.contractTestSecurityUtils = contractTestSecurityUtils;

src/main/java/uk/gov/hmcts/ccd/config/JacksonUtils.java

@@ -27,6 +27,8 @@
 
 public final class JacksonUtils {
 
+    public static final String DATA = "data";
+
     private JacksonUtils() {
     }
 
@@ -198,4 +200,12 @@ private static String getValue(@NonNull JsonNode jsonNode) {
         }
         return returnValue;
     }
+
+    public static Map<String, JsonNode> convertValueInDataField(Object from) {
+        Map<String, JsonNode> map = MAPPER.convertValue(from, new TypeReference<HashMap<String, JsonNode>>() {});
+
+        Map<String, JsonNode> dataNode = new HashMap<>();
+        dataNode.put(DATA, MAPPER.valueToTree(map));
+        return dataNode;
+    }
 }

src/main/java/uk/gov/hmcts/ccd/domain/service/createcase/DefaultCreateCaseOperation.java

@@ -29,12 +29,13 @@
 import uk.gov.hmcts.ccd.domain.service.caselinking.CaseLinkService;
 import uk.gov.hmcts.ccd.domain.service.common.CaseDataService;
 import uk.gov.hmcts.ccd.domain.service.common.CasePostStateService;
-import uk.gov.hmcts.ccd.domain.service.common.CaseTypeService;
 import uk.gov.hmcts.ccd.domain.service.common.EventTriggerService;
 import uk.gov.hmcts.ccd.domain.service.processor.GlobalSearchProcessorService;
 import uk.gov.hmcts.ccd.domain.service.stdapi.CallbackInvoker;
 import uk.gov.hmcts.ccd.domain.service.supplementarydata.SupplementaryDataUpdateOperation;
 import uk.gov.hmcts.ccd.domain.service.validate.CaseDataIssueLogger;
+import uk.gov.hmcts.ccd.domain.service.validate.DefaultValidateCaseFieldsOperation;
+import uk.gov.hmcts.ccd.domain.service.validate.OperationContext;
 import uk.gov.hmcts.ccd.domain.service.validate.ValidateCaseFieldsOperation;
 import uk.gov.hmcts.ccd.domain.types.sanitiser.CaseSanitiser;
 import uk.gov.hmcts.ccd.endpoint.exceptions.CallbackException;
@@ -57,7 +58,6 @@ public class DefaultCreateCaseOperation implements CreateCaseOperation {
     private final CaseDataService caseDataService;
     private final SubmitCaseTransaction submitCaseTransaction;
     private final CaseSanitiser caseSanitiser;
-    private final CaseTypeService caseTypeService;
     private final CallbackInvoker callbackInvoker;
     private final ValidateCaseFieldsOperation validateCaseFieldsOperation;
     private final DraftGateway draftGateway;
@@ -77,8 +77,8 @@ public DefaultCreateCaseOperation(@Qualifier(CachedUserRepository.QUALIFIER) fin
                                       final CaseDataService caseDataService,
                                       final SubmitCaseTransaction submitCaseTransaction,
                                       final CaseSanitiser caseSanitiser,
-                                      final CaseTypeService caseTypeService,
                                       final CallbackInvoker callbackInvoker,
+                                      @Qualifier(DefaultValidateCaseFieldsOperation.QUALIFIER)
                                       final ValidateCaseFieldsOperation validateCaseFieldsOperation,
                                       final CasePostStateService casePostStateService,
                                       @Qualifier(CachedDraftGateway.QUALIFIER) final DraftGateway draftGateway,
@@ -94,7 +94,6 @@ public DefaultCreateCaseOperation(@Qualifier(CachedUserRepository.QUALIFIER) fin
         this.eventTokenService = eventTokenService;
         this.submitCaseTransaction = submitCaseTransaction;
         this.caseSanitiser = caseSanitiser;
-        this.caseTypeService = caseTypeService;
         this.caseDataService = caseDataService;
         this.callbackInvoker = callbackInvoker;
         this.validateCaseFieldsOperation = validateCaseFieldsOperation;
@@ -140,7 +139,7 @@ public CaseDetails createCaseDetails(final String caseTypeId,
             caseTypeDefinition.getJurisdictionDefinition(),
             caseTypeDefinition);
 
-        validateCaseFieldsOperation.validateCaseDetails(caseTypeId, caseDataContent);
+        validateCaseFieldsOperation.validateCaseDetails(new OperationContext(caseTypeId, caseDataContent));
 
         final CaseDetails newCaseDetails = new CaseDetails();
 

src/main/java/uk/gov/hmcts/ccd/domain/service/createevent/CreateCaseEventService.java

@@ -43,6 +43,7 @@
 import uk.gov.hmcts.ccd.domain.service.stdapi.AboutToSubmitCallbackResponse;
 import uk.gov.hmcts.ccd.domain.service.stdapi.CallbackInvoker;
 import uk.gov.hmcts.ccd.domain.service.validate.CaseDataIssueLogger;
+import uk.gov.hmcts.ccd.domain.service.validate.DefaultValidateCaseFieldsOperation;
 import uk.gov.hmcts.ccd.domain.service.validate.ValidateCaseFieldsOperation;
 import uk.gov.hmcts.ccd.domain.types.sanitiser.CaseSanitiser;
 import uk.gov.hmcts.ccd.endpoint.exceptions.BadRequestException;
@@ -113,6 +114,7 @@ public CreateCaseEventService(@Qualifier(CachedUserRepository.QUALIFIER) final U
                                   final CallbackInvoker callbackInvoker,
                                   final UIDService uidService,
                                   final SecurityClassificationServiceImpl securityClassificationService,
+                                  @Qualifier(DefaultValidateCaseFieldsOperation.QUALIFIER)
                                   final ValidateCaseFieldsOperation validateCaseFieldsOperation,
                                   final UserAuthorisation userAuthorisation,
                                   final FieldProcessorService fieldProcessorService,

src/main/java/uk/gov/hmcts/ccd/domain/service/validate/AuthorisedValidateCaseFieldsOperation.java

@@ -0,0 +1,127 @@
+package uk.gov.hmcts.ccd.domain.service.validate;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.google.common.collect.Sets;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Service;
+import uk.gov.hmcts.ccd.config.JacksonUtils;
+import uk.gov.hmcts.ccd.data.casedetails.CachedCaseDetailsRepository;
+import uk.gov.hmcts.ccd.data.casedetails.CaseDetailsRepository;
+import uk.gov.hmcts.ccd.data.definition.CachedCaseDefinitionRepository;
+import uk.gov.hmcts.ccd.data.definition.CaseDefinitionRepository;
+import uk.gov.hmcts.ccd.domain.model.casedataaccesscontrol.AccessProfile;
+import uk.gov.hmcts.ccd.domain.model.definition.CaseDetails;
+import uk.gov.hmcts.ccd.domain.model.definition.CaseTypeDefinition;
+import uk.gov.hmcts.ccd.domain.model.draft.Draft;
+import uk.gov.hmcts.ccd.domain.model.std.CaseDataContent;
+import uk.gov.hmcts.ccd.domain.service.common.AccessControlService;
+import uk.gov.hmcts.ccd.domain.service.common.CaseAccessService;
+import uk.gov.hmcts.ccd.domain.service.createevent.MidEventCallback;
+import uk.gov.hmcts.ccd.endpoint.exceptions.ValidationException;
+
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import static com.google.common.collect.Maps.newHashMap;
+import static uk.gov.hmcts.ccd.domain.service.common.AccessControlService.CAN_READ;
+
+@Service
+@Slf4j
+@Qualifier(AuthorisedValidateCaseFieldsOperation.QUALIFIER)
+public class AuthorisedValidateCaseFieldsOperation implements ValidateCaseFieldsOperation {
+    public static final String QUALIFIER = "authorised";
+
+    private final AccessControlService accessControlService;
+    private final CaseDefinitionRepository caseDefinitionRepository;
+    private final CaseAccessService caseAccessService;
+    private final CaseDetailsRepository caseDetailsRepository;
+    private final ValidateCaseFieldsOperation validateCaseFieldsOperation;
+    private final MidEventCallback midEventCallback;
+
+    public AuthorisedValidateCaseFieldsOperation(AccessControlService accessControlService,
+                                                 @Qualifier(CachedCaseDefinitionRepository.QUALIFIER)
+                                                 CaseDefinitionRepository caseDefinitionRepository,
+                                                 CaseAccessService caseAccessService,
+                                                 @Qualifier(CachedCaseDetailsRepository.QUALIFIER)
+                                                 CaseDetailsRepository caseDetailsRepository,
+                                                 @Qualifier(DefaultValidateCaseFieldsOperation.QUALIFIER)
+                                                 ValidateCaseFieldsOperation validateCaseFieldsOperation,
+                                                 MidEventCallback midEventCallback) {
+        this.accessControlService = accessControlService;
+        this.caseDefinitionRepository = caseDefinitionRepository;
+        this.caseAccessService = caseAccessService;
+        this.caseDetailsRepository = caseDetailsRepository;
+        this.validateCaseFieldsOperation = validateCaseFieldsOperation;
+        this.midEventCallback = midEventCallback;
+    }
+
+    @Override
+    public Map<String, JsonNode> validateCaseDetails(OperationContext operationContext) {
+        validateCaseFieldsOperation.validateCaseDetails(operationContext);
+
+        CaseDataContent content = operationContext.content();
+        String caseTypeId = operationContext.caseTypeId();
+        String pageId = operationContext.pageId();
+
+        final JsonNode data = midEventCallback.invoke(caseTypeId,
+            content,
+            pageId);
+
+        content.setData(JacksonUtils.convertValue(data));
+
+        verifyReadAccess(caseTypeId, content);
+
+        return content.getData();
+    }
+
+    @Override
+    public void validateData(Map<String, JsonNode> data, CaseTypeDefinition caseTypeDefinition,
+                             CaseDataContent content) {
+        validateCaseFieldsOperation.validateData(data, caseTypeDefinition, content);
+    }
+
+    private void verifyReadAccess(final String caseTypeId, CaseDataContent content) {
+        Optional<CaseDetails> caseDetailsOptional = caseDetailsRepository.findByReference(
+            content.getCaseReference());
+        CaseDetails caseDetails = caseDetailsOptional.orElseThrow();
+
+        final CaseTypeDefinition caseTypeDefinition = getCaseType(caseTypeId);
+
+        Set<AccessProfile> caseAccessProfiles = getCaseRoles(caseDetails, caseTypeDefinition);
+
+        if (!accessControlService.canAccessCaseTypeWithCriteria(
+            caseTypeDefinition,
+            caseAccessProfiles,
+            CAN_READ)) {
+            content.setData(newHashMap());
+            return;
+        }
+
+        content.setData(JacksonUtils.convertValueInDataField(
+            accessControlService.filterCaseFieldsByAccess(
+                JacksonUtils.convertValueJsonNode(content.getData().get(JacksonUtils.DATA)),
+                caseTypeDefinition.getCaseFieldDefinitions(),
+                caseAccessProfiles,
+                CAN_READ,
+                false)));
+    }
+
+    private CaseTypeDefinition getCaseType(String caseTypeId) {
+        final CaseTypeDefinition caseTypeDefinition = caseDefinitionRepository.getCaseType(caseTypeId);
+        if (caseTypeDefinition == null) {
+            throw new ValidationException("Cannot find case type definition for  " + caseTypeId);
+        }
+        return caseTypeDefinition;
+    }
+
+    private Set<AccessProfile> getCaseRoles(CaseDetails caseDetails, CaseTypeDefinition caseTypeDefinition) {
+        if (caseDetails == null || caseDetails.getId() == null || Draft.isDraft(caseDetails.getId())) {
+            return Sets.union(caseAccessService.getCreationAccessProfiles(caseTypeDefinition.getId()),
+                caseAccessService.getCaseCreationCaseRoles());
+        } else {
+            return caseAccessService.getAccessProfilesByCaseReference(caseDetails.getReferenceAsString());
+        }
+    }
+}

src/main/java/uk/gov/hmcts/ccd/domain/service/validate/DefaultValidateCaseFieldsOperation.java

@@ -16,7 +16,9 @@
 import java.util.Map;
 
 @Service
+@Qualifier(DefaultValidateCaseFieldsOperation.QUALIFIER)
 public class DefaultValidateCaseFieldsOperation implements ValidateCaseFieldsOperation {
+    public static final String QUALIFIER = "default";
 
     private final CaseDefinitionRepository caseDefinitionRepository;
     private final CaseTypeService caseTypeService;
@@ -35,10 +37,12 @@ public class DefaultValidateCaseFieldsOperation implements ValidateCaseFieldsOpe
     }
 
     @Override
-    public final Map<String, JsonNode> validateCaseDetails(String caseTypeId, CaseDataContent content) {
+    public final Map<String, JsonNode> validateCaseDetails(OperationContext operationContext) {
+        CaseDataContent content = operationContext.content();
         if (content == null || content.getEvent() == null || content.getEventId() == null) {
             throw new ValidationException("Cannot validate case field because of event is not specified");
         }
+        String caseTypeId = operationContext.caseTypeId();
         final CaseTypeDefinition caseTypeDefinition = caseDefinitionRepository.getCaseType(caseTypeId);
         if (caseTypeDefinition == null) {
             throw new ValidationException("Cannot find case type definition for " + caseTypeId);

src/main/java/uk/gov/hmcts/ccd/domain/service/validate/OperationContext.java

@@ -0,0 +1,9 @@
+package uk.gov.hmcts.ccd.domain.service.validate;
+
+import uk.gov.hmcts.ccd.domain.model.std.CaseDataContent;
+
+public record OperationContext(String caseTypeId, CaseDataContent content, String pageId) {
+    public OperationContext(String caseTypeId, CaseDataContent content) {
+        this(caseTypeId, content, null);
+    }
+}

src/main/java/uk/gov/hmcts/ccd/domain/service/validate/ValidateCaseFieldsOperation.java

@@ -7,8 +7,8 @@
 import uk.gov.hmcts.ccd.domain.model.std.CaseDataContent;
 
 public interface ValidateCaseFieldsOperation {
-    Map<String, JsonNode> validateCaseDetails(String caseTypeId,
-                                              final CaseDataContent content);
+
+    Map<String, JsonNode> validateCaseDetails(OperationContext validationContext);
 
     void validateData(final Map<String, JsonNode> data,
                       final CaseTypeDefinition caseTypeDefinition,