P4ADEV-2238 fix download file permission

antonioT90 · antonioT90 · commit 3b231af2d1a0 · 2025-03-07T11:13:52.000+01:00
diff --git a/src/main/java/it/gov/pagopa/pu/fileshare/service/export/ExportFileFacadeServiceImpl.java b/src/main/java/it/gov/pagopa/pu/fileshare/service/export/ExportFileFacadeServiceImpl.java
@@ -15,6 +15,7 @@
 
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.core.io.InputStreamResource;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.stereotype.Service;
 
 @Service
@@ -47,6 +48,10 @@ public FileResourceDTO downloadExportFile(Long organizationId,
         "Export file with id %s was not found".formatted(exportFileId));
     }
 
+    if(!organizationId.equals(exportFile.getOrganizationId())){
+      throw new AuthorizationDeniedException("Access Denied");
+    }
+
     if (!AuthorizationService.isAdminRole(organizationId, user) &&
       !user.getMappedExternalUserId()
         .equals(exportFile.getOperatorExternalId())) {
diff --git a/src/main/java/it/gov/pagopa/pu/fileshare/service/ingestion/IngestionFlowFileFacadeServiceImpl.java b/src/main/java/it/gov/pagopa/pu/fileshare/service/ingestion/IngestionFlowFileFacadeServiceImpl.java
@@ -7,7 +7,9 @@
 import it.gov.pagopa.pu.fileshare.dto.generated.IngestionFlowFileType;
 import it.gov.pagopa.pu.fileshare.exception.custom.FileAlreadyExistsException;
 import it.gov.pagopa.pu.fileshare.exception.custom.FileNotFoundException;
+import it.gov.pagopa.pu.fileshare.exception.custom.UnauthorizedFileDownloadException;
 import it.gov.pagopa.pu.fileshare.mapper.IngestionFlowFileDTOMapper;
+import it.gov.pagopa.pu.fileshare.service.AuthorizationService;
 import it.gov.pagopa.pu.fileshare.service.FileService;
 import it.gov.pagopa.pu.fileshare.service.FileStorerService;
 import it.gov.pagopa.pu.fileshare.service.UserAuthorizationService;
@@ -17,6 +19,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.InputStreamResource;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.stereotype.Service;
 import org.springframework.web.multipart.MultipartFile;
 
@@ -88,6 +91,16 @@ public FileResourceDTO downloadIngestionFlowFile(Long organizationId, Long inges
       throw new FileNotFoundException("Ingestion flow file with id %s was not found".formatted(ingestionFlowFileId));
     }
 
+    if(!organizationId.equals(ingestionFlowFile.getOrganizationId())){
+      throw new AuthorizationDeniedException("Access Denied");
+    }
+
+    if (!AuthorizationService.isAdminRole(organizationId, user) &&
+      !user.getMappedExternalUserId().equals(ingestionFlowFile.getOperatorExternalId())) {
+      throw new UnauthorizedFileDownloadException(
+        "User is not authorized to download ingestion flow file with ID " + ingestionFlowFileId);
+    }
+
     Path filePath = getFilePath(ingestionFlowFile);
 
     InputStream decryptedInputStream = fileStorerService.decryptFile(filePath, ingestionFlowFile.getFileName());
diff --git a/src/test/java/it/gov/pagopa/pu/fileshare/service/export/ExportFileFacadeServiceImplTest.java b/src/test/java/it/gov/pagopa/pu/fileshare/service/export/ExportFileFacadeServiceImplTest.java
@@ -22,6 +22,7 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 
 @ExtendWith(MockitoExtension.class)
 class ExportFileFacadeServiceImplTest {
@@ -94,6 +95,38 @@ void givenAuthorizedUserWhenDownloadExportFileThenReturnFileResource() {
     Mockito.verify(fileStorerServiceMock).decryptFile(fullFilePath, fileName);
   }
 
+  @Test
+  void givenUnauthorizedOrganizationWhenDownloadExportFileThenThrowException() {
+    String accessToken = "TOKEN";
+    Long organizationId = 1L;
+    Long exportFileId = 10L;
+    String filePathName = "examplePath";
+    String fileName = "testFile.zip";
+
+    UserOrganizationRoles userTestRole = new UserOrganizationRoles();
+    userTestRole.setRoles(List.of("TEST"));
+    userTestRole.setOrganizationId(organizationId);
+    UserInfo user = new UserInfo();
+    user.setOrganizations(List.of(userTestRole));
+    user.setMappedExternalUserId("UNAUTHORIZED_OPERATOR");
+
+    ExportFile exportFile = new ExportFile();
+    exportFile.setOrganizationId(-1L);
+    exportFile.setFileName(fileName);
+    exportFile.setFilePathName(filePathName);
+    exportFile.setStatus(ExportFile.StatusEnum.COMPLETED);
+    exportFile.setOperatorExternalId("TEST");
+
+    Mockito.when(exportFileServiceMock.getExportFile(exportFileId, accessToken)).thenReturn(exportFile);
+
+    Executable exec = () -> exportFileService.downloadExportFile(organizationId, exportFileId, user, accessToken);
+
+    Assertions.assertThrows(AuthorizationDeniedException.class, exec);
+
+    Mockito.verify(userAuthorizationServiceMock).checkUserAuthorization(organizationId, user, accessToken);
+    Mockito.verify(exportFileServiceMock).getExportFile(exportFileId, accessToken);
+  }
+
   @Test
   void givenUnauthorizedUserWhenDownloadExportFileThenThrowException() {
     String accessToken = "TOKEN";
diff --git a/src/test/java/it/gov/pagopa/pu/fileshare/service/ingestion/IngestionFlowFileFacadeServiceImplTest.java b/src/test/java/it/gov/pagopa/pu/fileshare/service/ingestion/IngestionFlowFileFacadeServiceImplTest.java
@@ -6,6 +6,7 @@
 import it.gov.pagopa.pu.fileshare.dto.generated.FileOrigin;
 import it.gov.pagopa.pu.fileshare.dto.generated.IngestionFlowFileType;
 import it.gov.pagopa.pu.fileshare.exception.custom.FileAlreadyExistsException;
+import it.gov.pagopa.pu.fileshare.exception.custom.UnauthorizedFileDownloadException;
 import it.gov.pagopa.pu.fileshare.mapper.IngestionFlowFileDTOMapper;
 import it.gov.pagopa.pu.fileshare.service.FileService;
 import it.gov.pagopa.pu.fileshare.service.FileStorerService;
@@ -25,6 +26,7 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockMultipartFile;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
@@ -203,7 +205,7 @@ void givenAuthorizedUserWhenDownloadIngestionFlowFileThenReturnFileResource() {
     String fileName = "testFile.zip";
     Path fullFilePath = organizationBasePath.resolve(filePathName).resolve(ARCHIVED_SUB_FOLDER);
 
-    UserInfo user = TestUtils.getSampleUser();
+    UserInfo user = TestUtils.getSampleAdminUser();
 
     IngestionFlowFile ingestionFlowFile = new IngestionFlowFile();
     ingestionFlowFile.setOrganizationId(organizationId);
@@ -230,6 +232,45 @@ void givenAuthorizedUserWhenDownloadIngestionFlowFileThenReturnFileResource() {
     Mockito.verify(fileStorerServiceMock).decryptFile(fullFilePath, fileName);
   }
 
+  @Test
+  void givenUnauthorizedOrganizationWhenDownloadIngestionFlowFileThenThrowAuthorizationDeniedException() {
+    String accessToken = "TOKEN";
+    Long organizationId = 1L;
+    Long ingestionFlowFileId = 10L;
+
+    UserInfo user = TestUtils.getSampleAdminUser();
+
+    IngestionFlowFile ingestionFlowFile = new IngestionFlowFile();
+    ingestionFlowFile.setOrganizationId(-1L);
+    ingestionFlowFile.setStatus(IngestionFlowFile.StatusEnum.COMPLETED);
+
+    Mockito.when(ingestionFlowFileServiceMock.getIngestionFlowFile(ingestionFlowFileId, accessToken)).thenReturn(ingestionFlowFile);
+
+    Assertions.assertThrows(AuthorizationDeniedException.class, () -> ingestionFlowFileService.downloadIngestionFlowFile(organizationId, ingestionFlowFileId, user, accessToken));
+
+    Mockito.verify(userAuthorizationServiceMock).checkUserAuthorization(organizationId, user, accessToken);
+  }
+
+  @Test
+  void givenUnauthorizedUserWhenDownloadIngestionFlowFileThenThrowAuthorizationDeniedException() {
+    String accessToken = "TOKEN";
+    Long organizationId = 1L;
+    Long ingestionFlowFileId = 10L;
+
+    UserInfo user = TestUtils.getSampleUser();
+
+    IngestionFlowFile ingestionFlowFile = new IngestionFlowFile();
+    ingestionFlowFile.setOrganizationId(1L);
+    ingestionFlowFile.setOperatorExternalId("OTHERUSER");
+    ingestionFlowFile.setStatus(IngestionFlowFile.StatusEnum.COMPLETED);
+
+    Mockito.when(ingestionFlowFileServiceMock.getIngestionFlowFile(ingestionFlowFileId, accessToken)).thenReturn(ingestionFlowFile);
+
+    Assertions.assertThrows(UnauthorizedFileDownloadException.class, () -> ingestionFlowFileService.downloadIngestionFlowFile(organizationId, ingestionFlowFileId, user, accessToken));
+
+    Mockito.verify(userAuthorizationServiceMock).checkUserAuthorization(organizationId, user, accessToken);
+  }
+
   @Test
   void givenIngestionFlowFileInProgressWhenDownloadIngestionFlowFileThenReturnFilePath() {
     String accessToken = "TOKEN";
@@ -240,7 +281,7 @@ void givenIngestionFlowFileInProgressWhenDownloadIngestionFlowFileThenReturnFile
     String fileName = "testFile.zip";
     Path fullFilePath = organizationBasePath.resolve(filePathName);
 
-    UserInfo user = TestUtils.getSampleUser();
+    UserInfo user = TestUtils.getSampleAdminUser();
 
     IngestionFlowFile ingestionFlowFile = new IngestionFlowFile();
     ingestionFlowFile.setOrganizationId(organizationId);
diff --git a/src/test/java/it/gov/pagopa/pu/fileshare/util/TestUtils.java b/src/test/java/it/gov/pagopa/pu/fileshare/util/TestUtils.java
@@ -1,18 +1,16 @@
 package it.gov.pagopa.pu.fileshare.util;
 
+import it.gov.pagopa.pu.fileshare.service.AuthorizationService;
 import it.gov.pagopa.pu.p4paauth.dto.generated.UserInfo;
 import it.gov.pagopa.pu.p4paauth.dto.generated.UserOrganizationRoles;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
 import org.junit.jupiter.api.Assertions;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 
+import java.util.*;
+
 public class TestUtils {
 
   private TestUtils(){}
@@ -45,22 +43,28 @@ public static void addSampleUserIntoSecurityContext(){
     SecurityContextHolder.getContext().setAuthentication(authToken);
   }
 
+  public static UserInfo getSampleAdminUser(){
+    return getSampleUser(true, AuthorizationService.ROLE_ADMIN);
+  }
+
   public static UserInfo getSampleUser(){
-    return getSampleUser(true);
+    return getSampleUser(true, "ROLE_OPER");
   }
 
-  public static UserInfo getSampleUser(Boolean organizationAccess){
+  public static UserInfo getSampleUser(Boolean organizationAccess, String role){
     List<UserOrganizationRoles> organizations = List.of(
       new UserOrganizationRoles()
         .operatorId("operator1")
+        .organizationId(1L)
         .organizationIpaCode("ORG")
         .email("email1@example.com")
-        .roles(List.of("ROLE")),
+        .roles(List.of(role)),
       new UserOrganizationRoles()
         .operatorId("operator2")
+        .organizationId(2L)
         .organizationIpaCode("ORG2")
         .email("email2@example.com")
-        .roles(List.of("ROLE2"))
+        .roles(List.of(role))
     );
     return new UserInfo().mappedExternalUserId("MAPPEDEXTERNALUSERID")
       .fiscalCode("FISCALCODE")
