AliceO2Group · pepijndik · Nov 26, 2024 · Nov 26, 2024 · Nov 26, 2024 · Dec 2, 2024
@@ -20,7 +20,7 @@ const config = require('./config/configProvider.js');
 // middleware
 const {minimumRoleMiddleware} = require('./middleware/minimumRole.middleware.js');
 const {lockOwnershipMiddleware} = require('./middleware/lockOwnership.middleware.js');
-
+const { detectorOwnershipMiddleware } = require('./middleware/detectorOwnership.middleware.js');
 // controllers
 const {ConsulController} = require('./controllers/Consul.controller.js');
 const {EnvironmentController} = require('./controllers/Environment.controller.js');
@@ -191,6 +191,7 @@ module.exports.setup = (http, ws) => {
   http.get('/locks', lockController.getLocksStateHandler.bind(lockController));
   http.put('/locks/:action/:detectorId',
     minimumRoleMiddleware(Role.DETECTOR),
+    detectorOwnershipMiddleware,
     lockController.actionLockHandler.bind(lockController)
   );
   http.put('/locks/force/:action/:detectorId',

@@ -66,6 +66,15 @@ class User {
     return Boolean(accessList.includes('admin'));
   }
 
+  /**
+   * Checks if the given user can access the given detector
+   * @param {string} detectorId 
+   * @returns {Boolean}
+   */
+  belongsToDetector(detectorId) {
+    return Boolean(this._accessList.includes(`det-${detectorId}`));
+  }
+
   /**
    * Check if provided details of a user are the same as the current instance one;
    * @param {User} user - to compare to

@@ -0,0 +1,33 @@
+const {User} = require('../dtos/User');
+/**
+   * Middleware function to check detector ownership.
+   * Based on the session object, it checks if the user has ownership of the detector lock.
+   * @param {Request} req - Express Request object.
+   * @param {Response} res - Express Response object.
+   * @param {Function} next - Next middleware to call.
+   */
+const detectorOwnershipMiddleware = (req, res, next) => {
+  const { detectorId } = req.params;
+  const { name, username, personid, access } = req.session || {};
+
+  if (!detectorId || !access) {
+    return res.status(400).json({ message: 'Invalid request: missing information' });
+  }
+
+  try {
+    const u = new User(username, name, personid, access);
+    console.log(`Checking locks for detector ${detectorId}`);
+    if (!u.belongsToDetector(detectorId)) {
+      return res
+        .status(403)
+        .json({ message: `User ${name} does not have ownership of the lock for detector ${detectorId}` });
+    }
+
+    next(); // Proceed if lock ownership is verified
+  } catch (error) {
+    console.error(`Error checking locks:`, error);
+    res.status(500).json({ message: 'Internal server error' });
+  }
+};
+
+exports.detectorOwnershipMiddleware = detectorOwnershipMiddleware;
@@ -0,0 +1,100 @@
+const assert = require('assert');
+const sinon = require('sinon');
+const express = require('express');
+const request = require('supertest');
+const { User } = require('../../../lib/dtos/User');
+const { detectorOwnershipMiddleware } = require('../../../lib/middleware/detectorOwnership.middleware');
+
+describe('`DetectorOwnerShipmiddleware` test suite', () => {
+  let userStub;
+
+  beforeEach(() => {
+    userStub = sinon.stub(User.prototype, 'belongsToDetector');
+  });
+
+  afterEach(() => {
+    userStub.restore();
+  });
+
+  it('should call next() if user has ownership of the detector', () => {
+    const detectorId = 'det-its';
+    const req = { params: { detectorId }, session: { personid: 0, name: 'testUser', access: ['det-its'] } };
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    userStub.returns(true);
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(next.calledOnce);
+  });
+
+  it('should return 403 if user does not have ownership of the detector', () => {
+    const detectorId = 'det-its';
+    const req = { params: { detectorId }, session: { personid: 0, name: 'testUser', access: [] } };
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    userStub.returns(false);
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(res.status.calledWith(403));
+    assert.ok(res.
+      json.calledWith({ message: `User testUser does not have ownership of the lock for detector ${detectorId}` }));
+    assert.ok(next.notCalled);
+  });
+
+  it('should call belongsToDetector method of User', () => {
+    const detectorId = 'det-its';
+    const req = { params: { detectorId }, session: { personid: 0, name: 'testUser', access: ['det-its'] } };
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    userStub.returns(true);
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(userStub.calledOnceWith(detectorId));
+  });
+
+  it('should handle empty session object gracefully', () => {
+    const detectorId = '1234';
+    const req = { params: { detectorId }, session: {} }; // Empty session object
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(res.status.calledWith(400));
+    assert.ok(res.json.calledWith({ message: 'Invalid request: missing information' }));
+    assert.ok(next.notCalled);
+  });
+
+  it('should integrate with an Express route and add detectorId', async () => {
+    const app = express();
+    app.use(express.json());
+
+    app.get(
+      '/:id',
+      (req, res, next) => {
+        req.session = { personid: 0, name: 'testUser', access: ['det-its'] };
+        req.params.detectorId = 'det-its';
+        next();
+      },
+      detectorOwnershipMiddleware,
+      (req, res) => {
+        res.json(req.params);
+      }
+    );
+
+    userStub.returns(true); // Ensure the user has ownership
+
+    const response = await request(app).get('/456');
+    assert.strictEqual(response.status, 200);
+    assert.deepStrictEqual(response.body, {
+      id: '456',
+      detectorId: 'det-its',
+    });
+  });
+});