[EASI-4486] system intake doc uploads (#2691)

* (no verify) fresh branch with only system intake(no verify) fresh branch with only system intake(no verify) fresh branch with only system intake(no verify) fresh branch with only system intake(no verify) fresh branch with only system intake(no verify) fresh branch with only system intake(no verify) fresh branch with only system intake(no verify) fresh branch with only system intake(no verify) fresh branch with only system intake * (no-verify) update comment * finish up auth functions * update test * remove double intellisense * fix bug in canCreate * give test user a role * use const for role in test * check err no rows * naming * all three validators share similar input signature and same return signature
CMS-Enterprise · Jul 17, 2024 · 877a6dd · 877a6dd
1 parent 1e0c446
commit 877a6dd
Show file tree

Hide file tree

Showing 16 changed files with 328 additions and 185 deletions.
diff --git a/cypress/e2e/systemIntake.cy.js b/cypress/e2e/systemIntake.cy.js
@@ -1,8 +1,9 @@
 import cmsGovernanceTeams from '../../src/constants/enums/cmsGovernanceTeams';
+import { BASIC_USER_PROD } from '../../src/constants/jobCodes';
 
 describe('The System Intake Form', () => {
   beforeEach(() => {
-    cy.localLogin({ name: 'E2E1' });
+    cy.localLogin({ name: 'E2E1', role: BASIC_USER_PROD });
 
     cy.intercept('POST', '/api/graph/query', req => {
       if (req.body.operationName === 'UpdateSystemIntakeRequestDetails') {

diff --git a/migrations/V186__Add_Uploader_Role.sql b/migrations/V186__Add_Uploader_Role.sql
@@ -0,0 +1,11 @@
+CREATE TYPE document_uploader_role AS ENUM ('REQUESTER', 'ADMIN');
+
+-- add column without NOT NULL
+ALTER TABLE IF EXISTS system_intake_documents
+  ADD COLUMN IF NOT EXISTS uploader_role document_uploader_role;
+-- update all rows
+UPDATE system_intake_documents
+SET uploader_role = 'REQUESTER';
+-- add NOT NULL for new rows
+ALTER TABLE IF EXISTS system_intake_documents
+  ALTER COLUMN uploader_role SET NOT NULL;
diff --git a/pkg/graph/generated/generated.go b/pkg/graph/generated/generated.go
diff --git a/pkg/graph/resolvers/system_intake_document.go b/pkg/graph/resolvers/system_intake_document.go
@@ -2,25 +2,34 @@ package resolvers
 
 import (
 	"context"
+	"database/sql"
+	"errors"
 	"fmt"
 	"path/filepath"
+	"slices"
 
 	"github.com/google/uuid"
+	"go.uber.org/zap"
 
 	"github.com/cms-enterprise/easi-app/pkg/appcontext"
 	"github.com/cms-enterprise/easi-app/pkg/easiencoding"
 	"github.com/cms-enterprise/easi-app/pkg/models"
+	"github.com/cms-enterprise/easi-app/pkg/services"
 	"github.com/cms-enterprise/easi-app/pkg/storage"
 	"github.com/cms-enterprise/easi-app/pkg/upload"
 )
 
 // GetSystemIntakeDocumentsByRequestID fetches all documents attached to the system intake with the given ID.
-func GetSystemIntakeDocumentsByRequestID(ctx context.Context, store *storage.Store, s3Client *upload.S3Client, id uuid.UUID) ([]*models.SystemIntakeDocument, error) {
+func GetSystemIntakeDocumentsByRequestID(ctx context.Context, store *storage.Store, id uuid.UUID) ([]*models.SystemIntakeDocument, error) {
 	return store.GetSystemIntakeDocumentsByRequestID(ctx, id)
 }
 
 // GetURLForSystemIntakeDocument queries S3 for a presigned URL that can be used to fetch the document with the given s3Key
-func GetURLForSystemIntakeDocument(s3Client *upload.S3Client, s3Key string) (string, error) {
+func GetURLForSystemIntakeDocument(ctx context.Context, store *storage.Store, s3Client *upload.S3Client, s3Key string) (string, error) {
+	if err := canView(ctx, store, s3Key); err != nil {
+		return "", err
+	}
+
 	presignedURL, err := s3Client.NewGetPresignedURL(s3Key)
 	if err != nil {
 		return "", err
@@ -48,6 +57,20 @@ func GetStatusForSystemIntakeDocument(s3Client *upload.S3Client, s3Key string) (
 
 // CreateSystemIntakeDocument uploads a document to S3, then saves its metadata to our database.
 func CreateSystemIntakeDocument(ctx context.Context, store *storage.Store, s3Client *upload.S3Client, input models.CreateSystemIntakeDocumentInput) (*models.SystemIntakeDocument, error) {
+	intake, err := store.FetchSystemIntakeByID(ctx, input.RequestID)
+	if err != nil {
+		return nil, err
+	}
+
+	uploaderRole, err := getUploaderRole(ctx, intake)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := canCreate(ctx, uploaderRole, intake); err != nil {
+		return nil, err
+	}
+
 	s3Key := uuid.New().String()
 
 	existingExtension := filepath.Ext(input.FileData.Filename)
@@ -73,6 +96,7 @@ func CreateSystemIntakeDocument(ctx context.Context, store *storage.Store, s3Cli
 		FileName:              input.FileData.Filename,
 		S3Key:                 s3Key,
 		Bucket:                s3Client.GetBucket(),
+		UploaderRole:          uploaderRole,
 		// Status isn't saved in database - will be fetched from S3
 		// URL isn't saved in database - will be generated by querying S3
 	}
@@ -84,9 +108,121 @@ func CreateSystemIntakeDocument(ctx context.Context, store *storage.Store, s3Cli
 	return store.CreateSystemIntakeDocument(ctx, &documentDatabaseRecord)
 }
 
-// DeleteSystemIntakeDocument deletes an existing SystemIntakeDocumet, given its ID.
+// DeleteSystemIntakeDocument deletes an existing SystemIntakeDocument, given its ID.
 //
 // Does *not* delete the uploaded file from S3, following the example of TRB request documents.
 func DeleteSystemIntakeDocument(ctx context.Context, store *storage.Store, id uuid.UUID) (*models.SystemIntakeDocument, error) {
+	if err := canDelete(ctx, store, id); err != nil {
+		return nil, err
+	}
+
 	return store.DeleteSystemIntakeDocument(ctx, id)
 }
+
+// canView guards unauthorized views (downloads) of system intake documents
+// admins can view any document
+// requesters can view any document
+// GRB reviewers can view any document
+func canView(ctx context.Context, store *storage.Store, s3Key string) error {
+	// admins can view
+	if services.HasRole(ctx, models.RoleEasiGovteam) {
+		return nil
+	}
+
+	document, err := store.GetSystemIntakeDocumentByS3Key(ctx, s3Key)
+	if err != nil {
+
+		if errors.Is(err, sql.ErrNoRows) {
+			// if the document was deleted, don't error and break
+			return nil
+		}
+
+		return err
+	}
+
+	// requester can view
+	user := appcontext.Principal(ctx).Account()
+	if document.GetCreatedBy() == user.Username {
+		return nil
+	}
+
+	// if needed, get GRB members for this intake
+	grbUsers, err := store.SystemIntakeGRBReviewersBySystemIntakeIDs(ctx, []uuid.UUID{document.SystemIntakeRequestID})
+	if err != nil {
+		return err
+	}
+
+	if isGRBViewer := slices.ContainsFunc(grbUsers, func(reviewer *models.SystemIntakeGRBReviewer) bool {
+		return reviewer.UserID == user.ID
+	}); isGRBViewer {
+		return nil
+	}
+
+	appcontext.ZLogger(ctx).Warn("unauthorized user attempted to view system intake document",
+		zap.String("username", user.Username),
+		zap.String("system_intake.id", document.SystemIntakeRequestID.String()),
+		zap.String("document.id", document.ID.String()))
+
+	return errors.New("unauthorized attempt to view system intake document")
+}
+
+// getUploaderRole guards unauthorized creation of system intake documents
+// admins can upload documents
+// requesters can upload documents
+func getUploaderRole(ctx context.Context, intake *models.SystemIntake) (models.DocumentUploaderRole, error) {
+	// check requester first as that role takes precedence over admin role for uploader roles
+	user := appcontext.Principal(ctx).Account()
+	if intake.EUAUserID.String == user.Username {
+		return models.RequesterUploaderRole, nil
+	}
+
+	if services.HasRole(ctx, models.RoleEasiGovteam) {
+		return models.AdminUploaderRole, nil
+	}
+
+	appcontext.ZLogger(ctx).Warn("unauthorized user attempted to create system intake document",
+		zap.String("username", user.Username),
+		zap.String("system_intake.id", intake.ID.String()))
+
+	return "", errors.New("unauthorized attempt to create system intake document")
+}
+
+func canCreate(ctx context.Context, role models.DocumentUploaderRole, intake *models.SystemIntake) error {
+	if role == models.RequesterUploaderRole || role == models.AdminUploaderRole {
+		return nil
+	}
+
+	appcontext.ZLogger(ctx).Warn("unauthorized user attempted to create system intake document",
+		zap.String("username", appcontext.Principal(ctx).Account().Username),
+		zap.String("system_intake.id", intake.ID.String()))
+
+	return errors.New("unauthorized attempt to create system intake document")
+}
+
+// canDelete guards unauthorized deletions of system intake documents
+// an admin is allowed to delete admin-uploaded docs
+// the intake requester is allowed to delete requester-uploaded docs
+func canDelete(ctx context.Context, store *storage.Store, id uuid.UUID) error {
+	document, err := store.GetSystemIntakeDocumentByID(ctx, id)
+	if err != nil {
+		return err
+	}
+
+	// admins can only delete admin-uploaded docs
+	if services.HasRole(ctx, models.RoleEasiGovteam) && document.UploaderRole == models.AdminUploaderRole {
+		return nil
+	}
+
+	// if the acting user is the requester, they can delete the doc
+	user := appcontext.Principal(ctx).Account()
+	if document.GetCreatedBy() == user.Username {
+		return nil
+	}
+
+	appcontext.ZLogger(ctx).Warn("unauthorized user attempted to delete system intake document",
+		zap.String("username", user.Username),
+		zap.String("system_intake.id", document.SystemIntakeRequestID.String()),
+		zap.String("document.id", document.ID.String()))
+
+	return errors.New("unauthorized attempt to delete system intake document")
+}
diff --git a/pkg/graph/resolvers/system_intake_document_test.go b/pkg/graph/resolvers/system_intake_document_test.go
@@ -13,7 +13,6 @@ import (
 func (s *ResolverSuite) TestSystemIntakeDocumentResolvers() {
 	ctx := s.testConfigs.Context
 	store := s.testConfigs.Store
-	s3Client := s.testConfigs.S3Client
 
 	// Create a system intake
 	intake, err := store.CreateSystemIntake(ctx, &models.SystemIntake{
@@ -23,7 +22,7 @@ func (s *ResolverSuite) TestSystemIntakeDocumentResolvers() {
 	s.NotNil(intake)
 
 	// Check that there are no docs by default
-	docs, err := GetSystemIntakeDocumentsByRequestID(ctx, store, s3Client, intake.ID)
+	docs, err := GetSystemIntakeDocumentsByRequestID(ctx, store, intake.ID)
 	s.NoError(err)
 	s.Len(docs, 0)
 
@@ -34,6 +33,7 @@ func (s *ResolverSuite) TestSystemIntakeDocumentResolvers() {
 		FileName:              "create_and_get.pdf",
 		Bucket:                "bukkit",
 		S3Key:                 uuid.NewString(),
+		UploaderRole:          models.RequesterUploaderRole,
 	}
 	// documentToCreate.CreatedBy will be set based on principal in test config
 
@@ -75,12 +75,7 @@ func createSystemIntakeDocumentSubtest(s *ResolverSuite, systemIntakeID uuid.UUI
 }
 
 func getSystemIntakeDocumentsByRequestIDSubtest(s *ResolverSuite, systemIntakeID uuid.UUID, createdDocument *models.SystemIntakeDocument) {
-	documents, err := GetSystemIntakeDocumentsByRequestID(
-		s.testConfigs.Context,
-		s.testConfigs.Store,
-		s.testConfigs.S3Client,
-		systemIntakeID,
-	)
+	documents, err := GetSystemIntakeDocumentsByRequestID(s.testConfigs.Context, s.testConfigs.Store, systemIntakeID)
 	s.NoError(err)
 	s.Equal(1, len(documents))
 
@@ -96,12 +91,7 @@ func deleteSystemIntakeDocumentSubtest(s *ResolverSuite, createdDocument *models
 	s.NoError(err)
 	checkSystemIntakeDocumentEquality(s, createdDocument, createdDocument.CreatedBy, createdDocument.SystemIntakeRequestID, deletedDocument)
 
-	remainingDocuments, err := GetSystemIntakeDocumentsByRequestID(
-		s.testConfigs.Context,
-		s.testConfigs.Store,
-		s.testConfigs.S3Client,
-		createdDocument.SystemIntakeRequestID,
-	)
+	remainingDocuments, err := GetSystemIntakeDocumentsByRequestID(s.testConfigs.Context, s.testConfigs.Store, createdDocument.SystemIntakeRequestID)
 	s.NoError(err)
 	s.Equal(0, len(remainingDocuments))
 }

diff --git a/pkg/graph/schema.graphql b/pkg/graph/schema.graphql
@@ -2610,7 +2610,7 @@ A user role associated with a job code
 """
 enum Role {
   """
-  A member of the GRT
+  An admin on the GRT
   """
   EASI_GOVTEAM
 

diff --git a/pkg/graph/schema.resolvers.go b/pkg/graph/schema.resolvers.go
diff --git a/pkg/models/models_gen.go b/pkg/models/models_gen.go
diff --git a/pkg/models/system_intake_document.go b/pkg/models/system_intake_document.go
@@ -8,6 +8,8 @@ type SystemIntakeDocumentStatus string
 // SystemIntakeDocumentCommonType represents the document type, including an "OTHER" option for user-specified types
 type SystemIntakeDocumentCommonType string
 
+type DocumentUploaderRole string
+
 const (
 	// SystemIntakeDocumentStatusAvailable means that the document passed the virus scanning
 	SystemIntakeDocumentStatusAvailable SystemIntakeDocumentStatus = "AVAILABLE"
@@ -22,6 +24,11 @@ const (
 	SystemIntakeDocumentCommonTypeDraftICGE SystemIntakeDocumentCommonType = "DRAFT_ICGE"
 	// SystemIntakeDocumentCommonTypeDraftOther means the document is some type other than the common document types
 	SystemIntakeDocumentCommonTypeDraftOther SystemIntakeDocumentCommonType = "OTHER"
+
+	// RequesterUploaderRole signifies a Requester uploaded a document
+	RequesterUploaderRole DocumentUploaderRole = "REQUESTER"
+	// AdminUploaderRole signifies an Admin uploaded a document
+	AdminUploaderRole DocumentUploaderRole = "ADMIN"
 )
 
 // SystemIntakeDocument represents a document attached to a system intake that has been uploaded to S3
@@ -33,4 +40,5 @@ type SystemIntakeDocument struct {
 	FileName              string                         `json:"fileName" db:"file_name"`
 	Bucket                string                         `json:"bucket" db:"bucket"`
 	S3Key                 string                         `json:"s3Key" db:"s3_key"` // The document's key inside an S3 bucket; does *not* include the bucket name.
+	UploaderRole          DocumentUploaderRole           `json:"uploaderRole" db:"uploader_role"`
 }
diff --git a/pkg/sqlqueries/SQL/system_intake_document/create.sql b/pkg/sqlqueries/SQL/system_intake_document/create.sql
@@ -0,0 +1,33 @@
+INSERT INTO system_intake_documents (id,
+                                     system_intake_id,
+                                     file_name,
+                                     document_type,
+                                     other_type,
+                                     bucket,
+                                     s3_key,
+                                     created_by,
+                                     modified_by,
+                                     uploader_role)
+VALUES (:id,
+        :system_intake_id,
+        :file_name,
+        :document_type,
+        :other_type,
+        :bucket,
+        :s3_key,
+        :created_by,
+        :modified_by,
+        :uploader_role)
+RETURNING
+  id,
+  system_intake_id,
+  file_name,
+  document_type,
+  other_type,
+  bucket,
+  s3_key,
+  created_by,
+  created_at,
+  modified_by,
+  modified_at,
+  uploader_role;
diff --git a/pkg/sqlqueries/SQL/system_intake_document/delete.sql b/pkg/sqlqueries/SQL/system_intake_document/delete.sql
@@ -0,0 +1,16 @@
+DELETE
+FROM system_intake_documents
+WHERE id = :id
+RETURNING
+  id,
+  system_intake_id,
+  file_name,
+  document_type,
+  other_type,
+  bucket,
+  s3_key,
+  created_by,
+  created_at,
+  modified_by,
+  modified_at,
+  uploader_role;