finding single applications depends on service_id

app/controllers/admin/api/applications_controller.rb

@@ -28,18 +28,22 @@ def applications
   end
 
   def application
-    @application ||= case
+    return @application if defined?(@application)
+
+    scope = params[:service_id] ? applications.where(service_id: params[:service_id]) : applications
+
+    @application = case
 
                      when param_key = params[:user_key]
       # TODO: these scopes should be in model layer
       # but there is scope named by_user_key already
-      applications.where.has { (service.backend_version == '1') & (user_key == param_key) }.first!
+      scope.where.has { (service.backend_version == '1') & (user_key == param_key) }.first!
 
-                     when app_id = params[:app_id]
-      applications.where.has { (service.backend_version != '1') & (application_id == app_id) }.first!
+                   when app_id = params[:app_id]
+      scope.where.has { (service.backend_version != '1') & (application_id == app_id) }.first!
 
                      else
-      applications.find(params[:application_id] || params[:id])
+      scope.find(params[:application_id] || params[:id])
     end
   end
 

test/integration/user-management-api/applications_test.rb

@@ -46,7 +46,7 @@ def setup
     assert_select "applications/application", false
 
     User.any_instance.expects(:member_permission_service_ids).returns([@service.id]).at_least_once
-    get admin_api_applications_path, params: { access_token: token.value, service_id: @service.id + 1 }
+    get admin_api_applications_path, params: { access_token: token.value, service_id: service_2.id }
     assert_response :success
     assert_select "applications/application", false
 
@@ -175,24 +175,6 @@ def setup
 
   pending_test 'index returns fields defined'
 
-  test 'return 404 on non found app' do
-    get find_admin_api_applications_path(format: :xml), params: { user_key: "SHAWARMA", provider_key: @provider.api_key }
-
-    assert_xml_404
-  end
-
-  test 'find by user_key on backend v1' do
-    @service.backend_version = '1'
-    @service.save!
-
-    get find_admin_api_applications_path(format: :xml), params: { user_key: @application.user_key, provider_key: @provider.api_key }
-
-    assert_response :success
-    assert_application(@response.body,
-                       { id: @application.id,
-                         user_key: @application.user_key })
-  end
-
   test 'find by app_id on backend v2' do
     @service.backend_version = '2'
     @service.save!
@@ -232,58 +214,134 @@ def setup
                          application_id: @application.application_id, oidc: true})
   end
 
-  test 'return the oidc_configuration' do
-    @service.backend_version = 'oidc'
+  test "find by app_id with service_id" do
+    @service.backend_version = '2'
     @service.save!
 
-    config = @service.proxy.oidc_configuration
-    config.service_accounts_enabled = true
-    config.save!
-
-    get find_admin_api_applications_path(format: :json), params: { app_id: @application.application_id, provider_key: @provider.api_key }
+    get find_admin_api_applications_path(format: :xml), params: { app_id: @application.application_id,
+                                                                  service_id: @service.id,
+                                                                  provider_key: @provider.api_key }
 
     assert_response :success
+    assert_application(@response.body,
+                       { id: @application.id,
+                         user_account_id: @buyer.id,
+                         application_id: @application.application_id })
 
-    json = JSON.parse(@response.body)
-    assert json.dig('application', 'oidc_configuration', 'service_accounts_enabled')
-    assert json.dig('application', 'oidc_configuration', 'standard_flow_enabled')
-    assert_not json.dig('application', 'oidc_configuration', 'implicit_flow_enabled')
-    assert_not json.dig('application', 'oidc_configuration', 'direct_access_grants_enabled')
+    another_service = FactoryBot.create(:service, account: @provider)
+
+    get find_admin_api_applications_path(format: :xml), params: { app_id: @application.application_id,
+                                                                  service_id: another_service.id,
+                                                                  provider_key: @provider.api_key }
+
+    assert_response :not_found
   end
 
-  test 'find by id (application_id) on any backend' do
-    @service.backend_version = 'oauth'
+  test "find by application_id with service_id" do
+    @service.backend_version = '2'
     @service.save!
 
-    get find_admin_api_applications_path(format: :xml), params: { application_id: @application.id, provider_key: @provider.api_key }
+    get find_admin_api_applications_path(format: :xml), params: { application_id: @application.id,
+                                                                  service_id: @service.id,
+                                                                  provider_key: @provider.api_key }
 
     assert_response :success
     assert_application(@response.body,
                        { id: @application.id,
                          user_account_id: @buyer.id,
                          application_id: @application.application_id })
 
-    @service.backend_version = '2'
+    another_service = FactoryBot.create(:service, account: @provider)
+
+    get find_admin_api_applications_path(format: :xml), params: { application_id: @application.id,
+                                                                  service_id: another_service.id,
+                                                                  provider_key: @provider.api_key }
+
+    assert_response :not_found
+  end
+
+  test 'find by non-existing user_key' do
+    get find_admin_api_applications_path(format: :xml), params: { user_key: "SHAWARMA", provider_key: @provider.api_key }
+
+    assert_xml_404
+  end
+
+  test 'find by user_key on backend v1' do
+    @service.backend_version = '1'
     @service.save!
 
-    get find_admin_api_applications_path(format: :xml), params: { application_id: @application.id, provider_key: @provider.api_key }
+    get find_admin_api_applications_path(format: :xml), params: { user_key: @application.user_key, provider_key: @provider.api_key }
 
     assert_response :success
     assert_application(@response.body,
                        { id: @application.id,
-                         user_account_id: @buyer.id,
-                         application_id: @application.application_id })
+                         user_key: @application.user_key })
+  end
 
+  test 'find by user_key with correct service_id' do
     @service.backend_version = '1'
     @service.save!
 
-    get find_admin_api_applications_path(format: :xml), params: { application_id: @application.id, provider_key: @provider.api_key }
+    get find_admin_api_applications_path(format: :xml), params: { user_key: @application.user_key,
+                                                                  provider_key: @provider.api_key,
+                                                                  service_id: @service.id }
 
     assert_response :success
     assert_application(@response.body,
                        { id: @application.id,
-                         user_account_id: @buyer.id,
-                         user_key: @application.user_key  })
+                         user_key: @application.user_key })
+  end
+
+  test 'find by user_key with incorrect service_id' do
+    @service.backend_version = '1'
+    @service.save!
+
+    another_service = FactoryBot.create(:service, account: @provider)
+
+    get find_admin_api_applications_path(format: :xml), params: { user_key: @application.user_key,
+                                                                  provider_key: @provider.api_key,
+                                                                  service_id: another_service.id }
+
+    assert_response :not_found
+  end
+
+  test 'find by user_key when there are two apps with the same user key' do
+    @service.backend_version = '1'
+    @service.save!
+
+    another_service = FactoryBot.create(:service, account: @provider, backend_version: '1')
+    another_app = FactoryBot.create(:cinstance,
+                                    service: another_service,
+                                    plan: FactoryBot.create(:application_plan, issuer: another_service),
+                                    user_key: @application.user_key)
+
+    get find_admin_api_applications_path(format: :xml), params: { user_key: @application.user_key,
+                                                                  provider_key: @provider.api_key,
+                                                                  service_id: another_service.id }
+
+    assert_application(@response.body, {
+                       id: another_app.id,
+                       service_id: another_service.id,
+                       user_key: another_app.user_key })
+  end
+
+  test 'return the oidc_configuration' do
+    @service.backend_version = 'oidc'
+    @service.save!
+
+    config = @service.proxy.oidc_configuration
+    config.service_accounts_enabled = true
+    config.save!
+
+    get find_admin_api_applications_path(format: :json), params: { app_id: @application.application_id, provider_key: @provider.api_key }
+
+    assert_response :success
+
+    json = JSON.parse(@response.body)
+    assert json.dig('application', 'oidc_configuration', 'service_accounts_enabled')
+    assert json.dig('application', 'oidc_configuration', 'standard_flow_enabled')
+    assert_not json.dig('application', 'oidc_configuration', 'implicit_flow_enabled')
+    assert_not json.dig('application', 'oidc_configuration', 'direct_access_grants_enabled')
   end
 
   test 'security wise: applications is access denied in buyer side' do