Improve controlBsds query and close bsds query api to gov accounts
providenz committed Nov 6, 2024
1 parent 7c89ee2 commit c787625
Showing 5 changed files with 214 additions and 153 deletions.
6 changes: 6 additions & 0 deletions Changelog.md
Expand Up @@ -5,6 +5,12 @@ Les changements importants de Trackdéchets sont documentés dans ce fichier.
Le format est basé sur [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
et le projet suit un schéma de versionning inspiré de [Calendar Versioning](https://calver.org/).

# [2024.11.1] 12/11/2024

#### :house: Interne

- Modification de la query controlBsds et fermeture de la query bsds aux comptes gouvernementaux [PR 3270](https://github.com/MTES-MCT/trackdechets/pull/3270)

# [2024.10.1] 22/10/2024

#### :rocket: Nouvelles fonctionnalités
125 changes: 5 additions & 120 deletions back/src/bsds/resolvers/queries/__tests__/bsds.integration.ts
Expand Up @@ -19,7 +19,8 @@ import { faker } from "@faker-js/faker";
describe("query bsds: governement accounts permissions", () => {
afterEach(resetDatabase);

it("should allow user authenticated with a token when tied to a government account with relevant perms", async () => {
it("should forbid user authenticated with a token when tied to a government account with relevant perms", async () => {
// query bsds used t be opend to gov account but is forbidden now
const { user: owner, company: someCompany } = await userWithCompanyFactory(
"MEMBER"
);
Expand Down Expand Up @@ -48,132 +49,16 @@ describe("query bsds: governement accounts permissions", () => {
});
await indexForm(await getFormForElastic(form));
await refreshElasticSearch();
const res = await request
const {
body: { errors, data }
} = await request
.post("/")
.send({
query: `{ bsds(where: {isFollowFor: ["${someCompany.siret}"]}) {pageInfo: totalCount}}`
})
.set("Authorization", `Bearer ${accessToken}`)
.set("X-Forwarded-For", allowedIP);
const { errors, data } = res.body;

expect(errors).toBeUndefined();
expect(data.bsds.pageInfo).toEqual(1);
});

it("should forbid user authenticated with a token when tied to a government account without relevant perms", async () => {
const { user: owner, company: someCompany } = await userWithCompanyFactory(
"MEMBER"
);
const request = supertest(app);

const allowedIP = faker.internet.ipv4();
// the gov account running the query
const { accessToken } = await userWithAccessTokenFactory({
governmentAccount: {
create: {
name: "GERICO",
permissions: [GovernmentPermission.REGISTRY_CAN_READ_ALL], // wrong permission
authorizedOrgIds: ["ALL"],
authorizedIPs: [allowedIP]
}
}
});
const form = await formFactory({
ownerId: owner.id,
opt: {
emitterCompanySiret: someCompany.siret,
status: "SENT",
sentAt: new Date(),
receivedAt: new Date()
}
});
await indexForm(await getFormForElastic(form));
await refreshElasticSearch();
const res = await request
.post("/")
.send({
query: `{ bsds(where: {isFollowFor: ["${someCompany.siret}"]}) {pageInfo: totalCount}}`
})
.set("Authorization", `Bearer ${accessToken}`)
.set("X-Forwarded-For", allowedIP);
const { errors, data } = res.body;
expect(data).toBeNull();
expect(errors).toHaveLength(1);
expect(errors[0].message).toEqual(`Vous n'êtes pas connecté.`);
});

it("should forbid user authenticated with a token if no government account is associated", async () => {
const { user: owner, company: someCompany } = await userWithCompanyFactory(
"MEMBER"
);
const request = supertest(app);

const allowedIP = faker.internet.ipv4();
// the gov account running the query
const { accessToken } = await userWithAccessTokenFactory();
const form = await formFactory({
ownerId: owner.id,
opt: {
emitterCompanySiret: someCompany.siret,
status: "SENT",
sentAt: new Date(),
receivedAt: new Date()
}
});
await indexForm(await getFormForElastic(form));
await refreshElasticSearch();
const res = await request
.post("/")
.send({
query: `{ bsds(where: {isFollowFor: ["${someCompany.siret}"]}) {pageInfo: totalCount}}`
})
.set("Authorization", `Bearer ${accessToken}`)
.set("X-Forwarded-For", allowedIP);
const { errors, data } = res.body;
expect(data).toBeNull();
expect(errors).toHaveLength(1);
expect(errors[0].message).toEqual(`Vous n'êtes pas connecté.`);
});

it("should forbid user authenticated with a token tied to a government account when IPs do not match", async () => {
const { user: owner, company: someCompany } = await userWithCompanyFactory(
"MEMBER"
);
const request = supertest(app);

const allowedIP = faker.internet.ipv4();
const userIP = faker.internet.ipv4();
// the gov account running the query
const { accessToken } = await userWithAccessTokenFactory({
governmentAccount: {
create: {
name: "GERICO",
permissions: [GovernmentPermission.BSDS_CAN_READ_ALL],
authorizedOrgIds: ["ALL"],
authorizedIPs: [allowedIP] // not user ip
}
}
});
const form = await formFactory({
ownerId: owner.id,
opt: {
emitterCompanySiret: someCompany.siret,
status: "SENT",
sentAt: new Date(),
receivedAt: new Date()
}
});
await indexForm(await getFormForElastic(form));
await refreshElasticSearch();
const res = await request
.post("/")
.send({
query: `{ bsds(where: {isFollowFor: ["${someCompany.siret}"]}) {pageInfo: totalCount}}`
})
.set("Authorization", `Bearer ${accessToken}`)
.set("X-Forwarded-For", userIP); // IPs do not match
const { errors, data } = res.body;
expect(data).toBeNull();
expect(errors).toHaveLength(1);
expect(errors[0].message).toEqual(`Vous n'êtes pas connecté.`);
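Review bot: The renamed test at the top of the second hunk still asserts success — `expect(errors).toBeUndefined(); expect(data.bsds.pageInfo).toEqual(1);` — even though its title now says a government-account call to `bsds` must be forbidden, so either this test fails against the closed query or, if it passes, the query is not actually closed for the `BSDS_CAN_READ_ALL` account. The deleted negative cases show the shape the assertion should take: `expect(data).toBeNull(); expect(errors).toHaveLength(1);` plus a check on `errors[0].message` against whatever the resolver now raises for government accounts (the removed tests used `Vous n'êtes pas connecté.`, but a permission error may carry a different message — the resolver change is not in this view). The new explanatory comment also has typos; I'd write `// query bsds used to be open to gov accounts but is forbidden now`. The enclosing `describe` block continues past the end of the hunk.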
184 changes: 184 additions & 0 deletions back/src/bsds/resolvers/queries/__tests__/controlbsds.integration.ts
Expand Up @@ -692,4 +692,188 @@ describe("query controlbsds: governement accounts permissions", () => {
form4.id
]);
});

it.each([
Status.SEALED,
Status.SENT,
Status.RECEIVED,
Status.ACCEPTED,
Status.REFUSED,
Status.PROCESSED
])("should filter by readableId (%p)", async status => {
const { user: owner } = await userWithCompanyFactory("MEMBER");
const request = supertest(app);

const allowedIP = faker.internet.ipv4();
// the gov account running the query
const { accessToken } = await userWithAccessTokenFactory({
governmentAccount: {
create: {
name: "GERICO",
permissions: [GovernmentPermission.BSDS_CAN_READ_ALL],
authorizedOrgIds: ["ALL"],
authorizedIPs: [allowedIP]
}
}
});
const siret1 = siretify(1);
const siret2 = siretify(2);
const siret3 = siretify(3);
const siret4 = siretify(3);

const form1 = await formFactory({
ownerId: owner.id,
opt: {
status,
sentAt: new Date(),
transporters: {
create: {
transporterCompanySiret: siret1,
number: 1,
takenOverAt: new Date(),
transporterNumberPlate: "AZ 23 99"
}
}
}
});

const form2 = await formFactory({
ownerId: owner.id,
opt: {
status,
sentAt: new Date(),
transporters: {
create: {
transporterCompanySiret: siret2,
number: 1,
takenOverAt: new Date(),
transporterNumberPlate: "AZ 23 99"
}
}
}
});

const form3 = await formFactory({
ownerId: owner.id,
opt: {
status,
sentAt: new Date(),
transporters: {
create: {
transporterCompanySiret: siret3,
number: 1,
takenOverAt: new Date(),
transporterNumberPlate: "QS 23 99"
}
}
}
});

const form4 = await formFactory({
ownerId: owner.id,
opt: {
status,
receivedAt: new Date(),
wasteAcceptationStatus: WasteAcceptationStatus.REFUSED,
transporters: {
create: {
transporterCompanySiret: siret4,
number: 1,
takenOverAt: new Date(),
transporterNumberPlate: "AZ 23 99"
}
}
}
});

await indexForm(await getFormForElastic(form1));
await indexForm(await getFormForElastic(form2));
await indexForm(await getFormForElastic(form3));
await indexForm(await getFormForElastic(form4));

await refreshElasticSearch();
const res = await request
.post("/")
.send({
query: `{ controlBsds(where: {readableId: "${form1.readableId}"}) {
edges {
node {
... on Form {
id
}
}
}
pageInfo: totalCount}}`
})
.set("Authorization", `Bearer ${accessToken}`)
.set("X-Forwarded-For", allowedIP);
const { errors, data } = res.body;

expect(errors).toBeUndefined();
expect(data.controlBsds.pageInfo).toEqual(1);
// the form matches the
expect(data.controlBsds.edges.map(e => e.node.id).sort()).toEqual([
form1.id
]);
});

it("should exclude DRAFT when filtered by readableId ", async () => {
const { user: owner } = await userWithCompanyFactory("MEMBER");
const request = supertest(app);

const allowedIP = faker.internet.ipv4();
// the gov account running the query
const { accessToken } = await userWithAccessTokenFactory({
governmentAccount: {
create: {
name: "GERICO",
permissions: [GovernmentPermission.BSDS_CAN_READ_ALL],
authorizedOrgIds: ["ALL"],
authorizedIPs: [allowedIP]
}
}
});
const siret = siretify(1);

const form = await formFactory({
ownerId: owner.id,
opt: {
status: "DRAFT",
sentAt: new Date(),
transporters: {
create: {
transporterCompanySiret: siret,
number: 1,
takenOverAt: new Date(),
transporterNumberPlate: "AZ 23 99"
}
}
}
});

await indexForm(await getFormForElastic(form));

await refreshElasticSearch();
const res = await request
.post("/")
.send({
query: `{ controlBsds(where: {readableId: "${form.readableId}"}) {
edges {
node {
... on Form {
id
}
}
}
pageInfo: totalCount}}`
})
.set("Authorization", `Bearer ${accessToken}`)
.set("X-Forwarded-For", allowedIP);
const { errors, data } = res.body;

expect(errors).toBeUndefined();
expect(data.controlBsds.pageInfo).toEqual(0);
// the form matches the
expect(data.controlBsds.edges).toEqual([]);
});
});
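Review bot: `const siret4 = siretify(3);` in the new readableId test duplicates `siret3`, which looks like a copy-paste slip for `siretify(4)`; as written form3 and form4 share a transporter SIRET, so the fixture does not set up four distinct transporters as the names suggest (harmless for a readableId filter, but misleading to the next reader). The two trailing comments `// the form matches the` are cut off; I'd complete them as `// only form1 matches the requested readableId` and `// DRAFT forms are never exposed to government accounts, even by exact readableId`. The DRAFT exclusion check is the security-relevant one here; if `controlBsds` is also meant to honour `authorizedOrgIds`, a companion test with an account whose `authorizedOrgIds` does not cover the form should assert an empty result, but I cannot tell from this hunk whether that restriction applies to this query. The enclosing `describe` block starts before the hunk.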