Elide 5.x Async Create Permission Fix (#1425)

* NCreate Permission Check on AsyncQuery

* Create Permission Check on AsyncQuery

* Updating test case

* Cleanup

Author: moizarafat

elide-async/src/main/java/com/yahoo/elide/async/models/AsyncQuery.java

@@ -6,6 +6,7 @@
 package com.yahoo.elide.async.models;
 
 import com.yahoo.elide.annotation.ComputedAttribute;
+import com.yahoo.elide.annotation.CreatePermission;
 import com.yahoo.elide.annotation.DeletePermission;
 import com.yahoo.elide.annotation.Exclude;
 import com.yahoo.elide.annotation.Include;
@@ -56,6 +57,7 @@ public class AsyncQuery extends AsyncBase implements PrincipalOwned {
     private String requestId; //Client provided
 
     @UpdatePermission(expression = "Principal is Owner AND value is Cancelled")
+    @CreatePermission(expression = "value is Queued")
     private QueryStatus status = QueryStatus.QUEUED;
 
     @Embedded

elide-async/src/main/java/com/yahoo/elide/async/models/security/AsyncQueryOperationChecks.java

@@ -49,4 +49,13 @@ public boolean ok(AsyncQuery object, RequestScope requestScope, Optional<ChangeS
             return changeSpec.get().getModified().toString().equals(QueryStatus.CANCELLED.name());
         }
     }
+
+    @SecurityCheck(AsyncQueryStatusQueuedValue.VALUE_IS_QUEUED)
+    public static class AsyncQueryStatusQueuedValue extends OperationCheck<AsyncQuery> {
+        public static final String VALUE_IS_QUEUED = "value is Queued";
+        @Override
+        public boolean ok(AsyncQuery object, RequestScope requestScope, Optional<ChangeSpec> changeSpec) {
+            return changeSpec.get().getModified().toString().equals(QueryStatus.QUEUED.name());
+        }
+    }
 }

elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java

@@ -147,7 +147,7 @@ public static <T> PersistentResource<T> createObject(
 
         // Keep track of new resources for non-transferable resources
         requestScope.getNewPersistentResources().add(newResource);
-        checkPermission(CreatePermission.class, newResource);
+        checkUserPermission(CreatePermission.class, obj, requestScope);
 
         newResource.auditClass(Audit.Action.CREATE, new ChangeSpec(newResource, null, null, newResource.getObject()));
 
@@ -1737,6 +1737,11 @@ private static <A extends Annotation> ExpressionResult checkPermission(
         return resource.requestScope.getPermissionExecutor().checkPermission(annotationClass, resource);
     }
 
+    private static <A extends Annotation> ExpressionResult checkUserPermission(
+            Class<A> annotationClass, Object obj, RequestScope requestScope) {
+        return requestScope.getPermissionExecutor().checkUserPermissions(obj.getClass(), annotationClass);
+    }
+
     private <A extends Annotation> ExpressionResult checkFieldAwarePermissions(Class<A> annotationClass) {
         return requestScope.getPermissionExecutor().checkPermission(annotationClass, this);
     }

elide-integration-tests/src/test/java/com/yahoo/elide/async/integration/tests/AsyncIT.java

@@ -434,6 +434,51 @@ public void graphQLHappyPath2() throws InterruptedException {
         assertEquals(expectedResponse, responseGraphQL);
     }
 
+    /**
+     * Test for QueryStatus Set to PROCESSING instead of Queued
+     */
+    @Test
+    public void graphQLTestCreateFailOnQueryStatus() {
+
+        AsyncDelayStoreTransaction.sleep = true;
+        AsyncQuery queryObj = new AsyncQuery();
+        queryObj.setId("edc4a871-dff2-4054-804e-d80075cf839e");
+        queryObj.setAsyncAfterSeconds(0);
+        queryObj.setQueryType("GRAPHQL_V1_0");
+        queryObj.setStatus("PROCESSING");
+        queryObj.setQuery("{\"query\":\"{ book { edges { node { id title } } } }\",\"variables\":null}");
+        String graphQLRequest = document(
+                mutation(
+                        selection(
+                                field(
+                                        "asyncQuery",
+                                        arguments(
+                                                argument("op", "UPSERT"),
+                                                argument("data", queryObj, UNQUOTED_VALUE)
+                                        ),
+                                        selections(
+                                                field("id"),
+                                                field("query"),
+                                                field("queryType"),
+                                                field("status")
+                                        )
+                                )
+                        )
+                )
+        ).toQuery();
+
+        JsonNode graphQLJsonNode = toJsonNode(graphQLRequest, null);
+        ValidatableResponse response = given()
+                .contentType(MediaType.APPLICATION_JSON)
+                .accept(MediaType.APPLICATION_JSON)
+                .body(graphQLJsonNode)
+                .post("/graphQL")
+                .then()
+                .statusCode(org.apache.http.HttpStatus.SC_OK);
+
+        assertEquals(true, response.extract().body().asString().contains("errors"));
+    }
+
     /**
      * Various tests for an unknown collection (group) that does not exist JSONAPI query as a Async Request.
      * @throws InterruptedException

elide-integration-tests/src/test/java/com/yahoo/elide/async/integration/tests/framework/AsyncIntegrationTestApplicationResourceConfig.java

@@ -59,6 +59,7 @@ protected void configure() {
                 Map<String, Class<? extends Check>> checkMappings = new HashMap<>(TestCheckMappings.MAPPINGS);
                 checkMappings.put(AsyncQueryOperationChecks.AsyncQueryOwner.PRINCIPAL_IS_OWNER, AsyncQueryOperationChecks.AsyncQueryOwner.class);
                 checkMappings.put(AsyncQueryOperationChecks.AsyncQueryStatusValue.VALUE_IS_CANCELLED, AsyncQueryOperationChecks.AsyncQueryStatusValue.class);
+                checkMappings.put(AsyncQueryOperationChecks.AsyncQueryStatusQueuedValue.VALUE_IS_QUEUED, AsyncQueryOperationChecks.AsyncQueryStatusQueuedValue.class);
 
                 EntityDictionary dictionary = new EntityDictionary(checkMappings, injector::inject);
 

elide-integration-tests/src/test/java/example/NoCommitEntity.java

@@ -12,6 +12,9 @@
 import com.yahoo.elide.security.RequestScope;
 import com.yahoo.elide.security.checks.OperationCheck;
 
+import lombok.Getter;
+import lombok.Setter;
+
 import java.util.Optional;
 
 import javax.persistence.Entity;
@@ -27,6 +30,9 @@
 @Entity
 @Table(name = "nocommit")
 public class NoCommitEntity extends BaseId {
+    @Getter @Setter
+    private String value;
+
     static public class NoCommitCheck<T> extends OperationCheck<T> {
         @Override
         public boolean ok(T record, RequestScope requestScope, Optional<ChangeSpec> changeSpec) {

elide-integration-tests/src/test/resources/ResourceIT/testPatchExtNoCommit.req.json

@@ -4,7 +4,10 @@
         "path":"/nocommit",
         "value":{
             "type":"nocommit",
-            "id":"12345678-1234-1234-1234-123456789ab1"
+            "id":"12345678-1234-1234-1234-123456789ab1",
+            "attributes":{
+                "value":"value"
+            }
         }
     }
 ]