This is an automated email from the ASF dual-hosted git repository. yasith pushed a commit to branch feat/airavata-service-layer in repository https://gitbox.apache.org/repos/asf/airavata.git
commit 8f91f45ce2096b751e3aba3b3586bbdbb507d501 Author: yasithdev <[email protected]> AuthorDate: Thu Mar 26 12:03:32 2026 -0500 fix: add proper admin group validation to ResourceSharingService - Accept RegistryServerHandler in constructor (backwards-compatible overload kept) - Implement retrieveGatewayGroups helper using registry - validateAdminGroupNotRevoked now checks actual GatewayGroups admin group id - Pass registryHandler from AiravataServerHandler constructor --- .../service/sharing/ResourceSharingService.java | 35 +++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java b/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java index 926f441141..bd9b2b6202 100644 --- a/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java @@ -1,10 +1,13 @@ package org.apache.airavata.service.sharing; +import org.apache.airavata.model.appcatalog.gatewaygroups.GatewayGroups; import org.apache.airavata.model.group.ResourcePermissionType; import org.apache.airavata.model.group.ResourceType; +import org.apache.airavata.registry.api.service.handler.RegistryServerHandler; import org.apache.airavata.service.context.RequestContext; import org.apache.airavata.service.exception.ServiceAuthorizationException; import org.apache.airavata.service.exception.ServiceException; +import org.apache.airavata.service.security.GatewayGroupsInitializer; import org.apache.airavata.sharing.registry.models.PermissionType; import org.apache.airavata.sharing.registry.models.User; import org.apache.airavata.sharing.registry.models.UserGroup; @@ -25,9 +28,16 @@ public class ResourceSharingService { private static final Logger logger = LoggerFactory.getLogger(ResourceSharingService.class); private final SharingRegistryServerHandler sharingHandler; + private final RegistryServerHandler registryHandler; - public ResourceSharingService(SharingRegistryServerHandler sharingHandler) { + public ResourceSharingService(SharingRegistryServerHandler sharingHandler, RegistryServerHandler registryHandler) { this.sharingHandler = sharingHandler; + this.registryHandler = registryHandler; + } + + // Backwards-compatible constructor for tests + public ResourceSharingService(SharingRegistryServerHandler sharingHandler) { + this(sharingHandler, null); } public boolean shareResourceWithUsers(RequestContext ctx, String resourceId, Map<String, ResourcePermissionType> userPermissionList) throws ServiceException { @@ -332,9 +342,26 @@ public class ResourceSharingService { } private void validateAdminGroupNotRevoked(String gatewayId, String resourceId, Map<String, ResourcePermissionType> groupPermissionList) throws Exception { - var gatewayGroups = sharingHandler.getEntity(gatewayId, gatewayId + ":GATEWAY_GROUPS"); - // Note: admin group validation is best-effort based on gateway groups entity - // The actual validation uses GatewayGroups from registryHandler (done in caller context) + GatewayGroups gatewayGroups = retrieveGatewayGroups(gatewayId); + if (gatewayGroups == null) { + return; + } + String adminsGroupId = gatewayGroups.getAdminsGroupId(); + if (adminsGroupId != null && groupPermissionList.containsKey(adminsGroupId)) { + throw new ServiceAuthorizationException( + "Cannot revoke sharing from the admin group " + adminsGroupId); + } + } + + private GatewayGroups retrieveGatewayGroups(String gatewayId) throws Exception { + if (registryHandler == null) { + return null; + } + if (registryHandler.isGatewayGroupsExists(gatewayId)) { + return registryHandler.getGatewayGroups(gatewayId); + } else { + return GatewayGroupsInitializer.initializeGatewayGroups(gatewayId); + } } void createManageSharingPermissionTypeIfMissing(String domainId) throws Exception {
