Return 403 in for /broker if no item(s) match

Author: adamdickmeiss

broker/api/api-handler.go

@@ -75,15 +75,21 @@ func (a *ApiHandler) GetEvents(w http.ResponseWriter, r *http.Request, params oa
 		if err == nil && a.TenantFilter(&tran, params.XOkapiTenant, params.RequesterSymbol) {
 			eventList, err = a.eventRepo.GetIllTransactionEvents(ctx, tran.ID)
 		}
-	} else if a.tenantToSymbol == "" && params.IllTransactionId != nil {
-		eventList, err = a.eventRepo.GetIllTransactionEvents(ctx, *params.IllTransactionId)
 	} else if a.tenantToSymbol == "" {
-		eventList, err = a.eventRepo.ListEvents(ctx)
+		if params.IllTransactionId != nil {
+			eventList, err = a.eventRepo.GetIllTransactionEvents(ctx, *params.IllTransactionId)
+		} else {
+			eventList, err = a.eventRepo.ListEvents(ctx)
+		}
 	}
 	if err != nil && !errors.Is(err, pgx.ErrNoRows) {
 		addInternalError(ctx, w, err)
 		return
 	}
+	if len(eventList) == 0 && a.tenantToSymbol != "" {
+		addForbiddenError(ctx, w)
+		return
+	}
 	resp := []oapi.Event{}
 	for _, event := range eventList {
 		resp = append(resp, toApiEvent(event))
@@ -108,7 +114,7 @@ func (a *ApiHandler) GetIllTransactions(w http.ResponseWriter, r *http.Request,
 		if a.TenantFilter(&tran, params.XOkapiTenant, params.RequesterSymbol) {
 			resp = append(resp, toApiIllTransaction(r, tran))
 		}
-	} else {
+	} else if a.tenantToSymbol == "" {
 		trans, err := a.illRepo.ListIllTransactions(ctx)
 		if err != nil {
 			addInternalError(ctx, w, err)
@@ -120,6 +126,10 @@ func (a *ApiHandler) GetIllTransactions(w http.ResponseWriter, r *http.Request,
 			}
 		}
 	}
+	if len(resp) == 0 && a.tenantToSymbol != "" {
+		addForbiddenError(ctx, w)
+		return
+	}
 	writeJsonResponse(w, resp)
 }
 
@@ -128,18 +138,16 @@ func (a *ApiHandler) GetIllTransactionsId(w http.ResponseWriter, r *http.Request
 		Other: map[string]string{"method": "GetIllTransactionsId", "id": id},
 	})
 	trans, err := a.illRepo.GetIllTransactionById(ctx, id)
-	if err != nil {
-		if errors.Is(err, pgx.ErrNoRows) {
-			addNotFoundError(w)
-			return
-		} else {
-			addInternalError(ctx, w, err)
+	if err != nil && !errors.Is(err, pgx.ErrNoRows) {
+		addInternalError(ctx, w, err)
+		return
+	}
+	if err != nil || !a.TenantFilter(&trans, params.XOkapiTenant, params.RequesterSymbol) {
+		if a.tenantToSymbol != "" {
+			addForbiddenError(ctx, w)
 			return
 		}
-	}
-	if !a.TenantFilter(&trans, params.XOkapiTenant, params.RequesterSymbol) {
 		addNotFoundError(w)
-		return
 	}
 	writeJsonResponse(w, toApiIllTransaction(r, trans))
 }
@@ -496,15 +504,21 @@ func (a *ApiHandler) GetLocatedSuppliers(w http.ResponseWriter, r *http.Request,
 		if err == nil && a.TenantFilter(&tran, params.XOkapiTenant, params.RequesterSymbol) {
 			supList, err = a.illRepo.GetLocatedSupplierByIllTransition(ctx, tran.ID)
 		}
-	} else if a.tenantToSymbol == "" && params.IllTransactionId != nil {
-		supList, err = a.illRepo.GetLocatedSupplierByIllTransition(ctx, *params.IllTransactionId)
 	} else if a.tenantToSymbol == "" {
-		supList, err = a.illRepo.ListLocatedSuppliers(ctx)
+		if params.IllTransactionId != nil {
+			supList, err = a.illRepo.GetLocatedSupplierByIllTransition(ctx, *params.IllTransactionId)
+		} else {
+			supList, err = a.illRepo.ListLocatedSuppliers(ctx)
+		}
 	}
 	if err != nil && !errors.Is(err, pgx.ErrNoRows) {
 		addInternalError(ctx, w, err)
 		return
 	}
+	if len(supList) == 0 && a.tenantToSymbol != "" {
+		addForbiddenError(ctx, w)
+		return
+	}
 	resp := []oapi.LocatedSupplier{}
 	for _, supplier := range supList {
 		resp = append(resp, toApiLocatedSupplier(r, supplier))
@@ -544,6 +558,16 @@ func addInternalError(ctx extctx.ExtendedContext, w http.ResponseWriter, err err
 	_ = json.NewEncoder(w).Encode(resp)
 }
 
+func addForbiddenError(ctx extctx.ExtendedContext, w http.ResponseWriter) {
+	resp := ErrorMessage{
+		Error: "forbidden",
+	}
+	ctx.Logger().Error("error serving api request", "error", "forbidden")
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusForbidden)
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
 func addBadRequestError(ctx extctx.ExtendedContext, w http.ResponseWriter, err error) {
 	resp := ErrorMessage{
 		Error: err.Error(),

broker/oapi/open-api.yaml

@@ -272,6 +272,16 @@ paths:
                   error:
                     type: string
                     description: Error message
+        '403': # Example error response
+          description: Forbidden. Invalid tenant.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  error:
+                    type: string
+                    description: Error message
         '500': # Example error response
           description: Internal Server Error
           content:
@@ -311,6 +321,16 @@ paths:
                   error:
                     type: string
                     description: Error message
+        '403': # Example error response
+          description: Forbidden. Invalid tenant.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  error:
+                    type: string
+                    description: Error message
         '500': # Example error response
           description: Internal Server Error
           content:
@@ -363,6 +383,16 @@ paths:
                   error:
                     type: string
                     description: Error message
+        '403': # Example error response
+          description: Forbidden. Invalid tenant.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  error:
+                    type: string
+                    description: Error message
         '500': # Example error response
           description: Internal Server Error
           content:
@@ -495,6 +525,16 @@ paths:
                   error:
                     type: string
                     description: Error message
+        '403': # Example error response
+          description: Forbidden. Invalid tenant.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  error:
+                    type: string
+                    description: Error message
         '500':
           description: Internal Server Error
           content:

broker/test/api/api-handler_test.go

@@ -225,29 +225,28 @@ func TestBrokerCRUD(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, illId, tran.ID)
 
-	httpGetWithTenant(t, "/broker/ill_transactions/"+illId+"?requester_symbol="+url.QueryEscape("ISIL:DK-DIKU"), "ruc", http.StatusNotFound)
+	httpGetWithTenant(t, "/broker/ill_transactions/"+illId+"?requester_symbol="+url.QueryEscape("ISIL:DK-DIKU"), "ruc", http.StatusForbidden)
 
-	httpGetWithTenant(t, "/broker/ill_transactions/"+illId, "ruc", http.StatusNotFound)
+	httpGetWithTenant(t, "/broker/ill_transactions/"+illId, "ruc", http.StatusForbidden)
 
-	httpGetWithTenant(t, "/broker/ill_transactions/"+illId, "", http.StatusNotFound)
+	httpGetWithTenant(t, "/broker/ill_transactions/"+illId, "", http.StatusForbidden)
 
 	body = httpGetWithTenant(t, "/broker/ill_transactions/"+illId+"?requester_symbol="+url.QueryEscape("ISIL:DK-DIKU"), "", http.StatusOK)
 	err = json.Unmarshal(body, &tran)
 	assert.NoError(t, err)
 	assert.Equal(t, illId, tran.ID)
 
-	body = httpGetWithTenant(t, "/broker/ill_transactions", "diku", http.StatusOK)
+	httpGetWithTenant(t, "/broker/ill_transactions", "diku", http.StatusForbidden)
+
+	httpGetWithTenant(t, "/broker/ill_transactions", "ruc", http.StatusForbidden)
+
+	body = httpGetWithTenant(t, "/broker/ill_transactions?requester_req_id="+url.QueryEscape(reqReqId), "diku", http.StatusOK)
 	var trans []oapi.IllTransaction
 	err = json.Unmarshal(body, &trans)
 	assert.NoError(t, err)
 	assert.Len(t, trans, 1)
 	assert.Equal(t, illId, trans[0].ID)
 
-	body = httpGetWithTenant(t, "/broker/ill_transactions", "ruc", http.StatusOK)
-	err = json.Unmarshal(body, &trans)
-	assert.NoError(t, err)
-	assert.Len(t, trans, 0)
-
 	peer := test.CreatePeer(t, illRepo, "ISIL:LOC_OTHER", "")
 	locSup := test.CreateLocatedSupplier(t, illRepo, illId, peer.ID, "ISIL:LOC_OTHER", string(iso18626.TypeStatusLoaned))
 
@@ -258,15 +257,9 @@ func TestBrokerCRUD(t *testing.T) {
 	assert.Len(t, supps, 1)
 	assert.Equal(t, locSup.ID, supps[0].ID)
 
-	body = httpGetWithTenant(t, "/broker/located_suppliers?requester_req_id="+url.QueryEscape(reqReqId), "ruc", http.StatusOK)
-	err = json.Unmarshal(body, &supps)
-	assert.NoError(t, err)
-	assert.Len(t, supps, 0)
+	httpGetWithTenant(t, "/broker/located_suppliers?requester_req_id="+url.QueryEscape(reqReqId), "ruc", http.StatusForbidden)
 
-	body = httpGetWithTenant(t, "/broker/located_suppliers?requester_req_id="+url.QueryEscape(uuid.NewString()), "diku", http.StatusOK)
-	err = json.Unmarshal(body, &supps)
-	assert.NoError(t, err)
-	assert.Len(t, supps, 0)
+	httpGetWithTenant(t, "/broker/located_suppliers?requester_req_id="+url.QueryEscape(uuid.NewString()), "diku", http.StatusForbidden)
 
 	eventId := test.GetEventId(t, eventRepo, illId, events.EventTypeNotice, events.EventStatusSuccess, events.EventNameMessageRequester)
 
@@ -283,15 +276,9 @@ func TestBrokerCRUD(t *testing.T) {
 	assert.Len(t, events, 1)
 	assert.Equal(t, eventId, events[0].ID)
 
-	body = httpGetWithTenant(t, "/broker/events?requester_req_id="+url.QueryEscape(reqReqId), "ruc", http.StatusOK)
-	err = json.Unmarshal(body, &events)
-	assert.NoError(t, err)
-	assert.Len(t, events, 0)
+	httpGetWithTenant(t, "/broker/events?requester_req_id="+url.QueryEscape(reqReqId), "ruc", http.StatusForbidden)
 
-	body = httpGetWithTenant(t, "/broker/events?requester_req_id="+url.QueryEscape(uuid.NewString()), "diku", http.StatusOK)
-	err = json.Unmarshal(body, &events)
-	assert.NoError(t, err)
-	assert.Len(t, events, 0)
+	httpGetWithTenant(t, "/broker/events?requester_req_id="+url.QueryEscape(uuid.NewString()), "diku", http.StatusForbidden)
 }
 
 func TestPeersCRUD(t *testing.T) {