Filter console registrars per user role (#2501)

2026-01-04 04:04:22 +00:00 · 2024-07-24 14:31:23 -04:00
parent 233ee09efe
commit 1a8f133d54
3 changed files with 59 additions and 28 deletions
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleDomainListAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleDomainListAction.java
@@ -115,6 +115,7 @@ public class ConsoleDomainListAction extends ConsoleApiAction {
            .setFirstResult(numResultsToSkip)
            .setMaxResults(resultsPerPage)
            .getResultList();
+
    consoleApiParams
        .response()
        .setPayload(gson.toJson(new DomainListResult(domains, checkpoint, actualTotalResults)));
--- a/core/src/main/java/google/registry/ui/server/console/RegistrarsAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/RegistrarsAction.java
@@ -16,6 +16,7 @@ package google.registry.ui.server.console;

 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.POST;
@@ -23,6 +24,7 @@ import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;

 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Streams;
 import com.google.gson.Gson;
 import google.registry.model.console.ConsolePermission;
@@ -36,6 +38,8 @@ import google.registry.request.Parameter;
 import google.registry.request.auth.Auth;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.util.StringGenerator;
+import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import javax.inject.Inject;
 import javax.inject.Named;
@@ -50,6 +54,11 @@ public class RegistrarsAction extends ConsoleApiAction {
  private static final int PASSCODE_LENGTH = 5;
  private static final ImmutableList<RegistrarBase.Type> allowedRegistrarTypes =
      ImmutableList.of(Registrar.Type.REAL, RegistrarBase.Type.OTE);
+  private static final String SQL_TEMPLATE =
+      """
+            SELECT * FROM "Registrar"
+            WHERE registrar_id in :registrarIds
+      """;
  static final String PATH = "/console-api/registrars";
  private final Gson gson;
  private final Optional<Registrar> registrar;
@@ -72,18 +81,34 @@ public class RegistrarsAction extends ConsoleApiAction {

  @Override
  protected void getHandler(User user) {
-    if (!user.getUserRoles().hasGlobalPermission(ConsolePermission.VIEW_REGISTRARS)) {
+    if (user.getUserRoles().hasGlobalPermission(ConsolePermission.VIEW_REGISTRARS)) {
+      ImmutableList<Registrar> registrars =
+          Streams.stream(Registrar.loadAll())
+              .filter(r -> allowedRegistrarTypes.contains(r.getType()))
+              .collect(ImmutableList.toImmutableList());
+      consoleApiParams.response().setPayload(gson.toJson(registrars));
+      consoleApiParams.response().setStatus(SC_OK);
+    } else if (user.getUserRoles().getRegistrarRoles().values().stream()
+        .anyMatch(role -> role.hasPermission(ConsolePermission.VIEW_REGISTRAR_DETAILS))) {
+      ImmutableSet<String> accessibleRegistrarIds =
+          user.getUserRoles().getRegistrarRoles().entrySet().stream()
+              .filter(e -> e.getValue().hasPermission(ConsolePermission.VIEW_REGISTRAR_DETAILS))
+              .map(Map.Entry::getKey)
+              .collect(toImmutableSet());
+
+      List<Registrar> registrars =
+          tm().transact(
+                  () ->
+                      tm().getEntityManager()
+                          .createNativeQuery(SQL_TEMPLATE, Registrar.class)
+                          .setParameter("registrarIds", accessibleRegistrarIds)
+                          .getResultList());
+
+      consoleApiParams.response().setPayload(gson.toJson(registrars));
+      consoleApiParams.response().setStatus(SC_OK);
+    } else {
      consoleApiParams.response().setStatus(SC_FORBIDDEN);
-      return;
    }
-
-    ImmutableList<Registrar> registrars =
-        Streams.stream(Registrar.loadAll())
-            .filter(r -> allowedRegistrarTypes.contains(r.getType()))
-            .collect(ImmutableList.toImmutableList());
-
-    consoleApiParams.response().setPayload(gson.toJson(registrars));
-    consoleApiParams.response().setStatus(SC_OK);
  }

  @Override
@@ -151,4 +176,5 @@ public class RegistrarsAction extends ConsoleApiAction {
              tm().putAll(registrar, contact);
            });
  }
+
 }
--- a/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java
@@ -21,7 +21,6 @@ import static google.registry.testing.DatabaseHelper.persistNewRegistrar;
 import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.testing.SqlHelper.saveRegistrar;
 import static jakarta.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
-import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.when;
@@ -148,6 +147,28 @@ class RegistrarsActionTest {
        .isTrue();
  }

+  @Test
+  void testSuccess_getOnlyAllowedRegistrars() {
+    saveRegistrar("registrarId");
+
+    RegistrarsAction action =
+        createAction(
+            Action.Method.GET,
+            AuthResult.createUser(
+                createUser(
+                    new UserRoles.Builder()
+                        .setRegistrarRoles(
+                            ImmutableMap.of("registrarId", RegistrarRole.ACCOUNT_MANAGER))
+                        .build())));
+
+    action.run();
+    assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_OK);
+    String payload = ((FakeResponse) consoleApiParams.response()).getPayload();
+    Registrar[] registrars = GSON.fromJson(payload, Registrar[].class);
+    assertThat(registrars).hasLength(1);
+    assertThat(registrars[0].getRegistrarId()).isEqualTo("registrarId");
+  }
+
  @Test
  void testSuccess_createRegistrar() {
    RegistrarsAction action =
@@ -205,23 +226,6 @@ class RegistrarsActionTest {
        .isEqualTo("Registrar with registrarId regIdTest already exists");
  }

-  @Test
-  void testFailure_getRegistrarIds() {
-    saveRegistrar("registrarId");
-    RegistrarsAction action =
-        createAction(
-            Action.Method.GET,
-            AuthResult.createUser(
-                createUser(
-                    new UserRoles.Builder()
-                        .setRegistrarRoles(
-                            ImmutableMap.of(
-                                "registrarId", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK))
-                        .build())));
-    action.run();
-    assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_FORBIDDEN);
-  }
-
  private User createUser(UserRoles userRoles) {
    return new User.Builder()
        .setEmailAddress("email@email.com")