Jobs tests

.github/workflows/test.yml

@@ -6,6 +6,7 @@ on:
   pull_request:
     branches:
       - master
+      - release-*
 
 jobs:
   install-and-cache:
@@ -152,6 +153,9 @@ jobs:
           CREATE_DATASET_WITH_PID_GROUPS: "group2"
           CREATE_DATASET_PRIVILEGED_GROUPS: "datasetIngestor,group3"
           ACCESS_GROUPS_STATIC_VALUES: "ess"
+          CREATE_JOB_GROUPS: group1,group2
+          UPDATE_JOB_GROUPS: group1
+          DELETE_JOB_GROUPS: "archivemanager"
           PROPOSAL_GROUPS: "proposalingestor"
           SAMPLE_PRIVILEGED_GROUPS: "sampleingestor"
           SAMPLE_GROUPS: "group1"
@@ -168,6 +172,7 @@ jobs:
           STACK_VERSION: 8.8.2
           CLUSTER_NAME: es-cluster
           MEM_LIMIT: 4G
+          JOB_CONFIGURATION_FILE: test/config/jobconfig.json
 
         # Start mongo container and app before running api tests
         run: |

src/casl/casl-ability.factory.ts

@@ -25,7 +25,10 @@ import { UserSettings } from "src/users/schemas/user-settings.schema";
 import { User } from "src/users/schemas/user.schema";
 import { AuthOp } from "./authop.enum";
 import configuration from "src/config/configuration";
-import { CreateJobAuth, StatusUpdateJobAuth } from "src/jobs/types/jobs-auth.enum";
+import {
+  CreateJobAuth,
+  StatusUpdateJobAuth,
+} from "src/jobs/types/jobs-auth.enum";
 
 type Subjects =
   | string
@@ -818,36 +821,53 @@ export class CaslAbilityFactory {
         ["configuration.create.auth" as string]: CreateJobAuth.DatasetPublic,
         datasetsValidation: true,
       });
+      can(AuthOp.JobStatusUpdateConfiguration, JobClass, {
+        ["configuration.statusUpdate.auth" as string]: StatusUpdateJobAuth.All,
+        ownerGroup: undefined,
+      });
     } else {
       /**
        * authenticated users
        */
-
       // check if this user is part of the admin group
       if (
         user.currentGroups.some((g) => configuration().adminGroups.includes(g))
       ) {
         /**
          * authenticated users belonging to any of the group listed in ADMIN_GROUPS
          */
-
         // -------------------------------------
         // endpoint authorization
         can(AuthOp.JobRead, JobClass);
         can(AuthOp.JobCreate, JobClass);
         can(AuthOp.JobStatusUpdate, JobClass);
+        cannot(AuthOp.JobDelete, JobClass);
 
         // -------------------------------------
         // data instance authorization
         can(AuthOp.JobReadAny, JobClass);
         can(AuthOp.JobCreateAny, JobClass);
         can(AuthOp.JobStatusUpdateAny, JobClass);
+      } else if (
+        user.currentGroups.some((g) =>
+          configuration().deleteJobGroups.includes(g),
+        )
+      ) {
+        /**
+         * authenticated users belonging to any of the group listed in DELETE_JOB_GROUPS
+         */
+        // -------------------------------------
+        // endpoint authorization
+        can(AuthOp.JobDelete, JobClass);
+
+        // -------------------------------------
+        // data instance authorization
+        can(AuthOp.JobDeleteAny, JobClass);
       } else {
         const jobUserAuthorizationValues = [
           ...user.currentGroups.map((g) => "@" + g),
           user.username,
         ];
-
         if (
           user.currentGroups.some((g) =>
             configuration().createJobGroups.includes(g),
@@ -880,7 +900,7 @@ export class CaslAbilityFactory {
           ];
           const jobCreateInstanceAuthorizationValues = [
             ...Object.values(CreateJobAuth).filter(
-              (v) => ~String(v).includes("#dataset"),
+              (v) => !String(v).includes("#dataset"),
             ),
             ...jobUserAuthorizationValues,
           ];
@@ -889,13 +909,17 @@ export class CaslAbilityFactory {
               String(v).includes("#dataset"),
             ),
           ];
-
           // -------------------------------------
           // endpoint authorization
           can(AuthOp.JobRead, JobClass);
+
           if (
             configuration().jobConfiguration.some(
-              (j) => j.create.auth! in jobCreateEndPointAuthorizationValues,
+              (j) =>
+                j.create.auth &&
+                jobCreateEndPointAuthorizationValues.includes(
+                  j.create.auth as string,
+                ),
             )
           ) {
             can(AuthOp.JobCreate, JobClass);
@@ -907,6 +931,7 @@ export class CaslAbilityFactory {
             ownerGroup: { $in: user.currentGroups },
             ownerUser: user.username,
           });
+
           can(AuthOp.JobCreateConfiguration, JobClass, {
             ["configuration.create.auth" as string]: {
               $in: jobCreateInstanceAuthorizationValues,
@@ -919,6 +944,16 @@ export class CaslAbilityFactory {
             datasetsValidation: true,
           });
         }
+        const jobUpdateEndPointAuthorizationValues = [
+          ...Object.values(StatusUpdateJobAuth),
+          ...jobUserAuthorizationValues,
+        ];
+        const jobUpdateInstanceAuthorizationValues = [
+          ...Object.values(StatusUpdateJobAuth).filter(
+            (v) => !String(v).includes("#job"),
+          ),
+          ...jobUserAuthorizationValues,
+        ];
 
         if (
           user.currentGroups.some((g) =>
@@ -931,29 +966,27 @@ export class CaslAbilityFactory {
 
           // -------------------------------------
           // data instance authorization
+          can(AuthOp.JobStatusUpdateConfiguration, JobClass, {
+            ["configuration.statusUpdate.auth" as string]: {
+              $in: jobUpdateInstanceAuthorizationValues,
+            },
+          });
           can(AuthOp.JobStatusUpdateOwner, JobClass, {
             ownerUser: user.username,
           });
           can(AuthOp.JobStatusUpdateOwner, JobClass, {
             ownerGroup: { $in: user.currentGroups },
           });
         } else {
-          const jobUpdateEndPointAuthorizationValues = [
-            ...Object.values(StatusUpdateJobAuth),
-            ...jobUserAuthorizationValues,
-          ];
-          const jobUpdateInstanceAuthorizationValues = [
-            ...Object.values(StatusUpdateJobAuth).filter(
-              (v) => ~String(v).includes("#job"),
-            ),
-            ...jobUserAuthorizationValues,
-          ];
-
           // -------------------------------------
           // endpoint authorization
           if (
             configuration().jobConfiguration.some(
-              (j) => j.statusUpdate.auth! in jobUpdateEndPointAuthorizationValues,
+              (j) =>
+                j.statusUpdate.auth &&
+                jobUpdateEndPointAuthorizationValues.includes(
+                  j.statusUpdate.auth as string,
+                ),
             )
           ) {
             can(AuthOp.JobStatusUpdate, JobClass);
@@ -975,6 +1008,7 @@ export class CaslAbilityFactory {
             ownerGroup: { $in: user.currentGroups },
           });
         }
+        cannot(AuthOp.JobDelete, JobClass);
       }
     }
 

src/common/handlebars-helpers.ts

@@ -40,6 +40,7 @@ export const formatCamelCase = (camelCase: string): string => {
   return words;
 };
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
 export const jsonify = (context: any): string => {
   return JSON.stringify(context, null, 3);
 };

src/config/configuration.ts

@@ -1,4 +1,3 @@
-import { Logger } from "@nestjs/common";
 import {
   loadJobConfig,
   registerCreateAction,
@@ -31,6 +30,7 @@ const configuration = () => {
 
   const createJobGroups = process.env.CREATE_JOB_GROUPS || ("" as string);
   const statusUpdateJobGroups = process.env.UPDATE_JOB_GROUPS || ("" as string);
+  const deleteJobGroups = process.env.DELETE_JOB_GROUPS || ("" as string);
 
   const proposalGroups = process.env.PROPOSAL_GROUPS || ("" as string);
   const sampleGroups = process.env.SAMPLE_GROUPS || ("#all" as string);
@@ -44,7 +44,8 @@ const configuration = () => {
     process.env.OIDC_USERINFO_MAPPING_FIELD_USERNAME || ("" as string);
 
   const jobConfigurationFile =
-    process.env.JOB_CONFIGURATION_FILE || ("src/jobs/config/jobConfig.example.json" as string);
+    process.env.JOB_CONFIGURATION_FILE ||
+    ("src/jobs/config/jobConfig.example.json" as string);
 
   const defaultLogger = {
     type: "DefaultLogger",
@@ -109,6 +110,7 @@ const configuration = () => {
     datasetCreationValidationRegex: datasetCreationValidationRegex,
     createJobGroups: createJobGroups,
     statusUpdateJobGroups: statusUpdateJobGroups,
+    deleteJobGroups: deleteJobGroups,
     logoutURL: process.env.LOGOUT_URL ?? "", // Example: http://localhost:3000/
     accessGroupsGraphQlConfig: {
       enabled: boolean(process.env?.ACCESS_GROUPS_GRAPHQL_ENABLED || false),

src/jobs/actions/emailaction.ts

@@ -25,6 +25,7 @@ export class EmailJobAction<T> implements JobAction<T> {
     return EmailJobAction.actionType;
   }
 
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   constructor(data: Record<string, any>) {
     Logger.log(
       "Initializing EmailJobAction. Params: " + JSON.stringify(data),
@@ -69,6 +70,7 @@ export class EmailJobAction<T> implements JobAction<T> {
     );
 
     // Fill templates
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     const mail: any = {
       to: this.toTemplate(job),
       from: this.from,

src/jobs/actions/logaction.ts

@@ -22,6 +22,7 @@ export class LogJobAction<T> implements JobAction<T> {
     Logger.log("Performing job: " + JSON.stringify(job), "LogJobAction");
   }
 
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   constructor(data: Record<string, any>) {
     Logger.log(
       "Initializing LogJobAction. Params: " + JSON.stringify(data),

src/jobs/actions/rabbitmqaction.ts

@@ -3,7 +3,6 @@ import amqp, { Connection } from "amqplib/callback_api";
 import { JobAction } from "../config/jobconfig";
 import { JobClass } from "../schemas/job.schema";
 
-
 /**
  * Publish a message in a RabbitMQ queue
  */
@@ -12,6 +11,7 @@ export class RabbitMQJobAction<T> implements JobAction<T> {
   private connection;
   private binding;
 
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   constructor(data: Record<string, any>) {
     Logger.log(
       "Initializing RabbitMQJobAction. Params: " + JSON.stringify(data),
@@ -28,7 +28,7 @@ export class RabbitMQJobAction<T> implements JobAction<T> {
     this.binding = {
       exchange: data.exchange,
       queue: data.queue,
-      key: data.key
+      key: data.key,
     };
   }
 
@@ -42,14 +42,22 @@ export class RabbitMQJobAction<T> implements JobAction<T> {
       "RabbitMQJobAction",
     );
 
-    const connectionDetailsMissing = [undefined, ""].some(el => Object.values(this.connection).includes(el));
+    const connectionDetailsMissing = [undefined, ""].some((el) =>
+      Object.values(this.connection).includes(el),
+    );
     if (connectionDetailsMissing) {
-      throw new NotFoundException("RabbitMQ configuration is missing connection details.");
+      throw new NotFoundException(
+        "RabbitMQ configuration is missing connection details.",
+      );
     }
 
-    const bindingDetailsMissing = [undefined, ""].some(el => Object.values(this.binding).includes(el));
+    const bindingDetailsMissing = [undefined, ""].some((el) =>
+      Object.values(this.binding).includes(el),
+    );
     if (bindingDetailsMissing) {
-      throw new NotFoundException("RabbitMQ binding is missing exchange/queue/key details.");
+      throw new NotFoundException(
+        "RabbitMQ binding is missing exchange/queue/key details.",
+      );
     }
   }
 
@@ -59,33 +67,47 @@ export class RabbitMQJobAction<T> implements JobAction<T> {
       "RabbitMQJobAction",
     );
 
-    amqp.connect(this.connection, (connectionError: Error, connection: Connection) => {
-      if (connectionError) {
-        Logger.error(
-          "Connection error in RabbitMQJobAction: " + JSON.stringify(connectionError.message),
-          "RabbitMQJobAction",
-        );
-        return;
-      }
-
-      connection.createChannel((channelError: Error, channel) => {
-        if (channelError) {
+    amqp.connect(
+      this.connection,
+      (connectionError: Error, connection: Connection) => {
+        if (connectionError) {
           Logger.error(
-            "Channel error in RabbitMQJobAction: " + JSON.stringify(channelError.message),
+            "Connection error in RabbitMQJobAction: " +
+              JSON.stringify(connectionError.message),
             "RabbitMQJobAction",
           );
           return;
         }
 
-        channel.assertQueue(this.binding.queue, { durable: true });
-        channel.assertExchange(this.binding.exchange, "topic", { durable: true });
-        channel.bindQueue(this.binding.queue, this.binding.exchange, this.binding.key);
-        channel.sendToQueue(this.binding.queue, Buffer.from(JSON.stringify(job)));
+        connection.createChannel((channelError: Error, channel) => {
+          if (channelError) {
+            Logger.error(
+              "Channel error in RabbitMQJobAction: " +
+                JSON.stringify(channelError.message),
+              "RabbitMQJobAction",
+            );
+            return;
+          }
 
-        channel.close(() => {
-          connection.close();
+          channel.assertQueue(this.binding.queue, { durable: true });
+          channel.assertExchange(this.binding.exchange, "topic", {
+            durable: true,
+          });
+          channel.bindQueue(
+            this.binding.queue,
+            this.binding.exchange,
+            this.binding.key,
+          );
+          channel.sendToQueue(
+            this.binding.queue,
+            Buffer.from(JSON.stringify(job)),
+          );
+
+          channel.close(() => {
+            connection.close();
+          });
         });
-      });
-    });
+      },
+    );
   }
 }