Deletion security

dbf26968 · Luca Braun · d17dc5ab · dbf26968 · dbf26968 · dbf26968
Commit dbf26968 authored Jun 01, 2021 by Luca Braun
6 changed files
--- a/src/participation-hub/business-logic-microservice/app/configs/routes.yml
+++ b/src/participation-hub/business-logic-microservice/app/configs/routes.yml
@@ -5,7 +5,7 @@ paths:
  /use-cases:
    post:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.use_case.add"
      tags: 
        - "Use-Cases"
@@ -46,9 +46,18 @@ paths:
        - "Use-Cases"
      summary: "Delete all Use-Cases"
      description: "Delete all Use-Cases"
+      parameters:
+        - name: "confirmation"
+          desciption: "'yes' to confirm deletion"
+          in: "query"
+          required: true
+          schema:
+            type: "string"
      responses:
        '200':
          description: "Successful Request"
+        '403':
+          description: "Confirmation required"
  #####
  # TABLES
  #####
@@ -66,15 +75,24 @@ paths:
          description: "Successful Request"
    delete:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.tables.delete_all"
      tags:
        - "Tables"
      summary: "Delete all Tables"
      description: "Delete all Tables"
+      parameters:
+        - name: "confirmation"
+          desciption: "'yes' to confirm deletion"
+          in: "query"
+          required: true
+          schema:
+            type: "string"
      responses:
        '200':
          description: "Successful Request"
+        '403':
+          description: "Confirmation required"
  /use-cases/{use_case}/tables:
    get:
      security:
@@ -95,7 +113,7 @@ paths:
          description: "Successful Request"
    post:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.tables.add_complete"
      tags:
        - "Tables"
@@ -131,15 +149,23 @@ paths:
          description: "Name of the Use-Case the Table belongs to"
          required: true
          type: "string"
+        - name: "confirmation"
+          desciption: "'yes' to confirm deletion"
+          in: "query"
+          required: true
+          schema:
+            type: "string"
      responses:
        '200':
          description: "Successful Request"
        '400':
          description: "Table with the name already exists or missing fields in the request."
+        '403':
+          description: "Confirmation required"
  /use-cases/{use_case}/tables/{name}/mapping:
    put:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.tables.put_mapping"
      tags:
        - "Tables"
@@ -193,12 +219,21 @@ paths:
        - "Layers"
      summary: "Delete all Layers from the DB"
      description: "Delete all Layers from the DB"
+      parameters:
+        - name: "confirmation"
+          desciption: "'yes' to confirm deletion"
+          in: "query"
+          required: true
+          schema:
+            type: "string"
      responses:
        '200':
          description: "Successful Request"
+        '403':
+          description: "confirmation required"
    post:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.layer.add_complete"
      tags:
        - "Layers"
@@ -243,7 +278,7 @@ paths:
  /use-cases/{use_case}/tables/{table}/layers/{name}/cluster-mapping:
    put:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.layer.add_cluster_mapping"
      tags:
        - "Layers"
@@ -284,7 +319,7 @@ paths:
          description: "Field in request is missing or attribute does not exist in the Layer"
    delete:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.layer.delete_cluster_mapping"
      tags:
        - "Layers"
@@ -316,6 +351,12 @@ paths:
                type: string
                example: "end_time"
                description: "Internal name of the attribute"
+        - name: "confirmation"
+          desciption: "'yes' to confirm deletion"
+          in: "query"
+          required: true
+          schema:
+            type: "string"
      responses:
        '200':
          description: "Successful Request"
@@ -323,6 +364,8 @@ paths:
          description: "Layer does not exist"
        '400':
          description: "Field in request is missing or attribute does not exist in the Layer"
+        '403':
+          description: "Confirmation required"
  /use-cases/{use_case}/layers:
    get:
      security:
@@ -375,7 +418,7 @@ paths:
          description: "Layer does not exist"
    delete:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.layer.delete_one"
      tags:
        - "Layers"
@@ -397,15 +440,23 @@ paths:
          description: "Name of the Layer"
          required: true
          type: "string"
+        - name: "confirmation"
+          desciption: "'yes' to confirm deletion"
+          in: "query"
+          required: true
+          schema:
+            type: "string"
      responses:
        '200':
          description: "Successful Request"
        '404':
          description: "Layer does not exist"
+        '403':
+          description: "Confirmation required"
  /use-cases/{use_case}/layers/{name}/mapping:
    put:
      security:
-        - JwtRegular: []
+        - JwtAdmin: []
      operationId: "routes.layer.add_mapping"
      tags:
        - "Layers"
@@ -458,6 +509,12 @@ paths:
          required: true
          schema:
            $ref: '#/definitions/LayerMapping'
+        - name: "confirmation"
+          desciption: "'yes' to confirm deletion"
+          in: "query"
+          required: true
+          schema:
+            type: "string"
      responses:
        '200':
          description: "Successful Request"
@@ -465,6 +522,8 @@ paths:
          description: "Layer does not exist"
        '400':
          description: "Field in request is missing"
+        '403':
+          description: "Confirmation required"
 definitions:
  LayerMapping:

--- a/src/participation-hub/business-logic-microservice/app/routes/layer.py
+++ b/src/participation-hub/business-logic-microservice/app/routes/layer.py
@@ -16,10 +16,16 @@ def all():
    return [layer.to_serializable_dict() for layer in layer_repository.all()]
-def delete_all_layers():
+def delete_all_layers(confirmation: str):
    '''
    delete all layers from the DB
+    @params:
+        confirmation    - Required : "yes" to confirm deletion
    '''
+    if confirmation != "yes"
+        return Response(status=403)
    layer_repository.delete_all()
    return Response(status=200)
@@ -142,7 +148,7 @@ def one(use_case: str, table: str, name: str):
    return Response(status=200, response=json.dumps(layer.to_serializable_dict()))
-def delete_mapping(use_case: str, table: str, name: str):
+def delete_mapping(use_case: str, table: str, name: str, confirmation: str):
    '''
    delete a mapping from the layer identified by the internal representation
@@ -150,6 +156,7 @@ def delete_mapping(use_case: str, table: str, name: str):
        use_case    - Required : String-identifier for the Use-Case the Layer belongs to
        table       - Required : unique identifier of the Table the Layer belongs to
        name        - Required : unique identifier for the Layer
+        confirmation- Required : "yes" to confirm deletion
    '''
    use_case_repository.put(use_case)
@@ -206,7 +213,7 @@ def add_mapping(name: str, table: str, use_case: str):
    return Response(status=200)
-def delete_one(use_case: str, table: str, name: str):
+def delete_one(use_case: str, table: str, name: str, confirmation: str):
    '''
    delete a layer and all its mappings from the Db
@@ -214,8 +221,11 @@ def delete_one(use_case: str, table: str, name: str):
        use_case    - Required : String-identifier for the Use-Case the Layer belongs to
        table       - Required : unique identifier of the Table the Layer belongs to
        name        - Required : unique identifier for the Layer
+        confirmation- Required : "yes" to confirm deletion
    '''
+    if confirmation != "yes"
+        return Response(status=403)
    layer = layer_repository.one(name, use_case, table)
    if layer == None:

--- a/src/participation-hub/business-logic-microservice/app/routes/tables.py
+++ b/src/participation-hub/business-logic-microservice/app/routes/tables.py
@@ -51,10 +51,18 @@ def add_complete(use_case: str):
    return Response(status=200)
-def delete_all_for_use_case(use_case: str):
+def delete_all_for_use_case(use_case: str, confirmation: str):
+    if confirmation != "yes"
+        return Response(status=403)
    table_repository.delete_for_use_case(use_case)
    return Response(status=200)
 def delete_all():
+    if confirmation != "yes"
+        return Response(status=403)
    table_repository.delete_all()
    return Response(status=200)
\ No newline at end of file
--- a/src/participation-hub/business-logic-microservice/app/routes/use_case.py
+++ b/src/participation-hub/business-logic-microservice/app/routes/use_case.py
@@ -15,7 +15,11 @@ repository = Repository()
 def all():
    return [use_case.to_serializable_dict() for use_case in use_case_repository.all()]
-def delete_all():
+def delete_all(confirmation: str):
+    if confirmation != "yes"
+        return Response(status=403)
    use_case_repository.delete_all()
    repository.delete_all()
    table_repository.delete_all()

--- a/src/rest-gateway/app/routes/blockchain_trace.py
+++ b/src/rest-gateway/app/routes/blockchain_trace.py
@@ -17,4 +17,4 @@ def receive():
 def isBlockchainTraceValid(trace) -> bool:
    # different for every use case, no global schema
-    return 'ApplicationType' in trace 
+    return 'ApplicationType' in trace and 'docType' in trace
--- a/src/rest-gateway/app/routes/user.py
+++ b/src/rest-gateway/app/routes/user.py
@@ -52,7 +52,7 @@ def delete(username):
        return Response(status = 204)
    except ValueError as e:
-        # return 400 if the user already exists
+        # return 400 if the user does not exist
        return Response(status = 400, response=str(e))
 def add():