Transferring service and controller vulnerabilities to cosv (#2894)

* Transferring service and controller vulnerabilities to cosv

Author: Cheshiriks

save-backend/src/main/kotlin/com/saveourtool/save/backend/service/BackendForCosvService.kt

@@ -3,6 +3,7 @@ package com.saveourtool.save.backend.service
 import com.saveourtool.save.backend.configs.ConfigProperties
 import com.saveourtool.save.backend.security.OrganizationPermissionEvaluator
 import com.saveourtool.save.backend.security.UserPermissionEvaluator
+import com.saveourtool.save.domain.Role
 import com.saveourtool.save.entities.Organization
 import com.saveourtool.save.entities.User
 import com.saveourtool.save.entities.cosv.LnkVulnerabilityMetadataTag
@@ -15,12 +16,14 @@ import java.nio.file.Path
  * Service for [IBackendService] to get required info for COSV from backend
  */
 @Service
+@Suppress("LongParameterList")
 class BackendForCosvService(
     private val organizationService: OrganizationService,
     private val userDetailsService: UserDetailsService,
     private val userPermissionEvaluator: UserPermissionEvaluator,
     private val organizationPermissionEvaluator: OrganizationPermissionEvaluator,
     private val tagService: TagService,
+    private val lnkUserOrganizationService: LnkUserOrganizationService,
     configProperties: ConfigProperties,
 ) : IBackendService {
     override val workingDir: Path = configProperties.workingDir
@@ -48,4 +51,19 @@ class BackendForCosvService(
         identifier: String,
         tagName: Set<String>
     ): List<LnkVulnerabilityMetadataTag>? = tagService.addVulnerabilityTags(identifier, tagName)
+
+    override fun addVulnerabilityTag(
+        identifier: String,
+        tagName: String
+    ): LnkVulnerabilityMetadataTag = tagService.addVulnerabilityTag(identifier, tagName)
+
+    override fun deleteVulnerabilityTag(
+        identifier: String,
+        tagName: String
+    ) = tagService.deleteVulnerabilityTag(identifier, tagName)
+
+    override fun getGlobalRoleOrOrganizationRole(
+        authentication: Authentication,
+        organizationName: String,
+    ): Role = lnkUserOrganizationService.getGlobalRoleOrOrganizationRole(authentication, organizationName)
 }

save-backend/src/test/kotlin/com/saveourtool/save/backend/controller/OrganizationControllerTest.kt

@@ -4,6 +4,8 @@ import com.saveourtool.save.authservice.config.NoopWebSecurityConfig
 import com.saveourtool.save.backend.configs.WebConfig
 import com.saveourtool.save.backend.controllers.OrganizationController
 import com.saveourtool.save.backend.repository.*
+import com.saveourtool.save.backend.repository.OrganizationRepository
+import com.saveourtool.save.backend.repository.UserRepository
 import com.saveourtool.save.backend.security.OrganizationPermissionEvaluator
 import com.saveourtool.save.backend.security.ProjectPermissionEvaluator
 import com.saveourtool.save.backend.service.*

save-cosv/build.gradle.kts

@@ -6,6 +6,7 @@ plugins {
 }
 
 dependencies {
+    implementation(projects.authenticationService)
     api(projects.saveCloudCommon)
     api(libs.cosv4k)
     implementation(libs.spring.security.core)

save-cosv/src/main/kotlin/com/saveourtool/save/backend/service/IBackendService.kt

@@ -2,6 +2,7 @@
 
 package com.saveourtool.save.backend.service
 
+import com.saveourtool.save.domain.Role
 import com.saveourtool.save.entities.Organization
 import com.saveourtool.save.entities.User
 import com.saveourtool.save.entities.cosv.LnkVulnerabilityMetadataTag
@@ -67,11 +68,40 @@ interface IBackendService {
 
     /**
      * @param identifier [com.saveourtool.save.entities.cosv.VulnerabilityMetadata.identifier]
-     * @param tagName tag to add
+     * @param tagName tags to add
      * @return new [LnkVulnerabilityMetadataTag]
      */
     fun addVulnerabilityTags(
         identifier: String,
         tagName: Set<String>
     ): List<LnkVulnerabilityMetadataTag>?
+
+    /**
+     * @param identifier [com.saveourtool.save.entities.cosv.VulnerabilityMetadata.identifier]
+     * @param tagName tag to add
+     * @return new [LnkVulnerabilityMetadataTag]
+     */
+    fun addVulnerabilityTag(
+        identifier: String,
+        tagName: String
+    ): LnkVulnerabilityMetadataTag
+
+    /**
+     * @param identifier [com.saveourtool.save.entities.cosv.VulnerabilityMetadata.identifier]
+     * @param tagName tag to delete
+     */
+    fun deleteVulnerabilityTag(
+        identifier: String,
+        tagName: String
+    )
+
+    /**
+     * @param authentication
+     * @param organizationName
+     * @return the highest of two roles: the one in organization with name [organizationName] and global one.
+     */
+    fun getGlobalRoleOrOrganizationRole(
+        authentication: Authentication,
+        organizationName: String,
+    ): Role
 }

…vulnerability/VulnerabilityController.kt …v/controllers/VulnerabilityController.ktsave-backend/src/main/kotlin/com/saveourtool/save/backend/controllers/vulnerability/VulnerabilityController.kt renamed to save-cosv/src/main/kotlin/com/saveourtool/save/cosv/controllers/VulnerabilityController.kt save-backend/src/main/kotlin/com/saveourtool/save/backend/controllers/vulnerability/VulnerabilityController.kt renamed to save-cosv/src/main/kotlin/com/saveourtool/save/cosv/controllers/VulnerabilityController.kt

@@ -1,17 +1,20 @@
-package com.saveourtool.save.backend.controllers.vulnerability
+package com.saveourtool.save.cosv.controllers
 
 import com.saveourtool.save.authservice.utils.username
-import com.saveourtool.save.backend.security.VulnerabilityPermissionEvaluator
-import com.saveourtool.save.backend.service.LnkUserOrganizationService
-import com.saveourtool.save.backend.service.vulnerability.VulnerabilityService
-import com.saveourtool.save.backend.utils.hasRole
+import com.saveourtool.save.backend.service.IBackendService
 import com.saveourtool.save.configs.ApiSwaggerSupport
 import com.saveourtool.save.configs.RequiresAuthorizationSourceHeader
+import com.saveourtool.save.cosv.security.VulnerabilityPermissionEvaluator
 import com.saveourtool.save.cosv.service.CosvService
+import com.saveourtool.save.cosv.service.VulnerabilityMetadataDtoList
+import com.saveourtool.save.cosv.service.VulnerabilityService
+import com.saveourtool.save.cosv.utils.hasRole
 import com.saveourtool.save.domain.Role
 import com.saveourtool.save.entities.cosv.VulnerabilityExt
 import com.saveourtool.save.entities.cosv.VulnerabilityMetadataDto
-import com.saveourtool.save.entities.vulnerability.*
+import com.saveourtool.save.entities.vulnerability.VulnerabilityDateDto
+import com.saveourtool.save.entities.vulnerability.VulnerabilityProjectDto
+import com.saveourtool.save.entities.vulnerability.VulnerabilityStatus
 import com.saveourtool.save.filters.VulnerabilityFilter
 import com.saveourtool.save.info.UserInfo
 import com.saveourtool.save.permission.Permission
@@ -33,8 +36,6 @@ import reactor.core.publisher.Flux
 import reactor.core.publisher.Mono
 import reactor.kotlin.core.publisher.toMono
 
-typealias VulnerabilityMetadataDtoList = List<VulnerabilityMetadataDto>
-
 /**
  * Controller for working with vulnerabilities.
  */
@@ -48,7 +49,7 @@ class VulnerabilityController(
     private val vulnerabilityService: VulnerabilityService,
     private val vulnerabilityPermissionEvaluator: VulnerabilityPermissionEvaluator,
     private val cosvService: CosvService,
-    private val lnkUserOrganizationService: LnkUserOrganizationService,
+    private val backendService: IBackendService,
 ) {
     @PostMapping("/by-filter")
     @Operation(
@@ -96,7 +97,7 @@ class VulnerabilityController(
         if (!isPublicVulnerabilities && authentication != null) {
             val isSuperAdmin = authentication.hasRole(Role.SUPER_ADMIN)
             val isOwner = filter.authorName?.let { it == authentication.username() } ?: false
-            val roleInOrganization = filter.organizationName?.let { lnkUserOrganizationService.getGlobalRoleOrOrganizationRole(authentication, it) }
+            val roleInOrganization = filter.organizationName?.let { backendService.getGlobalRoleOrOrganizationRole(authentication, it) }
             val isAdminInOrganization = roleInOrganization?.isHigherOrEqualThan(Role.ADMIN) ?: false
 
             val isHasAdditionalRights = isSuperAdmin || isOwner || isAdminInOrganization
@@ -386,5 +387,5 @@ class VulnerabilityController(
         .switchIfEmptyToResponseException(HttpStatus.FORBIDDEN) { "Permissions required for comment deletion were not granted." }
         .flatMap { blockingToMono { vulnerabilityService.deleteUser(userName, it) } }
         .switchIfEmptyToNotFound { "Could not find user." }
-        .map { StringResponse.ok("Successfully deleted user from vulnerability.") }
+        .map { ResponseEntity.ok("Successfully deleted user from vulnerability.") }
 }

save-cosv/src/main/kotlin/com/saveourtool/save/cosv/repository/OrganizationRepository.kt

@@ -0,0 +1,36 @@
+package com.saveourtool.save.cosv.repository
+
+import com.saveourtool.save.entities.Organization
+import org.springframework.data.jpa.repository.Query
+import org.springframework.data.repository.query.Param
+import org.springframework.stereotype.Repository
+
+/**
+ * The repository of organization entities
+ */
+@Repository
+interface OrganizationRepository {
+    /**
+     * @param organizationName organization name for update
+     * @param rating new organization rating
+     * @return updated organization
+     */
+    @Query(
+        value = "update save_cloud.organization o set o.rating = :rating where o.name = :organization_name",
+        nativeQuery = true,
+    )
+    fun updateOrganization(
+        @Param("organization_name") organizationName: String,
+        @Param("rating") rating: Long,
+    )
+
+    /**
+     * @param name name of organization
+     * @return found [Organization] by name
+     */
+    @Query(
+        value = "select * from save_cloud.organization where name = :name",
+        nativeQuery = true,
+    )
+    fun getOrganizationByName(@Param("name") name: String): Organization
+}

save-cosv/src/main/kotlin/com/saveourtool/save/cosv/repository/TagRepository.kt

@@ -0,0 +1,40 @@
+package com.saveourtool.save.cosv.repository
+
+import com.saveourtool.save.entities.Tag
+import org.springframework.data.jpa.repository.Modifying
+import org.springframework.data.jpa.repository.Query
+import org.springframework.data.repository.query.Param
+import org.springframework.stereotype.Repository
+import org.springframework.transaction.annotation.Transactional
+
+/**
+ * The repository of tag entities.
+ */
+@Repository
+interface TagRepository {
+    /**
+     * Find [Tag] by its [Tag.name]
+     *
+     * @param name tag name
+     * @return [Tag] if found, null otherwise
+     */
+    @Query(
+        value = "select * from save_cloud.tag t where t.name = :name",
+        nativeQuery = true,
+    )
+    fun findByName(@Param("name") name: String): Tag?
+
+    /**
+     * @param name name of tag
+     * @return save tag
+     */
+    @Transactional
+    @Modifying
+    @Query(
+        value = "insert into save_cloud.tag (name) values (:name)",
+        nativeQuery = true,
+    )
+    fun saveTag(
+        @Param("name") name: String,
+    )
+}

save-cosv/src/main/kotlin/com/saveourtool/save/cosv/repository/UserRepository.kt

@@ -0,0 +1,36 @@
+package com.saveourtool.save.cosv.repository
+
+import com.saveourtool.save.entities.User
+import org.springframework.data.jpa.repository.Query
+import org.springframework.data.repository.query.Param
+import org.springframework.stereotype.Repository
+
+/**
+ * Repository to access data about users
+ */
+@Repository
+interface UserRepository {
+    /**
+     * @param userName user name for update
+     * @param rating new user rating
+     * @return updated user
+     */
+    @Query(
+        value = "update save_cloud.user u set u.rating = :rating where u.name = :user_name",
+        nativeQuery = true,
+    )
+    fun updateUser(
+        @Param("user_name") userName: String,
+        @Param("rating") rating: Long,
+    )
+
+    /**
+     * @param name name of organization
+     * @return found [User] by name
+     */
+    @Query(
+        value = "select * from save_cloud.user where name = :name",
+        nativeQuery = true,
+    )
+    fun getUserByName(@Param("name") name: String): User
+}

…rity/VulnerabilityPermissionEvaluator.kt …rity/VulnerabilityPermissionEvaluator.ktsave-backend/src/main/kotlin/com/saveourtool/save/backend/security/VulnerabilityPermissionEvaluator.kt renamed to save-cosv/src/main/kotlin/com/saveourtool/save/cosv/security/VulnerabilityPermissionEvaluator.kt save-backend/src/main/kotlin/com/saveourtool/save/backend/security/VulnerabilityPermissionEvaluator.kt renamed to save-cosv/src/main/kotlin/com/saveourtool/save/cosv/security/VulnerabilityPermissionEvaluator.kt

@@ -1,7 +1,7 @@
-package com.saveourtool.save.backend.security
+package com.saveourtool.save.cosv.security
 
-import com.saveourtool.save.backend.service.vulnerability.VulnerabilityService
-import com.saveourtool.save.backend.utils.hasRole
+import com.saveourtool.save.cosv.service.VulnerabilityService
+import com.saveourtool.save.cosv.utils.hasRole
 import com.saveourtool.save.domain.Role
 import com.saveourtool.save.entities.cosv.VulnerabilityMetadataDto
 import com.saveourtool.save.entities.vulnerability.VulnerabilityStatus

save-cosv/src/main/kotlin/com/saveourtool/save/cosv/service/OrganizationService.kt

@@ -0,0 +1,23 @@
+package com.saveourtool.save.cosv.service
+
+import com.saveourtool.save.cosv.repository.OrganizationRepository
+import com.saveourtool.save.entities.Organization
+
+/**
+ * Service for organization
+ */
+class OrganizationService(
+    private val organizationRepository: OrganizationRepository,
+) {
+    /**
+     * @param organization organization for update
+     * @return updated organization
+     */
+    fun saveUser(organization: Organization) = organizationRepository.updateOrganization(organization.name, organization.rating)
+
+    /**
+     * @param name
+     * @return organization with [name]
+     */
+    fun getOrganizationByName(name: String): Organization = organizationRepository.getOrganizationByName(name)
+}