[OGUI-1580] add middleware for detector matching user role

Control/lib/api.js

@@ -20,7 +20,7 @@ const config = require('./config/configProvider.js');
 // middleware
 const {minimumRoleMiddleware} = require('./middleware/minimumRole.middleware.js');
 const {lockOwnershipMiddleware} = require('./middleware/lockOwnership.middleware.js');
-
+const { detectorOwnershipMiddleware } = require('./middleware/detectorOwnership.middleware.js');
 // controllers
 const {ConsulController} = require('./controllers/Consul.controller.js');
 const {EnvironmentController} = require('./controllers/Environment.controller.js');
@@ -191,6 +191,7 @@ module.exports.setup = (http, ws) => {
   http.get('/locks', lockController.getLocksStateHandler.bind(lockController));
   http.put('/locks/:action/:detectorId',
     minimumRoleMiddleware(Role.DETECTOR),
+    detectorOwnershipMiddleware,
     lockController.actionLockHandler.bind(lockController)
   );
   http.put('/locks/force/:action/:detectorId',

Control/lib/dtos/User.js

@@ -66,6 +66,15 @@ class User {
     return Boolean(accessList.includes('admin'));
   }
 
+  /**
+   * Checks if the given user can access the given detector
+   * @param {string} detectorId 
+   * @returns {Boolean}
+   */
+  belongsToDetector(detectorId) {
+    return Boolean(this._accessList.includes(`det-${detectorId}`));
+  }
+
   /**
    * Check if provided details of a user are the same as the current instance one;
    * @param {User} user - to compare to

Control/lib/middleware/detectorOwnership.middleware.js

@@ -0,0 +1,33 @@
+const {User} = require('../dtos/User');
+
+const {UnauthorizedAccessError} = require('./../errors/UnauthorizedAccessError.js');
+const {updateExpressResponseFromNativeError} = require('./../errors/updateExpressResponseFromNativeError.js');
+/**
+   * Middleware function to check detector ownership.
+   * Based on the session object, it checks if the user has ownership of the detector lock.
+   * @param {Request} req - Express Request object.
+   * @param {Response} res - Express Response object.
+   * @param {Function} next - Next middleware to call.
+   */
+const detectorOwnershipMiddleware = (req, res, next) => {
+  const { detectorId } = req.params;
+  const { name, username, personid, access } = req.session || {};
+
+  if (!detectorId || !access) {
+    updateExpressResponseFromNativeError(res, new UnauthorizedAccessError('Invalid request: missing information')); 
+  }
+
+  try {
+    const user = new User(username, name, personid, access);
+    if (!user.belongsToDetector(detectorId)) {
+      updateExpressResponseFromNativeError(res, 
+        new UnauthorizedAccessError(`User ${name} does not have ownership of the lock for detector ${detectorId}`));
+    }
+
+    next(); // Proceed if lock ownership is verified
+  } catch (error) {
+    updateExpressResponseFromNativeError(res, error);
+  }
+};
+
+exports.detectorOwnershipMiddleware = detectorOwnershipMiddleware;

Control/test/lib/middleware/mocha-detectorOwnership.middleware.test.js

@@ -0,0 +1,73 @@
+const assert = require('assert');
+const sinon = require('sinon');
+const express = require('express');
+const request = require('supertest');
+const { User } = require('../../../lib/dtos/User');
+const { detectorOwnershipMiddleware } = require('../../../lib/middleware/detectorOwnership.middleware');
+
+describe('`DetectorOwnerShipmiddleware` test suite', () => {
+  let userStub;
+
+  beforeEach(() => {
+    userStub = sinon.stub(User.prototype, 'belongsToDetector');
+  });
+
+  afterEach(() => {
+    userStub.restore();
+  });
+
+  it('should call next() if user has ownership of the detector', () => {
+    const detectorId = 'det-its';
+    const req = { params: { detectorId }, session: { personid: 0, name: 'testUser', access: ['det-its'] } };
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    userStub.returns(true);
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(next.calledOnce);
+  });
+
+  it('should return 403 if user does not have ownership of the detector', () => {
+    const detectorId = 'det-its';
+    const req = { params: { detectorId }, session: { personid: 0, name: 'testUser', access: [] } };
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    userStub.returns(false);
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(res.status.calledWith(403));
+    assert.ok(res.
+      json.calledWith({ message: `User testUser does not have ownership of the lock for detector ${detectorId}` }));
+    assert.ok(next.notCalled);
+  });
+
+  it('should call belongsToDetector method of User', () => {
+    const detectorId = 'det-its';
+    const req = { params: { detectorId }, session: { personid: 0, name: 'testUser', access: ['det-its'] } };
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    userStub.returns(true);
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(userStub.calledOnceWith(detectorId));
+  });
+
+  it('should handle empty session object gracefully', () => {
+    const detectorId = '1234';
+    const req = { params: { detectorId }, session: {} }; // Empty session object
+    const res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
+    const next = sinon.stub();
+
+    detectorOwnershipMiddleware(req, res, next);
+
+    assert.ok(res.status.calledWith(400));
+    assert.ok(res.json.calledWith({ message: 'Invalid request: missing information' }));
+    assert.ok(next.notCalled);
+  });
+});