Refactor backend for getting signed url

2025-06-07 18:44:08 +00:00 · 2024-08-28 18:00:20 +02:00 · 2024-08-28 18:00:20 +02:00 · 00cc3b7806
commit 00cc3b7806
parent 7ab52ff09e
7 changed files with 345 additions and 135 deletions
--- a/src/Bundle/ChillDocStoreBundle/AsyncUpload/Driver/OpenstackObjectStore/TempUrlOpenstackGenerator.php
+++ b/src/Bundle/ChillDocStoreBundle/AsyncUpload/Driver/OpenstackObjectStore/TempUrlOpenstackGenerator.php
@ -58,6 +58,7 @@ final readonly class TempUrlOpenstackGenerator implements TempUrlGeneratorInterf
        ?int $expire_delay = null,
        ?int $submit_delay = null,
        int $max_file_count = 1,
        ?string $object_name = null,
    ): SignedUrlPost {
        $delay = $expire_delay ?? $this->max_expire_delay;
        $submit_delay ??= $this->max_submit_delay;
@ -84,7 +85,9 @@ final readonly class TempUrlOpenstackGenerator implements TempUrlGeneratorInterf
        $expires = $this->clock->now()->add(new \DateInterval('PT'.(string) $delay.'S'));
        if (null === $object_name) {
            $object_name = $this->generateObjectName();
        }
        $g = new SignedUrlPost(
            $url = $this->generateUrl($object_name),
--- a/src/Bundle/ChillDocStoreBundle/AsyncUpload/TempUrlGeneratorInterface.php
+++ b/src/Bundle/ChillDocStoreBundle/AsyncUpload/TempUrlGeneratorInterface.php
@ -16,7 +16,8 @@ interface TempUrlGeneratorInterface
    public function generatePost(
        ?int $expire_delay = null,
        ?int $submit_delay = null,
-        int $max_file_count = 1
+        int $max_file_count = 1,
        ?string $object_name = null,
    ): SignedUrlPost;
    public function generate(string $method, string $object_name, ?int $expire_delay = null): SignedUrl;
--- a/src/Bundle/ChillDocStoreBundle/Controller/AsyncUploadController.php
+++ b/src/Bundle/ChillDocStoreBundle/Controller/AsyncUploadController.php
@ -11,9 +11,10 @@ declare(strict_types=1);
 namespace Chill\DocStoreBundle\Controller;
 use Chill\DocStoreBundle\AsyncUpload\Exception\TempUrlGeneratorException;
 use Chill\DocStoreBundle\AsyncUpload\TempUrlGeneratorInterface;
-use Chill\DocStoreBundle\Security\Authorization\AsyncUploadVoter;
+use Chill\DocStoreBundle\Entity\StoredObject;
 use Chill\DocStoreBundle\Entity\StoredObjectVersion;
 use Chill\DocStoreBundle\Security\Authorization\StoredObjectRoleEnum;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@ -30,63 +31,78 @@ final readonly class AsyncUploadController
        private TempUrlGeneratorInterface $tempUrlGenerator,
        private SerializerInterface $serializer,
        private Security $security,
-        private LoggerInterface $logger,
+        private LoggerInterface $chillLogger,
    ) {}
-    #[Route(path: '/asyncupload/temp_url/generate/{method}', name: 'async_upload.generate_url')]
+    #[Route(path: '/api/1.0/doc-store/async-upload/temp_url/{uuid}/generate/post', name: 'chill_docstore_asyncupload_getsignedurlpost')]
-    public function getSignedUrl(string $method, Request $request): JsonResponse
+    public function getSignedUrlPost(Request $request, StoredObject $storedObject): JsonResponse
    {
-        try {
+        if (!$this->security->isGranted(StoredObjectRoleEnum::EDIT->value, $storedObject)) {
-            switch (strtolower($method)) {
+            throw new AccessDeniedHttpException('not able to edit the given stored object');
-                case 'post':
+        }
        // we create a dummy version, to generate a filename
        $version = $storedObject->registerVersion();
        $p = $this->tempUrlGenerator
            ->generatePost(
                $request->query->has('expires_delay') ? $request->query->getInt('expires_delay') : null,
-                            $request->query->has('submit_delay') ? $request->query->getInt('submit_delay') : null
+                $request->query->has('submit_delay') ? $request->query->getInt('submit_delay') : null,
-                        )
+                object_name: $version->getFilename()
                    ;
                    break;
                case 'get':
                case 'head':
                    $object_name = $request->query->get('object_name', null);
                    if (null === $object_name) {
                        return (new JsonResponse((object) [
                            'message' => 'the object_name is null',
                        ]))
                            ->setStatusCode(JsonResponse::HTTP_BAD_REQUEST);
                    }
                    $p = $this->tempUrlGenerator->generate(
                        $method,
                        $object_name,
                        $request->query->has('expires_delay') ? $request->query->getInt('expires_delay') : null
            );
-                    break;
+
-                default:
+        $this->chillLogger->notice('[Privacy Event] a request to upload a document has been generated', [
-                    return (new JsonResponse((object) ['message' => 'the method '
+            'doc_uuid' => $storedObject->getUuid(),
                        ."{$method} is not valid"]))
                        ->setStatusCode(JsonResponse::HTTP_BAD_REQUEST);
            }
        } catch (TempUrlGeneratorException $e) {
            $this->logger->warning('The client requested a temp url'
                .' which sparkle an error.', [
                    'message' => $e->getMessage(),
                    'expire_delay' => $request->query->getInt('expire_delay', 0),
                    'file_count' => $request->query->getInt('file_count', 1),
                    'method' => $method,
        ]);
-            $p = new \stdClass();
+        return new JsonResponse(
-            $p->message = $e->getMessage();
+            $this->serializer->serialize($p, 'json', [AbstractNormalizer::GROUPS => ['read']]),
-            $p->status = JsonResponse::HTTP_BAD_REQUEST;
+            Response::HTTP_OK,
-
+            [],
-            return new JsonResponse($p, JsonResponse::HTTP_BAD_REQUEST);
+            true
        );
    }
-        if (!$this->security->isGranted(AsyncUploadVoter::GENERATE_SIGNATURE, $p)) {
+    #[Route(path: '/api/1.0/doc-store/async-upload/temp_url/{uuid}/generate/{method}', name: 'chill_docstore_asyncupload_getsignedurlget', requirements: ['method' => 'get|head'])]
-            throw new AccessDeniedHttpException('not allowed to generate this signature');
+    public function getSignedUrlGet(Request $request, StoredObject $storedObject, string $method): JsonResponse
    {
        if (!$this->security->isGranted(StoredObjectRoleEnum::SEE->value, $storedObject)) {
            throw new AccessDeniedHttpException('not able to read the given stored object');
        }
        // we really want to be sure that there are no other method than get or head:
        if (!in_array($method, ['get', 'head'], true)) {
            throw new AccessDeniedHttpException('Only methods get and head are allowed');
        }
        if ($request->query->has('version')) {
            $filename = $request->query->get('version');
            $storedObjectVersion = $storedObject->getVersions()->findFirst(fn(int $index, StoredObjectVersion $version): bool => $version->getFilename() === $filename);
            if (null === $storedObjectVersion) {
                // we are here in the case where the version is not stored into the database
                // as the version is prefixed by the stored object prefix, we just have to check that this prefix
                // is the same. It means that the user had previously the permission to "SEE_AND_EDIT" this stored
                // object with same prefix that we checked before
                if (!str_starts_with($filename, $storedObject->getPrefix())) {
                    throw new AccessDeniedHttpException('not able to match the version with the same filename');
                }
            }
        } else {
            $filename = $storedObject->getCurrentVersion()->getFilename();
        }
        $p = $this->tempUrlGenerator->generate(
            $method,
            $filename,
            $request->query->has('expires_delay') ? $request->query->getInt('expires_delay') : null
        );
        $this->chillLogger->notice('[Privacy Event] a request to see a document has been granted', [
            'doc_uuid' => $storedObject->getUuid(),
        ]);
        return new JsonResponse(
            $this->serializer->serialize($p, 'json', [AbstractNormalizer::GROUPS => ['read']]),
            Response::HTTP_OK,
--- a/src/Bundle/ChillDocStoreBundle/Entity/StoredObject.php
+++ b/src/Bundle/ChillDocStoreBundle/Entity/StoredObject.php
@ -41,6 +41,7 @@ use Symfony\Component\Serializer\Annotation as Serializer;
 class StoredObject implements Document, TrackCreationInterface
 {
    use TrackCreationTrait;
    final public const STATUS_EMPTY = 'empty';
    final public const STATUS_READY = 'ready';
    final public const STATUS_PENDING = 'pending';
    final public const STATUS_FAILURE = 'failure';
@ -98,7 +99,7 @@ class StoredObject implements Document, TrackCreationInterface
     */
    public function __construct(
        #[ORM\Column(type: \Doctrine\DBAL\Types\Types::TEXT, options: ['default' => 'ready'])]
-        private string $status = 'ready'
+        private string $status = 'empty'
    ) {
        $this->uuid = Uuid::uuid4();
        $this->versions = new ArrayCollection();
@ -330,6 +331,10 @@ class StoredObject implements Document, TrackCreationInterface
        $this->versions->add($version);
        if ('empty' === $this->status) {
            $this->status = self::STATUS_READY;
        }
        return $version;
    }
--- a/src/Bundle/ChillDocStoreBundle/Resources/public/types.ts
+++ b/src/Bundle/ChillDocStoreBundle/Resources/public/types.ts
@ -1,6 +1,6 @@
 import {DateTime} from "../../../ChillMainBundle/Resources/public/types";
-export type StoredObjectStatus = "ready"|"failure"|"pending";
+export type StoredObjectStatus = "empty"|"ready"|"failure"|"pending";
 export interface StoredObject {
    id: number,
--- a/src/Bundle/ChillDocStoreBundle/Tests/Controller/AsyncUploadControllerTest.php
+++ b/src/Bundle/ChillDocStoreBundle/Tests/Controller/AsyncUploadControllerTest.php
@ -15,7 +15,7 @@ use Chill\DocStoreBundle\AsyncUpload\SignedUrl;
 use Chill\DocStoreBundle\AsyncUpload\SignedUrlPost;
 use Chill\DocStoreBundle\AsyncUpload\TempUrlGeneratorInterface;
 use Chill\DocStoreBundle\Controller\AsyncUploadController;
-use Chill\DocStoreBundle\Security\Authorization\AsyncUploadVoter;
+use Chill\DocStoreBundle\Entity\StoredObject;
 use PHPUnit\Framework\TestCase;
 use Prophecy\Argument;
 use Prophecy\PhpUnit\ProphecyTrait;
@ -34,46 +34,165 @@ class AsyncUploadControllerTest extends TestCase
 {
    use ProphecyTrait;
-    public function testGenerateWhenUserIsNotGranted(): void
+    public function testGetSignedUrlPost(): void
    {
-        $this->expectException(AccessDeniedHttpException::class);
+        $storedObject = new StoredObject();
-        $controller = $this->buildAsyncUploadController(false);
+        $security = $this->prophesize(Security::class);
        $security->isGranted('SEE_AND_EDIT', $storedObject)->willReturn(true)->shouldBeCalled();
-        $controller->getSignedUrl('POST', new Request());
+        $controller = new AsyncUploadController(
-    }
+            $this->buildTempUrlGenerator(),
            $this->buildSerializer(),
            $security->reveal(),
            new NullLogger(),
        );
-    public function testGeneratePost(): void
+        $actual = $controller->getSignedUrlPost(new Request(query: ['expires_delay' => 10, 'submit_delay' => 1800]), $storedObject);
    {
        $controller = $this->buildAsyncUploadController(true);
        $actual = $controller->getSignedUrl('POST', new Request());
        $decodedActual = json_decode($actual->getContent(), true, JSON_THROW_ON_ERROR, JSON_THROW_ON_ERROR);
        self::assertArrayHasKey('method', $decodedActual);
        self::assertEquals('POST', $decodedActual['method']);
    }
-    public function testGenerateGet(): void
+    public function testGetSignedUrlGetSimpleScenarioHappy(): void
    {
-        $controller = $this->buildAsyncUploadController(true);
+        $storedObject = new StoredObject();
        $storedObject->registerVersion();
        $security = $this->prophesize(Security::class);
        $security->isGranted('SEE', $storedObject)->willReturn(true)->shouldBeCalled();
        $controller = new AsyncUploadController(
            $this->buildTempUrlGenerator(),
            $this->buildSerializer(),
            $security->reveal(),
            new NullLogger(),
        );
        $actual = $controller->getSignedUrlGet(new Request(query: ['expires_delay' => 10, 'submit_delay' => 1800]), $storedObject, 'get');
        $actual = $controller->getSignedUrl('GET', new Request(['object_name' => 'abc']));
        $decodedActual = json_decode($actual->getContent(), true, JSON_THROW_ON_ERROR, JSON_THROW_ON_ERROR);
        self::assertArrayHasKey('method', $decodedActual);
        self::assertEquals('GET', $decodedActual['method']);
    }
-    private function buildAsyncUploadController(
+    public function testGetSignedUrlGetSimpleScenarioNotAuthorized(): void
-        bool $isGranted,
+    {
-    ): AsyncUploadController {
+        $this->expectException(AccessDeniedHttpException::class);
-        $tempUrlGenerator = new class () implements TempUrlGeneratorInterface {
+
-            public function generatePost(?int $expire_delay = null, ?int $submit_delay = null, int $max_file_count = 1): SignedUrlPost
+        $storedObject = new StoredObject();
        $storedObject->registerVersion();
        $security = $this->prophesize(Security::class);
        $security->isGranted('SEE', $storedObject)->willReturn(false)->shouldBeCalled();
        $controller = new AsyncUploadController(
            $this->buildTempUrlGenerator(),
            $this->buildSerializer(),
            $security->reveal(),
            new NullLogger(),
        );
        $controller->getSignedUrlGet(new Request(query: ['expires_delay' => 10, 'submit_delay' => 1800]), $storedObject, 'get');
    }
    public function testGetSignedUrlGetForSpecificVersionOfTheStoredObjectStoredInDatabase(): void
    {
        $storedObject = new StoredObject();
        $version = $storedObject->registerVersion();
        // we add a version to be sure that the we do not get the last one
        $storedObject->registerVersion();
        $security = $this->prophesize(Security::class);
        $security->isGranted('SEE', $storedObject)->willReturn(true)->shouldBeCalled();
        $controller = new AsyncUploadController(
            $this->buildTempUrlGenerator(),
            $this->buildSerializer(),
            $security->reveal(),
            new NullLogger(),
        );
        $actual = $controller->getSignedUrlGet(
            new Request(query: ['expires_delay' => 10, 'submit_delay' => 1800, 'version' => $version->getFilename()]),
            $storedObject,
            'get'
        );
        $decodedActual = json_decode($actual->getContent(), true, JSON_THROW_ON_ERROR, JSON_THROW_ON_ERROR);
        self::assertArrayHasKey('method', $decodedActual);
        self::assertEquals('GET', $decodedActual['method']);
        self::assertArrayHasKey('object_name', $decodedActual);
        self::assertEquals($version->getFilename(), $decodedActual['object_name']);
    }
    public function testGetSignedUrlGetForSpecificVersionOfTheStoredObjectNotYetStoredInDatabase(): void
    {
        $storedObject = new StoredObject();
        $storedObject->registerVersion();
        // we generate a valid name
        $version = $storedObject->getPrefix().'/some-version';
        $security = $this->prophesize(Security::class);
        $security->isGranted('SEE', $storedObject)->willReturn(true)->shouldBeCalled();
        $controller = new AsyncUploadController(
            $this->buildTempUrlGenerator(),
            $this->buildSerializer(),
            $security->reveal(),
            new NullLogger(),
        );
        $actual = $controller->getSignedUrlGet(
            new Request(query: ['expires_delay' => 10, 'submit_delay' => 1800, 'version' => $version]),
            $storedObject,
            'get'
        );
        $decodedActual = json_decode($actual->getContent(), true, JSON_THROW_ON_ERROR, JSON_THROW_ON_ERROR);
        self::assertArrayHasKey('method', $decodedActual);
        self::assertEquals('GET', $decodedActual['method']);
        self::assertArrayHasKey('object_name', $decodedActual);
        self::assertEquals($version, $decodedActual['object_name']);
    }
    public function testGetSignedUrlGetForSpecificVersionNotBelongingToTheStoreObject(): void
    {
        $this->expectException(AccessDeniedHttpException::class);
        $storedObject = new StoredObject();
        $storedObject->registerVersion();
        // we generate a random version
        $version = 'something/else';
        $security = $this->prophesize(Security::class);
        $security->isGranted('SEE', $storedObject)->willReturn(true)->shouldBeCalled();
        $controller = new AsyncUploadController(
            $this->buildTempUrlGenerator(),
            $this->buildSerializer(),
            $security->reveal(),
            new NullLogger(),
        );
        $controller->getSignedUrlGet(
            new Request(query: ['expires_delay' => 10, 'submit_delay' => 1800, 'version' => $version]),
            $storedObject,
            'get'
        );
    }
    public function buildTempUrlGenerator(): TempUrlGeneratorInterface
    {
        return new class () implements TempUrlGeneratorInterface {
            public function generatePost(?int $expire_delay = null, ?int $submit_delay = null, int $max_file_count = 1, ?string $object_name = null): SignedUrlPost
            {
                return new SignedUrlPost(
                    'https://object.store.example',
                    new \DateTimeImmutable('1 hour'),
-                    'abc',
+                    $object_name ?? 'abc',
                    150,
                    1,
                    1800,
@ -86,27 +205,25 @@ class AsyncUploadControllerTest extends TestCase
            public function generate(string $method, string $object_name, ?int $expire_delay = null): SignedUrl
            {
                return new SignedUrl(
-                    $method,
+                    strtoupper($method),
                    'https://object.store.example',
                    new \DateTimeImmutable('1 hour'),
                    $object_name
                );
            }
        };
    }
    private function buildSerializer(): SerializerInterface
    {
        $serializer = $this->prophesize(SerializerInterface::class);
        $serializer->serialize(Argument::type(SignedUrl::class), 'json', Argument::type('array'))
-            ->will(fn (array $args): string => json_encode(['method' => $args[0]->method], JSON_THROW_ON_ERROR, 3));
+            ->will(fn (array $args): string => json_encode(
                ['method' => $args[0]->method, 'object_name' => $args[0]->object_name],
                JSON_THROW_ON_ERROR,
                3
            ));
-        $security = $this->prophesize(Security::class);
+        return $serializer->reveal();
        $security->isGranted(AsyncUploadVoter::GENERATE_SIGNATURE, Argument::type(SignedUrl::class))
            ->willReturn($isGranted);
        return new AsyncUploadController(
            $tempUrlGenerator,
            $serializer->reveal(),
            $security->reveal(),
            new NullLogger()
        );
    }
 }
--- a/src/Bundle/ChillDocStoreBundle/chill.api.specs.yaml
+++ b/src/Bundle/ChillDocStoreBundle/chill.api.specs.yaml
@ -37,3 +37,71 @@ paths:
                    description: "Unauthorized"
                422:
                    description: "Invalid data"
    /1.0/doc-store/async-upload/temp_url/{uuid}/generate/post:
        get:
            tags:
                - storedobject
            summary: Get a signed route to post stored object
            parameters:
                -   in: path
                    name: uuid
                    required: true
                    allowEmptyValue: false
                    description: The UUID of the storedObject
                    schema:
                        type: string
                        format: uuid
            responses:
                200:
                    description: "OK"
                    content:
                        application/json:
                            schema:
                                type: object
                403:
                    description: "Unauthorized"
                404:
                    description: "Not found"
    /1.0/doc-store/async-upload/temp_url/{uuid}/generate/{method}:
        get:
            tags:
                - storedobject
            summary: Get a signed route to get a stored object
            parameters:
                - in: path
                  name: uuid
                  required: true
                  allowEmptyValue: false
                  description: The UUID of the storedObjeect
                  schema:
                      type: string
                      format: uuid
                - in: path
                  name: method
                  required: true
                  allowEmptyValue: false
                  description: the method of the signed url (get or head)
                  schema:
                      type: string
                      enum: [get, head]
                - in: query
                  name: version
                  required: false
                  allowEmptyValue: false
                  description: the version's filename of the stored object
                  schema:
                      type: string
                      minLength: 2
            responses:
                200:
                    description: "OK"
                    content:
                        application/json:
                            schema:
                                type: object
                403:
                    description: "Unauthorized"
                404:
                    description: "Not found"