From db91a2e1d5c8f321b08384c99dc217cb05acff8f Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani
Date: Thu, 1 Dec 2022 01:51:32 -0800
Subject: [PATCH] Fix #8323: GenerateToken can overwrite any relations that user may have (#9091)

Co-authored-by: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
---
 .../openmetadata/service/resources/teams/UserResource.java | 4 ++--
 .../service/resources/teams/UserResourceTest.java | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java b/openmetadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java
index 5d2f49f9c9b..1ff9f41660c 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/teams/UserResource.java
@@ -567,7 +567,7 @@ public class UserResource extends EntityResource {
 @Valid GenerateTokenRequest generateTokenRequest)
 throws IOException {
 authorizer.authorizeAdmin(securityContext);
- User user = dao.get(uriInfo, id, Fields.EMPTY_FIELDS);
+ User user = dao.get(uriInfo, id, dao.getFieldsWithUserAuth("*"));
 JWTAuthMechanism jwtAuthMechanism =
 jwtTokenGenerator.generateJWTToken(user, generateTokenRequest.getJWTTokenExpiry());
 AuthenticationMechanism authenticationMechanism =
@@ -598,7 +598,7 @@ public class UserResource extends EntityResource {
 @Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid RevokeTokenRequest revokeTokenRequest)
 throws IOException {
 authorizer.authorizeAdmin(securityContext);
- User user = dao.get(uriInfo, revokeTokenRequest.getId(), Fields.EMPTY_FIELDS);
+ User user = dao.get(uriInfo, revokeTokenRequest.getId(), dao.getFieldsWithUserAuth("*"));
 if (!user.getIsBot()) {
 throw new IllegalStateException(CatalogExceptionMessage.invalidBotUser());
 }
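Review bot: The new `User user = dao.get(uriInfo, id, dao.getFieldsWithUserAuth("*"));` line fixes the relation wipe only by loading every field before the mechanism is written back, and nothing at the call site says why, so a later reader may well "optimize" it back to `Fields.EMPTY_FIELDS` and reintroduce #8323; add above the line `// Load all fields (relations and auth mechanism): the update that follows presumably persists this object, and any relation missing here would be dropped (#8323)`. The same comment belongs on the matching line in the revokeToken hunk at @@ -598. The underlying hazard, an update path that treats fields absent from a partially loaded entity as deletions, remains for any other caller that fetches with EMPTY_FIELDS and then persists, so a repository-level guard or a test over that path would be a more durable fix than per-call-site field lists. The body of generateToken continues past the hunk, so the write-back itself is not visible here.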
diff --git a/openmetadata-service/src/test/java/org/openmetadata/service/resources/teams/UserResourceTest.java b/openmetadata-service/src/test/java/org/openmetadata/service/resources/teams/UserResourceTest.java
index cfee614d8ee..7f999b0daeb 100644
--- a/openmetadata-service/src/test/java/org/openmetadata/service/resources/teams/UserResourceTest.java
+++ b/openmetadata-service/src/test/java/org/openmetadata/service/resources/teams/UserResourceTest.java
@@ -693,15 +693,19 @@ public class UserResourceTest extends EntityResourceTest {
 CreateUser create =
 createBotUserRequest("ingestion-bot-jwt")
 .withEmail("ingestion-bot-jwt@email.com")
+ .withRoles(List.of(ROLE1_REF.getId()))
 .withAuthenticationMechanism(authMechanism);
 User user = createEntity(create, authHeaders("ingestion-bot-jwt@email.com"));
+ user = getEntity(user.getId(), "*", ADMIN_AUTH_HEADERS);
+ assertEquals(user.getRoles().size(), 1);
 TestUtils.put(
 getResource(String.format("users/generateToken/%s", user.getId())),
 new GenerateTokenRequest().withJWTTokenExpiry(JWTTokenExpiry.Seven),
 OK,
 ADMIN_AUTH_HEADERS);
- user = getEntity(user.getId(), ADMIN_AUTH_HEADERS);
+ user = getEntity(user.getId(), "*", ADMIN_AUTH_HEADERS);
 assertNull(user.getAuthenticationMechanism());
+ assertEquals(user.getRoles().size(), 1);
 JWTAuthMechanism jwtAuthMechanism =
 TestUtils.get(
 getResource(String.format("users/token/%s", user.getId())), JWTAuthMechanism.class, ADMIN_AUTH_HEADERS);
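Review bot: Both added `assertEquals(user.getRoles().size(), 1);` lines pass the arguments in (actual, expected) order, the reverse of JUnit's `assertEquals(expected, actual)`, so a regression would be reported as "expected: <N> but was: <1>" and mislead whoever debugs it; write them as `assertEquals(1, user.getRoles().size());`. A size check also cannot tell the original role from one swapped in by the token update, which is the very behaviour #8323 is about; asserting the id after the generateToken call, e.g. `assertEquals(ROLE1_REF.getId(), user.getRoles().get(0).getId());` (assuming getRoles() holds EntityReference), pins it. The test method begins before the hunk, so its name and setup are not visible here.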