From e04e2defa1d43e182a7a917e668886c0925c2f91 Mon Sep 17 00:00:00 2001
From: Sriharsha Chintalapani
Date: Thu, 12 Dec 2024 01:49:05 -0800
Subject: [PATCH] Minor: Domain only access policy prevents bots from listing (#19017)
* Minor: Domain only access policy prevents bots listing
* Minor: Domain only access policy prevents bots listing
* Add Entity Type condition to limit the scope of NOT IN
---------
Co-authored-by: mohitdeuex
---
 .../service/jdbi3/ListFilter.java | 26 ++++++++++++++-----
 .../service/resources/EntityResource.java | 2 +-
 .../openmetadata/service/util/EntityUtil.java | 8 +++---
 3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java b/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java
index 08f299b5cf4..1722181a18a 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/ListFilter.java
@@ -14,6 +14,8 @@ import org.openmetadata.service.resources.databases.DatasourceConfig;
 import org.openmetadata.service.util.FullyQualifiedName;
 public class ListFilter extends Filter {
+ public static final String NULL_PARAM = "null";
+
 public ListFilter() {
 this(Include.NON_DELETED);
 }
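Review bot: `NULL_PARAM` is a public sentinel whose literal value `"null"` is indistinguishable from the string `null` arriving in the `domainId` filter from any other source, and nothing on the constant says which rows it selects. A Javadoc on the declaration would make the contract visible where EntityUtil and getDomainCondition both rely on it: `/** Sentinel for the {@code domainId} filter: select entities that have no domain relationship; see getDomainCondition. */`. The enclosing class continues outside the hunk.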
@@ -116,12 +118,24 @@ public class ListFilter extends Filter {
 private String getDomainCondition(String tableName) {
 String domainId = getQueryParam("domainId");
- return domainId == null
- ? ""
- : String.format(
- "(%s in (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' AND entity_relationship.fromId IN (%s) AND "
- + "relation=10))",
- nullOrEmpty(tableName) ? "id" : String.format("%s.id", tableName), domainId);
+ String entityIdColumn = nullOrEmpty(tableName) ? "id" : (tableName + ".id");
+ if (domainId == null) {
+ return "";
+ } else if (NULL_PARAM.equals(domainId)) {
+ String entityType = getQueryParam("entityType");
+ String entityTypeCondition =
+ nullOrEmpty(entityType)
+ ? ""
+ : String.format("AND entity_relationship.toEntity='%s'", entityType);
+ return String.format(
+ "(%s NOT IN (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' %s AND relation=10))",
+ entityIdColumn, entityTypeCondition);
+ } else {
+ return String.format(
+ "(%s in (SELECT entity_relationship.toId FROM entity_relationship WHERE entity_relationship.fromEntity='domain' AND entity_relationship.fromId IN (%s) AND "
+ + "relation=10))",
+ entityIdColumn, domainId);
+ }
 }
 public String getApiCollectionCondition(String apiEndpoint) {
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java b/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java
index d2044d44420..04deb0fd052 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/EntityResource.java
@@ -171,7 +171,7 @@ public abstract class EntityResource resultList;
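Review bot: The new NULL_PARAM branch splices `entityType` into the SQL text with `String.format("AND entity_relationship.toEntity='%s'", entityType)`, and the value is read back through `getQueryParam("entityType")`, the same lookup used for `domainId`; a value containing a quote would break the quoting, and if that map can ever be fed from request parameters (not visible here) it would alter the generated predicate. In this patch the value is set server-side by EntityUtil.addDomainQueryParam, but since the filter assembles its WHERE clause as a plain string rather than binding values, a shape check before `entityTypeCondition` is computed is the cheapest guard: `if (!nullOrEmpty(entityType) && !entityType.matches("[A-Za-z0-9_]+")) {` / `  throw new IllegalArgumentException("Invalid entityType: " + entityType);` / `}`. The same observation applies to the pre-existing `fromId IN (%s)` interpolation of `domainId` that the final `else` branch carries over unchanged. The whole of getDomainCondition lies inside the hunk; `getApiCollectionCondition` only begins on its last line.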
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/util/EntityUtil.java b/openmetadata-service/src/main/java/org/openmetadata/service/util/EntityUtil.java
index e08ff1e910f..99e723f3447 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/util/EntityUtil.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/util/EntityUtil.java
@@ -17,6 +17,7 @@ import static org.openmetadata.common.utils.CommonUtil.listOrEmpty;
 import static org.openmetadata.common.utils.CommonUtil.nullOrEmpty;
 import static org.openmetadata.schema.type.Include.ALL;
 import static org.openmetadata.schema.type.Include.NON_DELETED;
+import static org.openmetadata.service.jdbi3.ListFilter.NULL_PARAM;
 import static org.openmetadata.service.jdbi3.RoleRepository.DOMAIN_ONLY_ACCESS_ROLE;
 import static org.openmetadata.service.security.DefaultAuthorizer.getSubjectContext;
@@ -688,7 +689,8 @@ public final class EntityUtil {
 return result.stream().toList();
 }
- public static void addDomainQueryParam(SecurityContext securityContext, ListFilter filter) {
+ public static void addDomainQueryParam(
+ SecurityContext securityContext, ListFilter filter, String entityType) {
 SubjectContext subjectContext = getSubjectContext(securityContext);
 // If the User is admin then no need to add domainId in the query param
 // Also if there are domain restriction on the subject context via role
@@ -697,8 +699,8 @@ public final class EntityUtil {
 filter.addQueryParam(
 "domainId", getCommaSeparatedIdsFromRefs(subjectContext.getUserDomains()));
 } else {
- // TODO: Hack :(
- filter.addQueryParam("domainId", "null");
+ filter.addQueryParam("domainId", NULL_PARAM);
+ filter.addQueryParam("entityType", entityType);
 }
 }
}
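Review bot: The new `entityType` parameter on addDomainQueryParam has no documentation and no null check, while the comment block just below it still describes only the `domainId` behaviour; a reader cannot tell from the signature that the value narrows the NOT IN predicate built in ListFilter.getDomainCondition, or that passing null or an empty string silently widens it to every domain-assigned id. A short Javadoc stating the parameter's role and a guard such as `Objects.requireNonNull(entityType, "entityType");` at the top of the method would pin that down, assuming every caller (the EntityResource change is not readable in this view) passes a concrete type. The method body continues into the next hunk.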
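Review bot: The `"entityType"` key written by `filter.addQueryParam("entityType", entityType)` is a bare string literal that must match `getQueryParam("entityType")` in ListFilter.getDomainCondition, so the two can drift apart silently, exactly the coupling this patch removed for `"null"` by introducing `NULL_PARAM`. Declaring the key next to that constant, `public static final String ENTITY_TYPE_PARAM = "entityType";`, and using it on both sides would keep the contract in one place. The old `// TODO: Hack :(` was dropped without a replacement comment; one line explaining that NULL_PARAM means "no domains, restrict to undomained entities" would preserve the intent for the next reader.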