Handle category change with provided Acc Id (#252)

When account id supplied via claim, we should handle change of the domain classification. If category of domain change to private, we should re-evaluate the private account
2025-05-29 22:31:50 +02:00 · 2022-03-09 13:31:42 +01:00 · 2022-03-09 13:31:42 +01:00 · ff62fec956
commit ff62fec956
parent 347a668bd5
2 changed files with 64 additions and 30 deletions
--- a/management/server/account.go
+++ b/management/server/account.go
@ -316,8 +316,16 @@ func (am *DefaultAccountManager) handleNewUserAccount(domainAcc *Account, claims
 func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error) {
 	// if Account ID is part of the claims
 	// it means that we've already classified the domain and user has an account
-	if claims.DomainCategory != PrivateCategory || claims.AccountId != "" {
+	if claims.DomainCategory != PrivateCategory {
 		return am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain)
+	} else if claims.AccountId != "" {
+		accountFromID, err := am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain)
+		if err != nil {
+			return nil, err
+		}
+		if accountFromID.DomainCategory == PrivateCategory || claims.DomainCategory != PrivateCategory {
+			return accountFromID, nil
+		}
 	}

 	am.mux.Lock()
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@ -43,9 +43,11 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
 		inputClaims             jwtclaims.AuthorizationClaims
 		inputInitUserParams     initUserParams
 		inputUpdateAttrs        bool
+		inputUpdateClaimAccount bool
 		testingFunc             require.ComparisonAssertionFunc
 		expectedMSG             string
 		expectedUserRole        UserRole
+		expectedDomainCategory  string
 	}

 	var (
@ -70,6 +72,7 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
 		testingFunc:            require.NotEqual,
 		expectedMSG:            "account IDs shouldn't match",
 		expectedUserRole:       UserRoleAdmin,
+		expectedDomainCategory: "",
 	}

 	initUnknown := defaultInitAccount
@ -87,6 +90,7 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
 		testingFunc:            require.NotEqual,
 		expectedMSG:            "account IDs shouldn't match",
 		expectedUserRole:       UserRoleAdmin,
+		expectedDomainCategory: "",
 	}

 	testCase3 := test{
@ -100,6 +104,7 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
 		testingFunc:            require.NotEqual,
 		expectedMSG:            "account IDs shouldn't match",
 		expectedUserRole:       UserRoleAdmin,
+		expectedDomainCategory: PrivateCategory,
 	}

 	privateInitAccount := defaultInitAccount
@ -118,6 +123,7 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
 		testingFunc:            require.Equal,
 		expectedMSG:            "account IDs should match",
 		expectedUserRole:       UserRoleUser,
+		expectedDomainCategory: PrivateCategory,
 	}

 	testCase5 := test{
@ -131,9 +137,24 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
 		testingFunc:            require.Equal,
 		expectedMSG:            "account IDs should match",
 		expectedUserRole:       UserRoleAdmin,
+		expectedDomainCategory: PrivateCategory,
 	}

-	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5} {
+	testCase6 := test{
+		name: "Existing Account Id With Existing Reclassified Private Domain",
+		inputClaims: jwtclaims.AuthorizationClaims{
+			Domain:         defaultInitAccount.Domain,
+			UserId:         defaultInitAccount.UserId,
+			DomainCategory: PrivateCategory,
+		},
+		inputUpdateClaimAccount: true,
+		inputInitUserParams:     defaultInitAccount,
+		testingFunc:             require.Equal,
+		expectedMSG:             "account IDs should match",
+		expectedUserRole:        UserRoleAdmin,
+		expectedDomainCategory:  PrivateCategory,
+	}
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5, testCase6} {
 		t.Run(testCase.name, func(t *testing.T) {

 			manager, err := createManager(t)
@ -147,12 +168,17 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
 				require.NoError(t, err, "update init user failed")
 			}

+			if testCase.inputUpdateClaimAccount {
+				testCase.inputClaims.AccountId = initAccount.Id
+			}
+
 			account, err := manager.GetAccountWithAuthorizationClaims(testCase.inputClaims)
 			require.NoError(t, err, "support function failed")

 			testCase.testingFunc(t, initAccount.Id, account.Id, testCase.expectedMSG)

 			require.EqualValues(t, testCase.expectedUserRole, account.Users[testCase.inputClaims.UserId].Role, "user role should match")
+			require.EqualValues(t, testCase.expectedDomainCategory, account.DomainCategory, "account domain category should match")
 		})
 	}
 }