refactor(api): Return clearances based on token's access to groups

Return path exclusions and license conclusions from the groups that the API
token has access to.

If there are path exclusions with the same pattern in multiple groups, the
path exclusion from the highest ranking group is returned. If there are
multiple path exclusions with the same pattern in the same group, the path
exclusion that was created most recently is returned.

Similarly for the license conclusions, if multiple license conclusions
have been added for the same path in the queried package, return the one
from the highest-ranking group, or select the newest item within a group.

Signed-off-by: Johanna Lamppu <johanna.lamppu@doubleopen.org>

Author: lamppu

apps/api/src/helpers/db_operations.ts

@@ -718,18 +718,53 @@ type PackageConfiguration = {
 };
 
 export const getPackageConfiguration = async (
-    purl: string,
+    packageId: number,
+    apiTokenId: string,
 ): Promise<PackageConfiguration> => {
-    const packageWithPathExclusions =
-        await dbQueries.findPackageWithPathExclusionsByPurl(purl);
+    const atcgs =
+        await dbQueries.findClearanceGroupsForApiTokenWithPackageClearances(
+            packageId,
+            apiTokenId,
+        );
+
+    const peMap = new Map<
+        string,
+        PackageConfiguration["pathExclusions"][number]
+    >();
+
+    const lcMap = new Map<
+        string,
+        PackageConfiguration["licenseConclusions"][number]
+    >();
+
+    for (const atcg of atcgs) {
+        for (const pe of atcg.clearanceGroup.pathExclusions) {
+            if (!peMap.has(pe.pathExclusion.pattern)) {
+                peMap.set(pe.pathExclusion.pattern, pe.pathExclusion);
+            }
+        }
 
-    if (!packageWithPathExclusions) throw new Error("Package not found");
+        for (const lc of atcg.clearanceGroup.licenseConclusions) {
+            for (const ft of lc.licenseConclusion.file.filetrees) {
+                const path = ft.path;
+
+                if (!lcMap.has(path)) {
+                    lcMap.set(path, {
+                        path: path,
+                        detectedLicenseExpressionSPDX:
+                            lc.licenseConclusion.detectedLicenseExpressionSPDX,
+                        concludedLicenseExpressionSPDX:
+                            lc.licenseConclusion.concludedLicenseExpressionSPDX,
+                        comment: lc.licenseConclusion.comment,
+                    });
+                }
+            }
+        }
+    }
 
-    const licenseConclusions =
-        await dbQueries.findLicenseConclusionsByPackagePurl(purl);
     return {
-        licenseConclusions: licenseConclusions,
-        pathExclusions: packageWithPathExclusions.pathExclusions,
+        licenseConclusions: [...lcMap.values()],
+        pathExclusions: [...peMap.values()],
     };
 };
 

apps/api/src/helpers/db_queries.ts

@@ -2178,6 +2178,7 @@ export const findPackagesByPurls = async (
 
 export const findPackageIdByPurl = async (
     purl: string,
+    scanStatus?: string,
 ): Promise<number | null> => {
     let retries = initialRetryCount;
     let packageId: number | null = null;
@@ -2189,6 +2190,7 @@ export const findPackageIdByPurl = async (
                 .findUnique({
                     where: {
                         purl: purl,
+                        scanStatus: scanStatus,
                     },
                     select: {
                         id: true,
@@ -2210,56 +2212,89 @@ export const findPackageIdByPurl = async (
     return packageId;
 };
 
-type PackageWithRelations = Prisma.PackageGetPayload<{
-    select: {
-        id: true;
-        pathExclusions: {
+export const findClearanceGroupsForApiTokenWithPackageClearances = async (
+    packageId: number,
+    apiTokenId: string,
+) => {
+    return await retry(async () => {
+        return prisma.apiToken_ClearanceGroup.findMany({
+            where: {
+                apiTokenId: apiTokenId,
+            },
+            orderBy: {
+                rank: "asc",
+            },
             select: {
-                pattern: true;
-                reason: true;
-                comment: true;
-            };
-        };
-    };
-}>;
-
-export const findPackageWithPathExclusionsByPurl = async (
-    purl: string,
-): Promise<PackageWithRelations> => {
-    let retries = initialRetryCount;
-    let querySuccess = false;
-    let packageObj: PackageWithRelations | null = null;
-
-    while (!querySuccess && retries > 0) {
-        try {
-            packageObj = await prisma.package.findUnique({
-                where: {
-                    purl: purl,
-                },
-                select: {
-                    id: true,
-                    pathExclusions: {
-                        select: {
-                            pattern: true,
-                            reason: true,
-                            comment: true,
+                clearanceGroup: {
+                    select: {
+                        id: true,
+                        pathExclusions: {
+                            select: {
+                                pathExclusion: {
+                                    select: {
+                                        pattern: true,
+                                        reason: true,
+                                        comment: true,
+                                    },
+                                },
+                            },
+                            where: {
+                                pathExclusion: {
+                                    packageId: packageId,
+                                },
+                            },
+                            orderBy: {
+                                pathExclusion: {
+                                    createdAt: "desc",
+                                },
+                            },
+                        },
+                        licenseConclusions: {
+                            select: {
+                                licenseConclusion: {
+                                    select: {
+                                        detectedLicenseExpressionSPDX: true,
+                                        concludedLicenseExpressionSPDX: true,
+                                        comment: true,
+                                        fileSha256: true,
+                                        file: {
+                                            select: {
+                                                filetrees: {
+                                                    select: {
+                                                        path: true,
+                                                    },
+                                                    where: {
+                                                        packageId: packageId,
+                                                    },
+                                                },
+                                            },
+                                        },
+                                    },
+                                },
+                            },
+                            where: {
+                                licenseConclusion: {
+                                    file: {
+                                        filetrees: {
+                                            some: {
+                                                packageId: packageId,
+                                            },
+                                        },
+                                    },
+                                },
+                            },
+                            orderBy: {
+                                licenseConclusion: {
+                                    createdAt: "desc",
+                                },
+                            },
                         },
                     },
                 },
-            });
-            querySuccess = true;
-        } catch (error) {
-            console.log("Error with trying to find Package: " + error);
-            handleError(error);
-            retries--;
-            if (retries > 0) await waitToRetry();
-            else throw error;
-        }
-    }
-
-    if (!packageObj) throw new Error("Error: Unable to find Package");
-
-    return packageObj;
+                rank: true,
+            },
+        });
+    });
 };
 
 export const getPathExclusionsByPackagePurl = async (
@@ -3896,82 +3931,6 @@ export const findPathExclusionsByPackageId = async (
     return pathExclusions;
 };
 
-export const findLicenseConclusionsByPackagePurl = async (
-    purl: string,
-): Promise<
-    {
-        path: string;
-        detectedLicenseExpressionSPDX: string | null;
-        concludedLicenseExpressionSPDX: string;
-        comment: string | null;
-    }[]
-> => {
-    let retries = initialRetryCount;
-    let querySuccess = false;
-    let filetrees = null;
-
-    while (!querySuccess && retries > 0) {
-        try {
-            filetrees = await prisma.fileTree.findMany({
-                where: {
-                    package: {
-                        purl: purl,
-                    },
-                },
-                select: {
-                    path: true,
-                    file: {
-                        select: {
-                            licenseConclusions: {
-                                select: {
-                                    detectedLicenseExpressionSPDX: true,
-                                    concludedLicenseExpressionSPDX: true,
-                                    comment: true,
-                                    local: true,
-                                    contextPurl: true,
-                                },
-                            },
-                        },
-                    },
-                },
-            });
-            querySuccess = true;
-        } catch (error) {
-            console.log(
-                "Error with trying to find LicenseConclusions: " + error,
-            );
-            handleError(error);
-            retries--;
-            if (retries > 0) await waitToRetry();
-            else throw error;
-        }
-    }
-
-    if (!filetrees) throw new Error("Error: Unable to find LicenseConclusions");
-
-    const licenseConclusions = [];
-
-    for (const filetree of filetrees) {
-        for (const licenseConclusion of filetree.file.licenseConclusions) {
-            if (
-                !licenseConclusion.local ||
-                (licenseConclusion.local &&
-                    licenseConclusion.contextPurl === purl)
-            )
-                licenseConclusions.push({
-                    path: filetree.path,
-                    detectedLicenseExpressionSPDX:
-                        licenseConclusion.detectedLicenseExpressionSPDX,
-                    concludedLicenseExpressionSPDX:
-                        licenseConclusion.concludedLicenseExpressionSPDX,
-                    comment: licenseConclusion.comment,
-                });
-        }
-    }
-
-    return licenseConclusions;
-};
-
 export const findLicenseConclusionsByContextPurl = async (
     contextPurl: string,
 ): Promise<LicenseConclusion[]> => {

apps/api/src/routes/scanner_router.ts

@@ -4,7 +4,7 @@
 
 import { zodiosRouter } from "@zodios/express";
 import { JobStatus } from "bull";
-import { ApiScope, Package, Prisma, ScannerJob } from "database";
+import { ApiScope, Package, ScannerJob } from "database";
 import log from "loglevel";
 import { deleteFile, getPresignedPutUrl, objectExistsCheck } from "s3-helpers";
 import { scannerAPI } from "validation-helpers";
@@ -459,29 +459,37 @@ scannerRouter.post(
     requireApiScope(ApiScope.CLEARANCE_DATA),
     async (req, res) => {
         try {
-            // TODO: Return results based on user access rights and choices
+            // The middlewares have already verified that req.apiTokenAuth exists, so the non-null assertion operator can be safely used here.
+            const auth = req.apiTokenAuth!;
 
             console.log(
                 "Searching for configuration for package with purl: " +
                     req.body.purl,
             );
 
+            const packageId = await dbQueries.findPackageIdByPurl(
+                req.body.purl,
+                "scanned",
+            );
+
+            if (!packageId) throw new CustomError("Package not found", 404);
+
             const packageConfiguration =
-                await dbOperations.getPackageConfiguration(req.body.purl);
+                await dbOperations.getPackageConfiguration(
+                    packageId,
+                    auth.apiTokenId,
+                );
 
             res.status(200).json(packageConfiguration);
         } catch (error) {
             console.log("Error: ", error);
-            if (
-                error instanceof Prisma.PrismaClientKnownRequestError &&
-                error.code === "P2025"
-            ) {
-                return res.status(404).json({
-                    message: "Unable to find results for the requested package",
-                });
-            } else if (error instanceof Error)
-                res.status(404).json({ message: error.message });
-            else res.status(500).json({ message: "Internal server error" });
+
+            if (error instanceof CustomError) {
+                res.status(error.statusCode).json({ message: error.message });
+            } else {
+                const err = await getErrorCodeAndMessage(error);
+                res.status(err.statusCode).json({ message: err.message });
+            }
         }
     },
 );