epam · Oleksii-Klimov · Jun 27, 2024 · Jun 20, 2024 · Jun 20, 2024 · Jun 20, 2024
@@ -134,4 +134,8 @@ public String getProject() {
     public List<String> getExecutionPath() {
         return proxyApiKeyData == null ? null : proxyApiKeyData.getExecutionPath();
     }
+
+    public boolean getBooleanParam(String name) {
+        return Boolean.parseBoolean(request.getParam(name, "false"));
+    }
 }
@@ -2,6 +2,7 @@
 
 import com.epam.aidial.core.Proxy;
 import com.epam.aidial.core.ProxyContext;
+import com.epam.aidial.core.data.ResourceAccessType;
 import com.epam.aidial.core.security.AccessService;
 import com.epam.aidial.core.storage.ResourceDescription;
 import com.epam.aidial.core.util.HttpStatus;
@@ -29,7 +30,8 @@ public Future<?> handle(String resourceUrl) {
         return proxy.getVertx()
                 .executeBlocking(() -> {
                     AccessService service = proxy.getAccessService();
-                    return isWriteAccess ? service.hasWriteAccess(resource, context) : service.hasReadAccess(resource, context);
+                    ResourceAccessType permission = isWriteAccess ? ResourceAccessType.WRITE : ResourceAccessType.READ;
+                    return service.hasAccess(resource, context, permission);
                 }, false)
                 .map(hasAccess -> {
                     if (hasAccess) {

@@ -2,8 +2,6 @@
 
 import com.epam.aidial.core.Proxy;
 import com.epam.aidial.core.ProxyContext;
-import com.epam.aidial.core.data.ResourceLink;
-import com.epam.aidial.core.data.ResourceLinkCollection;
 import com.epam.aidial.core.service.InvitationService;
 import com.epam.aidial.core.service.LockService;
 import com.epam.aidial.core.service.ShareService;
@@ -13,9 +11,6 @@
 import io.vertx.core.Future;
 import lombok.extern.slf4j.Slf4j;
 
-import java.util.HashSet;
-import java.util.Set;
-
 @Slf4j
 public class DeleteFileController extends AccessControlBaseController {
 
@@ -43,11 +38,9 @@ protected Future<?> handle(ResourceDescription resource) {
             String bucketName = resource.getBucketName();
             String bucketLocation = resource.getBucketLocation();
             try {
-                Set<ResourceLink> resourceLinks = new HashSet<>();
-                resourceLinks.add(new ResourceLink(resource.getUrl()));
                 return lockService.underBucketLock(bucketLocation, () -> {
-                    invitationService.cleanUpResourceLinks(bucketName, bucketLocation, resourceLinks);
-                    shareService.revokeSharedAccess(bucketName, bucketLocation, new ResourceLinkCollection(resourceLinks));
+                    invitationService.cleanUpResourceLink(bucketName, bucketLocation, resource);
+                    shareService.revokeSharedResource(bucketName, bucketLocation, resource);
                     storage.delete(absoluteFilePath);
                     return null;
                 });

@@ -3,18 +3,23 @@
 import com.epam.aidial.core.Proxy;
 import com.epam.aidial.core.ProxyContext;
 import com.epam.aidial.core.data.MetadataBase;
+import com.epam.aidial.core.security.AccessService;
 import com.epam.aidial.core.storage.BlobStorage;
 import com.epam.aidial.core.storage.ResourceDescription;
 import com.epam.aidial.core.util.HttpStatus;
 import io.vertx.core.Future;
 import io.vertx.core.http.HttpHeaders;
 import lombok.extern.slf4j.Slf4j;
 
+import java.util.List;
+
 @Slf4j
 public class FileMetadataController extends AccessControlBaseController {
+    private final AccessService accessService;
 
     public FileMetadataController(Proxy proxy, ProxyContext context) {
         super(proxy, context, false);
+        accessService = proxy.getAccessService();
     }
 
     private String getContentType() {
@@ -37,7 +42,10 @@ protected Future<?> handle(ResourceDescription resource) {
             try {
                 MetadataBase metadata = storage.listMetadata(resource, token, limit, recursive);
                 if (metadata != null) {
-                    proxy.getAccessService().filterForbidden(context, resource, metadata);
+                    accessService.filterForbidden(context, resource, metadata);
+                    if (context.getBooleanParam("permissions")) {
+                        accessService.populatePermissions(context, resource.getBucketLocation(), List.of(metadata));
+                    }
                     context.respond(HttpStatus.OK, getContentType(), metadata);
                 } else {
                     context.respond(HttpStatus.NOT_FOUND);

@@ -3,6 +3,7 @@
 import com.epam.aidial.core.Proxy;
 import com.epam.aidial.core.ProxyContext;
 import com.epam.aidial.core.data.ListPublishedResourcesRequest;
+import com.epam.aidial.core.data.MetadataBase;
 import com.epam.aidial.core.data.Publication;
 import com.epam.aidial.core.data.Publications;
 import com.epam.aidial.core.data.RejectPublicationRequest;
@@ -26,6 +27,9 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 
+import java.util.Collection;
+import java.util.List;
+
 @Slf4j
 @RequiredArgsConstructor
 public class PublicationController {
@@ -161,7 +165,14 @@ public Future<?> listPublishedResources() {
                     ListPublishedResourcesRequest request = ProxyUtil.convertToObject(body, ListPublishedResourcesRequest.class);
                     String bucketLocation = BlobStorageUtil.buildInitiatorBucket(context);
                     String bucket = encryptService.encrypt(bucketLocation);
-                    return vertx.executeBlocking(() -> publicationService.listPublishedResources(request, bucket, bucketLocation), false);
+                    return vertx.executeBlocking(() -> {
+                        Collection<MetadataBase> metadata =
+                                publicationService.listPublishedResources(request, bucket, bucketLocation);
+                        if (context.getBooleanParam("permissions")) {
+                            accessService.populatePermissions(context, bucketLocation, metadata);
+                        }
+                        return metadata;
+                    }, false);
                 })
                 .onSuccess(metadata -> context.respond(HttpStatus.OK, metadata))
                 .onFailure(error -> respondError("Can't list published resources", error));

@@ -5,9 +5,8 @@
 import com.epam.aidial.core.data.Conversation;
 import com.epam.aidial.core.data.MetadataBase;
 import com.epam.aidial.core.data.Prompt;
-import com.epam.aidial.core.data.ResourceLink;
-import com.epam.aidial.core.data.ResourceLinkCollection;
 import com.epam.aidial.core.data.ResourceType;
+import com.epam.aidial.core.security.AccessService;
 import com.epam.aidial.core.service.InvitationService;
 import com.epam.aidial.core.service.LockService;
 import com.epam.aidial.core.service.ResourceService;
@@ -23,8 +22,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 import java.nio.charset.StandardCharsets;
-import java.util.HashSet;
-import java.util.Set;
+import java.util.List;
 
 @Slf4j
 @SuppressWarnings("checkstyle:Indentation")
@@ -36,13 +34,15 @@ public class ResourceController extends AccessControlBaseController {
     private final LockService lockService;
     private final InvitationService invitationService;
     private final boolean metadata;
+    private final AccessService accessService;
 
     public ResourceController(Proxy proxy, ProxyContext context, boolean metadata) {
-        // PUT and DELETE require full access, GET - not
+        // PUT and DELETE require write access, GET - read
         super(proxy, context, !HttpMethod.GET.equals(context.getRequest().method()));
         this.vertx = proxy.getVertx();
         this.service = proxy.getResourceService();
         this.shareService = proxy.getShareService();
+        this.accessService = proxy.getAccessService();
         this.lockService = proxy.getLockService();
         this.invitationService = proxy.getInvitationService();
         this.metadata = metadata;
@@ -93,7 +93,10 @@ private Future<?> getMetadata(ResourceDescription descriptor) {
                     if (result == null) {
                         context.respond(HttpStatus.NOT_FOUND, "Not found: " + descriptor.getUrl());
                     } else {
-                        proxy.getAccessService().filterForbidden(context, descriptor, result);
+                        accessService.filterForbidden(context, descriptor, result);
+                        if (context.getBooleanParam("permissions")) {
+                            accessService.populatePermissions(context, descriptor.getBucketLocation(), List.of(result));
+                        }
                         context.respond(HttpStatus.OK, getContentType(), result);
                     }
                 })
@@ -188,14 +191,11 @@ private Future<?> deleteResource(ResourceDescription descriptor) {
         }
 
         return vertx.executeBlocking(() -> {
-                    Set<ResourceLink> resourceLinks = new HashSet<>();
-                    resourceLinks.add(new ResourceLink(descriptor.getUrl()));
                     String bucketName = descriptor.getBucketName();
                     String bucketLocation = descriptor.getBucketLocation();
                     return lockService.underBucketLock(bucketLocation, () -> {
-                        invitationService.cleanUpResourceLinks(bucketName, bucketLocation, resourceLinks);
-                        shareService.revokeSharedAccess(bucketName, bucketLocation,
-                                new ResourceLinkCollection(resourceLinks));
+                        invitationService.cleanUpResourceLink(bucketName, bucketLocation, descriptor);
+                        shareService.revokeSharedResource(bucketName, bucketLocation, descriptor);
                         return service.deleteResource(descriptor);
                     });
                 }, false)

@@ -4,25 +4,29 @@
 import com.epam.aidial.core.ProxyContext;
 import com.epam.aidial.core.data.CopySharedAccessRequest;
 import com.epam.aidial.core.data.ListSharedResourcesRequest;
+import com.epam.aidial.core.data.ResourceAccessType;
 import com.epam.aidial.core.data.ResourceLinkCollection;
+import com.epam.aidial.core.data.RevokeResourcesRequest;
 import com.epam.aidial.core.data.ShareResourcesRequest;
+import com.epam.aidial.core.data.SharedResource;
 import com.epam.aidial.core.security.EncryptionService;
 import com.epam.aidial.core.service.InvitationService;
 import com.epam.aidial.core.service.LockService;
-import com.epam.aidial.core.service.ResourceService;
 import com.epam.aidial.core.service.ShareService;
-import com.epam.aidial.core.storage.BlobStorage;
 import com.epam.aidial.core.storage.BlobStorageUtil;
 import com.epam.aidial.core.storage.ResourceDescription;
 import com.epam.aidial.core.util.HttpException;
 import com.epam.aidial.core.util.HttpStatus;
 import com.epam.aidial.core.util.ProxyUtil;
-import com.epam.aidial.core.util.ResourceUtil;
+import com.google.common.collect.Sets;
 import io.vertx.core.Future;
 import io.vertx.core.buffer.Buffer;
 import lombok.extern.slf4j.Slf4j;
 
 import java.nio.charset.StandardCharsets;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 @Slf4j
 public class ShareController {
@@ -35,8 +39,6 @@ public class ShareController {
     private final EncryptionService encryptionService;
     private final LockService lockService;
     private final InvitationService invitationService;
-    private final ResourceService resourceService;
-    private final BlobStorage storage;
 
     public ShareController(Proxy proxy, ProxyContext context) {
         this.proxy = proxy;
@@ -45,8 +47,6 @@ public ShareController(Proxy proxy, ProxyContext context) {
         this.encryptionService = proxy.getEncryptionService();
         this.lockService = proxy.getLockService();
         this.invitationService = proxy.getInvitationService();
-        this.resourceService = proxy.getResourceService();
-        this.storage = proxy.getStorage();
     }
 
     public Future<?> handle(Operation operation) {
@@ -133,13 +133,18 @@ public Future<?> revokeSharedResources() {
         return context.getRequest()
                 .body()
                 .compose(buffer -> {
-                    ResourceLinkCollection request = getResourceLinkCollection(buffer, Operation.REVOKE);
+                    RevokeResourcesRequest request = getRevokeResourcesRequest(buffer, Operation.REVOKE);
                     String bucketLocation = BlobStorageUtil.buildInitiatorBucket(context);
                     String bucket = encryptionService.encrypt(bucketLocation);
+                    Map<ResourceDescription, Set<ResourceAccessType>> permissionsToRevoke = request.getResources().stream()
+                            .collect(Collectors.toUnmodifiableMap(
+                                    resource -> shareService.getResourceFromLink(resource.url()),
+                                    SharedResource::permissions,
+                                    Sets::union));
                     return proxy.getVertx()
                             .executeBlocking(() -> lockService.underBucketLock(bucketLocation, () -> {
-                                invitationService.cleanUpResourceLinks(bucket, bucketLocation, request.getResources());
-                                shareService.revokeSharedAccess(bucket, bucketLocation, request);
+                                invitationService.cleanUpPermissions(bucket, bucketLocation, permissionsToRevoke);
+                                shareService.revokeSharedAccess(bucket, bucketLocation, permissionsToRevoke);
                                 return null;
                             }), false);
                 })
@@ -210,8 +215,14 @@ private ResourceLinkCollection getResourceLinkCollection(Buffer buffer, Operatio
         }
     }
 
-    private boolean hasResource(ResourceDescription resource) {
-        return ResourceUtil.hasResource(resource, resourceService, storage);
+    private RevokeResourcesRequest getRevokeResourcesRequest(Buffer buffer, Operation operation) {
+        try {
+            String body = buffer.toString(StandardCharsets.UTF_8);
+            return ProxyUtil.convertToObject(body, RevokeResourcesRequest.class);
+        } catch (Exception e) {
+            log.error("Invalid request body provided", e);
+            throw new HttpException(HttpStatus.BAD_REQUEST, "Can't %s shared resources. Incorrect body".formatted(operation));
+        }
     }
 
     public enum Operation {

@@ -1,17 +1,32 @@
 package com.epam.aidial.core.data;
 
-import lombok.AllArgsConstructor;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
-import java.util.Set;
+import java.util.List;
+import java.util.stream.Collectors;
 
 @Data
-@AllArgsConstructor
 @NoArgsConstructor
 public class Invitation {
     String id;
-    Set<ResourceLink> resources;
+    List<SharedResource> resources;
     long createdAt;
     long expireAt;
+
+    @JsonCreator
+    public Invitation(
+            @JsonProperty("id") String id,
+            @JsonProperty("resources") List<SharedResource> resources,
+            @JsonProperty("createdAt") long createdAt,
+            @JsonProperty("expireAt") long expireAt) {
+        this.id = id;
+        this.resources = resources.stream()
+                .map(SharedResource::withReadIfNoPermissions)
+                .collect(Collectors.toList());
+        this.createdAt = createdAt;
+        this.expireAt = expireAt;
+    }
 }
@@ -1,9 +1,12 @@
 package com.epam.aidial.core.data;
 
+import com.fasterxml.jackson.annotation.JsonInclude;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
+import java.util.Set;
+
 @AllArgsConstructor
 @Data
 @NoArgsConstructor
@@ -16,4 +19,6 @@ public abstract class MetadataBase {
     private String url;
     private NodeType nodeType;
     private ResourceType resourceType;
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Set<ResourceAccessType> permissions;
 }
@@ -0,0 +1,15 @@
+package com.epam.aidial.core.data;
+
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.Set;
+
+public enum ResourceAccessType {
+    READ,
+    WRITE;
+
+    public static final Set<ResourceAccessType> ALL = Collections.unmodifiableSet(
+            EnumSet.allOf(ResourceAccessType.class));
+    public static final Set<ResourceAccessType> READ_ONLY = Collections.unmodifiableSet(
+            EnumSet.of(READ));
+}
@@ -20,7 +20,7 @@ public class ResourceFolderMetadata extends MetadataBase {
     private String nextToken;
 
     public ResourceFolderMetadata(ResourceType type, String bucket, String name, String path, String url, List<MetadataBase> items) {
-        super(name, path, bucket, url, NodeType.FOLDER, type);
+        super(name, path, bucket, url, NodeType.FOLDER, type, null);
         this.items = items;
     }
 

@@ -20,7 +20,7 @@ public class ResourceItemMetadata extends MetadataBase {
     private Long updatedAt;
 
     public ResourceItemMetadata(ResourceType type, String bucket, String name, String path, String url) {
-        super(name, path, bucket, url, NodeType.ITEM, type);
+        super(name, path, bucket, url, NodeType.ITEM, type, null);
     }
 
     public ResourceItemMetadata(ResourceDescription resource) {