From d559656a8acbe7371fe77efd7f04716d2185a8ed Mon Sep 17 00:00:00 2001
From: ksrinath
Date: Mon, 27 May 2024 14:20:05 +0530
Subject: [PATCH] feat(auth): add viewTests platform privilege (#10413)

---
 .../com/linkedin/datahub/graphql/resolvers/MeResolver.java | 7 +++++++
 .../datahub/graphql/resolvers/test/ListTestsResolver.java | 2 +-
 .../linkedin/datahub/graphql/resolvers/test/TestUtils.java | 6 ++++++
 datahub-graphql-core/src/main/resources/app.graphql | 5 +++++
 datahub-web-react/src/Mocks.tsx | 2 ++
 datahub-web-react/src/graphql/me.graphql | 1 +
 .../linkedin/metadata/authorization/PoliciesConfig.java | 4 ++++
 7 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/MeResolver.java b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/MeResolver.java
index a2ef87b1ce98b3..f7dbb73d148423 100644
--- a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/MeResolver.java
+++ b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/MeResolver.java
@@ -75,6 +75,7 @@ public CompletableFuture get(DataFetchingEnvironment environm
 platformPrivileges.setManageIngestion(canManageIngestion(context));
 platformPrivileges.setManageSecrets(canManageSecrets(context));
 platformPrivileges.setManageTokens(canManageTokens(context));
+ platformPrivileges.setViewTests(canViewTests(context));
 platformPrivileges.setManageTests(canManageTests(context));
 platformPrivileges.setManageGlossaries(canManageGlossaries(context));
 platformPrivileges.setManageUserCredentials(canManageUserCredentials(context));
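Review bot: The `viewTests` flag set in this hunk is true only for actors holding VIEW_TESTS, while the ListTestsResolver change in the same patch admits MANAGE_TESTS or VIEW_TESTS, so a manager without the view grant reports `viewTests: false` yet can still list tests. A client that gates the Tests page on `viewTests` alone would hide it from managers; either make the flag follow what the server enforces, `platformPrivileges.setViewTests(canViewTests(context) || canManageTests(context));`, or state in the `viewTests` description in app.graphql and in the Javadoc of `TestUtils.canViewTests` that callers must also check the manage privilege. The Mocks.tsx hunks pair `viewTests: false` with `manageTests: true`, which suggests the split is intended but leaves it undocumented. The enclosing `get` method starts and ends outside the hunk.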
@@ -130,6 +131,12 @@ private boolean canGeneratePersonalAccessToken(final QueryContext context) {
 PoliciesConfig.GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE);
 }

+ /** Returns true if the authenticated user has privileges to view tests. */
+ private boolean canViewTests(final QueryContext context) {
+ return isAuthorized(
+ context.getAuthorizer(), context.getActorUrn(), PoliciesConfig.VIEW_TESTS_PRIVILEGE);
+ }
+
 /** Returns true if the authenticated user has privileges to manage (add or remove) tests. */
 private boolean canManageTests(final QueryContext context) {
 return isAuthorized(
diff --git a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/ListTestsResolver.java b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/ListTestsResolver.java
index 3f4a0367af05ad..22c3b87712a347 100644
--- a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/ListTestsResolver.java
+++ b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/ListTestsResolver.java
@@ -45,7 +45,7 @@ public CompletableFuture get(final DataFetchingEnvironment envi

 return CompletableFuture.supplyAsync(
 () -> {
- if (canManageTests(context)) {
+ if (canManageTests(context) || canViewTests(context)) {
 final ListTestsInput input =
 bindArgument(environment.getArgument("input"), ListTestsInput.class);
 final Integer start = input.getStart() == null ? DEFAULT_START : input.getStart();
diff --git a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/TestUtils.java b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/TestUtils.java
index ae23e963cebb90..020064ed643c88 100644
--- a/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/TestUtils.java
+++ b/datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/test/TestUtils.java
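Review bot: The widened guard `canManageTests(context) || canViewTests(context)` in ListTestsResolver has no accompanying test: none of the seven files in the diffstat is a resolver test, so nothing pins that VIEW_TESTS alone is enough to list tests or that an actor with neither privilege is still rejected. Resolver tests for both cases would cover the new authorization path. Because read and write access to tests now diverge, it is also worth confirming that the resolvers that create, update or delete tests (not part of this patch) still check `canManageTests` only. A comment above the condition, `// Listing is read-only: VIEW_TESTS or MANAGE_TESTS is sufficient.`, would make the intent explicit. The lambda body continues outside the hunk.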
@@ -19,6 +19,12 @@

 public class TestUtils {

+ /** Returns true if the authenticated user is able to view tests. */
+ public static boolean canViewTests(@Nonnull QueryContext context) {
+ return AuthUtil.isAuthorized(
+ context.getAuthorizer(), context.getActorUrn(), PoliciesConfig.VIEW_TESTS_PRIVILEGE);
+ }
+
 /** Returns true if the authenticated user is able to manage tests. */
 public static boolean canManageTests(@Nonnull QueryContext context) {
 return AuthUtil.isAuthorized(
diff --git a/datahub-graphql-core/src/main/resources/app.graphql b/datahub-graphql-core/src/main/resources/app.graphql
index c8fb2dedd59284..d84a86a3bedd36 100644
--- a/datahub-graphql-core/src/main/resources/app.graphql
+++ b/datahub-graphql-core/src/main/resources/app.graphql
@@ -91,6 +91,11 @@ type PlatformPrivileges {
 """
 manageTokens: Boolean!

+ """
+ Whether the user is able to view Tests
+ """
+ viewTests: Boolean!
+
 """
 Whether the user is able to manage Tests
 """
diff --git a/datahub-web-react/src/Mocks.tsx b/datahub-web-react/src/Mocks.tsx
index c7e0a89ab38ea0..9f9107865aac4c 100644
--- a/datahub-web-react/src/Mocks.tsx
+++ b/datahub-web-react/src/Mocks.tsx
@@ -3617,6 +3617,7 @@ export const mocks = [
 createTags: true,
 manageUserCredentials: true,
 manageGlossaries: true,
+ viewTests: false,
 manageTests: true,
 manageTokens: true,
 manageSecrets: true,
@@ -3892,6 +3893,7 @@ export const platformPrivileges: PlatformPrivileges = {
 manageIngestion: true,
 manageSecrets: true,
 manageTokens: true,
+ viewTests: false,
 manageTests: true,
 manageGlossaries: true,
 manageUserCredentials: true,
diff --git a/datahub-web-react/src/graphql/me.graphql b/datahub-web-react/src/graphql/me.graphql
index 7a2c0e562be6bb..9a1fb89a249eb8 100644
--- a/datahub-web-react/src/graphql/me.graphql
+++ b/datahub-web-react/src/graphql/me.graphql
@@ -39,6 +39,7 @@ query getMe {
 manageSecrets
 manageTokens
 manageDomains
+ viewTests
 manageTests
 manageGlossaries
 manageUserCredentials
diff --git a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
index ea8f52925b5b38..ff740a4dfc0e05 100644
--- a/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
+++ b/metadata-utils/src/main/java/com/linkedin/metadata/authorization/PoliciesConfig.java
@@ -90,6 +90,9 @@ public class PoliciesConfig {
 "Manage Home Page Posts",
 "Create and delete home page posts");

+ public static final Privilege VIEW_TESTS_PRIVILEGE =
+ Privilege.of("VIEW_TESTS", "View Tests", "View Asset Tests.");
+
 public static final Privilege MANAGE_TESTS_PRIVILEGE =
 Privilege.of("MANAGE_TESTS", "Manage Tests", "Create and remove Asset Tests.");

@@ -158,6 +161,7 @@ public class PoliciesConfig {
 MANAGE_SECRETS_PRIVILEGE,
 GENERATE_PERSONAL_ACCESS_TOKENS_PRIVILEGE,
 MANAGE_ACCESS_TOKENS,
+ VIEW_TESTS_PRIVILEGE,
 MANAGE_TESTS_PRIVILEGE,
 MANAGE_GLOSSARIES_PRIVILEGE,
 MANAGE_USER_CREDENTIALS_PRIVILEGE,
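Review bot: `VIEW_TESTS_PRIVILEGE` is described only as "View Asset Tests.", which does not tell a policy author what the grant exposes; within this patch the only enforcement point is the test listing in ListTestsResolver. A comment above the constant, `// Read-only: lets the actor list Asset Tests; MANAGE_TESTS is still required to create or remove them.`, would document the boundary next to the definition. The second hunk registers the privilege in the privilege list, but the patch touches no default policy, so presumably no existing role receives VIEW_TESTS until an administrator grants it; confirm that this deny-by-default outcome is the intended one.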