Prevent json encoding of forbidden proposal_field_values

We never want to return `FORBIDDEN` ProposalFieldValues. The primary way
to accomplish that is to ensure our queries appropriately condition
against selecting those values in the first place.

This commit is a "belt and suspenders" approach which is only taken on
because of the level of sensitivity that this date represents.  If
a query attempts to select a forbidden ProposalFieldValue it will result
in a database exception.

This doesn't completely prevent access (e.g. if a query accesses field
values without creating an entire row), but it is still a layer of
defense.

Issue #1621 Add the concept of "too sensitive to store data" to base fields

Author: slifty

src/__tests__/proposalVersions.int.test.ts

@@ -16,6 +16,7 @@ import {
 	createChangemaker,
 	createOrUpdateUserChangemakerPermission,
 	createChangemakerProposal,
+	createProposalFieldValue,
 } from '../database';
 import { getLogger } from '../logger';
 import {
@@ -457,6 +458,23 @@ describe('/proposalVersions', () => {
 					label: 'Forbidden Field',
 				},
 			);
+			await createProposal(db, testUserAuthContext, {
+				externalId: `proposal-2525-01-04T00Z`,
+				opportunityId: 1,
+			});
+			await createProposalVersion(db, testUserAuthContext, {
+				proposalId: 1,
+				applicationFormId: 1,
+				sourceId: systemSource.id,
+			});
+			await createProposalFieldValue(db, null, {
+				proposalVersionId: 1,
+				applicationFormFieldId: forbiddenApplicationFormField.id,
+				position: 1,
+				value: 'Should not be returned',
+				isValid: true,
+				goodAsOf: null,
+			});
 			await createOrUpdateBaseField(db, null, {
 				...forbiddenBaseField,
 				sensitivityClassification: BaseFieldSensitivityClassification.FORBIDDEN,

src/database/initialization/__tests__/proposal_field_value_to_json.int.test.ts

@@ -0,0 +1,86 @@
+import {
+	createApplicationForm,
+	createApplicationFormField,
+	createOpportunity,
+	createOrUpdateBaseField,
+	createProposal,
+	createProposalFieldValue,
+	createProposalVersion,
+	db,
+	loadSystemFunder,
+	loadSystemSource,
+} from '../..';
+import { getAuthContext, loadTestUser } from '../../../test/utils';
+import {
+	BaseFieldDataType,
+	BaseFieldScope,
+	BaseFieldSensitivityClassification,
+} from '../../../types';
+
+describe('/proposal_field_value_to_json', () => {
+	it('returns a db error if attempting to load a forbidden proposal_field_value_to_json', async () => {
+		const testUser = await loadTestUser();
+		const testUserAuthContext = getAuthContext(testUser);
+		const systemSource = await loadSystemSource(db, null);
+		const systemFunder = await loadSystemFunder(db, null);
+		await createOpportunity(db, null, {
+			title: '🔥',
+			funderShortCode: systemFunder.shortCode,
+		});
+		await createProposal(db, testUserAuthContext, {
+			externalId: 'proposal-1',
+			opportunityId: 1,
+		});
+		await createApplicationForm(db, null, {
+			opportunityId: 1,
+		});
+		const forbiddenBaseField = await createOrUpdateBaseField(db, null, {
+			label: 'Forbidden Field',
+			description: 'This field should not be used in proposal versions',
+			shortCode: 'forbiddenField',
+			dataType: BaseFieldDataType.STRING,
+			scope: BaseFieldScope.PROPOSAL,
+			valueRelevanceHours: null,
+			sensitivityClassification: BaseFieldSensitivityClassification.RESTRICTED,
+		});
+		const forbiddenApplicationFormField = await createApplicationFormField(
+			db,
+			null,
+			{
+				applicationFormId: 1,
+				baseFieldShortCode: forbiddenBaseField.shortCode,
+				position: 1,
+				label: 'Forbidden Field',
+			},
+		);
+		await createProposal(db, testUserAuthContext, {
+			externalId: `proposal-2525-01-04T00Z`,
+			opportunityId: 1,
+		});
+		await createProposalVersion(db, testUserAuthContext, {
+			proposalId: 1,
+			applicationFormId: 1,
+			sourceId: systemSource.id,
+		});
+		await createProposalFieldValue(db, null, {
+			proposalVersionId: 1,
+			applicationFormFieldId: forbiddenApplicationFormField.id,
+			position: 1,
+			value: 'Should not be returned',
+			isValid: true,
+			goodAsOf: null,
+		});
+		await createOrUpdateBaseField(db, null, {
+			...forbiddenBaseField,
+			sensitivityClassification: BaseFieldSensitivityClassification.FORBIDDEN,
+		});
+
+		await expect(
+			db.query(
+				'SELECT proposal_field_value_to_json(proposal_field_values.*) FROM proposal_field_values WHERE proposal_field_values.id = 1',
+			),
+		).rejects.toThrow(
+			'Attempt to convert forbidden proposal_field_value to JSON (1)',
+		);
+	});
+});

src/database/initialization/proposal_field_value_to_json.sql

@@ -5,23 +5,37 @@ CREATE FUNCTION proposal_field_value_to_json(
 )
 RETURNS jsonb AS $$
 DECLARE
-  application_form_field_json JSONB;
+	is_forbidden BOOLEAN;
+	application_form_field_json JSONB;
 BEGIN
-  SELECT application_form_field_to_json(application_form_fields.*)
-  INTO application_form_field_json
-  FROM application_form_fields
-  WHERE application_form_fields.id = proposal_field_value.application_form_field_id;
+	SELECT EXISTS (
+		select 1
+		FROM application_form_fields
+		JOIN base_fields ON application_form_fields.base_field_short_code = base_fields.short_code
+		WHERE application_form_fields.id = proposal_field_value.application_form_field_id
+			AND base_fields.sensitivity_classification = 'forbidden'
+	) INTO is_forbidden;
 
-  RETURN jsonb_build_object(
-    'id', proposal_field_value.id,
-    'proposalVersionId', proposal_field_value.proposal_version_id,
-    'applicationFormFieldId', proposal_field_value.application_form_field_id,
-    'applicationFormField', application_form_field_json,
-    'position', proposal_field_value.position,
-    'value', proposal_field_value.value,
-    'goodAsOf', proposal_field_value.good_as_of,
-    'isValid', proposal_field_value.is_valid,
-    'createdAt', proposal_field_value.created_at
-  );
+	IF is_forbidden THEN
+		RAISE EXCEPTION 'Attempt to convert forbidden proposal_field_value to JSON (%)', proposal_field_value.id
+			USING ERRCODE = '22023'; -- invalid_parameter_value
+	END IF;
+
+	SELECT application_form_field_to_json(application_form_fields.*)
+	INTO application_form_field_json
+	FROM application_form_fields
+	WHERE application_form_fields.id = proposal_field_value.application_form_field_id;
+
+	RETURN jsonb_build_object(
+		'id', proposal_field_value.id,
+		'proposalVersionId', proposal_field_value.proposal_version_id,
+		'applicationFormFieldId', proposal_field_value.application_form_field_id,
+		'applicationFormField', application_form_field_json,
+		'position', proposal_field_value.position,
+		'value', proposal_field_value.value,
+		'goodAsOf', proposal_field_value.good_as_of,
+		'isValid', proposal_field_value.is_valid,
+		'createdAt', proposal_field_value.created_at
+	);
 END;
 $$ LANGUAGE plpgsql;