From e98d079a2fca6ff633ed7095394168c37343a6c9 Mon Sep 17 00:00:00 2001 From: Zachary Prebosnyak <91638307+zprebosnyak-lm@users.noreply.github.com> Date: Thu, 25 Jul 2024 15:47:52 -0600 Subject: [PATCH 1/2] Permission deconstruction (#1) * feat: add upstream MR creation * Deleted .gitlab-ci.yml * fix: build & push api server with kaniko * fix: address prior stage error * fix: fix dockerfile path * fix: run maven build job * fix: switch to mvn version eclipse 21 * fix: address java cacert path * fix: switch java jdk 17 * fix: add the settings.xml file * fix: added additonal script to create jar * fix: build apiserver docker container * remove crane job * create target destination file * remove target dir * disable the kaniko before script * fix: add back before script to copy target file * commented target from dockerignore * revise docker build context * move logback-json to root * move back logback-json * switch dockerfile to original proxy cached * applied suggested changes * revert to rule to default branch * test: see if logic works with existing permissions * test: revert old permissions test, test case with new permissions * fix: copy pasta'd myself * feat: add new permissions to API routes * fix: change api permission to match CRUDops better * fix: change policy condition resource for update * test: add api and ci changes * test: yq command * test: yq cmd * test: if its the container * test: parse version * test: why is it connecting to proxy * test: use curl * fix: cleanup CI * test: cleanup pt2 * fix: clean pt3 * fix: spelling mistake in description * fix: revert some files and change values back to original --------- Co-authored-by: e407773 Co-authored-by: Cortes, Noel 
Signed-off-by: Zachary Prebosnyak <91638307+zprebosnyak-lm@users.noreply.github.com> --- .../org/dependencytrack/auth/Permissions.java | 54 +++++++++++++++++-- .../persistence/DefaultObjectGenerator.java | 6 ++- .../resources/v1/AccessControlResource.java | 12 ++--- .../resources/v1/AnalysisResource.java | 4 +- .../resources/v1/BomResource.java | 12 ++--- .../v1/ComponentPropertyResource.java | 8 +-- .../resources/v1/ComponentResource.java | 16 +++--- .../resources/v1/ConfigPropertyResource.java | 12 ++--- .../resources/v1/FindingResource.java | 4 +- .../resources/v1/IntegrationResource.java | 8 +-- .../resources/v1/LdapResource.java | 16 +++--- .../resources/v1/LicenseGroupResource.java | 28 +++++----- .../resources/v1/LicenseResource.java | 8 +-- .../resources/v1/MetricsResource.java | 12 ++--- .../v1/NotificationPublisherResource.java | 20 +++---- .../v1/NotificationRuleResource.java | 32 +++++------ .../resources/v1/OidcResource.java | 32 +++++------ .../resources/v1/PermissionResource.java | 20 +++---- .../resources/v1/PolicyConditionResource.java | 16 +++--- .../resources/v1/PolicyResource.java | 36 ++++++------- .../resources/v1/ProjectPropertyResource.java | 16 +++--- .../resources/v1/ProjectResource.java | 21 ++++---- .../resources/v1/RepositoryResource.java | 20 +++---- .../resources/v1/ServiceResource.java | 12 ++--- .../resources/v1/TeamResource.java | 36 ++++++------- .../resources/v1/UserResource.java | 48 ++++++++--------- .../resources/v1/VexResource.java | 12 ++--- .../v1/ViolationAnalysisResource.java | 2 +- .../v1/VulnerabilityPolicyBundleResource.java | 4 +- .../v1/VulnerabilityPolicyResource.java | 8 +-- .../resources/v1/VulnerabilityResource.java | 40 +++++++------- 31 files changed, 313 insertions(+), 262 deletions(-) diff --git a/src/main/java/org/dependencytrack/auth/Permissions.java b/src/main/java/org/dependencytrack/auth/Permissions.java index 62419d962..72612c8c3 100644 --- a/src/main/java/org/dependencytrack/auth/Permissions.java 
+++ b/src/main/java/org/dependencytrack/auth/Permissions.java 
@@ -29,15 +29,38 @@ public enum Permissions {
 BOM_UPLOAD("Allows the ability to upload CycloneDX Software Bill of Materials (SBOM)"),
 VIEW_PORTFOLIO("Provides the ability to view the portfolio of projects, components, and licenses"),
 PORTFOLIO_MANAGEMENT("Allows the creation, modification, and deletion of data in the portfolio"),
+ PORTFOLIO_MANAGEMENT_CREATE("Allows the creation of data in the portfolio"),
+ PORTFOLIO_MANAGEMENT_READ("Allows the reading of data in the portfolio"),
+ PORTFOLIO_MANAGEMENT_UPDATE("Allows the updating of data in the portfolio"),
+ PORTFOLIO_MANAGEMENT_DELETE("Allows the deletion of data in the portfolio"),
 VIEW_VULNERABILITY("Provides the ability to view the vulnerabilities projects are affected by"),
- VULNERABILITY_ANALYSIS("Provides the ability to make analysis decisions on vulnerabilities"),
+ VULNERABILITY_ANALYSIS("Provides all abilities to make analysis decisions on vulnerabilities"),
+ VULNERABILITY_ANALYSIS_CREATE("Provides the ability to upload supported VEX documents to a project"),
+ VULNERABILITY_ANALYSIS_READ("Provides the ability read the VEX document for a project"),
+ VULNERABILITY_ANALYSIS_UPDATE("Provides the ability to make analysis decisions on vulnerabilities and upload supported VEX documents for a project"),
 VIEW_POLICY_VIOLATION("Provides the ability to view policy violations"),
- VULNERABILITY_MANAGEMENT("Allows management of internally-defined vulnerabilities"),
+ VULNERABILITY_MANAGEMENT("Allows all management permissions of internally-defined vulnerabilities"),
+ VULNERABILITY_MANAGEMENT_CREATE("Allows creation of internally-defined vulnerabilities"),
+ VULNERABILITY_MANAGEMENT_READ("Allows reading internally-defined vulnerabilities"),
+ VULNERABILITY_MANAGEMENT_UPDATE("Allows updating internally-defined vulnerabilities and vulnerability tags"),
+ VULNERABILITY_MANAGEMENT_DELETE("Allows management of internally-defined vulnerabilities"),
 POLICY_VIOLATION_ANALYSIS("Provides the ability to make analysis decisions on policy violations"),
 ACCESS_MANAGEMENT("Allows the management of users, teams, and API keys"),
- SYSTEM_CONFIGURATION("Allows the configuration of the system including notifications, repositories, and email settings"),
+ ACCESS_MANAGEMENT_CREATE("Allows create permissions of users, teams, and API keys"),
+ ACCESS_MANAGEMENT_READ("Allows read permissions of users, teams, and API keys"),
+ ACCESS_MANAGEMENT_UPDATE("Allows update permissions of users, teams, and API keys"),
+ ACCESS_MANAGEMENT_DELETE("Allows delete permissions of users, teams, and API keys"),
+ SYSTEM_CONFIGURATION("Allows all access to configuration of the system including notifications, repositories, and email settings"),
+ SYSTEM_CONFIGURATION_CREATE("Allows creating configuration of the system including notifications, repositories, and email settings"),
+ SYSTEM_CONFIGURATION_READ("Allows reading the configuration of the system including notifications, repositories, and email settings"),
+ SYSTEM_CONFIGURATION_UPDATE("Allows updating the configuration of the system including notifications, repositories, and email settings"),
+ SYSTEM_CONFIGURATION_DELETE("Allows deleting the configuration of the system including notifications, repositories, and email settings"),
 PROJECT_CREATION_UPLOAD("Provides the ability to optionally create project (if non-existent) on BOM or scan upload"),
- POLICY_MANAGEMENT("Allows the creation, modification, and deletion of policy");
+ POLICY_MANAGEMENT("Allows the creation, modification, and deletion of policy"),
+ POLICY_MANAGEMENT_CREATE("Allows the creation of a policy"),
+ POLICY_MANAGEMENT_READ("Allows reading of policies"),
+ POLICY_MANAGEMENT_UPDATE("Allows the modification of a policy"),
+ POLICY_MANAGEMENT_DELETE("Allows the deletion of a policy");
 private final String description;
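Review bot: `VULNERABILITY_MANAGEMENT_DELETE` is described as "Allows management of internally-defined vulnerabilities", which is the old aggregate's wording and never says it grants deletion; these descriptions are what an administrator reads when assigning permissions, so a DELETE permission labelled as generic "management" works against the least-privilege split this change introduces. Change it to `VULNERABILITY_MANAGEMENT_DELETE("Allows deletion of internally-defined vulnerabilities"),`. Two more wording problems in the same hunk: `VULNERABILITY_ANALYSIS_READ` reads "the ability read" (missing "to"), and `VULNERABILITY_ANALYSIS_UPDATE` also claims VEX upload, which `VULNERABILITY_ANALYSIS_CREATE` already covers, so the two are indistinguishable from their descriptions. Each description should name the single operation that permission actually gates.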
@@ -53,15 +76,38 @@ public static class Constants {
 public static final String BOM_UPLOAD = "BOM_UPLOAD";
 public static final String VIEW_PORTFOLIO = "VIEW_PORTFOLIO";
 public static final String PORTFOLIO_MANAGEMENT = "PORTFOLIO_MANAGEMENT";
+ public static final String PORTFOLIO_MANAGEMENT_CREATE = "PORTFOLIO_MANAGEMENT_CREATE";
+ public static final String PORTFOLIO_MANAGEMENT_READ = "PORTFOLIO_MANAGEMENT_READ";
+ public static final String PORTFOLIO_MANAGEMENT_UPDATE = "PORTFOLIO_MANAGEMENT_UPDATE";
+ public static final String PORTFOLIO_MANAGEMENT_DELETE = "PORTFOLIO_MANAGEMENT_DELETE";
 public static final String VIEW_VULNERABILITY = "VIEW_VULNERABILITY";
 public static final String VULNERABILITY_ANALYSIS = "VULNERABILITY_ANALYSIS";
+ public static final String VULNERABILITY_ANALYSIS_CREATE = "VULNERABILITY_ANALYSIS_CREATE";
+ public static final String VULNERABILITY_ANALYSIS_READ = "VULNERABILITY_ANALYSIS_READ";
+ public static final String VULNERABILITY_ANALYSIS_UPDATE = "VULNERABILITY_ANALYSIS_UPDATE";
 public static final String VIEW_POLICY_VIOLATION = "VIEW_POLICY_VIOLATION";
 public static final String VULNERABILITY_MANAGEMENT = "VULNERABILITY_MANAGEMENT";
+ public static final String VULNERABILITY_MANAGEMENT_CREATE = "VULNERABILITY_MANAGEMENT_CREATE";
+ public static final String VULNERABILITY_MANAGEMENT_READ = "VULNERABILITY_MANAGEMENT_READ";
+ public static final String VULNERABILITY_MANAGEMENT_UPDATE = "VULNERABILITY_MANAGEMENT_UPDATE";
+ public static final String VULNERABILITY_MANAGEMENT_DELETE = "VULNERABILITY_MANAGEMENT_DELETE";
 public static final String POLICY_VIOLATION_ANALYSIS = "POLICY_VIOLATION_ANALYSIS";
 public static final String ACCESS_MANAGEMENT = "ACCESS_MANAGEMENT";
+ public static final String ACCESS_MANAGEMENT_CREATE = "ACCESS_MANAGEMENT_CREATE";
+ public static final String ACCESS_MANAGEMENT_READ = "ACCESS_MANAGEMENT_READ";
+ public static final String ACCESS_MANAGEMENT_UPDATE = "ACCESS_MANAGEMENT_UPDATE";
+ public static final String ACCESS_MANAGEMENT_DELETE = "ACCESS_MANAGEMENT_DELETE";
 public static final String SYSTEM_CONFIGURATION = "SYSTEM_CONFIGURATION";
+ public static final String SYSTEM_CONFIGURATION_CREATE = "SYSTEM_CONFIGURATION_CREATE";
+ public static final String SYSTEM_CONFIGURATION_READ = "SYSTEM_CONFIGURATION_READ";
+ public static final String SYSTEM_CONFIGURATION_UPDATE = "SYSTEM_CONFIGURATION_UPDATE";
+ public static final String SYSTEM_CONFIGURATION_DELETE = "SYSTEM_CONFIGURATION_DELETE";
 public static final String PROJECT_CREATION_UPLOAD = "PROJECT_CREATION_UPLOAD";
 public static final String POLICY_MANAGEMENT = "POLICY_MANAGEMENT";
+ public static final String POLICY_MANAGEMENT_CREATE = "POLICY_MANAGEMENT_CREATE";
+ public static final String POLICY_MANAGEMENT_READ = "POLICY_MANAGEMENT_READ";
+ public static final String POLICY_MANAGEMENT_UPDATE = "POLICY_MANAGEMENT_UPDATE";
+ public static final String POLICY_MANAGEMENT_DELETE = "POLICY_MANAGEMENT_DELETE";
 }
 }
diff --git a/src/main/java/org/dependencytrack/persistence/DefaultObjectGenerator.java b/src/main/java/org/dependencytrack/persistence/DefaultObjectGenerator.java
index 8051af6ae..a0c8ada9a 100644
--- a/src/main/java/org/dependencytrack/persistence/DefaultObjectGenerator.java
+++ b/src/main/java/org/dependencytrack/persistence/DefaultObjectGenerator.java
@@ -170,7 +170,11 @@ private List getPortfolioManagersPermissions(final List
 final List permissions = new ArrayList<>();
 for (final Permission permission: fullList) {
 if (permission.getName().equals(Permissions.Constants.VIEW_PORTFOLIO) ||
- permission.getName().equals(Permissions.Constants.PORTFOLIO_MANAGEMENT)) {
+ permission.getName().equals(Permissions.Constants.PORTFOLIO_MANAGEMENT) ||
+ permission.getName().equals(Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE) ||
+ permission.getName().equals(Permissions.Constants.PORTFOLIO_MANAGEMENT_READ) ||
+ permission.getName().equals(Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE) ||
+ permission.getName().equals(Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE)) {
 permissions.add(permission);
 }
 }
diff --git a/src/main/java/org/dependencytrack/resources/v1/AccessControlResource.java b/src/main/java/org/dependencytrack/resources/v1/AccessControlResource.java
index 7c81e1933..9219c6ac5 100644
--- a/src/main/java/org/dependencytrack/resources/v1/AccessControlResource.java
+++ b/src/main/java/org/dependencytrack/resources/v1/AccessControlResource.java
@@ -70,14 +70,14 @@ public class AccessControlResource extends AlpineResource {
 response = String.class,
 responseContainer = "List",
 responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of projects"),
- notes = "
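Review bot: The default Portfolio Managers team is now granted all four PORTFOLIO_MANAGEMENT_* permissions on top of PORTFOLIO_MANAGEMENT, but every endpoint touched by this patch still accepts the aggregate, so the granular grants add no access for this team and only make it harder to later retire the aggregate without silently changing what the team can do. Either keep the aggregate alone here, or grant only the four granular permissions, and say which model the default personas follow in a comment such as `// Default personas hold the aggregate; granular *_CREATE/_READ/_UPDATE/_DELETE permissions are for custom teams`. Only the Portfolio Managers builder is changed in this hunk; whether other default-team builders in this file need the same decision is not visible here. The enclosing method starts before the hunk.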

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

" ) @PaginatedApi @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the team could not be found"), }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response retrieveProjects (@ApiParam(value = "The UUID of the team to retrieve mappings for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @ApiParam(value = "Optionally excludes inactive projects from being returned", required = false) @@ -101,14 +101,14 @@ public Response retrieveProjects (@ApiParam(value = "The UUID of the team to ret @ApiOperation( value = "Adds an ACL mapping", response = AclMappingRequest.class, - notes = "
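Review bot: The entire split relies on a multi-valued `@PermissionRequired` being evaluated as any-of, which the new notes assert ("ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ") but which is decided by Alpine's authorization filter, not by anything in this file; the diffstat lists no test changes even though the message contains "test: add api and ci changes". Add a resource test that a principal holding only `ACCESS_MANAGEMENT_READ` gets 200 from `retrieveProjects` and one holding only `ACCESS_MANAGEMENT_CREATE` gets 403, so an all-of filter or a wrong constant in one of the many rewritten annotations cannot pass unnoticed. The `retrieveProjects` signature continues past the end of this hunk.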

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the team or project could not be found"), @ApiResponse(code = 409, message = "A mapping with the same team and project already exists") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response addMapping(AclMappingRequest request) { final Validator validator = super.getValidator(); failOnValidationError( @@ -138,13 +138,13 @@ public Response addMapping(AclMappingRequest request) { @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Removes an ACL mapping", - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the team or project could not be found"), }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteMapping( @ApiParam(value = "The UUID of the team to delete the mapping for", format = "uuid", required = true) @PathParam("teamUuid") @ValidUuid String teamUuid, diff --git a/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java b/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java index 09d4222f8..afd3ee000 100644 --- a/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/AnalysisResource.java @@ -121,13 +121,13 @@ public Response retrieveAnalysis(@ApiParam(value = "The UUID of the project", fo @ApiOperation( value = "Records an analysis decision", response = Analysis.class, - notes = "

Requires permission VULNERABILITY_ANALYSIS

" + notes = "

Requires permission VULNERABILITY_ANALYSIS or VULNERABILITY_ANALYSIS_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The project, component, or vulnerability could not be found") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_ANALYSIS) + @PermissionRequired({Permissions.Constants.VULNERABILITY_ANALYSIS, Permissions.Constants.VULNERABILITY_ANALYSIS_UPDATE}) public Response updateAnalysis(AnalysisRequest request) { final Validator validator = getValidator(); failOnValidationError( diff --git a/src/main/java/org/dependencytrack/resources/v1/BomResource.java b/src/main/java/org/dependencytrack/resources/v1/BomResource.java index fb37f1a06..044c91dc0 100644 --- a/src/main/java/org/dependencytrack/resources/v1/BomResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/BomResource.java @@ -219,8 +219,8 @@ public Response exportComponentAsCycloneDx( then the projectName and projectVersion must be specified. Optionally, if autoCreate is specified and true and the project does not exist, the project will be created. In this scenario, the principal making the request will - additionally need the PORTFOLIO_MANAGEMENT or - PROJECT_CREATION_UPLOAD permission. + additionally need the PORTFOLIO_MANAGEMENT, PORTFOLIO_MANAGEMENT_CREATE, + or PROJECT_CREATION_UPLOAD permission.

The BOM will be validated against the CycloneDX schema. If schema validation fails, @@ -264,7 +264,7 @@ public Response uploadBom(@ApiParam(required = true) BomSubmitRequest request) { try (QueryManager qm = new QueryManager()) { Project project = qm.getProject(request.getProjectName(), request.getProjectVersion()); if (project == null && request.isAutoCreate()) { - if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) { + if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) { Project parent = null; if (request.getParentUUID() != null || request.getParentName() != null) { if (request.getParentUUID() != null) { @@ -310,8 +310,8 @@ public Response uploadBom(@ApiParam(required = true) BomSubmitRequest request) { then the projectName and projectVersion must be specified. Optionally, if autoCreate is specified and true and the project does not exist, the project will be created. In this scenario, the principal making the request will - additionally need the PORTFOLIO_MANAGEMENT or - PROJECT_CREATION_UPLOAD permission. + additionally need the PORTFOLIO_MANAGEMENT, PORTFOLIO_MANAGEMENT_CREATE, + or PROJECT_CREATION_UPLOAD permission.

The BOM will be validated against the CycloneDX schema. If schema validation fails, @@ -349,7 +349,7 @@ public Response uploadBom(@FormDataParam("project") String projectUuid, final String trimmedProjectVersion = StringUtils.trimToNull(projectVersion); Project project = qm.getProject(trimmedProjectName, trimmedProjectVersion); if (project == null && autoCreate) { - if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) { + if (hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT) || hasPermission(Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE) || hasPermission(Permissions.Constants.PROJECT_CREATION_UPLOAD)) { Project parent = null; if (parentUUID != null || parentName != null) { if (parentUUID != null) { diff --git a/src/main/java/org/dependencytrack/resources/v1/ComponentPropertyResource.java b/src/main/java/org/dependencytrack/resources/v1/ComponentPropertyResource.java index 9a90a8c27..e4a5394d7 100644 --- a/src/main/java/org/dependencytrack/resources/v1/ComponentPropertyResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/ComponentPropertyResource.java @@ -101,7 +101,7 @@ public Response getProperties( value = "Creates a new component property", response = ComponentProperty.class, code = 201, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @@ -109,7 +109,7 @@ public Response getProperties( @ApiResponse(code = 404, message = "The component could not be found"), @ApiResponse(code = 409, message = "A property with the specified component/group/name combination already exists") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE}) public Response createProperty( @ApiParam(value = "The UUID of the component to create a property for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -159,14 +159,14 @@ public Response createProperty( @ApiOperation( value = "Deletes a config property", response = ComponentProperty.class, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The component or component property could not be found"), }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE}) public Response deleteProperty( @ApiParam(value = "The UUID of the component to delete a property from", format = "uuid", required = true) @PathParam("uuid") @ValidUuid final String componentUuid, diff --git a/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java b/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java index 9ebea2569..f784aa986 100644 --- a/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/ComponentResource.java @@ -339,14 +339,14 @@ public Response getComponentByHash( value = "Creates a new component", response = Component.class, code = 201, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response createComponent(@ApiParam(value = "The UUID of the project to create a component for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, Component jsonComponent) { final Validator validator = super.getValidator(); @@ -458,14 +458,14 @@ public Response createComponent(@ApiParam(value = "The UUID of the project to cr @ApiOperation( value = "Updates a component", response = Component.class, - notes = "
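Review bot: `createComponent` is gated on `PORTFOLIO_MANAGEMENT_UPDATE`, while `createProperty` in ComponentPropertyResource in this same patch is gated on `PORTFOLIO_MANAGEMENT_CREATE`, so a principal holding only the CREATE permission may add a property to a component but not a component to a project, and one holding only UPDATE may do the reverse. Both endpoints create a child of an existing object; pick one rule (creation of any portfolio object is CREATE, or creation of a child counts as UPDATE of the parent) and apply it to both. If UPDATE is intended here, record the reasoning in the notes, e.g. `Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE (adding a component modifies its parent project)`. The method body runs past the end of this hunk.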

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The UUID of the component could not be found"), }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response updateComponent(Component jsonComponent) { final Validator validator = super.getValidator(); failOnValidationError( @@ -578,14 +578,14 @@ public Response updateComponent(Component jsonComponent) { @ApiOperation( value = "Deletes a component", code = 204, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The UUID of the component could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE}) public Response deleteComponent( @ApiParam(value = "The UUID of the component to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -609,12 +609,12 @@ public Response deleteComponent( @ApiOperation( value = "Requests the identification of internal components in the portfolio", code = 204, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response identifyInternalComponents() { Event.dispatch(new InternalComponentIdentificationEvent()); return Response.status(Response.Status.NO_CONTENT).build(); diff --git a/src/main/java/org/dependencytrack/resources/v1/ConfigPropertyResource.java b/src/main/java/org/dependencytrack/resources/v1/ConfigPropertyResource.java index 4038b4916..4b64116ab 100644 --- a/src/main/java/org/dependencytrack/resources/v1/ConfigPropertyResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/ConfigPropertyResource.java @@ -55,12 +55,12 @@ public class ConfigPropertyResource extends AbstractConfigPropertyResource { value = "Returns a list of all ConfigProperties for the specified groupName", response = ConfigProperty.class, responseContainer = "List", - notes = "
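Review bot: `identifyInternalComponents` is now reachable with `SYSTEM_CONFIGURATION_READ`, yet its only effect is `Event.dispatch(new InternalComponentIdentificationEvent())`, which by the operation's own description requests identification of internal components across the whole portfolio, presumably a background job that modifies component data; a read-only principal should not be able to trigger a portfolio-wide task, and `analyzePortfolio` in FindingResource in this same patch gates the comparable trigger on `SYSTEM_CONFIGURATION_CREATE`. Change the annotation to `@PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE})` (or CREATE, to match analyzePortfolio) and update the notes string in the same hunk accordingly.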

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response getConfigProperties() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final List configProperties = qm.getConfigProperties(); @@ -84,13 +84,13 @@ public Response getConfigProperties() { @ApiOperation( value = "Updates a config property", response = ConfigProperty.class, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The config property could not be found"), }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE}) public Response updateConfigProperty(ConfigProperty json) { final Validator validator = super.getValidator(); failOnValidationError( @@ -112,13 +112,13 @@ public Response updateConfigProperty(ConfigProperty json) { value = "Updates an array of config properties", response = ConfigProperty.class, responseContainer = "List", - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "One or more config properties could not be found"), }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE}) public Response updateConfigProperty(List list) { final Validator validator = super.getValidator(); for (ConfigProperty item: list) { diff --git a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java index 81a8902ac..3159636a0 100644 --- a/src/main/java/org/dependencytrack/resources/v1/FindingResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/FindingResource.java @@ -169,13 +169,13 @@ public Response exportFindingsByProject(@ApiParam(value = "The UUID of the proje @Path("/portfolio/analyze") @ApiOperation( value = "Triggers Vulnerability Analysis for the entire portfolio", - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "Analysis is already in progress"), @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) // Require admin privileges due to system impact + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_CREATE}) // Require admin privileges due to system impact public Response analyzePortfolio() { LOGGER.info("Portfolio analysis requested by " + super.getPrincipal().getName()); if (Event.isEventBeingProcessed(PortfolioRepositoryMetaAnalysisEvent.CHAIN_IDENTIFIER)) { diff --git a/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java b/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java index 6f4abe28e..2e99bab12 100644 --- a/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/IntegrationResource.java @@ -47,12 +47,12 @@ public class IntegrationResource extends AlpineResource { value = "Returns a list of all ecosystems in OSV", response = String.class, responseContainer = "List", - notes = "
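Review bot: The retained trailing comment `// Require admin privileges due to system impact` is now stale: the annotation on that same line accepts `SYSTEM_CONFIGURATION_CREATE`, which per its description in Permissions.java is a create-only subset, not an admin privilege. Either keep this endpoint on the aggregate alone, since the comment's rationale is blast radius rather than a CRUD verb, or rewrite the comment to `// Portfolio-wide analysis: SYSTEM_CONFIGURATION or its CREATE subset, due to system impact`. The verb also differs from `identifyInternalComponents` in ComponentResource in this patch, which uses READ for a comparable portfolio-wide trigger; the two should agree. The method body continues past the end of this hunk.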

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response getAllEcosystems() { OsvDownloadTask osvDownloadTask = new OsvDownloadTask(); final List ecosystems = osvDownloadTask.getEcosystems(); @@ -66,12 +66,12 @@ public Response getAllEcosystems() { value = "Returns a list of available inactive ecosystems in OSV to be selected by user", response = String.class, responseContainer = "List", - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response getInactiveEcosystems() { OsvDownloadTask osvDownloadTask = new OsvDownloadTask(); var selectedEcosystems = osvDownloadTask.getEnabledEcosystems(); diff --git a/src/main/java/org/dependencytrack/resources/v1/LdapResource.java b/src/main/java/org/dependencytrack/resources/v1/LdapResource.java index 9d992f3cd..578e12cec 100644 --- a/src/main/java/org/dependencytrack/resources/v1/LdapResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/LdapResource.java @@ -78,12 +78,12 @@ public class LdapResource extends AlpineResource { This API performs a pass-through query to the configured LDAP server. Search criteria results are cached using default Alpine CacheManager policy.

-

Requires permission ACCESS_MANAGEMENT

""" +

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

""" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response retrieveLdapGroups() { if (!LdapConnectionWrapper.LDAP_CONFIGURED) { return Response.ok().build(); @@ -123,13 +123,13 @@ public Response retrieveLdapGroups() { value = "Returns the DNs of all groups mapped to the specified team", response = String.class, responseContainer = "List", - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the team could not be found"), }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response retrieveLdapGroups(@ApiParam(value = "The UUID of the team to retrieve mappings for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { try (QueryManager qm = new QueryManager()) { @@ -149,14 +149,14 @@ public Response retrieveLdapGroups(@ApiParam(value = "The UUID of the team to re @ApiOperation( value = "Adds a mapping", response = MappedLdapGroup.class, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the team could not be found"), @ApiResponse(code = 409, message = "A mapping with the same team and dn already exists") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response addMapping(MappedLdapGroupRequest request) { final Validator validator = super.getValidator(); failOnValidationError( @@ -184,13 +184,13 @@ public Response addMapping(MappedLdapGroupRequest request) { @ApiOperation( value = "Removes a mapping", response = MappedLdapGroup.class, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the mapping could not be found"), }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteMapping( @ApiParam(value = "The UUID of the mapping to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { diff --git a/src/main/java/org/dependencytrack/resources/v1/LicenseGroupResource.java b/src/main/java/org/dependencytrack/resources/v1/LicenseGroupResource.java index 563fce13b..020a9a036 100644 --- a/src/main/java/org/dependencytrack/resources/v1/LicenseGroupResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/LicenseGroupResource.java @@ -66,13 +66,13 @@ public class LicenseGroupResource extends AlpineResource { response = LicenseGroup.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of license groups"), - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_READ

" ) @PaginatedApi @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_READ}) public Response getLicenseGroups() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final PaginatedResult result = qm.getLicenseGroups(); @@ -86,13 +86,13 @@ public Response getLicenseGroups() { @ApiOperation( value = "Returns a specific license group", response = License.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The license group could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_READ}) public Response getLicenseGroup( @ApiParam(value = "The UUID of the license group to retrieve", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -113,13 +113,13 @@ public Response getLicenseGroup( value = "Creates a new license group", response = LicenseGroup.class, code = 201, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A license group with the specified name already exists") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_CREATE}) public Response createLicenseGroup(LicenseGroup jsonLicenseGroup) { final Validator validator = super.getValidator(); failOnValidationError( @@ -143,13 +143,13 @@ public Response createLicenseGroup(LicenseGroup jsonLicenseGroup) { @ApiOperation( value = "Updates a license group", response = LicenseGroup.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The license group could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response updateLicenseGroup(LicenseGroup jsonLicenseGroup) { final Validator validator = super.getValidator(); failOnValidationError( @@ -174,13 +174,13 @@ public Response updateLicenseGroup(LicenseGroup jsonLicenseGroup) { @ApiOperation( value = "Deletes a license group", code = 204, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the license group could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_DELETE}) public Response deleteLicenseGroup( @ApiParam(value = "The UUID of the license group to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -202,14 +202,14 @@ public Response deleteLicenseGroup( @ApiOperation( value = "Adds the license to the specified license group.", response = LicenseGroup.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The license group already has the specified license assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The license group or license could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response addLicenseToLicenseGroup( @ApiParam(value = "A valid license group", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -242,14 +242,14 @@ public Response addLicenseToLicenseGroup( @ApiOperation( value = "Removes the license from the license group.", response = LicenseGroup.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The license is not a member with the license group"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The license group or license could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response removeLicenseFromLicenseGroup( @ApiParam(value = "A valid license group", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, diff --git a/src/main/java/org/dependencytrack/resources/v1/LicenseResource.java b/src/main/java/org/dependencytrack/resources/v1/LicenseResource.java index 765488a4b..75b27ebd7 100644 --- a/src/main/java/org/dependencytrack/resources/v1/LicenseResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/LicenseResource.java @@ -123,13 +123,13 @@ public Response getLicense( @ApiOperation( value = "Creates a new custom license", response = License.class, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A license with the specified ID already exists.") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_CREATE}) public Response createLicense(License jsonLicense) { final Validator validator = super.getValidator(); failOnValidationError( @@ -154,14 +154,14 @@ public Response createLicense(License jsonLicense) { @ApiOperation( value = "Deletes a custom license", code = 204, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The license could not be found"), @ApiResponse(code = 409, message = "Only custom licenses can be deleted.") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_DELETE}) public Response deleteLicense( @ApiParam(value = "The SPDX License ID of the license to delete", required = true) @PathParam("licenseId") String licenseId) { diff --git a/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java b/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java index 4c342772a..836070b88 100644 --- a/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/MetricsResource.java @@ -159,12 +159,12 @@ public Response getPortfolioMetricsXDays( @ApiOperation( value = "Requests a refresh of the portfolio metrics", response = PortfolioMetrics.class, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_READ}) public Response RefreshPortfolioMetrics() { Event.dispatch(new PortfolioMetricsUpdateEvent()); return Response.ok().build(); @@ -259,14 +259,14 @@ public Response getProjectMetricsXDays( @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Requests a refresh of a specific projects metrics", - notes = "
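Review bot: `RefreshPortfolioMetrics` is gated on `PORTFOLIO_MANAGEMENT_READ`, yet its visible body dispatches a `PortfolioMetricsUpdateEvent`, i.e. it triggers a portfolio-wide recomputation rather than reading anything. Under a CRUD split a read-only principal being able to kick off that work is surprising, and it blurs the line the patch is trying to draw; `PORTFOLIO_MANAGEMENT_UPDATE` seems the better fit, or the choice should be stated in the notes, e.g. `Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_READ; this endpoint only schedules a metrics recalculation`. The same READ-for-a-refresh mapping appears in the `@@ -259` (`RefreshProjectMetrics`) and `@@ -377` (`RefreshComponentMetrics`) hunks of this file, whose bodies continue outside the hunk.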

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_READ}) public Response RefreshProjectMetrics( @ApiParam(value = "The UUID of the project to refresh metrics on", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -377,14 +377,14 @@ public Response getComponentMetricsXDays( @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Requests a refresh of a specific components metrics", - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The component could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_READ}) public Response RefreshComponentMetrics( @ApiParam(value = "The UUID of the component to refresh metrics on", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { diff --git a/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java b/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java index 7cf337388..f1ea55fac 100644 --- a/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/NotificationPublisherResource.java @@ -70,12 +70,12 @@ public class NotificationPublisherResource extends AlpineResource { value = "Returns a list of all notification publishers", response = NotificationPublisher.class, responseContainer = "List", - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response getAllNotificationPublishers() { try (QueryManager qm = new QueryManager()) { final List publishers = qm.getAllNotificationPublishers(); @@ -90,14 +90,14 @@ public Response getAllNotificationPublishers() { value = "Creates a new notification publisher", response = NotificationPublisher.class, code = 201, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Invalid notification class or trying to modify a default publisher"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "Conflict with an existing publisher's name") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_CREATE}) public Response createNotificationPublisher(NotificationPublisher jsonNotificationPublisher) { final Validator validator = super.getValidator(); failOnValidationError( @@ -137,7 +137,7 @@ public Response createNotificationPublisher(NotificationPublisher jsonNotificati @ApiOperation( value = "Updates a notification publisher", response = NotificationRule.class, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Invalid notification class or trying to modify a default publisher"), @@ -145,7 +145,7 @@ public Response createNotificationPublisher(NotificationPublisher jsonNotificati @ApiResponse(code = 404, message = "The notification publisher could not be found"), @ApiResponse(code = 409, message = "Conflict with an existing publisher's name") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE}) public Response updateNotificationPublisher(NotificationPublisher jsonNotificationPublisher) { final Validator validator = super.getValidator(); failOnValidationError( @@ -197,14 +197,14 @@ public Response updateNotificationPublisher(NotificationPublisher jsonNotificati @ApiOperation( value = "Deletes a notification publisher and all related notification rules", code = 204, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Deleting a default notification publisher is forbidden"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the notification publisher could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_DELETE}) public Response deleteNotificationPublisher(@ApiParam(value = "The UUID of the notification publisher to delete", format = "uuid", required = true) @PathParam("notificationPublisherUuid") @ValidUuid String notificationPublisherUuid) { try (QueryManager qm = new QueryManager()) { @@ -228,12 +228,12 @@ public Response deleteNotificationPublisher(@ApiParam(value = "The UUID of the n @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Restore the default notification publisher templates using the ones in the solution classpath", - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_CREATE}) public Response restoreDefaultTemplates() { try (QueryManager qm = new QueryManager()) { final ConfigProperty property = qm.getConfigProperty( diff --git a/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java b/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java index 2387c7437..b38eb0cf8 100644 --- a/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/NotificationRuleResource.java @@ -71,13 +71,13 @@ public class NotificationRuleResource extends AlpineResource { response = NotificationRule.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of notification rules"), - notes = "
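Review bot: `restoreDefaultTemplates` is gated on `SYSTEM_CONFIGURATION_CREATE`, but by its own description it restores (overwrites) the existing default publisher templates, which is a modification of existing configuration rather than creation of a new publisher. Elsewhere in this patch mutations of existing objects use the `_UPDATE` variant (`updateNotificationPublisher` in `@@ -145`), so `SYSTEM_CONFIGURATION_UPDATE` would keep the mapping consistent: `@PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE})` with the notes string adjusted to match. If CREATE is intentional, a short comment on the annotation saying why would stop the next reader from "fixing" it. The method body continues outside the hunk.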

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

" ) @PaginatedApi @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response getAllNotificationRules() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final PaginatedResult result = qm.getNotificationRules(); @@ -92,13 +92,13 @@ public Response getAllNotificationRules() { value = "Creates a new notification rule", response = NotificationRule.class, code = 201, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the notification publisher could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_CREATE}) public Response createNotificationRule(NotificationRule jsonRule) { final Validator validator = super.getValidator(); failOnValidationError( @@ -129,13 +129,13 @@ public Response createNotificationRule(NotificationRule jsonRule) { @ApiOperation( value = "Updates a notification rule", response = NotificationRule.class, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the notification rule could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE}) public Response updateNotificationRule(NotificationRule jsonRule) { final Validator validator = super.getValidator(); failOnValidationError( @@ -161,13 +161,13 @@ public Response updateNotificationRule(NotificationRule jsonRule) { @ApiOperation( value = "Deletes a notification rule", code = 204, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the notification rule could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_DELETE}) public Response deleteNotificationRule(NotificationRule jsonRule) { try (QueryManager qm = new QueryManager()) { final NotificationRule rule = qm.getObjectByUuid(NotificationRule.class, jsonRule.getUuid()); @@ -187,14 +187,14 @@ public Response deleteNotificationRule(NotificationRule jsonRule) { @ApiOperation( value = "Adds a project to a notification rule", response = NotificationRule.class, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The rule already has the specified project assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The notification rule or project could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE}) public Response addProjectToRule( @ApiParam(value = "The UUID of the rule to add a project to", format = "uuid", required = true) @PathParam("ruleUuid") @ValidUuid String ruleUuid, @@ -229,14 +229,14 @@ public Response addProjectToRule( @ApiOperation( value = "Removes a project from a notification rule", response = NotificationRule.class, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The rule does not have the specified project assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The notification rule or project could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_DELETE}) public Response removeProjectFromRule( @ApiParam(value = "The UUID of the rule to remove the project from", format = "uuid", required = true) @PathParam("ruleUuid") @ValidUuid String ruleUuid, @@ -271,14 +271,14 @@ public Response removeProjectFromRule( @ApiOperation( value = "Adds a team to a notification rule", response = NotificationRule.class, - notes = "
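Review bot: `removeProjectFromRule` is gated on `SYSTEM_CONFIGURATION_DELETE` while `addProjectToRule` in the preceding `@@ -187` hunk is gated on `SYSTEM_CONFIGURATION_UPDATE`, so a principal holding only the UPDATE permission can attach a project to a rule but can never detach it again. Removing a project from a rule mutates the rule rather than deleting it, and this same patch already treats the analogous `removeLicenseFromLicenseGroup` (LicenseGroupResource `@@ -242`) as `POLICY_MANAGEMENT_UPDATE`, so `SYSTEM_CONFIGURATION_UPDATE` would be the consistent choice here: `@PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE})` plus the matching notes string. The same add-UPDATE/remove-DELETE asymmetry recurs in `@@ -313` (`removeTeamFromRule`) and in PermissionResource `@@ -125` (`removePermissionFromUser` versus `addPermissionToUser`). The method bodies continue outside the hunks.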

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The rule already has the specified team assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The notification rule or team could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE}) public Response addTeamToRule( @ApiParam(value = "The UUID of the rule to add a team to", format = "uuid", required = true) @PathParam("ruleUuid") @ValidUuid String ruleUuid, @@ -313,14 +313,14 @@ public Response addTeamToRule( @ApiOperation( value = "Removes a team from a notification rule", response = NotificationRule.class, - notes = "

Requires permission SYSTEM_CONFIGURATION

" + notes = "

Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The rule does not have the specified team assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The notification rule or team could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_DELETE}) public Response removeTeamFromRule( @ApiParam(value = "The UUID of the rule to remove the project from", format = "uuid", required = true) @PathParam("ruleUuid") @ValidUuid String ruleUuid, diff --git a/src/main/java/org/dependencytrack/resources/v1/OidcResource.java b/src/main/java/org/dependencytrack/resources/v1/OidcResource.java index 9a6f9170f..f0b9c49e9 100644 --- a/src/main/java/org/dependencytrack/resources/v1/OidcResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/OidcResource.java @@ -82,12 +82,12 @@ public Response isAvailable() { value = "Returns a list of all groups", response = OidcGroup.class, responseContainer = "List", - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response retrieveGroups() { try (QueryManager qm = new QueryManager()) { final List oidcGroups = qm.getOidcGroups(); @@ -103,12 +103,12 @@ public Response retrieveGroups() { value = "Creates group", response = OidcGroup.class, code = 201, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response createGroup(final OidcGroup jsonGroup) { final Validator validator = super.getValidator(); failOnValidationError( @@ -133,12 +133,12 @@ public Response createGroup(final OidcGroup jsonGroup) { @ApiOperation( value = "Updates group", response = OidcGroup.class, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE}) public Response updateGroup(final OidcGroup jsonGroup) { final Validator validator = super.getValidator(); failOnValidationError( @@ -165,13 +165,13 @@ public Response updateGroup(final OidcGroup jsonGroup) { @ApiOperation( value = "Deletes a group", code = 204, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The group could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteGroup(@ApiParam(value = "The UUID of the group to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid final String uuid) { try (QueryManager qm = new QueryManager()) { @@ -194,13 +194,13 @@ public Response deleteGroup(@ApiParam(value = "The UUID of the group to delete", value = "Returns a list of teams associated with the specified group", response = Team.class, responseContainer = "List", - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the mapping could not be found"), }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response retrieveTeamsMappedToGroup(@ApiParam(value = "The UUID of the mapping to retrieve the team for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid final String uuid) { try (final QueryManager qm = new QueryManager()) { @@ -223,14 +223,14 @@ public Response retrieveTeamsMappedToGroup(@ApiParam(value = "The UUID of the ma @ApiOperation( value = "Adds a mapping", response = MappedOidcGroup.class, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the team or group could not be found"), @ApiResponse(code = 409, message = "A mapping with the same team and group name already exists") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response addMapping(final MappedOidcGroupRequest request) { final Validator validator = super.getValidator(); failOnValidationError( @@ -265,13 +265,13 @@ public Response addMapping(final MappedOidcGroupRequest request) { @ApiOperation( value = "Deletes a mapping", code = 204, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the mapping could not be found"), }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteMappingByUuid(@ApiParam(value = "The UUID of the mapping to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid final String uuid) { try (QueryManager qm = new QueryManager()) { @@ -292,13 +292,13 @@ public Response deleteMappingByUuid(@ApiParam(value = "The UUID of the mapping t @ApiOperation( value = "Deletes a mapping", code = 204, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the mapping could not be found"), }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteMapping(@ApiParam(value = "The UUID of the group to delete a mapping for", format = "uuid", required = true) @PathParam("groupUuid") @ValidUuid final String groupUuid, @ApiParam(value = "The UUID of the team to delete a mapping for", format = "uuid", required = true) diff --git a/src/main/java/org/dependencytrack/resources/v1/PermissionResource.java b/src/main/java/org/dependencytrack/resources/v1/PermissionResource.java index 02e2cc168..9f42bf474 100644 --- a/src/main/java/org/dependencytrack/resources/v1/PermissionResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/PermissionResource.java @@ -64,12 +64,12 @@ public class PermissionResource extends AlpineResource { value = "Returns a list of all permissions", response = alpine.model.Permission.class, responseContainer = "List", - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response getAllPermissions() { try (QueryManager qm = new QueryManager()) { final List permissions = qm.getPermissions(); @@ -84,14 +84,14 @@ public Response getAllPermissions() { @ApiOperation( value = "Adds the permission to the specified username.", response = UserPrincipal.class, - notes = "
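Review bot: The notes now promise that either ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ is sufficient, which relies on the authorization filter treating a multi-valued `@PermissionRequired({...})` as any-of rather than all-of; the hunk itself cannot show which semantics the filter implements. Every endpoint in this PR depends on that reading, so if it were all-of, existing API keys holding only the legacy ACCESS_MANAGEMENT would start receiving 403 on every route touched here. A test that calls one endpoint with a principal holding only the legacy permission and again with one holding only the new READ permission would pin the semantics and protect against a later filter change. The body of getAllPermissions continues outside the hunk.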

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The user already has the specified permission assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE}) public Response addPermissionToUser( @ApiParam(value = "A valid username", required = true) @PathParam("username") String username, @@ -125,14 +125,14 @@ public Response addPermissionToUser( @ApiOperation( value = "Removes the permission from the user.", response = UserPrincipal.class, - notes = "
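Review bot: Gating addPermissionToUser on `@PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE})` lets a principal holding only ACCESS_MANAGEMENT_UPDATE grant any permission, including ACCESS_MANAGEMENT itself, to any username (including its own), so the new UPDATE permission is transitively equivalent to full access management rather than a lesser privilege. That undercuts the least-privilege goal of the decomposition; either keep this endpoint at `@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)` or, in the method body (outside this hunk), reject grants of any permission the caller does not itself hold. Whichever is chosen, the notes should state the restriction, since the current wording implies UPDATE alone suffices for every grant.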

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The user already has the specified permission assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response removePermissionFromUser( @ApiParam(value = "A valid username", required = true) @PathParam("username") String username, @@ -166,14 +166,14 @@ public Response removePermissionFromUser( @ApiOperation( value = "Adds the permission to the specified team.", response = Team.class, - notes = "

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The team already has the specified permission assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE}) public Response addPermissionToTeam( @ApiParam(value = "A valid team uuid", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -207,14 +207,14 @@ public Response addPermissionToTeam( @ApiOperation( value = "Removes the permission from the team.", response = Team.class, - notes = "
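Review bot: Allowing ACCESS_MANAGEMENT_UPDATE on addPermissionToTeam means a caller with only that permission can attach any permission to any team, presumably including a team whose API key the caller holds, and since createTeam in this PR issues an API key with each new team under ACCESS_MANAGEMENT_CREATE, a principal with CREATE plus UPDATE can mint a fully privileged credential without ever holding ACCESS_MANAGEMENT. Consider keeping this endpoint at `@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)`, or checking in the body (outside this hunk) that each granted permission is one the caller already holds, and documenting that rule in the notes. If the escalation path is accepted as a known trade-off, a comment on the annotation saying so would help the next reader.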

Requires permission ACCESS_MANAGEMENT

" + notes = "

Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The team already has the specified permission assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response removePermissionFromTeam( @ApiParam(value = "A valid team uuid", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, diff --git a/src/main/java/org/dependencytrack/resources/v1/PolicyConditionResource.java b/src/main/java/org/dependencytrack/resources/v1/PolicyConditionResource.java index 9bfdf2036..457f72b4d 100644 --- a/src/main/java/org/dependencytrack/resources/v1/PolicyConditionResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/PolicyConditionResource.java @@ -68,16 +68,16 @@ public class PolicyConditionResource extends AlpineResource { @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) @ApiOperation( - value = "Creates a new policy condition", + value = "Creates a new policy condition for an existing policy", response = PolicyCondition.class, code = 201, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the policy could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response createPolicyCondition( @ApiParam(value = "The UUID of the policy", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -107,13 +107,13 @@ public Response createPolicyCondition( @ApiOperation( value = "Updates a policy condition", response = PolicyCondition.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the policy condition could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response updatePolicyCondition(PolicyCondition jsonPolicyCondition) { final Validator validator = super.getValidator(); failOnValidationError( @@ -136,15 +136,15 @@ public Response updatePolicyCondition(PolicyCondition jsonPolicyCondition) { @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) @ApiOperation( - value = "Deletes a policy condition", + value = "Deletes a policy condition from an existing policy", code = 204, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the policy condition could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response deletePolicyCondition( @ApiParam(value = "The UUID of the policy condition to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { diff --git a/src/main/java/org/dependencytrack/resources/v1/PolicyResource.java b/src/main/java/org/dependencytrack/resources/v1/PolicyResource.java index 9daf1f91e..674116769 100644 --- a/src/main/java/org/dependencytrack/resources/v1/PolicyResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/PolicyResource.java @@ -67,13 +67,13 @@ public class PolicyResource extends AlpineResource { response = Policy.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of policies"), - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_READ

" ) @PaginatedApi @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_READ}) public Response getPolicies() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final PaginatedResult result = qm.getPolicies(); @@ -87,13 +87,13 @@ public Response getPolicies() { @ApiOperation( value = "Returns a specific policy", response = Policy.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The policy could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_READ}) public Response getPolicy( @ApiParam(value = "The UUID of the policy to retrieve", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -114,13 +114,13 @@ public Response getPolicy( value = "Creates a new policy", response = Policy.class, code = 201, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_CREATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A policy with the specified name already exists") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_CREATE}) public Response createPolicy(Policy jsonPolicy) { final Validator validator = super.getValidator(); failOnValidationError( @@ -154,13 +154,13 @@ public Response createPolicy(Policy jsonPolicy) { @ApiOperation( value = "Updates a policy", response = Policy.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The policy could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response updatePolicy(Policy jsonPolicy) { final Validator validator = super.getValidator(); failOnValidationError( @@ -188,13 +188,13 @@ public Response updatePolicy(Policy jsonPolicy) { @ApiOperation( value = "Deletes a policy", code = 204, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the policy could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_DELETE}) public Response deletePolicy( @ApiParam(value = "The UUID of the policy to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -216,14 +216,14 @@ public Response deletePolicy( @ApiOperation( value = "Adds a project to a policy", response = Policy.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The policy already has the specified project assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The policy or project could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response addProjectToPolicy( @ApiParam(value = "The UUID of the policy to add a project to", format = "uuid", required = true) @PathParam("policyUuid") @ValidUuid String policyUuid, @@ -255,14 +255,14 @@ public Response addProjectToPolicy( @ApiOperation( value = "Removes a project from a policy", response = Policy.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The policy does not have the specified project assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The policy or project could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_DELETE}) public Response removeProjectFromPolicy( @ApiParam(value = "The UUID of the policy to remove the project from", format = "uuid", required = true) @PathParam("policyUuid") @ValidUuid String policyUuid, @@ -294,14 +294,14 @@ public Response removeProjectFromPolicy( @ApiOperation( value = "Adds a tag to a policy", response = Policy.class, - notes = "
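Review bot: removeProjectFromPolicy is gated on POLICY_MANAGEMENT_DELETE while addProjectToPolicy earlier in this file is gated on POLICY_MANAGEMENT_UPDATE, so an UPDATE-only principal can attach a project but never detach it, and a DELETE-only principal can narrow a policy's scope, which presumably stops that policy from being evaluated for the detached project, without being able to edit or delete the policy itself. Detaching a project modifies the policy rather than deleting anything, and PolicyConditionResource in this same PR treats deleting a condition as POLICY_MANAGEMENT_UPDATE, so I would use `@PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE})` here and in removeTagFromPolicy below, with the notes updated to match. The CRUD mapping for sub-resource operations should be stated once (e.g. on the constants in Permissions.java) rather than decided per endpoint.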

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The policy already has the specified tag assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The policy or tag could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response addTagToPolicy( @ApiParam(value = "The UUID of the policy to add a project to", format = "uuid", required = true) @PathParam("policyUuid") @ValidUuid String policyUuid, @@ -334,14 +334,14 @@ public Response addTagToPolicy( @ApiOperation( value = "Removes a tag from a policy", response = Policy.class, - notes = "

Requires permission POLICY_MANAGEMENT

" + notes = "

Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The policy does not have the specified tag assigned"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The policy or tag could not be found") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_DELETE}) public Response removeTagFromPolicy( @ApiParam(value = "The UUID of the policy to remove the tag from", format = "uuid", required = true) @PathParam("policyUuid") @ValidUuid String policyUuid, diff --git a/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java b/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java index 8c6c386e4..a58d70e41 100644 --- a/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/ProjectPropertyResource.java @@ -61,14 +61,14 @@ public class ProjectPropertyResource extends AbstractConfigPropertyResource { value = "Returns a list of all ProjectProperties for the specified project", response = ProjectProperty.class, responseContainer = "List", - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_READ

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_READ}) public Response getProperties( @ApiParam(value = "The UUID of the project to retrieve properties for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -104,7 +104,7 @@ public Response getProperties( value = "Creates a new project property", response = ProjectProperty.class, code = 201, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @@ -112,7 +112,7 @@ public Response getProperties( @ApiResponse(code = 404, message = "The project could not be found"), @ApiResponse(code = 409, message = "A property with the specified project/group/name combination already exists") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response createProperty( @ApiParam(value = "The UUID of the project to create a property for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -161,14 +161,14 @@ public Response createProperty( @ApiOperation( value = "Updates a project property", response = ProjectProperty.class, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found"), }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response updateProperty( @ApiParam(value = "The UUID of the project to create a property for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -204,14 +204,14 @@ public Response updateProperty( @ApiOperation( value = "Deletes a config property", response = ProjectProperty.class, - notes = "

Requires permission PORTFOLIO_MANAGEMENT

" + notes = "

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_DELETE

" ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project or project property could not be found"), }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE}) public Response deleteProperty( @ApiParam(value = "The UUID of the project to delete a property from", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, diff --git a/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java b/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java index 5e959b5b4..91f39c51e 100644 --- a/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/ProjectResource.java @@ -211,6 +211,7 @@ public Response getProjectChildrenConcise( @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) + @PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO) public Response getProject( @ApiParam(value = "The UUID of the project to retrieve", format = "uuid", required = true) @@ -330,7 +331,7 @@ public Response getProjectsByClassifier( value = "Creates a new project", notes = """
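Review bot: deleteProperty requires PORTFOLIO_MANAGEMENT_DELETE while createProperty and updateProperty in this file require PORTFOLIO_MANAGEMENT_UPDATE, so an UPDATE holder can add and overwrite a project property but cannot remove it, and removing one property demands the same permission that deletes whole projects. A property is an attribute of its project rather than a portfolio object in its own right, so `@PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE})` with matching notes would keep all three property operations at one privilege level. If the DELETE mapping is intentional, a one-line comment on the annotation explaining why would save the next reader the same question. The method body is outside this hunk.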
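Review bot: The `@PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO)` added to getProject is not reflected in the operation's `@ApiOperation` notes, unlike every other endpoint touched in this PR, so the generated API documentation will not tell clients which permission this route needs; add a `Requires permission VIEW_PORTFOLIO` line to the notes in the same form as the other operations. If getProject was previously reachable by any authenticated principal, this is a behaviour change that deserves a sentence in the PR description, since API keys lacking VIEW_PORTFOLIO will now receive 403 where they used to get a project. Both the annotation's operation metadata and the method body lie outside this hunk.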

If a parent project exists, parent.uuid is required

-

Requires permission PORTFOLIO_MANAGEMENT

""", +

Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_CREATE

""", response = Project.class, code = 201 ) @@ -342,7 +343,7 @@ public Response getProjectsByClassifier(
  • A project with the specified name already exists
  • """), }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE}) public Response createProject(Project jsonProject) { final Validator validator = super.getValidator(); failOnValidationError( @@ -392,7 +393,7 @@ public Response createProject(Project jsonProject) { @ApiOperation( value = "Updates a project", response = Project.class, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @@ -405,7 +406,7 @@ public Response createProject(Project jsonProject) {
  • A project cannot select itself as a parent
  • """) }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response updateProject(Project jsonProject) { final Validator validator = super.getValidator(); failOnValidationError( @@ -462,7 +463,7 @@ public Response updateProject(Project jsonProject) { @ApiOperation( value = "Partially updates a project", response = Project.class, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @@ -475,7 +476,7 @@ public Response updateProject(Project jsonProject) {
  • A project cannot select itself as a parent
  • """) }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response patchProject( @ApiParam(value = "The UUID of the project to modify", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -598,7 +599,7 @@ private boolean setIfDifferent(final Project source, final Project target, f @ApiOperation( value = "Deletes a project", code = 204, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @@ -606,7 +607,7 @@ private boolean setIfDifferent(final Project source, final Project target, f @ApiResponse(code = 404, message = "The UUID of the project could not be found"), @ApiResponse(code = 500, message = "Unable to delete components of the project") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE}) public Response deleteProject( @ApiParam(value = "The UUID of the project to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -635,13 +636,13 @@ public Response deleteProject( @ApiOperation( value = "Clones a project", response = Project.class, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the project could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE}) public Response cloneProject(CloneProjectRequest jsonRequest) { final Validator validator = super.getValidator(); failOnValidationError( diff --git a/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java b/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java index ed09143a8..08f8a3055 100644 --- a/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/RepositoryResource.java @@ -72,13 +72,13 @@ public class RepositoryResource extends AlpineResource { response = Repository.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of repositories"), - notes = "

    Requires permission SYSTEM_CONFIGURATION

    " + notes = "

    Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

    " ) @PaginatedApi @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response getRepositories() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final PaginatedResult result = qm.getRepositories(); @@ -94,13 +94,13 @@ public Response getRepositories() { response = Repository.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of repositories"), - notes = "
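Review bot: getRepositories is now open to SYSTEM_CONFIGURATION_READ, and repository entries can carry credentials for authenticated registries; whether that is safe for a read-only role depends on the password field being kept out of the JSON response, which nothing in this hunk shows. Confirm that the Repository model serializes the credential write-only (or that this resource blanks it) before exposing the listing to a READ role, and record the guarantee in the notes, e.g. `Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ. Stored credentials are not returned.` The same check applies to getRepositoriesByType below. The method body is outside this hunk.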

    Requires permission SYSTEM_CONFIGURATION

    " + notes = "

    Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_READ

    " ) @PaginatedApi @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_READ}) public Response getRepositoriesByType( @ApiParam(value = "The type of repositories to retrieve", required = true) @PathParam("type") RepositoryType type) { @@ -154,13 +154,13 @@ public Response getRepositoryMetaComponent( value = "Creates a new repository", response = Repository.class, code = 201, - notes = "

    Requires permission SYSTEM_CONFIGURATION

    " + notes = "

    Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A repository with the specified identifier already exists") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_CREATE}) public Response createRepository(Repository jsonRepository) { final Validator validator = super.getValidator(); failOnValidationError( @@ -196,13 +196,13 @@ public Response createRepository(Repository jsonRepository) { @ApiOperation( value = "Updates a repository", response = Repository.class, - notes = "

    Requires permission SYSTEM_CONFIGURATION

    " + notes = "

    Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the repository could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE}) public Response updateRepository(Repository jsonRepository) { final Validator validator = super.getValidator(); failOnValidationError(validator.validateProperty(jsonRepository, "identifier"), @@ -241,13 +241,13 @@ public Response updateRepository(Repository jsonRepository) { @ApiOperation( value = "Deletes a repository", code = 204, - notes = "

    Requires permission SYSTEM_CONFIGURATION

    " + notes = "

    Requires permission SYSTEM_CONFIGURATION or SYSTEM_CONFIGURATION_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The UUID of the repository could not be found") }) - @PermissionRequired(Permissions.Constants.SYSTEM_CONFIGURATION) + @PermissionRequired({Permissions.Constants.SYSTEM_CONFIGURATION, Permissions.Constants.SYSTEM_CONFIGURATION_DELETE}) public Response deleteRepository( @ApiParam(value = "The UUID of the repository to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { diff --git a/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java b/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java index 998f0fe6c..c0d4d07a9 100644 --- a/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/ServiceResource.java @@ -133,14 +133,14 @@ public Response getServiceByUuid( value = "Creates a new service", response = ServiceComponent.class, code = 201, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE}) public Response createService(@ApiParam(value = "The UUID of the project", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, ServiceComponent jsonService) { final Validator validator = super.getValidator(); @@ -186,14 +186,14 @@ public Response createService(@ApiParam(value = "The UUID of the project", forma @ApiOperation( value = "Updates a service", response = ServiceComponent.class, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified service is forbidden"), @ApiResponse(code = 404, message = "The UUID of the service could not be found"), }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response updateService(ServiceComponent jsonService) { final Validator validator = super.getValidator(); failOnValidationError( @@ -237,14 +237,14 @@ public Response updateService(ServiceComponent jsonService) { @ApiOperation( value = "Deletes a service", code = 204, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified service is forbidden"), @ApiResponse(code = 404, message = "The UUID of the service could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE}) public Response deleteService( @ApiParam(value = "The UUID of the service to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { diff --git a/src/main/java/org/dependencytrack/resources/v1/TeamResource.java b/src/main/java/org/dependencytrack/resources/v1/TeamResource.java index 9ac8c29db..3400e12e1 100644 --- a/src/main/java/org/dependencytrack/resources/v1/TeamResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/TeamResource.java @@ -71,12 +71,12 @@ public class TeamResource extends AlpineResource { response = Team.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of teams"), - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response getTeams() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final long totalCount = qm.getCount(Team.class); @@ -91,13 +91,13 @@ public Response getTeams() { @ApiOperation( value = "Returns a specific team", response = Team.class, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response getTeam( @ApiParam(value = "The UUID of the team to retrieve", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -118,12 +118,12 @@ public Response getTeam( value = "Creates a new team along with an associated API key", response = Team.class, code = 201, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) //public Response createTeam(String jsonRequest) { public Response createTeam(Team jsonTeam) { //Team team = MapperUtil.readAsObjectOf(Team.class, jsonRequest); @@ -145,13 +145,13 @@ public Response createTeam(Team jsonTeam) { @ApiOperation( value = "Updates a team's fields including", response = Team.class, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE}) public Response updateTeam(Team jsonTeam) { final Validator validator = super.getValidator(); failOnValidationError( @@ -177,13 +177,13 @@ public Response updateTeam(Team jsonTeam) { @ApiOperation( value = "Deletes a team", code = 204, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteTeam(Team jsonTeam) { try (QueryManager qm = new QueryManager()) { final Team team = qm.getObjectByUuid(Team.class, jsonTeam.getUuid(), Team.FetchGroup.ALL.name()); @@ -205,13 +205,13 @@ public Response deleteTeam(Team jsonTeam) { value = "Generates an API key and returns its value", response = ApiKey.class, code = 201, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response generateApiKey( @ApiParam(value = "The UUID of the team to generate a key for", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -232,13 +232,13 @@ public Response generateApiKey( @ApiOperation( value = "Regenerates an API key by removing the specified key, generating a new one and returning its value", response = ApiKey.class, - notes = "
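Review bot: Granting generateApiKey to ACCESS_MANAGEMENT_CREATE lets a principal holding that single permission mint a key for any team, including a team that holds ACCESS_MANAGEMENT or other permissions the caller lacks, and then authenticate with that key; the `_CREATE` split therefore does not reduce privilege the way the `_READ` split does. Either state in the ACCESS_MANAGEMENT_CREATE description (in Permissions.java, outside this chunk) that it is effectively admin-equivalent, or add a check before key generation that every permission of the target team is also held by the caller and otherwise return 403. This assumes teams carry permissions as elsewhere in the model; generateApiKey's body continues outside the hunk.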

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The API key could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response regenerateApiKey( @ApiParam(value = "The API key to regenerate", required = true) @PathParam("apikey") String apikey) { @@ -260,13 +260,13 @@ public Response regenerateApiKey( @ApiOperation( value = "Updates an API key's comment", response = ApiKey.class, - notes = "
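Review bot: regenerateApiKey is mapped to ACCESS_MANAGEMENT_CREATE, but the operation's own summary says it works by `removing the specified key` before generating a new one, so a holder of only `_CREATE` can revoke any existing key, which is the capability `_DELETE` was introduced to gate. Because the annotation is any-of, it cannot demand both CREATE and DELETE; model the call as a mutation of an existing key instead: `@PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE})` with the notes text `Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE`, matching updateApiKeyComment below. regenerateApiKey's body continues outside the hunk.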

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The API key could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE}) public Response updateApiKeyComment(@PathParam("apikey") final String apikey, final String comment) { try (final var qm = new QueryManager()) { @@ -291,13 +291,13 @@ public Response updateApiKeyComment(@PathParam("apikey") final String apikey, @ApiOperation( value = "Deletes the specified API key", code = 204, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The API key could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteApiKey( @ApiParam(value = "The API key to delete", required = true) @PathParam("apikey") String apikey) { diff --git a/src/main/java/org/dependencytrack/resources/v1/UserResource.java b/src/main/java/org/dependencytrack/resources/v1/UserResource.java index df8e39487..b93ddddc2 100644 --- a/src/main/java/org/dependencytrack/resources/v1/UserResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/UserResource.java @@ -233,12 +233,12 @@ public Response forceChangePassword(@FormParam("username") String username, @For response = ManagedUser.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of managed users"), - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response getManagedUsers() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final long totalCount = qm.getCount(ManagedUser.class); @@ -255,12 +255,12 @@ public Response getManagedUsers() { response = LdapUser.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of LDAP users"), - notes = "
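Review bot: Widening getManagedUsers to ACCESS_MANAGEMENT_READ means a read-only principal now receives serialized ManagedUser objects for every account, so the JSON view of that class must exclude the stored password hash and any other credential-bearing fields; the model is not in this hunk, so that needs confirming before the permission is handed out. A resource test that fetches the list with only ACCESS_MANAGEMENT_READ and asserts the response carries no password-hash field would pin it. getManagedUsers's body continues outside the hunk.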

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response getLdapUsers() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final long totalCount = qm.getCount(LdapUser.class); @@ -280,12 +280,12 @@ public Response getLdapUsers() { response = OidcUser.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of OIDC users"), - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_READ}) public Response getOidcUsers() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final long totalCount = qm.getCount(OidcUser.class); @@ -380,14 +380,14 @@ public Response updateSelf(ManagedUser jsonUser) { value = "Creates a new user that references an existing LDAP object.", response = LdapUser.class, code = 201, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Username cannot be null or blank."), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A user with the same username already exists. Cannot create new user") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response createLdapUser(LdapUser jsonUser) { try (QueryManager qm = new QueryManager()) { if (StringUtils.isBlank(jsonUser.getUsername())) { @@ -412,13 +412,13 @@ public Response createLdapUser(LdapUser jsonUser) { @ApiOperation( value = "Deletes a user.", code = 204, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteLdapUser(LdapUser jsonUser) { try (QueryManager qm = new QueryManager()) { final LdapUser user = qm.getLdapUser(jsonUser.getUsername()); @@ -442,14 +442,14 @@ public Response deleteLdapUser(LdapUser jsonUser) { value = "Creates a new user.", response = ManagedUser.class, code = 201, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Missing required field"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A user with the same username already exists. Cannot create new user") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response createManagedUser(ManagedUser jsonUser) { try (QueryManager qm = new QueryManager()) { @@ -490,14 +490,14 @@ public Response createManagedUser(ManagedUser jsonUser) { @ApiOperation( value = "Updates a managed user.", response = ManagedUser.class, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Missing required field"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE}) public Response updateManagedUser(ManagedUser jsonUser) { try (QueryManager qm = new QueryManager()) { ManagedUser user = qm.getManagedUser(jsonUser.getUsername()); @@ -533,13 +533,13 @@ public Response updateManagedUser(ManagedUser jsonUser) { @ApiOperation( value = "Deletes a user.", code = 204, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteManagedUser(ManagedUser jsonUser) { try (QueryManager qm = new QueryManager()) { final ManagedUser user = qm.getManagedUser(jsonUser.getUsername()); @@ -563,14 +563,14 @@ public Response deleteManagedUser(ManagedUser jsonUser) { value = "Creates a new user that references an existing OpenID Connect user.", response = OidcUser.class, code = 201, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Username cannot be null or blank."), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A user with the same username already exists. Cannot create new user") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_CREATE}) public Response createOidcUser(final OidcUser jsonUser) { try (QueryManager qm = new QueryManager()) { if (StringUtils.isBlank(jsonUser.getUsername())) { @@ -595,13 +595,13 @@ public Response createOidcUser(final OidcUser jsonUser) { @ApiOperation( value = "Deletes an OpenID Connect user.", code = 204, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response deleteOidcUser(final OidcUser jsonUser) { try (QueryManager qm = new QueryManager()) { final OidcUser user = qm.getOidcUser(jsonUser.getUsername()); @@ -624,14 +624,14 @@ public Response deleteOidcUser(final OidcUser jsonUser) { @ApiOperation( value = "Adds the username to the specified team.", response = UserPrincipal.class, - notes = "

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The user is already a member of the specified team"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user or team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE}) public Response addTeamToUser( @ApiParam(value = "A valid username", required = true) @PathParam("username") String username, @@ -664,14 +664,14 @@ public Response addTeamToUser( @ApiOperation( value = "Removes the username from the specified team.", response = UserPrincipal.class, - notes = "
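Review bot: With addTeamToUser gated by ACCESS_MANAGEMENT_UPDATE, a principal holding only that permission can add any user, including its own account, to any team, so if a team carries ACCESS_MANAGEMENT the split collapses back into full access management. At minimum the ACCESS_MANAGEMENT_UPDATE description should say so; a stronger fix is to reject the request unless the caller already holds every permission of the target team, or at least to refuse when `username` equals the caller's own principal name. The method's remaining parameters and body continue outside the hunk.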

    Requires permission ACCESS_MANAGEMENT

    " + notes = "

    Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 304, message = "The user was not a member of the specified team"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The user or team could not be found") }) - @PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT) + @PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_DELETE}) public Response removeTeamFromUser( @ApiParam(value = "A valid username", required = true) @PathParam("username") String username, diff --git a/src/main/java/org/dependencytrack/resources/v1/VexResource.java b/src/main/java/org/dependencytrack/resources/v1/VexResource.java index 774f3a9c3..cfbd379ec 100644 --- a/src/main/java/org/dependencytrack/resources/v1/VexResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/VexResource.java @@ -80,14 +80,14 @@ public class VexResource extends AlpineResource { @ApiOperation( value = "Returns a VEX for a project in CycloneDX format", response = String.class, - notes = "
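Review bot: removeTeamFromUser requires ACCESS_MANAGEMENT_DELETE while its counterpart addTeamToUser in the previous hunk requires ACCESS_MANAGEMENT_UPDATE, yet both modify the same membership relation and neither deletes a user or a team. A principal with `_UPDATE` can grant memberships it cannot later revoke, and one with `_DELETE` can strip memberships without being able to restore them. Unless the asymmetry is deliberate, use `@PermissionRequired({Permissions.Constants.ACCESS_MANAGEMENT, Permissions.Constants.ACCESS_MANAGEMENT_UPDATE})` and `Requires permission ACCESS_MANAGEMENT or ACCESS_MANAGEMENT_UPDATE` here as well. The method's remaining parameters and body continue outside the hunk.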

    Requires permission VULNERABILITY_ANALYSIS

    " + notes = "

    Requires permission VULNERABILITY_ANALYSIS or VULNERABILITY_ANALYSIS_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_ANALYSIS) + @PermissionRequired({Permissions.Constants.VULNERABILITY_ANALYSIS, Permissions.Constants.VULNERABILITY_ANALYSIS_READ}) public Response exportProjectAsCycloneDx( @ApiParam(value = "The UUID of the project to export", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @@ -139,7 +139,7 @@ public Response exportProjectAsCycloneDx( When uploading large VEX files, the POST endpoint is preferred, as it does not have this limit.

    -

    Requires permission VULNERABILITY_ANALYSIS

    """ +

    Requires permission VULNERABILITY_ANALYSIS or VULNERABILITY_ANALYSIS_UPDATE

    """ ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Invalid VEX", response = InvalidBomProblemDetails.class), @@ -147,7 +147,7 @@ public Response exportProjectAsCycloneDx( @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_ANALYSIS) + @PermissionRequired({Permissions.Constants.VULNERABILITY_ANALYSIS, Permissions.Constants.VULNERABILITY_ANALYSIS_UPDATE}) public Response uploadVex(VexSubmitRequest request) { final Validator validator = getValidator(); if (request.getProject() != null) { @@ -187,7 +187,7 @@ public Response uploadVex(VexSubmitRequest request) { a response with problem details in RFC 9457 format will be returned. In this case, the response's content type will be application/problem+json.
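Review bot: uploadVex is gated by VULNERABILITY_ANALYSIS_UPDATE only, but a VEX import records analysis decisions for vulnerabilities that may have no prior analysis, which is creation as much as update; VULNERABILITY_ANALYSIS_CREATE exists (the PermissionsTest hunk imports it) yet is accepted neither here nor on the multipart variant in the next hunk. Either add `Permissions.Constants.VULNERABILITY_ANALYSIS_CREATE` to the any-of list and the notes text, or state in the permission description that VEX upload is treated as an update regardless of prior state. uploadVex's body continues outside the hunk.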

    -

    Requires permission VULNERABILITY_ANALYSIS

    """ +

    Requires permission VULNERABILITY_ANALYSIS or VULNERABILITY_ANALYSIS_UPDATE

    """ ) @ApiResponses(value = { @ApiResponse(code = 400, message = "Invalid VEX", response = InvalidBomProblemDetails.class), @@ -195,7 +195,7 @@ public Response uploadVex(VexSubmitRequest request) { @ApiResponse(code = 403, message = "Access to the specified project is forbidden"), @ApiResponse(code = 404, message = "The project could not be found") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_ANALYSIS) + @PermissionRequired({Permissions.Constants.VULNERABILITY_ANALYSIS, Permissions.Constants.VULNERABILITY_ANALYSIS_UPDATE}) public Response uploadVex(@FormDataParam("project") String projectUuid, @FormDataParam("projectName") String projectName, @FormDataParam("projectVersion") String projectVersion, diff --git a/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java b/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java index 3340c99c7..28732cb17 100644 --- a/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/ViolationAnalysisResource.java @@ -103,7 +103,7 @@ public Response retrieveAnalysis(@ApiParam(value = "The UUID of the component", @ApiOperation( value = "Records a violation analysis decision", response = ViolationAnalysis.class, - notes = "

    Requires permission VIEW_POLICY_VIOLATION

    " + notes = "

    Requires permission POLICY_VIOLATION_ANALYSIS

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), diff --git a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyBundleResource.java b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyBundleResource.java index 307d018b5..cb0ed6ac6 100644 --- a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyBundleResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyBundleResource.java @@ -44,12 +44,12 @@ public class VulnerabilityPolicyBundleResource extends AlpineResource { @ApiOperation( value = "Returns vulnerability policy resource bundle", response = VulnerabilityPolicyBundle.class, - notes = "

    Requires permission POLICY_MANAGEMENT

    " + notes = "

    Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_READ}) public Response getVulnerabilityPolicyBundle() { try (QueryManager qm = new QueryManager(getAlpineRequest())) { final VulnerabilityPolicyBundle bundle = qm.getVulnerabilityPolicyBundle(); diff --git a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyResource.java b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyResource.java index 1d2037040..b960300e5 100644 --- a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityPolicyResource.java @@ -73,13 +73,13 @@ public class VulnerabilityPolicyResource extends AlpineResource { response = VulnerabilityPolicy.class, responseContainer = "List", responseHeaders = @ResponseHeader(name = TOTAL_COUNT_HEADER, response = Long.class, description = "The total number of vulnerability policies"), - notes = "

    Requires permission POLICY_MANAGEMENT

    " + notes = "

    Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_READ

    " ) @PaginatedApi @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_READ}) public Response getVulnerabilityPolicies() { VulnerabilityPolicyProviderFactory instance = VulnerabilityPolicyProviderFactory.getInstance(); VulnerabilityPolicyProvider vulnerabilityPolicyProvider = instance.policyProviderImpl(); @@ -94,14 +94,14 @@ public Response getVulnerabilityPolicies() { value = "Triggers policy bundle synchronization. Returns a workflow token if trigger succeeded.", response = String.class, responseContainer = "Map", - notes = "

    Requires permission POLICY_MANAGEMENT

    " + notes = "

    Requires permission POLICY_MANAGEMENT or POLICY_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 202, message = "Accepted"), @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "Conflict") }) - @PermissionRequired(Permissions.Constants.POLICY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.POLICY_MANAGEMENT, Permissions.Constants.POLICY_MANAGEMENT_UPDATE}) public Response triggerVulnerabilityPolicyBundleSync() { if (!Config.getInstance().getPropertyAsBoolean(ConfigKey.VULNERABILITY_POLICY_ANALYSIS_ENABLED)) { return Response diff --git a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java index 7f591d6af..6c637488e 100644 --- a/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java +++ b/src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java @@ -153,13 +153,13 @@ public Response getVulnerabilitiesByProject(@ApiParam(value = "The UUID of the p @ApiOperation( value = "Returns a specific vulnerability", response = Vulnerability.class, - notes = "

    Requires permission VULNERABILITY_MANAGEMENT

    " + notes = "

    Requires permission VULNERABILITY_MANAGEMENT or VULNERABILITY_MANAGEMENT_READ

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The vulnerability could not be found") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.VULNERABILITY_MANAGEMENT, Permissions.Constants.VULNERABILITY_MANAGEMENT_READ}) public Response getVulnerabilityByUuid(@ApiParam(value = "The UUID of the vulnerability", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { try (QueryManager qm = new QueryManager()) { @@ -269,13 +269,13 @@ public Response getAllVulnerabilities() { value = "Creates a new vulnerability", response = Vulnerability.class, code = 201, - notes = "

    Requires permission VULNERABILITY_MANAGEMENT

    " + notes = "

    Requires permission VULNERABILITY_MANAGEMENT or VULNERABILITY_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 409, message = "A vulnerability with the specified vulnId already exists") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.VULNERABILITY_MANAGEMENT, Permissions.Constants.VULNERABILITY_MANAGEMENT_CREATE}) public Response createVulnerability(Vulnerability jsonVulnerability) { final Validator validator = super.getValidator(); failOnValidationError( @@ -341,14 +341,14 @@ public Response createVulnerability(Vulnerability jsonVulnerability) { @ApiOperation( value = "Updates an internal vulnerability", response = Project.class, - notes = "

    Requires permission VULNERABILITY_MANAGEMENT

    " + notes = "

    Requires permission VULNERABILITY_MANAGEMENT or VULNERABILITY_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The vulnerability could not be found"), @ApiResponse(code = 406, message = "The vulnId may not be changed") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.VULNERABILITY_MANAGEMENT, Permissions.Constants.VULNERABILITY_MANAGEMENT_UPDATE}) public Response updateVulnerability(Vulnerability jsonVuln) { final Validator validator = super.getValidator(); failOnValidationError( @@ -421,7 +421,7 @@ public Response updateVulnerability(Vulnerability jsonVuln) { @ApiOperation( value = "Deletes a vulnerability", code = 204, - notes = "

    Requires permission VULNERABILITY_MANAGEMENT

    " + notes = "

    Requires permission VULNERABILITY_MANAGEMENT or VULNERABILITY_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @@ -429,7 +429,7 @@ public Response updateVulnerability(Vulnerability jsonVuln) { @ApiResponse(code = 404, message = "The UUID of the vulnerability could not be found"), @ApiResponse(code = 412, message = "Portfolio components or services are affected by this vulnerability. Unable to delete.") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.VULNERABILITY_MANAGEMENT, Permissions.Constants.VULNERABILITY_MANAGEMENT_DELETE}) public Response deleteVulnerability( @ApiParam(value = "The UUID of the vulnerability to delete", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { @@ -459,12 +459,12 @@ public Response deleteVulnerability( @ApiOperation( value = "Generates an internal vulnerability identifier", response = String.class, - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_CREATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE}) public Response generateInternalVulnerabilityIdentifier() { final String vulnId = VulnerabilityUtil.randomInternalId(); return Response.ok(vulnId).build(); @@ -516,14 +516,14 @@ public void recalculateScoresAndSeverityFromVectors(Vulnerability vuln) throws M @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Assigns a vulnerability to a component", - notes = "
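Review bot: generateInternalVulnerabilityIdentifier stays under the PORTFOLIO_MANAGEMENT family (`PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_CREATE`) even though the value it returns from `VulnerabilityUtil.randomInternalId()` exists to feed createVulnerability, which this same file now gates with VULNERABILITY_MANAGEMENT_CREATE. After the split a principal allowed to create vulnerabilities but lacking PORTFOLIO_MANAGEMENT_CREATE cannot obtain an internal id through the API, while a portfolio creator who cannot create vulnerabilities can. Since the endpoint mutates nothing, add `Permissions.Constants.VULNERABILITY_MANAGEMENT_CREATE` to the any-of list and mention it in the notes text.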

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The vulnerability or component could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response assignVulnerability(@ApiParam(value = "The vulnerability source", required = true) @PathParam("source") String source, @ApiParam(value = "The vulnId", required = true) @@ -555,14 +555,14 @@ public Response assignVulnerability(@ApiParam(value = "The vulnerability source" @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Assigns a vulnerability to a component", - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The vulnerability or component could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE}) public Response assignVulnerability(@ApiParam(value = "The UUID of the vulnerability", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @ApiParam(value = "The UUID of the component", format = "uuid", required = true) @@ -592,14 +592,14 @@ public Response assignVulnerability(@ApiParam(value = "The UUID of the vulnerabi @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Removes assignment of a vulnerability from a component", - notes = "

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The vulnerability or component could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE}) public Response unassignVulnerability(@ApiParam(value = "The vulnerability source", required = true) @PathParam("source") String source, @ApiParam(value = "The vulnId", required = true) @@ -631,14 +631,14 @@ public Response unassignVulnerability(@ApiParam(value = "The vulnerability sourc @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Removes assignment of a vulnerability from a component", - notes = "
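Review bot: unassignVulnerability is mapped to PORTFOLIO_MANAGEMENT_DELETE whereas assignVulnerability in the preceding hunks is mapped to PORTFOLIO_MANAGEMENT_UPDATE, yet both edit the same vulnerability-to-component association and neither removes a component from the portfolio. The asymmetry means a holder of `_UPDATE` can attach findings it cannot detach; unless that is intended, use `@PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE})` with the matching notes text here and on the UUID variant in the next hunk. The method's remaining parameters and body continue outside the hunk.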

    Requires permission PORTFOLIO_MANAGEMENT

    " + notes = "

    Requires permission PORTFOLIO_MANAGEMENT or PORTFOLIO_MANAGEMENT_DELETE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 403, message = "Access to the specified component is forbidden"), @ApiResponse(code = 404, message = "The vulnerability or component could not be found") }) - @PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT) + @PermissionRequired({Permissions.Constants.PORTFOLIO_MANAGEMENT, Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE}) public Response unassignVulnerability(@ApiParam(value = "The UUID of the vulnerability", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid, @ApiParam(value = "The UUID of the component", format = "uuid", required = true) @@ -668,13 +668,13 @@ public Response unassignVulnerability(@ApiParam(value = "The UUID of the vulnera @Produces(MediaType.APPLICATION_JSON) @ApiOperation( value = "Updates tags for a vulnerability", - notes = "

    Requires permission VULNERABILITY_MANAGEMENT

    " + notes = "

    Requires permission VULNERABILITY_MANAGEMENT or VULNERABILITY_MANAGEMENT_UPDATE

    " ) @ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 404, message = "The vulnerability could not be found") }) - @PermissionRequired(Permissions.Constants.VULNERABILITY_MANAGEMENT) + @PermissionRequired({Permissions.Constants.VULNERABILITY_MANAGEMENT, Permissions.Constants.VULNERABILITY_MANAGEMENT_UPDATE}) public Response updateVulnerabilityTags(List tags, @ApiParam(value = "UUID of the vulnerability", format = "uuid", required = true) @PathParam("uuid") @ValidUuid String uuid) { From d4e64755f114ceba6ad62d648d8b49f75abdb341 Mon Sep 17 00:00:00 2001 From: Zachary Prebosnyak <91638307+zprebosnyak-lm@users.noreply.github.com> Date: Mon, 29 Jul 2024 11:39:34 -0600 Subject: [PATCH 2/2] fix: update tests Signed-off-by: Zachary Prebosnyak <91638307+zprebosnyak-lm@users.noreply.github.com> --- .../dependencytrack/auth/PermissionsTest.java | 85 +++++++++++++++++-- .../resources/v1/PermissionResourceTest.java | 2 +- 2 files changed, 78 insertions(+), 9 deletions(-) diff --git a/src/test/java/org/dependencytrack/auth/PermissionsTest.java b/src/test/java/org/dependencytrack/auth/PermissionsTest.java index 5263c0938..83f680339 100644 --- a/src/test/java/org/dependencytrack/auth/PermissionsTest.java +++ b/src/test/java/org/dependencytrack/auth/PermissionsTest.java 
@@ -21,36 +21,82 @@ import org.junit.Assert; import org.junit.Test; -import static org.dependencytrack.auth.Permissions.Constants.ACCESS_MANAGEMENT; import static org.dependencytrack.auth.Permissions.Constants.BOM_UPLOAD; -import static org.dependencytrack.auth.Permissions.Constants.POLICY_MANAGEMENT; -import static org.dependencytrack.auth.Permissions.Constants.POLICY_VIOLATION_ANALYSIS; -import static org.dependencytrack.auth.Permissions.Constants.PORTFOLIO_MANAGEMENT; -import static org.dependencytrack.auth.Permissions.Constants.PROJECT_CREATION_UPLOAD; -import static org.dependencytrack.auth.Permissions.Constants.SYSTEM_CONFIGURATION; -import static org.dependencytrack.auth.Permissions.Constants.VIEW_POLICY_VIOLATION; import static org.dependencytrack.auth.Permissions.Constants.VIEW_PORTFOLIO; +import static org.dependencytrack.auth.Permissions.Constants.PORTFOLIO_MANAGEMENT; +import static org.dependencytrack.auth.Permissions.Constants.PORTFOLIO_MANAGEMENT_CREATE; +import static org.dependencytrack.auth.Permissions.Constants.PORTFOLIO_MANAGEMENT_READ; +import static org.dependencytrack.auth.Permissions.Constants.PORTFOLIO_MANAGEMENT_UPDATE; +import static org.dependencytrack.auth.Permissions.Constants.PORTFOLIO_MANAGEMENT_DELETE; import static org.dependencytrack.auth.Permissions.Constants.VIEW_VULNERABILITY; import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_ANALYSIS; +import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_ANALYSIS_CREATE; +import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_ANALYSIS_READ; +import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_ANALYSIS_UPDATE; +import static org.dependencytrack.auth.Permissions.Constants.VIEW_POLICY_VIOLATION; import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_MANAGEMENT; +import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_MANAGEMENT_CREATE; +import static 
org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_MANAGEMENT_READ; +import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_MANAGEMENT_UPDATE; +import static org.dependencytrack.auth.Permissions.Constants.VULNERABILITY_MANAGEMENT_DELETE; +import static org.dependencytrack.auth.Permissions.Constants.POLICY_VIOLATION_ANALYSIS; +import static org.dependencytrack.auth.Permissions.Constants.ACCESS_MANAGEMENT; +import static org.dependencytrack.auth.Permissions.Constants.ACCESS_MANAGEMENT_CREATE; +import static org.dependencytrack.auth.Permissions.Constants.ACCESS_MANAGEMENT_READ; +import static org.dependencytrack.auth.Permissions.Constants.ACCESS_MANAGEMENT_UPDATE; +import static org.dependencytrack.auth.Permissions.Constants.ACCESS_MANAGEMENT_DELETE; +import static org.dependencytrack.auth.Permissions.Constants.SYSTEM_CONFIGURATION; +import static org.dependencytrack.auth.Permissions.Constants.SYSTEM_CONFIGURATION_CREATE; +import static org.dependencytrack.auth.Permissions.Constants.SYSTEM_CONFIGURATION_READ; +import static org.dependencytrack.auth.Permissions.Constants.SYSTEM_CONFIGURATION_UPDATE; +import static org.dependencytrack.auth.Permissions.Constants.SYSTEM_CONFIGURATION_DELETE; +import static org.dependencytrack.auth.Permissions.Constants.PROJECT_CREATION_UPLOAD; +import static org.dependencytrack.auth.Permissions.Constants.POLICY_MANAGEMENT; +import static org.dependencytrack.auth.Permissions.Constants.POLICY_MANAGEMENT_CREATE; +import static org.dependencytrack.auth.Permissions.Constants.POLICY_MANAGEMENT_READ; +import static org.dependencytrack.auth.Permissions.Constants.POLICY_MANAGEMENT_UPDATE; +import static org.dependencytrack.auth.Permissions.Constants.POLICY_MANAGEMENT_DELETE; public class PermissionsTest { @Test public void testPermissionEnums() { - Assert.assertEquals(12, Permissions.values().length); + Assert.assertEquals(35, Permissions.values().length); Assert.assertEquals("BOM_UPLOAD", 
Permissions.BOM_UPLOAD.name()); Assert.assertEquals("VIEW_PORTFOLIO", Permissions.VIEW_PORTFOLIO.name()); Assert.assertEquals("PORTFOLIO_MANAGEMENT", Permissions.PORTFOLIO_MANAGEMENT.name()); + Assert.assertEquals("PORTFOLIO_MANAGEMENT_CREATE", Permissions.PORTFOLIO_MANAGEMENT_CREATE.name()); + Assert.assertEquals("PORTFOLIO_MANAGEMENT_READ", Permissions.PORTFOLIO_MANAGEMENT_READ.name()); + Assert.assertEquals("PORTFOLIO_MANAGEMENT_UPDATE", Permissions.PORTFOLIO_MANAGEMENT_UPDATE.name()); + Assert.assertEquals("PORTFOLIO_MANAGEMENT_DELETE", Permissions.PORTFOLIO_MANAGEMENT_DELETE.name()); Assert.assertEquals("VIEW_VULNERABILITY", Permissions.VIEW_VULNERABILITY.name()); Assert.assertEquals("VULNERABILITY_ANALYSIS", Permissions.VULNERABILITY_ANALYSIS.name()); + Assert.assertEquals("VULNERABILITY_ANALYSIS_CREATE", Permissions.VULNERABILITY_ANALYSIS_CREATE.name()); + Assert.assertEquals("VULNERABILITY_ANALYSIS_READ", Permissions.VULNERABILITY_ANALYSIS_READ.name()); + Assert.assertEquals("VULNERABILITY_ANALYSIS_UPDATE", Permissions.VULNERABILITY_ANALYSIS_UPDATE.name()); Assert.assertEquals("VIEW_POLICY_VIOLATION", Permissions.VIEW_POLICY_VIOLATION.name()); Assert.assertEquals("VULNERABILITY_MANAGEMENT", Permissions.VULNERABILITY_MANAGEMENT.name()); + Assert.assertEquals("VULNERABILITY_MANAGEMENT_CREATE", Permissions.VULNERABILITY_MANAGEMENT_CREATE.name()); + Assert.assertEquals("VULNERABILITY_MANAGEMENT_READ", Permissions.VULNERABILITY_MANAGEMENT_READ.name()); + Assert.assertEquals("VULNERABILITY_MANAGEMENT_UPDATE", Permissions.VULNERABILITY_MANAGEMENT_UPDATE.name()); + Assert.assertEquals("VULNERABILITY_MANAGEMENT_DELETE", Permissions.VULNERABILITY_MANAGEMENT_DELETE.name()); Assert.assertEquals("POLICY_VIOLATION_ANALYSIS", Permissions.POLICY_VIOLATION_ANALYSIS.name()); Assert.assertEquals("ACCESS_MANAGEMENT", Permissions.ACCESS_MANAGEMENT.name()); + Assert.assertEquals("ACCESS_MANAGEMENT_CREATE", Permissions.ACCESS_MANAGEMENT_CREATE.name()); + 
Assert.assertEquals("ACCESS_MANAGEMENT_READ", Permissions.ACCESS_MANAGEMENT_READ.name()); + Assert.assertEquals("ACCESS_MANAGEMENT_UPDATE", Permissions.ACCESS_MANAGEMENT_UPDATE.name()); + Assert.assertEquals("ACCESS_MANAGEMENT_DELETE", Permissions.ACCESS_MANAGEMENT_DELETE.name()); Assert.assertEquals("SYSTEM_CONFIGURATION", Permissions.SYSTEM_CONFIGURATION.name()); + Assert.assertEquals("SYSTEM_CONFIGURATION_CREATE", Permissions.SYSTEM_CONFIGURATION_CREATE.name()); + Assert.assertEquals("SYSTEM_CONFIGURATION_READ", Permissions.SYSTEM_CONFIGURATION_READ.name()); + Assert.assertEquals("SYSTEM_CONFIGURATION_UPDATE", Permissions.SYSTEM_CONFIGURATION_UPDATE.name()); + Assert.assertEquals("SYSTEM_CONFIGURATION_DELETE", Permissions.SYSTEM_CONFIGURATION_DELETE.name()); Assert.assertEquals("PROJECT_CREATION_UPLOAD", Permissions.PROJECT_CREATION_UPLOAD.name()); Assert.assertEquals("POLICY_MANAGEMENT", Permissions.POLICY_MANAGEMENT.name()); + Assert.assertEquals("POLICY_MANAGEMENT_CREATE", Permissions.POLICY_MANAGEMENT_CREATE.name()); + Assert.assertEquals("POLICY_MANAGEMENT_READ", Permissions.POLICY_MANAGEMENT_READ.name()); + Assert.assertEquals("POLICY_MANAGEMENT_UPDATE", Permissions.POLICY_MANAGEMENT_UPDATE.name()); + Assert.assertEquals("POLICY_MANAGEMENT_DELETE", Permissions.POLICY_MANAGEMENT_DELETE.name()); } @Test 
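Review bot: The VULNERABILITY_ANALYSIS family is split into CREATE/READ/UPDATE only, while the other five families get all four CRUD variants; the count of 35 pins that asymmetry, but nothing in the test or, as far as this hunk shows, in the enum says whether the missing VULNERABILITY_ANALYSIS_DELETE is deliberate. If it is, a one-line comment next to the family in Permissions.java ("analyses are never deleted, only re-stated — no DELETE permission") would stop the next contributor from "completing" the set and silently widening what an analysis role can do; if it is not, the enum, this test and PermissionResourceTest all need the 36th entry. Separately, the hunk reshuffles the static imports out of alphabetical order (ACCESS_MANAGEMENT and POLICY_MANAGEMENT now sit below the VULNERABILITY_* imports), which is churn unrelated to the change — keep the block sorted.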
@@ -58,14 +104,37 @@ public void testPermissionConstants() {
 Assert.assertEquals("BOM_UPLOAD", BOM_UPLOAD);
 Assert.assertEquals("VIEW_PORTFOLIO", VIEW_PORTFOLIO);
 Assert.assertEquals("PORTFOLIO_MANAGEMENT", PORTFOLIO_MANAGEMENT);
+ Assert.assertEquals("PORTFOLIO_MANAGEMENT_CREATE", PORTFOLIO_MANAGEMENT_CREATE);
+ Assert.assertEquals("PORTFOLIO_MANAGEMENT_READ", PORTFOLIO_MANAGEMENT_READ);
+ Assert.assertEquals("PORTFOLIO_MANAGEMENT_UPDATE", PORTFOLIO_MANAGEMENT_UPDATE);
+ Assert.assertEquals("PORTFOLIO_MANAGEMENT_DELETE", PORTFOLIO_MANAGEMENT_DELETE);
 Assert.assertEquals("VIEW_VULNERABILITY", VIEW_VULNERABILITY);
 Assert.assertEquals("VULNERABILITY_ANALYSIS", VULNERABILITY_ANALYSIS);
+ Assert.assertEquals("VULNERABILITY_ANALYSIS_CREATE", VULNERABILITY_ANALYSIS_CREATE);
+ Assert.assertEquals("VULNERABILITY_ANALYSIS_READ", VULNERABILITY_ANALYSIS_READ);
+ Assert.assertEquals("VULNERABILITY_ANALYSIS_UPDATE", VULNERABILITY_ANALYSIS_UPDATE);
 Assert.assertEquals("VIEW_POLICY_VIOLATION", VIEW_POLICY_VIOLATION);
 Assert.assertEquals("VULNERABILITY_MANAGEMENT", VULNERABILITY_MANAGEMENT);
+ Assert.assertEquals("VULNERABILITY_MANAGEMENT_CREATE", VULNERABILITY_MANAGEMENT_CREATE);
+ Assert.assertEquals("VULNERABILITY_MANAGEMENT_READ", VULNERABILITY_MANAGEMENT_READ);
+ Assert.assertEquals("VULNERABILITY_MANAGEMENT_UPDATE", VULNERABILITY_MANAGEMENT_UPDATE);
+ Assert.assertEquals("VULNERABILITY_MANAGEMENT_DELETE", VULNERABILITY_MANAGEMENT_DELETE);
 Assert.assertEquals("POLICY_VIOLATION_ANALYSIS", POLICY_VIOLATION_ANALYSIS);
 Assert.assertEquals("ACCESS_MANAGEMENT", ACCESS_MANAGEMENT);
+ Assert.assertEquals("ACCESS_MANAGEMENT_CREATE", ACCESS_MANAGEMENT_CREATE);
+ Assert.assertEquals("ACCESS_MANAGEMENT_READ", ACCESS_MANAGEMENT_READ);
+ Assert.assertEquals("ACCESS_MANAGEMENT_UPDATE", ACCESS_MANAGEMENT_UPDATE);
+ Assert.assertEquals("ACCESS_MANAGEMENT_DELETE", ACCESS_MANAGEMENT_DELETE);
 Assert.assertEquals("SYSTEM_CONFIGURATION", SYSTEM_CONFIGURATION);
+ Assert.assertEquals("SYSTEM_CONFIGURATION_CREATE", SYSTEM_CONFIGURATION_CREATE);
+ Assert.assertEquals("SYSTEM_CONFIGURATION_READ", SYSTEM_CONFIGURATION_READ);
+ Assert.assertEquals("SYSTEM_CONFIGURATION_UPDATE", SYSTEM_CONFIGURATION_UPDATE);
+ Assert.assertEquals("SYSTEM_CONFIGURATION_DELETE", SYSTEM_CONFIGURATION_DELETE);
 Assert.assertEquals("PROJECT_CREATION_UPLOAD", PROJECT_CREATION_UPLOAD);
 Assert.assertEquals("POLICY_MANAGEMENT", POLICY_MANAGEMENT);
+ Assert.assertEquals("POLICY_MANAGEMENT_CREATE", POLICY_MANAGEMENT_CREATE);
+ Assert.assertEquals("POLICY_MANAGEMENT_READ", POLICY_MANAGEMENT_READ);
+ Assert.assertEquals("POLICY_MANAGEMENT_UPDATE", POLICY_MANAGEMENT_UPDATE);
+ Assert.assertEquals("POLICY_MANAGEMENT_DELETE", POLICY_MANAGEMENT_DELETE);
 }
 }
diff --git a/src/test/java/org/dependencytrack/resources/v1/PermissionResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/PermissionResourceTest.java
index 87d4a04a1..18684cb7f 100644
--- a/src/test/java/org/dependencytrack/resources/v1/PermissionResourceTest.java
+++ b/src/test/java/org/dependencytrack/resources/v1/PermissionResourceTest.java
@@ -64,7 +64,7 @@ public void getAllPermissionsTest() {
 Assert.assertNull(response.getHeaderString(TOTAL_COUNT_HEADER));
 JsonArray json = parseJsonArray(response);
 Assert.assertNotNull(json);
- Assert.assertEquals(12, json.size());
+ Assert.assertEquals(35, json.size());
 Assert.assertEquals("ACCESS_MANAGEMENT", json.getJsonObject(0).getString("name"));
 Assert.assertEquals("Allows the management of users, teams, and API keys", json.getJsonObject(0).getString("description"));
 }
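Review bot: testPermissionConstants only checks that each string constant equals its own spelling, which cannot fail in any interesting way; what matters for authorization is that every constant used in a `@PermissionRequired` annotation names a member of the Permissions enum, because a constant that drifts from the enum name would reference a permission that is never persisted and the guarded endpoint would then deny (or, depending on how the filter treats an unknown name, mishandle) every caller. Add the round trip for the new constants, e.g. `for (String c : List.of(PORTFOLIO_MANAGEMENT_CREATE, VULNERABILITY_ANALYSIS_UPDATE, ACCESS_MANAGEMENT_DELETE, POLICY_MANAGEMENT_READ)) { Assert.assertEquals(c, Permissions.valueOf(c).name()); }` (extend the list to all 23), so `valueOf` throwing is the failure signal. The duplicated literal lists in both test methods could then collapse to one expected-name list compared against `Permissions.values()`.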
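Review bot: getAllPermissionsTest now expects 35 entries but still inspects only element 0, which was ACCESS_MANAGEMENT before this change as well, so the test passes without proving that a single one of the 23 new permissions is actually seeded and returned by the API. Assert at least one fine-grained entry explicitly — e.g. `Assert.assertEquals("ACCESS_MANAGEMENT_CREATE", json.getJsonObject(1).getString("name"));` plus a non-blank check on its description — assuming the resource orders by name (element 0 being ACCESS_MANAGEMENT suggests alphabetical order, but the hunk does not show it; otherwise search the array by name). The count itself depends on whatever seeds permissions at startup, which is outside this hunk, so a name-level assertion is the only thing here tying the enum to the persisted rows.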