diff --git a/server/src/main/java/access/security/RemoteUser.java b/server/src/main/java/access/security/RemoteUser.java
index f49c6f27..bec3cf86 100644
--- a/server/src/main/java/access/security/RemoteUser.java
+++ b/server/src/main/java/access/security/RemoteUser.java
@@ -28,6 +28,7 @@ public class RemoteUser implements UserDetails, CredentialsContainer, Provisiona
 private String displayName;
 private List scopes = new ArrayList<>();
 private List applications = new ArrayList<>();
+ private boolean localDevMode;
 
 public RemoteUser(RemoteUser remoteUser) {
 this.username = remoteUser.username;
@@ -35,6 +36,7 @@ public RemoteUser(RemoteUser remoteUser) {
 this.displayName = remoteUser.displayName;
 this.scopes = remoteUser.scopes;
 this.applications = remoteUser.applications;
+ this.localDevMode = remoteUser.localDevMode;
 }
 
 @Override
diff --git a/server/src/main/java/access/security/RemoteUserPermissions.java b/server/src/main/java/access/security/RemoteUserPermissions.java
index c0db8b67..de5387eb 100644
--- a/server/src/main/java/access/security/RemoteUserPermissions.java
+++ b/server/src/main/java/access/security/RemoteUserPermissions.java
@@ -33,6 +33,9 @@ public static void assertApplicationAccess(RemoteUser remoteUser, List rol
 if (remoteUser == null) {
 throw new UserRestrictionException();
 }
+ if (remoteUser.isLocalDevMode()) {
+ return;
+ }
 List remoteUserApplications = remoteUser.getApplications();
 boolean hasApplicationAccess = roles.stream().map(role -> role.applicationsUsed())
 .flatMap(Collection::stream)
diff --git a/server/src/main/resources/application.yml b/server/src/main/resources/application.yml
index a8912b32..387410d1 100644
--- a/server/src/main/resources/application.yml
+++ b/server/src/main/resources/application.yml
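Review bot: The new `localDevMode` field in RemoteUser carries no documentation, although setting it (presumably bound from the `external-api-configuration` entries in application.yml) switches off the application-access check in `RemoteUserPermissions.assertApplicationAccess`; a reader of this class cannot tell that it is a security switch rather than an ordinary attribute. Add a Javadoc above the field, e.g. `/** When true, application-level access checks are skipped; intended for local development only and must never be set on a user in deployed configuration. */`. The RemoteUser class body continues outside the hunk.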
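Review bot: The early `return` on `remoteUser.isLocalDevMode()` turns a per-user configuration flag into a complete bypass of the application-access check, with nothing in the code tying it to a development environment — any API user whose config entry carries `localDevMode: true` skips the check wherever that configuration happens to be loaded. Consider requiring an active dev profile (or an explicit property such as `feature.local-dev-mode=true`) in addition to the user flag, and failing at startup when a localDevMode user is configured without it, so a copied or leaked config entry cannot silently widen access in production. The bypass should at least leave a trace, e.g. `LOG.warn("localDevMode: skipping application access check for {}", remoteUser.getUsername());` before the `return`. The diff does not touch `assertScopeAccess`, so scope checks still apply to such a user; the remainder of assertApplicationAccess lies outside the hunk.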
@@ -161,6 +161,16 @@ external-api-configuration:
 applications:
 - manageId: "4"
 manageType: SAML20_SP
+ -
+ username: sp_dashboard_local_dev_mode
+ displayName: "SP Dashboard"
+ password: "secret"
+ scopes:
+ - sp_dashboard
+ applications:
+ - manageId: "4"
+ manageType: SAML20_SP
+ localDevMode: true
 
 voot:
 group_urn_domain: urn:mace:surf.nl:test.surfaccess.nl
diff --git a/server/src/test/java/access/internal/InternalInviteControllerTest.java b/server/src/test/java/access/internal/InternalInviteControllerTest.java
index 595f8cc5..44622be6 100644
--- a/server/src/test/java/access/internal/InternalInviteControllerTest.java
+++ b/server/src/test/java/access/internal/InternalInviteControllerTest.java
@@ -42,7 +42,24 @@ void createWithAPIUser() throws Exception {
 .as(new TypeRef<>() {
 });
 assertNotNull(newRole.getId());
- System.out.println(objectMapper.writeValueAsString(newRole));
+ }
+
+ @Test
+ void createWithAPIUserNotAllowed() {
+ Role role = new Role("Required role name", "Required role description", application("3", EntityType.SAML20_SP),
+ 365, false, false);
+
+ super.stubForManagerProvidersByIdIn(EntityType.SAML20_SP, List.of("3"));
+
+ given()
+ .when()
+ .auth().preemptive().basic("sp_dashboard", "secret")
+ .accept(ContentType.JSON)
+ .contentType(ContentType.JSON)
+ .body(role)
+ .post("/api/internal/invite/roles")
+ .then()
+ .statusCode(403);
 }
 
 @Test
@@ -191,14 +208,4 @@ void userRolesByRole() {
 assertEquals(1, userRoles.size());
 }
 
- @Test
- void delme() throws JsonProcessingException {
- InvitationResponse invitationResponse = new InvitationResponse(
- 201,
- List.of(new RecipientInvitationURL("admin@service.nl", "https://invite.test.surfconext.nl/invitation/accept?{hash}"))
- );
- String json = objectMapper.writeValueAsString(invitationResponse);
- System.out.println(json);
- }
-
 }
\ No newline at end of file
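Review bot: The `sp_dashboard_local_dev_mode` entry with the literal password `"secret"` and `localDevMode: true` lands in `src/main/resources/application.yml`, the default configuration packaged with the server, so unless every deployment overrides the whole `external-api-configuration` list, production will accept this well-known credential and grant it the application-access bypass; whether deployments do override the list is not visible here. Move the entry to a dev-only source (an `application-dev.yml`, or a `---` document guarded by `spring.config.activate.on-profile: dev`) rather than the shared file. If it has to stay, add a comment directly above it: `# LOCAL DEVELOPMENT ONLY: localDevMode bypasses application access checks; deployed configuration must replace this list.`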
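Review bot: The new `createWithAPIUserNotAllowed` test proves that `sp_dashboard` is rejected for application "3", but nothing exercises the new `sp_dashboard_local_dev_mode` user end to end, so the bypass this commit introduces is covered only at unit level. Add a sibling test that posts the same role with `.auth().preemptive().basic("sp_dashboard_local_dev_mode", "secret")` and asserts the success status that `createWithAPIUser` expects (its body starts outside the hunk), assuming the test profile loads the application.yml entry; that way a later change to either the bypass or the config entry is caught. 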
diff --git a/server/src/test/java/access/security/ExtendedInMemoryUserDetailsManagerTest.java b/server/src/test/java/access/security/ExtendedInMemoryUserDetailsManagerTest.java
index 9254b196..1c9bdd92 100644
--- a/server/src/test/java/access/security/ExtendedInMemoryUserDetailsManagerTest.java
+++ b/server/src/test/java/access/security/ExtendedInMemoryUserDetailsManagerTest.java
@@ -16,7 +16,8 @@ class ExtendedInMemoryUserDetailsManagerTest {
 "password",
 "SP Dashboard",
 List.of(Scope.profile),
- List.of(new Application("4", EntityType.SAML20_SP)));
+ List.of(new Application("4", EntityType.SAML20_SP)),
+ false);
 
 private final ExtendedInMemoryUserDetailsManager userDetailsManager = new ExtendedInMemoryUserDetailsManager(List.of(remoteUser));
 
diff --git a/server/src/test/java/access/security/RemoteUserPermissionsTest.java b/server/src/test/java/access/security/RemoteUserPermissionsTest.java
index 03df1e08..16d5efa6 100644
--- a/server/src/test/java/access/security/RemoteUserPermissionsTest.java
+++ b/server/src/test/java/access/security/RemoteUserPermissionsTest.java
@@ -21,7 +21,7 @@ void assertScopeAccess() {
 RemoteUserPermissions.assertScopeAccess(new RemoteUser());
 
 RemoteUserPermissions.assertScopeAccess(
- new RemoteUser("user", "secret", null, List.of(Scope.profile), List.of()), Scope.profile);
+ new RemoteUser("user", "secret", null, List.of(Scope.profile), List.of(), false), Scope.profile);
 }
 
 @Test
@@ -34,9 +34,25 @@ void assertApplicationAccess() {
 role.setApplicationUsages(applicationUsages);
 assertThrows(UserRestrictionException.class, () -> RemoteUserPermissions.assertApplicationAccess(null, role));
 assertThrows(UserRestrictionException.class, () -> RemoteUserPermissions.assertApplicationAccess(new RemoteUser(), role));
- RemoteUser remoteUser = new RemoteUser("user", "secret", null, List.of(), List.of(application));
+ RemoteUser remoteUser = new RemoteUser("user", "secret", null, List.of(), List.of(application), false);
 RemoteUserPermissions.assertApplicationAccess(remoteUser, role);
 RemoteUserPermissions.assertApplicationAccess(remoteUser, List.of(role));
 }
 
+ @Test
+ void assertApplicationAccessDevMode() {
+ Role role = new Role();
+ Application application = new Application("1", EntityType.SAML20_SP);
+ Set applicationUsages = Set.of(
+ new ApplicationUsage(application, "landingPage")
+ );
+ role.setApplicationUsages(applicationUsages);
+ RemoteUser remoteUser = new RemoteUser("user", "secret", null, List.of(), List.of(new Application("5", EntityType.SAML20_SP)), false);
+ assertThrows(UserRestrictionException.class, () -> RemoteUserPermissions.assertApplicationAccess(remoteUser, role));
+
+ RemoteUser remoteUserDevMode = new RemoteUser(remoteUser);
+ remoteUserDevMode.setLocalDevMode(true);
+ RemoteUserPermissions.assertApplicationAccess(remoteUserDevMode, role);
+ }
+
 }
\ No newline at end of file
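Review bot: `assertApplicationAccessDevMode` pins only that the dev-mode copy passes `assertApplicationAccess(remoteUserDevMode, role)`; it does not check that `localDevMode` leaves the other checks alone, so a future widening of the bypass to scopes or to the `List` overload would go unnoticed. Add `RemoteUserPermissions.assertApplicationAccess(remoteUserDevMode, List.of(role));` and, assuming `assertScopeAccess` signals a missing scope with `UserRestrictionException` (not shown in this diff), `assertThrows(UserRestrictionException.class, () -> RemoteUserPermissions.assertScopeAccess(remoteUserDevMode, Scope.profile));`, which holds because `remoteUser` is built with `List.of()` scopes. The enclosing `assertApplicationAccess` test method starts outside the hunk.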