Skip to content

Commit

Permalink
Replace #oauth.hasScope annotation with proper #iam.hasScope (#664)
Browse files Browse the repository at this point in the history
Fixed pre-authz in order to rely on token's scopes instead of already approved ones.

---------

Co-authored-by: rmiccoli <[email protected]>
Co-authored-by: Federica Agostini <[email protected]>
  • Loading branch information
3 people authored Oct 30, 2023
1 parent 6bd6a34 commit 402693a
Show file tree
Hide file tree
Showing 34 changed files with 1,169 additions and 194 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ private void handleValidationError(BindingResult result) {
}

@RequestMapping(value = "/iam/account/{id}/attributes", method = RequestMethod.GET)
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
public List<AttributeDTO> getAttributes(@PathVariable String id) {

IamAccount account =
Expand All @@ -85,7 +85,7 @@ public List<AttributeDTO> getAttributes(@PathVariable String id) {
}

@RequestMapping(value = "/iam/account/{id}/attributes", method = PUT)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void setAttribute(@PathVariable String id, @RequestBody @Validated AttributeDTO attribute,
final BindingResult validationResult) {

Expand All @@ -99,7 +99,7 @@ public void setAttribute(@PathVariable String id, @RequestBody @Validated Attrib
}

@RequestMapping(value = "/iam/account/{id}/attributes", method = DELETE)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@ResponseStatus(value = NO_CONTENT)
public void deleteAttribute(@PathVariable String id, @Validated AttributeDTO attribute,
final BindingResult validationResult) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,22 +68,22 @@ protected IamAccount findAccountByName(String name) {
.orElseThrow(() -> new NoSuchAccountError(format("No account found for name '%s'", name)));
}

@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
@RequestMapping(value = "/me/authorities", method = RequestMethod.GET)
public AuthoritySetDTO getAuthoritiesForMe(Authentication authn) {
return AuthoritySetDTO
.fromAuthorities(authorityService.getAccountAuthorities(findAccountByName(authn.getName())));
}

@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
@RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.GET)
@ResponseBody
public AuthoritySetDTO getAuthoritiesForAccount(@PathVariable("id") String id) {
return AuthoritySetDTO
.fromAuthorities(authorityService.getAccountAuthorities(findAccountById(id)));
}

@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.POST)
public void addAuthorityToAccount(@PathVariable("id") String id, @Valid AuthorityDTO authority,
BindingResult validationResult) {
Expand All @@ -96,7 +96,7 @@ public void addAuthorityToAccount(@PathVariable("id") String id, @Valid Authorit

}

@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.DELETE)
public void removeAuthorityFromAccount(@PathVariable("id") String id,
@Valid AuthorityDTO authority, BindingResult validationResult) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
import it.infn.mw.iam.api.scim.model.ScimUser;

@RestController
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public class FindAccountController {

public static final String INVALID_FIND_ACCOUNT_REQUEST = "Invalid find account request";
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ public AccountGroupController(IamAccountService accountService, IamGroupService

@RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = POST)
@ResponseStatus(value = HttpStatus.CREATED)
@PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
@PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable String groupUuid) {
IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));

Expand All @@ -75,7 +75,7 @@ public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable St

@RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = DELETE)
@ResponseStatus(value = HttpStatus.NO_CONTENT)
@PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
@PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
public void removeAccountFromGroup(@PathVariable String accountUuid,
@PathVariable String groupUuid) {
IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ public AccountGroupManagerController(AccountGroupManagerService service,


@RequestMapping(value = "/iam/account/{accountId}/managed-groups", method = RequestMethod.GET)
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
@PathVariable String accountId) {
IamAccount account = accountRepository.findByUuid(accountId)
Expand All @@ -74,7 +74,7 @@ public AccountManagedGroupsDTO getAccountManagedGroupsInformation(

@RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}",
method = RequestMethod.POST)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@ResponseStatus(value = HttpStatus.CREATED)
public void addManagedGroupToAccount(@PathVariable String accountId,
@PathVariable String groupId) {
Expand All @@ -90,7 +90,7 @@ public void addManagedGroupToAccount(@PathVariable String accountId,

@RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}",
method = RequestMethod.DELETE)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@ResponseStatus(value = HttpStatus.NO_CONTENT)
public void removeManagedGroupFromAccount(@PathVariable String accountId,
@PathVariable String groupId) {
Expand All @@ -105,7 +105,7 @@ public void removeManagedGroupFromAccount(@PathVariable String accountId,
}

@RequestMapping(value = "/iam/group/{groupId}/group-managers", method=RequestMethod.GET)
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
public List<ScimUser> getGroupManagersForGroup(@PathVariable String groupId) {
IamGroup group = groupRepository.findByUuid(groupId)
.orElseThrow(() -> InvalidManagedGroupError.groupNotFoundException(groupId));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ private void handleValidationError(BindingResult result) {
}

@RequestMapping(method = GET)
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
public List<LabelDTO> getLabels(@PathVariable String id) {

IamAccount account = service.findByUuid(id).orElseThrow(noSuchAccountError(id));
Expand All @@ -88,7 +88,7 @@ public List<LabelDTO> getLabels(@PathVariable String id) {
}

@RequestMapping(method = PUT)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO label,
BindingResult validationResult) {
handleValidationError(validationResult);
Expand All @@ -98,7 +98,7 @@ public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO l
}

@RequestMapping(method = DELETE)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@ResponseStatus(NO_CONTENT)
public void deleteLabel(@PathVariable String id, @Validated LabelDTO label,
BindingResult validationResult) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@

@RestController
@RequestMapping(value = AccountLifecycleController.BASE_RESOURCE)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public class AccountLifecycleController {

public static final String BASE_RESOURCE = "/iam/account/{id}/endTime";
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ private void handleValidationError(BindingResult result) {
}

@RequestMapping(value = "/iam/account/me/proxycert", method = PUT)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
public void addProxyCertificate(
@RequestBody @Validated(
value = ProxyCertificateDTO.AddProxyCertValidation.class) ProxyCertificateDTO proxyCert,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@

@RestController
@Transactional
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
@RequestMapping(AccountSearchController.ACCOUNT_SEARCH_ENDPOINT)
public class AccountSearchController extends AbstractSearchController<ScimUser, IamAccount> {

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@

@RestController
@Transactional
@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #oauth2.hasScope('iam:admin.read')")
@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #iam.hasScope('iam:admin.read')")
@RequestMapping(GroupSearchController.GROUP_SEARCH_ENDPOINT)
public class GroupSearchController extends AbstractSearchController<ScimGroup, IamGroup> {

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ public AupSignatureDTO getSignature() throws AccountNotFoundException {
}

@RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.GET)
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) throws AccountNotFoundException {
IamAccount account = accountUtils.getByAccountId(accountId)
.orElseThrow(accountNotFoundException("Account not found for id: " + accountId));
Expand All @@ -113,7 +113,7 @@ public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) th
}

@RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.PATCH)
@PreAuthorize("#oauth2.hasScope('iam:admin.write')")
@PreAuthorize("#iam.hasScope('iam:admin.write')")
public void setSignatureForAccount(@PathVariable String accountId,
@RequestBody @Validated AupSignatureDTO dto) throws AccountNotFoundException {
IamAccount account = accountUtils.getByAccountId(accountId)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,15 +68,15 @@ public ClientManagementAPIController(ClientManagementService managementService)

@PostMapping
@ResponseStatus(CREATED)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public RegisteredClientDTO saveNewClient(@RequestBody RegisteredClientDTO client)
throws ParseException {
return managementService.saveNewClient(client);
}

@JsonView({ClientViews.ClientManagement.class})
@GetMapping
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public ListResponseDTO<RegisteredClientDTO> retrieveClients(
@RequestParam final Optional<Integer> count,
@RequestParam final Optional<Integer> startIndex,
Expand All @@ -94,14 +94,14 @@ public ListResponseDTO<RegisteredClientDTO> retrieveClients(

@JsonView({ClientViews.ClientManagement.class})
@GetMapping("/{clientId}")
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public RegisteredClientDTO retrieveClient(@PathVariable String clientId) {
return managementService.retrieveClientByClientId(clientId)
.orElseThrow(clientNotFound(clientId));
}

@GetMapping("/{clientId}/owners")
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public ListResponseDTO<ScimUser> retrieveClientOwners(@PathVariable String clientId,
@RequestParam final Optional<Integer> count,
@RequestParam final Optional<Integer> startIndex) {
Expand All @@ -111,29 +111,29 @@ public ListResponseDTO<ScimUser> retrieveClientOwners(@PathVariable String clien

@PostMapping("/{clientId}/owners/{accountId}")
@ResponseStatus(CREATED)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void assignClientOwner(@PathVariable String clientId,
@PathVariable final String accountId) {
managementService.assignClientOwner(clientId, accountId);
}

@PostMapping("/{clientId}/rat")
@ResponseStatus(CREATED)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public RegisteredClientDTO rotateRegistrationAccessToken(@PathVariable String clientId) {
return managementService.rotateRegistrationAccessToken(clientId);
}

@DeleteMapping("/{clientId}/owners/{accountId}")
@ResponseStatus(NO_CONTENT)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void removeClientOwner(@PathVariable String clientId,
@PathVariable final String accountId) {
managementService.removeClientOwner(clientId, accountId);
}

@PutMapping("/{clientId}")
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public RegisteredClientDTO updateClient(@PathVariable String clientId,
@RequestBody RegisteredClientDTO client)
throws ParseException {
Expand All @@ -142,14 +142,14 @@ public RegisteredClientDTO updateClient(@PathVariable String clientId,

@PostMapping("/{clientId}/secret")
@ResponseStatus(CREATED)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public RegisteredClientDTO rotateClientSecret(@PathVariable String clientId) {
return managementService.generateNewClientSecret(clientId);
}

@DeleteMapping("/{clientId}")
@ResponseStatus(NO_CONTENT)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void deleteClient(@PathVariable String clientId) {
managementService.deleteClientByClientId(clientId);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@

@RestController
@RequestMapping(SearchClientController.ENDPOINT)
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public class SearchClientController {

public static final int MAX_PAGE_SIZE = 100;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ protected InvalidExchangePolicyError buildValidationError(BindingResult result)
}

@RequestMapping(value = "/policies", method = RequestMethod.GET)
@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public List<ExchangePolicyDTO> getExchangePolicies() {
Page<ExchangePolicyDTO> resultsPage = service.getTokenExchangePolicies(UNPAGED);
if (resultsPage.hasNext()) {
Expand All @@ -74,14 +74,14 @@ public List<ExchangePolicyDTO> getExchangePolicies() {

@RequestMapping(value = "/policies/{id}", method = RequestMethod.DELETE)
@ResponseStatus(code = HttpStatus.NO_CONTENT)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void deleteExchangePolicy(@PathVariable Long id) {
service.deleteTokenExchangePolicyById(id);
}

@RequestMapping(value = "/policies", method = RequestMethod.POST)
@ResponseStatus(code = HttpStatus.CREATED)
@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void createExchangePolicy(@Valid @RequestBody ExchangePolicyDTO dto,
BindingResult validationResult) {

Expand Down
Loading

0 comments on commit 402693a

Please sign in to comment.