diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java
index 57d6e5f49..b5adc6604 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java
@@ -72,7 +72,7 @@ private void handleValidationError(BindingResult result) {
 }
 @RequestMapping(value = "/iam/account/{id}/attributes", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 public List getAttributes(@PathVariable String id) {
 IamAccount account =
@@ -85,7 +85,7 @@ public List getAttributes(@PathVariable String id) {
 }
 @RequestMapping(value = "/iam/account/{id}/attributes", method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void setAttribute(@PathVariable String id, @RequestBody @Validated AttributeDTO attribute, final BindingResult validationResult) {
@@ -99,7 +99,7 @@ public void setAttribute(@PathVariable String id, @RequestBody @Validated Attrib
 }
 @RequestMapping(value = "/iam/account/{id}/attributes", method = DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = NO_CONTENT)
 public void deleteAttribute(@PathVariable String id, @Validated AttributeDTO attribute, final BindingResult validationResult) {
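Review bot: Whether `#iam.hasScope('iam:admin.read')` is a drop-in for `#oauth2.hasScope` depends on how the new helper treats a non-OAuth authentication and a token whose scope set lacks the value, and nothing in this hunk shows that; the expression it replaces, as far as I recall, evaluated to false for session logins and surfaced an insufficient_scope 403 to bearer-token callers, so the `#iam` bean should do the same rather than throw, or treat an absent scope set as a pass. Since every `@PreAuthorize` in this file now hangs on that bean, a test per verb here (a session user who is not the `#id` owner, a bearer token without `iam:admin.read` or `iam:admin.write`) expecting 403 would pin the behaviour. The `#iam.hasScope` implementation is outside this diff, so this is an inference to confirm. The three annotated methods run past the hunk.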
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java
index 6b836f88c..6e4cede2c 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java
@@ -68,14 +68,14 @@ protected IamAccount findAccountByName(String name) {
 .orElseThrow(() -> new NoSuchAccountError(format("No account found for name '%s'", name)));
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
 @RequestMapping(value = "/me/authorities", method = RequestMethod.GET)
 public AuthoritySetDTO getAuthoritiesForMe(Authentication authn) {
 return AuthoritySetDTO
 .fromAuthorities(authorityService.getAccountAuthorities(findAccountByName(authn.getName())));
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.GET)
 @ResponseBody
 public AuthoritySetDTO getAuthoritiesForAccount(@PathVariable("id") String id) {
@@ -83,7 +83,7 @@ public AuthoritySetDTO getAuthoritiesForAccount(@PathVariable("id") String id) {
 .fromAuthorities(authorityService.getAccountAuthorities(findAccountById(id)));
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.POST)
 public void addAuthorityToAccount(@PathVariable("id") String id, @Valid AuthorityDTO authority, BindingResult validationResult) {
@@ -96,7 +96,7 @@ public void addAuthorityToAccount(@PathVariable("id") String id, @Valid Authorit
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.DELETE)
 public void removeAuthorityFromAccount(@PathVariable("id") String id, @Valid AuthorityDTO authority, BindingResult validationResult) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
index 38a52d67f..2356b93ee 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
@@ -36,7 +36,7 @@ import it.infn.mw.iam.api.scim.model.ScimUser;
 @RestController
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class FindAccountController {
 public static final String INVALID_FIND_ACCOUNT_REQUEST = "Invalid find account request";
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java
index c7316a43a..994f2b529 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java
@@ -57,7 +57,7 @@ public AccountGroupController(IamAccountService accountService, IamGroupService
 @RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = POST)
 @ResponseStatus(value = HttpStatus.CREATED)
- @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
+ @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
 public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable String groupUuid) {
 IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));
@@ -75,7 +75,7 @@ public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable St
 @RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = DELETE)
 @ResponseStatus(value = HttpStatus.NO_CONTENT)
- @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
+ @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
 public void removeAccountFromGroup(@PathVariable String accountUuid, @PathVariable String groupUuid) {
 IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java
index 6a52268b2..b5682e58a 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java
@@ -63,7 +63,7 @@ public AccountGroupManagerController(AccountGroupManagerService service,
 @RequestMapping(value = "/iam/account/{accountId}/managed-groups", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
 public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
 @PathVariable String accountId) {
 IamAccount account = accountRepository.findByUuid(accountId)
@@ -74,7 +74,7 @@ public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
 @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}", method = RequestMethod.POST)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = HttpStatus.CREATED)
 public void addManagedGroupToAccount(@PathVariable String accountId, @PathVariable String groupId) {
@@ -90,7 +90,7 @@ public void addManagedGroupToAccount(@PathVariable String accountId,
 @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}", method = RequestMethod.DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = HttpStatus.NO_CONTENT)
 public void removeManagedGroupFromAccount(@PathVariable String accountId, @PathVariable String groupId) {
@@ -105,7 +105,7 @@ public void removeManagedGroupFromAccount(@PathVariable String accountId,
 }
 @RequestMapping(value = "/iam/group/{groupId}/group-managers", method=RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
 public List getGroupManagersForGroup(@PathVariable String groupId) {
 IamGroup group = groupRepository.findByUuid(groupId)
 .orElseThrow(() -> InvalidManagedGroupError.groupNotFoundException(groupId));
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java
index dbbd9eb8d..41f047614 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java
@@ -75,7 +75,7 @@ private void handleValidationError(BindingResult result) {
 }
 @RequestMapping(method = GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
 public List getLabels(@PathVariable String id) {
 IamAccount account = service.findByUuid(id).orElseThrow(noSuchAccountError(id));
@@ -88,7 +88,7 @@ public List getLabels(@PathVariable String id) {
 }
 @RequestMapping(method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO label, BindingResult validationResult) {
 handleValidationError(validationResult);
@@ -98,7 +98,7 @@ public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO l
 }
 @RequestMapping(method = DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(NO_CONTENT)
 public void deleteLabel(@PathVariable String id, @Validated LabelDTO label, BindingResult validationResult) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java
index 7f7bfa542..2a3e443a3 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java
@@ -42,7 +42,7 @@
 @RestController
 @RequestMapping(value = AccountLifecycleController.BASE_RESOURCE)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class AccountLifecycleController {
 public static final String BASE_RESOURCE = "/iam/account/{id}/endTime";
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java
index 1b2a81540..b64d11340 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java
@@ -77,7 +77,7 @@ private void handleValidationError(BindingResult result) {
 }
 @RequestMapping(value = "/iam/account/me/proxycert", method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
 public void addProxyCertificate(
 @RequestBody @Validated( value = ProxyCertificateDTO.AddProxyCertValidation.class) ProxyCertificateDTO proxyCert,
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java
index 7062a1ae9..50c4f7e72 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java
@@ -38,7 +38,7 @@
 @RestController
 @Transactional
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 @RequestMapping(AccountSearchController.ACCOUNT_SEARCH_ENDPOINT)
 public class AccountSearchController extends AbstractSearchController {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java
index 41c2dc06e..6f352bf5d 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java
@@ -42,7 +42,7 @@
 @RestController
 @Transactional
-@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #oauth2.hasScope('iam:admin.read')")
+@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #iam.hasScope('iam:admin.read')")
 @RequestMapping(GroupSearchController.GROUP_SEARCH_ENDPOINT)
 public class GroupSearchController extends AbstractSearchController {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java
index f7db70d31..b8db5f862 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java
@@ -101,7 +101,7 @@ public AupSignatureDTO getSignature() throws AccountNotFoundException {
 }
 @RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
 public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) throws AccountNotFoundException {
 IamAccount account = accountUtils.getByAccountId(accountId)
 .orElseThrow(accountNotFoundException("Account not found for id: " + accountId));
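Review bot: The surviving `hasAnyRole('ADMIN', 'USER')` branch on GroupSearchController's class-level `@PreAuthorize` is evaluated against whatever authorities the current Authentication carries, so if bearer-token authentications carry the user's ROLE_USER the way session logins do — the `#iam.hasDashboardRole` helper used by every other controller in this change presumably exists to make that distinction — any user token satisfies it and the `#iam.hasScope('iam:admin.read')` check never matters. If API clients are meant to need the scope, the line should read `@PreAuthorize("#iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_USER') or #iam.hasScope('iam:admin.read')")`; if any authenticated principal may search groups by design, a one-line comment on the annotation saying so would stop the next reader from tightening it. I cannot see from this diff how roles are populated on token authentications, so treat this as a question to confirm rather than a finding. The class body continues beyond the hunk.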
@@ -113,7 +113,7 @@ public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) th
 }
 @RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.PATCH)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write')")
 public void setSignatureForAccount(@PathVariable String accountId, @RequestBody @Validated AupSignatureDTO dto) throws AccountNotFoundException {
 IamAccount account = accountUtils.getByAccountId(accountId)
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
index 08395290f..a761d86df 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
@@ -68,7 +68,7 @@ public ClientManagementAPIController(ClientManagementService managementService)
 @PostMapping
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO saveNewClient(@RequestBody RegisteredClientDTO client) throws ParseException {
 return managementService.saveNewClient(client);
@@ -76,7 +76,7 @@ public RegisteredClientDTO saveNewClient(@RequestBody RegisteredClientDTO client
 @JsonView({ClientViews.ClientManagement.class})
 @GetMapping
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public ListResponseDTO retrieveClients(
 @RequestParam final Optional count, @RequestParam final Optional startIndex,
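Review bot: PATCH on `/iam/aup/signature/{accountId}` keeps `#iam.hasScope('iam:admin.write')` as its only gate, with no `#iam.hasDashboardRole('ROLE_ADMIN')` alternative, unlike every other write endpoint touched by this change and unlike the GET directly above it in the previous hunk. If a dashboard admin is deliberately not allowed to set another user's AUP signature, that deserves a comment on the annotation, e.g. `// scope-only on purpose: signatures are written by API clients, never from the dashboard`; if it is an oversight, appending `or #iam.hasDashboardRole('ROLE_ADMIN')` brings it in line with the rest. The method body continues past the hunk.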
@@ -94,14 +94,14 @@ public ListResponseDTO retrieveClients(
 @JsonView({ClientViews.ClientManagement.class})
 @GetMapping("/{clientId}")
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO retrieveClient(@PathVariable String clientId) {
 return managementService.retrieveClientByClientId(clientId)
 .orElseThrow(clientNotFound(clientId));
 }
 @GetMapping("/{clientId}/owners")
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public ListResponseDTO retrieveClientOwners(@PathVariable String clientId, @RequestParam final Optional count, @RequestParam final Optional startIndex) {
@@ -111,7 +111,7 @@ public ListResponseDTO retrieveClientOwners(@PathVariable String clien
 @PostMapping("/{clientId}/owners/{accountId}")
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void assignClientOwner(@PathVariable String clientId, @PathVariable final String accountId) {
 managementService.assignClientOwner(clientId, accountId);
@@ -119,21 +119,21 @@ public void assignClientOwner(@PathVariable String clientId,
 @PostMapping("/{clientId}/rat")
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO rotateRegistrationAccessToken(@PathVariable String clientId) {
 return managementService.rotateRegistrationAccessToken(clientId);
 }
 @DeleteMapping("/{clientId}/owners/{accountId}")
 @ResponseStatus(NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void removeClientOwner(@PathVariable String clientId, @PathVariable final String accountId) {
 managementService.removeClientOwner(clientId, accountId);
 }
 @PutMapping("/{clientId}")
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO updateClient(@PathVariable String clientId, @RequestBody RegisteredClientDTO client) throws ParseException {
@@ -142,14 +142,14 @@ public RegisteredClientDTO updateClient(@PathVariable String clientId,
 @PostMapping("/{clientId}/secret")
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO rotateClientSecret(@PathVariable String clientId) {
 return managementService.generateNewClientSecret(clientId);
 }
 @DeleteMapping("/{clientId}")
 @ResponseStatus(NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void deleteClient(@PathVariable String clientId) {
 managementService.deleteClientByClientId(clientId);
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java
index be9aa82a2..fa524d114 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java
@@ -36,7 +36,7 @@
 @RestController
 @RequestMapping(SearchClientController.ENDPOINT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class SearchClientController {
 public static final int MAX_PAGE_SIZE = 100;
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java
index 7bf1a4d62..210431e0f 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java
@@ -62,7 +62,7 @@ protected InvalidExchangePolicyError buildValidationError(BindingResult result)
 }
 @RequestMapping(value = "/policies", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public List getExchangePolicies() {
 Page resultsPage = service.getTokenExchangePolicies(UNPAGED);
 if (resultsPage.hasNext()) {
@@ -74,14 +74,14 @@ public List getExchangePolicies() {
 @RequestMapping(value = "/policies/{id}", method = RequestMethod.DELETE)
 @ResponseStatus(code = HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void deleteExchangePolicy(@PathVariable Long id) {
 service.deleteTokenExchangePolicyById(id);
 }
 @RequestMapping(value = "/policies", method = RequestMethod.POST)
 @ResponseStatus(code = HttpStatus.CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void createExchangePolicy(@Valid @RequestBody ExchangePolicyDTO dto, BindingResult validationResult) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java
index 9963eed00..28ea8c02b 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java
@@ -86,7 +86,7 @@ private void handleValidationError(String prefix, BindingResult result) {
 @RequestMapping(value = "/iam/group", method = POST)
 @ResponseStatus(value = HttpStatus.CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public GroupDTO createGroup(@RequestBody @Validated(CreateGroup.class) GroupDTO group, final BindingResult validationResult) {
 handleValidationError(INVALID_GROUP,validationResult);
@@ -97,7 +97,7 @@ public GroupDTO createGroup(@RequestBody @Validated(CreateGroup.class) GroupDTO
 }
 @RequestMapping(value = "/iam/group/{id}", method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
 public GroupDTO updateGroup(@PathVariable String id, @RequestBody @Validated(UpdateGroup.class) GroupDTO group, final BindingResult validationResult) {
 handleValidationError(INVALID_GROUP, validationResult);
@@ -107,7 +107,7 @@ public GroupDTO updateGroup(@PathVariable String id, @RequestBody @Validated(Upd
 }
 @RequestMapping(value = "/iam/group/{id}/attributes", method=RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
 public List getAttributes(@PathVariable String id){
 IamGroup entity = groupService.findByUuid(id).orElseThrow(()->NoSuchGroupError.forUuid(id));
@@ -119,7 +119,7 @@ public List getAttributes(@PathVariable String id){
 }
 @RequestMapping(value = "/iam/group/{id}/attributes", method= PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void setAttribute(@PathVariable String id, @RequestBody @Validated AttributeDTO attribute, final BindingResult validationResult) {
 handleValidationError(INVALID_ATTRIBUTE,validationResult);
 IamGroup entity = groupService.findByUuid(id).orElseThrow(()->NoSuchGroupError.forUuid(id));
@@ -130,7 +130,7 @@ public void setAttribute(@PathVariable String id, @RequestBody @Validated Attrib
 }
 @RequestMapping(value = "/iam/group/{id}/attributes", method=DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = HttpStatus.NO_CONTENT)
 public void deleteAttribute(@PathVariable String id, @Validated AttributeDTO attribute, final BindingResult validationResult) {
 handleValidationError(INVALID_ATTRIBUTE, validationResult);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java
index f20954ca0..98569a0c6 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java
@@ -73,7 +73,7 @@ private Set parseAttributes(final String attributesParameter) {
 @Autowired ScimGroupProvisioning groupProvisioningService;
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimGroup getGroup(@PathVariable final String id) {
@@ -81,7 +81,7 @@ public ScimGroup getGroup(@PathVariable final String id) {
 return groupProvisioningService.getById(id);
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public MappingJacksonValue listGroups(@RequestParam(required = false) final Integer count, @RequestParam(required = false) final Integer startIndex,
@@ -104,7 +104,7 @@ public MappingJacksonValue listGroups(@RequestParam(required = false) final Inte
 return wrapper;
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.POST, consumes = ScimConstants.SCIM_CONTENT_TYPE, produces = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.CREATED)
@@ -115,7 +115,7 @@ public ScimGroup create(@RequestBody @Validated final ScimGroup group,
 return groupProvisioningService.create(group);
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = ScimConstants.SCIM_CONTENT_TYPE, produces = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.OK)
@@ -128,7 +128,7 @@ public ScimGroup replaceGroup(@PathVariable final String id,
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}", method = RequestMethod.PATCH, consumes = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
@@ -141,7 +141,7 @@ public void updateGroup(@PathVariable final String id,
 groupProvisioningService.update(id, groupPatchRequest.getOperations());
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
 public void deleteGroup(@PathVariable final String id) {
@@ -150,7 +150,7 @@ public void deleteGroup(@PathVariable final String id) {
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}/members", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimListResponse listMembers(@PathVariable final String id,
@@ -161,7 +161,7 @@ public ScimListResponse listMembers(@PathVariable final String id
 buildPageRequest(count, startIndex, SCIM_MEMBERS_MAX_PAGE_SIZE));
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}/subgroups", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimListResponse listSubgroups(@PathVariable final String id,
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java
index a340f6f15..b3e03044f 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java
@@ -126,7 +126,7 @@ public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
 this.eventPublisher = publisher;
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or hasRole('USER')")
+ @PreAuthorize("#iam.hasScope('scim:read') or hasRole('USER')")
 @RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimUser whoami() {
@@ -135,7 +135,7 @@ public ScimUser whoami() {
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or hasRole('USER')")
+ @PreAuthorize("#iam.hasScope('scim:write') or hasRole('USER')")
 @RequestMapping(method = RequestMethod.PATCH, consumes = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
 public void updateUser(
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java
index c1e104868..11e2e4606 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java
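Review bot: Both `/scim/Me` methods fall back to a plain `hasRole('USER')` rather than the `#iam.hasDashboardRole('ROLE_USER')` form used everywhere else in this change, so an access token that carries the user's ROLE_USER authority but not `scim:write` would still be allowed to PATCH the user record — provided token authentications carry roles the way session logins do, which I cannot confirm from this diff. If the scope is meant to be enforced for API clients, `@PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_USER')")` on updateUser (and the `scim:read` twin on whoami) would do it; if any logged-in principal may read and modify its own record regardless of scope, a comment on the annotation stating that intent would keep the asymmetry from being mistaken for a bug. The updateUser signature is cut off at the end of the hunk.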
@@ -75,7 +75,7 @@ private Set parseAttributes(final String attributesParameter) {
 return result;
 }
-@PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public MappingJacksonValue listUsers(@RequestParam(required = false) final Integer count,
 @RequestParam(required = false) final Integer startIndex,
@@ -98,7 +98,7 @@ public MappingJacksonValue listUsers(@RequestParam(required = false) final Integ
 return wrapper;
 }
-@PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+@PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 @RequestMapping(value = "/{id}", method = RequestMethod.GET,
 produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimUser getUser(@PathVariable final String id) {
@@ -106,7 +106,7 @@ public ScimUser getUser(@PathVariable final String id) {
 return userProvisioningService.getById(id);
 }
-@PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.POST, consumes = ScimConstants.SCIM_CONTENT_TYPE,
 produces = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.CREATED)
@@ -120,7 +120,7 @@ public MappingJacksonValue create(
 return new MappingJacksonValue(result);
 }
-@PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = ScimConstants.SCIM_CONTENT_TYPE,
 produces = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.OK)
@@ -134,7 +134,7 @@ public ScimUser replaceUser(@PathVariable final String id,
 }
-@PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/{id}", method = RequestMethod.PATCH,
 consumes = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
@@ -148,7 +148,7 @@ public void updateUser(@PathVariable final String id,
 }
-@PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
 public void deleteUser(@PathVariable final String id) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java
index 84937b5a1..7f8962c15 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java
@@ -55,7 +55,7 @@ public ScopePolicyController(ScopePolicyService policyService,
 }
 @RequestMapping(value = "/iam/scope_policies", method = RequestMethod.GET)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public List listScopePolicies() {
 Iterable policies = policyService.findAllScopePolicies();
@@ -70,7 +70,7 @@ public List listScopePolicies() {
 @RequestMapping(value = "/iam/scope_policies", method = RequestMethod.POST)
 @ResponseStatus(code = HttpStatus.CREATED)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void addScopePolicy(@Valid @RequestBody ScopePolicyDTO policy,
 BindingResult validationResult) {
@@ -83,7 +83,7 @@ public void addScopePolicy(@Valid @RequestBody ScopePolicyDTO policy,
 @RequestMapping(value = "/iam/scope_policies/{id}", method = RequestMethod.GET)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public ScopePolicyDTO getScopePolicy(@PathVariable Long id) {
 IamScopePolicy p = policyService.findScopePolicyById(id)
@@ -95,7 +95,7 @@ public ScopePolicyDTO getScopePolicy(@PathVariable Long id) {
 @RequestMapping(value = "/iam/scope_policies/{id}", method = RequestMethod.PUT)
 @ResponseStatus(code = HttpStatus.NO_CONTENT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void updateScopePolicy(@PathVariable Long id,
 @Valid @RequestBody ScopePolicyDTO policy,
 BindingResult validationResult) {
@@ -110,7 +110,7 @@ public void updateScopePolicy(@PathVariable Long id,
 @RequestMapping(value = "/iam/scope_policies/{id}", method = RequestMethod.DELETE)
 @ResponseStatus(code = HttpStatus.NO_CONTENT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void deleteScopePolicy(@PathVariable Long id) {
 policyService.deleteScopePolicyById(id);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java
index 5113ab640..49fc09f64 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java
@@ -49,7 +49,7 @@ public class AccessTokensController extends TokensControllerSupport {
 private TokenService tokenService;
 @RequestMapping(method = RequestMethod.GET, produces = APPLICATION_JSON_CONTENT_TYPE)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public MappingJacksonValue listAccessTokens(@RequestParam(required = false) Integer count,
 @RequestParam(required = false) Integer startIndex,
 @RequestParam(required = false) String userId,
@@ -63,7 +63,7 @@ public MappingJacksonValue listAccessTokens(@RequestParam(required = false) Inte
 @RequestMapping(method = RequestMethod.DELETE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void deleteAllTokens() {
 tokenService.deleteAllTokens();
 }
@@ -87,7 +87,7 @@ private ListResponseDTO getFilteredList(TokensPageRequest pageReque
 }
 @RequestMapping(method = RequestMethod.GET, value = "/{id}", produces = APPLICATION_JSON_CONTENT_TYPE)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public AccessToken getAccessToken(@PathVariable("id") Long id) {
 return tokenService.getTokenById(id);
@@ -95,7 +95,7 @@ public AccessToken getAccessToken(@PathVariable("id") Long id) {
 @RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
 @ResponseStatus(HttpStatus.NO_CONTENT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void revokeAccessToken(@PathVariable("id") Long id) {
 tokenService.revokeTokenById(id);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java
index 28b232c36..90c7f68b2 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java
@@ -49,7 +49,7 @@ public class RefreshTokensController extends TokensControllerSupport {
 private TokenService tokenService;
 @RequestMapping(method = RequestMethod.GET, produces = APPLICATION_JSON_CONTENT_TYPE)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public MappingJacksonValue lisRefreshTokens(@RequestParam(required = false) Integer count,
 @RequestParam(required = false) Integer startIndex,
 @RequestParam(required = false) String userId,
@@ -63,7 +63,7 @@ public MappingJacksonValue lisRefreshTokens(@RequestParam(required = false) Inte
 @RequestMapping(method = RequestMethod.DELETE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void deleteAllTokens() {
 tokenService.deleteAllTokens();
 }
@@ -87,7 +87,7 @@ private ListResponseDTO getFilteredList(TokensPageRequest pageRequ
 }
 @RequestMapping(method = RequestMethod.GET, value = "/{id}", produces = APPLICATION_JSON_CONTENT_TYPE)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RefreshToken getRefreshToken(@PathVariable("id") Long id) {
 return tokenService.getTokenById(id);
@@ -95,7 +95,7 @@ public RefreshToken getRefreshToken(@PathVariable("id") Long id) {
 @RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
 @ResponseStatus(HttpStatus.NO_CONTENT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void revokeRefreshToken(@PathVariable("id") Long id) {
 tokenService.revokeTokenById(id);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java
index 271624d60..7b4563381 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java
@@ -57,7 +57,7 @@ public IamUserInfoEndpoint(JWTProfileResolver profileResolver,
 this.scopeResolver = scopeResolver;
 }
-@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('" + SystemScopeService.OPENID_SCOPE
+@PreAuthorize("hasRole('ROLE_USER') and #iam.hasScope('" + SystemScopeService.OPENID_SCOPE
 + "')")
 @RequestMapping(method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE})
 public String getInfo(
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java b/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java
index 04561f271..abe92b7f2 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java
@@ -95,7 +95,7 @@ private Optional getExternalAuthenticati
-@PreAuthorize("#oauth2.hasScope('registration:read') or hasRole('ADMIN')")
+@PreAuthorize("#iam.hasScope('registration:read') or hasRole('ADMIN')")
 @RequestMapping(value = "/registration/list", method = RequestMethod.GET)
 @ResponseBody
 public List listRequests(
@@ -104,7 +104,7 @@ public List listRequests(
 return service.listRequests(status);
 }
-@PreAuthorize("#oauth2.hasScope('registration:read') or hasRole('ADMIN')")
+@PreAuthorize("#iam.hasScope('registration:read') or hasRole('ADMIN')")
 @RequestMapping(value = "/registration/list/pending", method = RequestMethod.GET)
 @ResponseBody
 public List listPendingRequests() {
@@ -121,13 +121,13 @@ public RegistrationRequestDto createRegistrationRequest(
 }
-@PreAuthorize("#oauth2.hasScope('registration:write') or hasRole('ADMIN')")
+@PreAuthorize("#iam.hasScope('registration:write') or hasRole('ADMIN')")
 @RequestMapping(value = "/registration/approve/{uuid}", method = RequestMethod.POST)
 public RegistrationRequestDto approveRequest(@PathVariable("uuid") String uuid) {
 return service.approveRequest(uuid);
 }
-@PreAuthorize("#oauth2.hasScope('registration:write') or hasRole('ADMIN')")
+@PreAuthorize("#iam.hasScope('registration:write') or hasRole('ADMIN')")
 @RequestMapping(value = "/registration/reject/{uuid}", method = RequestMethod.POST)
 public RegistrationRequestDto rejectRequest(@PathVariable("uuid") String uuid,
 @RequestParam(required = false) String motivation) {
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
index 6e7693552..60fe54400 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/ClientManagementAPIIntegrationTests.java
@@ -28,12 +28,15 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.security.test.context.support.WithAnonymousUser;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultMatcher;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -41,12 +44,14 @@
 import it.infn.mw.iam.api.client.management.ClientManagementAPIController;
 import it.infn.mw.iam.api.common.client.RegisteredClientDTO;
 import it.infn.mw.iam.test.api.TestSupport;
+import it.infn.mw.iam.test.core.CoreControllerTestSupport;
 import it.infn.mw.iam.test.oauth.client_registration.ClientRegistrationTestSupport.ClientJsonStringBuilder;
+import it.infn.mw.iam.test.util.WithMockOAuthUser;
 import it.infn.mw.iam.test.util.annotation.IamMockMvcIntegrationTest;
+import it.infn.mw.iam.test.util.oauth.MockOAuth2Filter;
 @IamMockMvcIntegrationTest
-@WithMockUser(username = "admin", roles = {"ADMIN", "USER"})
-@SpringBootTest(classes = {IamLoginService.class})
+@SpringBootTest(classes = {IamLoginService.class, CoreControllerTestSupport.class})
 public class ClientManagementAPIIntegrationTests extends TestSupport {
 @Autowired
@@ -55,60 +60,87 @@ public class ClientManagementAPIIntegrationTests extends TestSupport { @Autowired private ObjectMapper mapper; - @Test - @WithAnonymousUser - public void clientManagementRequiresAuthenticatedUser() throws Exception { + @Autowired + private MockOAuth2Filter mockOAuth2Filter; - String clientJson = ClientJsonStringBuilder.builder().build(); - mvc.perform(get(ClientManagementAPIController.ENDPOINT)).andExpect(UNAUTHORIZED); - mvc - .perform(post(ClientManagementAPIController.ENDPOINT).contentType(APPLICATION_JSON) - .content(clientJson)) - .andExpect(UNAUTHORIZED); - mvc - .perform(put(ClientManagementAPIController.ENDPOINT + "/client").contentType(APPLICATION_JSON) - .content(clientJson)) - .andExpect(UNAUTHORIZED); - mvc.perform(delete(ClientManagementAPIController.ENDPOINT + "/client")).andExpect(UNAUTHORIZED); + + @BeforeEach + public void setup() { + mockOAuth2Filter.cleanupSecurityContext(); } - @Test - @WithMockUser(username = "test", roles = "USER") - public void clientManagementRequiresAdminUser() throws Exception { + @AfterEach + public void teardown() { + mockOAuth2Filter.cleanupSecurityContext(); + } + + private void clientManagementFailsWithResponseForClient(ResultMatcher response, String clientId) + throws Exception { String clientJson = ClientJsonStringBuilder.builder().build(); - mvc.perform(get(ClientManagementAPIController.ENDPOINT)).andExpect(FORBIDDEN); + mvc.perform(get(ClientManagementAPIController.ENDPOINT)).andExpect(response); mvc .perform(post(ClientManagementAPIController.ENDPOINT).contentType(APPLICATION_JSON) .content(clientJson)) - .andExpect(FORBIDDEN); + .andExpect(response); mvc - .perform(put(ClientManagementAPIController.ENDPOINT + "/client").contentType(APPLICATION_JSON) - .content(clientJson)) - .andExpect(FORBIDDEN); - mvc.perform(delete(ClientManagementAPIController.ENDPOINT + "/client")).andExpect(FORBIDDEN); + .perform( + put(ClientManagementAPIController.ENDPOINT + "/" + 
clientId).contentType(APPLICATION_JSON) + .content(clientJson)) + .andExpect(response); + mvc.perform(delete(ClientManagementAPIController.ENDPOINT + "/" + clientId)) + .andExpect(response); } - - @Test - public void paginatedGetClientsWorks() throws Exception { + private void paginatedGetClientsTest() throws Exception { mvc.perform(get(ClientManagementAPIController.ENDPOINT)) .andExpect(OK) - .andExpect(jsonPath("$.totalResults").value(16)) + .andExpect(jsonPath("$.totalResults").value(18)) .andExpect(jsonPath("$.itemsPerPage").value(10)) .andExpect(jsonPath("$.startIndex").value(1)) .andExpect(jsonPath("$.Resources", hasSize(10))) - .andExpect(jsonPath("$.Resources[0].client_id").value("client")); + .andExpect(jsonPath("$.Resources[0].client_id").value("admin-client-ro")); mvc.perform(get(ClientManagementAPIController.ENDPOINT).param("startIndex", "11")) .andExpect(OK) - .andExpect(jsonPath("$.totalResults").value(16)) - .andExpect(jsonPath("$.itemsPerPage").value(6)) + .andExpect(jsonPath("$.totalResults").value(18)) + .andExpect(jsonPath("$.itemsPerPage").value(8)) .andExpect(jsonPath("$.startIndex").value(11)) - .andExpect(jsonPath("$.Resources", hasSize(6))) - .andExpect(jsonPath("$.Resources[0].client_id").value("scim-client-ro")); + .andExpect(jsonPath("$.Resources", hasSize(8))) + .andExpect(jsonPath("$.Resources[0].client_id").value("public-dc-client")); + } + + @Test + @WithAnonymousUser + public void clientManagementRequiresAuthenticatedUser() throws Exception { + clientManagementFailsWithResponseForClient(UNAUTHORIZED, "client"); } @Test + @WithMockUser(username = "test", roles = "USER") + public void clientManagementIsForbiddenForUsers() throws Exception { + clientManagementFailsWithResponseForClient(FORBIDDEN, "client"); + } + + @Test + @WithMockOAuthUser(user = "test", scopes = {"openid"}) + public void clientManagementIsForbiddenWithoutAdminScopes() throws Exception { + clientManagementFailsWithResponseForClient(FORBIDDEN, "client"); + } + + @Test 
+ @WithMockOAuthUser(user = "test", scopes = {"iam:admin.read"}) + public void paginatedGetClientsWorksWithScopes() throws Exception { + paginatedGetClientsTest(); + } + + @Test + @WithMockUser(username = "admin", roles = {"ADMIN", "USER"}) + public void paginatedGetClientsWorksAsAdmin() throws Exception { + paginatedGetClientsTest(); + } + + @Test + @WithMockUser(username = "admin", roles = {"ADMIN", "USER"}) public void clientRemovalWorks() throws Exception { mvc.perform(get(ClientManagementAPIController.ENDPOINT + "/client")) @@ -123,6 +155,7 @@ public void clientRemovalWorks() throws Exception { } @Test + @WithMockUser(username = "admin", roles = {"ADMIN", "USER"}) public void ratRotationWorks() throws Exception { String clientJson = ClientJsonStringBuilder.builder().scopes("openid").build(); @@ -147,6 +180,7 @@ public void ratRotationWorks() throws Exception { } @Test + @WithMockUser(username = "admin", roles = {"ADMIN", "USER"}) public void setTokenLifetimesWorks() throws Exception { String clientJson = ClientJsonStringBuilder.builder() 
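Review bot: `paginatedGetClientsWorksWithScopes` is the only scoped-token case with a positive outcome and it exercises GET alone, so nothing asserts that a token carrying only `iam:admin.read` is rejected on POST, PUT and DELETE; `clientManagementIsForbiddenWithoutAdminScopes` uses an `openid` token, which says nothing about read/write separation. A test annotated `@WithMockOAuthUser(user = "test", scopes = {"iam:admin.read"})` that sends the write requests and expects `FORBIDDEN` would pin that, which means splitting `clientManagementFailsWithResponseForClient` into a read part and a write part, assuming the controller's write endpoints require `iam:admin.write` as the other controllers in this commit do. The expected `totalResults` of 18 and the first-page client id `admin-client-ro` in `paginatedGetClientsTest` tie the test to the exact fixture set and will move again whenever a client is added to the test data; a comment naming the fixture file would help the next person who has to bump them. The enclosing class continues past the end of this hunk.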
@@ -184,28 +218,29 @@ public void setTokenLifetimesWorks() throws Exception { client = mapper.readValue(responseJson, RegisteredClientDTO.class); assertTrue(client.getAccessTokenValiditySeconds().equals(0)); assertTrue(client.getRefreshTokenValiditySeconds().equals(0)); - + clientJson = ClientJsonStringBuilder.builder() - .scopes("openid") - .accessTokenValiditySeconds(10) - .refreshTokenValiditySeconds(10) - .build(); - - responseJson = mvc - .perform(post(ClientManagementAPIController.ENDPOINT).contentType(APPLICATION_JSON) - .content(clientJson)) - .andExpect(CREATED) - .andReturn() - .getResponse() - .getContentAsString(); - - client = mapper.readValue(responseJson, RegisteredClientDTO.class); - assertTrue(client.getAccessTokenValiditySeconds().equals(10)); - assertTrue(client.getRefreshTokenValiditySeconds().equals(10)); + .scopes("openid") + .accessTokenValiditySeconds(10) + .refreshTokenValiditySeconds(10) + .build(); + + responseJson = mvc + .perform(post(ClientManagementAPIController.ENDPOINT).contentType(APPLICATION_JSON) + .content(clientJson)) + .andExpect(CREATED) + .andReturn() + .getResponse() + .getContentAsString(); + + client = mapper.readValue(responseJson, RegisteredClientDTO.class); + assertTrue(client.getAccessTokenValiditySeconds().equals(10)); + assertTrue(client.getRefreshTokenValiditySeconds().equals(10)); } @Test + @WithMockUser(username = "admin", roles = {"ADMIN", "USER"}) public void negativeTokenLifetimesNotAllowed() throws Exception { String clientJson = diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java index c352cafb1..6c991f018 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java 
@@ -18,8 +18,8 @@
 import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID;
 import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE;
 import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
 import static org.springframework.http.HttpStatus.BAD_REQUEST;
 import static org.springframework.http.HttpStatus.FORBIDDEN;
 import static org.springframework.http.HttpStatus.NOT_FOUND;
@@ -32,6 +32,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit4.SpringRunner;
 import it.infn.mw.iam.IamLoginService;
@@ -69,22 +70,43 @@ public void teardown() {
 }
 @Test
-@WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {})
+@WithMockOAuthUser(user = TESTUSER_USERNAME, scopes = {})
 public void insufficientScopeUser() throws Exception {
 restUtils.getMe(FORBIDDEN);
 }
 @Test
-@WithMockOAuthUser(user = NOT_FOUND_USERNAME, authorities = {"ROLE_USER"})
+@WithMockUser(username = TESTUSER_USERNAME, roles = {})
+public void insufficientAuthoritiesUser() throws Exception {
+
+restUtils.getMe(FORBIDDEN);
+}
+
+@Test
+@WithMockOAuthUser(user = NOT_FOUND_USERNAME, scopes = {SCIM_READ_SCOPE})
+public void notFoundUserWithToken() throws Exception {
+
+restUtils.getMe(NOT_FOUND);
+}
+
+@Test
+@WithMockUser(username = NOT_FOUND_USERNAME, roles = {"USER"})
 public void notFoundUser() throws Exception {
 restUtils.getMe(NOT_FOUND);
 }
 @Test
-@WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {"ROLE_USER"})
-public void authenticatedUser() throws Exception {
+@WithMockOAuthUser(user = TESTUSER_USERNAME, scopes = {SCIM_READ_SCOPE})
+public void authenticatedUserWithToken() throws Exception {
+
+assertThat(restUtils.getMe().getUserName(), equalTo(TESTUSER_USERNAME));
+}
+
+@Test
+@WithMockUser(username = TESTUSER_USERNAME, roles = {"USER"})
+public void authenticatedUserNoToken() throws Exception {
 assertThat(restUtils.getMe().getUserName(), equalTo(TESTUSER_USERNAME));
 }
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java
index b5265da39..9b699b130 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/TokenEndpointClientAuthenticationTests.java
@@ -15,8 +15,12 @@
 */
 package it.infn.mw.iam.test.oauth;
+import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.not;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@@ -30,7 +34,10 @@
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
 import it.infn.mw.iam.IamLoginService;
+import it.infn.mw.iam.test.util.WithAnonymousUser;
 import it.infn.mw.iam.test.util.annotation.IamMockMvcIntegrationTest;
@@ -42,10 +49,17 @@ public class TokenEndpointClientAuthenticationTests {
 private static final String TOKEN_ENDPOINT = "/token";
 private static final String GRANT_TYPE = "client_credentials";
 private static final String SCOPE = "read-tasks";
+private static final String SCOPE_SUBSET = "openid";
+
+private static final String TEST_USER_UUID = "80e5fb8d-b7c8-451a-89ba-346ae278a66f";
+private static final String PRODUCTION_GROUP_UUID = "c617d586-54e6-411d-8e38-64967798fa8a";
 @Autowired
 private MockMvc mvc;
+@Autowired
+private ObjectMapper mapper;
+
 @Test
 public void testTokenEndpointFormClientAuthentication() throws Exception {
@@ -114,10 +128,151 @@ public void testTokenEndpointBasicClientAuthentication() throws Exception { .andExpect(jsonPath("$.scope", equalTo(SCOPE))); // @formatter:on } - + @Test public void testTokenEndpointOptionsMethodAllowed() throws Exception { - mvc.perform(options(TOKEN_ENDPOINT)) - .andExpect(status().isOk()); + mvc.perform(options(TOKEN_ENDPOINT)).andExpect(status().isOk()); + } + + @Test + @WithAnonymousUser + public void testInsufficientScopedClientCredentialTokenForbidsAccess() throws Exception { + + String clientId = "scim-client-rw"; + String clientSecret = "secret"; + + String response = mvc + .perform(post(TOKEN_ENDPOINT).with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("scope", SCOPE_SUBSET)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", equalTo(SCOPE_SUBSET))) + .andExpect(jsonPath("$.scope", not(containsString("scim:read")))) + .andExpect(jsonPath("$.scope", not(containsString("scim:write")))) + .andReturn() + .getResponse() + .getContentAsString(); + + ObjectMapper mapper = new ObjectMapper(); + String accessTokenNoSCIM = mapper.readTree(response).get("access_token").asText(); + + String scimAuthorizationHeader = String.format("Bearer %s", accessTokenNoSCIM); + + mvc.perform(get("/scim/Users").header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + + mvc + .perform( + get("/scim/Users/" + TEST_USER_UUID).header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + + mvc + .perform( + delete("/scim/Users/" + TEST_USER_UUID).header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + + mvc.perform(get("/scim/Groups").header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + + mvc + .perform(get("/scim/Groups/" + PRODUCTION_GROUP_UUID).header("Authorization", + scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + + mvc + .perform(delete("/scim/Groups/" + 
PRODUCTION_GROUP_UUID).header("Authorization", + scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + } + + @Test + @WithAnonymousUser + public void testSCIMScopedClientCredentialTokenAllowsAccess() throws Exception { + + String clientId = "scim-client-rw"; + String clientSecret = "secret"; + + String response = mvc + .perform(post(TOKEN_ENDPOINT).with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("scope", "scim:read scim:write")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", containsString("scim:read"))) + .andExpect(jsonPath("$.scope", containsString("scim:write"))) + .andReturn() + .getResponse() + .getContentAsString(); + + String accessTokenSCIM = mapper.readTree(response).get("access_token").asText(); + + String scimAuthorizationHeader = String.format("Bearer %s", accessTokenSCIM); + + mvc.perform(get("/scim/Users").header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.Resources[1].userName", equalTo("test"))); + + mvc + .perform( + get("/scim/Users/" + TEST_USER_UUID).header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.userName", equalTo("test"))); + + mvc + .perform( + delete("/scim/Users/" + TEST_USER_UUID).header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isNoContent()); + + mvc.perform(get("/scim/Groups").header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.startIndex", equalTo(1))) + .andExpect(jsonPath("$.Resources[0].displayName", equalTo("Production"))); + + mvc + .perform(get("/scim/Groups/" + PRODUCTION_GROUP_UUID).header("Authorization", + scimAuthorizationHeader)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.displayName", equalTo("Production"))); + + mvc + .perform(delete("/scim/Groups/" + PRODUCTION_GROUP_UUID).header("Authorization", + 
scimAuthorizationHeader)) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.detail", equalTo("Group is not empty"))); + } + + @Test + @WithAnonymousUser + public void testAdminScopedClientCredentialTokenAllowsAccess() throws Exception { + + String clientId = "admin-client-rw"; + String clientSecret = "secret"; + + String response = mvc + .perform(post(TOKEN_ENDPOINT).with(httpBasic(clientId, clientSecret)) + .param("grant_type", GRANT_TYPE) + .param("scope", "iam:admin.read iam:admin.write")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.scope", containsString("iam:admin.read"))) + .andExpect(jsonPath("$.scope", containsString("iam:admin.write"))) + .andReturn() + .getResponse() + .getContentAsString(); + + String accessTokenAdmin = mapper.readTree(response).get("access_token").asText(); + + String adminAuthorizationHeader = String.format("Bearer %s", accessTokenAdmin); + + mvc + .perform( + get("/iam/api/clients/" + clientId).header("Authorization", adminAuthorizationHeader)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.client_id", equalTo(clientId))); + + mvc + .perform( + delete("/iam/api/clients/" + clientId).header("Authorization", adminAuthorizationHeader)) + .andExpect(status().isNoContent()); + } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/authzcode/AuthorizationCodeIntegrationTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/authzcode/AuthorizationCodeIntegrationTests.java index 4c2522248..b654ee0b0 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/authzcode/AuthorizationCodeIntegrationTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/authzcode/AuthorizationCodeIntegrationTests.java 
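Review bot: `testInsufficientScopedClientCredentialTokenForbidsAccess` declares a local `ObjectMapper mapper = new ObjectMapper();` that shadows the `mapper` field autowired at the top of the class in this same commit, while the two tests below it use the field; drop the local and keep `String accessTokenNoSCIM = mapper.readTree(response).get("access_token").asText();`. `testSCIMScopedClientCredentialTokenAllowsAccess` deletes the `test` user (`delete("/scim/Users/" + TEST_USER_UUID)` expecting 204) and the admin test deletes the very client it authenticated with, so unless the test context is rolled back per method (not visible here) any later test that relies on user `test` or client `admin-client-rw` becomes order-dependent. The insufficient-scope case only sends an `openid` token; a token carrying `scim:read` alone, sent to the two DELETE endpoints and expected to get 403, would also pin the read/write split that the `#iam.hasScope('scim:write')` annotations in this commit are meant to enforce.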
@@ -62,7 +62,8 @@ public class AuthorizationCodeIntegrationTests { public static final String RESPONSE_TYPE_CODE = "code"; - public static final String SCOPE = "openid profile"; + public static final String SCOPE = + "openid profile scim:read scim:write offline_access iam:admin.read iam:admin.write"; public static final String TEST_USER_ID = "test"; public static final String TEST_USER_PASSWORD = "password"; 
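Review bot: Widening the class-wide `SCOPE` constant to `scim:*`, `offline_access` and `iam:admin.*` changes the authorization request of every pre-existing test in this class, not only the new refresh-token test, so any existing test that submits the consent form with just `scope_openid`/`scope_profile` (none is visible in this hunk) now requests far more than it approves. A dedicated constant keeps the old requests unchanged: `public static final String REFRESH_TEST_SCOPE = "openid profile scim:read scim:write offline_access iam:admin.read iam:admin.write";` with `SCOPE = "openid profile"` left as it was. Requesting admin scopes by default also means every authorization in this class walks through consent for privileged scopes, which should be a deliberate choice rather than a side effect.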
@@ -194,4 +195,280 @@ public void testAuthzCodeAudienceSupport() } + @Test + public void testRefreshTokenAfterAuthzCodeWorks() + throws JsonProcessingException, IOException, ParseException { + + // @formatter:off + ValidatableResponse resp1 = RestAssured.given() + .queryParam("response_type", RESPONSE_TYPE_CODE) + .queryParam("client_id", TEST_CLIENT_ID) + .queryParam("redirect_uri", TEST_CLIENT_REDIRECT_URI) + .queryParam("scope", SCOPE) + .queryParam("nonce", "1") + .queryParam("state", "1") + .redirects().follow(false) + .when() + .get(authorizeUrl) + .then() + .statusCode(HttpStatus.FOUND.value()) + .header("Location", is(loginUrl)); + // @formatter:on + + // @formatter:off + ValidatableResponse resp2 = RestAssured.given() + .formParam("username", "test") + .formParam("password", "password") + .formParam("submit", "Login") + .cookie(resp1.extract().detailedCookie("JSESSIONID")) + .redirects().follow(false) + .when() + .post(loginUrl) + .then() + .statusCode(HttpStatus.FOUND.value()); + // @formatter:on + + // @formatter:off + RestAssured.given() + .cookie(resp2.extract().detailedCookie("JSESSIONID")) + .queryParam("response_type", RESPONSE_TYPE_CODE) + .queryParam("client_id", TEST_CLIENT_ID) + .queryParam("redirect_uri", TEST_CLIENT_REDIRECT_URI) + .queryParam("scope", SCOPE) + .queryParam("nonce", "1") + .queryParam("state", "1") + .redirects().follow(false) + .when() + .get(authorizeUrl) + .then() + .log().all() + .statusCode(HttpStatus.OK.value()); + // @formatter:on + + // @formatter:off + ValidatableResponse resp4 = RestAssured.given() + .cookie(resp2.extract().detailedCookie("JSESSIONID")) + .formParam("user_oauth_approval", "true") + .formParam("authorize", "Authorize") + .formParam("scope_openid", "openid") + .formParam("scope_profile", "profile") + .formParam("scope_offline_access", "offline_access") + .formParam("scope_scim_read", "scim:read") + .formParam("scope_scim_write", "scim:write") + .formParam("scope_iam_admin_read", "iam:admin.read") + 
.formParam("scope_iam_admin_write", "iam:admin.write") + .formParam("remember", "none") + .redirects().follow(false) + .when() + .post(authorizeUrl) + .then() + .statusCode(HttpStatus.SEE_OTHER.value()); + // @formatter:on + + String authzCode = UriComponentsBuilder.fromHttpUrl(resp4.extract().header("Location")) + .build() + .getQueryParams() + .get("code") + .get(0); + + // @formatter:off + ValidatableResponse resp5= RestAssured.given() + .formParam("grant_type", "authorization_code") + .formParam("redirect_uri", TEST_CLIENT_REDIRECT_URI) + .formParam("code", authzCode) + .formParam("state", "1") + .auth() + .preemptive() + .basic(TEST_CLIENT_ID, TEST_CLIENT_SECRET) + .when() + .post(tokenUrl) + .then() + .statusCode(HttpStatus.OK.value()); + // @formatter:on + + String refreshToken = + mapper.readTree(resp5.extract().body().asString()).get("refresh_token").asText(); + + // @formatter:off + ValidatableResponse resp6= RestAssured.given() + .formParam("grant_type", "refresh_token") + .formParam("refresh_token", refreshToken) + .formParam("scope", "openid") + .auth() + .preemptive() + .basic(TEST_CLIENT_ID, TEST_CLIENT_SECRET) + .when() + .post(tokenUrl) + .then() + .statusCode(HttpStatus.OK.value()); + // @formatter:on + + String refreshedToken = + mapper.readTree(resp6.extract().body().asString()).get("access_token").asText(); + + // @formatter:off + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/scim/Users") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/scim/Groups") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/scim/Users/80e5fb8d-b7c8-451a-89ba-346ae278a66f") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + 
.get("/scim/Groups/c617d586-54e6-411d-8e38-649677980001") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .delete("/scim/Users/80e5fb8d-b7c8-451a-89ba-346ae278a66f") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .delete("/scim/Groups/c617d586-54e6-411d-8e38-649677980001") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/group/c617d586-54e6-411d-8e38-649677980001/attributes") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/me/authorities") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/api/clients") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/scope_policies") + .then() + .statusCode(HttpStatus.FORBIDDEN.value()); + + ValidatableResponse resp7= RestAssured.given() + .formParam("grant_type", "refresh_token") + .formParam("refresh_token", refreshToken) + .formParam("scope", "openid scim:read scim:write") + .auth() + .preemptive() + .basic(TEST_CLIENT_ID, TEST_CLIENT_SECRET) + .when() + .post(tokenUrl) + .then() + .statusCode(HttpStatus.OK.value()); + // @formatter:on + + refreshedToken = + mapper.readTree(resp7.extract().body().asString()).get("access_token").asText(); + + // @formatter:off + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/scim/Users") + .then() + .statusCode(HttpStatus.OK.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + 
.get("/scim/Groups") + .then() + .statusCode(HttpStatus.OK.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/scim/Users/80e5fb8d-b7c8-451a-89ba-346ae278a66f") + .then() + .statusCode(HttpStatus.OK.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/scim/Groups/c617d586-54e6-411d-8e38-649677980001") + .then() + .statusCode(HttpStatus.OK.value()); + + ValidatableResponse resp8= RestAssured.given() + .formParam("grant_type", "refresh_token") + .formParam("refresh_token", refreshToken) + .formParam("scope", "openid iam:admin.read iam:admin.write") + .auth() + .preemptive() + .basic(TEST_CLIENT_ID, TEST_CLIENT_SECRET) + .when() + .post(tokenUrl) + .then() + .statusCode(HttpStatus.OK.value()); + // @formatter:on + + refreshedToken = + mapper.readTree(resp8.extract().body().asString()).get("access_token").asText(); + +// @formatter:off + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/group/c617d586-54e6-411d-8e38-649677980001/attributes") + .then() + .statusCode(HttpStatus.OK.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/me/authorities") + .then() + .statusCode(HttpStatus.OK.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/api/clients") + .then() + .statusCode(HttpStatus.OK.value()); + + RestAssured.given() + .header("Authorization", "Bearer " + refreshedToken) + .when() + .get("/iam/scope_policies") + .then() + .statusCode(HttpStatus.OK.value()); + // @formatter:on + + + } + } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java index 6c6897d2f..e41ae79d0 100644 
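Review bot: The down-scoped refresh (`resp6`, `scope=openid`) is verified only indirectly through the 403 responses; the token response's `scope` field is never asserted, and no refresh ever requests a scope outside the original grant, so scope escalation on refresh is untested. Add `.body("scope", not(containsString("scim:")))` and `.body("scope", not(containsString("iam:admin")))` to `resp6`, and one more refresh with `.formParam("scope", "openid email")` expecting a non-200 (`invalid_scope`, assuming the server follows RFC 6749 §6) since `email` was never approved. The `.log().all()` on the second authorize request dumps the full consent page, headers and cookies into the test output on every run; drop it or use `.log().ifValidationFails()`. The literal UUIDs `80e5fb8d-...` and `c617d586-...` are repeated a dozen times here; name them as constants the way the other new tests in this change do.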
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java @@ -22,10 +22,12 @@ import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; +import static org.hamcrest.Matchers.not; import static org.junit.Assert.assertNotNull; import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED; import static org.springframework.http.MediaType.APPLICATION_JSON; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; @@ -392,6 +394,9 @@ public void testDeviceCodeApprovalFlowWorks() throws Exception { .andExpect(jsonPath("$.scope", containsString("openid"))) .andExpect(jsonPath("$.scope", containsString("profile"))) .andExpect(jsonPath("$.scope", containsString("offline_access"))) + .andExpect(jsonPath("$.scope", not(containsString("email")))) + .andExpect(jsonPath("$.scope", not(containsString("phone")))) + .andExpect(jsonPath("$.scope", not(containsString("address")))) .andReturn() .getResponse() .getContentAsString(); 
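Review bot: The new `not(containsString("email"))`-style assertions, like the existing `containsString("openid")` ones, are substring matches on a space-separated scope string, so `containsString("profile")` would also be satisfied by a hypothetical `profile:read` and the negatives would fail on any scope merely containing those words. Since the response is already parsed with `mapper.readTree`, assert the exact set once instead: `assertThat(asList(scope.split(" ")), containsInAnyOrder("openid", "profile", "offline_access"))`, which makes the three negative assertions unnecessary. The enclosing `testDeviceCodeApprovalFlowWorks` starts and ends outside this hunk.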
@@ -723,4 +728,173 @@ public void publicClientDeviceCodeWorks() throws Exception { mvc.perform(get(USERINFO_ENDPOINT).header("Authorization", authorizationHeader)) .andExpect(status().isOk()); } + + @Test + public void testRefreshedTokenAfterDeviceCodeApprovalFlowWorks() throws Exception { + + final String SCIM_DEVICE_CLIENT_ID = "scim-client-rw"; + final String SCIM_DEVICE_CLIENT_SECRET = "secret"; + + String response = mvc + .perform(post(DEVICE_CODE_ENDPOINT).contentType(APPLICATION_FORM_URLENCODED) + .with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET)) + .param("client_id", SCIM_DEVICE_CLIENT_ID) + .param("scope", "openid profile offline_access scim:read scim:write")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.user_code").isString()) + .andExpect(jsonPath("$.device_code").isString()) + .andExpect(jsonPath("$.verification_uri", equalTo(DEVICE_USER_URL))) + .andReturn() + .getResponse() + .getContentAsString(); + + JsonNode responseJson = mapper.readTree(response); + + String userCode = responseJson.get("user_code").asText(); + String deviceCode = responseJson.get("device_code").asText(); + + mvc + .perform( + post(TOKEN_ENDPOINT).with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET)) + .param("grant_type", DEVICE_CODE_GRANT_TYPE) + .param("device_code", deviceCode)) + .andExpect(status().isBadRequest()) + .andExpect(jsonPath("$.error", equalTo("authorization_pending"))) + .andExpect(jsonPath("$.error_description", + equalTo("Authorization pending for code: " + deviceCode))); + + MockHttpSession session = (MockHttpSession) mvc.perform(get(DEVICE_USER_URL)) + .andExpect(status().is3xxRedirection()) + .andExpect(redirectedUrl("http://localhost:8080/login")) + .andReturn() + .getRequest() + .getSession(); + + session = (MockHttpSession) mvc.perform(get("http://localhost:8080/login").session(session)) + .andExpect(status().isOk()) + .andExpect(view().name("iam/login")) + .andReturn() + .getRequest() + .getSession(); + + session = 
(MockHttpSession) mvc + .perform(post(LOGIN_URL).param("username", TEST_USERNAME) + .param("password", TEST_PASSWORD) + .param("submit", "Login") + .session(session)) + .andExpect(status().is3xxRedirection()) + .andExpect(redirectedUrl(DEVICE_USER_URL)) + .andReturn() + .getRequest() + .getSession(); + + session = (MockHttpSession) mvc.perform(get(DEVICE_USER_URL).session(session)) + .andExpect(status().isOk()) + .andExpect(view().name("requestUserCode")) + .andReturn() + .getRequest() + .getSession(); + + session = (MockHttpSession) mvc + .perform(post(DEVICE_USER_VERIFY_URL).param("user_code", userCode).session(session)) + .andExpect(status().isOk()) + .andExpect(view().name("approveDevice")) + .andReturn() + .getRequest() + .getSession(); + + session = (MockHttpSession) mvc + .perform(post(DEVICE_USER_APPROVE_URL).param("user_code", userCode) + .param("user_oauth_approval", "true") + .session(session)) + .andExpect(status().isOk()) + .andExpect(view().name("deviceApproved")) + .andReturn() + .getRequest() + .getSession(); + + + String tokenResponse = mvc + .perform( + post(TOKEN_ENDPOINT).with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET)) + .param("grant_type", DEVICE_CODE_GRANT_TYPE) + .param("device_code", deviceCode)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.access_token").exists()) + .andExpect(jsonPath("$.refresh_token").exists()) + .andExpect(jsonPath("$.id_token").exists()) + .andExpect(jsonPath("$.scope").exists()) + .andExpect(jsonPath("$.scope", containsString("openid"))) + .andExpect(jsonPath("$.scope", containsString("profile"))) + .andExpect(jsonPath("$.scope", containsString("offline_access"))) + .andExpect(jsonPath("$.scope", containsString("scim:read"))) + .andExpect(jsonPath("$.scope", containsString("scim:write"))) + .andExpect(jsonPath("$.scope", not(containsString("email")))) + .andExpect(jsonPath("$.scope", not(containsString("phone")))) + .andExpect(jsonPath("$.scope", not(containsString("address")))) + 
.andReturn() + .getResponse() + .getContentAsString(); + + JsonNode tokenResponseJson = mapper.readTree(tokenResponse); + + String accessToken = tokenResponseJson.get("access_token").asText(); + String refreshToken = tokenResponseJson.get("refresh_token").asText(); + + String authorizationHeader = String.format("Bearer %s", accessToken); + + // Check that the token can be used for userinfo and introspection + mvc.perform(get(USERINFO_ENDPOINT).header("Authorization", authorizationHeader)) + .andExpect(status().isOk()); + + mvc + .perform(post(INTROSPECTION_ENDPOINT) + .with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET)) + .param("token", accessToken)) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.active", equalTo(true))); + + String refreshTokenResponse = mvc + .perform( + post(TOKEN_ENDPOINT).with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET)) + .param("grant_type", "refresh_token") + .param("refresh_token", refreshToken) + .param("scope", "openid")) + .andExpect(status().isOk()) + .andExpect(jsonPath("$.access_token").exists()) + .andExpect(jsonPath("$.id_token").exists()) + .andExpect(jsonPath("$.scope").exists()) + .andExpect(jsonPath("$.scope", containsString("openid"))) + .andExpect(jsonPath("$.scope", not(containsString("scim:read")))) + .andExpect(jsonPath("$.scope", not(containsString("scim:write")))) + .andReturn() + .getResponse() + .getContentAsString(); + + String accessTokenNoSCIM = mapper.readTree(refreshTokenResponse).get("access_token").asText(); + + String scimAuthorizationHeader = String.format("Bearer %s", accessTokenNoSCIM); + + mvc.perform(get("/scim/Users").header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + mvc.perform(get("/scim/Groups").header("Authorization", scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + mvc + .perform(get("/scim/Users/80e5fb8d-b7c8-451a-89ba-346ae278a66f").header("Authorization", + scimAuthorizationHeader)) + 
.andExpect(status().isForbidden()); + mvc + .perform(get("/scim/Groups/c617d586-54e6-411d-8e38-649677980001").header("Authorization", + scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + mvc + .perform(delete("/scim/Users/80e5fb8d-b7c8-451a-89ba-346ae278a66f").header("Authorization", + scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + mvc + .perform(delete("/scim/Groups/c617d586-54e6-411d-8e38-649677980001").header("Authorization", + scimAuthorizationHeader)) + .andExpect(status().isForbidden()); + + } } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java index 7c2ed1e0f..ba2f2aacc 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/ScimMeEndpointTests.java @@ -26,6 +26,7 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.test.web.servlet.MockMvc; @@ -42,7 +43,7 @@ public class ScimMeEndpointTests { @Autowired private MockOAuth2Filter mockOAuth2Filter; - + @Autowired private MockMvc mvc; 
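Review bot: The introspection check on the full-scope device token asserts only `$.active`; adding `.andExpect(jsonPath("$.scope", containsString("scim:read")))` there would confirm that a resource server introspecting the token actually sees the SCIM scopes the token response advertised, which is what a SCIM client relies on. The login, `user_code` verification and approval sequence (from the first `mvc.perform(get(DEVICE_USER_URL))` through the `deviceApproved` view) is repeated from `testDeviceCodeApprovalFlowWorks`; a private `approveDeviceCode(String userCode)` helper would leave this test with only the scope-narrowing logic. The approval POST sends `user_oauth_approval=true` with no per-scope parameters yet the token carries `scim:read`/`scim:write`, so presumably the device approval page grants every requested scope, unlike the per-scope consent form in the authorization-code flow; a one-line comment stating that would save the next reader the same question.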
@@ -55,11 +56,21 @@ public void setup() throws Exception { public void teardown() { mockOAuth2Filter.cleanupSecurityContext(); } - + @Test @WithMockOAuthUser(clientId = "password-grant", user = "test", authorities = {"ROLE_USER"}, - scopes = {"openid", "profile"}) - public void meEndpointUserInfo() throws Exception { + scopes = {"openid", "profile", "scim:read"}) + public void meEndpointUserInfoWithToken() throws Exception { + //@formatter:off + mvc.perform(get(ME_ENDPOINT) + .contentType(SCIM_CONTENT_TYPE)) + .andExpect(status().isOk()); + //@formatter:on + } + + @Test + @WithMockUser(username = "test", roles = {"USER"}) + public void meEndpointUserInfoNoToken() throws Exception { //@formatter:off mvc.perform(get(ME_ENDPOINT) .contentType(SCIM_CONTENT_TYPE)) @@ -76,6 +87,6 @@ public void meEndpointFailsForClientWithoutUser() throws Exception { .andExpect(jsonPath("$.status", equalTo("400"))) .andExpect(jsonPath("$.detail", equalTo("No user linked to the current OAuth token"))); } - - + + } diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java index 12020dca2..56a4faa0e 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchAddTests.java @@ -28,6 +28,7 @@ import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; import org.springframework.http.HttpStatus; +import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.context.junit4.SpringRunner; import it.infn.mw.iam.IamLoginService; 
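Review bot: The positive cases now cover a token carrying `scim:read` (`meEndpointUserInfoWithToken`) and a session user (`meEndpointUserInfoNoToken`), but there is no test for an OAuth token without `scim:read`, which is the case the added scope appears to guard against. Add a third test, e.g. `@WithMockOAuthUser(clientId = "password-grant", user = "test", authorities = {"ROLE_USER"}, scopes = {"openid", "profile"})` on `meEndpointUserInfoWithoutScimScopeIsForbidden()` expecting `status().isForbidden()` (assuming the `/scim/Me` rule denies token-authenticated requests lacking the scope rather than falling back on the dashboard role; verify against the endpoint's access expression). Without it, a regression that drops the scope check would pass this class unnoticed.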
@@ -43,13 +44,11 @@ import it.infn.mw.iam.test.util.WithMockOAuthUser; import it.infn.mw.iam.test.util.annotation.IamMockMvcIntegrationTest; - @RunWith(SpringRunner.class) @IamMockMvcIntegrationTest @SpringBootTest( classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}, webEnvironment = WebEnvironment.MOCK) -@WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}) public class ScimMeEndpointPatchAddTests extends ScimMeEndpointUtils { final static String TEST_USERNAME = "test_103"; 
@@ -57,45 +56,95 @@ public class ScimMeEndpointPatchAddTests extends ScimMeEndpointUtils { @Autowired private ScimRestUtilsMvc scimUtils; - @Test - public void testPatchGivenAndFamilyName() throws Exception { - - ScimUser updates = ScimUser.builder().name(TESTUSER_NEWNAME).build(); + private void patchNameAndAssert(ScimUser updates) throws Exception { + scimUtils.patchMe(add, updates); + ScimUser userAfter = scimUtils.getMe(); + assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName())); + assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName())); + } + private void patchPicture(ScimUser updates) throws Exception { scimUtils.patchMe(add, updates); + ScimUser userAfter = scimUtils.getMe(); + assertThat(userAfter.getPhotos(), hasSize(equalTo(1))); + assertThat(userAfter.getPhotos().get(0), equalTo(TESTUSER_NEWPHOTO)); + } + private void patchEmail(ScimUser updates) throws Exception { + scimUtils.patchMe(add, updates); ScimUser userAfter = scimUtils.getMe(); + assertThat(userAfter.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL)); + } + private void patchMultiple(ScimUser updates) throws Exception { + scimUtils.patchMe(add, updates); + ScimUser userAfter = scimUtils.getMe(); assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName())); assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName())); + assertThat(userAfter.getPhotos(), hasSize(1)); + assertThat(userAfter.getPhotos().get(0), equalTo(TESTUSER_NEWPHOTO)); + assertThat(userAfter.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL)); + } + + private void patch(ScimUser updates) throws Exception { + scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); + ScimUser userAfter = scimUtils.getMe(); + assertThat(userAfter.getIndigoUser(), nullValue()); + } + + + @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", 
"scim:write"}) + public void testPatchGivenAndFamilyName() throws Exception { + ScimUser updates = ScimUser.builder().name(TESTUSER_NEWNAME).build(); + patchNameAndAssert(updates); } @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchGivenAndFamilyNameNoToken() throws Exception { + ScimUser updates = ScimUser.builder().name(TESTUSER_NEWNAME).build(); + patchNameAndAssert(updates); + } + + @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) public void testPatchPicture() throws Exception { ScimUser updates = ScimUser.builder().addPhoto(TESTUSER_NEWPHOTO).build(); + patchPicture(updates); + } - scimUtils.patchMe(add, updates); - - ScimUser userAfter = scimUtils.getMe(); + @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchPictureNoToken() throws Exception { - assertThat(userAfter.getPhotos(), hasSize(equalTo(1))); - assertThat(userAfter.getPhotos().get(0), equalTo(TESTUSER_NEWPHOTO)); + ScimUser updates = ScimUser.builder().addPhoto(TESTUSER_NEWPHOTO).build(); + patchPicture(updates); } @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) public void testPatchEmail() throws Exception { ScimUser updates = ScimUser.builder().addEmail(TESTUSER_NEWEMAIL).build(); + patchEmail(updates); + } - scimUtils.patchMe(add, updates); - - ScimUser userAfter = scimUtils.getMe(); + @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchEmailNoEmail() throws Exception { - assertThat(userAfter.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL)); + ScimUser updates = ScimUser.builder().addEmail(TESTUSER_NEWEMAIL).build(); + patchEmail(updates); } @Test + @WithMockOAuthUser(user = 
ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) public void testPatchMultiple() throws Exception { final ScimUser updates = ScimUser.builder() 
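Review bot: The new helper `patch(ScimUser updates)` is named like a plain PATCH but actually asserts rejection — it calls `patchMe(add, updates, HttpStatus.BAD_REQUEST)` and then checks `getIndigoUser()` is null — so its call sites in the `...NotSupported` tests read as if the update succeeds. Rename it to state the expectation, e.g. `private void patchExpectBadRequestAndUnchanged(ScimUser updates)`, and give `patchPicture`/`patchEmail` matching `...AndAssert` names like `patchNameAndAssert` already has. `testPatchEmailNoEmail` is a copy-paste slip for the no-token variant and should be `testPatchEmailNoToken` to match the other `*NoToken` tests. The four helpers also repeat the `patchMe` + `getMe` pair; a single `ScimUser patchAndReload(ScimUser updates)` returning `userAfter` would leave each helper with only its assertions.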
@@ -104,30 +153,50 @@ public void testPatchMultiple() throws Exception { .addPhoto(TESTUSER_NEWPHOTO) .build(); - scimUtils.patchMe(add, updates); + patchMultiple(updates); + } - ScimUser userAfter = scimUtils.getMe(); + @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchMultipleNoToken() throws Exception { - assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName())); - assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName())); - assertThat(userAfter.getPhotos(), hasSize(1)); - assertThat(userAfter.getPhotos().get(0), equalTo(TESTUSER_NEWPHOTO)); - assertThat(userAfter.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL)); + final ScimUser updates = ScimUser.builder() + .name(TESTUSER_NEWNAME) + .addEmail(TESTUSER_NEWEMAIL) + .addPhoto(TESTUSER_NEWPHOTO) + .build(); + + patchMultiple(updates); } @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) public void testPatchPasswordNotSupported() throws Exception { final String NEW_PASSWORD = "newpassword"; ScimUser updates = ScimUser.builder().password(NEW_PASSWORD).build(); - scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); - ScimUser userAfter = scimUtils.getMe(); - assertThat(userAfter.getIndigoUser(), nullValue()); + patch(updates); + } @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchPasswordNotSupportedNoToken() throws Exception { + + final String NEW_PASSWORD = "newpassword"; + + ScimUser updates = ScimUser.builder().password(NEW_PASSWORD).build(); + + patch(updates); + + } + + @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) public void testPatchAddOidcIdNotSupported() throws Exception { ScimOidcId NEW_TESTUSER_OIDCID = 
@@ -135,26 +204,68 @@ public void testPatchAddOidcIdNotSupported() throws Exception { ScimUser updates = ScimUser.builder().addOidcId(NEW_TESTUSER_OIDCID).build(); - scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); - ScimUser userAfter = scimUtils.getMe(); - assertThat(userAfter.getIndigoUser(), nullValue()); + patch(updates); } @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchAddOidcIdNotSupportedNoToken() throws Exception { + + ScimOidcId NEW_TESTUSER_OIDCID = + ScimOidcId.builder().issuer("new_test_issuer").subject("new_user_subject").build(); + + ScimUser updates = ScimUser.builder().addOidcId(NEW_TESTUSER_OIDCID).build(); + + patch(updates); + } + + @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) public void testPatchAddSamlIdNotSupported() throws Exception { ScimSamlId TESTUSER_SAMLID = ScimSamlId.builder().idpId("AA").userId("BB").build(); ScimUser updates = ScimUser.builder().addSamlId(TESTUSER_SAMLID).build(); - scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); - + patch(updates); + } + + @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchAddSamlIdNotSupportedNoToken() throws Exception { + + ScimSamlId TESTUSER_SAMLID = ScimSamlId.builder().idpId("AA").userId("BB").build(); + + ScimUser updates = ScimUser.builder().addSamlId(TESTUSER_SAMLID).build(); + + patch(updates); + } + + @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) + public void testPatchAddAndRemoveSsHKeyIsSupported() throws Exception { + + ScimSshKey NEW_SSH_KEY = + ScimSshKey.builder().display("ssh-key").value(SshKeyUtils.sshKeys.get(0).key).build(); + + ScimUser updates = ScimUser.builder().addSshKey(NEW_SSH_KEY).build(); + + scimUtils.patchMe(add, 
updates, HttpStatus.NO_CONTENT); + ScimUser userAfter = scimUtils.getMe(); + assertThat(userAfter.getIndigoUser().getSshKeys(), hasSize(equalTo(1))); + + scimUtils.patchMe(remove, updates, HttpStatus.NO_CONTENT); + + userAfter = scimUtils.getMe(); assertThat(userAfter.getIndigoUser(), nullValue()); } @Test - public void testPatchAddAndRemoveSsHKeyIsSupported() throws Exception { + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + public void testPatchAddAndRemoveSsHKeyIsSupportedNoToken() throws Exception { ScimSshKey NEW_SSH_KEY = ScimSshKey.builder().display("ssh-key").value(SshKeyUtils.sshKeys.get(0).key).build(); @@ -173,6 +284,8 @@ public void testPatchAddAndRemoveSsHKeyIsSupported() throws Exception { } @Test + @WithMockOAuthUser(user = ScimMeEndpointPatchAddTests.TEST_USERNAME, authorities = {"ROLE_USER"}, + scopes = {"scim:read", "scim:write"}) public void testPatchAddX509CertificateNotSupported() throws Exception { ScimX509Certificate NEW_X509_CERT = ScimX509Certificate.builder() @@ -182,9 +295,21 @@ public void testPatchAddX509CertificateNotSupported() throws Exception { ScimUser updates = ScimUser.builder().addX509Certificate(NEW_X509_CERT).build(); - scimUtils.patchMe(add, updates, HttpStatus.BAD_REQUEST); + patch(updates); + } - ScimUser userAfter = scimUtils.getMe(); - assertThat(userAfter.getIndigoUser(), nullValue()); + @Test + @WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"}) + + public void testPatchAddX509CertificateNotSupportedNoToken() throws Exception { + + ScimX509Certificate NEW_X509_CERT = ScimX509Certificate.builder() + .display("x509-cert") + .pemEncodedCertificate(X509Utils.x509Certs.get(0).certificate) + .build(); + + ScimUser updates = ScimUser.builder().addX509Certificate(NEW_X509_CERT).build(); + + patch(updates); } } 
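Review bot: Both the new `testPatchAddAndRemoveSsHKeyIsSupported` and the renamed `...SsHKeyIsSupportedNoToken` carry the `SsHKey` casing typo; since the methods are being added and renamed here anyway, `SshKey` is the moment to fix it. The closing `assertThat(userAfter.getIndigoUser(), nullValue())` after the remove encodes an assumption that deleting the only SSH key makes the whole indigo-user extension disappear from the `/Me` representation rather than leaving an empty `sshKeys` list; a short comment stating that intent (or asserting `getSshKeys()` is empty when the extension is present) would make a later serialization change easier to diagnose. The renamed no-token test's body continues past the end of this hunk.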
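Review bot: There is a stray blank line between `@WithMockUser(username = ScimMeEndpointPatchAddTests.TEST_USERNAME, roles = {"USER"})` and `public void testPatchAddX509CertificateNotSupportedNoToken()`; the annotation still applies, but the gap visually detaches the security context from the method it governs, which is exactly the annotation a reader scans for, so drop it as in the other tests. The no-token body also repeats the certificate setup verbatim from `testPatchAddX509CertificateNotSupported`; a shared `ScimUser x509CertificateUpdate()` fixture method would keep the pair from drifting apart.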
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java index 62ebdaf88..171dcc9a6 100644 --- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java +++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchRemoveTests.java @@ -28,6 +28,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.context.SpringBootTest.WebEnvironment; +import org.springframework.security.test.context.support.WithMockUser; import org.springframework.test.context.junit4.SpringRunner; import com.google.common.collect.Lists; @@ -50,7 +51,6 @@ @SpringBootTest( classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class}, webEnvironment = WebEnvironment.MOCK) -@WithMockOAuthUser(user = "test_104", authorities = {"ROLE_USER"}) public class ScimMeEndpointPatchRemoveTests { @Autowired @@ -77,6 +77,8 @@ public void init() throws Exception { } @Test + @WithMockOAuthUser(user = "test_104", authorities = {"ROLE_USER"}, + scopes = {"scim:write", "scim:read"}) public void testPatchRemovePicture() throws Exception { ScimPhoto currentPhoto = scimUtils.getMe().getPhotos().get(0); @@ -89,6 +91,8 @@ public void testPatchRemovePicture() throws Exception { } @Test + @WithMockOAuthUser(user = "test_104", authorities = {"ROLE_USER"}, + scopes = {"scim:write", "scim:read"}) public void testPatchRemoveOidcId() throws Exception { ScimOidcId currentOidcId = scimUtils.getMe().getIndigoUser().getOidcIds().get(0); 
@@ -101,6 +105,8 @@ public void testPatchRemoveOidcId() throws Exception {
 }
 @Test
+ @WithMockOAuthUser(user = "test_104", authorities = {"ROLE_USER"},
+ scopes = {"scim:write", "scim:read"})
 public void testPatchRemoveSamlId() throws Exception {
 ScimSamlId currentSamlId = scimUtils.getMe().getIndigoUser().getSamlIds().get(0);
@@ -111,4 +117,43 @@ public void testPatchRemoveSamlId() throws Exception {
 assertThat(scimUtils.getMe().getIndigoUser().getSamlIds(), hasSize(equalTo(0)));
 }
+
+ @Test
+ @WithMockUser(username = "test_104", roles = {"USER"})
+ public void testPatchRemovePictureNoToken() throws Exception {
+
+ ScimPhoto currentPhoto = scimUtils.getMe().getPhotos().get(0);
+
+ ScimUser updates = ScimUser.builder().addPhoto(currentPhoto).build();
+
+ scimUtils.patchMe(remove, updates);
+
+ assertThat(scimUtils.getMe().hasPhotos(), equalTo(false));
+ }
+
+ @Test
+ @WithMockUser(username = "test_104", roles = {"USER"})
+ public void testPatchRemoveOidcIdNoToken() throws Exception {
+
+ ScimOidcId currentOidcId = scimUtils.getMe().getIndigoUser().getOidcIds().get(0);
+
+ ScimUser updates = ScimUser.builder().addOidcId(currentOidcId).build();
+
+ scimUtils.patchMe(remove, updates);
+
+ assertThat(scimUtils.getMe().getIndigoUser().getOidcIds(), hasSize(equalTo(0)));
+ }
+
+ @Test
+ @WithMockUser(username = "test_104", roles = {"USER"})
+ public void testPatchRemoveSamlIdNoToken() throws Exception {
+
+ ScimSamlId currentSamlId = scimUtils.getMe().getIndigoUser().getSamlIds().get(0);
+
+ ScimUser updates = ScimUser.builder().addSamlId(currentSamlId).build();
+
+ scimUtils.patchMe(remove, updates);
+
+ assertThat(scimUtils.getMe().getIndigoUser().getSamlIds(), hasSize(equalTo(0)));
+ }
 }
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java
index cad85797a..ddc0cf0f0 100644
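Review bot: The new NoToken tests only add permissive cases; nothing in this file, nor in the Replace tests of this commit, asserts that a bearer token carrying `ROLE_USER` but lacking `scim:write` is refused on PATCH of /scim/Me. Now that each test declares its own `scopes = {...}`, a regression that stopped enforcing the scope would pass every test added here, because the no-token path is authorised by role alone and the token path always carries the scope. One negative test would pin the check, e.g. `@WithMockOAuthUser(user = "test_104", authorities = {"ROLE_USER"}, scopes = {"scim:read"})` followed by `scimUtils.patchMe(remove, updates, <status the endpoint returns for insufficient scope>)`, with the status taken from the controller's actual behaviour rather than assumed.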
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/scim/me/patch/ScimMeEndpointPatchReplaceTests.java
@@ -30,6 +30,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.junit4.SpringRunner;
 import com.google.common.collect.Lists;
@@ -50,7 +51,6 @@
 @SpringBootTest(
 classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class},
 webEnvironment = WebEnvironment.MOCK)
-@WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"})
 public class ScimMeEndpointPatchReplaceTests extends ScimMeEndpointUtils {
 @Autowired
@@ -76,7 +76,28 @@ public void init() throws Exception {
 provider.update(uuid, operations);
 }
+ private void patchNameAndAssert(ScimUser updates) throws Exception {
+ scimUtils.patchMe(replace, updates);
+ ScimUser userAfter = scimUtils.getMe();
+ assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName()));
+ assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName()));
+ }
+
+ private void patchPicture(ScimUser updates) throws Exception {
+ scimUtils.patchMe(replace, updates);
+ ScimPhoto updatedPhoto = scimUtils.getMe().getPhotos().get(0);
+ assertThat(updatedPhoto, equalTo(TESTUSER_NEWPHOTO));
+ }
+
+ private void patchEmail(ScimUser updates) throws Exception {
+ scimUtils.patchMe(replace, updates);
+ ScimUser updatedUser = scimUtils.getMe();
+ assertThat(updatedUser.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL));
+ }
+
 @Test
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplacePasswordNotSupported() throws Exception {
 final String NEW_PASSWORD = "newpassword";
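Review bot: `patchPicture` and `patchEmail` assert against the class constants `TESTUSER_NEWPHOTO` and `TESTUSER_NEWEMAIL` instead of the `updates` they were given, so the parameter only shapes the request while the expectation is fixed; a caller passing a different value would get a misleading failure, and the helpers are inconsistent with `patchNameAndAssert`, which does compare against `updates`. Asserting on the argument closes that gap: `assertThat(updatedPhoto, equalTo(updates.getPhotos().get(0)));` and `assertThat(updatedUser.getEmails().get(0), equalTo(updates.getEmails().get(0)));`. Naming is also uneven — all three helpers patch and assert, so either all carry the `AndAssert` suffix or none does.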
@@ -87,45 +108,76 @@ public void testPatchReplacePasswordNotSupported() throws Exception {
 }
 @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplacePasswordNotSupportedNoToken() throws Exception {
+
+ final String NEW_PASSWORD = "newpassword";
+
+ ScimUser updates = ScimUser.builder().password(NEW_PASSWORD).build();
+
+ scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST);
+ }
+
+ @Test
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplaceGivenAndFamilyName() throws Exception {
 ScimUser updates = ScimUser.builder().name(TESTUSER_NEWNAME).build();
- scimUtils.patchMe(replace, updates);
+ patchNameAndAssert(updates);
+ }
- ScimUser userAfter = scimUtils.getMe();
+ @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplaceGivenAndFamilyNameNoToken() throws Exception {
- assertThat(userAfter.getName().getGivenName(), equalTo(updates.getName().getGivenName()));
- assertThat(userAfter.getName().getFamilyName(), equalTo(updates.getName().getFamilyName()));
+ ScimUser updates = ScimUser.builder().name(TESTUSER_NEWNAME).build();
+
+ patchNameAndAssert(updates);
 }
 @Test
-
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplacePicture() throws Exception {
 ScimUser updates = ScimUser.builder().addPhoto(TESTUSER_NEWPHOTO).build();
- scimUtils.patchMe(replace, updates);
+ patchPicture(updates);
+ }
- ScimPhoto updatedPhoto = scimUtils.getMe().getPhotos().get(0);
+ @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplacePictureNoToken() throws Exception {
- assertThat(updatedPhoto, equalTo(TESTUSER_NEWPHOTO));
+ ScimUser updates = ScimUser.builder().addPhoto(TESTUSER_NEWPHOTO).build();
+
+ patchPicture(updates);
 }
 @Test
-
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = 
{"scim:read", "scim:write"})
 public void testPatchReplaceEmail() throws Exception {
 ScimUser updates = ScimUser.builder().addEmail(TESTUSER_NEWEMAIL).build();
- scimUtils.patchMe(replace, updates);
+ patchEmail(updates);
+ }
- ScimUser updatedUser = scimUtils.getMe();
+ @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplaceEmailNoToken() throws Exception {
- assertThat(updatedUser.getEmails().get(0), equalTo(TESTUSER_NEWEMAIL));
+ ScimUser updates = ScimUser.builder().addEmail(TESTUSER_NEWEMAIL).build();
+
+ patchEmail(updates);
 }
 @Test
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplaceAlreadyUsedEmail() throws Exception {
 ScimUser updates = ScimUser.builder().addEmail(ANOTHERUSER_EMAIL).build();
@@ -135,6 +187,18 @@ public void testPatchReplaceAlreadyUsedEmail() throws Exception {
 }
 @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplaceAlreadyUsedEmailNoTken() throws Exception {
+
+ ScimUser updates = ScimUser.builder().addEmail(ANOTHERUSER_EMAIL).build();
+
+ scimUtils.patchMe(replace, updates, HttpStatus.CONFLICT)
+ .andExpect(jsonPath("$.detail", containsString("already bound to another user")));
+ }
+
+ @Test
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplaceOidcIdNotSupported() throws Exception {
 ScimUser updates = ScimUser.builder().addOidcId(TESTUSER_OIDCID).build();
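Review bot: The new test in the second hunk on this line is misspelled as `testPatchReplaceAlreadyUsedEmailNoTken`; every other added method uses the `NoToken` suffix, so this one will be missed by any name-based filter or grep. Rename it to `public void testPatchReplaceAlreadyUsedEmailNoToken() throws Exception {` before merge.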
@@ -144,6 +208,18 @@ public void testPatchReplaceOidcIdNotSupported() throws Exception {
 }
 @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplaceOidcIdNotSupportedNoToken() throws Exception {
+
+ ScimUser updates = ScimUser.builder().addOidcId(TESTUSER_OIDCID).build();
+
+ scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST)
+ .andExpect(jsonPath("$.detail", containsString("replace operation not supported")));
+ }
+
+ @Test
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplaceSamlIdNotSupported() throws Exception {
 ScimUser updates = ScimUser.builder().addSamlId(TESTUSER_SAMLID).build();
@@ -153,6 +229,18 @@ public void testPatchReplaceSamlIdNotSupported() throws Exception {
 }
 @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplaceSamlIdNotSupportedNoToken() throws Exception {
+
+ ScimUser updates = ScimUser.builder().addSamlId(TESTUSER_SAMLID).build();
+
+ scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST)
+ .andExpect(jsonPath("$.detail", containsString("replace operation not supported")));
+ }
+
+ @Test
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplaceX509CertificateNotSupported() throws Exception {
 ScimUser updates = ScimUser.builder().addX509Certificate(TESTUSER_X509CERT).build();
@@ -162,6 +250,18 @@ public void testPatchReplaceX509CertificateNotSupported() throws Exception {
 }
 @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplaceX509CertificateNotSupportedNoToken() throws Exception {
+
+ ScimUser updates = ScimUser.builder().addX509Certificate(TESTUSER_X509CERT).build();
+
+ scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST)
+ .andExpect(jsonPath("$.detail", containsString("replace operation not supported")));
+ }
+
+ @Test
+ @WithMockOAuthUser(user = "test_105", authorities = {"ROLE_USER"},
+ scopes = {"scim:read", "scim:write"})
 public void testPatchReplaceSshKeyNotSupported() throws Exception {
 ScimUser updates = ScimUser.builder().addSshKey(TESTUSER_SSHKEY).build();
@@ -169,4 +269,14 @@ public void testPatchReplaceSshKeyNotSupported() throws Exception {
 scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST) .andExpect(jsonPath("$.detail", containsString("replace operation not supported")));
 }
+
+ @Test
+ @WithMockUser(username = "test_105", roles = {"USER"})
+ public void testPatchReplaceSshKeyNotSupportedNoToken() throws Exception {
+
+ ScimUser updates = ScimUser.builder().addSshKey(TESTUSER_SSHKEY).build();
+
+ scimUtils.patchMe(replace, updates, HttpStatus.BAD_REQUEST)
+ .andExpect(jsonPath("$.detail", containsString("replace operation not supported")));
+ }
 }
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java
index 4ca9d922d..6b29737f8 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/service/client/ClientManagementServiceTests.java
@@ -101,10 +101,10 @@ public void testPagedClientLookup() {
 ListResponseDTO clients = managementService.retrieveAllClients(pageable);
- assertThat(clients.getTotalResults(), is(16L));
+ assertThat(clients.getTotalResults(), is(18L));
 assertThat(clients.getItemsPerPage(), is(10));
 assertThat(clients.getStartIndex(), is(1));
- assertThat(clients.getResources().get(0).getClientId(), is("client"));
+ assertThat(clients.getResources().get(0).getClientId(), is("admin-client-ro"));
 }
diff --git a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
index 2462c35e5..db5561968 100644
--- a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
+++ b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
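Review bot: `is("admin-client-ro")` on `getResources().get(0)` couples the test to whatever ordering `retrieveAllClients(pageable)` applies, which is not visible here; if the sort is by client_id, the next fixture client whose id sorts earlier will break this assertion again, exactly as adding two rows already moved the hard-coded total from 16 to 18. A more stable check asserts the page shape and membership rather than position, e.g. `assertThat(clients.getResources(), hasSize(10));` together with an `anyOf`/`hasItem` on a known client id, and derives the expected total from the fixture count rather than a literal. The enclosing testPagedClientLookup starts outside the hunk.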
@@ -34,6 +34,12 @@ INSERT INTO client_details (id, client_id, client_secret, client_name, dynamical
 false, null, 3600, 600, true,'PRIVATE_KEY', false, 'RS256', '{"keys":[{"kty":"RSA","e":"AQAB","kid":"rsa1","n":"1y1CP181zqPNPlV1JDM7Xv0QnGswhSTHe8_XPZHxDTJkykpk_1BmgA3ovP62QRE2ORgsv5oSBI_Z_RaOc4Zx2FonjEJF2oBHtBjsAiF-pxGkM5ZPjFNgFTGp1yUUBjFDcEeIGCwPEyYSt93sQIP_0DRbViMUnpyn3xgM_a1dO5brEWR2n1Uqff1yA5NXfLS03qpl2dpH4HFY5-Zs4bvtJykpAOhoHuIQbz-hmxb9MZ3uTAwsx2HiyEJtz-suyTBHO3BM2o8UcCeyfa34ShPB8i86-sf78fOk2KeRIW1Bju3ANmdV3sxL0j29cesxKCZ06u2ZiGR3Srbft8EdLPzf-w"}]}');
+INSERT INTO client_details (id, client_id, client_secret, client_name, dynamically_registered,
+ refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection,
+ token_endpoint_auth_method, require_auth_time, created_at) VALUES
+(17, 'admin-client-ro', 'secret', 'Admin client (read-only)', false, null, 3600, 600, true, 'SECRET_POST',false, CURRENT_TIMESTAMP()),
+(18, 'admin-client-rw', 'secret', 'Admin client (read-write)', false, null, 3600, 600, true, 'SECRET_POST',false, CURRENT_TIMESTAMP());
+
 INSERT INTO client_scope (owner_id, scope) VALUES
 (1, 'openid'),
 (1, 'profile'),
@@ -46,6 +52,10 @@ INSERT INTO client_scope (owner_id, scope) VALUES
 (1, 'read:/'),
 (1, 'write:/'),
 (1, 'attr'),
+ (1, 'scim:read'),
+ (1, 'scim:write'),
+ (1, 'iam:admin.read'),
+ (1, 'iam:admin.write'),
 (2, 'openid'),
 (2, 'profile'),
 (2, 'read-tasks'),
@@ -133,7 +143,10 @@ INSERT INTO client_scope (owner_id, scope) VALUES
 (14, 'profile'),
 (14, 'email'),
 (14, 'address'),
- (14, 'phone');
+ (14, 'phone'),
+ (17, 'iam:admin.read'),
+ (18, 'iam:admin.read'),
+ (18, 'iam:admin.write');
 INSERT INTO client_redirect_uri (owner_id, redirect_uri) VALUES
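Review bot: Client 1 is granted `scim:read`, `scim:write`, `iam:admin.read` and `iam:admin.write` in the second hunk, yet the same commit introduces dedicated `admin-client-ro` (17) and `admin-client-rw` (18) rows to model the privileged clients; client 1 appears to be the general-purpose fixture client, so any existing test that relied on it being refused an admin scope would now pass for the wrong reason. Keeping the admin scopes on 17 and 18 only preserves a least-privilege fixture client and a ready-made negative case for the `#iam.hasScope(...)` checks this change introduces in the controllers. If client 1 is intentionally the catch-all test client, say so at the insert, e.g. `-- client 1 is the catch-all test client; admin scopes granted on purpose`.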
@@ -157,6 +170,8 @@ INSERT INTO client_grant_type (owner_id, grant_type) VALUES
 (5, 'refresh_token'),
 (6, 'client_credentials'),
 (7, 'client_credentials'),
+ (7, 'refresh_token'),
+ (7, 'urn:ietf:params:oauth:grant-type:device_code'),
 (8, 'urn:ietf:params:oauth:grant-type:token-exchange'),
 (8, 'client_credentials'),
 (8, 'password'),
@@ -173,7 +188,13 @@ INSERT INTO client_grant_type (owner_id, grant_type) VALUES
 (12, 'refresh_token'),
 (12, 'urn:ietf:params:oauth:grant-type:device_code'),
 (13, 'implicit'),
- (14, 'urn:ietf:params:oauth:grant-type:device_code');
+ (14, 'urn:ietf:params:oauth:grant-type:device_code'),
+ (17, 'client_credentials'),
+ (17, 'urn:ietf:params:oauth:grant-type:device_code'),
+ (17, 'authorization_code'),
+ (18, 'client_credentials'),
+ (18, 'urn:ietf:params:oauth:grant-type:device_code'),
+ (18, 'authorization_code');
 INSERT INTO iam_user_info(ID,GIVENNAME,FAMILYNAME, EMAIL, EMAILVERIFIED, BIRTHDATE, GENDER) VALUES
 (2, 'Test', 'User', 'test@iam.test', true, '1950-01-01','M'),
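Review bot: `admin-client-rw` (18), the client holding `iam:admin.write`, is given `authorization_code` and the device-code grant alongside `client_credentials` in the second hunk, but this diff adds no `client_redirect_uri` rows for ids 17 or 18 (the hunk touching that table stops at its INSERT header, so they may be defined elsewhere). For a fixture that stands in for a privileged admin client, granting only the flows the tests exercise keeps its privilege surface minimal; if the browser-based grants are needed, the matching redirect URIs belong in the same migration so the client is never registered as an authorization_code client without one.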