Commit 3fccb1f9 authored by OZGCloud's avatar OZGCloud

Ozg-5176 Require ADMIN_ADMIN role for configuration endpoint

parent 3efb9c83
...@@ -55,8 +55,8 @@ public class SecurityConfiguration { ...@@ -55,8 +55,8 @@ public class SecurityConfiguration {
http.authorizeHttpRequests(requests -> requests http.authorizeHttpRequests(requests -> requests
.requestMatchers(HttpMethod.GET, "/api/environment").permitAll() .requestMatchers(HttpMethod.GET, "/api/environment").permitAll()
.requestMatchers("/api/configuration/settings").hasRole(UserRole.ADMIN_USER) .requestMatchers("/api/configuration").hasRole(UserRole.ADMIN_USER)
.requestMatchers("/api/configuration/settings/**").hasRole(UserRole.ADMIN_USER) .requestMatchers("/api/configuration/**").hasRole(UserRole.ADMIN_USER)
.requestMatchers("/api").authenticated() .requestMatchers("/api").authenticated()
.requestMatchers("/api/**").authenticated() .requestMatchers("/api/**").authenticated()
.requestMatchers("/actuator").permitAll() .requestMatchers("/actuator").permitAll()
...@@ -138,35 +138,33 @@ class SecurityConfigurationITCase { ...@@ -138,35 +138,33 @@ class SecurityConfigurationITCase {
@Nested @Nested
class TestWithAuthentication { class TestWithAuthentication {
static final String CLAIMS = """ @Test
{
"preferredUsername": "testUser",
"scope": "openid testscope"
}""";
@SneakyThrows @SneakyThrows
@ParameterizedTest @WithMockUser
@ValueSource(strings = { void shouldAllowApiEndpoint() {
"/api/environment", var result = doPerformAuthenticated("/api");
"/configserver/name/profile",
"/api", "/api/configuration"
})
@WithJwt(CLAIMS)
void shouldAllow(String path) {
var result = doPerformAuthenticated(path);
result.andExpect(status().isOk()); result.andExpect(status().isOk());
} }
@Test @Test
@SneakyThrows @SneakyThrows
@WithJwt(CLAIMS) @WithMockUser
void shouldForbid() { void shouldForbidSettingsEndpoint() {
var result = doPerformAuthenticated("/api/configuration/settings"); var result = doPerformAuthenticated("/api/configuration/settings");
result.andExpect(status().isForbidden()); result.andExpect(status().isForbidden());
} }
@Test
@SneakyThrows
@WithMockUser
void shouldForbidConfigurationsEndpoint() {
var result = doPerformAuthenticated("/api/configuration");
result.andExpect(status().isForbidden());
}
@SneakyThrows @SneakyThrows
private ResultActions doPerformAuthenticated(String path) { private ResultActions doPerformAuthenticated(String path) {
return mockMvc.perform(get(path)); return mockMvc.perform(get(path));
...@@ -179,10 +177,19 @@ class SecurityConfigurationITCase { ...@@ -179,10 +177,19 @@ class SecurityConfigurationITCase {
@Test @Test
@SneakyThrows @SneakyThrows
@WithMockUser(roles = UserRole.ADMIN_USER) @WithMockUser(roles = UserRole.ADMIN_USER)
void shouldAllow() { void shouldAllowSettings() {
var result = mockMvc.perform(get("/api/configuration/settings")); var result = mockMvc.perform(get("/api/configuration/settings"));
result.andExpect(status().isOk()); result.andExpect(status().isOk());
} }
@Test
@SneakyThrows
@WithMockUser(roles = UserRole.ADMIN_USER)
void shouldAllowConfiguration() {
var result = mockMvc.perform(get("/api/configuration"));
result.andExpect(status().isOk());
}
} }
} }
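Review bot: The role the new tests pin for /api/configuration is UserRole.ADMIN_USER (`@WithMockUser(roles = UserRole.ADMIN_USER)` on shouldAllowConfiguration, matching the `.hasRole(UserRole.ADMIN_USER)` matchers in SecurityConfiguration), while the commit title says the endpoint should require the ADMIN_ADMIN role; one of the two is wrong, and if the title is right the matchers and this mock user should name that constant instead, otherwise the title should be corrected so the audit trail does not overstate the restriction. The rewrite of TestWithAuthentication also drops the old parameterized cases for "/api/environment" and "/configserver/name/profile"; if no other nested class covers them, keep a case that asserts 200 on each so the permitAll paths stay under test. The broadened "/api/configuration/**" matcher has no negative test either; a case like `doPerformAuthenticated("/api/configuration/other")` expecting `status().isForbidden()` for a plain @WithMockUser would pin it. SecurityConfigurationITCase and the nested class continue outside the hunk.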