From 3fccb1f90131b62fabd6a8669eb5441063cf75bd Mon Sep 17 00:00:00 2001
From: OZGCloud <ozgcloud@mgm-tp.com>
Date: Thu, 21 Mar 2024 15:32:54 +0100
Subject: [PATCH] Ozg-5176 Require ADMIN_ADMIN role for configuration endpoint

---
 .../admin/security/SecurityConfiguration.java | 4 +-
 .../security/SecurityConfigurationITCase.java | 43 +++++++++++--------
 2 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java b/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
index cacf2095..fcf7f24b 100644
--- a/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
+++ b/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
@@ -55,8 +55,8 @@ public class SecurityConfiguration {
 		http.authorizeHttpRequests(requests -> requests
 				.requestMatchers(HttpMethod.GET, "/api/environment").permitAll()
-				.requestMatchers("/api/configuration/settings").hasRole(UserRole.ADMIN_USER)
-				.requestMatchers("/api/configuration/settings/**").hasRole(UserRole.ADMIN_USER)
+				.requestMatchers("/api/configuration").hasRole(UserRole.ADMIN_USER)
+				.requestMatchers("/api/configuration/**").hasRole(UserRole.ADMIN_USER)
 				.requestMatchers("/api").authenticated()
 				.requestMatchers("/api/**").authenticated()
 				.requestMatchers("/actuator").permitAll()
diff --git a/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java b/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
index c20d573b..6e84b054 100644
--- a/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
+++ b/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
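Review bot: The two added matcher lines grant `/api/configuration` and `/api/configuration/**` to `UserRole.ADMIN_USER`, while the subject of this patch says the endpoint should require the ADMIN_ADMIN role; one of the two is wrong, and the tests in SecurityConfigurationITCase (both hunks there) pin ADMIN_USER as sufficient, so they would pass either way. If ADMIN_ADMIN is the intended role and a `UserRole` constant for it exists, the lines should read `.requestMatchers("/api/configuration").hasRole(UserRole.ADMIN_ADMIN)` and `.requestMatchers("/api/configuration/**").hasRole(UserRole.ADMIN_ADMIN)`, with the `@WithMockUser(roles = ...)` annotations in the allow tests changed to match; otherwise the commit subject should be corrected so the audit trail of this authorization change is not misleading. The matcher order itself is sound: both configuration matchers precede the broader `/api/**` authenticated rule, so the role requirement is not shadowed by it. The enclosing filter-chain method starts and ends outside the hunk.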
@@ -138,35 +138,33 @@ class SecurityConfigurationITCase {
 	@Nested
 	class TestWithAuthentication {
 
-		static final String CLAIMS = """
-				{
-				"preferredUsername": "testUser",
-				"scope": "openid testscope"
-				}""";
-
+		@Test
 		@SneakyThrows
-		@ParameterizedTest
-		@ValueSource(strings = {
-				"/api/environment",
-				"/configserver/name/profile",
-				"/api", "/api/configuration"
-		})
-		@WithJwt(CLAIMS)
-		void shouldAllow(String path) {
-			var result = doPerformAuthenticated(path);
+		@WithMockUser
+		void shouldAllowApiEndpoint() {
+			var result = doPerformAuthenticated("/api");
 
 			result.andExpect(status().isOk());
 		}
 
 		@Test
 		@SneakyThrows
-		@WithJwt(CLAIMS)
-		void shouldForbid() {
+		@WithMockUser
+		void shouldForbidSettingsEndpoint() {
 			var result = doPerformAuthenticated("/api/configuration/settings");
 
 			result.andExpect(status().isForbidden());
 		}
 
+		@Test
+		@SneakyThrows
+		@WithMockUser
+		void shouldForbidConfigurationsEndpoint() {
+			var result = doPerformAuthenticated("/api/configuration");
+
+			result.andExpect(status().isForbidden());
+		}
+
 		@SneakyThrows
 		private ResultActions doPerformAuthenticated(String path) {
 			return mockMvc.perform(get(path));
@@ -179,10 +177,19 @@ class SecurityConfigurationITCase {
 		@Test
 		@SneakyThrows
 		@WithMockUser(roles = UserRole.ADMIN_USER)
-		void shouldAllow() {
+		void shouldAllowSettings() {
 			var result = mockMvc.perform(get("/api/configuration/settings"));
 
 			result.andExpect(status().isOk());
 		}
+
+		@Test
+		@SneakyThrows
+		@WithMockUser(roles = UserRole.ADMIN_USER)
+		void shouldAllowConfiguration() {
+			var result = mockMvc.perform(get("/api/configuration"));
+
+			result.andExpect(status().isOk());
+		}
 	}
 }
-- 
GitLab
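Review bot: Replacing the `@WithJwt(CLAIMS)` tests with `@WithMockUser` means this class no longer drives the JWT path at all: the old claims (`"scope": "openid testscope"`) went through whatever presumably maps token claims to the roles that `hasRole(UserRole.ADMIN_USER)` checks, and a regression in that mapping would now go unnoticed here, so it should be covered elsewhere or one JWT-based forbid/allow pair kept. The removal also drops `/api/environment` and `/configserver/name/profile` from the authenticated-allow cases; if no other test covers them, a parameterized allow test next to `shouldAllowApiEndpoint` would restore that. Minor naming point: `shouldForbidConfigurationsEndpoint` targets `/api/configuration` (singular); `shouldForbidConfigurationEndpoint` would match the sibling `shouldAllowConfiguration` in the next hunk. The enclosing `TestWithAuthentication` class continues past this hunk.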