OZG-5176 Added Authorization check to settings endpoint

be00ce10 · OZGCloud · 5d736478 · be00ce10 · be00ce10
Commit be00ce10 authored 1 year ago by OZGCloud
--- a/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
+++ b/src/main/java/de/ozgcloud/admin/security/SecurityConfiguration.java
@@ -54,6 +54,8 @@ public class SecurityConfiguration {

 		http.authorizeHttpRequests(requests -> requests
 				.requestMatchers(HttpMethod.GET, "/api/environment").permitAll()
+				.requestMatchers("/api/configuration/settings").hasRole("ADMIN_ADMIN")
+				.requestMatchers("/api/configuration/settings/**").hasRole("ADMIN_ADMIN")
 				.requestMatchers("/api").authenticated()
 				.requestMatchers("/api/**").authenticated()
 				.requestMatchers("/actuator").permitAll()

--- a/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
+++ b/src/test/java/de/ozgcloud/admin/security/SecurityConfigurationITCase.java
@@ -33,6 +33,7 @@ import org.junit.jupiter.params.provider.ValueSource;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultActions;

@@ -46,9 +47,9 @@ class SecurityConfigurationITCase {
 	@Autowired
 	private MockMvc mockMvc;

-	@DisplayName("without authorization")
+	@DisplayName("without authentication")
 	@Nested
-	class TestWithoutAuthorization {
+	class TestWithoutAuthentication {

 		@DisplayName("allow for not found")
 		@SneakyThrows
@@ -132,9 +133,9 @@ class SecurityConfigurationITCase {
 		}
 	}

-	@DisplayName("with authorization")
+	@DisplayName("with authentication")
 	@Nested
-	class TestWithAuthorization {
+	class TestWithAuthentication {

 		static final String CLAIMS = """
 				{
@@ -147,7 +148,7 @@ class SecurityConfigurationITCase {
 		@ValueSource(strings = {
 				"/api/environment",
 				"/configserver/name/profile",
-				"/api", "/api/configuration", "/api/configuration/settings",
+				"/api", "/api/configuration"
 		})
 		@WithJwt(CLAIMS)
 		void shouldAllow(String path) {
@@ -156,9 +157,31 @@ class SecurityConfigurationITCase {
 			result.andExpect(status().isOk());
 		}

+		@Test
+		@SneakyThrows
+		@WithJwt(CLAIMS)
+		void shouldForbid() {
+			var result = doPerformAuthenticated("/api/configuration/settings");
+
+			result.andExpect(status().isForbidden());
+		}
+
 		@SneakyThrows
 		private ResultActions doPerformAuthenticated(String path) {
 			return mockMvc.perform(get(path));
 		}
 	}
+
+	@DisplayName("with admin role")
+	@Nested
+	class TestWithAdminRole {
+		@Test
+		@SneakyThrows
+		@WithMockUser(roles = "ADMIN_ADMIN")
+		void shouldAllow() {
+			var result = mockMvc.perform(get("/api/configuration/settings"));
+
+			result.andExpect(status().isOk());
+		}
+	}
 }