[SELC-4802] Feat: Added @PerAuthorize for getProductBrokers API (#448)

pagopa · May 28, 2024 · 4c41382 · 4c41382
1 parent c5a5fd3
commit 4c41382
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 15 deletions.
diff --git a/connector/rest/docs/openapi/selfcare-user-docs.json b/connector/rest/docs/openapi/selfcare-user-docs.json
@@ -1,7 +1,7 @@
 {
   "openapi" : "3.0.3",
   "info" : {
-    "title" : "user-ms API",
+    "title" : "User API",
     "version" : "1.0.0"
   },
   "servers" : [ {
@@ -12,16 +12,14 @@
     "description" : "Auto generated value"
   } ],
   "paths" : {
-    "/authorize/{institutionId}" : {
+    "/authorize" : {
       "get" : {
         "tags" : [ "User Permission Controller" ],
         "summary" : "Get permission for a user in an institution",
         "parameters" : [ {
           "name" : "institutionId",
-          "in" : "path",
-          "required" : true,
+          "in" : "query",
           "schema" : {
-            "minLength" : 1,
             "type" : "string"
           }
         }, {
@@ -660,10 +658,9 @@
           "schema" : {
             "type" : "string"
           }
-        },{
+        }, {
           "name" : "productRole",
           "in" : "query",
-          "required" : false,
           "schema" : {
             "type" : "string"
           }
@@ -1136,7 +1133,7 @@
         "type" : "string"
       },
       "Product" : {
-        "required" : [ "productId", "role" ],
+        "required" : [ "productId", "role", "productRoles" ],
         "type" : "object",
         "properties" : {
           "productId" : {
@@ -1158,7 +1155,7 @@
         }
       },
       "Product1" : {
-        "required" : [ "productId", "role" ],
+        "required" : [ "productId", "role", "productRoles" ],
         "type" : "object",
         "properties" : {
           "productId" : {
@@ -1193,6 +1190,7 @@
         }
       },
       "UpdateUserRequest" : {
+        "required" : [ "email" ],
         "type" : "object",
         "properties" : {
           "name" : {

diff --git a/...tor/rest/src/main/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImpl.java b/...tor/rest/src/main/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImpl.java
@@ -90,7 +90,7 @@ public Boolean hasPermission(String institutionId, String permission, String pro
         log.debug("permissionInstitutionIdPermissionGet institutionId = {}, permission = {}, productId = {}", institutionId, permission, productId);
 
         PermissionTypeEnum permissionTypeEnum = PermissionTypeEnum.fromValue(permission);
-        Boolean result = userPermissionRestClient._authorizeInstitutionIdGet(institutionId, permissionTypeEnum, productId).getBody();
+        Boolean result = userPermissionRestClient._authorizeGet(permissionTypeEnum, institutionId, productId).getBody();
 
         log.debug("permissionInstitutionIdPermissionGet result = {}", result);
         log.trace("permissionInstitutionIdPermissionGet end");

diff --git a/...rest/src/test/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImplTest.java b/...rest/src/test/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImplTest.java
@@ -233,7 +233,7 @@ void hasPermissionTrue() {
         String institutionId = "institutionId";
         String permission = "ADMIN";
         String productId = "productId";
-        when(userPermissionRestClient._authorizeInstitutionIdGet(institutionId, PermissionTypeEnum.ADMIN, productId)).thenReturn(new ResponseEntity<>(true, HttpStatus.OK));
+        when(userPermissionRestClient._authorizeGet(PermissionTypeEnum.ADMIN, institutionId, productId)).thenReturn(new ResponseEntity<>(true, HttpStatus.OK));
         //when
         Boolean result = userConnector.hasPermission(institutionId, permission, productId);
         //then
@@ -247,7 +247,7 @@ void hasPermissionFalse() {
         String institutionId = "institutionId";
         String permission = "ADMIN";
         String productId = "productId";
-        when(userPermissionRestClient._authorizeInstitutionIdGet(institutionId, PermissionTypeEnum.ADMIN, productId)).thenReturn(new ResponseEntity<>(false, HttpStatus.OK));
+        when(userPermissionRestClient._authorizeGet(PermissionTypeEnum.ADMIN, institutionId, productId)).thenReturn(new ResponseEntity<>(false, HttpStatus.OK));
         //when
         Boolean result = userConnector.hasPermission(institutionId, permission, productId);
         //then

diff --git a/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/ProductController.java b/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/ProductController.java
@@ -5,6 +5,7 @@
 import io.swagger.annotations.ApiParam;
 import it.pagopa.selfcare.commons.base.utils.InstitutionType;
 import it.pagopa.selfcare.dashboard.connector.model.backoffice.BrokerInfo;
+
 import it.pagopa.selfcare.dashboard.core.BrokerService;
 import it.pagopa.selfcare.dashboard.core.ProductService;
 import it.pagopa.selfcare.dashboard.web.model.mapper.BrokerResourceMapper;
@@ -15,6 +16,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.Collection;
@@ -58,6 +60,7 @@ public Collection<ProductRoleMappingsResource> getProductRoles(@ApiParam("${swag
     @GetMapping(value = "/{productId}/brokers/{institutionType}", produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseStatus(HttpStatus.OK)
     @ApiOperation(value = "", notes = "${swagger.dashboard.product.api.getProductBrokers}")
+    @PreAuthorize("hasPermission(#productId, 'productId', 'ANY')")
     public Collection<BrokerResource> getProductBrokers(@ApiParam("${swagger.dashboard.products.model.id}")
                                                         @PathVariable("productId")
                                                         String productId,

diff --git a/...rc/main/java/it/pagopa/selfcare/dashboard/web/security/SelfCarePermissionEvaluatorV2.java b/...rc/main/java/it/pagopa/selfcare/dashboard/web/security/SelfCarePermissionEvaluatorV2.java
@@ -19,6 +19,8 @@ public class SelfCarePermissionEvaluatorV2 implements PermissionEvaluator {
 
     private final UserGroupConnector userGroupConnector;
 
+    private static final String PRODUCT_ID = "productId";
+
     public SelfCarePermissionEvaluatorV2(UserApiConnector userApiConnector, UserGroupConnector userGroupConnector) {
         this.userApiConnector = userApiConnector;
         this.userGroupConnector = userGroupConnector;
@@ -57,12 +59,13 @@ public boolean hasPermission(Authentication authentication, Serializable targetI
         if (targetId != null && InstitutionResource.class.getSimpleName().equals(targetType)) {
             Assert.notNull(targetId.toString(), "InstitutionId is required");
             result = userApiConnector.hasPermission(targetId.toString(), permission.toString(), null);
-        }
-
-        if (targetId != null && UserGroupResource.class.getSimpleName().equals(targetType)) {
+        } else if (targetId != null && UserGroupResource.class.getSimpleName().equals(targetType)) {
             Assert.notNull(targetId.toString(), "UserGroupId is required");
             UserGroupInfo userGroupInfo = userGroupConnector.getUserGroupById(targetId.toString());
             result = userApiConnector.hasPermission(userGroupInfo.getInstitutionId(), permission.toString(), userGroupInfo.getProductId());
+        } else if(targetId != null && PRODUCT_ID.equalsIgnoreCase(targetType)){
+            Assert.notNull(targetId.toString(), "ProductId is required");
+            result = userApiConnector.hasPermission(null, permission.toString(), targetId.toString());
         }
 
         log.debug("check Permission result = {}", result);