From 4c41382fba0b02946b7f16f5230004e6c2c75e13 Mon Sep 17 00:00:00 2001 From: flaminiaScarciofolo <113031535+flaminiaScarciofolo@users.noreply.github.com> Date: Tue, 28 May 2024 14:19:59 +0200 Subject: [PATCH] [SELC-4802] Feat: Added @PerAuthorize for getProductBrokers API (#448) --- .../rest/docs/openapi/selfcare-user-docs.json | 16 +++++++--------- .../connector/rest/UserConnectorImpl.java | 2 +- .../connector/rest/UserConnectorImplTest.java | 4 ++-- .../web/controller/ProductController.java | 3 +++ .../security/SelfCarePermissionEvaluatorV2.java | 9 ++++++--- 5 files changed, 19 insertions(+), 15 deletions(-) diff --git a/connector/rest/docs/openapi/selfcare-user-docs.json b/connector/rest/docs/openapi/selfcare-user-docs.json index 80775fb3..a9bdf2ad 100644 --- a/connector/rest/docs/openapi/selfcare-user-docs.json +++ b/connector/rest/docs/openapi/selfcare-user-docs.json @@ -1,7 +1,7 @@ { "openapi" : "3.0.3", "info" : { - "title" : "user-ms API", + "title" : "User API", "version" : "1.0.0" }, "servers" : [ { @@ -12,16 +12,14 @@ "description" : "Auto generated value" } ], "paths" : { - "/authorize/{institutionId}" : { + "/authorize" : { "get" : { "tags" : [ "User Permission Controller" ], "summary" : "Get permission for a user in an institution", "parameters" : [ { "name" : "institutionId", - "in" : "path", - "required" : true, + "in" : "query", "schema" : { - "minLength" : 1, "type" : "string" } }, { @@ -660,10 +658,9 @@ "schema" : { "type" : "string" } - },{ + }, { "name" : "productRole", "in" : "query", - "required" : false, "schema" : { "type" : "string" } @@ -1136,7 +1133,7 @@ "type" : "string" }, "Product" : { - "required" : [ "productId", "role" ], + "required" : [ "productId", "role", "productRoles" ], "type" : "object", "properties" : { "productId" : { @@ -1158,7 +1155,7 @@ } }, "Product1" : { - "required" : [ "productId", "role" ], + "required" : [ "productId", "role", "productRoles" ], "type" : "object", "properties" : { "productId" : { 
@@ -1193,6 +1190,7 @@ } }, "UpdateUserRequest" : { + "required" : [ "email" ], "type" : "object", "properties" : { "name" : { diff --git a/connector/rest/src/main/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImpl.java b/connector/rest/src/main/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImpl.java index d694dea2..b8369190 100644 --- a/connector/rest/src/main/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImpl.java +++ b/connector/rest/src/main/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImpl.java @@ -90,7 +90,7 @@ public Boolean hasPermission(String institutionId, String permission, String pro log.debug("permissionInstitutionIdPermissionGet institutionId = {}, permission = {}, productId = {}", institutionId, permission, productId); PermissionTypeEnum permissionTypeEnum = PermissionTypeEnum.fromValue(permission); - Boolean result = userPermissionRestClient._authorizeInstitutionIdGet(institutionId, permissionTypeEnum, productId).getBody(); + Boolean result = userPermissionRestClient._authorizeGet(permissionTypeEnum, institutionId, productId).getBody(); log.debug("permissionInstitutionIdPermissionGet result = {}", result); log.trace("permissionInstitutionIdPermissionGet end"); diff --git a/connector/rest/src/test/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImplTest.java b/connector/rest/src/test/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImplTest.java index 2d6a793b..96551aff 100644 --- a/connector/rest/src/test/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImplTest.java +++ b/connector/rest/src/test/java/it/pagopa/selfcare/dashboard/connector/rest/UserConnectorImplTest.java 
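Review bot: In the hasPermission hunk, `_authorizeGet(...).getBody()` may be null on an empty 2xx response, and the new product-scoped branch in SelfCarePermissionEvaluatorV2 now feeds this value straight into Spring's PermissionEvaluator decision, where a null presumably ends as an unboxing NullPointerException (a 500) rather than a denial. Coerce the answer so a missing body fails closed: `Boolean result = Boolean.TRUE.equals(userPermissionRestClient._authorizeGet(permissionTypeEnum, institutionId, productId).getBody());`. Since institutionId and productId are both Strings and the new client signature reverses their order relative to the old `_authorizeInstitutionIdGet`, a short `// (permission, institutionId, productId)` next to the call would guard against a silent transposition in later edits. hasPermission's body continues outside the hunk.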
@@ -233,7 +233,7 @@ void hasPermissionTrue() { String institutionId = "institutionId"; String permission = "ADMIN"; String productId = "productId"; - when(userPermissionRestClient._authorizeInstitutionIdGet(institutionId, PermissionTypeEnum.ADMIN, productId)).thenReturn(new ResponseEntity<>(true, HttpStatus.OK)); + when(userPermissionRestClient._authorizeGet(PermissionTypeEnum.ADMIN, institutionId, productId)).thenReturn(new ResponseEntity<>(true, HttpStatus.OK)); //when Boolean result = userConnector.hasPermission(institutionId, permission, productId); //then @@ -247,7 +247,7 @@ void hasPermissionFalse() { String institutionId = "institutionId"; String permission = "ADMIN"; String productId = "productId"; - when(userPermissionRestClient._authorizeInstitutionIdGet(institutionId, PermissionTypeEnum.ADMIN, productId)).thenReturn(new ResponseEntity<>(false, HttpStatus.OK)); + when(userPermissionRestClient._authorizeGet(PermissionTypeEnum.ADMIN, institutionId, productId)).thenReturn(new ResponseEntity<>(false, HttpStatus.OK)); //when Boolean result = userConnector.hasPermission(institutionId, permission, productId); //then diff --git a/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/ProductController.java b/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/ProductController.java index 6fb0a3ba..dac517ac 100644 --- a/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/ProductController.java +++ b/web/src/main/java/it/pagopa/selfcare/dashboard/web/controller/ProductController.java @@ -5,6 +5,7 @@ import io.swagger.annotations.ApiParam; import it.pagopa.selfcare.commons.base.utils.InstitutionType; import it.pagopa.selfcare.dashboard.connector.model.backoffice.BrokerInfo; + import it.pagopa.selfcare.dashboard.core.BrokerService; import it.pagopa.selfcare.dashboard.core.ProductService; import it.pagopa.selfcare.dashboard.web.model.mapper.BrokerResourceMapper; 
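Review bot: hasPermissionTrue and hasPermissionFalse are only adjusted for the argument reorder; neither covers the case the new evaluator branch introduces, a null institutionId, nor an empty body from `_authorizeGet`. Keep the distinct `"institutionId"`/`"productId"` literals, since with identical literals a transposition of the two String arguments would pass unnoticed, and add a case such as `when(userPermissionRestClient._authorizeGet(PermissionTypeEnum.ADMIN, null, productId)).thenReturn(new ResponseEntity<>(true, HttpStatus.OK));` followed by `assertTrue(userConnector.hasPermission(null, "ADMIN", productId));`. A companion case stubbing `new ResponseEntity<>(null, HttpStatus.OK)` would pin whether a missing body is treated as a denial. Both test methods start outside the hunk.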
@@ -15,6 +16,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.Collection; @@ -58,6 +60,7 @@ public Collection getProductRoles(@ApiParam("${swag @GetMapping(value = "/{productId}/brokers/{institutionType}", produces = MediaType.APPLICATION_JSON_VALUE) @ResponseStatus(HttpStatus.OK) @ApiOperation(value = "", notes = "${swagger.dashboard.product.api.getProductBrokers}") + @PreAuthorize("hasPermission(#productId, 'productId', 'ANY')") public Collection getProductBrokers(@ApiParam("${swagger.dashboard.products.model.id}") @PathVariable("productId") String productId, diff --git a/web/src/main/java/it/pagopa/selfcare/dashboard/web/security/SelfCarePermissionEvaluatorV2.java b/web/src/main/java/it/pagopa/selfcare/dashboard/web/security/SelfCarePermissionEvaluatorV2.java index c72caa75..c789c291 100644 --- a/web/src/main/java/it/pagopa/selfcare/dashboard/web/security/SelfCarePermissionEvaluatorV2.java +++ b/web/src/main/java/it/pagopa/selfcare/dashboard/web/security/SelfCarePermissionEvaluatorV2.java @@ -19,6 +19,8 @@ public class SelfCarePermissionEvaluatorV2 implements PermissionEvaluator { private final UserGroupConnector userGroupConnector; + private static final String PRODUCT_ID = "productId"; + public SelfCarePermissionEvaluatorV2(UserApiConnector userApiConnector, UserGroupConnector userGroupConnector) { this.userApiConnector = userApiConnector; this.userGroupConnector = userGroupConnector; 
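Review bot: The new `@PreAuthorize("hasPermission(#productId, 'productId', 'ANY')")` gates the brokers listing on the product alone; the `institutionType` path variable and any institution context are not part of the check, so a user holding the permission on the product in one institution can list brokers for every institution type, which is fine if brokers are product-wide data but should be stated. The `'ANY'` literal reaches `PermissionTypeEnum.fromValue(permission)` in UserConnectorImpl (visible in the earlier hunk); if the enum has no ANY constant, an unknown value presumably throws and the request fails with a 500 instead of a 403, so confirm the constant exists. The `'productId'` target type is compared case-insensitively with `PRODUCT_ID` in the evaluator, and a mismatch matches no branch at all, so add `// target type 'productId' is resolved by SelfCarePermissionEvaluatorV2; institutionId is intentionally not part of this check` above the annotation. The method's parameter list continues outside the hunk.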
@@ -57,12 +59,13 @@ public boolean hasPermission(Authentication authentication, Serializable targetI if (targetId != null && InstitutionResource.class.getSimpleName().equals(targetType)) { Assert.notNull(targetId.toString(), "InstitutionId is required"); result = userApiConnector.hasPermission(targetId.toString(), permission.toString(), null); - } - - if (targetId != null && UserGroupResource.class.getSimpleName().equals(targetType)) { + } else if (targetId != null && UserGroupResource.class.getSimpleName().equals(targetType)) { Assert.notNull(targetId.toString(), "UserGroupId is required"); UserGroupInfo userGroupInfo = userGroupConnector.getUserGroupById(targetId.toString()); result = userApiConnector.hasPermission(userGroupInfo.getInstitutionId(), permission.toString(), userGroupInfo.getProductId()); + } else if(targetId != null && PRODUCT_ID.equalsIgnoreCase(targetType)){ + Assert.notNull(targetId.toString(), "ProductId is required"); + result = userApiConnector.hasPermission(null, permission.toString(), targetId.toString()); } log.debug("check Permission result = {}", result);
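Review bot: The new `productId` branch calls `userApiConnector.hasPermission(null, permission.toString(), targetId.toString())`, so the decision is deliberately institution-agnostic; that is a new kind of answer for this evaluator and deserves a why-comment, e.g. `// product-scoped check: institutionId is intentionally null, user-ms decides across the caller's institutions`. Two smaller points: `PRODUCT_ID.equalsIgnoreCase(targetType)` is looser than the `equals` used by the two sibling branches, and `PRODUCT_ID.equals(targetType)` would keep the target-type contract uniform; `Assert.notNull(targetId.toString(), "ProductId is required")` cannot fail once `targetId != null` has already been tested in the same condition, so `Assert.hasText(targetId.toString(), "ProductId is required")` would at least reject an empty id before it is sent as a query parameter. An unrecognised targetType matches no branch and leaves `result` at the value it was given before the hunk, which must be false for the evaluator to fail closed — confirm. hasPermission's body continues outside the hunk.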