fix(api): restrain access to provider configurations with menu access (…

…#11939)
centreon · Oct 5, 2022 · 26d7d9c · 26d7d9c
1 parent 2e03601
commit 26d7d9c
Show file tree

Hide file tree

Showing 13 changed files with 83 additions and 8 deletions.
diff --git a/src/Centreon/Domain/Contact/Contact.php b/src/Centreon/Domain/Contact/Contact.php
@@ -71,6 +71,7 @@ class Contact implements UserInterface, ContactInterface
     public const ROLE_CONFIGURATION_CONTACTS_READ = 'ROLE_CONFIGURATION_USERS_CONTACTS__USERS_R';
     public const ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_READ_WRITE = 'ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_RW';
     public const ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_READ = 'ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_R';
+    public const ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE = 'ROLE_ADMINISTRATION_AUTHENTICATION_RW';
 
     /**
      * @var string

diff --git a/...ructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationController.php b/...ructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationController.php
@@ -22,6 +22,8 @@
 
 namespace Core\Security\Infrastructure\ProviderConfiguration\Local\Api\FindConfiguration;
 
+use Centreon\Domain\Contact\Contact;
+use Symfony\Component\HttpFoundation\Response;
 use Centreon\Application\Controller\AbstractController;
 use Core\Security\Application\ProviderConfiguration\Local\UseCase\FindConfiguration\FindConfiguration;
 use Core\Security\Application\ProviderConfiguration\Local\UseCase\FindConfiguration\FindConfigurationPresenterInterface;
@@ -38,6 +40,13 @@ public function __invoke(
         FindConfigurationPresenterInterface $presenter,
     ): object {
         $this->denyAccessUnlessGrantedForApiConfiguration();
+        /**
+         * @var Contact $contact
+         */
+        $contact = $this->getUser();
+        if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) {
+            return $this->view(null, Response::HTTP_FORBIDDEN);
+        }
 
         $useCase($presenter);
 

diff --git a/...ure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationController.php b/...ure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationController.php
@@ -23,7 +23,9 @@
 
 namespace Core\Security\Infrastructure\ProviderConfiguration\Local\Api\UpdateConfiguration;
 
+use Centreon\Domain\Contact\Contact;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Centreon\Application\Controller\AbstractController;
 use Core\Security\Application\ProviderConfiguration\Local\UseCase\UpdateConfiguration\UpdateConfiguration;
 use Core\Security\Application\ProviderConfiguration\Local\UseCase\UpdateConfiguration\UpdateConfigurationRequest;
@@ -45,6 +47,13 @@ public function __invoke(
         UpdateConfigurationPresenterInterface $presenter,
     ): object {
         $this->denyAccessUnlessGrantedForApiConfiguration();
+        /**
+         * @var Contact $contact
+         */
+        $contact = $this->getUser();
+        if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) {
+            return $this->view(null, Response::HTTP_FORBIDDEN);
+        }
         $this->validateDataSent($request, __DIR__ . '/UpdateConfigurationSchema.json');
         $updateConfigurationRequest = $this->createUpdateConfigurationRequest($request);
         $useCase($presenter, $updateConfigurationRequest);

diff --git a/...derConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationController.php b/...derConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationController.php
@@ -23,6 +23,8 @@
 
 namespace Core\Security\Infrastructure\ProviderConfiguration\OpenId\Api\FindOpenIdConfiguration;
 
+use Centreon\Domain\Contact\Contact;
+use Symfony\Component\HttpFoundation\Response;
 use Centreon\Application\Controller\AbstractController;
 use Core\Security\Application\ProviderConfiguration\OpenId\UseCase\FindOpenIdConfiguration\{
     FindOpenIdConfiguration,
@@ -41,6 +43,13 @@ public function __invoke(
         FindOpenIdConfigurationPresenterInterface $presenter
     ): object {
         $this->denyAccessUnlessGrantedForApiConfiguration();
+        /**
+         * @var Contact $contact
+         */
+        $contact = $this->getUser();
+        if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) {
+            return $this->view(null, Response::HTTP_FORBIDDEN);
+        }
         $useCase($presenter);
 
         return $presenter->show();

diff --git a/...onfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationController.php b/...onfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationController.php
@@ -23,7 +23,9 @@
 
 namespace Core\Security\Infrastructure\ProviderConfiguration\OpenId\Api\UpdateOpenIdConfiguration;
 
+use Centreon\Domain\Contact\Contact;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Centreon\Application\Controller\AbstractController;
 use Core\Security\Application\ProviderConfiguration\OpenId\UseCase\UpdateOpenIdConfiguration\{
     UpdateOpenIdConfiguration,
@@ -45,6 +47,13 @@ public function __invoke(
         UpdateOpenIdConfigurationPresenterInterface $presenter
     ): object {
         $this->denyAccessUnlessGrantedForApiConfiguration();
+        /**
+         * @var Contact $contact
+         */
+        $contact = $this->getUser();
+        if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) {
+            return $this->view(null, Response::HTTP_FORBIDDEN);
+        }
         $this->validateDataSent($request, __DIR__ . '/UpdateOpenIdConfigurationSchema.json');
         $updateOpenIdConfigurationRequest = $this->createUpdateOpenIdConfigurationRequest($request);
         $useCase($presenter, $updateOpenIdConfigurationRequest);

diff --git a/...derConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationController.php b/...derConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationController.php
@@ -23,6 +23,8 @@
 
 namespace Core\Security\Infrastructure\ProviderConfiguration\WebSSO\Api\FindWebSSOConfiguration;
 
+use Centreon\Domain\Contact\Contact;
+use Symfony\Component\HttpFoundation\Response;
 use Centreon\Application\Controller\AbstractController;
 use Core\Security\Application\ProviderConfiguration\WebSSO\UseCase\FindWebSSOConfiguration\{
     FindWebSSOConfiguration,
@@ -41,6 +43,13 @@ public function __invoke(
         FindWebSSOConfigurationPresenterInterface $presenter
     ): object {
         $this->denyAccessUnlessGrantedForApiConfiguration();
+        /**
+         * @var Contact $contact
+         */
+        $contact = $this->getUser();
+        if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) {
+            return $this->view(null, Response::HTTP_FORBIDDEN);
+        }
         $useCase($presenter);
 
         return $presenter->show();

diff --git a/...onfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationController.php b/...onfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationController.php
@@ -23,7 +23,9 @@
 
 namespace Core\Security\Infrastructure\ProviderConfiguration\WebSSO\Api\UpdateWebSSOConfiguration;
 
+use Centreon\Domain\Contact\Contact;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Centreon\Application\Controller\AbstractController;
 use Centreon\Domain\Log\LoggerTrait;
 use Core\Security\Application\ProviderConfiguration\WebSSO\UseCase\UpdateWebSSOConfiguration\{
@@ -48,6 +50,13 @@ public function __invoke(
         UpdateWebSSOConfigurationPresenterInterface $presenter
     ): object {
         $this->denyAccessUnlessGrantedForApiConfiguration();
+        /**
+         * @var Contact $contact
+         */
+        $contact = $this->getUser();
+        if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) {
+            return $this->view(null, Response::HTTP_FORBIDDEN);
+        }
         $this->info('Validating request body...');
         $this->validateDataSent($request, __DIR__ . '/UpdateWebSSOConfigurationSchema.json');
         $updateWebSSOConfigurationRequest = $this->createUpdateWebSSOConfigurationRequest($request);

diff --git a/...ure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationControllerTest.php b/...ure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationControllerTest.php
@@ -57,10 +57,11 @@ public function setUp(): void
 
         $timezone = new \DateTimeZone('Europe/Paris');
         $adminContact = (new Contact())
-        ->setId(1)
-        ->setName('admin')
-        ->setAdmin(true)
-        ->setTimezone($timezone);
+            ->setId(1)
+            ->setName('admin')
+            ->setAdmin(true)
+            ->setTimezone($timezone);
+        $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE);
 
         $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authorizationChecker->expects($this->once())
@@ -83,10 +84,12 @@ public function setUp(): void
             ->method('get')
             ->withConsecutive(
                 [$this->equalTo('security.authorization_checker')],
+                [$this->equalTo('security.token_storage')],
                 [$this->equalTo('parameter_bag')]
             )
             ->willReturnOnConsecutiveCalls(
                 $authorizationChecker,
+                $tokenStorage,
                 new class () {
                     public function get(): string
                     {

diff --git a/...ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationControllerTest.php b/...ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationControllerTest.php
@@ -70,6 +70,7 @@ public function setUp(): void
             ->setName('admin')
             ->setAdmin(true)
             ->setTimezone($timezone);
+        $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE);
 
         $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
         $authorizationChecker->expects($this->once())
@@ -92,10 +93,12 @@ public function setUp(): void
             ->method('get')
             ->withConsecutive(
                 [$this->equalTo('security.authorization_checker')],
+                [$this->equalTo('security.token_storage')],
                 [$this->equalTo('parameter_bag')]
             )
             ->willReturnOnConsecutiveCalls(
                 $authorizationChecker,
+                $tokenStorage,
                 new class () {
                     public function get(): string
                     {

diff --git a/...onfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationControllerTest.php b/...onfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationControllerTest.php
@@ -42,10 +42,11 @@
 
     $timezone = new \DateTimeZone('Europe/Paris');
     $adminContact = (new Contact())
-    ->setId(1)
-    ->setName('admin')
-    ->setAdmin(true)
-    ->setTimezone($timezone);
+        ->setId(1)
+        ->setName('admin')
+        ->setAdmin(true)
+        ->setTimezone($timezone);
+    $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE);
 
     $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
     $authorizationChecker->expects($this->once())
@@ -68,10 +69,12 @@
         ->method('get')
         ->withConsecutive(
             [$this->equalTo('security.authorization_checker')],
+            [$this->equalTo('security.token_storage')],
             [$this->equalTo('parameter_bag')]
         )
         ->willReturnOnConsecutiveCalls(
             $authorizationChecker,
+            $tokenStorage,
             new class () {
                 public function get(): string
                 {

diff --git a/...guration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationControllerTest.php b/...guration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationControllerTest.php
@@ -48,6 +48,7 @@
         ->setName('admin')
         ->setAdmin(true)
         ->setTimezone($timezone);
+    $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE);
 
     $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
     $authorizationChecker->expects($this->once())
@@ -70,10 +71,12 @@
         ->method('get')
         ->withConsecutive(
             [$this->equalTo('security.authorization_checker')],
+            [$this->equalTo('security.token_storage')],
             [$this->equalTo('parameter_bag')]
         )
         ->willReturnOnConsecutiveCalls(
             $authorizationChecker,
+            $tokenStorage,
             new class () {
                 public function get(): string
                 {

diff --git a/...onfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationControllerTest.php b/...onfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationControllerTest.php
@@ -47,6 +47,8 @@
         ->setName('admin')
         ->setAdmin(true)
         ->setTimezone($timezone);
+    $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE);
+
     $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
     $authorizationChecker->expects($this->once())
         ->method('isGranted')
@@ -67,10 +69,12 @@
         ->method('get')
         ->withConsecutive(
             [$this->equalTo('security.authorization_checker')],
+            [$this->equalTo('security.token_storage')],
             [$this->equalTo('parameter_bag')]
         )
         ->willReturnOnConsecutiveCalls(
             $authorizationChecker,
+            $tokenStorage,
             new class () {
                 public function get(): string
                 {

diff --git a/...guration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationControllerTest.php b/...guration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationControllerTest.php
@@ -47,6 +47,8 @@
         ->setName('admin')
         ->setAdmin(true)
         ->setTimezone($timezone);
+    $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE);
+
     $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class);
     $authorizationChecker->expects($this->once())
         ->method('isGranted')
@@ -67,10 +69,12 @@
         ->method('get')
         ->withConsecutive(
             [$this->equalTo('security.authorization_checker')],
+            [$this->equalTo('security.token_storage')],
             [$this->equalTo('parameter_bag')]
         )
         ->willReturnOnConsecutiveCalls(
             $authorizationChecker,
+            $tokenStorage,
             new class () {
                 public function get(): string
                 {