diff --git a/src/Centreon/Domain/Contact/Contact.php b/src/Centreon/Domain/Contact/Contact.php index 6afcb4bb164..a37dcb2a350 100644 --- a/src/Centreon/Domain/Contact/Contact.php +++ b/src/Centreon/Domain/Contact/Contact.php @@ -71,6 +71,7 @@ class Contact implements UserInterface, ContactInterface public const ROLE_CONFIGURATION_CONTACTS_READ = 'ROLE_CONFIGURATION_USERS_CONTACTS__USERS_R'; public const ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_READ_WRITE = 'ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_RW'; public const ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_READ = 'ROLE_CONFIGURATION_USERS_CONTACT_GROUPS_R'; + public const ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE = 'ROLE_ADMINISTRATION_AUTHENTICATION_RW'; /** * @var string diff --git a/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationController.php b/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationController.php index bf69a4d8b72..b72ae690c3c 100644 --- a/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationController.php +++ b/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationController.php @@ -22,6 +22,8 @@ namespace Core\Security\Infrastructure\ProviderConfiguration\Local\Api\FindConfiguration; +use Centreon\Domain\Contact\Contact; +use Symfony\Component\HttpFoundation\Response; use Centreon\Application\Controller\AbstractController; use Core\Security\Application\ProviderConfiguration\Local\UseCase\FindConfiguration\FindConfiguration; use Core\Security\Application\ProviderConfiguration\Local\UseCase\FindConfiguration\FindConfigurationPresenterInterface; 
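Review bot: The added `use Centreon\Domain\Contact\Contact;` and `use Symfony\Component\HttpFoundation\Response;` are inserted ahead of `use Centreon\Application\Controller\AbstractController;`, which leaves the import block unsorted; the same placement recurs in the import hunks of the five other controllers in this commit. Keeping the block alphabetised (Centreon\Application…, Centreon\Domain…, Core…, Symfony…) avoids churn if an ordered-imports fixer runs on these files later.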
@@ -38,6 +40,13 @@ public function __invoke( FindConfigurationPresenterInterface $presenter, ): object { $this->denyAccessUnlessGrantedForApiConfiguration(); + /** + * @var Contact $contact + */ + $contact = $this->getUser(); + if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) { + return $this->view(null, Response::HTTP_FORBIDDEN); + } $useCase($presenter); diff --git a/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationController.php b/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationController.php index 15ad76b326e..c7738b7a743 100644 --- a/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationController.php +++ b/src/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationController.php @@ -23,7 +23,9 @@ namespace Core\Security\Infrastructure\ProviderConfiguration\Local\Api\UpdateConfiguration; +use Centreon\Domain\Contact\Contact; use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\HttpFoundation\Response; use Centreon\Application\Controller\AbstractController; use Core\Security\Application\ProviderConfiguration\Local\UseCase\UpdateConfiguration\UpdateConfiguration; use Core\Security\Application\ProviderConfiguration\Local\UseCase\UpdateConfiguration\UpdateConfigurationRequest; 
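Review bot: `$contact = $this->getUser();` is narrowed only by the `@var Contact $contact` docblock, so if `getUser()` yields null or a non-Contact user (Symfony's `AbstractController::getUser()` is nullable, assuming Centreon's base controller inherits it) the next line calls `hasTopologyRole()` on a non-object and the request fails with a TypeError instead of a clean 403; make the guard explicit: `if (! $contact instanceof Contact || ! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) {`. The same block is pasted verbatim into UpdateConfigurationController, FindOpenIdConfigurationController, UpdateOpenIdConfigurationController, FindWebSSOConfigurationController and UpdateWebSSOConfigurationController, so the fix applies to all six hunks. Since every copy sits directly after `denyAccessUnlessGrantedForApiConfiguration()`, one helper on the base controller (for example a `denyAccessUnlessGrantedForTopologyRole(string $role)` that throws the same access-denied exception) would reduce the six call sites to a single line and keep the authorization policy reviewable in one place. Note also that the tests had to call `addTopologyRule()` on a contact already marked `setAdmin(true)`, which suggests `hasTopologyRole()` does not grant implicitly to administrators — confirm that locking admins without that topology entry out of the authentication settings is intended. `__invoke()` ends outside the hunk.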
@@ -45,6 +47,13 @@ public function __invoke( UpdateConfigurationPresenterInterface $presenter, ): object { $this->denyAccessUnlessGrantedForApiConfiguration(); + /** + * @var Contact $contact + */ + $contact = $this->getUser(); + if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) { + return $this->view(null, Response::HTTP_FORBIDDEN); + } $this->validateDataSent($request, __DIR__ . '/UpdateConfigurationSchema.json'); $updateConfigurationRequest = $this->createUpdateConfigurationRequest($request); $useCase($presenter, $updateConfigurationRequest); diff --git a/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationController.php b/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationController.php index 07ceadf68b1..c58a7c0a725 100644 --- a/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationController.php +++ b/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationController.php @@ -23,6 +23,8 @@ namespace Core\Security\Infrastructure\ProviderConfiguration\OpenId\Api\FindOpenIdConfiguration; +use Centreon\Domain\Contact\Contact; +use Symfony\Component\HttpFoundation\Response; use Centreon\Application\Controller\AbstractController; use Core\Security\Application\ProviderConfiguration\OpenId\UseCase\FindOpenIdConfiguration\{ FindOpenIdConfiguration, @@ -41,6 +43,13 @@ public function __invoke( FindOpenIdConfigurationPresenterInterface $presenter ): object { $this->denyAccessUnlessGrantedForApiConfiguration(); + /** + * @var Contact $contact + */ + $contact = $this->getUser(); + if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) { + return $this->view(null, Response::HTTP_FORBIDDEN); + } $useCase($presenter); return $presenter->show(); 
diff --git a/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationController.php b/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationController.php index abfe56b8df7..873b0e2756e 100644 --- a/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationController.php +++ b/src/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationController.php @@ -23,7 +23,9 @@ namespace Core\Security\Infrastructure\ProviderConfiguration\OpenId\Api\UpdateOpenIdConfiguration; +use Centreon\Domain\Contact\Contact; use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\HttpFoundation\Response; use Centreon\Application\Controller\AbstractController; use Core\Security\Application\ProviderConfiguration\OpenId\UseCase\UpdateOpenIdConfiguration\{ UpdateOpenIdConfiguration, @@ -45,6 +47,13 @@ public function __invoke( UpdateOpenIdConfigurationPresenterInterface $presenter ): object { $this->denyAccessUnlessGrantedForApiConfiguration(); + /** + * @var Contact $contact + */ + $contact = $this->getUser(); + if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) { + return $this->view(null, Response::HTTP_FORBIDDEN); + } $this->validateDataSent($request, __DIR__ . '/UpdateOpenIdConfigurationSchema.json'); $updateOpenIdConfigurationRequest = $this->createUpdateOpenIdConfigurationRequest($request); $useCase($presenter, $updateOpenIdConfigurationRequest); diff --git a/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationController.php b/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationController.php index 66befcd3de8..cae8faa9927 100644 
--- a/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationController.php +++ b/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationController.php @@ -23,6 +23,8 @@ namespace Core\Security\Infrastructure\ProviderConfiguration\WebSSO\Api\FindWebSSOConfiguration; +use Centreon\Domain\Contact\Contact; +use Symfony\Component\HttpFoundation\Response; use Centreon\Application\Controller\AbstractController; use Core\Security\Application\ProviderConfiguration\WebSSO\UseCase\FindWebSSOConfiguration\{ FindWebSSOConfiguration, @@ -41,6 +43,13 @@ public function __invoke( FindWebSSOConfigurationPresenterInterface $presenter ): object { $this->denyAccessUnlessGrantedForApiConfiguration(); + /** + * @var Contact $contact + */ + $contact = $this->getUser(); + if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) { + return $this->view(null, Response::HTTP_FORBIDDEN); + } $useCase($presenter); return $presenter->show(); diff --git a/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationController.php b/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationController.php index 4a8bf6e0013..7652e72112b 100644 --- a/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationController.php +++ b/src/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationController.php 
@@ -23,7 +23,9 @@ namespace Core\Security\Infrastructure\ProviderConfiguration\WebSSO\Api\UpdateWebSSOConfiguration; +use Centreon\Domain\Contact\Contact; use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\HttpFoundation\Response; use Centreon\Application\Controller\AbstractController; use Centreon\Domain\Log\LoggerTrait; use Core\Security\Application\ProviderConfiguration\WebSSO\UseCase\UpdateWebSSOConfiguration\{ @@ -48,6 +50,13 @@ public function __invoke( UpdateWebSSOConfigurationPresenterInterface $presenter ): object { $this->denyAccessUnlessGrantedForApiConfiguration(); + /** + * @var Contact $contact + */ + $contact = $this->getUser(); + if (! $contact->hasTopologyRole(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)) { + return $this->view(null, Response::HTTP_FORBIDDEN); + } $this->info('Validating request body...'); $this->validateDataSent($request, __DIR__ . '/UpdateWebSSOConfigurationSchema.json'); $updateWebSSOConfigurationRequest = $this->createUpdateWebSSOConfigurationRequest($request); diff --git a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationControllerTest.php b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationControllerTest.php index f81ab66d059..c72acd91a8c 100644 --- a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationControllerTest.php +++ b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/FindConfiguration/FindConfigurationControllerTest.php 
@@ -57,10 +57,11 @@ public function setUp(): void $timezone = new \DateTimeZone('Europe/Paris'); $adminContact = (new Contact()) - ->setId(1) - ->setName('admin') - ->setAdmin(true) - ->setTimezone($timezone); + ->setId(1) + ->setName('admin') + ->setAdmin(true) + ->setTimezone($timezone); + $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE); $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class); $authorizationChecker->expects($this->once()) @@ -83,10 +84,12 @@ public function setUp(): void ->method('get') ->withConsecutive( [$this->equalTo('security.authorization_checker')], + [$this->equalTo('security.token_storage')], [$this->equalTo('parameter_bag')] ) ->willReturnOnConsecutiveCalls( $authorizationChecker, + $tokenStorage, new class () { public function get(): string { diff --git a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationControllerTest.php b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationControllerTest.php index 1588b6864d9..862d146262b 100644 --- a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationControllerTest.php +++ b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/Local/Api/UpdateConfiguration/UpdateConfigurationControllerTest.php @@ -70,6 +70,7 @@ public function setUp(): void ->setName('admin') ->setAdmin(true) ->setTimezone($timezone); + $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE); $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class); $authorizationChecker->expects($this->once()) 
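Review bot: No test in this file or the other five updated test files exercises the new forbidden branch — each only adds `addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE)` to the admin contact so the existing happy-path expectations keep passing; add one case per controller with a contact that lacks the role and assert that `Response::HTTP_FORBIDDEN` is returned and the use case is never invoked. `$tokenStorage` is returned from the container mock for `security.token_storage`, but its construction is not in the hunk, so I assume it is defined earlier in `setUp()`. `withConsecutive()` is deprecated since PHPUnit 9.6 and removed in 10, so if the suite is heading there the container stub would be simpler as a `willReturnCallback()` keyed on the service id. The same points apply to the UpdateConfiguration, FindOpenIdConfiguration, UpdateOpenIdConfiguration, FindWebSSOConfiguration and UpdateWebSSOConfiguration test hunks.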
@@ -92,10 +93,12 @@ public function setUp(): void ->method('get') ->withConsecutive( [$this->equalTo('security.authorization_checker')], + [$this->equalTo('security.token_storage')], [$this->equalTo('parameter_bag')] ) ->willReturnOnConsecutiveCalls( $authorizationChecker, + $tokenStorage, new class () { public function get(): string { diff --git a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationControllerTest.php b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationControllerTest.php index dcd9ae18e79..c5fbc02b48f 100644 --- a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationControllerTest.php +++ b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/FindOpenIdConfiguration/FindOpenIdConfigurationControllerTest.php @@ -42,10 +42,11 @@ $timezone = new \DateTimeZone('Europe/Paris'); $adminContact = (new Contact()) - ->setId(1) - ->setName('admin') - ->setAdmin(true) - ->setTimezone($timezone); + ->setId(1) + ->setName('admin') + ->setAdmin(true) + ->setTimezone($timezone); + $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE); $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class); $authorizationChecker->expects($this->once()) @@ -68,10 +69,12 @@ ->method('get') ->withConsecutive( [$this->equalTo('security.authorization_checker')], + [$this->equalTo('security.token_storage')], [$this->equalTo('parameter_bag')] ) ->willReturnOnConsecutiveCalls( $authorizationChecker, + $tokenStorage, new class () { public function get(): string { 
diff --git a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationControllerTest.php b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationControllerTest.php index e7468416661..50d9c094548 100644 --- a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationControllerTest.php +++ b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/OpenId/Api/UpdateOpenIdConfiguration/UpdateOpenIdConfigurationControllerTest.php @@ -48,6 +48,7 @@ ->setName('admin') ->setAdmin(true) ->setTimezone($timezone); + $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE); $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class); $authorizationChecker->expects($this->once()) @@ -70,10 +71,12 @@ ->method('get') ->withConsecutive( [$this->equalTo('security.authorization_checker')], + [$this->equalTo('security.token_storage')], [$this->equalTo('parameter_bag')] ) ->willReturnOnConsecutiveCalls( $authorizationChecker, + $tokenStorage, new class () { public function get(): string { diff --git a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationControllerTest.php b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationControllerTest.php index 005a4e8572e..ec4eb44eda2 100644 --- a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationControllerTest.php +++ b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/FindWebSSOConfiguration/FindWebSSOConfigurationControllerTest.php 
@@ -47,6 +47,8 @@ ->setName('admin') ->setAdmin(true) ->setTimezone($timezone); + $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE); + $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class); $authorizationChecker->expects($this->once()) ->method('isGranted') @@ -67,10 +69,12 @@ ->method('get') ->withConsecutive( [$this->equalTo('security.authorization_checker')], + [$this->equalTo('security.token_storage')], [$this->equalTo('parameter_bag')] ) ->willReturnOnConsecutiveCalls( $authorizationChecker, + $tokenStorage, new class () { public function get(): string { diff --git a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationControllerTest.php b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationControllerTest.php index 40e2fcfc73c..b9d191777c9 100644 --- a/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationControllerTest.php +++ b/tests/php/Core/Security/Infrastructure/ProviderConfiguration/WebSSO/Api/UpdateWebSSOConfiguration/UpdateWebSSOConfigurationControllerTest.php @@ -47,6 +47,8 @@ ->setName('admin') ->setAdmin(true) ->setTimezone($timezone); + $adminContact->addTopologyRule(Contact::ROLE_ADMINISTRATION_AUTHENTICATION_READ_WRITE); + $authorizationChecker = $this->createMock(AuthorizationCheckerInterface::class); $authorizationChecker->expects($this->once()) ->method('isGranted') @@ -67,10 +69,12 @@ ->method('get') ->withConsecutive( [$this->equalTo('security.authorization_checker')], + [$this->equalTo('security.token_storage')], [$this->equalTo('parameter_bag')] ) ->willReturnOnConsecutiveCalls( $authorizationChecker, + $tokenStorage, new class () { public function get(): string {