diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java
index 57d6e5f49..b5adc6604 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java
@@ -72,7 +72,7 @@ private void handleValidationError(BindingResult result) {
 }
 @RequestMapping(value = "/iam/account/{id}/attributes", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 public List getAttributes(@PathVariable String id) {
 IamAccount account =
@@ -85,7 +85,7 @@ public List getAttributes(@PathVariable String id) {
 }
 @RequestMapping(value = "/iam/account/{id}/attributes", method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void setAttribute(@PathVariable String id, @RequestBody @Validated AttributeDTO attribute, final BindingResult validationResult) {
@@ -99,7 +99,7 @@ public void setAttribute(@PathVariable String id, @RequestBody @Validated Attrib
 }
 @RequestMapping(value = "/iam/account/{id}/attributes", method = DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = NO_CONTENT)
 public void deleteAttribute(@PathVariable String id, @Validated AttributeDTO attribute, final BindingResult validationResult) {
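Review bot: What `#iam.hasScope` returns for a request whose Authentication is not an OAuth2 token is not visible here, yet every `@PreAuthorize` in this commit now depends on it — the same swap is made in AccountAuthorityController, FindAccountController, AccountGroupController, AccountGroupManagerController, AccountLabelsController, AccountLifecycleController, AccountProxyCertificatesController, AccountSearchController, GroupSearchController, AupSignatureController, ClientManagementAPIController, SearchClientController, ExchangePolicyController, GroupController, the three SCIM controllers and ScopePolicyController. The removed `#oauth2.hasScope` came from the Spring Security OAuth evaluation context and, as far as I recall, answered false for non-OAuth2 authentications and turned a fully denied request into an `insufficient_scope` 403 rather than a plain access-denied; if the `#iam` helper behaves differently (for instance by consulting session authorities or throwing when there is no token) the `or`-chained expressions change meaning for dashboard sessions, and the single-term `#iam.hasScope('iam:admin.write')` on setSignatureForAccount is the endpoint where that would show first. I would pin the contract in the Javadoc of the `#iam` bean's hasScope, e.g. `/** Drop-in for the removed #oauth2.hasScope: false (never an exception) when the authentication carries no OAuth2 scopes. */`, and keep a test that hits one read and one write endpoint with a scope-less token and with a session-only user. getAttributes, setAttribute and deleteAttribute all continue outside their hunks.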
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java
index 6b836f88c..6e4cede2c 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java
@@ -68,14 +68,14 @@ protected IamAccount findAccountByName(String name) {
 .orElseThrow(() -> new NoSuchAccountError(format("No account found for name '%s'", name)));
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
 @RequestMapping(value = "/me/authorities", method = RequestMethod.GET)
 public AuthoritySetDTO getAuthoritiesForMe(Authentication authn) {
 return AuthoritySetDTO
 .fromAuthorities(authorityService.getAccountAuthorities(findAccountByName(authn.getName())));
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.GET)
 @ResponseBody
 public AuthoritySetDTO getAuthoritiesForAccount(@PathVariable("id") String id) {
@@ -83,7 +83,7 @@ public AuthoritySetDTO getAuthoritiesForAccount(@PathVariable("id") String id) {
 .fromAuthorities(authorityService.getAccountAuthorities(findAccountById(id)));
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.POST)
 public void addAuthorityToAccount(@PathVariable("id") String id, @Valid AuthorityDTO authority, BindingResult validationResult) {
@@ -96,7 +96,7 @@ public void addAuthorityToAccount(@PathVariable("id") String id, @Valid Authorit
 }
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.DELETE)
 public void removeAuthorityFromAccount(@PathVariable("id") String id, @Valid AuthorityDTO authority, BindingResult validationResult) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
index 38a52d67f..2356b93ee 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
@@ -36,7 +36,7 @@ import it.infn.mw.iam.api.scim.model.ScimUser;
 @RestController
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class FindAccountController {
 public static final String INVALID_FIND_ACCOUNT_REQUEST = "Invalid find account request";
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java
index c7316a43a..994f2b529 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java
@@ -57,7 +57,7 @@ public AccountGroupController(IamAccountService accountService, IamGroupService
 @RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = POST)
 @ResponseStatus(value = HttpStatus.CREATED)
- @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
+ @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
 public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable String groupUuid) {
 IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));
@@ -75,7 +75,7 @@ public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable St
 @RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = DELETE)
 @ResponseStatus(value = HttpStatus.NO_CONTENT)
- @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
+ @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
 public void removeAccountFromGroup(@PathVariable String accountUuid, @PathVariable String groupUuid) {
 IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java
index 6a52268b2..b5682e58a 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java
@@ -63,7 +63,7 @@ public AccountGroupManagerController(AccountGroupManagerService service,
 @RequestMapping(value = "/iam/account/{accountId}/managed-groups", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
 public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
 @PathVariable String accountId) {
 IamAccount account = accountRepository.findByUuid(accountId)
@@ -74,7 +74,7 @@ public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
 @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}", method = RequestMethod.POST)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = HttpStatus.CREATED)
 public void addManagedGroupToAccount(@PathVariable String accountId,
 @PathVariable String groupId) {
@@ -90,7 +90,7 @@ public void addManagedGroupToAccount(@PathVariable String accountId,
 @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}", method = RequestMethod.DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = HttpStatus.NO_CONTENT)
 public void removeManagedGroupFromAccount(@PathVariable String accountId,
 @PathVariable String groupId) {
@@ -105,7 +105,7 @@ public void removeManagedGroupFromAccount(@PathVariable String accountId,
 }
 @RequestMapping(value = "/iam/group/{groupId}/group-managers", method=RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
 public List getGroupManagersForGroup(@PathVariable String groupId) {
 IamGroup group = groupRepository.findByUuid(groupId)
 .orElseThrow(() -> InvalidManagedGroupError.groupNotFoundException(groupId));
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java
index dbbd9eb8d..41f047614 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java
@@ -75,7 +75,7 @@ private void handleValidationError(BindingResult result) {
 }
 @RequestMapping(method = GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
 public List getLabels(@PathVariable String id) {
 IamAccount account = service.findByUuid(id).orElseThrow(noSuchAccountError(id));
@@ -88,7 +88,7 @@ public List getLabels(@PathVariable String id) {
 }
 @RequestMapping(method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO label, BindingResult validationResult) {
 handleValidationError(validationResult);
@@ -98,7 +98,7 @@ public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO l
 }
 @RequestMapping(method = DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(NO_CONTENT)
 public void deleteLabel(@PathVariable String id, @Validated LabelDTO label, BindingResult validationResult) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java
index 7f7bfa542..2a3e443a3 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java
@@ -42,7 +42,7 @@
 @RestController
 @RequestMapping(value = AccountLifecycleController.BASE_RESOURCE)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class AccountLifecycleController {
 public static final String BASE_RESOURCE = "/iam/account/{id}/endTime";
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java
index 1b2a81540..b64d11340 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java
@@ -77,7 +77,7 @@ private void handleValidationError(BindingResult result) {
 }
 @RequestMapping(value = "/iam/account/me/proxycert", method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
 public void addProxyCertificate(
 @RequestBody @Validated(
 value = ProxyCertificateDTO.AddProxyCertValidation.class) ProxyCertificateDTO proxyCert,
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java
index 7062a1ae9..50c4f7e72 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java
@@ -38,7 +38,7 @@
 @RestController
 @Transactional
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 @RequestMapping(AccountSearchController.ACCOUNT_SEARCH_ENDPOINT)
 public class AccountSearchController extends AbstractSearchController {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java
index 41c2dc06e..6f352bf5d 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java
@@ -42,7 +42,7 @@
 @RestController
 @Transactional
-@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #oauth2.hasScope('iam:admin.read')")
+@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #iam.hasScope('iam:admin.read')")
 @RequestMapping(GroupSearchController.GROUP_SEARCH_ENDPOINT)
 public class GroupSearchController extends AbstractSearchController {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java
index f7db70d31..b8db5f862 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java
@@ -101,7 +101,7 @@ public AupSignatureDTO getSignature() throws AccountNotFoundException {
 }
 @RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
 public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) throws AccountNotFoundException {
 IamAccount account = accountUtils.getByAccountId(accountId)
 .orElseThrow(accountNotFoundException("Account not found for id: " + accountId));
@@ -113,7 +113,7 @@ public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) th
 }
 @RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.PATCH)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write')")
 public void setSignatureForAccount(@PathVariable String accountId, @RequestBody @Validated AupSignatureDTO dto) throws AccountNotFoundException {
 IamAccount account = accountUtils.getByAccountId(accountId)
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
index 08395290f..a761d86df 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
@@ -68,7 +68,7 @@ public ClientManagementAPIController(ClientManagementService managementService)
 @PostMapping
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO saveNewClient(@RequestBody RegisteredClientDTO client) throws ParseException {
 return managementService.saveNewClient(client);
@@ -76,7 +76,7 @@ public RegisteredClientDTO saveNewClient(@RequestBody RegisteredClientDTO client
 @JsonView({ClientViews.ClientManagement.class})
 @GetMapping
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public ListResponseDTO retrieveClients(
 @RequestParam final Optional count,
 @RequestParam final Optional startIndex,
@@ -94,14 +94,14 @@ public ListResponseDTO retrieveClients(
 @JsonView({ClientViews.ClientManagement.class})
 @GetMapping("/{clientId}")
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO retrieveClient(@PathVariable String clientId) {
 return managementService.retrieveClientByClientId(clientId)
 .orElseThrow(clientNotFound(clientId));
 }
 @GetMapping("/{clientId}/owners")
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public ListResponseDTO retrieveClientOwners(@PathVariable String clientId,
 @RequestParam final Optional count,
 @RequestParam final Optional startIndex) {
@@ -111,7 +111,7 @@ public ListResponseDTO retrieveClientOwners(@PathVariable String clien
 @PostMapping("/{clientId}/owners/{accountId}")
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void assignClientOwner(@PathVariable String clientId,
 @PathVariable final String accountId) {
 managementService.assignClientOwner(clientId, accountId);
@@ -119,21 +119,21 @@ public void assignClientOwner(@PathVariable String clientId,
 @PostMapping("/{clientId}/rat")
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO rotateRegistrationAccessToken(@PathVariable String clientId) {
 return managementService.rotateRegistrationAccessToken(clientId);
 }
 @DeleteMapping("/{clientId}/owners/{accountId}")
 @ResponseStatus(NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void removeClientOwner(@PathVariable String clientId,
 @PathVariable final String accountId) {
 managementService.removeClientOwner(clientId, accountId);
 }
 @PutMapping("/{clientId}")
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO updateClient(@PathVariable String clientId,
 @RequestBody RegisteredClientDTO client) throws ParseException {
@@ -142,14 +142,14 @@ public RegisteredClientDTO updateClient(@PathVariable String clientId,
 @PostMapping("/{clientId}/secret")
 @ResponseStatus(CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public RegisteredClientDTO rotateClientSecret(@PathVariable String clientId) {
 return managementService.generateNewClientSecret(clientId);
 }
 @DeleteMapping("/{clientId}")
 @ResponseStatus(NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void deleteClient(@PathVariable String clientId) {
 managementService.deleteClientByClientId(clientId);
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java
index be9aa82a2..fa524d114 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java
@@ -36,7 +36,7 @@
 @RestController
 @RequestMapping(SearchClientController.ENDPOINT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class SearchClientController {
 public static final int MAX_PAGE_SIZE = 100;
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java
index 7bf1a4d62..210431e0f 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java
@@ -62,7 +62,7 @@ protected InvalidExchangePolicyError buildValidationError(BindingResult result)
 }
 @RequestMapping(value = "/policies", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public List getExchangePolicies() {
 Page resultsPage = service.getTokenExchangePolicies(UNPAGED);
 if (resultsPage.hasNext()) {
@@ -74,14 +74,14 @@ public List getExchangePolicies() {
 @RequestMapping(value = "/policies/{id}", method = RequestMethod.DELETE)
 @ResponseStatus(code = HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void deleteExchangePolicy(@PathVariable Long id) {
 service.deleteTokenExchangePolicyById(id);
 }
 @RequestMapping(value = "/policies", method = RequestMethod.POST)
 @ResponseStatus(code = HttpStatus.CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void createExchangePolicy(@Valid @RequestBody ExchangePolicyDTO dto, BindingResult validationResult) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java
index 9963eed00..28ea8c02b 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/group/GroupController.java
@@ -86,7 +86,7 @@ private void handleValidationError(String prefix, BindingResult result) {
 @RequestMapping(value = "/iam/group", method = POST)
 @ResponseStatus(value = HttpStatus.CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public GroupDTO createGroup(@RequestBody @Validated(CreateGroup.class) GroupDTO group,
 final BindingResult validationResult) {
 handleValidationError(INVALID_GROUP,validationResult);
@@ -97,7 +97,7 @@ public GroupDTO createGroup(@RequestBody @Validated(CreateGroup.class) GroupDTO
 }
 @RequestMapping(value = "/iam/group/{id}", method = PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
 public GroupDTO updateGroup(@PathVariable String id, @RequestBody @Validated(UpdateGroup.class) GroupDTO group, final BindingResult validationResult) {
 handleValidationError(INVALID_GROUP, validationResult);
@@ -107,7 +107,7 @@ public GroupDTO updateGroup(@PathVariable String id, @RequestBody @Validated(Upd
 }
 @RequestMapping(value = "/iam/group/{id}/attributes", method=RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#id)")
 public List getAttributes(@PathVariable String id){
 IamGroup entity = groupService.findByUuid(id).orElseThrow(()->NoSuchGroupError.forUuid(id));
@@ -119,7 +119,7 @@ public List getAttributes(@PathVariable String id){
 }
 @RequestMapping(value = "/iam/group/{id}/attributes", method= PUT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public void setAttribute(@PathVariable String id, @RequestBody @Validated AttributeDTO attribute, final BindingResult validationResult) {
 handleValidationError(INVALID_ATTRIBUTE,validationResult);
 IamGroup entity = groupService.findByUuid(id).orElseThrow(()->NoSuchGroupError.forUuid(id));
@@ -130,7 +130,7 @@ public void setAttribute(@PathVariable String id, @RequestBody @Validated Attrib
 }
 @RequestMapping(value = "/iam/group/{id}/attributes", method=DELETE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @ResponseStatus(value = HttpStatus.NO_CONTENT)
 public void deleteAttribute(@PathVariable String id, @Validated AttributeDTO attribute, final BindingResult validationResult) {
 handleValidationError(INVALID_ATTRIBUTE, validationResult);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java
index f20954ca0..98569a0c6 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimGroupController.java
@@ -73,7 +73,7 @@ private Set parseAttributes(final String attributesParameter) {
 @Autowired
 ScimGroupProvisioning groupProvisioningService;
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimGroup getGroup(@PathVariable final String id) {
@@ -81,7 +81,7 @@ public ScimGroup getGroup(@PathVariable final String id) {
 return groupProvisioningService.getById(id);
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public MappingJacksonValue listGroups(@RequestParam(required = false) final Integer count,
 @RequestParam(required = false) final Integer startIndex,
@@ -104,7 +104,7 @@ public MappingJacksonValue listGroups(@RequestParam(required = false) final Inte
 return wrapper;
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(method = RequestMethod.POST, consumes = ScimConstants.SCIM_CONTENT_TYPE, produces = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.CREATED)
@@ -115,7 +115,7 @@ public ScimGroup create(@RequestBody @Validated final ScimGroup group,
 return groupProvisioningService.create(group);
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 @RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = ScimConstants.SCIM_CONTENT_TYPE, produces = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.OK)
@@ -128,7 +128,7 @@ public ScimGroup replaceGroup(@PathVariable final String id,
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}", method = RequestMethod.PATCH, consumes = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
@@ -141,7 +141,7 @@ public void updateGroup(@PathVariable final String id,
 groupProvisioningService.update(id, groupPatchRequest.getOperations());
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
 public void deleteGroup(@PathVariable final String id) {
@@ -150,7 +150,7 @@ public void deleteGroup(@PathVariable final String id) {
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}/members", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimListResponse listMembers(@PathVariable final String id,
@@ -161,7 +161,7 @@ public ScimListResponse listMembers(@PathVariable final String id
 buildPageRequest(count, startIndex, SCIM_MEMBERS_MAX_PAGE_SIZE));
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAdminOrGMDashboardRoleOfGroup(#id)")
 @RequestMapping(value = "/{id}/subgroups", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimListResponse listSubgroups(@PathVariable final String id,
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java
index a340f6f15..b3e03044f 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimMeController.java
@@ -126,7 +126,7 @@ public void setApplicationEventPublisher(ApplicationEventPublisher publisher) {
 this.eventPublisher = publisher;
 }
- @PreAuthorize("#oauth2.hasScope('scim:read') or hasRole('USER')")
+ @PreAuthorize("#iam.hasScope('scim:read') or hasRole('USER')")
 @RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
 public ScimUser whoami() {
@@ -135,7 +135,7 @@ public ScimUser whoami() {
 }
- @PreAuthorize("#oauth2.hasScope('scim:write') or hasRole('USER')")
+ @PreAuthorize("#iam.hasScope('scim:write') or hasRole('USER')")
 @RequestMapping(method = RequestMethod.PATCH, consumes = ScimConstants.SCIM_CONTENT_TYPE)
 @ResponseStatus(HttpStatus.NO_CONTENT)
 public void updateUser(
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java
index c1e104868..11e2e4606 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scim/controller/ScimUserController.java
@@ -75,7 +75,7 @@ private Set parseAttributes(final String attributesParameter) {
return result;
}
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasDashboardRole('ROLE_ADMIN')")
@RequestMapping(method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
public MappingJacksonValue listUsers(@RequestParam(required = false) final Integer count, @RequestParam(required = false) final Integer startIndex,
@@ -98,7 +98,7 @@ public MappingJacksonValue listUsers(@RequestParam(required = false) final Integ
return wrapper;
}
- @PreAuthorize("#oauth2.hasScope('scim:read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+ @PreAuthorize("#iam.hasScope('scim:read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = ScimConstants.SCIM_CONTENT_TYPE)
public ScimUser getUser(@PathVariable final String id) {
@@ -106,7 +106,7 @@ public ScimUser getUser(@PathVariable final String id) {
return userProvisioningService.getById(id);
}
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@RequestMapping(method = RequestMethod.POST, consumes = ScimConstants.SCIM_CONTENT_TYPE, produces = ScimConstants.SCIM_CONTENT_TYPE)
@ResponseStatus(HttpStatus.CREATED)
@@ -120,7 +120,7 @@ public MappingJacksonValue create(
return new MappingJacksonValue(result);
}
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = ScimConstants.SCIM_CONTENT_TYPE, produces = ScimConstants.SCIM_CONTENT_TYPE)
@ResponseStatus(HttpStatus.OK)
@@ -134,7 +134,7 @@ public ScimUser replaceUser(@PathVariable final String id,
}
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@RequestMapping(value = "/{id}", method = RequestMethod.PATCH, consumes = ScimConstants.SCIM_CONTENT_TYPE)
@ResponseStatus(HttpStatus.NO_CONTENT)
@@ -148,7 +148,7 @@ public void updateUser(@PathVariable final String id,
}
- @PreAuthorize("#oauth2.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('scim:write') or #iam.hasDashboardRole('ROLE_ADMIN')")
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
@ResponseStatus(HttpStatus.NO_CONTENT)
public void deleteUser(@PathVariable final String id) {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java
index 84937b5a1..7f8962c15 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/scope_policy/ScopePolicyController.java
@@ -55,7 +55,7 @@ public ScopePolicyController(ScopePolicyService policyService,
}
@RequestMapping(value = "/iam/scope_policies", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public List listScopePolicies() {
Iterable policies = policyService.findAllScopePolicies();
@@ -70,7 +70,7 @@ public List listScopePolicies() {
@RequestMapping(value = "/iam/scope_policies", method = RequestMethod.POST)
@ResponseStatus(code = HttpStatus.CREATED)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void addScopePolicy(@Valid @RequestBody ScopePolicyDTO policy, BindingResult validationResult) {
@@ -83,7 +83,7 @@ public void addScopePolicy(@Valid @RequestBody ScopePolicyDTO policy,
@RequestMapping(value = "/iam/scope_policies/{id}", method = RequestMethod.GET)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public ScopePolicyDTO getScopePolicy(@PathVariable Long id) {
IamScopePolicy p = policyService.findScopePolicyById(id)
@@ -95,7 +95,7 @@ public ScopePolicyDTO getScopePolicy(@PathVariable Long id) {
@RequestMapping(value = "/iam/scope_policies/{id}", method = RequestMethod.PUT)
@ResponseStatus(code = HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void updateScopePolicy(@PathVariable Long id, @Valid @RequestBody ScopePolicyDTO policy, BindingResult validationResult) {
@@ -110,7 +110,7 @@ public void updateScopePolicy(@PathVariable Long id,
@RequestMapping(value = "/iam/scope_policies/{id}", method = RequestMethod.DELETE)
@ResponseStatus(code = HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void deleteScopePolicy(@PathVariable Long id) {
policyService.deleteScopePolicyById(id);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java
index 5113ab640..49fc09f64 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/AccessTokensController.java
@@ -49,7 +49,7 @@ public class AccessTokensController extends TokensControllerSupport {
private TokenService tokenService;
@RequestMapping(method = RequestMethod.GET, produces = APPLICATION_JSON_CONTENT_TYPE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public MappingJacksonValue listAccessTokens(@RequestParam(required = false) Integer count, @RequestParam(required = false) Integer startIndex, @RequestParam(required = false) String userId,
@@ -63,7 +63,7 @@ public MappingJacksonValue listAccessTokens(@RequestParam(required = false) Inte
@RequestMapping(method = RequestMethod.DELETE)
@ResponseStatus(HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void deleteAllTokens() {
tokenService.deleteAllTokens();
}
@@ -87,7 +87,7 @@ private ListResponseDTO getFilteredList(TokensPageRequest pageReque
}
@RequestMapping(method = RequestMethod.GET, value = "/{id}", produces = APPLICATION_JSON_CONTENT_TYPE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public AccessToken getAccessToken(@PathVariable("id") Long id) {
return tokenService.getTokenById(id);
@@ -95,7 +95,7 @@ public AccessToken getAccessToken(@PathVariable("id") Long id) {
@RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
@ResponseStatus(HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void revokeAccessToken(@PathVariable("id") Long id) {
tokenService.revokeTokenById(id);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java
index 28b232c36..90c7f68b2 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/tokens/RefreshTokensController.java
@@ -49,7 +49,7 @@ public class RefreshTokensController extends TokensControllerSupport {
private TokenService tokenService;
@RequestMapping(method = RequestMethod.GET, produces = APPLICATION_JSON_CONTENT_TYPE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public MappingJacksonValue lisRefreshTokens(@RequestParam(required = false) Integer count, @RequestParam(required = false) Integer startIndex, @RequestParam(required = false) String userId,
@@ -63,7 +63,7 @@ public MappingJacksonValue lisRefreshTokens(@RequestParam(required = false) Inte
@RequestMapping(method = RequestMethod.DELETE)
@ResponseStatus(HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void deleteAllTokens() {
tokenService.deleteAllTokens();
}
@@ -87,7 +87,7 @@ private ListResponseDTO getFilteredList(TokensPageRequest pageRequ
}
@RequestMapping(method = RequestMethod.GET, value = "/{id}", produces = APPLICATION_JSON_CONTENT_TYPE)
- @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
public RefreshToken getRefreshToken(@PathVariable("id") Long id) {
return tokenService.getTokenById(id);
@@ -95,7 +95,7 @@ public RefreshToken getRefreshToken(@PathVariable("id") Long id) {
@RequestMapping(method = RequestMethod.DELETE, value = "/{id}")
@ResponseStatus(HttpStatus.NO_CONTENT)
- @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+ @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
public void revokeRefreshToken(@PathVariable("id") Long id) {
tokenService.revokeTokenById(id);
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java
index 271624d60..7b4563381 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/userinfo/IamUserInfoEndpoint.java
@@ -57,7 +57,7 @@ public IamUserInfoEndpoint(JWTProfileResolver profileResolver,
this.scopeResolver = scopeResolver;
}
- @PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('" + SystemScopeService.OPENID_SCOPE
+ @PreAuthorize("hasRole('ROLE_USER') and #iam.hasScope('" + SystemScopeService.OPENID_SCOPE + "')")
@RequestMapping(method = RequestMethod.GET, produces = {MediaType.APPLICATION_JSON_VALUE})
public String getInfo(
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java b/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java
index 04561f271..abe92b7f2 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/registration/RegistrationApiController.java
@@ -95,7 +95,7 @@ private Optional getExternalAuthenticati
- @PreAuthorize("#oauth2.hasScope('registration:read') or hasRole('ADMIN')")
+ @PreAuthorize("#iam.hasScope('registration:read') or hasRole('ADMIN')")
@RequestMapping(value = "/registration/list", method = RequestMethod.GET)
@ResponseBody
public List listRequests(
@@ -104,7 +104,7 @@ public List listRequests(
return service.listRequests(status);
}
- @PreAuthorize("#oauth2.hasScope('registration:read') or hasRole('ADMIN')")
+ @PreAuthorize("#iam.hasScope('registration:read') or hasRole('ADMIN')")
@RequestMapping(value = "/registration/list/pending", method = RequestMethod.GET)
@ResponseBody
public List listPendingRequests() {
@@ -121,13 +121,13 @@ public RegistrationRequestDto createRegistrationRequest(
}
- @PreAuthorize("#oauth2.hasScope('registration:write') or hasRole('ADMIN')")
+ @PreAuthorize("#iam.hasScope('registration:write') or hasRole('ADMIN')")
@RequestMapping(value = "/registration/approve/{uuid}", method = RequestMethod.POST)
public RegistrationRequestDto approveRequest(@PathVariable("uuid") String uuid) {
return service.approveRequest(uuid);
}
- @PreAuthorize("#oauth2.hasScope('registration:write') or hasRole('ADMIN')")
+ @PreAuthorize("#iam.hasScope('registration:write') or hasRole('ADMIN')")
@RequestMapping(value = "/registration/reject/{uuid}", method = RequestMethod.POST)
public RegistrationRequestDto rejectRequest(@PathVariable("uuid") String uuid, @RequestParam(required = false) String motivation) {
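Review bot: `listRequests`, `listPendingRequests`, `approveRequest` and `rejectRequest` keep a plain `hasRole('ADMIN')` fallback while the other controllers in this commit use `#iam.hasDashboardRole('ROLE_ADMIN')`; if `hasDashboardRole` exists to confine role-based access to interactive dashboard sessions, then here a bearer token issued to an admin user is still admitted through `hasRole('ADMIN')` whatever `registration:*` scopes it carries, and the scope check is only effective for non-admin principals. If that asymmetry is intended, a one-line comment above each expression saying so would stop the next reader from "fixing" it; otherwise aligning these four expressions with `#iam.hasDashboardRole('ROLE_ADMIN')` makes the scope the single gate for token callers. The method bodies run past the hunks.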
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java
index c352cafb1..6c991f018 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/core/MeControllerTests.java
@@ -18,8 +18,8 @@
import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_CLIENT_ID;
import static it.infn.mw.iam.test.scim.ScimUtils.SCIM_READ_SCOPE;
import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
import static org.springframework.http.HttpStatus.BAD_REQUEST;
import static org.springframework.http.HttpStatus.FORBIDDEN;
import static org.springframework.http.HttpStatus.NOT_FOUND;
@@ -32,6 +32,7 @@
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import it.infn.mw.iam.IamLoginService;
@@ -69,22 +70,43 @@ public void teardown() {
}
@Test
- @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {})
+ @WithMockOAuthUser(user = TESTUSER_USERNAME, scopes = {})
public void insufficientScopeUser() throws Exception {
restUtils.getMe(FORBIDDEN);
}
@Test
- @WithMockOAuthUser(user = NOT_FOUND_USERNAME, authorities = {"ROLE_USER"})
+ @WithMockUser(username = TESTUSER_USERNAME, roles = {})
+ public void insufficientAuthoritiesUser() throws Exception {
+
+ restUtils.getMe(FORBIDDEN);
+ }
+
+ @Test
+ @WithMockOAuthUser(user = NOT_FOUND_USERNAME, scopes = {SCIM_READ_SCOPE})
+ public void notFoundUserWithToken() throws Exception {
+
+ restUtils.getMe(NOT_FOUND);
+ }
+
+ @Test
+ @WithMockUser(username = NOT_FOUND_USERNAME, roles = {"USER"})
public void notFoundUser() throws Exception {
restUtils.getMe(NOT_FOUND);
}
@Test
- @WithMockOAuthUser(user = TESTUSER_USERNAME, authorities = {"ROLE_USER"})
- public void authenticatedUser() throws Exception {
+ @WithMockOAuthUser(user = TESTUSER_USERNAME, scopes = {SCIM_READ_SCOPE})
+ public void authenticatedUserWithToken() throws Exception {
+
+ assertThat(restUtils.getMe().getUserName(), equalTo(TESTUSER_USERNAME));
+ }
+
+ @Test
+ @WithMockUser(username = TESTUSER_USERNAME, roles = {"USER"})
+ public void authenticatedUserNoToken() throws Exception {
assertThat(restUtils.getMe().getUserName(), equalTo(TESTUSER_USERNAME));
}
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java
index 6c6897d2f..e41ae79d0 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java
@@ -22,10 +22,12 @@
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
import static org.junit.Assert.assertNotNull;
import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED;
import static org.springframework.http.MediaType.APPLICATION_JSON;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
+import static org.springframework.test.web.servlet.request.MockM vcRequestBuilders.delete;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@@ -392,6 +394,9 @@ public void testDeviceCodeApprovalFlowWorks() throws Exception {
.andExpect(jsonPath("$.scope", containsString("openid")))
.andExpect(jsonPath("$.scope", containsString("profile")))
.andExpect(jsonPath("$.scope", containsString("offline_access")))
+ .andExpect(jsonPath("$.scope", not(containsString("email"))))
+ .andExpect(jsonPath("$.scope", not(containsString("phone"))))
+ .andExpect(jsonPath("$.scope", not(containsString("address"))))
.andReturn()
.getResponse()
.getContentAsString();
@@ -723,4 +728,173 @@ public void publicClientDeviceCodeWorks() throws Exception {
mvc.perform(get(USERINFO_ENDPOINT).header("Authorization", authorizationHeader))
.andExpect(status().isOk());
}
+
+ @Test
+ public void testRefreshedTokenAfterDeviceCodeApprovalFlowWorks() throws Exception {
+
+ final String SCIM_DEVICE_CLIENT_ID = "scim-client-rw";
+ final String SCIM_DEVICE_CLIENT_SECRET = "secret";
+
+ String response = mvc
+ .perform(post(DEVICE_CODE_ENDPOINT).contentType(APPLICATION_FORM_URLENCODED)
+ .with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET))
+ .param("client_id", SCIM_DEVICE_CLIENT_ID)
+ .param("scope", "openid profile offline_access scim:read scim:write"))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.user_code").isString())
+ .andExpect(jsonPath("$.device_code").isString())
+ .andExpect(jsonPath("$.verification_uri", equalTo(DEVICE_USER_URL)))
+ .andReturn()
+ .getResponse()
+ .getContentAsString();
+
+ JsonNode responseJson = mapper.readTree(response);
+
+ String userCode = responseJson.get("user_code").asText();
+ String deviceCode = responseJson.get("device_code").asText();
+
+ mvc
+ .perform(
+ post(TOKEN_ENDPOINT).with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET))
+ .param("grant_type", DEVICE_CODE_GRANT_TYPE)
+ .param("device_code", deviceCode))
+ .andExpect(status().isBadRequest())
+ .andExpect(jsonPath("$.error", equalTo("authorization_pending")))
+ .andExpect(jsonPath("$.error_description",
+ equalTo("Authorization pending for code: " + deviceCode)));
+ MockHttpSession session = (MockHttpSession) mvc.perform(get(DEVICE_USER_URL))
+ .andExpect(status().is3xxRedirection())
+ .andExpect(redirectedUrl("http://localhost:8080/login"))
+ .andReturn()
+ .getRequest()
+ .getSession();
+
+ session = (MockHttpSession) mvc.perform(get("http://localhost:8080/login").session(session))
+ .andExpect(status().isOk())
+ .andExpect(view().name("iam/login"))
+ .andReturn()
+ .getRequest()
+ .getSession();
+
+ session =
(MockHttpSession) mvc
+ .perform(post(LOGIN_URL).param("username", TEST_USERNAME)
+ .param("password", TEST_PASSWORD)
+ .param("submit", "Login")
+ .session(session))
+ .andExpect(status().is3xxRedirection())
+ .andExpect(redirectedUrl(DEVICE_USER_URL))
+ .andReturn()
+ .getRequest()
+ .getSession();
+
+ session = (MockHttpSession) mvc.perform(get(DEVICE_USER_URL).session(session))
+ .andExpect(status().isOk())
+ .andExpect(view().name("requestUserCode"))
+ .andReturn()
+ .getRequest()
+ .getSession();
+
+ session = (MockHttpSession) mvc
+ .perform(post(DEVICE_USER_VERIFY_URL).param("user_code", userCode).session(session))
+ .andExpect(status().isOk())
+ .andExpect(view().name("approveDevice"))
+ .andReturn()
+ .getRequest()
+ .getSession();
+
+ session = (MockHttpSession) mvc
+ .perform(post(DEVICE_USER_APPROVE_URL).param("user_code", userCode)
+ .param("user_oauth_approval", "true")
+ .session(session))
+ .andExpect(status().isOk())
+ .andExpect(view().name("deviceApproved"))
+ .andReturn()
+ .getRequest()
+ .getSession();
+
+
+ String tokenResponse = mvc
+ .perform(
+ post(TOKEN_ENDPOINT).with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET))
+ .param("grant_type", DEVICE_CODE_GRANT_TYPE)
+ .param("device_code", deviceCode))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.access_token").exists())
+ .andExpect(jsonPath("$.refresh_token").exists())
+ .andExpect(jsonPath("$.id_token").exists())
+ .andExpect(jsonPath("$.scope").exists())
+ .andExpect(jsonPath("$.scope", containsString("openid")))
+ .andExpect(jsonPath("$.scope", containsString("profile")))
+ .andExpect(jsonPath("$.scope", containsString("offline_access")))
+ .andExpect(jsonPath("$.scope", containsString("scim:read")))
+ .andExpect(jsonPath("$.scope", containsString("scim:write")))
+ .andExpect(jsonPath("$.scope", not(containsString("email"))))
+ .andExpect(jsonPath("$.scope", not(containsString("phone"))))
+ .andExpect(jsonPath("$.scope", not(containsString("address"))))
+
.andReturn()
+ .getResponse()
+ .getContentAsString();
+
+ JsonNode tokenResponseJson = mapper.readTree(tokenResponse);
+
+ String accessToken = tokenResponseJson.get("access_token").asText();
+ String refreshToken = tokenResponseJson.get("refresh_token").asText();
+
+ String authorizationHeader = String.format("Bearer %s", accessToken);
+
+ // Check that the token can be used for userinfo and introspection
+ mvc.perform(get(USERINFO_ENDPOINT).header("Authorization", authorizationHeader))
+ .andExpect(status().isOk());
+
+ mvc
+ .perform(post(INTROSPECTION_ENDPOINT)
+ .with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET))
+ .param("token", accessToken))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.active", equalTo(true)));
+
+ String refreshTokenResponse = mvc
+ .perform(
+ post(TOKEN_ENDPOINT).with(httpBasic(SCIM_DEVICE_CLIENT_ID, SCIM_DEVICE_CLIENT_SECRET))
+ .param("grant_type", "refresh_token")
+ .param("refresh_token", refreshToken)
+ .param("scope", "openid"))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.access_token").exists())
+ .andExpect(jsonPath("$.id_token").exists())
+ .andExpect(jsonPath("$.scope").exists())
+ .andExpect(jsonPath("$.scope", containsString("openid")))
+ .andExpect(jsonPath("$.scope", not(containsString("scim:read"))))
+ .andExpect(jsonPath("$.scope", not(containsString("scim:write"))))
+ .andReturn()
+ .getResponse()
+ .getContentAsString();
+
+ String accessTokenNoSCIM = mapper.readTree(refreshTokenResponse).get("access_token").asText();
+
+ String scimAuthorizationHeader = String.format("Bearer %s", accessTokenNoSCIM);
+
+ mvc.perform(get("/scim/Users").header("Authorization", scimAuthorizationHeader))
+ .andExpect(status().isForbidden());
+ mvc.perform(get("/scim/Groups").header("Authorization", scimAuthorizationHeader))
+ .andExpect(status().isForbidden());
+ mvc
+ .perform(get("/scim/Users/80e5fb8d-b7c8-451a-89ba-346ae278a66f").header("Authorization",
+ scimAuthorizationHeader))
+
.andExpect(status().isForbidden());
+ mvc
+ .perform(get("/scim/Groups/c617d586-54e6-411d-8e38-649677980001").header("Authorization",
+ scimAuthorizationHeader))
+ .andExpect(status().isForbidden());
+ mvc
+ .perform(delete("/scim/Users/80e5fb8d-b7c8-451a-89ba-346ae278a66f").header("Authorization",
+ scimAuthorizationHeader))
+ .andExpect(status().isForbidden());
+ mvc
+ .perform(delete("/scim/Groups/c617d586-54e6-411d-8e38-649677980001").header("Authorization",
+ scimAuthorizationHeader))
+ .andExpect(status().isForbidden());
+
+ }
}
diff --git a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
index 2462c35e5..6142aa8d3 100644
--- a/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
+++ b/iam-persistence/src/main/resources/db/migration/test/V100000___test_data.sql
@@ -157,6 +157,8 @@ INSERT INTO client_grant_type (owner_id, grant_type) VALUES
(5, 'refresh_token'),
(6, 'client_credentials'),
(7, 'client_credentials'),
+ (7, 'refresh_token'),
+ (7, 'urn:ietf:params:oauth:grant-type:device_code'),
(8, 'urn:ietf:params:oauth:grant-type:token-exchange'),
(8, 'client_credentials'),
(8, 'password'),
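Review bot: `testRefreshedTokenAfterDeviceCodeApprovalFlowWorks` checks the down-scoped token only against the SCIM user and group endpoints; the one SCIM expression in this commit with an `or hasRole('USER')` fallback is on ScimMeController, so if that controller is the `/scim/Me` mapping, a `get("/scim/Me").header("Authorization", scimAuthorizationHeader)` with the status you expect is the assertion that decides whether losing `scim:read` on refresh actually restricts the token. The refreshed token's scope is asserted only through `not(containsString("scim:read"))` and `not(containsString("scim:write"))`, although the refresh asked for `scope=openid`; asserting the exact scope string (or at least the absence of `profile`, if the server is expected to drop it) would catch a refresh that silently re-grants the original scopes. Style: `SCIM_DEVICE_CLIENT_ID` and `SCIM_DEVICE_CLIENT_SECRET` are method locals, so `scimClientId`/`scimClientSecret` matches the Java convention, and UPPER_SNAKE suggests class constants that do not exist.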