Diffstat (limited to 'app')
6 files changed, 128 insertions, 24 deletions
diff --git a/app/src/main/resources/application-access-control.yml b/app/src/main/resources/application-access-control.yml
deleted file mode 100644
index 6fda781..0000000
--- a/app/src/main/resources/application-access-control.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-bff:
- access-control:
- ACTIONS_CREATE: [ portal_admin, portal_designer, portal_operator ]
- ACTIONS_GET: [ portal_admin, portal_designer, portal_operator ]
- ACTIONS_LIST: [ portal_admin, portal_designer, portal_operator ]
- ACTIVE_ALARM_LIST: [portal_admin, portal_designer, portal_operator]
- KEY_ENCRYPT_BY_USER: [portal_admin, portal_designer, portal_operator]
- KEY_ENCRYPT_BY_VALUE: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_CREATE: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_GET: [portal_admin, portal_designer, portal_operator]
- PREFERENCES_UPDATE: [portal_admin, portal_designer, portal_operator]
- ROLE_LIST: ["*"]
- USER_CREATE: [portal_admin, portal_designer, portal_operator]
- USER_DELETE: [portal_admin, portal_designer, portal_operator]
- USER_GET: [portal_admin, portal_designer, portal_operator]
- USER_LIST_AVAILABLE_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_LIST_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_LIST: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE_PASSWORD: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE_ROLES: [portal_admin, portal_designer, portal_operator]
- USER_UPDATE: [portal_admin, portal_designer, portal_operator]
diff --git a/app/src/main/resources/application.yml b/app/src/main/resources/application.yml
index a99ff0b..f93d4d6 100644
--- a/app/src/main/resources/application.yml
+++ b/app/src/main/resources/application.yml
@@ -52,8 +52,10 @@ bff: preferences-url: ${PREFERENCES_URL} history-url: ${HISTORY_URL} keycloak-url: ${KEYCLOAK_URL} + keycloak-client-id: ${KEYCLOAK_CLIENT_ID} endpoints: unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/** + rbac: - endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/** + endpoints-excluded: ${RBAC_EXCLUDED_ENDPOINTS}:-/api-docs.html, /api.yaml, /webjars/**, /actuator/**, /users**, /roles**, /preferences**, /actions**} diff --git a/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java b/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java index a69516c..63d702c 100644 --- a/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java +++ b/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java @@ -115,6 +115,20 @@ public abstract class BaseIntegrationTest { .put("session_state", UUID.randomUUID().toString()) .put("scope", "email profile") .toString()))); + + /* + * MockAuth for new RBAC permission via keycloak + */ + WireMock.stubFor( + WireMock.post( + WireMock.urlMatching( + String.format("/realms/%s/protocol/openid-connect/token", realm))) + .withRequestBody( + WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket")) + .willReturn( + WireMock.aResponse() + .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE) + .withBody(objectMapper.createObjectNode().put("result", "true").toString()))); } /** diff --git a/app/src/test/java/org/onap/portalng/bff/rbac/RoleBaseAccessIntegrationTest.java b/app/src/test/java/org/onap/portalng/bff/rbac/RoleBaseAccessIntegrationTest.java new file mode 100644 index 0000000..2c89547 --- /dev/null +++ b/app/src/test/java/org/onap/portalng/bff/rbac/RoleBaseAccessIntegrationTest.java 
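Review bot: The new `endpoints-excluded` line closes the placeholder right after the variable name, `${RBAC_EXCLUDED_ENDPOINTS}:-/api-docs.html, …, /actions**}`, so if these are Spring property placeholders (the rest of the file uses the same `${…}` form) the default never takes effect: an unset `RBAC_EXCLUDED_ENDPOINTS` fails placeholder resolution at startup, and a set one gets the literal `:-/api-docs.html, … /actions**}` appended to its value. Spring's default separator is a single colon inside the braces, i.e. `endpoints-excluded: ${RBAC_EXCLUDED_ENDPOINTS:/api-docs.html, /api.yaml, /webjars/**, /actuator/**}`. The default list also puts `/users**`, `/roles**`, `/preferences**` and `/actions**` on the excluded list, while both test profiles in this commit exclude only the docs and actuator paths; if excluded paths skip the RBAC check, a deployment that leaves the variable unset runs its business resources unchecked, so the shipped default should match the test profiles rather than widen beyond them.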
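Review bot: The decision stub encodes the result as a JSON string, `.put("result", "true")`, whereas the Keycloak decision response it imitates carries a boolean `{"result": true}`, so the fixture does not match the shape the client is expected to parse; lenient string-to-boolean coercion may make it pass today and would also keep a future parsing regression invisible. Use `.put("result", true)`; the same applies to the `"false"` body in `thatRoleBaseCheckIsMalformed` of `RoleBaseAccessIntegrationTest`. The stub matches only on the grant type in the request body and is registered for every subclass test, which is fine as a default but deserves a comment saying so, e.g. `// Default allow for the UMA decision; RBAC tests re-stub this URL to deny.` The enclosing method starts outside the hunk.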
@@ -0,0 +1,104 @@
+/*
+ *
+ * Copyright (c) 2024. Deutsche Telekom AG
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ *
+ */
+
+ package org.onap.portalng.bff.rbac;
+
+ import com.github.tomakehurst.wiremock.client.WireMock;
+ import io.restassured.http.Header;
+ import org.junit.jupiter.api.Test;
+ import org.onap.portalng.bff.BaseIntegrationTest;
+ import org.springframework.http.HttpStatus;
+ import org.springframework.http.MediaType;
+
+ public class RoleBaseAccessIntegrationTest extends BaseIntegrationTest {
+
+ @Test
+ void thatRoleIsNotSufficient() {
+
+ WireMock.stubFor(
+ WireMock.post(
+ WireMock.urlMatching(
+ String.format("/realms/%s/protocol/openid-connect/token", realm)))
+ .withRequestBody(
+ WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
+ .willReturn(
+ WireMock.aResponse()
+ .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
+ .withStatus(HttpStatus.FORBIDDEN.value())));
+
+ requestSpecification()
+ .given()
+ .accept(MediaType.APPLICATION_JSON_VALUE)
+ .header(new Header("X-Request-Id", "addf6005-3075-4c80-b7bc-2c70b7d42b57"))
+ .when()
+ .get("/roles")
+ .then()
+ .statusCode(HttpStatus.FORBIDDEN.value());
+ }
+
+ @Test
+ void thatResourceIsNotAvailable() {
+
+ WireMock.stubFor(
+ WireMock.post(
+ WireMock.urlMatching(
+ String.format("/realms/%s/protocol/openid-connect/token", realm)))
+ .withRequestBody(
+ WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
+ .willReturn(
+ WireMock.aResponse()
+ .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
+ .withStatus(HttpStatus.BAD_REQUEST.value())));
+
+ requestSpecification()
+ .given()
+ .accept(MediaType.APPLICATION_JSON_VALUE)
+ .header(new Header("X-Request-Id", "addf6005-3075-4c80-b7bc-2c70b7d42b57"))
+ .when()
+ .get("/roles")
+ .then()
+ .statusCode(HttpStatus.FORBIDDEN.value());
+ }
+
+ @Test
+ void thatRoleBaseCheckIsMalformed() {
+
+ WireMock.stubFor(
+ WireMock.post(
+ WireMock.urlMatching(
+ String.format("/realms/%s/protocol/openid-connect/token", realm)))
+ .withRequestBody(
+ WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
+ .willReturn(
+ WireMock.aResponse()
+ .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
+ .withBody(objectMapper.createObjectNode().put("result", "false").toString())));
+
+ requestSpecification()
+ .given()
+ .accept(MediaType.APPLICATION_JSON_VALUE)
+ .header(new Header("X-Request-Id", "addf6005-3075-4c80-b7bc-2c70b7d42b57"))
+ .when()
+ .get("/roles")
+ .then()
+ .statusCode(HttpStatus.FORBIDDEN.value());
+ }
+}
diff --git a/app/src/test/resources/application-development.yml b/app/src/test/resources/application-development.yml
index 23602d1..5dbb9f6 100644
--- a/app/src/test/resources/application-development.yml
+++ b/app/src/test/resources/application-development.yml
@@ -30,3 +30,8 @@ bff:
 preferences-url: http://localhost:${wiremock.server.port}
 history-url: http://localhost:${wiremock.server.port}
 keycloak-url: http://localhost:${wiremock.server.port}
+ keycloak-client-id: test
+ endpoints:
+ unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
+ rbac:
+ endpoints-excluded: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
diff --git a/app/src/test/resources/application.yml b/app/src/test/resources/application.yml
index 04e6a57..7764fbf 100644
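Review bot: The three tests repeat the same eleven-line WireMock stub of the UMA token endpoint and differ only in the response, which buries the decision each case exercises; a private helper taking the `ResponseDefinitionBuilder` would leave each test as one stub call plus the assertion. All three cases also assert only the denial path — a 403, a 400 and a `"result": "false"` body each map to FORBIDDEN — while the allow path that `BaseIntegrationTest` stubs is not asserted in this class; if no other test covers it, a fourth case sending `"result": true` and expecting 200 would pin the positive decision. `thatRoleBaseCheckIsMalformed` sends a well-formed denial rather than a malformed body, so its name overstates what it checks, and the class and method names read `RoleBase` where `RoleBased` is presumably intended. The fence shows the helper and one test rewritten against it.
```java
  private void stubUmaDecision(ResponseDefinitionBuilder response) {
    WireMock.stubFor(
        WireMock.post(
                WireMock.urlMatching(
                    String.format("/realms/%s/protocol/openid-connect/token", realm)))
            .withRequestBody(
                WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
            .willReturn(response));
  }

  @Test
  void thatRoleIsNotSufficient() {
    stubUmaDecision(
        WireMock.aResponse()
            .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
            .withStatus(HttpStatus.FORBIDDEN.value()));
    // … unchanged: requestSpecification() GET /roles expecting FORBIDDEN …
  }
```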
--- a/app/src/test/resources/application.yml
+++ b/app/src/test/resources/application.yml
@@ -27,8 +27,8 @@ bff:
 preferences-url: http://localhost:${wiremock.server.port}
 history-url: http://localhost:${wiremock.server.port}
 keycloak-url: http://localhost:${wiremock.server.port}
+ keycloak-client-id: test
 endpoints:
 unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
 rbac:
- endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/**
-
+ endpoints-excluded: /api-docs.html, /api.yaml, /webjars/**, /actuator/** |