From ce874175496e7d72af763bb8e82c2d260fecad06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Tue, 29 Oct 2024 17:46:55 +0100
Subject: [PATCH 1/5] Add Spring security configuration for /runs endpoints
---
 .../security/AbstractSecurityConfiguration.kt | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
index 3648dff7..b3d5118e 100644
--- a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
+++ b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
@@ -35,6 +35,8 @@ const val ROLE_SOLUTION_READER = "Solution.Reader"
 const val ROLE_SOLUTION_WRITER = "Solution.Writer"
 const val ROLE_WORKSPACE_READER = "Workspace.Reader"
 const val ROLE_WORKSPACE_WRITER = "Workspace.Writer"
+const val ROLE_RUN_READER = "Run.Reader"
+const val ROLE_RUN_WRITER = "Run.Writer"
 // Allowed read scopes
 const val SCOPE_CONNECTOR_READ = "SCOPE_csm.connector.read"
@@ -42,6 +44,7 @@ const val SCOPE_ORGANIZATION_READ = "SCOPE_csm.organization.read"
 const val SCOPE_DATASET_READ = "SCOPE_csm.dataset.read"
 const val SCOPE_SOLUTION_READ = "SCOPE_csm.solution.read"
 const val SCOPE_WORKSPACE_READ = "SCOPE_csm.workspace.read"
+const val SCOPE_RUN_READ = "SCOPE_csm.run.read"
 // Allowed write scopes
 const val SCOPE_CONNECTOR_WRITE = "SCOPE_csm.connector.write"
@@ -49,6 +52,7 @@ const val SCOPE_ORGANIZATION_WRITE = "SCOPE_csm.organization.write"
 const val SCOPE_DATASET_WRITE = "SCOPE_csm.dataset.write"
 const val SCOPE_SOLUTION_WRITE = "SCOPE_csm.solution.write"
 const val SCOPE_WORKSPACE_WRITE = "SCOPE_csm.workspace.write"
+const val SCOPE_RUN_WRITE = "SCOPE_csm.run.write"
 // Endpoints paths
 const val PATH_CONNECTORS = "/connectors"
@@ -77,6 +81,13 @@ const val PATH_WORKSPACES_USERS = "/organizations/*/workspaces/*/users"
 val PATHS_WORKSPACES = listOf(PATH_WORKSPACES, PATH_WORKSPACES_USERS)
 const val PATH_WORKSPACES_FILES = "/organizations/*/workspaces/*/files"
+const val PATH_RUNS = "/organizations/*/workspaces/*/runners/*/runs"
+const val PATH_RUNS_DATA_QUERY = "/organizations/*/workspaces/*/runners/*/runs/*/data/query"
+const val PATH_RUNS_SEND_QUERY = "/organizations/*/workspaces/*/runners/*/runs/*/data/send"
+const val PATH_RUNS_LOGS = "/organizations/*/workspaces/*/runners/*/runs/*/logs"
+const val PATH_RUNS_STATUS = "/organizations/*/workspaces/*/runners/*/runs/*/status"
+val PATHS_RUNS =
+ listOf(PATH_RUNS, PATH_RUNS_DATA_QUERY, PATH_RUNS_SEND_QUERY, PATH_RUNS_LOGS, PATH_RUNS_STATUS)
 // Endpoints roles
 val endpointSecurityPublic =
 listOf(
@@ -183,6 +194,25 @@ internal fun endpointSecurityReaders(
 SCOPE_WORKSPACE_WRITE,
 customOrganizationUser,
 customOrganizationViewer),
+ customAdmin = customOrganizationAdmin),
+ CsmSecurityEndpointsRolesReader(
+ paths = PATHS_RUNS,
+ roles =
+ arrayOf(
+ ROLE_RUN_READER,
+ ROLE_RUN_WRITER,
+ ROLE_WORKSPACE_READER,
+ ROLE_WORKSPACE_WRITER,
+ ROLE_CONNECTOR_DEVELOPER,
+ ROLE_ORGANIZATION_ADMIN,
+ ROLE_ORGANIZATION_COLLABORATOR,
+ ROLE_ORGANIZATION_MODELER,
+ ROLE_ORGANIZATION_USER,
+ ROLE_ORGANIZATION_VIEWER,
+ SCOPE_RUN_READ,
+ SCOPE_RUN_WRITE,
+ customOrganizationUser,
+ customOrganizationViewer),
 customAdmin = customOrganizationAdmin))
 @Suppress("LongMethod")
@@ -233,6 +263,16 @@ internal fun endpointSecurityWriters(
 ROLE_ORGANIZATION_COLLABORATOR,
 SCOPE_WORKSPACE_WRITE),
 customAdmin = customOrganizationAdmin),
+ CsmSecurityEndpointsRolesWriter(
+ paths = PATHS_RUNS,
+ roles =
+ arrayOf(
+ ROLE_RUN_WRITER,
+ ROLE_WORKSPACE_WRITER,
+ ROLE_ORGANIZATION_ADMIN,
+ ROLE_ORGANIZATION_COLLABORATOR,
+ SCOPE_RUN_WRITE),
+ customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
 paths = listOf(PATH_WORKSPACES_FILES),
 roles =
From 4abc7ed742953c84ebcde97b8fbb7d0f9a8c9497 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Tue, 29 Oct 2024 17:56:15 +0100
Subject: [PATCH 2/5] Add Spring security configuration for /runners endpoints
---
 .../security/AbstractSecurityConfiguration.kt | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
index b3d5118e..d07eb1f3 100644
--- a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
+++ b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
@@ -37,6 +37,8 @@ const val ROLE_WORKSPACE_READER = "Workspace.Reader"
 const val ROLE_WORKSPACE_WRITER = "Workspace.Writer"
 const val ROLE_RUN_READER = "Run.Reader"
 const val ROLE_RUN_WRITER = "Run.Writer"
+const val ROLE_RUNNER_READER = "Runner.Reader"
+const val ROLE_RUNNER_WRITER = "Runner.Writer"
 // Allowed read scopes
 const val SCOPE_CONNECTOR_READ = "SCOPE_csm.connector.read"
@@ -45,6 +47,7 @@ const val SCOPE_DATASET_READ = "SCOPE_csm.dataset.read"
 const val SCOPE_SOLUTION_READ = "SCOPE_csm.solution.read"
 const val SCOPE_WORKSPACE_READ = "SCOPE_csm.workspace.read"
 const val SCOPE_RUN_READ = "SCOPE_csm.run.read"
+const val SCOPE_RUNNER_READ = "SCOPE_csm.runner.read"
 // Allowed write scopes
 const val SCOPE_CONNECTOR_WRITE = "SCOPE_csm.connector.write"
@@ -53,6 +56,7 @@ const val SCOPE_DATASET_WRITE = "SCOPE_csm.dataset.write"
 const val SCOPE_SOLUTION_WRITE = "SCOPE_csm.solution.write"
 const val SCOPE_WORKSPACE_WRITE = "SCOPE_csm.workspace.write"
 const val SCOPE_RUN_WRITE = "SCOPE_csm.run.write"
+const val SCOPE_RUNNER_WRITE = "SCOPE_csm.runner.write"
 // Endpoints paths
 const val PATH_CONNECTORS = "/connectors"
@@ -88,6 +92,27 @@ const val PATH_RUNS_LOGS = "/organizations/*/workspaces/*/runners/*/runs/*/logs"
 const val PATH_RUNS_STATUS = "/organizations/*/workspaces/*/runners/*/runs/*/status"
 val PATHS_RUNS =
 listOf(PATH_RUNS, PATH_RUNS_DATA_QUERY, PATH_RUNS_SEND_QUERY, PATH_RUNS_LOGS, PATH_RUNS_STATUS)
+
+const val PATH_RUNNERS = "/organizations/*/workspaces/*/runners"
+const val PATH_RUNNERS_PERMISSIONS = "/organizations/*/workspaces/*/runners/*/permissions"
+const val PATH_RUNNERS_SECURITY = "/organizations/*/workspaces/*/runners/*/security"
+const val PATH_RUNNERS_SECURITY_DEFAULT = "/organizations/*/workspaces/*/runners/*/security/default"
+const val PATH_RUNNERS_SECURITY_USERS = "/organizations/*/workspaces/*/runners/*/security/users"
+const val PATH_RUNNERS_SECURITY_ACCESS = "/organizations/*/workspaces/*/runners/*/security/access"
+const val PATH_RUNNERS_START = "/organizations/*/workspaces/*/runners/*/start"
+const val PATH_RUNNERS_STOP = "/organizations/*/workspaces/*/runners/*/stop"
+
+val PATHS_RUNNERS =
+ listOf(
+ PATH_RUNNERS,
+ PATH_RUNNERS_PERMISSIONS,
+ PATH_RUNNERS_SECURITY,
+ PATH_RUNNERS_SECURITY_DEFAULT,
+ PATH_RUNNERS_SECURITY_USERS,
+ PATH_RUNNERS_SECURITY_ACCESS,
+ PATH_RUNNERS_START,
+ PATH_RUNNERS_STOP)
+
 // Endpoints roles
 val endpointSecurityPublic =
 listOf(
@@ -213,6 +238,27 @@ internal fun endpointSecurityReaders(
 SCOPE_RUN_WRITE,
 customOrganizationUser,
 customOrganizationViewer),
+ customAdmin = customOrganizationAdmin),
+ CsmSecurityEndpointsRolesReader(
+ paths = PATHS_RUNNERS,
+ roles =
+ arrayOf(
+ ROLE_RUNNER_READER,
+ ROLE_RUNNER_WRITER,
+ ROLE_RUN_READER,
+ ROLE_RUN_WRITER,
+ ROLE_WORKSPACE_READER,
+ ROLE_WORKSPACE_WRITER,
+ ROLE_CONNECTOR_DEVELOPER,
+ ROLE_ORGANIZATION_ADMIN,
+ ROLE_ORGANIZATION_COLLABORATOR,
+ ROLE_ORGANIZATION_MODELER,
+ ROLE_ORGANIZATION_USER,
+ ROLE_ORGANIZATION_VIEWER,
+ SCOPE_RUNNER_READ,
+ SCOPE_RUNNER_WRITE,
+ customOrganizationUser,
+ customOrganizationViewer),
 customAdmin = customOrganizationAdmin))
 @Suppress("LongMethod")
@@ -270,9 +316,21 @@ internal fun endpointSecurityWriters(
 ROLE_RUN_WRITER,
 ROLE_WORKSPACE_WRITER,
 ROLE_ORGANIZATION_ADMIN,
+ ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_COLLABORATOR,
 SCOPE_RUN_WRITE),
 customAdmin = customOrganizationAdmin),
+ CsmSecurityEndpointsRolesWriter(
+ paths = PATHS_RUNNERS,
+ roles =
+ arrayOf(
+ ROLE_RUNNER_WRITER,
+ ROLE_WORKSPACE_WRITER,
+ ROLE_ORGANIZATION_ADMIN,
+ ROLE_ORGANIZATION_USER,
+ ROLE_ORGANIZATION_COLLABORATOR,
+ SCOPE_RUNNER_WRITE),
+ customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
 paths = listOf(PATH_WORKSPACES_FILES),
 roles =
From 1f3a1200bae88042b703bd9c14ee87752515f0b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Tue, 29 Oct 2024 18:04:39 +0100
Subject: [PATCH 3/5] Remove unnecessarily roles
---
 .../api/security/AbstractSecurityConfiguration.kt | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
index d07eb1f3..d9e04e57 100644
--- a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
+++ b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
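Review bot: `ROLE_ORGANIZATION_USER` is inserted into the pre-existing PATHS_RUNS writer array in the second hunk, which widens POST/PATCH/DELETE access on the `/runs` endpoints beyond what the commit message ("configuration for /runners endpoints") announces; if that is intended it should be stated in the message, otherwise it belongs in its own commit. The new PATHS_RUNNERS writer entry grants the same role write access to the `/security`, `/security/default`, `/security/users` and `/security/access` routes as well as `/start` and `/stop`; whether a per-runner ACL check further down guards those is not visible here and should be confirmed before the role set is taken as final. `endpointSecurityWriters` starts and ends outside this hunk.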
@@ -35,10 +35,6 @@ const val ROLE_SOLUTION_READER = "Solution.Reader"
 const val ROLE_SOLUTION_WRITER = "Solution.Writer"
 const val ROLE_WORKSPACE_READER = "Workspace.Reader"
 const val ROLE_WORKSPACE_WRITER = "Workspace.Writer"
-const val ROLE_RUN_READER = "Run.Reader"
-const val ROLE_RUN_WRITER = "Run.Writer"
-const val ROLE_RUNNER_READER = "Runner.Reader"
-const val ROLE_RUNNER_WRITER = "Runner.Writer"
 // Allowed read scopes
 const val SCOPE_CONNECTOR_READ = "SCOPE_csm.connector.read"
@@ -224,8 +220,6 @@ internal fun endpointSecurityReaders(
 paths = PATHS_RUNS,
 roles =
 arrayOf(
- ROLE_RUN_READER,
- ROLE_RUN_WRITER,
 ROLE_WORKSPACE_READER,
 ROLE_WORKSPACE_WRITER,
 ROLE_CONNECTOR_DEVELOPER,
@@ -243,10 +237,6 @@ internal fun endpointSecurityReaders(
 paths = PATHS_RUNNERS,
 roles =
 arrayOf(
- ROLE_RUNNER_READER,
- ROLE_RUNNER_WRITER,
- ROLE_RUN_READER,
- ROLE_RUN_WRITER,
 ROLE_WORKSPACE_READER,
 ROLE_WORKSPACE_WRITER,
 ROLE_CONNECTOR_DEVELOPER,
@@ -313,7 +303,6 @@ internal fun endpointSecurityWriters(
 paths = PATHS_RUNS,
 roles =
 arrayOf(
- ROLE_RUN_WRITER,
 ROLE_WORKSPACE_WRITER,
 ROLE_ORGANIZATION_ADMIN,
 ROLE_ORGANIZATION_USER,
@@ -324,7 +313,6 @@ internal fun endpointSecurityWriters(
 paths = PATHS_RUNNERS,
 roles =
 arrayOf(
- ROLE_RUNNER_WRITER,
 ROLE_WORKSPACE_WRITER,
 ROLE_ORGANIZATION_ADMIN,
 ROLE_ORGANIZATION_USER,
From 38fffd7d51138aa2918f04063e02cbfeec24bc80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Wed, 30 Oct 2024 12:03:15 +0100
Subject: [PATCH 4/5] Remove useless roles and specify all URL pattern instead of accept everything after a list of base URLs
---
 .../security/AbstractSecurityConfiguration.kt | 270 +++++++-----------
 1 file changed, 107 insertions(+), 163 deletions(-)
diff --git a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
index d9e04e57..7770a301 100644
--- a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
+++ b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
@@ -17,25 +17,9 @@ import org.springframework.web.cors.CorsConfiguration
 // Business roles
 const val ROLE_PLATFORM_ADMIN = "Platform.Admin"
-const val ROLE_CONNECTOR_DEVELOPER = "Connector.Developer"
-const val ROLE_ORGANIZATION_ADMIN = "Organization.Admin"
-const val ROLE_ORGANIZATION_COLLABORATOR = "Organization.Collaborator"
-const val ROLE_ORGANIZATION_MODELER = "Organization.Modeler"
 const val ROLE_ORGANIZATION_USER = "Organization.User"
 const val ROLE_ORGANIZATION_VIEWER = "Organization.Viewer"
-// Endpoints roles
-const val ROLE_CONNECTOR_READER = "Connector.Reader"
-const val ROLE_CONNECTOR_WRITER = "Connector.Writer"
-const val ROLE_DATASET_READER = "Dataset.Reader"
-const val ROLE_DATASET_WRITER = "Dataset.Writer"
-const val ROLE_ORGANIZATION_READER = "Organization.Reader"
-const val ROLE_ORGANIZATION_WRITER = "Organization.Writer"
-const val ROLE_SOLUTION_READER = "Solution.Reader"
-const val ROLE_SOLUTION_WRITER = "Solution.Writer"
-const val ROLE_WORKSPACE_READER = "Workspace.Reader"
-const val ROLE_WORKSPACE_WRITER = "Workspace.Writer"
-
 // Allowed read scopes
 const val SCOPE_CONNECTOR_READ = "SCOPE_csm.connector.read"
 const val SCOPE_ORGANIZATION_READ = "SCOPE_csm.organization.read"
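Review bot: The constants removed here (`ROLE_CONNECTOR_DEVELOPER`, `ROLE_ORGANIZATION_ADMIN`, `ROLE_ORGANIZATION_COLLABORATOR`, `ROLE_ORGANIZATION_MODELER` and the per-resource `*_READER`/`*_WRITER` roles) are public top-level `const val`s, so this is a source-incompatible change for any module that references them, and a token that carries only those authorities loses access to every matcher in this file once the later hunks drop them from the role arrays. If that is the intent, the commit message should say so explicitly, and the surviving block deserves a comment stating the contract it now encodes, e.g. `// Only these business roles and the SCOPE_* values below are accepted by the endpoint matchers; anything else must arrive through the custom* parameters of endpointSecurityReaders/Writers.` Whether `Organization.Admin` is still honoured through `customOrganizationAdmin` is not visible in this hunk and should be confirmed before merging.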
@@ -54,60 +38,104 @@ const val SCOPE_WORKSPACE_WRITE = "SCOPE_csm.workspace.write"
 const val SCOPE_RUN_WRITE = "SCOPE_csm.run.write"
 const val SCOPE_RUNNER_WRITE = "SCOPE_csm.runner.write"
-// Endpoints paths
-const val PATH_CONNECTORS = "/connectors"
-const val PATH_DATASETS = "/organizations/*/datasets"
-const val PATH_ORGANIZATIONS = "/organizations"
-const val PATH_ORGANIZATIONS_USERS = "/organizations/*/users"
-const val PATH_ORGANIZATIONS_SERVICES = "/organizations/*/services"
+// Path Connectors
+val PATHS_CONNECTORS = listOf("/connectors", "/connectors/*")
+// Path Datasets
+val PATHS_DATASETS =
+ listOf(
+ "/organizations/*/datasets",
+ "/organizations/*/datasets/copy",
+ "/organizations/*/datasets/search",
+ "/organizations/*/datasets/twingraph/download/*",
+ "/organizations/*/datasets/*",
+ "/organizations/*/datasets/*/batch",
+ "/organizations/*/datasets/*/batch-query",
+ "/organizations/*/datasets/*/compatibility",
+ "/organizations/*/datasets/*/link",
+ "/organizations/*/datasets/*/refresh",
+ "/organizations/*/datasets/*/refresh/rollback",
+ "/organizations/*/datasets/*/security",
+ "/organizations/*/datasets/*/security/access",
+ "/organizations/*/datasets/*/security/access/*",
+ "/organizations/*/datasets/*/security/default",
+ "/organizations/*/datasets/*/security/users",
+ "/organizations/*/datasets/*/status",
+ "/organizations/*/datasets/*/subdataset",
+ "/organizations/*/datasets/*/twingraph",
+ "/organizations/*/datasets/*/twingraph/*",
+ "/organizations/*/datasets/*/unlink")
+
+// Path Organizations
 val PATHS_ORGANIZATIONS =
- listOf(PATH_ORGANIZATIONS, PATH_ORGANIZATIONS_USERS, PATH_ORGANIZATIONS_SERVICES)
+ listOf(
+ "/organizations",
+ "/organizations/permissions",
+ "/organizations/*",
+ "/organizations/*/permissions/*",
+ "/organizations/*/security",
+ "/organizations/*/security/access",
+ "/organizations/*/security/access/*",
+ "/organizations/*/security/default",
+ "/organizations/*/security/users")
-// Path Solutions
-const val PATH_SOLUTIONS = "/organizations/*/solutions"
-const val PATH_SOLUTIONS_PARAMETERS = "/organizations/*/solutions/*/parameters"
-const val PATH_SOLUTIONS_PARAMETERGROUPS = "/organizations/*/solutions/*/parameterGroups"
-const val PATH_SOLUTIONS_RUNTEMPLATES = "/organizations/*/solutions/*/runTemplates"
-val PATHS_SOLUTIONS =
+// Path Runs
+val PATHS_RUNS =
 listOf(
- PATH_SOLUTIONS,
- PATH_SOLUTIONS_PARAMETERS,
- PATH_SOLUTIONS_PARAMETERGROUPS,
- PATH_SOLUTIONS_RUNTEMPLATES)
+ "/organizations/*/workspaces/*/runners/*/runs",
+ "/organizations/*/workspaces/*/runners/*/runs/*/data/query",
+ "/organizations/*/workspaces/*/runners/*/runs/*/data/send",
+ "/organizations/*/workspaces/*/runners/*/runs/*/logs",
+ "/organizations/*/workspaces/*/runners/*/runs/*/status")
-// Path Workspaces
-const val PATH_WORKSPACES = "/organizations/*/workspaces"
-const val PATH_WORKSPACES_USERS = "/organizations/*/workspaces/*/users"
-val PATHS_WORKSPACES = listOf(PATH_WORKSPACES, PATH_WORKSPACES_USERS)
-const val PATH_WORKSPACES_FILES = "/organizations/*/workspaces/*/files"
+// Path Runners
+val PATHS_RUNNERS =
+ listOf(
+ "/organizations/*/workspaces/*/runners",
+ "/organizations/*/workspaces/*/runners/*/permissions",
+ "/organizations/*/workspaces/*/runners/*/security",
+ "/organizations/*/workspaces/*/runners/*/security/default",
+ "/organizations/*/workspaces/*/runners/*/security/users",
+ "/organizations/*/workspaces/*/runners/*/security/access",
+ "/organizations/*/workspaces/*/runners/*/start",
+ "/organizations/*/workspaces/*/runners/*/stop")
-const val PATH_RUNS = "/organizations/*/workspaces/*/runners/*/runs"
-const val PATH_RUNS_DATA_QUERY = "/organizations/*/workspaces/*/runners/*/runs/*/data/query"
-const val PATH_RUNS_SEND_QUERY = "/organizations/*/workspaces/*/runners/*/runs/*/data/send"
-const val PATH_RUNS_LOGS = "/organizations/*/workspaces/*/runners/*/runs/*/logs"
-const val PATH_RUNS_STATUS = "/organizations/*/workspaces/*/runners/*/runs/*/status"
-val PATHS_RUNS =
- listOf(PATH_RUNS, PATH_RUNS_DATA_QUERY, PATH_RUNS_SEND_QUERY, PATH_RUNS_LOGS, PATH_RUNS_STATUS)
+// Path Solutions
+val PATHS_SOLUTIONS =
+ listOf(
+ "/organizations/*/solutions",
+ "/organizations/*/solutions/*",
+ "/organizations/*/solutions/*/parameterGroups",
+ "/organizations/*/solutions/*/parameters",
+ "/organizations/*/solutions/*/runTemplates",
+ "/organizations/*/solutions/*/runTemplates/*",
+ "/organizations/*/solutions/*/security",
+ "/organizations/*/solutions/*/security/access",
+ "/organizations/*/solutions/*/security/access/*",
+ "/organizations/*/solutions/*/security/default",
+ "/organizations/*/solutions/*/security/users",
+ )
-const val PATH_RUNNERS = "/organizations/*/workspaces/*/runners"
-const val PATH_RUNNERS_PERMISSIONS = "/organizations/*/workspaces/*/runners/*/permissions"
-const val PATH_RUNNERS_SECURITY = "/organizations/*/workspaces/*/runners/*/security"
-const val PATH_RUNNERS_SECURITY_DEFAULT = "/organizations/*/workspaces/*/runners/*/security/default"
-const val PATH_RUNNERS_SECURITY_USERS = "/organizations/*/workspaces/*/runners/*/security/users"
-const val PATH_RUNNERS_SECURITY_ACCESS = "/organizations/*/workspaces/*/runners/*/security/access"
-const val PATH_RUNNERS_START = "/organizations/*/workspaces/*/runners/*/start"
-const val PATH_RUNNERS_STOP = "/organizations/*/workspaces/*/runners/*/stop"
+// Path Workspaces files
+val PATHS_WORKSPACES_FILES =
+ listOf(
+ "/organizations/*/workspaces/*/files",
+ "/organizations/*/workspaces/*/files/delete",
+ "/organizations/*/workspaces/*/files/download")
-val PATHS_RUNNERS =
+// Path Workspaces
+val PATHS_WORKSPACES =
 listOf(
- PATH_RUNNERS,
- PATH_RUNNERS_PERMISSIONS,
- PATH_RUNNERS_SECURITY,
- PATH_RUNNERS_SECURITY_DEFAULT,
- PATH_RUNNERS_SECURITY_USERS,
- PATH_RUNNERS_SECURITY_ACCESS,
- PATH_RUNNERS_START,
- PATH_RUNNERS_STOP)
+ "/organizations/*/workspaces",
+ "/organizations/*/workspaces/*",
+ "/organizations/*/workspaces/*/link",
+ "/organizations/*/workspaces/*/permissions/*",
+ "/organizations/*/workspaces/*/security",
+ "/organizations/*/workspaces/*/security/access",
+ "/organizations/*/workspaces/*/security/access/*",
+ "/organizations/*/workspaces/*/security/default",
+ "/organizations/*/workspaces/*/security/users",
+ "/organizations/*/workspaces/*/security/unlink",
+ )
 // Endpoints roles
 val endpointSecurityPublic =
@@ -132,15 +160,9 @@ internal fun endpointSecurityReaders(
 ) =
 listOf(
 CsmSecurityEndpointsRolesReader(
- paths = listOf(PATH_CONNECTORS),
+ paths = PATHS_CONNECTORS,
 roles =
 arrayOf(
- ROLE_CONNECTOR_READER,
- ROLE_CONNECTOR_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
 ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_VIEWER,
 SCOPE_CONNECTOR_READ,
@@ -149,15 +171,9 @@ internal fun endpointSecurityReaders(
 customOrganizationViewer),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesReader(
- paths = listOf(PATH_DATASETS),
+ paths = PATHS_DATASETS,
 roles =
 arrayOf(
- ROLE_DATASET_READER,
- ROLE_DATASET_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
 ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_VIEWER,
 SCOPE_DATASET_READ,
@@ -169,12 +185,6 @@ internal fun endpointSecurityReaders(
 paths = PATHS_ORGANIZATIONS,
 roles =
 arrayOf(
- ROLE_ORGANIZATION_READER,
- ROLE_ORGANIZATION_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
 ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_VIEWER,
 SCOPE_ORGANIZATION_READ,
@@ -186,12 +196,6 @@ internal fun endpointSecurityReaders(
 paths = PATHS_SOLUTIONS,
 roles =
 arrayOf(
- ROLE_SOLUTION_READER,
- ROLE_SOLUTION_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
 ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_VIEWER,
 SCOPE_SOLUTION_READ,
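Review bot: `"/organizations/*/workspaces/*/security/unlink"` in PATHS_WORKSPACES looks misplaced: the dataset list uses `/datasets/*/unlink` and the workspace list already has `/workspaces/*/link` at the resource root, so if the controller actually exposes `/workspaces/*/unlink` that route is matched by no entry and falls to whatever default rule closes the chain. Likewise PATHS_ORGANIZATIONS and PATHS_WORKSPACES list a `permissions/*` route while PATHS_DATASETS and PATHS_SOLUTIONS do not; if those resources expose one, it is not covered by these matchers. Because the matcher hunks further down drop the `/**` suffix, each of these lists is now an exhaustive allow-list of routes, which is worth stating once above `PATHS_CONNECTORS`: `// Every route of a resource must be listed here: the matchers use these patterns verbatim, with no implicit /** suffix.` The hunk starts at the tail of the SCOPE_* block and ends at the `endpointSecurityPublic` declaration, whose body lies outside it.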
@@ -203,12 +207,6 @@ internal fun endpointSecurityReaders(
 paths = PATHS_WORKSPACES,
 roles =
 arrayOf(
- ROLE_WORKSPACE_READER,
- ROLE_WORKSPACE_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
 ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_VIEWER,
 SCOPE_WORKSPACE_READ,
@@ -220,12 +218,6 @@ internal fun endpointSecurityReaders(
 paths = PATHS_RUNS,
 roles =
 arrayOf(
- ROLE_WORKSPACE_READER,
- ROLE_WORKSPACE_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
 ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_VIEWER,
 SCOPE_RUN_READ,
@@ -237,12 +229,6 @@ internal fun endpointSecurityReaders(
 paths = PATHS_RUNNERS,
 roles =
 arrayOf(
- ROLE_WORKSPACE_READER,
- ROLE_WORKSPACE_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
 ROLE_ORGANIZATION_USER,
 ROLE_ORGANIZATION_VIEWER,
 SCOPE_RUNNER_READ,
@@ -258,78 +244,36 @@ internal fun endpointSecurityWriters(
 ) =
 listOf(
 CsmSecurityEndpointsRolesWriter(
- paths = listOf(PATH_CONNECTORS),
- roles = arrayOf(ROLE_CONNECTOR_WRITER, ROLE_CONNECTOR_DEVELOPER, SCOPE_CONNECTOR_WRITE),
+ paths = PATHS_CONNECTORS,
+ roles = arrayOf(SCOPE_CONNECTOR_WRITE),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
- paths = listOf(PATH_DATASETS),
- roles =
- arrayOf(
- ROLE_DATASET_WRITER,
- ROLE_CONNECTOR_DEVELOPER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
- ROLE_ORGANIZATION_USER,
- SCOPE_DATASET_WRITE,
- customOrganizationUser),
+ paths = PATHS_DATASETS,
+ roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_DATASET_WRITE, customOrganizationUser),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
 paths = PATHS_ORGANIZATIONS,
- roles =
- arrayOf(
- ROLE_ORGANIZATION_WRITER, ROLE_ORGANIZATION_ADMIN, SCOPE_ORGANIZATION_WRITE),
+ roles = arrayOf(SCOPE_ORGANIZATION_WRITE),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
 paths = PATHS_SOLUTIONS,
- roles =
- arrayOf(
- ROLE_SOLUTION_WRITER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
- SCOPE_SOLUTION_WRITE),
+ roles = arrayOf(SCOPE_SOLUTION_WRITE),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
 paths = PATHS_WORKSPACES,
- roles =
- arrayOf(
- ROLE_WORKSPACE_WRITER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- SCOPE_WORKSPACE_WRITE),
+ roles = arrayOf(SCOPE_WORKSPACE_WRITE),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
 paths = PATHS_RUNS,
- roles =
- arrayOf(
- ROLE_WORKSPACE_WRITER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_USER,
- ROLE_ORGANIZATION_COLLABORATOR,
- SCOPE_RUN_WRITE),
+ roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_RUN_WRITE, customOrganizationUser),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
 paths = PATHS_RUNNERS,
- roles =
- arrayOf(
- ROLE_WORKSPACE_WRITER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_USER,
- ROLE_ORGANIZATION_COLLABORATOR,
- SCOPE_RUNNER_WRITE),
+ roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_RUNNER_WRITE, customOrganizationUser),
 customAdmin = customOrganizationAdmin),
 CsmSecurityEndpointsRolesWriter(
- paths = listOf(PATH_WORKSPACES_FILES),
- roles =
- arrayOf(
- ROLE_WORKSPACE_WRITER,
- ROLE_ORGANIZATION_ADMIN,
- ROLE_ORGANIZATION_COLLABORATOR,
- ROLE_ORGANIZATION_MODELER,
- ROLE_ORGANIZATION_USER,
- SCOPE_WORKSPACE_WRITE,
- customOrganizationUser),
+ paths = PATHS_WORKSPACES_FILES,
+ roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_WORKSPACE_WRITE, customOrganizationUser),
 customAdmin = customOrganizationAdmin),
 )
@@ -408,11 +352,11 @@ internal class CsmSecurityEndpointsRolesWriter(
 val authoritiesList = addAdminRolesIfNotAlreadyDefined(this.roles)
 this.paths.forEach { path ->
 requests
- .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.POST, "$path/**"))
+ .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.POST, path))
 .hasAnyAuthority(*authoritiesList.toTypedArray())
- .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.PATCH, "$path/**"))
+ .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.PATCH, path))
 .hasAnyAuthority(*authoritiesList.toTypedArray())
- .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.DELETE, "$path/**"))
+ .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.DELETE, path))
 .hasAnyAuthority(*authoritiesList.toTypedArray())
 }
 }
@@ -443,7 +387,7 @@ internal class CsmSecurityEndpointsRolesReader(
 val authoritiesList = addAdminRolesIfNotAlreadyDefined(this.roles)
 this.paths.forEach { path ->
 requests
- .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.GET, "$path/**"))
+ .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.GET, path))
 .hasAnyAuthority(*authoritiesList.toTypedArray())
 }
 }
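Review bot: Dropping the `/**` suffix in the POST/PATCH/DELETE matchers of CsmSecurityEndpointsRolesWriter (and in the GET matcher of CsmSecurityEndpointsRolesReader in the hunk just below) turns every PATHS_* entry into an exact-match rule, so a route that is not enumerated no longer reaches these matchers and falls through to whatever rule closes the chain, which is outside both hunks. The fifth patch of this series already had to add `/runs/*`, `/runners/*` and `/runners/*/security/access/*`, which suggests the lists were assembled by hand rather than derived from the controllers. Please confirm the chain ends in a deny-by-default rule (`anyRequest().denyAll()`, or at least `.authenticated()`) and add a test that enumerates the registered handler mappings and asserts that each GET/POST/PATCH/DELETE route is matched by some PATHS_* entry; since AntPathRequestMatcher can diverge from Spring MVC's own path matching on details such as trailing slashes, that test should drive real requests rather than compare strings. A one-line comment on the `forEach` would help the next maintainer: `// Patterns are matched exactly (no implicit /**): every route must appear in a PATHS_* list.` Both enclosing methods start outside their hunks.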
From fffc783d9078f1bd9a52eac51b6f13a8847dbb7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Wed, 30 Oct 2024 15:18:43 +0100
Subject: [PATCH 5/5] Add missing pattern un run/runner
---
 .../api/security/AbstractSecurityConfiguration.kt | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
index 7770a301..85dcdca8 100644
--- a/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
+++ b/src/main/kotlin/com/cosmotech/api/security/AbstractSecurityConfiguration.kt
@@ -82,6 +82,7 @@ val PATHS_ORGANIZATIONS =
 val PATHS_RUNS =
 listOf(
 "/organizations/*/workspaces/*/runners/*/runs",
+ "/organizations/*/workspaces/*/runners/*/runs/*",
 "/organizations/*/workspaces/*/runners/*/runs/*/data/query",
 "/organizations/*/workspaces/*/runners/*/runs/*/data/send",
 "/organizations/*/workspaces/*/runners/*/runs/*/logs",
@@ -91,11 +92,13 @@ val PATHS_RUNS =
 val PATHS_RUNNERS =
 listOf(
 "/organizations/*/workspaces/*/runners",
- "/organizations/*/workspaces/*/runners/*/permissions",
+ "/organizations/*/workspaces/*/runners/*",
+ "/organizations/*/workspaces/*/runners/*/permissions/*",
 "/organizations/*/workspaces/*/runners/*/security",
+ "/organizations/*/workspaces/*/runners/*/security/access",
+ "/organizations/*/workspaces/*/runners/*/security/access/*",
 "/organizations/*/workspaces/*/runners/*/security/default",
 "/organizations/*/workspaces/*/runners/*/security/users",
- "/organizations/*/workspaces/*/runners/*/security/access",
 "/organizations/*/workspaces/*/runners/*/start",
 "/organizations/*/workspaces/*/runners/*/stop")