Expand Up @@ -17,65 +17,128 @@ import org.springframework.web.cors.CorsConfiguration

// Business roles
const val ROLE_PLATFORM_ADMIN = "Platform.Admin"
const val ROLE_CONNECTOR_DEVELOPER = "Connector.Developer"
const val ROLE_ORGANIZATION_ADMIN = "Organization.Admin"
const val ROLE_ORGANIZATION_COLLABORATOR = "Organization.Collaborator"
const val ROLE_ORGANIZATION_MODELER = "Organization.Modeler"
const val ROLE_ORGANIZATION_USER = "Organization.User"
const val ROLE_ORGANIZATION_VIEWER = "Organization.Viewer"

// Endpoints roles
const val ROLE_CONNECTOR_READER = "Connector.Reader"
const val ROLE_CONNECTOR_WRITER = "Connector.Writer"
const val ROLE_DATASET_READER = "Dataset.Reader"
const val ROLE_DATASET_WRITER = "Dataset.Writer"
const val ROLE_ORGANIZATION_READER = "Organization.Reader"
const val ROLE_ORGANIZATION_WRITER = "Organization.Writer"
const val ROLE_SOLUTION_READER = "Solution.Reader"
const val ROLE_SOLUTION_WRITER = "Solution.Writer"
const val ROLE_WORKSPACE_READER = "Workspace.Reader"
const val ROLE_WORKSPACE_WRITER = "Workspace.Writer"

// Allowed read scopes
const val SCOPE_CONNECTOR_READ = "SCOPE_csm.connector.read"
const val SCOPE_ORGANIZATION_READ = "SCOPE_csm.organization.read"
const val SCOPE_DATASET_READ = "SCOPE_csm.dataset.read"
const val SCOPE_SOLUTION_READ = "SCOPE_csm.solution.read"
const val SCOPE_WORKSPACE_READ = "SCOPE_csm.workspace.read"
const val SCOPE_RUN_READ = "SCOPE_csm.run.read"
const val SCOPE_RUNNER_READ = "SCOPE_csm.runner.read"

// Allowed write scopes
const val SCOPE_CONNECTOR_WRITE = "SCOPE_csm.connector.write"
const val SCOPE_ORGANIZATION_WRITE = "SCOPE_csm.organization.write"
const val SCOPE_DATASET_WRITE = "SCOPE_csm.dataset.write"
const val SCOPE_SOLUTION_WRITE = "SCOPE_csm.solution.write"
const val SCOPE_WORKSPACE_WRITE = "SCOPE_csm.workspace.write"
const val SCOPE_RUN_WRITE = "SCOPE_csm.run.write"
const val SCOPE_RUNNER_WRITE = "SCOPE_csm.runner.write"

// Path Connectors
val PATHS_CONNECTORS = listOf("/connectors", "/connectors/*")
// Path Datasets
val PATHS_DATASETS =
listOf(
"/organizations/*/datasets",
"/organizations/*/datasets/copy",
"/organizations/*/datasets/search",
"/organizations/*/datasets/twingraph/download/*",
"/organizations/*/datasets/*",
"/organizations/*/datasets/*/batch",
"/organizations/*/datasets/*/batch-query",
"/organizations/*/datasets/*/compatibility",
"/organizations/*/datasets/*/link",
"/organizations/*/datasets/*/refresh",
"/organizations/*/datasets/*/refresh/rollback",
"/organizations/*/datasets/*/security",
"/organizations/*/datasets/*/security/access",
"/organizations/*/datasets/*/security/access/*",
"/organizations/*/datasets/*/security/default",
"/organizations/*/datasets/*/security/users",
"/organizations/*/datasets/*/status",
"/organizations/*/datasets/*/subdataset",
"/organizations/*/datasets/*/twingraph",
"/organizations/*/datasets/*/twingraph/*",
"/organizations/*/datasets/*/unlink")

// Endpoints paths
const val PATH_CONNECTORS = "/connectors"
const val PATH_DATASETS = "/organizations/*/datasets"
const val PATH_ORGANIZATIONS = "/organizations"
const val PATH_ORGANIZATIONS_USERS = "/organizations/*/users"
const val PATH_ORGANIZATIONS_SERVICES = "/organizations/*/services"
// Path Organizations
val PATHS_ORGANIZATIONS =
listOf(PATH_ORGANIZATIONS, PATH_ORGANIZATIONS_USERS, PATH_ORGANIZATIONS_SERVICES)
listOf(
"/organizations",
"/organizations/permissions",
"/organizations/*",
"/organizations/*/permissions/*",
"/organizations/*/security",
"/organizations/*/security/access",
"/organizations/*/security/access/*",
"/organizations/*/security/default",
"/organizations/*/security/users")

// Path Runs
val PATHS_RUNS =
listOf(
"/organizations/*/workspaces/*/runners/*/runs",
"/organizations/*/workspaces/*/runners/*/runs/*",
"/organizations/*/workspaces/*/runners/*/runs/*/data/query",
"/organizations/*/workspaces/*/runners/*/runs/*/data/send",
"/organizations/*/workspaces/*/runners/*/runs/*/logs",
"/organizations/*/workspaces/*/runners/*/runs/*/status")

// Path Runners
val PATHS_RUNNERS =
listOf(
"/organizations/*/workspaces/*/runners",
"/organizations/*/workspaces/*/runners/*",
"/organizations/*/workspaces/*/runners/*/permissions/*",
"/organizations/*/workspaces/*/runners/*/security",
"/organizations/*/workspaces/*/runners/*/security/access",
"/organizations/*/workspaces/*/runners/*/security/access/*",
"/organizations/*/workspaces/*/runners/*/security/default",
"/organizations/*/workspaces/*/runners/*/security/users",
"/organizations/*/workspaces/*/runners/*/start",
"/organizations/*/workspaces/*/runners/*/stop")

// Path Solutions
const val PATH_SOLUTIONS = "/organizations/*/solutions"
const val PATH_SOLUTIONS_PARAMETERS = "/organizations/*/solutions/*/parameters"
const val PATH_SOLUTIONS_PARAMETERGROUPS = "/organizations/*/solutions/*/parameterGroups"
const val PATH_SOLUTIONS_RUNTEMPLATES = "/organizations/*/solutions/*/runTemplates"
val PATHS_SOLUTIONS =
listOf(
PATH_SOLUTIONS,
PATH_SOLUTIONS_PARAMETERS,
PATH_SOLUTIONS_PARAMETERGROUPS,
PATH_SOLUTIONS_RUNTEMPLATES)
"/organizations/*/solutions",
"/organizations/*/solutions/*",
"/organizations/*/solutions/*/parameterGroups",
"/organizations/*/solutions/*/parameters",
"/organizations/*/solutions/*/runTemplates",
"/organizations/*/solutions/*/runTemplates/*",
"/organizations/*/solutions/*/security",
"/organizations/*/solutions/*/security/access",
"/organizations/*/solutions/*/security/access/*",
"/organizations/*/solutions/*/security/default",
"/organizations/*/solutions/*/security/users",
)

// Path Workspaces files
val PATHS_WORKSPACES_FILES =
listOf(
"/organizations/*/workspaces/*/files",
"/organizations/*/workspaces/*/files/delete",
"/organizations/*/workspaces/*/files/download")

// Path Workspaces
const val PATH_WORKSPACES = "/organizations/*/workspaces"
const val PATH_WORKSPACES_USERS = "/organizations/*/workspaces/*/users"
val PATHS_WORKSPACES = listOf(PATH_WORKSPACES, PATH_WORKSPACES_USERS)
const val PATH_WORKSPACES_FILES = "/organizations/*/workspaces/*/files"
val PATHS_WORKSPACES =
listOf(
"/organizations/*/workspaces",
"/organizations/*/workspaces/*",
"/organizations/*/workspaces/*/link",
"/organizations/*/workspaces/*/permissions/*",
"/organizations/*/workspaces/*/security",
"/organizations/*/workspaces/*/security/access",
"/organizations/*/workspaces/*/security/access/*",
"/organizations/*/workspaces/*/security/default",
"/organizations/*/workspaces/*/security/users",
"/organizations/*/workspaces/*/security/unlink",
)

// Endpoints roles
val endpointSecurityPublic =
Expand All @@ -100,15 +163,9 @@ internal fun endpointSecurityReaders(
) =
listOf(
CsmSecurityEndpointsRolesReader(
paths = listOf(PATH_CONNECTORS),
paths = PATHS_CONNECTORS,
roles =
arrayOf(
ROLE_CONNECTOR_READER,
ROLE_CONNECTOR_WRITER,
ROLE_CONNECTOR_DEVELOPER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
ROLE_ORGANIZATION_USER,
ROLE_ORGANIZATION_VIEWER,
SCOPE_CONNECTOR_READ,
Expand All @@ -117,15 +174,9 @@ internal fun endpointSecurityReaders(
customOrganizationViewer),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesReader(
paths = listOf(PATH_DATASETS),
paths = PATHS_DATASETS,
roles =
arrayOf(
ROLE_DATASET_READER,
ROLE_DATASET_WRITER,
ROLE_CONNECTOR_DEVELOPER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
ROLE_ORGANIZATION_USER,
ROLE_ORGANIZATION_VIEWER,
SCOPE_DATASET_READ,
Expand All @@ -137,12 +188,6 @@ internal fun endpointSecurityReaders(
paths = PATHS_ORGANIZATIONS,
roles =
arrayOf(
ROLE_ORGANIZATION_READER,
ROLE_ORGANIZATION_WRITER,
ROLE_CONNECTOR_DEVELOPER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
ROLE_ORGANIZATION_USER,
ROLE_ORGANIZATION_VIEWER,
SCOPE_ORGANIZATION_READ,
Expand All @@ -154,12 +199,6 @@ internal fun endpointSecurityReaders(
paths = PATHS_SOLUTIONS,
roles =
arrayOf(
ROLE_SOLUTION_READER,
ROLE_SOLUTION_WRITER,
ROLE_CONNECTOR_DEVELOPER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
ROLE_ORGANIZATION_USER,
ROLE_ORGANIZATION_VIEWER,
SCOPE_SOLUTION_READ,
Expand All @@ -171,18 +210,34 @@ internal fun endpointSecurityReaders(
paths = PATHS_WORKSPACES,
roles =
arrayOf(
ROLE_WORKSPACE_READER,
ROLE_WORKSPACE_WRITER,
ROLE_CONNECTOR_DEVELOPER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
ROLE_ORGANIZATION_USER,
ROLE_ORGANIZATION_VIEWER,
SCOPE_WORKSPACE_READ,
SCOPE_WORKSPACE_WRITE,
customOrganizationUser,
customOrganizationViewer),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesReader(
paths = PATHS_RUNS,
roles =
arrayOf(
ROLE_ORGANIZATION_USER,
ROLE_ORGANIZATION_VIEWER,
SCOPE_RUN_READ,
SCOPE_RUN_WRITE,
customOrganizationUser,
customOrganizationViewer),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesReader(
paths = PATHS_RUNNERS,
roles =
arrayOf(
ROLE_ORGANIZATION_USER,
ROLE_ORGANIZATION_VIEWER,
SCOPE_RUNNER_READ,
SCOPE_RUNNER_WRITE,
customOrganizationUser,
customOrganizationViewer),
customAdmin = customOrganizationAdmin))

@Suppress("LongMethod")
Expand All @@ -192,58 +247,36 @@ internal fun endpointSecurityWriters(
) =
listOf(
CsmSecurityEndpointsRolesWriter(
paths = listOf(PATH_CONNECTORS),
roles = arrayOf(ROLE_CONNECTOR_WRITER, ROLE_CONNECTOR_DEVELOPER, SCOPE_CONNECTOR_WRITE),
paths = PATHS_CONNECTORS,
roles = arrayOf(SCOPE_CONNECTOR_WRITE),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesWriter(
paths = listOf(PATH_DATASETS),
roles =
arrayOf(
ROLE_DATASET_WRITER,
ROLE_CONNECTOR_DEVELOPER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
ROLE_ORGANIZATION_USER,
SCOPE_DATASET_WRITE,
customOrganizationUser),
paths = PATHS_DATASETS,
roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_DATASET_WRITE, customOrganizationUser),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesWriter(
paths = PATHS_ORGANIZATIONS,
roles =
arrayOf(
ROLE_ORGANIZATION_WRITER, ROLE_ORGANIZATION_ADMIN, SCOPE_ORGANIZATION_WRITE),
roles = arrayOf(SCOPE_ORGANIZATION_WRITE),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesWriter(
paths = PATHS_SOLUTIONS,
roles =
arrayOf(
ROLE_SOLUTION_WRITER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
SCOPE_SOLUTION_WRITE),
roles = arrayOf(SCOPE_SOLUTION_WRITE),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesWriter(
paths = PATHS_WORKSPACES,
roles =
arrayOf(
ROLE_WORKSPACE_WRITER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
SCOPE_WORKSPACE_WRITE),
roles = arrayOf(SCOPE_WORKSPACE_WRITE),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesWriter(
paths = listOf(PATH_WORKSPACES_FILES),
roles =
arrayOf(
ROLE_WORKSPACE_WRITER,
ROLE_ORGANIZATION_ADMIN,
ROLE_ORGANIZATION_COLLABORATOR,
ROLE_ORGANIZATION_MODELER,
ROLE_ORGANIZATION_USER,
SCOPE_WORKSPACE_WRITE,
customOrganizationUser),
paths = PATHS_RUNS,
roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_RUN_WRITE, customOrganizationUser),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesWriter(
paths = PATHS_RUNNERS,
roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_RUNNER_WRITE, customOrganizationUser),
customAdmin = customOrganizationAdmin),
CsmSecurityEndpointsRolesWriter(
paths = PATHS_WORKSPACES_FILES,
roles = arrayOf(ROLE_ORGANIZATION_USER, SCOPE_WORKSPACE_WRITE, customOrganizationUser),
customAdmin = customOrganizationAdmin),
)

Expand Down Expand Up @@ -322,11 +355,11 @@ internal class CsmSecurityEndpointsRolesWriter(
val authoritiesList = addAdminRolesIfNotAlreadyDefined(this.roles)
this.paths.forEach { path ->
requests
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.POST, "$path/**"))
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.POST, path))
.hasAnyAuthority(*authoritiesList.toTypedArray())
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.PATCH, "$path/**"))
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.PATCH, path))
.hasAnyAuthority(*authoritiesList.toTypedArray())
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.DELETE, "$path/**"))
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.DELETE, path))
.hasAnyAuthority(*authoritiesList.toTypedArray())
}
}
Expand Down Expand Up @@ -357,7 +390,7 @@ internal class CsmSecurityEndpointsRolesReader(
val authoritiesList = addAdminRolesIfNotAlreadyDefined(this.roles)
this.paths.forEach { path ->
requests
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.GET, "$path/**"))
.requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.GET, path))
.hasAnyAuthority(*authoritiesList.toTypedArray())
}
}
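Review bot: Replacing `"$path/**"` with the bare `path` in the writer's POST/PATCH/DELETE matchers and the reader's GET matcher means authorization now depends entirely on the PATHS_* lists being exhaustive and at the right depth: an Ant `*` covers one segment only, so any route that is missing from the lists (or any PUT, which these matchers never cover) stops inheriting its parent's rule and falls through to whatever default rule follows these matchers, which is outside the hunk and cannot be checked here. One entry already looks suspect: `"/organizations/*/workspaces/*/security/unlink"` is paired with `"/organizations/*/workspaces/*/link"`, whereas the dataset list keeps `link` and `unlink` at the same level, so I would confirm that path against the controller mapping. I would also add a test that iterates the registered handler mappings (Spring's `RequestMappingHandlerMapping`) and asserts each pattern is matched by some PATHS_* entry, with a comment on the matcher such as `// exact Ant match: every endpoint must be listed in a PATHS_* list, no /** fallback`. The enclosing `CsmSecurityEndpointsRolesReader`/`CsmSecurityEndpointsRolesWriter` classes start outside the hunks.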