jans(config-api): static scope id and feature and admin level scopes (#…

…3126) * fix(config-api): fix for swagger spec for scope creation and sessoin endpoint filter * ci: add yurem to linux setup codeowners * chore(image): sync missing localized attributes for sql and spanner (#2927) * chore(image): sync missing localized attributes for sql and spanner * chore(image): sync jans-schema.json template * Update restarting-services.md (#2941) Restart command and output were merged which made "copy" / "paste" hard.... * Update restarting-services.md (#2942) Removed "$" sign from command.... * Update restarting-services.md (#2943) Adding some other service related info... * feat: allow to use like with lower together (#2944) Co-authored-by: Yuriy Movchan <Yuriy.Movchan@gmail.com> * chore: remove unused merthod (#2945) Co-authored-by: Yuriy Movchan <Yuriy.Movchan@gmail.com> * feat(jans-auth-server): corrected GluuOrganization - refactor getOrganizationName() #2947 (#2948) * feat(config-api): super scope implementation * feat(config-api): static scope * feat(config-api): comprehensive claims for authurization * feat(config-api): endpoint group and admin scope * feat(config-api): sync with main * feat(config-api): endpoint group and admin scope * feat(config-api): scope change - wip * feat(config-api): scope change - wip * feat(config-api): scope enhancements * feat(config-api): scope enhancement * feat(config-api): scope enhancement wip * feat(config-api): scope enhancement- wip * feat(config-api): scope enhancement- wip * feat: jans-linux-setup config-api scope creation with static inum (ref: #3097) * feat(config-api): scope enhancement - wip * fix: jans-linux-setup create scope if inum exists (ref: #3097) * feat: jans-linux-setup config-api scope creation (ref: #3097) * feat(config-api): scope enhancement - wip * feat(config-api): scope enhancement Co-authored-by: moabu <47318409+moabu@users.noreply.github.com> Co-authored-by: Isman Firmansyah <iromli@users.noreply.github.com> Co-authored-by: mzico <mohib@gluu.org> Co-authored-by: Yuriy M <95305560+yuremm@users.noreply.github.com> Co-authored-by: Yuriy Movchan <Yuriy.Movchan@gmail.com> Co-authored-by: YuriyZ <yzabrovarniy@gmail.com> Co-authored-by: Mustafa Baser <mbaser@mail.com>
JanssenProject · Nov 30, 2022 · 34bd41d · 34bd41d
1 parent 0522e61
commit 34bd41d
Show file tree

Hide file tree

Showing 34 changed files with 2,488 additions and 883 deletions.
diff --git a/jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java b/jans-config-api/common/src/main/java/io/jans/configapi/util/ApiAccessConstants.java
@@ -69,5 +69,18 @@ private ApiAccessConstants() {
     public static final String JANS_AUTH_SESSION_READ_ACCESS = "https://jans.io/oauth/jans-auth-server/session.readonly";
     public static final String JANS_AUTH_SESSION_DELETE_ACCESS = "https://jans.io/oauth/jans-auth-server/session.delete";
     public static final String JANS_AUTH_REVOKE_SESSION  = "revoke_session";
-
+
+    // Super Scopes
+    public static final String SUPER_ADMIN_READ_ACCESS  = "https://jans.io/oauth/config/read-all";
+    public static final String SUPER_ADMIN_WRITE_ACCESS  = "https://jans.io/oauth/config/write-all";
+    public static final String SUPER_ADMIN_DELETE_ACCESS  = "https://jans.io/oauth/config/delete-all";
+
+    // Feature Scope
+    public static final String OPENID_READ_ACCESS  = "https://jans.io/oauth/config/openid-read";
+    public static final String OPENID_WRITE_ACCESS = "https://jans.io/oauth/config/openid/openid-write";
+    public static final String OPENID_DELETE_ACCESS = "https://jans.io/oauth/config/openid/openid-delete";
+
+    public static final String UMA_READ_ACCESS  = "https://jans.io/oauth/config/uma-read";
+    public static final String UMA_WRITE_ACCESS = "https://jans.io/oauth/config/uma-write";
+    public static final String UMA_DELETE_ACCESS = "https://jans.io/oauth/config/uma-delete";
 }
diff --git a/jans-config-api/docs/jans-config-api-swagger-auto.yaml b/jans-config-api/docs/jans-config-api-swagger-auto.yaml
@@ -132,6 +132,8 @@ paths:
       security:
       - oauth2:
         - https://jans.io/oauth/config/acrs.readonly
+        - https://jans.io/oauth/config/acrs.write
+        - https://jans.io/oauth/config/read-all
     put:
       tags:
       - Default Authentication Method
@@ -167,6 +169,7 @@ paths:
       security:
       - oauth2:
         - https://jans.io/oauth/config/acrs.write
+        - https://jans.io/oauth/config/write-all
   /api/v1/agama:
     get:
       tags:
@@ -243,6 +246,8 @@ paths:
       security:
       - oauth2:
         - https://jans.io/oauth/config/agama.readonly
+        - https://jans.io/oauth/config/agama.write
+        - https://jans.io/oauth/config/read-all
     post:
       tags:
       - Configuration – Agama Flow
@@ -333,6 +338,8 @@ paths:
       security:
       - oauth2:
         - https://jans.io/oauth/config/agama.readonly
+        - https://jans.io/oauth/config/agama.write
+        - https://jans.io/oauth/config/read-all
     post:
       tags:
       - Configuration – Agama Flow
@@ -7178,19 +7185,19 @@ components:
           $ref: '#/components/schemas/AttributeValidation'
         tooltip:
           type: string
-        whitePagesCanView:
+        adminCanEdit:
           type: boolean
-        adminCanAccess:
+        userCanEdit:
           type: boolean
         adminCanView:
           type: boolean
-        userCanAccess:
+        userCanView:
           type: boolean
-        adminCanEdit:
+        adminCanAccess:
           type: boolean
-        userCanView:
+        userCanAccess:
           type: boolean
-        userCanEdit:
+        whitePagesCanView:
           type: boolean
         baseDn:
           type: string
@@ -7620,6 +7627,15 @@ components:
           format: int32
         allowOfflineAccessWithoutConsent:
           type: boolean
+        minimumAcrLevel:
+          type: integer
+          format: int32
+        minimumAcrLevelAutoresolve:
+          type: boolean
+        minimumAcrPriorityList:
+          type: array
+          items:
+            type: string
     CustomObjectAttribute:
       type: object
       properties:
@@ -8334,6 +8350,15 @@ components:
           $ref: '#/components/schemas/EngineConfig'
         ssaConfiguration:
           $ref: '#/components/schemas/SsaConfiguration'
+        allResponseTypesSupported:
+          uniqueItems: true
+          type: array
+          items:
+            type: string
+            enum:
+            - code
+            - token
+            - id_token
         enabledFeatureFlags:
           uniqueItems: true
           type: array
@@ -8361,15 +8386,6 @@ components:
             - STAT
             - PAR
             - SSA
-        allResponseTypesSupported:
-          uniqueItems: true
-          type: array
-          items:
-            type: string
-            enum:
-            - code
-            - token
-            - id_token
         fapi:
           type: boolean
     AuthenticationFilter:

diff --git a/jans-config-api/profiles/local/test.properties b/jans-config-api/profiles/local/test.properties
@@ -2,8 +2,8 @@
 test.scopes=https://jans.io/oauth/config/acrs.readonly https://jans.io/oauth/config/acrs.write https://jans.io/oauth/config/attributes.readonly https://jans.io/oauth/config/attributes.write https://jans.io/oauth/config/attributes.delete https://jans.io/oauth/config/cache.readonly https://jans.io/oauth/config/cache.write https://jans.io/oauth/config/openid/clients.readonly https://jans.io/oauth/config/openid/clients.write https://jans.io/oauth/config/openid/clients.delete https://jans.io/oauth/jans-auth-server/config/properties.readonly https://jans.io/oauth/jans-auth-server/config/properties.write https://jans.io/oauth/config/smtp.readonly https://jans.io/oauth/config/smtp.write https://jans.io/oauth/config/smtp.delete https://jans.io/oauth/config/scripts.readonly https://jans.io/oauth/config/scripts.write https://jans.io/oauth/config/scripts.delete https://jans.io/oauth/config/fido2.readonly https://jans.io/oauth/config/fido2.write https://jans.io/oauth/config/jwks.readonly https://jans.io/oauth/config/jwks.write https://jans.io/oauth/config/jwks.delete https://jans.io/oauth/config/database/ldap.readonly https://jans.io/oauth/config/database/ldap.write https://jans.io/oauth/config/database/ldap.delete https://jans.io/oauth/config/logging.readonly https://jans.io/oauth/config/logging.write https://jans.io/oauth/config/scopes.readonly https://jans.io/oauth/config/scopes.write https://jans.io/oauth/config/scopes.delete https://jans.io/oauth/config/uma/resources.readonly https://jans.io/oauth/config/uma/resources.write https://jans.io/oauth/config/uma/resources.delete https://jans.io/oauth/config/database/sql.readonly https://jans.io/oauth/config/database/sql.write https://jans.io/oauth/config/database/sql.delete https://jans.io/oauth/config/stats.readonly jans_stat https://jans.io/scim/users.read https://jans.io/scim/users.write https://jans.io/oauth/config/scim/users.read https://jans.io/oauth/config/scim/users.write https://jans.io/scim/config.readonly https://jans.io/scim/config.write https://jans.io/oauth/config/organization.readonly https://jans.io/oauth/config/organization.write https://jans.io/oauth/config/user.readonly https://jans.io/oauth/config/user.write https://jans.io/oauth/config/user.delete https://jans.io/oauth/config/agama.readonly https://jans.io/oauth/config/agama.write https://jans.io/oauth/config/agama.delete https://jans.io/oauth/jans-auth-server/session.readonly https://jans.io/oauth/jans-auth-server/session.delete revoke_session
 
 # jans.server
-token.endpoint=https://jans.server2/jans-auth/restv1/token
+token.endpoint=https://jans.server1/jans-auth/restv1/token
 token.grant.type=client_credentials
-test.client.id=1800.768b3d38-a6e8-4be4-93d1-72df33d34fd6
-test.client.secret=vA2TTjAOTfQY
-test.issuer=https://jans.server2/
+test.client.id=1800.5957dfad-b2cb-4764-85fe-841e6bc870ff
+test.client.secret=ozu4fjIzoEbe
+test.issuer=https://jans.server1/
diff --git a/jans-config-api/server/src/main/java/io/jans/configapi/configuration/AppInitializer.java b/jans-config-api/server/src/main/java/io/jans/configapi/configuration/AppInitializer.java
@@ -153,7 +153,7 @@ public PersistenceEntryManager createPersistenceEntryManager() throws OxIntializ
     @ApplicationScoped
     @Named("authorizationService")
     private AuthorizationService createAuthorizationService() {
-        log.info(
+        log.error(
                 "=============  AppInitializer::createAuthorizationService() - configurationFactory.getApiProtectionType():{} ",
                 configurationFactory.getApiProtectionType());
 

diff --git a/jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AcrsResource.java b/jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AcrsResource.java
@@ -48,13 +48,15 @@ public class AcrsResource extends ConfigBaseResource {
 
     @Operation(summary = "Gets default authentication method.", description = "Gets default authentication method.", operationId = "get-acrs", tags = {
             "Default Authentication Method" }, security = @SecurityRequirement(name = "oauth2", scopes = {
-                    ApiAccessConstants.ACRS_READ_ACCESS }))
+                    ApiAccessConstants.ACRS_READ_ACCESS, ApiAccessConstants.ACRS_WRITE_ACCESS,
+                    ApiAccessConstants.SUPER_ADMIN_READ_ACCESS }))
     @ApiResponses(value = {
-            @ApiResponse(responseCode = "200", description = "Ok", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = AuthenticationMethod.class) , examples = @ExampleObject(name = "Response example" , value = "example/acr/acr.json"))),
+            @ApiResponse(responseCode = "200", description = "Ok", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = AuthenticationMethod.class), examples = @ExampleObject(name = "Response example", value = "example/acr/acr.json"))),
             @ApiResponse(responseCode = "401", description = "Unauthorized"),
             @ApiResponse(responseCode = "500", description = "InternalServerError") })
     @GET
-    @ProtectedApi(scopes = { ApiAccessConstants.ACRS_READ_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.ACRS_READ_ACCESS }, groupScopes = {
+            ApiAccessConstants.ACRS_WRITE_ACCESS }, superScopes = { ApiAccessConstants.SUPER_ADMIN_READ_ACCESS })
     public Response getDefaultAuthenticationMethod() {
         final GluuConfiguration gluuConfiguration = configurationService.findGluuConfiguration();
 
@@ -65,15 +67,16 @@ public Response getDefaultAuthenticationMethod() {
 
     @Operation(summary = "Updates default authentication method.", description = "Updates default authentication method.", operationId = "put-acrs", tags = {
             "Default Authentication Method" }, security = @SecurityRequirement(name = "oauth2", scopes = {
-                    ApiAccessConstants.ACRS_WRITE_ACCESS }))
+                    ApiAccessConstants.ACRS_WRITE_ACCESS, ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS }))
     @RequestBody(description = "String representing patch-document.", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = AuthenticationMethod.class), examples = @ExampleObject(name = "Request json example", value = "example/acr/acr.json")))
     @ApiResponses(value = {
             @ApiResponse(responseCode = "200", description = "Ok", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = AuthenticationMethod.class))),
             @ApiResponse(responseCode = "400", description = "Bad Request"),
             @ApiResponse(responseCode = "401", description = "Unauthorized"),
             @ApiResponse(responseCode = "500", description = "InternalServerError") })
     @PUT
-    @ProtectedApi(scopes = { ApiAccessConstants.ACRS_WRITE_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.ACRS_WRITE_ACCESS }, superScopes = {
+            ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS })
     public Response updateDefaultAuthenticationMethod(@NotNull AuthenticationMethod authenticationMethod) {
         log.debug("ACRS details to  update - authenticationMethod:{}", authenticationMethod);
 

diff --git a/jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AgamaResource.java b/jans-config-api/server/src/main/java/io/jans/configapi/rest/resource/auth/AgamaResource.java
@@ -61,13 +61,15 @@ public class AgamaResource extends ConfigBaseResource {
 
     @Operation(summary = "Fetches all agama flow.", description = "Fetches all agama flow.", operationId = "get-agama-flows", tags = {
             "Configuration – Agama Flow" }, security = @SecurityRequirement(name = "oauth2", scopes = {
-                    ApiAccessConstants.AGAMA_READ_ACCESS }))
+                    ApiAccessConstants.AGAMA_READ_ACCESS, ApiAccessConstants.AGAMA_WRITE_ACCESS,
+                    ApiAccessConstants.SUPER_ADMIN_READ_ACCESS }))
     @ApiResponses(value = {
             @ApiResponse(responseCode = "200", description = "Agama Flows", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = PagedResult.class), examples = @ExampleObject(name = "Response json example", value = "example/agama/agama-get-all.json"))),
             @ApiResponse(responseCode = "401", description = "Unauthorized"),
             @ApiResponse(responseCode = "500", description = "InternalServerError") })
     @GET
-    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_READ_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_READ_ACCESS }, groupScopes = {
+            ApiAccessConstants.AGAMA_WRITE_ACCESS }, superScopes = { ApiAccessConstants.SUPER_ADMIN_READ_ACCESS })
     public Response getFlows(@DefaultValue("") @QueryParam(value = ApiConstants.PATTERN) String pattern,
             @DefaultValue(ApiConstants.DEFAULT_LIST_SIZE) @QueryParam(value = ApiConstants.LIMIT) int limit,
             @DefaultValue(ApiConstants.DEFAULT_LIST_START_INDEX) @QueryParam(value = ApiConstants.START_INDEX) int startIndex,
@@ -90,13 +92,15 @@ public Response getFlows(@DefaultValue("") @QueryParam(value = ApiConstants.PATT
 
     @Operation(summary = "Gets an agama flow based on Qname.", description = "Gets an agama flow based on Qname.", operationId = "get-agama-flow", tags = {
             "Configuration – Agama Flow" }, security = @SecurityRequirement(name = "oauth2", scopes = {
-                    ApiAccessConstants.AGAMA_READ_ACCESS }))
+                    ApiAccessConstants.AGAMA_READ_ACCESS, ApiAccessConstants.AGAMA_WRITE_ACCESS,
+                    ApiAccessConstants.SUPER_ADMIN_READ_ACCESS }))
     @ApiResponses(value = {
             @ApiResponse(responseCode = "200", description = "Agama Flow", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = Flow.class), examples = @ExampleObject(name = "Response json example", value = "example/agama/agama-get.json"))),
             @ApiResponse(responseCode = "401", description = "Unauthorized"),
             @ApiResponse(responseCode = "500", description = "InternalServerError") })
     @GET
-    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_READ_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_READ_ACCESS }, groupScopes = {
+            ApiAccessConstants.AGAMA_WRITE_ACCESS }, superScopes = { ApiAccessConstants.SUPER_ADMIN_READ_ACCESS })
     @Path(ApiConstants.QNAME_PATH)
     public Response getFlowByName(@PathParam(ApiConstants.QNAME) @NotNull String flowName,
             @DefaultValue("false") @QueryParam(value = ApiConstants.INCLUDE_SOURCE) boolean includeSource) {
@@ -121,7 +125,8 @@ public Response getFlowByName(@PathParam(ApiConstants.QNAME) @NotNull String flo
             @ApiResponse(responseCode = "401", description = "Unauthorized"),
             @ApiResponse(responseCode = "500", description = "InternalServerError") })
     @POST
-    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS }, superScopes = {
+            ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS })
     public Response createFlow(@Valid Flow flow)
             throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
         logger.debug(" Flow to be added flow:{}, flow.getQName():{}, flow.getSource():{} ", flow, flow.getQname(),
@@ -155,7 +160,8 @@ public Response createFlow(@Valid Flow flow)
     @POST
     @Consumes(MediaType.TEXT_PLAIN)
     @Path(ApiConstants.QNAME_PATH)
-    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS }, superScopes = {
+            ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS })
     public Response createFlowFromSource(@PathParam(ApiConstants.QNAME) @NotNull String flowName, @Valid String source)
             throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
         logger.debug(" Flow to be created flowName:{}, source:{}", flowName, source);
@@ -196,7 +202,8 @@ public Response createFlowFromSource(@PathParam(ApiConstants.QNAME) @NotNull Str
     @PUT
     @Consumes(MediaType.TEXT_PLAIN)
     @Path(ApiConstants.SOURCE + ApiConstants.QNAME_PATH)
-    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS }, superScopes = {
+            ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS })
     public Response updateFlowSource(@PathParam(ApiConstants.QNAME) @NotNull String flowName, @Valid String source)
             throws NoSuchMethodException, IllegalAccessException, InvocationTargetException {
         logger.debug(" Flow to be updated flowName:{}, source:{}", flowName, source);
@@ -232,7 +239,8 @@ public Response updateFlowSource(@PathParam(ApiConstants.QNAME) @NotNull String
     @PATCH
     @Consumes(MediaType.APPLICATION_JSON_PATCH_JSON)
     @Path(ApiConstants.QNAME_PATH)
-    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_WRITE_ACCESS }, superScopes = {
+            ApiAccessConstants.SUPER_ADMIN_WRITE_ACCESS })
     public Response patchFlow(@PathParam(ApiConstants.QNAME) @NotNull String flowName, @NotNull JsonPatch jsonPatch)
             throws JsonPatchException, IOException, NoSuchMethodException, IllegalAccessException,
             InvocationTargetException {
@@ -267,7 +275,8 @@ public Response patchFlow(@PathParam(ApiConstants.QNAME) @NotNull String flowNam
             @ApiResponse(responseCode = "500", description = "InternalServerError") })
     @DELETE
     @Path(ApiConstants.QNAME_PATH)
-    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_DELETE_ACCESS })
+    @ProtectedApi(scopes = { ApiAccessConstants.AGAMA_DELETE_ACCESS }, superScopes = {
+            ApiAccessConstants.SUPER_ADMIN_DELETE_ACCESS })
     public Response delete(@PathParam(ApiConstants.QNAME) @NotNull String flowName) {
         logger.debug(" Flow to delete - flowName:{}", flowName);
         String decodedFlowName = getURLDecodedValue(flowName);