diff --git a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/license/LicenseResource.java b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/license/LicenseResource.java
index 65357d84588..6d4a4634035 100644
--- a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/license/LicenseResource.java
+++ b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/license/LicenseResource.java
@@ -5,9 +5,11 @@
 import io.jans.ca.plugin.adminui.model.auth.LicenseRequest;
 import io.jans.ca.plugin.adminui.model.auth.LicenseResponse;
 import io.jans.ca.plugin.adminui.service.license.LicenseDetailsService;
+import io.jans.ca.plugin.adminui.utils.AppConstants;
 import io.jans.ca.plugin.adminui.utils.ErrorResponse;
 import io.jans.configapi.core.rest.ProtectedApi;
+import io.jans.configapi.util.ApiAccessConstants;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.parameters.RequestBody;
 import io.swagger.v3.oas.annotations.media.Content;
@@ -53,7 +55,7 @@ public class LicenseResource {
 @ApiResponse(responseCode = "500", description = "InternalServerError", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = LicenseApiResponse.class, description = "License response")))})
 @GET
 @Path(IS_ACTIVE)
- @ProtectedApi(scopes = {SCOPE_LICENSE_READ}, groupScopes = {SCOPE_LICENSE_WRITE})
+ @ProtectedApi(scopes = {SCOPE_LICENSE_READ}, groupScopes = {SCOPE_LICENSE_WRITE}, superScopes = { AppConstants.SCOPE_ADMINUI_READ })
 @Produces(MediaType.APPLICATION_JSON)
 public Response isActive() {
 LicenseApiResponse licenseResponse = null;
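Review bot: `import io.jans.configapi.util.ApiAccessConstants;` is added in the import hunk, but nothing in the visible LicenseResource hunks references it; every new super scope is read from `AppConstants`. If the rest of the file does not use it either, drop the line so the import does not hint at a second, unused scope source. The UserManagementResource import hunk adds only `AppConstants`, which is the consistent choice.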
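Review bot: The new `superScopes` arrays in LicenseResource are written `{ AppConstants.SCOPE_ADMINUI_READ }` with padding spaces, while every hunk in UserManagementResource writes `{AppConstants.SCOPE_ADMINUI_READ}` and the existing `scopes`/`groupScopes` on the same lines use `{SCOPE_LICENSE_READ}`. The `isActive` hunk here and the activateLicense, saveLicenseCredentials and getLicenseDetails hunks that follow should adopt the unpadded form, e.g. `superScopes = {AppConstants.SCOPE_ADMINUI_READ}`. Each method body continues outside its hunk.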
@@ -79,7 +81,7 @@ public Response isActive() {
 @ApiResponse(responseCode = "500", description = "InternalServerError", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = LicenseApiResponse.class, description = "License response")))})
 @POST
 @Path(ACTIVATE_LICENSE)
- @ProtectedApi(scopes = {SCOPE_LICENSE_WRITE})
+ @ProtectedApi(scopes = {SCOPE_LICENSE_WRITE}, superScopes = { AppConstants.SCOPE_ADMINUI_WRITE })
 @Produces(MediaType.APPLICATION_JSON)
 public Response activateLicense(@Valid @NotNull LicenseRequest licenseRequest) {
 LicenseApiResponse licenseResponse = null;
@@ -105,7 +107,7 @@ public Response activateLicense(@Valid @NotNull LicenseRequest licenseRequest) {
 @ApiResponse(responseCode = "500", description = "InternalServerError", content = @Content(mediaType = MediaType.APPLICATION_JSON, schema = @Schema(implementation = LicenseApiResponse.class, description = "License response")))})
 @POST
 @Path(SAVE_API_CREDENTIALS)
- @ProtectedApi(scopes = {SCOPE_LICENSE_WRITE})
+ @ProtectedApi(scopes = {SCOPE_LICENSE_WRITE}, superScopes = { AppConstants.SCOPE_ADMINUI_WRITE })
 @Produces(MediaType.APPLICATION_JSON)
 public Response saveLicenseCredentials(@Valid @NotNull LicenseSpringCredentials licenseSpringCredentials) {
 LicenseApiResponse licenseResponse = null;
@@ -130,7 +132,7 @@ public Response saveLicenseCredentials(@Valid @NotNull LicenseSpringCredentials
 @ApiResponse(responseCode = "500", description = "InternalServerError")})
 @GET
 @Path(LICENSE_DETAILS)
- @ProtectedApi(scopes = {SCOPE_LICENSE_READ}, groupScopes = {SCOPE_LICENSE_WRITE})
+ @ProtectedApi(scopes = {SCOPE_LICENSE_READ}, groupScopes = {SCOPE_LICENSE_WRITE}, superScopes = { AppConstants.SCOPE_ADMINUI_READ })
 @Produces(MediaType.APPLICATION_JSON)
 public Response getLicenseDetails() {
 try {
diff --git a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/user/UserManagementResource.java b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/user/UserManagementResource.java
index 603fa4c015b..5769f1b94e7 100644
--- a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/user/UserManagementResource.java
+++ b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/user/UserManagementResource.java
@@ -5,6 +5,7 @@
 import io.jans.as.model.config.adminui.RolePermissionMapping;
 import io.jans.ca.plugin.adminui.model.exception.ApplicationException;
 import io.jans.ca.plugin.adminui.service.user.UserManagementService;
+import io.jans.ca.plugin.adminui.utils.AppConstants;
 import io.jans.ca.plugin.adminui.utils.ErrorResponse;
 import io.jans.configapi.core.rest.ProtectedApi;
 import io.swagger.v3.oas.annotations.Operation;
@@ -62,7 +63,7 @@ public class UserManagementResource {
 @GET
 @Path(ROLES)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = {SCOPE_ROLE_READ}, groupScopes = {SCOPE_ROLE_WRITE})
+ @ProtectedApi(scopes = {SCOPE_ROLE_READ}, groupScopes = {SCOPE_ROLE_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_READ})
 public Response getAllRoles() {
 try {
 log.info("Get all Admin-UI roles.");
@@ -90,7 +91,7 @@ public Response getAllRoles() {
 @POST
 @Path(ROLES)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_ROLE_WRITE)
+ @ProtectedApi(scopes = {SCOPE_ROLE_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_WRITE})
 public Response addRole(@Valid @NotNull AdminRole roleArg) {
 try {
 log.info("Adding Admin-UI role.");
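Review bot: The super scope on each endpoint is chosen strictly by HTTP verb — `SCOPE_ADMINUI_READ` on GET, `SCOPE_ADMINUI_WRITE` on POST/PUT, `SCOPE_ADMINUI_DELETE` on DELETE — which is narrower than the existing fine-grained model, where the GET endpoints also accept `SCOPE_ROLE_WRITE` through `groupScopes`. A client issued only `write-all` (or only `delete-all`) can therefore modify roles, permissions and mappings but cannot list or fetch them, unless `ProtectedApi` treats super scopes hierarchically, which is not visible in this diff. If the asymmetry is intended, record it once above the `getAllRoles` annotation, e.g. `// super scopes are per-verb: write-all and delete-all do not imply read-all`; if not, the GET hunks here and for getRole, getAllPermissions, getPermission, getAllAdminUIRolePermissionsMapping and getAdminUIRolePermissionsMapping (and the two GET hunks in LicenseResource) need the same decision. Each method body continues outside its hunk.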
@@ -118,7 +119,7 @@ public Response addRole(@Valid @NotNull AdminRole roleArg) {
 @PUT
 @Path(ROLES)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_ROLE_WRITE)
+ @ProtectedApi(scopes = {SCOPE_ROLE_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_WRITE})
 public Response editRole(@Valid @NotNull AdminRole roleArg) {
 try {
 log.info("Editing Admin-UI role.");
@@ -145,7 +146,7 @@ public Response editRole(@Valid @NotNull AdminRole roleArg) {
 @GET
 @Path(ROLES + ROLE_PATH_VARIABLE)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = {SCOPE_ROLE_READ}, groupScopes = {SCOPE_ROLE_WRITE})
+ @ProtectedApi(scopes = {SCOPE_ROLE_READ}, groupScopes = {SCOPE_ROLE_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_READ})
 public Response getRole(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {
 try {
 log.info("Get all Admin-UI roles.");
@@ -172,7 +173,7 @@ public Response getRole(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {
 @DELETE
 @Path(ROLES + ROLE_PATH_VARIABLE)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_ROLE_DELETE)
+ @ProtectedApi(scopes = {SCOPE_ROLE_DELETE}, superScopes = {AppConstants.SCOPE_ADMINUI_DELETE})
 public Response deleteRole(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {
 try {
 log.info("Deleting Admin-UI role.");
@@ -199,7 +200,7 @@ public Response deleteRole(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {
 @GET
 @Path(PERMISSIONS)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = {SCOPE_PERMISSION_READ}, groupScopes = {SCOPE_PERMISSION_WRITE})
+ @ProtectedApi(scopes = {SCOPE_PERMISSION_READ}, groupScopes = {SCOPE_PERMISSION_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_READ})
 public Response getAllPermissions() {
 try {
 log.info("Get all Admin-UI permissions.");
@@ -227,7 +228,7 @@ public Response getAllPermissions() {
 @POST
 @Path(PERMISSIONS)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_PERMISSION_WRITE)
+ @ProtectedApi(scopes = {SCOPE_PERMISSION_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_WRITE})
 public Response addPermission(@Valid @NotNull AdminPermission permissionArg) {
 try {
 log.info("Adding Admin-UI permissions.");
@@ -255,7 +256,7 @@ public Response addPermission(@Valid @NotNull AdminPermission permissionArg) {
 @PUT
 @Path(PERMISSIONS)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_PERMISSION_WRITE)
+ @ProtectedApi(scopes = {SCOPE_PERMISSION_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_WRITE})
 public Response editPermission(@Valid @NotNull AdminPermission permissionArg) {
 try {
 log.info("Editing Admin-UI permissions.");
@@ -282,7 +283,7 @@ public Response editPermission(@Valid @NotNull AdminPermission permissionArg) {
 @GET
 @Path(PERMISSIONS + PERMISSION_PATH_VARIABLE)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = {SCOPE_PERMISSION_READ}, groupScopes = {SCOPE_PERMISSION_WRITE})
+ @ProtectedApi(scopes = {SCOPE_PERMISSION_READ}, groupScopes = {SCOPE_PERMISSION_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_READ})
 public Response getPermission(@PathParam(PERMISSION_CONST) @NotNull String adminUIPermission) {
 try {
 log.info("Get Admin-UI permission.");
@@ -309,7 +310,7 @@ public Response getPermission(@PathParam(PERMISSION_CONST) @NotNull String admin
 @DELETE
 @Path(PERMISSIONS + PERMISSION_PATH_VARIABLE)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_PERMISSION_DELETE)
+ @ProtectedApi(scopes = {SCOPE_PERMISSION_DELETE}, superScopes = {AppConstants.SCOPE_ADMINUI_DELETE})
 public Response deletePermission(@PathParam(PERMISSION_CONST) @NotNull String adminUIPermission) {
 try {
 log.info("Deleting Admin-UI permission.");
@@ -336,7 +337,7 @@ public Response deletePermission(@PathParam(PERMISSION_CONST) @NotNull String ad
 @GET
 @Path(ROLE_PERMISSIONS_MAPPING)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = {SCOPE_ROLE_PERMISSION_MAPPING_READ}, groupScopes = {SCOPE_ROLE_PERMISSION_MAPPING_WRITE})
+ @ProtectedApi(scopes = {SCOPE_ROLE_PERMISSION_MAPPING_READ}, groupScopes = {SCOPE_ROLE_PERMISSION_MAPPING_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_READ})
 public Response getAllAdminUIRolePermissionsMapping() {
 try {
 log.info("Get all Admin-UI role-permissions mapping.");
@@ -364,7 +365,7 @@ public Response getAllAdminUIRolePermissionsMapping() {
 @POST
 @Path(ROLE_PERMISSIONS_MAPPING)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_ROLE_PERMISSION_MAPPING_WRITE)
+ @ProtectedApi(scopes = {SCOPE_ROLE_PERMISSION_MAPPING_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_WRITE})
 public Response addPermissionsToRole(@Valid @NotNull RolePermissionMapping rolePermissionMappingArg) {
 try {
 log.info("Adding role-permissions to Admin-UI.");
@@ -392,7 +393,7 @@ public Response addPermissionsToRole(@Valid @NotNull RolePermissionMapping roleP
 @PUT
 @Path(ROLE_PERMISSIONS_MAPPING)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_ROLE_PERMISSION_MAPPING_WRITE)
+ @ProtectedApi(scopes = {SCOPE_ROLE_PERMISSION_MAPPING_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_WRITE})
 public Response mapPermissionsToRole(@Valid @NotNull RolePermissionMapping rolePermissionMappingArg) {
 try {
 log.info("Mapping permissions to Admin-UI role.");
@@ -419,7 +420,7 @@ public Response mapPermissionsToRole(@Valid @NotNull RolePermissionMapping roleP
 @GET
 @Path(ROLE_PERMISSIONS_MAPPING + ROLE_PATH_VARIABLE)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = {SCOPE_ROLE_PERMISSION_MAPPING_READ}, groupScopes = {SCOPE_ROLE_PERMISSION_MAPPING_WRITE})
+ @ProtectedApi(scopes = {SCOPE_ROLE_PERMISSION_MAPPING_READ}, groupScopes = {SCOPE_ROLE_PERMISSION_MAPPING_WRITE}, superScopes = {AppConstants.SCOPE_ADMINUI_READ})
 public Response getAdminUIRolePermissionsMapping(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {
 try {
 log.info("Get Admin-UI role-permissions mapping by role-name.");
@@ -446,7 +447,7 @@ public Response getAdminUIRolePermissionsMapping(@PathParam(ROLE_CONST) @NotNull
 @DELETE
 @Path(ROLE_PERMISSIONS_MAPPING + ROLE_PATH_VARIABLE)
 @Produces(MediaType.APPLICATION_JSON)
- @ProtectedApi(scopes = SCOPE_ROLE_PERMISSION_MAPPING_DELETE)
+ @ProtectedApi(scopes = {SCOPE_ROLE_PERMISSION_MAPPING_DELETE}, superScopes = {AppConstants.SCOPE_ADMINUI_DELETE})
 public Response removePermissionsFromRole(@PathParam(ROLE_CONST) @NotNull String role) {
 try {
 log.info("Removing permissions to Admin-UI role.");
diff --git a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/utils/AppConstants.java b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/utils/AppConstants.java
index bd8685459df..4aac6f41a21 100644
--- a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/utils/AppConstants.java
+++ b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/utils/AppConstants.java
@@ -7,4 +7,7 @@ public interface AppConstants {
 //application type
 public static final String APPLICATION_KEY_ADMIN_UI = "admin-ui";
 public static final String APPLICATION_KEY_ADS = "ads";
+ public static final String SCOPE_ADMINUI_READ = "https://jans.io/oauth/jans-auth-server/config/adminui/read-all";
+ public static final String SCOPE_ADMINUI_WRITE = "https://jans.io/oauth/jans-auth-server/config/adminui/write-all";
+ public static final String SCOPE_ADMINUI_DELETE = "https://jans.io/oauth/jans-auth-server/config/adminui/delete-all";
 }
diff --git a/jans-config-api/server/src/main/resources/config-api-rs-protect.json b/jans-config-api/server/src/main/resources/config-api-rs-protect.json
index 3dc5dd5aa6c..47027e4ea86 100644
--- a/jans-config-api/server/src/main/resources/config-api-rs-protect.json
+++ b/jans-config-api/server/src/main/resources/config-api-rs-protect.json
@@ -1757,23 +1757,16 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write"
 }
 ],
- "superScopes": []
- },
- {
- "httpMethods": [
- "POST"
- ],
- "scopes": [
+ "superScopes": [
 {
- "inum": "1800.04.2",
- "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write"
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
 }
- ],
- "groupScopes": [],
- "superScopes": []
+ ]
 },
 {
 "httpMethods": [
+ "POST",
 "PUT"
 ],
 "scopes": [
@@ -1783,7 +1776,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.13",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/write-all"
+ }
+ ]
 }
 ]
 },
@@ -1806,7 +1804,12 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write"
 }
 ],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
+ }
+ ]
 },
 {
 "httpMethods": [
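Review bot: The three new constants carry no documentation, yet their string values must match byte-for-byte the `name` fields paired with inums 1800.04.12, 1800.04.13 and 1800.04.14 in config-api-rs-protect.json in this same change, and a mismatch between the two is not caught at compile time. Add a short Javadoc above `SCOPE_ADMINUI_READ` stating that these are the Admin-UI super scopes, that each one satisfies every `@ProtectedApi` of its verb class (read for GET, write for POST/PUT, delete for DELETE), and that any change must be mirrored in config-api-rs-protect.json. `public static final` is redundant on interface fields, but the existing `APPLICATION_KEY_*` lines use the same form, so keeping it here is the consistent choice.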
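Review bot: In the first config-api-rs-protect.json hunk the standalone `POST` entry (scopes inum `1800.04.2`, `.../user/role.write`) is deleted and `"POST",` is added to the neighbouring `PUT` entry, but that entry's `scopes` array lies outside the hunk, so the diff alone does not show that POST still requires `role.write`; please confirm, since the same merge is repeated for permissions (`1800.04.5`) and role-permission mappings (`1800.04.8`) in the next hunks. The new `superScopes` entries reference inums `1800.04.12` to `1800.04.14`, and nothing in this diff creates those scope definitions; if they are not registered elsewhere, how the protection loader treats an unknown inum decides whether the super scope silently never matches or the whole entry fails to load.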
@@ -1819,7 +1822,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.14",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/delete-all"
+ }
+ ]
 }
 ]
 },
@@ -1842,23 +1850,16 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write"
 }
 ],
- "superScopes": []
- },
- {
- "httpMethods": [
- "POST"
- ],
- "scopes": [
+ "superScopes": [
 {
- "inum": "1800.04.5",
- "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write"
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
 }
- ],
- "groupScopes": [],
- "superScopes": []
+ ]
 },
 {
 "httpMethods": [
+ "POST",
 "PUT"
 ],
 "scopes": [
@@ -1868,7 +1869,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.13",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/write-all"
+ }
+ ]
 }
 ]
 },
@@ -1891,7 +1897,12 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write"
 }
 ],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
+ }
+ ]
 },
 {
 "httpMethods": [
@@ -1904,7 +1915,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.14",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/delete-all"
+ }
+ ]
 }
 ]
 },
@@ -1927,23 +1943,16 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write"
 }
 ],
- "superScopes": []
- },
- {
- "httpMethods": [
- "POST"
- ],
- "scopes": [
+ "superScopes": [
 {
- "inum": "1800.04.8",
- "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write"
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
 }
- ],
- "groupScopes": [],
- "superScopes": []
+ ]
 },
 {
 "httpMethods": [
+ "POST",
 "PUT"
 ],
 "scopes": [
@@ -1953,7 +1962,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.13",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/write-all"
+ }
+ ]
 }
 ]
 },
@@ -1976,7 +1990,12 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write"
 }
 ],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
+ }
+ ]
 },
 {
 "httpMethods": [
@@ -1989,7 +2008,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.14",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/delete-all"
+ }
+ ]
 }
 ]
 },
@@ -2012,7 +2036,12 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/license.write"
 }
 ],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
+ }
+ ]
 }
 ]
 },
@@ -2030,7 +2059,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.13",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/write-all"
+ }
+ ]
 }
 ]
 },
@@ -2053,7 +2087,12 @@
 "name": "https://jans.io/oauth/jans-auth-server/config/adminui/license.write"
 }
 ],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.12",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/read-all"
+ }
+ ]
 }
 ]
 },
@@ -2071,7 +2110,12 @@
 }
 ],
 "groupScopes": [],
- "superScopes": []
+ "superScopes": [
+ {
+ "inum": "1800.04.13",
+ "name": "https://jans.io/oauth/jans-auth-server/config/adminui/write-all"
+ }
+ ]
 }
 ]
 }