fix: the admin-ui role/permission/mapping delete apis are not protected by appropriate permissions #2991 #2992

merged 1 commit into from
Nov 16, 2022
Expand Up @@ -37,10 +37,13 @@ public class UserManagementResource {
static final String ROLE_PERMISSIONS_MAPPING = "/adminUIRolePermissionsMapping";
static final String SCOPE_ROLE_READ = "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly";
static final String SCOPE_ROLE_WRITE = "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write";
static final String SCOPE_ROLE_DELETE = "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete";
static final String SCOPE_PERMISSION_READ = "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly";
static final String SCOPE_PERMISSION_WRITE = "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write";
static final String SCOPE_PERMISSION_DELETE = "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete";
static final String SCOPE_ROLE_PERMISSION_MAPPING_READ = "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly";
static final String SCOPE_ROLE_PERMISSION_MAPPING_WRITE = "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write";
static final String SCOPE_ROLE_PERMISSION_MAPPING_DELETE = "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete";

@Inject
Logger log;
Expand Down Expand Up @@ -160,7 +163,7 @@ public Response getRole(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {

@Operation(summary = "Delete admin ui role by role-name", description = "Delete admin ui role by role-name", operationId = "delete-adminui-role", tags = {
"Admin UI - Role"}, security = @SecurityRequirement(name = "oauth2", scopes = {
SCOPE_ROLE_WRITE}))
SCOPE_ROLE_DELETE}))
@ApiResponses(value = {
@ApiResponse(responseCode = "200", description = "Ok", content = @Content(mediaType = MediaType.APPLICATION_JSON, array = @ArraySchema(schema = @Schema(implementation = AdminRole.class, description = "List of AdminRole")))),
@ApiResponse(responseCode = "400", description = "Bad Request"),
Expand All @@ -169,7 +172,7 @@ public Response getRole(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {
@DELETE
@Path(ROLES + ROLE_PATH_VARIABLE)
@Produces(MediaType.APPLICATION_JSON)
@ProtectedApi(scopes = SCOPE_ROLE_WRITE)
@ProtectedApi(scopes = SCOPE_ROLE_DELETE)
public Response deleteRole(@PathParam(ROLE_CONST) @NotNull String adminUIRole) {
try {
log.info("Deleting Admin-UI role.");
Expand Down Expand Up @@ -297,7 +300,7 @@ public Response getPermission(@PathParam(PERMISSION_CONST) @NotNull String admin

@Operation(summary = "Delete admin ui permission by permission-name", description = "Delete admin ui permission by permission-name", operationId = "delete-adminui-permission", tags = {
"Admin UI - Permission"}, security = @SecurityRequirement(name = "oauth2", scopes = {
SCOPE_PERMISSION_WRITE}))
SCOPE_PERMISSION_DELETE}))
@ApiResponses(value = {
@ApiResponse(responseCode = "200", description = "Ok", content = @Content(mediaType = MediaType.APPLICATION_JSON, array = @ArraySchema(schema = @Schema(implementation = AdminPermission.class, description = "List of AdminPermission")))),
@ApiResponse(responseCode = "400", description = "Bad Request"),
Expand All @@ -306,7 +309,7 @@ public Response getPermission(@PathParam(PERMISSION_CONST) @NotNull String admin
@DELETE
@Path(PERMISSIONS + PERMISSION_PATH_VARIABLE)
@Produces(MediaType.APPLICATION_JSON)
@ProtectedApi(scopes = SCOPE_PERMISSION_WRITE)
@ProtectedApi(scopes = SCOPE_PERMISSION_DELETE)
public Response deletePermission(@PathParam(PERMISSION_CONST) @NotNull String adminUIPermission) {
try {
log.info("Deleting Admin-UI permission.");
Expand Down Expand Up @@ -434,7 +437,7 @@ public Response getAdminUIRolePermissionsMapping(@PathParam(ROLE_CONST) @NotNull

@Operation(summary = "Remove role-permissions mapping by role-name", description = "Remove role-permissions mapping by role-name", operationId = "remove-role-permissions-permission", tags = {
"Admin UI - Role-Permissions Mapping"}, security = @SecurityRequirement(name = "oauth2", scopes = {
SCOPE_ROLE_PERMISSION_MAPPING_WRITE}))
SCOPE_ROLE_PERMISSION_MAPPING_DELETE}))
@ApiResponses(value = {
@ApiResponse(responseCode = "200", description = "Ok", content = @Content(mediaType = MediaType.APPLICATION_JSON, array = @ArraySchema(schema = @Schema(implementation = RolePermissionMapping.class, description = "List of RolePermissionMapping")))),
@ApiResponse(responseCode = "400", description = "Bad Request"),
Expand All @@ -443,7 +446,7 @@ public Response getAdminUIRolePermissionsMapping(@PathParam(ROLE_CONST) @NotNull
@DELETE
@Path(ROLE_PERMISSIONS_MAPPING + ROLE_PATH_VARIABLE)
@Produces(MediaType.APPLICATION_JSON)
@ProtectedApi(scopes = SCOPE_ROLE_PERMISSION_MAPPING_WRITE)
@ProtectedApi(scopes = SCOPE_ROLE_PERMISSION_MAPPING_DELETE)
public Response removePermissionsFromRole(@PathParam(ROLE_CONST) @NotNull String role) {
try {
log.info("Removing permissions to Admin-UI role.");
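Review bot: The three destructive endpoints now require dedicated `.delete` scopes, but their audit trail still does not record what was deleted: `deleteRole`, `deletePermission` and `removePermissionsFromRole` each log a fixed string such as `log.info("Deleting Admin-UI role.");` while the target name sits unused in the path parameter. For an admin-UI authorization model that is being tightened for least privilege, the log line should name the object being removed, e.g. `log.info("Deleting Admin-UI role: {}", adminUIRole);` (likewise `adminUIPermission` and `role` in the other two), and since these are caller-supplied path parameters the logging backend should be confirmed to neutralize CR/LF or the value should go in a structured field rather than the message. Note that the new `SCOPE_*_DELETE` strings only take effect if the matching scopes are registered on the auth server and granted to the admin-UI client; with this change alone, a token that previously deleted via the `.write` scope will be rejected, which appears to be the intent but should be stated in the PR. The bodies of all three methods continue outside the visible hunks, so whether any guard exists against deleting a built-in role or the caller's own role cannot be judged here.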