From 518466d8934b9a00f977e0361b3863988864638a Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Mon, 1 Jul 2024 14:56:33 +0200
Subject: [PATCH] Enforce scope on entity deletion

---
 .../main/java/manage/control/MetaDataController.java | 1 +
 .../src/main/java/manage/web/ScopeEnforcer.java | 6 ++++++
 .../src/test/java/manage/web/ScopeEnforcerTest.java | 11 +++++++++++
 3 files changed, 18 insertions(+)

diff --git a/manage-server/src/main/java/manage/control/MetaDataController.java b/manage-server/src/main/java/manage/control/MetaDataController.java
index 39d02826..a58266ad 100644
--- a/manage-server/src/main/java/manage/control/MetaDataController.java
+++ b/manage-server/src/main/java/manage/control/MetaDataController.java
@@ -218,6 +218,7 @@ public boolean remove(@PathVariable("type") String type,
 public boolean removeInternal(@PathVariable("type") String type,
 @PathVariable("id") String id,
 APIUser apiUser) {
+ ScopeEnforcer.enforceDeleteScope(apiUser, EntityType.fromType(type));
 return metaDataService.doRemove(type, id, apiUser, "Deleted by APIUser " + apiUser.getName());
 }
 
diff --git a/manage-server/src/main/java/manage/web/ScopeEnforcer.java b/manage-server/src/main/java/manage/web/ScopeEnforcer.java
index 7eb007a5..2bd18580 100644
--- a/manage-server/src/main/java/manage/web/ScopeEnforcer.java
+++ b/manage-server/src/main/java/manage/web/ScopeEnforcer.java
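Review bot: The new `enforceDeleteScope` call lives in the controller rather than in `metaDataService.doRemove`, so the authorization guarantee depends on every entry point that deletes on behalf of an `APIUser` remembering to make the same call; the `remove` method named in the hunk header, whose body is outside this hunk, is the obvious neighbour to check. If more than one path reaches `doRemove` with an `APIUser`, having `doRemove` itself invoke `ScopeEnforcer.enforceDeleteScope` would make the check impossible to bypass. `EntityType.fromType(type)` is now evaluated on the raw `{type}` path segment before anything else; if it can return null or throw for an unknown type, that outcome rather than `EndpointNotAllowed` is what the caller sees, so it is worth confirming it fails closed and does not produce a stack-trace response. A one-line comment above the added call, `// Authorize before touching the entity so a denied caller learns nothing about its existence`, would record that the ordering is deliberate.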
@@ -28,6 +28,12 @@ public static void enforceChangeRequestScope(APIUser apiUser, EntityType entityT
 enforceScope(entityType, apiUser, CHANGE_REQUEST_IDP, CHANGE_REQUEST_SP, "change request");
 }
 
+ public static void enforceDeleteScope(APIUser apiUser, EntityType entityType) {
+ if (!spEntityTypes.contains(entityType) || !apiUser.isAllowed(DELETE_SP)) {
+ throw new EndpointNotAllowed(String.format("APIUser %s is not allowed to delete an entity %s", apiUser.getName(), entityType.getType()));
+ }
+ }
+
 private static void enforceScope(EntityType entityType, APIUser apiUser, Scope writeIdp, Scope writeSp, String action) {
 if (entityType.equals(EntityType.IDP) && !apiUser.isAllowed(writeIdp)) {
 throw new EndpointNotAllowed(String.format("APIUser %s is not allowed to %s for entity %s", apiUser.getName(), action, entityType.getType()));
diff --git a/manage-server/src/test/java/manage/web/ScopeEnforcerTest.java b/manage-server/src/test/java/manage/web/ScopeEnforcerTest.java
index afaac7b1..9acfdd5e 100644
--- a/manage-server/src/test/java/manage/web/ScopeEnforcerTest.java
+++ b/manage-server/src/test/java/manage/web/ScopeEnforcerTest.java
@@ -61,4 +61,15 @@ public void enforceChangeRequestScopeAllowedIdP() {
 public void enforceChangeRequestScopeAllowedSP() {
 ScopeEnforcer.enforceChangeRequestScope(new APIUser("test", List.of(Scope.CHANGE_REQUEST_SP)), EntityType.SP);
 }
+
+ @Test(expected = EndpointNotAllowed.class)
+ public void enforceDeleteScopeIdP() {
+ ScopeEnforcer.enforceDeleteScope(new APIUser("test", List.of(Scope.DELETE_SP)), EntityType.IDP);
+ }
+
+ @Test
+ public void enforceDeleteScopeIdPNotAllowed() {
+ ScopeEnforcer.enforceDeleteScope(new APIUser("test", List.of(Scope.DELETE_SP)), EntityType.SRAM);
+ }
+
 }
\ No newline at end of file
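Review bot: `enforceDeleteScope` breaks the IdP/SP pairing that `enforceScope` below it follows — there is no IdP counterpart to `DELETE_SP`, so every entity type outside `spEntityTypes` (including `EntityType.IDP`, as the new test asserts) is refused regardless of the caller's scopes, and nothing in the code says that this asymmetry is intentional rather than an omission. I would add a Javadoc above the method: `/** Deletion through the API is limited to SP-type entities ({@code spEntityTypes}) and requires {@link Scope#DELETE_SP}; there is no IdP deletion scope, so any other type is refused (fail closed). */`. `spEntityTypes` is defined outside the hunk and the new test shows it admits `EntityType.SRAM`, so it is worth confirming that set is exactly what `DELETE_SP` is meant to authorize. The `enforceScope` method that follows continues past the end of the hunk.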
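Review bot: The name `enforceDeleteScopeIdPNotAllowed` contradicts the body of the second added test method: it passes `EntityType.SRAM`, not an IdP, and it expects the call to succeed rather than throw, so anyone reading the test names gets the opposite of what is verified. The additions also lack the negative case this guard exists for — an SP-type entity with a caller that does not hold `DELETE_SP` — so the `!apiUser.isAllowed(DELETE_SP)` branch of the new check is never exercised. Renaming the method and adding that case would look like this:
```java
    // … unchanged: enforceChangeRequestScopeAllowedSP and enforceDeleteScopeIdP …

    @Test
    public void enforceDeleteScopeAllowedSram() {
        ScopeEnforcer.enforceDeleteScope(new APIUser("test", List.of(Scope.DELETE_SP)), EntityType.SRAM);
    }

    @Test(expected = EndpointNotAllowed.class)
    public void enforceDeleteScopeSpWithoutDeleteScope() {
        ScopeEnforcer.enforceDeleteScope(new APIUser("test", List.of(Scope.CHANGE_REQUEST_SP)), EntityType.SP);
    }
```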