Restrict findByUUID endpoint to admins (#792)

indigo-iam · Jun 19, 2024 · 7d0c523 · 7d0c523
1 parent 4bc7379
commit 7d0c523
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 21 deletions.
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
@@ -25,7 +25,11 @@
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.BindingResult;
 import org.springframework.validation.annotation.Validated;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
 
 import it.infn.mw.iam.api.common.ListResponseDTO;
 import it.infn.mw.iam.api.common.form.PaginatedRequestWithFilterForm;
@@ -120,7 +124,6 @@ public ListResponseDTO<ScimUser> findNotInGroup(@PathVariable String groupUuid,
   }
 
   @GetMapping(value = FIND_BY_UUID_RESOURCE, produces = ScimConstants.SCIM_CONTENT_TYPE)
-  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or hasRole('USER')")
   public ListResponseDTO<ScimUser> findByUuid(@PathVariable String accountUuid) {
     return service.findAccountByUuid(accountUuid);
   }

diff --git a/...ain/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js b/...ain/webapp/resources/iam/apps/dashboard-app/components/clients/client/client.component.js
@@ -133,12 +133,8 @@
             });
         }
 
-        function getClientStatusMessage(){
-            FindService.findAccountByUuid(self.clientVal.status_changed_by).then(function(res){
-                self.clientStatusMessage = "Suspended by " + res.userName + " on " + getFormatedDate(self.clientVal.status_changed_on);                                            
-            }).catch(function (res) {
-                console.debug("Error retrieving user account!", res);
-            });           
+        function getClientStatusMessage() {
+            self.clientStatusMessage = "Suspended by a VO admin on " + getFormatedDate(self.clientVal.status_changed_on);
         }
 
         function getFormatedDate(dateToFormat){

diff --git a/.../resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js b/.../resources/iam/apps/dashboard-app/components/clients/clientslist/clientslist.component.js
@@ -120,12 +120,8 @@
             });
         }
 
-        function getClientStatusMessage(client){
-            FindService.findAccountByUuid(client.status_changed_by).then(function(res){
-                self.clientStatusMessage = "Suspended by " + res.userName + " on " + getFormatedDate(client.status_changed_on);                                            
-            }).catch(function (res) {
-                console.debug("Error retrieving user account!", res);
-            });           
+        function getClientStatusMessage(client) {
+            self.clientStatusMessage = "Suspended by a VO admin on " + getFormatedDate(client.status_changed_on);
         }
 
         function getFormatedDate(dateToFormat){

diff --git a/.../webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js b/.../webapp/resources/iam/apps/dashboard-app/components/user/myclients/myclients.component.js
@@ -121,11 +121,7 @@
         }
 
         function getClientStatusMessage(client){
-            FindService.findAccountByUuid(client.status_changed_by).then(function(res){
-                self.clientStatusMessage = "Suspended by " + res.userName + " on " + getFormatedDate(client.status_changed_on);                                            
-            }).catch(function (res) {
-                console.debug("Error retrieving user account!", res);
-            });           
+            self.clientStatusMessage = "Suspended by a VO admin on " + getFormatedDate(client.status_changed_on);
         }
 
         function getFormatedDate(dateToFormat){

diff --git a/...rvice/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java b/...rvice/src/test/java/it/infn/mw/iam/test/api/account/find/FindAccountIntegrationTests.java
@@ -293,7 +293,6 @@ public void findNotInGroupWorks() throws Exception {
   }
 
   @Test
-  @WithMockUser(username = "test", roles = "USER")
   public void findByUUIDWorks() throws Exception {
 
     IamAccount testAccount = accountRepo.findByUuid(TEST_USER_UUID)
@@ -308,10 +307,27 @@ public void findByUUIDWorks() throws Exception {
 
   @Test
   @WithMockUser(username = "test", roles = "USER")
-  public void totalResultDoesNotExistForUnknownUUID() throws Exception {
+  public void findByUUIDForbiddenForUsers() throws Exception {
+
+    IamAccount testAccount = accountRepo.findByUuid(TEST_USER_UUID)
+      .orElseThrow(assertionError(EXPECTED_ACCOUNT_NOT_FOUND));
+
+    mvc.perform(get(FIND_BY_UUID_RESOURCE, testAccount.getUuid()))
+      .andExpect(FORBIDDEN);
+  }
+
+  @Test
+  public void emptyResultForUnknownUUIDIfAdmin() throws Exception {
     mvc.perform(get(FIND_BY_UUID_RESOURCE, "unknown_uuid"))
        .andExpect(OK)
        .andExpect(jsonPath("$.totalResults").doesNotExist())
        .andExpect(jsonPath("$.Resources", emptyIterable()));
   }
+
+  @Test
+  @WithMockUser(username = "test", roles = "USER")
+  public void forbiddenForUnknownUUIDIfUser() throws Exception {
+    mvc.perform(get(FIND_BY_UUID_RESOURCE, "unknown_uuid"))
+       .andExpect(FORBIDDEN);
+  }
 }