patch for security with different roles.

adorsys · Oct 30, 2023 · 31f5006 · 31f5006
1 parent 81404be
commit 31f5006
Show file tree

Hide file tree

Showing 18 changed files with 125 additions and 85 deletions.
diff --git a/.env b/.env
@@ -1 +1 @@
-LEDGERS_VERSION=develop
+LEDGERS_VERSION=5.0
diff --git a/ledgers-app/src/main/java/de/adorsys/ledgers/app/server/auth/WebSecurityConfigKeycloak.java b/ledgers-app/src/main/java/de/adorsys/ledgers/app/server/auth/WebSecurityConfigKeycloak.java
@@ -18,11 +18,11 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -31,6 +31,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.web.context.annotation.RequestScope;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -51,6 +52,7 @@
 public class WebSecurityConfigKeycloak {
 
     private final KeycloakAuthMapper authMapper;
+    private final Environment environment;
 
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) {
@@ -63,11 +65,6 @@ public void configureGlobal(AuthenticationManagerBuilder auth) {
     @Bean
     @SuppressWarnings("PMD.SignatureDeclareThrowsException")
     SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-
-        http
-                .sessionManagement()
-                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
-
         http
                 .authorizeHttpRequests()
                 .requestMatchers(INDEX_WHITELIST).permitAll()
@@ -77,13 +74,15 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                 .requestMatchers(APP_WHITELIST).permitAll()
                 .anyRequest()
                 .authenticated()
-                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-                .and().oauth2ResourceServer()
+                .and()
+                .oauth2ResourceServer()
                 .jwt().jwtAuthenticationConverter(new KeycloakJwtAuthenticationConverter()).and()
-                .and().cors().disable() // by default uses a Bean by the name of corsConfigurationSource
+                .and()
+                .cors().disable() // by default uses a Bean by the name of corsConfigurationSource
                 .csrf().disable()
                 .formLogin().disable()
-                .httpBasic().disable();
+                .httpBasic().disable()
+                .addFilterBefore(new DisableEndpointFilter(environment), BasicAuthenticationFilter.class);
 
         return http.build();
     }

diff --git a/ledgers-app/src/main/resources/application.yml b/ledgers-app/src/main/resources/application.yml
@@ -40,7 +40,10 @@ springdoc:
   swagger-ui:
     path: /swagger-ui.html
 
+
 spring:
+  main:
+    allow-bean-definition-overriding: true
   security:
     oauth2:
       resourceserver:

diff --git a/...er/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountMgmStaffResource.java b/...er/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountMgmStaffResource.java
@@ -35,47 +35,47 @@ public class AccountMgmStaffResource implements AccountMgmStaffResourceAPI {
     private final ScaInfoHolder scaInfoHolder;
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountIban(#iban)")
+    @PreAuthorize("hasManagerAccessToAccountIban(#iban)")
     public ResponseEntity<List<AccountDetailsTO>> getAccountsByIbanAndCurrency(String iban, String currency) {
         return ResponseEntity.ok(middlewareAccountService.getAccountsByIbanAndCurrency(iban, currency));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+    @PreAuthorize("hasManagerAccessToUser(#userId)")
     public ResponseEntity<Boolean> createDepositAccountForUser(String userId, AccountDetailsTO accountDetailsTO) {
         boolean created = middlewareAccountService.createDepositAccount(userId, scaInfoHolder.getScaInfo(), accountDetailsTO);
         return ResponseEntity.ok(created);
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity<List<AccountDetailsTO>> getListOfAccounts() {
         return ResponseEntity.ok(middlewareAccountService.listDepositAccountsByBranch(scaInfoHolder.getUserId()));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity<CustomPageImpl<AccountDetailsTO>> getListOfAccountsPaged(String queryParam, int page, int size, boolean withBalance) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         CustomPageImpl<AccountDetailsTO> details = middlewareAccountService.listDepositAccountsByBranchPaged(scaInfoHolder.getUserId(), queryParam, withBalance, pageable);
         return ResponseEntity.ok(details);
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity<AccountDetailsTO> getAccountDetailsById(String accountId) {
         return ResponseEntity.ok(middlewareAccountService.getDepositAccountById(accountId, LocalDateTime.now(), true));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId) && @accountAccessSecurityFilter.isEnabledAccount(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId) && isEnabledAccount(#accountId)")
     public ResponseEntity<Void> depositCash(String accountId, AmountTO amount) {
         middlewareAccountService.depositCash(scaInfoHolder.getScaInfo(), accountId, amount);
         return ResponseEntity.accepted().build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity<AccountReportTO> getExtendedAccountDetailsById(String accountId) {
         long start = System.nanoTime();
         AccountReportTO accountReport = middlewareAccountService.getAccountReport(accountId);
@@ -84,13 +84,13 @@ public ResponseEntity<AccountReportTO> getExtendedAccountDetailsById(String acco
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity<Boolean> changeStatus(String accountId) {
         return ResponseEntity.ok(middlewareAccountService.changeStatus(accountId, false));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity<Void> changeCreditLimit(String accountId, BigDecimal creditLimit) {
         middlewareAccountService.changeCreditLimit(accountId, creditLimit);
         return ResponseEntity.accepted().build();

diff --git a/...est-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountResource.java b/...est-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountResource.java
@@ -44,34 +44,34 @@ public class AccountResource implements AccountRestAPI {
      * @return : the list of accounts linked with the current customer.
      */
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('CUSTOMER','SYSTEM')")
+    @PreAuthorize("hasAnyRole('CUSTOMER','SYSTEM')")
     public ResponseEntity<List<AccountDetailsTO>> getListOfAccounts() {
         return ResponseEntity.ok(middlewareAccountService.listDepositAccounts(scaInfoHolder.getUserId()));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity<AccountDetailsTO> getAccountDetailsById(String accountId) {
         return ResponseEntity.ok(middlewareAccountService.getDepositAccountById(accountId, LocalDateTime.now(), true));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity<List<AccountBalanceTO>> getBalances(String accountId) {
         AccountDetailsTO accountDetails = middlewareAccountService.getDepositAccountById(accountId, LocalDateTime.now(), true);
         return ResponseEntity.ok(accountDetails.getBalances());
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity<List<TransactionTO>> getTransactionByDates(String accountId, LocalDate dateFrom, LocalDate dateTo) {
         dateChecker(dateFrom, dateTo);
         List<TransactionTO> transactions = middlewareAccountService.getTransactionsByDates(accountId, validDate(dateFrom), validDate(dateTo));
         return ResponseEntity.ok(transactions);
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity<CustomPageImpl<TransactionTO>> getTransactionByDatesPaged(String accountId, LocalDate dateFrom, LocalDate dateTo, int page, int size) {
         dateChecker(dateFrom, dateTo);
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
@@ -80,13 +80,13 @@ public ResponseEntity<CustomPageImpl<TransactionTO>> getTransactionByDatesPaged(
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity<TransactionTO> getTransactionById(String accountId, String transactionId) {
         return ResponseEntity.ok(middlewareAccountService.getTransactionById(accountId, transactionId));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountWithIban(#request.psuAccount.iban)")
+    @PreAuthorize("hasAccessToAccountWithIban(#request.psuAccount.iban)")
     public ResponseEntity<Boolean> fundsConfirmation(FundsConfirmationRequestTO request) {
         if (request.getInstructedAmount().getAmount().compareTo(BigDecimal.ZERO) <= 0) { //TODO move to validation filter
             throw MiddlewareModuleException.builder()
@@ -99,7 +99,7 @@ public ResponseEntity<Boolean> fundsConfirmation(FundsConfirmationRequestTO requ
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.accountInfoByIdentifier(#accountIdentifierType, #accountIdentifier)")
+    @PreAuthorize("accountInfoByIdentifier(#accountIdentifierType, #accountIdentifier)")
     public ResponseEntity<List<AdditionalAccountInformationTO>> getAdditionalAccountInfo(AccountIdentifierTypeTO accountIdentifierType, String accountIdentifier) {
         return ResponseEntity.ok(userManagementService.getAdditionalInformation(scaInfoHolder.getScaInfo(), accountIdentifierType, accountIdentifier));
     }

diff --git a/...-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AdminResource.java b/...-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AdminResource.java
@@ -47,56 +47,56 @@ public class AdminResource implements AdminResourceAPI {
     private final UserMapper userMapper;
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('SYSTEM')")
+    @PreAuthorize("hasAnyRole('SYSTEM')")
     public ResponseEntity<List<UserTO>> getAllUsers() {
         return ResponseEntity.ok(middlewareUserService.listUsers(0, Integer.MAX_VALUE));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity<CustomPageImpl<UserExtendedTO>> users(String countryCode, String branchId, String branchLogin, String userLogin, UserRoleTO role, Boolean blocked, int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         List<UserRoleTO> roles = Optional.ofNullable(role).map(Collections::singletonList).orElseGet(() -> Arrays.asList(STAFF, CUSTOMER));
         return ResponseEntity.ok(middlewareUserService.getUsersByBranchAndRolesExtended(countryCode, branchId, branchLogin, userLogin, roles, blocked, pageable));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity<CustomPageImpl<UserTO>> admins(int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         return ResponseEntity.ok(middlewareUserService.getUsersByRoles(Collections.singletonList(SYSTEM), pageable));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity<CustomPageImpl<AccountDetailsExtendedTO>> accounts(String countryCode, String branchId, String branchLogin, String iban, Boolean blocked, int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         return ResponseEntity.ok(accountManagementService.getAccountsByBranchAndMultipleParams(countryCode, branchId, branchLogin, iban, blocked, pageable));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity<Void> updatePassword(String branchId, String password) {
         middlewareUserService.updatePasswordById(branchId, password);
         return ResponseEntity.accepted().build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity<Boolean> changeStatus(String userId) {
         return ResponseEntity.ok(appManagementService.changeBlockedStatus(userId, false));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity<UserTO> register(UserTO user) {
         UserTO createdUser = middlewareUserService.create(user);
         createdUser.setPin(null);
         return ResponseEntity.ok(createdUser);
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM') and @accountAccessSecurityFilter.isEnabledUser(#user.id)")
+    @PreAuthorize("hasRole('SYSTEM') and isEnabledUser(#user.id)")
     public ResponseEntity<Void> user(UserTO user) {
         checkUpdateData(user);
         middlewareUserService.updateUser(user.getBranch(), user);

diff --git a/...est-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AppMgmtResource.java b/...est-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AppMgmtResource.java
@@ -41,7 +41,7 @@ public ResponseEntity<String> ping() {
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity<Void> initApp() {
         appManagementService.initApp();
         return ResponseEntity.ok().build();

diff --git a/...est-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/ConsentResource.java b/...est-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/ConsentResource.java
@@ -27,13 +27,13 @@ public class ConsentResource implements ConsentRestAPI {
     private final MiddlewareAccountManagementService middlewareAccountService;
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','CUSTOMER') and @accountAccessSecurityFilter.hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
+    @PreAuthorize("hasAnyRole('STAFF','CUSTOMER') and hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
     public ResponseEntity<SCAConsentResponseTO> initiateAisConsent(String consentId, AisConsentTO aisConsent) {
         return ResponseEntity.ok(middlewareAccountService.startAisConsent(scaInfoHolder.getScaInfo(), consentId, aisConsent));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','CUSTOMER') and @accountAccessSecurityFilter.hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
+    @PreAuthorize("hasAnyRole('STAFF','CUSTOMER') and hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
     public ResponseEntity<SCAConsentResponseTO> initiatePiisConsent(AisConsentTO aisConsent) {
         return ResponseEntity.ok(middlewareAccountService.startPiisConsent(scaInfoHolder.getScaInfo(), aisConsent));
     }

diff --git a/...rver/src/main/java/de/adorsys/ledgers/middleware/rest/resource/DataMgmtStaffResource.java b/...rver/src/main/java/de/adorsys/ledgers/middleware/rest/resource/DataMgmtStaffResource.java
@@ -34,42 +34,42 @@ public class DataMgmtStaffResource implements DataMgmtStaffAPI {
     private final MiddlewareRecoveryService recoveryService;
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity<Void> account(String accountId) {
         cleanupService.deleteTransactions(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), accountId);
         return ResponseEntity.ok().build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity<Void> depositAccount(String accountId) {
         cleanupService.deleteAccount(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), accountId);
         return ResponseEntity.ok().build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+    @PreAuthorize("hasManagerAccessToUser(#userId)")
     public ResponseEntity<Void> user(String userId) {
         cleanupService.deleteUser(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), userId);
         return ResponseEntity.ok().build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#branchId)")
+    @PreAuthorize("hasManagerAccessToUser(#branchId)")
     public ResponseEntity<Void> branch(String branchId) {
         cleanupService.removeBranch(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), branchId);
         return ResponseEntity.ok().build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','SYSTEM')")
+    @PreAuthorize("hasAnyRole('STAFF','SYSTEM')")
     public ResponseEntity<Void> uploadData(UploadedDataTO data) {
         appManagementService.uploadData(data, scaInfoHolder.getScaInfo());
         return ResponseEntity.ok().build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','SYSTEM')")
+    @PreAuthorize("hasAnyRole('STAFF','SYSTEM')")
     public ResponseEntity<Set<Currency>> currencies() {
         return ResponseEntity.ok(currencyService.getSupportedCurrencies());
     }
@@ -80,26 +80,26 @@ public ResponseEntity<String> branchId(BbanStructure bbanStructure) {
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity<Void> createPoint(RecoveryPointTO recoveryPoint) {
         recoveryService.createRecoveryPoint(scaInfoHolder.getUserId(), recoveryPoint);
         return ResponseEntity.status(HttpStatus.CREATED).build();
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity<List<RecoveryPointTO>> getAllPoints() {
         return ResponseEntity.ok(recoveryService.getAll(scaInfoHolder.getUserId()));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity<RecoveryPointTO> getPoint(Long id) {
         return ResponseEntity.ok(recoveryService.getPointById(scaInfoHolder.getUserId(), id));
     }
 
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity<Void> deletePoint(Long id) {
         recoveryService.deleteById(scaInfoHolder.getUserId(), id);
         return ResponseEntity.status(HttpStatus.NO_CONTENT).build();