diff --git a/.env b/.env
index 704414b1d..8bbcef4d1 100644
--- a/.env
+++ b/.env
@@ -1 +1 @@
-LEDGERS_VERSION=develop
+LEDGERS_VERSION=5.0
diff --git a/ledgers-app/src/main/java/de/adorsys/ledgers/app/server/auth/WebSecurityConfigKeycloak.java b/ledgers-app/src/main/java/de/adorsys/ledgers/app/server/auth/WebSecurityConfigKeycloak.java
index b33d26dbe..65802680a 100644
--- a/ledgers-app/src/main/java/de/adorsys/ledgers/app/server/auth/WebSecurityConfigKeycloak.java
+++ b/ledgers-app/src/main/java/de/adorsys/ledgers/app/server/auth/WebSecurityConfigKeycloak.java
@@ -18,11 +18,11 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -31,6 +31,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.web.context.annotation.RequestScope;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -51,6 +52,7 @@ public class WebSecurityConfigKeycloak {
     private final KeycloakAuthMapper authMapper;
+    private final Environment environment;
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) {
@@ -63,11 +65,6 @@ public void configureGlobal(AuthenticationManagerBuilder auth) {
     @Bean
     @SuppressWarnings("PMD.SignatureDeclareThrowsException")
     SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-
-        http
-                .sessionManagement()
-                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
-
         http
                 .authorizeHttpRequests()
                 .requestMatchers(INDEX_WHITELIST).permitAll()
@@ -77,13 +74,15 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                 .requestMatchers(APP_WHITELIST).permitAll()
                 .anyRequest()
                 .authenticated()
-                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-                .and().oauth2ResourceServer()
+                .and()
+                .oauth2ResourceServer()
                 .jwt().jwtAuthenticationConverter(new KeycloakJwtAuthenticationConverter()).and()
-                .and().cors().disable() // by default uses a Bean by the name of corsConfigurationSource
+                .and()
+                .cors().disable() // by default uses a Bean by the name of corsConfigurationSource
                 .csrf().disable()
                 .formLogin().disable()
-                .httpBasic().disable();
+                .httpBasic().disable()
+                .addFilterBefore(new DisableEndpointFilter(environment), BasicAuthenticationFilter.class);
         return http.build();
     }
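Review bot: After this hunk the chain declares no session-creation policy at all: the earlier hunk in `securityFilterChain` drops the `ALWAYS` setting and this one drops the `STATELESS` setting that used to win, so the effective policy is now Spring Security's default (`IF_REQUIRED`) rather than an explicit choice. Since the class still imports `RegisterSessionAuthenticationStrategy`, sessions may now be created for bearer-token requests; if the API is meant to stay stateless, keep `.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)` in the chain (together with the import removed in the first hunk) instead of relying on the default, or state in the method Javadoc why the default is intended. `addFilterBefore(new DisableEndpointFilter(environment), BasicAuthenticationFilter.class)` places the filter ahead of `BasicAuthenticationFilter` and therefore, in Spring Security's standard ordering, ahead of bearer-token authentication too, so it decides on unauthenticated requests; which `Environment` properties it reads and which status it returns is not visible here and deserves a comment on that line, e.g. `// runs before authentication: rejects paths disabled via <property-key placeholder> with <status placeholder>`. `securityFilterChain` starts in the preceding hunk.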
diff --git a/ledgers-app/src/main/resources/application.yml b/ledgers-app/src/main/resources/application.yml index 4ce04896e..42915cc58 100644 --- a/ledgers-app/src/main/resources/application.yml +++ b/ledgers-app/src/main/resources/application.yml @@ -40,7 +40,10 @@ springdoc: swagger-ui: path: /swagger-ui.html + spring: + main: + allow-bean-definition-overriding: true security: oauth2: resourceserver: diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountMgmStaffResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountMgmStaffResource.java index 7bef38eb5..140772146 100644 --- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountMgmStaffResource.java +++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountMgmStaffResource.java 
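Review bot: `spring.main.allow-bean-definition-overriding: true` is a global switch that silences Spring's duplicate-bean detection for every bean in the context, not only the one this commit presumably needs it for (likely a method-security expression handler backing the new unqualified `@PreAuthorize` names — inferred, not visible in this diff). The risk is that any later, accidental redefinition of a security-relevant bean silently wins instead of failing at startup. Name the overridden bean next to the flag, e.g. `# required because <bean name placeholder> is redefined in <config class placeholder>`, and prefer removing the duplicate definition so the flag can be dropped again.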
@@ -35,26 +35,26 @@ public class AccountMgmStaffResource implements AccountMgmStaffResourceAPI {
     private final ScaInfoHolder scaInfoHolder;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountIban(#iban)")
+    @PreAuthorize("hasManagerAccessToAccountIban(#iban)")
     public ResponseEntity> getAccountsByIbanAndCurrency(String iban, String currency) {
         return ResponseEntity.ok(middlewareAccountService.getAccountsByIbanAndCurrency(iban, currency));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+    @PreAuthorize("hasManagerAccessToUser(#userId)")
     public ResponseEntity createDepositAccountForUser(String userId, AccountDetailsTO accountDetailsTO) {
         boolean created = middlewareAccountService.createDepositAccount(userId, scaInfoHolder.getScaInfo(), accountDetailsTO);
         return ResponseEntity.ok(created);
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity> getListOfAccounts() {
         return ResponseEntity.ok(middlewareAccountService.listDepositAccountsByBranch(scaInfoHolder.getUserId()));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity> getListOfAccountsPaged(String queryParam, int page, int size, boolean withBalance) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         CustomPageImpl details = middlewareAccountService.listDepositAccountsByBranchPaged(scaInfoHolder.getUserId(), queryParam, withBalance, pageable);
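Review bot: The new expressions call `hasManagerAccessToAccountIban(#iban)`, `hasRole('STAFF')` etc. as root-level methods, which only resolve if a custom `MethodSecurityExpressionHandler` whose expression root exposes every method formerly reached through `@accountAccessSecurityFilter` is registered; that registration is not part of this diff, and the same change applies to the hunks for AccountResource, AdminResource, AppMgmtResource, ConsentResource, DataMgmtStaffResource, OperationInitiationResource, PaymentResource, RedirectScaResource, TransactionsStaffResource, UserMgmtResource and UserMgmtStaffResource. Two things to verify: an unqualified name the root does not define fails at evaluation time with a SpEL error (a 500 rather than a bypass, but an outage on every annotated endpoint), and `hasRole('STAFF')` / `hasAnyRole(...)` otherwise fall back to Spring Security's built-ins, which match `ROLE_`-prefixed authorities — whether the Keycloak authority mapping produces that prefix, or the custom root overrides these methods with the old bean's semantics, should be confirmed rather than assumed. A method-security test per resource asserting that a CUSTOMER principal is rejected on `getListOfAccounts()` while a STAFF principal is accepted would pin this down. The class continues past the hunk (`getListOfAccountsPaged` is cut off at the end).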
@@ -62,20 +62,20 @@ public ResponseEntity> getListOfAccountsPaged(S
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity getAccountDetailsById(String accountId) {
         return ResponseEntity.ok(middlewareAccountService.getDepositAccountById(accountId, LocalDateTime.now(), true));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId) && @accountAccessSecurityFilter.isEnabledAccount(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId) && isEnabledAccount(#accountId)")
     public ResponseEntity depositCash(String accountId, AmountTO amount) {
         middlewareAccountService.depositCash(scaInfoHolder.getScaInfo(), accountId, amount);
         return ResponseEntity.accepted().build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity getExtendedAccountDetailsById(String accountId) {
         long start = System.nanoTime();
         AccountReportTO accountReport = middlewareAccountService.getAccountReport(accountId);
@@ -84,13 +84,13 @@ public ResponseEntity getExtendedAccountDetailsById(String acco
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity changeStatus(String accountId) {
         return ResponseEntity.ok(middlewareAccountService.changeStatus(accountId, false));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity changeCreditLimit(String accountId, BigDecimal creditLimit) {
         middlewareAccountService.changeCreditLimit(accountId, creditLimit);
         return ResponseEntity.accepted().build();
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountResource.java
index 9f87cbdab..9d8da5d1b 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AccountResource.java
@@ -44,26 +44,26 @@ public class AccountResource implements AccountRestAPI {
      * @return : the list of accounts linked with the current customer.
      */
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('CUSTOMER','SYSTEM')")
+    @PreAuthorize("hasAnyRole('CUSTOMER','SYSTEM')")
     public ResponseEntity> getListOfAccounts() {
         return ResponseEntity.ok(middlewareAccountService.listDepositAccounts(scaInfoHolder.getUserId()));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity getAccountDetailsById(String accountId) {
         return ResponseEntity.ok(middlewareAccountService.getDepositAccountById(accountId, LocalDateTime.now(), true));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity> getBalances(String accountId) {
         AccountDetailsTO accountDetails = middlewareAccountService.getDepositAccountById(accountId, LocalDateTime.now(), true);
         return ResponseEntity.ok(accountDetails.getBalances());
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity> getTransactionByDates(String accountId, LocalDate dateFrom, LocalDate dateTo) {
         dateChecker(dateFrom, dateTo);
         List transactions = middlewareAccountService.getTransactionsByDates(accountId, validDate(dateFrom), validDate(dateTo));
@@ -71,7 +71,7 @@ public ResponseEntity> getTransactionByDates(String accountI
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity> getTransactionByDatesPaged(String accountId, LocalDate dateFrom, LocalDate dateTo, int page, int size) {
         dateChecker(dateFrom, dateTo);
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
@@ -80,13 +80,13 @@ public ResponseEntity> getTransactionByDatesPaged(
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccount(#accountId)")
+    @PreAuthorize("hasAccessToAccount(#accountId)")
     public ResponseEntity getTransactionById(String accountId, String transactionId) {
         return ResponseEntity.ok(middlewareAccountService.getTransactionById(accountId, transactionId));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountWithIban(#request.psuAccount.iban)")
+    @PreAuthorize("hasAccessToAccountWithIban(#request.psuAccount.iban)")
     public ResponseEntity fundsConfirmation(FundsConfirmationRequestTO request) {
         if (request.getInstructedAmount().getAmount().compareTo(BigDecimal.ZERO) <= 0) { //TODO move to validation filter
             throw MiddlewareModuleException.builder()
@@ -99,7 +99,7 @@ public ResponseEntity fundsConfirmation(FundsConfirmationRequestTO requ
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.accountInfoByIdentifier(#accountIdentifierType, #accountIdentifier)")
+    @PreAuthorize("accountInfoByIdentifier(#accountIdentifierType, #accountIdentifier)")
     public ResponseEntity> getAdditionalAccountInfo(AccountIdentifierTypeTO accountIdentifierType, String accountIdentifier) {
         return ResponseEntity.ok(userManagementService.getAdditionalInformation(scaInfoHolder.getScaInfo(), accountIdentifierType, accountIdentifier));
     }
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AdminResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AdminResource.java
index 48e97c9a4..cec737ed1 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AdminResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AdminResource.java
@@ -47,13 +47,13 @@ public class AdminResource implements AdminResourceAPI {
     private final UserMapper userMapper;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('SYSTEM')")
+    @PreAuthorize("hasAnyRole('SYSTEM')")
     public ResponseEntity> getAllUsers() {
         return ResponseEntity.ok(middlewareUserService.listUsers(0, Integer.MAX_VALUE));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity> users(String countryCode, String branchId, String branchLogin, String userLogin, UserRoleTO role, Boolean blocked, int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         List roles = Optional.ofNullable(role).map(Collections::singletonList).orElseGet(() -> Arrays.asList(STAFF, CUSTOMER));
@@ -61,34 +61,34 @@ public ResponseEntity> users(String countryCode,
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity> admins(int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         return ResponseEntity.ok(middlewareUserService.getUsersByRoles(Collections.singletonList(SYSTEM), pageable));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity> accounts(String countryCode, String branchId, String branchLogin, String iban, Boolean blocked, int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         return ResponseEntity.ok(accountManagementService.getAccountsByBranchAndMultipleParams(countryCode, branchId, branchLogin, iban, blocked, pageable));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity updatePassword(String branchId, String password) {
         middlewareUserService.updatePasswordById(branchId, password);
         return ResponseEntity.accepted().build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity changeStatus(String userId) {
         return ResponseEntity.ok(appManagementService.changeBlockedStatus(userId, false));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity register(UserTO user) {
         UserTO createdUser = middlewareUserService.create(user);
         createdUser.setPin(null);
@@ -96,7 +96,7 @@ public ResponseEntity register(UserTO user) {
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM') and @accountAccessSecurityFilter.isEnabledUser(#user.id)")
+    @PreAuthorize("hasRole('SYSTEM') and isEnabledUser(#user.id)")
     public ResponseEntity user(UserTO user) {
         checkUpdateData(user);
         middlewareUserService.updateUser(user.getBranch(), user);
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AppMgmtResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AppMgmtResource.java
index 0d5bdb81b..b61f352fc 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AppMgmtResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/AppMgmtResource.java
@@ -41,7 +41,7 @@ public ResponseEntity ping() {
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+    @PreAuthorize("hasRole('SYSTEM')")
     public ResponseEntity initApp() {
         appManagementService.initApp();
         return ResponseEntity.ok().build();
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/ConsentResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/ConsentResource.java
index 5dadba1a7..692973023 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/ConsentResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/ConsentResource.java
@@ -27,13 +27,13 @@ public class ConsentResource implements ConsentRestAPI {
     private final MiddlewareAccountManagementService middlewareAccountService;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','CUSTOMER') and @accountAccessSecurityFilter.hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
+    @PreAuthorize("hasAnyRole('STAFF','CUSTOMER') and hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
     public ResponseEntity initiateAisConsent(String consentId, AisConsentTO aisConsent) {
         return ResponseEntity.ok(middlewareAccountService.startAisConsent(scaInfoHolder.getScaInfo(), consentId, aisConsent));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','CUSTOMER') and @accountAccessSecurityFilter.hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
+    @PreAuthorize("hasAnyRole('STAFF','CUSTOMER') and hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
     public ResponseEntity initiatePiisConsent(AisConsentTO aisConsent) {
         return ResponseEntity.ok(middlewareAccountService.startPiisConsent(scaInfoHolder.getScaInfo(), aisConsent));
     }
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/DataMgmtStaffResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/DataMgmtStaffResource.java
index 6c90fef88..7caac9983 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/DataMgmtStaffResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/DataMgmtStaffResource.java
@@ -34,42 +34,42 @@ public class DataMgmtStaffResource implements DataMgmtStaffAPI {
     private final MiddlewareRecoveryService recoveryService;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity account(String accountId) {
         cleanupService.deleteTransactions(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), accountId);
         return ResponseEntity.ok().build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToAccountId(#accountId)")
+    @PreAuthorize("hasManagerAccessToAccountId(#accountId)")
     public ResponseEntity depositAccount(String accountId) {
         cleanupService.deleteAccount(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), accountId);
         return ResponseEntity.ok().build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+    @PreAuthorize("hasManagerAccessToUser(#userId)")
     public ResponseEntity user(String userId) {
         cleanupService.deleteUser(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), userId);
         return ResponseEntity.ok().build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#branchId)")
+    @PreAuthorize("hasManagerAccessToUser(#branchId)")
     public ResponseEntity branch(String branchId) {
         cleanupService.removeBranch(scaInfoHolder.getUserId(), scaInfoHolder.getScaInfo().getUserRole(), branchId);
         return ResponseEntity.ok().build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','SYSTEM')")
+    @PreAuthorize("hasAnyRole('STAFF','SYSTEM')")
     public ResponseEntity uploadData(UploadedDataTO data) {
         appManagementService.uploadData(data, scaInfoHolder.getScaInfo());
         return ResponseEntity.ok().build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','SYSTEM')")
+    @PreAuthorize("hasAnyRole('STAFF','SYSTEM')")
     public ResponseEntity> currencies() {
         return ResponseEntity.ok(currencyService.getSupportedCurrencies());
     }
@@ -80,26 +80,26 @@ public ResponseEntity branchId(BbanStructure bbanStructure) {
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity createPoint(RecoveryPointTO recoveryPoint) {
         recoveryService.createRecoveryPoint(scaInfoHolder.getUserId(), recoveryPoint);
         return ResponseEntity.status(HttpStatus.CREATED).build();
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity> getAllPoints() {
         return ResponseEntity.ok(recoveryService.getAll(scaInfoHolder.getUserId()));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity getPoint(Long id) {
         return ResponseEntity.ok(recoveryService.getPointById(scaInfoHolder.getUserId(), id));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity deletePoint(Long id) {
         recoveryService.deleteById(scaInfoHolder.getUserId(), id);
         return ResponseEntity.status(HttpStatus.NO_CONTENT).build();
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/OperationInitiationResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/OperationInitiationResource.java
index 0d545e635..cf0f23874 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/OperationInitiationResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/OperationInitiationResource.java
@@ -31,25 +31,25 @@ public class OperationInitiationResource implements OperationInitiationRestApi {
     private final ScaInfoHolder scaInfoHolder;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountWithIban(#payment.debtorAccount.iban)")
+    @PreAuthorize("hasAccessToAccountWithIban(#payment.debtorAccount.iban)")
     public ResponseEntity initiatePayment(PaymentTypeTO paymentType, PaymentTO payment) {
         return new ResponseEntity<>(operationService.resolveInitiation(OpTypeTO.PAYMENT, null, payment, scaInfoHolder.getScaInfo()), HttpStatus.CREATED);
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountByPaymentId(#opId)")
+    @PreAuthorize("hasAccessToAccountByPaymentId(#opId)")
     public ResponseEntity initiatePmtCancellation(String opId) {
         return new ResponseEntity<>(operationService.resolveInitiation(OpTypeTO.CANCEL_PAYMENT, opId, null, scaInfoHolder.getScaInfo()), HttpStatus.CREATED);
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','CUSTOMER') and @accountAccessSecurityFilter.hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
+    @PreAuthorize("hasAnyRole('STAFF','CUSTOMER') and hasAccessToAccountsWithIbans(#aisConsent.access.listedAccountsIbans)")
     public ResponseEntity initiateAisConsent(AisConsentTO aisConsent) {
         return new ResponseEntity<>(operationService.resolveInitiation(OpTypeTO.CONSENT, null, aisConsent, scaInfoHolder.getScaInfo()), HttpStatus.CREATED);
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasPartialScope() and @accountAccessSecurityFilter.hasAccessToAccountByPaymentId(#opId)")
+    @PreAuthorize("hasPartialScope() and hasAccessToAccountByPaymentId(#opId)")
     public ResponseEntity execution(OpTypeTO opType, String opId) {
         return ResponseEntity.ok(operationService.execute(opType, opId, scaInfoHolder.getScaInfo()));
     }
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/PaymentResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/PaymentResource.java
index 2f2cb4655..da8ea64e6 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/PaymentResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/PaymentResource.java
@@ -33,57 +33,57 @@ public class PaymentResource implements PaymentRestAPI {
     private final ScaInfoHolder scaInfoHolder;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountByPaymentId(#paymentId)")
+    @PreAuthorize("hasAccessToAccountByPaymentId(#paymentId)")
     public ResponseEntity getPaymentStatusById(String paymentId) {
         return ResponseEntity.ok(paymentService.getPaymentStatusById(paymentId));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountByPaymentId(#paymentId)")
+    @PreAuthorize("hasAccessToAccountByPaymentId(#paymentId)")
     public ResponseEntity getPaymentById(String paymentId) {
         return ResponseEntity.ok(paymentService.getPaymentById(paymentId));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('CUSTOMER')")
+    @PreAuthorize("hasRole('CUSTOMER')")
     public ResponseEntity> getPendingPeriodicPayments() {
         return ResponseEntity.ok(paymentService.getPendingPeriodicPayments(scaInfoHolder.getScaInfo()));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('CUSTOMER')")
+    @PreAuthorize("hasRole('CUSTOMER')")
     public ResponseEntity> getPendingPeriodicPaymentsPaged(int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         return ResponseEntity.ok(paymentService.getPendingPeriodicPaymentsPaged(scaInfoHolder.getScaInfo(), pageable));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('CUSTOMER')")
+    @PreAuthorize("hasRole('CUSTOMER')")
     public ResponseEntity> getAllPaymentsPaged(int page, int size) {
         CustomPageableImpl pageable = new CustomPageableImpl(page, size);
         return ResponseEntity.ok(paymentService.getAllPaymentsPaged(scaInfoHolder.getScaInfo(), pageable));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountWithIban(#payment.debtorAccount.iban)")
+    @PreAuthorize("hasAccessToAccountWithIban(#payment.debtorAccount.iban)")
     public ResponseEntity initiatePayment(PaymentTO payment) {
         return new ResponseEntity<>(paymentService.initiatePayment(scaInfoHolder.getScaInfo(), payment), HttpStatus.CREATED);
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasPartialScope() and @accountAccessSecurityFilter.hasAccessToAccountByPaymentId(#paymentId)")
+    @PreAuthorize("hasPartialScope() and hasAccessToAccountByPaymentId(#paymentId)")
     public ResponseEntity executePayment(String paymentId) {
         return ResponseEntity.accepted().body(paymentService.executePayment(scaInfoHolder.getScaInfo(), paymentId));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountByPaymentId(#paymentId)")
+    @PreAuthorize("hasAccessToAccountByPaymentId(#paymentId)")
     public ResponseEntity initiatePmtCancellation(String paymentId) {
         return ResponseEntity.ok(paymentService.initiatePaymentCancellation(scaInfoHolder.getScaInfo(), paymentId));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasPartialScope() and @accountAccessSecurityFilter.hasAccessToAccountByPaymentId(#paymentId)")
+    @PreAuthorize("hasPartialScope() and hasAccessToAccountByPaymentId(#paymentId)")
     public ResponseEntity executeCancelPayment(String paymentId) {
         return ResponseEntity.ok(paymentService.authorizeCancelPayment(scaInfoHolder.getScaInfo(), paymentId));
     }
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/RedirectScaResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/RedirectScaResource.java
index 6ce3f8762..3118a588d 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/RedirectScaResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/RedirectScaResource.java
@@ -27,25 +27,25 @@ public class RedirectScaResource implements RedirectScaRestAPI {
     private final MiddlewareRedirectScaService scaService;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasScaScope() and @accountAccessSecurityFilter.hasAccessToAccountByScaOperation(#startScaOpr)")
+    @PreAuthorize("hasScaScope() and hasAccessToAccountByScaOperation(#startScaOpr)")
     public ResponseEntity startSca(StartScaOprTO startScaOpr) {
         return ResponseEntity.ok(scaService.startScaOperation(startScaOpr, scaInfoHolder.getScaInfo()));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasScaScope() and @accountAccessSecurityFilter.hasAccessToAccountByAuthorizationId(#authorisationId)")
+    @PreAuthorize("hasScaScope() and hasAccessToAccountByAuthorizationId(#authorisationId)")
     public ResponseEntity getSCA(String authorisationId) {
         return ResponseEntity.ok(scaService.getMethods(authorisationId, scaInfoHolder.getScaInfo()));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasScaScope() and @accountAccessSecurityFilter.hasAccessToAccountByAuthorizationId(#authorisationId)")
+    @PreAuthorize("hasScaScope() and hasAccessToAccountByAuthorizationId(#authorisationId)")
     public ResponseEntity selectMethod(String authorisationId, String scaMethodId) {
         return ResponseEntity.ok(scaService.selectMethod(scaInfoHolder.getScaInfoWithScaMethodIdAndAuthorisationId(scaMethodId, authorisationId)));
     }
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasScaScope() and @accountAccessSecurityFilter.hasAccessToAccountByAuthorizationId(#authorisationId)")
+    @PreAuthorize("hasScaScope() and hasAccessToAccountByAuthorizationId(#authorisationId)")
     public ResponseEntity validateScaCode(String authorisationId, String authCode) {
         return ResponseEntity.ok(scaService.confirmAuthorization(scaInfoHolder.getScaInfoWithAuthCodeAndAuthorisationId(authCode, authorisationId)));
     }
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/TransactionsStaffResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/TransactionsStaffResource.java
index f88bfb076..9e03fb9a7 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/TransactionsStaffResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/TransactionsStaffResource.java
@@ -29,7 +29,7 @@ public class TransactionsStaffResource implements TransactionsStaffResourceAPI {
     private final MockTransactionMapper transactionMapper;
     @Override
-    @PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+    @PreAuthorize("hasRole('STAFF')")
     public ResponseEntity> transactions(List data) {
         List dataBO = transactionMapper.toMockTransactionDetailsBO(data);
         return new ResponseEntity<>(transactionService.bookMockTransaction(dataBO), HttpStatus.CREATED);
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtResource.java
index fb329bd37..1ef2fae8c 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtResource.java
@@ -36,13 +36,13 @@ public class UserMgmtResource implements UserMgmtRestAPI {
 private final ScaInfoHolder scaInfoHolder;
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountByLogin(#login, #iban)")
+@PreAuthorize("hasAccessToAccountByLogin(#login, #iban)")
 public ResponseEntity multilevel(String login, String iban) {
 return ResponseEntity.ok(middlewareUserService.checkMultilevelScaRequired(login, iban));
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasAccessToAccountsByLogin(#login, #references)")
+@PreAuthorize("hasAccessToAccountsByLogin(#login, #references)")
 public ResponseEntity multilevelAccounts(String login, List references) {
 return ResponseEntity.ok(middlewareUserService.checkMultilevelScaRequired(login, references));
 }
@@ -55,7 +55,7 @@ public ResponseEntity register(String login, String email, String pin, U
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+@PreAuthorize("hasManagerAccessToUser(#userId)")
 public ResponseEntity getUserById(String userId) {
 return ResponseEntity.ok(middlewareUserService.findById(userId));
 }
@@ -66,7 +66,7 @@ public ResponseEntity getUser() {
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.isSameUser(#user.id)")
+@PreAuthorize("isSameUser(#user.id)")
 public ResponseEntity editSelf(UserTO user) {
 middlewareUserService.editBasicSelf(scaInfoHolder.getUserId(), user);
 return ResponseEntity.accepted().build();
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtStaffResource.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtStaffResource.java
index 740618624..1571fc2cb 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtStaffResource.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/resource/UserMgmtStaffResource.java
@@ -40,7 +40,7 @@ public class UserMgmtStaffResource implements UserMgmtStaffResourceAPI {
 private final MiddlewareRecoveryService middlewareRecoveryService;
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.isNewStaffUser(#branchStaff)")
+@PreAuthorize("isNewStaffUser(#branchStaff)")
 public ResponseEntity register(String branch, UserTO branchStaff) {
 branchStaff.setBranch(branch);
 branchStaff.setUserRoles(Collections.singletonList(UserRoleTO.STAFF));
@@ -51,13 +51,13 @@ public ResponseEntity register(String branch, UserTO branchStaff) {
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#user.id)")
+@PreAuthorize("hasManagerAccessToUser(#user.id)")
 public ResponseEntity modifyUser(String branch, UserTO user) {
 return ResponseEntity.ok(middlewareUserService.updateUser(branch, user));
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+@PreAuthorize("hasRole('STAFF')")
 public ResponseEntity createUser(UserTO user) {
 UserTO branchStaff = middlewareUserService.findById(scaInfoHolder.getScaInfo().getUserId());
@@ -74,7 +74,7 @@ public ResponseEntity createUser(UserTO user) {
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasRole('STAFF')")
+@PreAuthorize("hasRole('STAFF')")
 public ResponseEntity> getBranchUsersByRoles(List roles, String queryParam, Boolean blockedParam, int page, int size) {
 CustomPageableImpl pageable = new CustomPageableImpl(page, size);
 UserTO branchStaff = middlewareUserService.findById(scaInfoHolder.getUserId());
@@ -83,7 +83,7 @@ public ResponseEntity> getBranchUsersByRoles(List> getBranchUserLogins() {
 UserTO branchStaff = middlewareUserService.findById(scaInfoHolder.getUserId());
 List users = middlewareUserService.getBranchUserLogins(branchStaff.getBranch());
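Review bot: The predicate `isNewStaffUser(#branchStaff)` on `register` is evaluated before the method body runs, so it sees the client-supplied `branchStaff` with whatever `branch` and `userRoles` the caller put in the body, while the two lines that follow overwrite both from the path variable and the `STAFF` constant. If `isNewStaffUser` inspects either field it is validating values that are then discarded; if it only checks login/e-mail uniqueness this is harmless, but the hunk does not show which. Either apply the overwrites before the check (e.g. in a request mapper) or make the ordering explicit with `// isNewStaffUser() sees the client-sent branch/roles; both are replaced below`. The rest of `register` lies outside this hunk.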
@@ -91,7 +91,7 @@ public ResponseEntity> getBranchUserLogins() {
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasRole('SYSTEM')")
+@PreAuthorize("hasRole('SYSTEM')")
 public ResponseEntity> getBranchUserLoginsByBranchId(String branchId) {
 UserTO branchStaff = middlewareUserService.findById(branchId);
 List users = middlewareUserService.getBranchUserLogins(branchStaff.getBranch());
@@ -99,14 +99,14 @@ public ResponseEntity> getBranchUserLoginsByBranchId(String branchI
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+@PreAuthorize("hasManagerAccessToUser(#userId)")
 public ResponseEntity getBranchUserById(String userId) {
 UserTO user = middlewareUserService.findById(userId);
 return ResponseEntity.ok(user);
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+@PreAuthorize("hasManagerAccessToUser(#userId)")
 public ResponseEntity updateUserScaData(String userId, List data) {
 UserTO userWithUpdatedSca = middlewareUserService.updateScaData(middlewareUserService.findById(userId).getLogin(), data);
 URI uri = UriComponentsBuilder.fromUriString("/staff-access" + UserMgmtRestAPI.BASE_PATH + "/" + userWithUpdatedSca.getId())
@@ -115,7 +115,7 @@ public ResponseEntity updateUserScaData(String userId, List
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF','SYSTEM')")
+@PreAuthorize("hasAnyRole('STAFF','SYSTEM')")
 //TODO Check Account enabled, check initiator has accessTo Account, Check Same Branch as User/Check user is not a branch!!!, AccountExists
 public ResponseEntity updateAccountAccessForUser(String userId, AccountAccessTO access) {
 ScaInfoTO scaInfo = scaInfoHolder.getScaInfo();
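Review bot: `hasAnyRole('STAFF','SYSTEM')` is the only guard on `updateAccountAccessForUser`, and the TODO immediately below it already lists what is missing: branch ownership, account existence, initiator access. Every sibling endpoint in this file that takes a `userId` is guarded with `hasManagerAccessToUser(#userId)`; unless `middlewareUserService` enforces the branch check further down (not visible here), a STAFF user of one branch can grant account access to a user of another. `@PreAuthorize("hasAnyRole('STAFF','SYSTEM') and hasManagerAccessToUser(#userId)")` would at least close the branch gap, provided `hasManagerAccessToUser` admits SYSTEM callers, which I cannot confirm from this diff. The method body continues past the end of the hunk.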
@@ -124,13 +124,13 @@ public ResponseEntity updateAccountAccessForUser(String userId, AccountAcc
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasManagerAccessToUser(#userId)")
+@PreAuthorize("hasManagerAccessToUser(#userId)")
 public ResponseEntity changeStatus(String userId) {
 return ResponseEntity.ok(middlewareUserService.changeStatus(userId, false));
 }
 @Override
-@PreAuthorize("@accountAccessSecurityFilter.hasAnyRole('STAFF') and @accountAccessSecurityFilter.isSameUser(#request.branchId)")
+@PreAuthorize("hasAnyRole('STAFF') and isSameUser(#request.branchId)")
 public ResponseEntity revertDatabase(RevertRequestTO request) {
 middlewareRecoveryService.revertDatabase(request.getBranchId(), request.getRecoveryPointId());
 return new ResponseEntity<>(HttpStatus.OK);
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/test/java/de/adorsys/ledgers/middleware/rest/config/MethodSecurityConfig.java b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/security/MethodSecurityConfig.java
similarity index 83%
rename from ledgers-middleware/ledgers-middleware-rest-server/src/test/java/de/adorsys/ledgers/middleware/rest/config/MethodSecurityConfig.java
rename to ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/security/MethodSecurityConfig.java
index d0be0b9de..bc587132c 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/test/java/de/adorsys/ledgers/middleware/rest/config/MethodSecurityConfig.java
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/main/java/de/adorsys/ledgers/middleware/rest/security/MethodSecurityConfig.java
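Review bot: `hasAnyRole('STAFF')` with a single argument on `revertDatabase` is just `hasRole('STAFF')`, which is what the other STAFF-only endpoints in this file use after this commit; `@PreAuthorize("hasRole('STAFF') and isSameUser(#request.branchId)")` keeps the expressions uniform. The `isSameUser` half compares a value taken from the request body with the caller, which is a sound self-check, but it deserves a line saying so for a destructive endpoint: `// branchId comes from the body; isSameUser() ties the revert to the caller's own branch`.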
@@ -3,17 +3,18 @@
 * All rights are reserved.
 */
-package de.adorsys.ledgers.middleware.rest.config;
+package de.adorsys.ledgers.middleware.rest.security;
 import de.adorsys.ledgers.keycloak.client.mapper.KeycloakAuthMapper;
 import de.adorsys.ledgers.middleware.api.service.MiddlewareAccountManagementService;
 import de.adorsys.ledgers.middleware.api.service.MiddlewarePaymentService;
 import de.adorsys.ledgers.middleware.api.service.MiddlewareRedirectScaService;
 import de.adorsys.ledgers.middleware.api.service.MiddlewareUserManagementService;
-import de.adorsys.ledgers.middleware.rest.security.AccountAccessSecurityFilterHandler;
 import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
@@ -21,10 +22,11 @@
 @RequiredArgsConstructor
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
+private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 private final MiddlewareAccountManagementService middlewareAccountService;
 private final MiddlewarePaymentService middlewareService;
-private final KeycloakAuthMapper authMapper;
 private final MiddlewareUserManagementService userManagementService;
+private final KeycloakAuthMapper authMapper;
 private final MiddlewareRedirectScaService scaService;
 @Override
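Review bot: `trustResolver` is initialised inline with `new AuthenticationTrustResolverImpl()`, so `@RequiredArgsConstructor` leaves it out of the constructor and it can neither be injected nor swapped in a test; if the `createExpressionHandler` override below the hunk hands it to the handler, the resolver is hard-coded in what is now production security configuration. Either take an `AuthenticationTrustResolver` through the constructor like the other collaborators, or drop the field and rely on the resolver Spring's `DefaultMethodSecurityExpressionHandler` presumably already carries. The class also moved to `src/main` without a javadoc; a one-liner such as `/** Registers the custom method-security expression root so @PreAuthorize can call hasScaScope(), hasManagerAccessToUser(...) etc. unqualified. */` would tell the next reader why this bean exists, with the handler name confirmed from the override.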
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/test/java/de/adorsys/ledgers/middleware/rest/config/TestMethodSecurityConfig.java b/ledgers-middleware/ledgers-middleware-rest-server/src/test/java/de/adorsys/ledgers/middleware/rest/config/TestMethodSecurityConfig.java
new file mode 100644
index 000000000..5cd3fd822
--- /dev/null
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/test/java/de/adorsys/ledgers/middleware/rest/config/TestMethodSecurityConfig.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2018-2023 adorsys GmbH and Co. KG
+ * All rights are reserved.
+ */
+
+package de.adorsys.ledgers.middleware.rest.config;
+
+import de.adorsys.ledgers.keycloak.client.mapper.KeycloakAuthMapper;
+import de.adorsys.ledgers.middleware.api.service.MiddlewareAccountManagementService;
+import de.adorsys.ledgers.middleware.api.service.MiddlewarePaymentService;
+import de.adorsys.ledgers.middleware.api.service.MiddlewareRedirectScaService;
+import de.adorsys.ledgers.middleware.api.service.MiddlewareUserManagementService;
+import de.adorsys.ledgers.middleware.rest.security.AccountAccessSecurityFilterHandler;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
+
+@Configuration
+@RequiredArgsConstructor
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class TestMethodSecurityConfig extends GlobalMethodSecurityConfiguration {
+ private final MiddlewareAccountManagementService middlewareAccountService;
+ private final MiddlewarePaymentService middlewareService;
+ private final KeycloakAuthMapper authMapper;
+ private final MiddlewareUserManagementService userManagementService;
+ private final MiddlewareRedirectScaService scaService;
+
+ @Override
+ protected MethodSecurityExpressionHandler createExpressionHandler() {
+ return new AccountAccessSecurityFilterHandler(middlewareAccountService, middlewareService, userManagementService, authMapper, scaService);
+ }
+}
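Review bot: `TestMethodSecurityConfig` is the pre-move copy of `MethodSecurityConfig` — same five services, same `@EnableGlobalMethodSecurity(prePostEnabled = true)`, same `AccountAccessSecurityFilterHandler` construction — and it now sits in a test context that also contains the production class, so two `GlobalMethodSecurityConfiguration` subclasses register the same method-security beans and which `createExpressionHandler` wins is decided by definition order rather than by intent. The production class additionally declares a `trustResolver` that this copy does not, so the tests may be exercising a handler that differs from what ships. Deleting this class would let the tests run against the real wiring; if a test genuinely needs a variant, mark it `@Primary` (or `@Profile("test")`) and add a comment stating what it changes and why.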
diff --git a/ledgers-middleware/ledgers-middleware-rest-server/src/test/resources/application.yml b/ledgers-middleware/ledgers-middleware-rest-server/src/test/resources/application.yml
index fb990fa1f..74b6296b3 100644
--- a/ledgers-middleware/ledgers-middleware-rest-server/src/test/resources/application.yml
+++ b/ledgers-middleware/ledgers-middleware-rest-server/src/test/resources/application.yml
@@ -20,6 +20,8 @@ db:
 spring:
+ main:
+ allow-bean-definition-overriding: true
 application.name: ledgers # profiles: default. This will prevent from running the h2 profile.
 datasource:
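Review bot: `allow-bean-definition-overriding: true` switches off duplicate-definition detection for the whole test context, not just for the `MethodSecurityConfig` / `TestMethodSecurityConfig` pair this commit appears to need it for, so any future accidental duplicate — a second `SecurityFilterChain`, a second JWT converter — will be resolved by load order in tests and only fail when the application starts. If the duplicate test configuration is removed this flag becomes unnecessary; if it has to stay, tie it to its reason in place: `# needed while TestMethodSecurityConfig duplicates MethodSecurityConfig; remove together with it`.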