fix(FSADT1-1275): filtering access by http method (#901)
Co-authored-by: Maria Martinez <[email protected]>
paulushcgcj and mamartinezmejia authored Mar 27, 2024
1 parent ffc210b commit 76cf9cf
Showing 1 changed file with 99 additions and 97 deletions.
Expand Up @@ -7,120 +7,122 @@
import org.springframework.stereotype.Component;

/**
* This class customizes the authorization rules for different API endpoints.
* It implements the Customizer interface and overrides the customize method to set the authorization rules.
* This class customizes the authorization rules for different API endpoints. It implements the
* Customizer interface and overrides the customize method to set the authorization rules.
*/
@Component
public class ApiAuthorizationCustomizer implements Customizer<AuthorizeExchangeSpec> {

/**
* This method customizes the AuthorizeExchangeSpec by setting the authorization rules for different API endpoints.
* The rules specify which roles can access which endpoints.
* This method customizes the AuthorizeExchangeSpec by setting the authorization rules for
* different API endpoints. The rules specify which roles can access which endpoints.
*
* @param authorize The AuthorizeExchangeSpec to be customized.
*/
@Override
public void customize(AuthorizeExchangeSpec authorize) {
// Begin authorization rules configuration
authorize

// Allow all access to metrics and health endpoints
.pathMatchers("/metrics/**", "/health/**").permitAll()

// Only service users can access the email endpoint
.pathMatchers("/api/ches/email")
.hasAnyRole(
ApplicationConstant.USERTYPE_SERVICE_USER
)

// Only BCeIdBusiness and BCSC users can access the duplicate endpoint
.pathMatchers("/api/ches/duplicate")
.hasAnyRole(
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER
)

// Only BCeIdBusiness and BCSC users can access the addresses endpoint
.pathMatchers("/api/addresses/**")
.hasAnyRole(
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER
)

// Viewer, editor, admin, BCeIdBusiness and BCSC users can access the codes endpoint
.pathMatchers("/api/codes/**")
.hasAnyRole(
ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN,
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER
)

// Viewer, editor, admin, BCeIdBusiness, BCSC and service users can access the districts endpoint
.pathMatchers("/api/districts/**")
.hasAnyRole(
ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN,
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER,
ApplicationConstant.USERTYPE_SERVICE_USER
)

// Viewer, editor, admin, BCeIdBusiness, BCSC and service users can access the countries endpoint
.pathMatchers("/api/countries/**")
.hasAnyRole(
ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN,
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER,
ApplicationConstant.USERTYPE_SERVICE_USER
)
// This is due to the internal platform checks that require access to these endpoints
authorize
.pathMatchers(HttpMethod.GET, "/metrics/**", "/health/**").permitAll();

// Only service users can POST to the email endpoint
authorize
.pathMatchers(HttpMethod.POST, "/api/ches/email")
.hasAnyRole(ApplicationConstant.USERTYPE_SERVICE_USER);

// Only service users can send OPTIONS request to the email endpoint
authorize
.pathMatchers(HttpMethod.OPTIONS, "/api/ches/email")
.hasAnyRole(ApplicationConstant.USERTYPE_SERVICE_USER);

// Only BCeIDBusiness and BCSC users can POST to the duplicate endpoint
authorize
.pathMatchers(HttpMethod.POST, "/api/ches/duplicate")
.hasAnyRole(ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER);

// Only BCeIDBusiness and BCSC users can send OPTIONS request to the duplicate endpoint
authorize
.pathMatchers(HttpMethod.OPTIONS, "/api/ches/duplicate")
.hasAnyRole(ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER);

// Only BCeIDBusiness and BCSC users can GET from the addresses endpoint
authorize
.pathMatchers(HttpMethod.GET, "/api/addresses/**")
.hasAnyRole(ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER);

// Viewer, editor, admin, BCeIDBusiness and BCSC users can GET from the codes endpoint
authorize
.pathMatchers(HttpMethod.GET, "/api/codes/**")
.hasAnyRole(ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN,
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER);

// Viewer, editor, admin, BCeIDBusiness, BCSC and service users can GET from the districts
// endpoint
authorize
.pathMatchers(HttpMethod.GET, "/api/districts/**")
.hasAnyRole(ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN,
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER,
ApplicationConstant.USERTYPE_SERVICE_USER);

// Viewer, editor, admin, BCeIDBusiness, BCSC and service users can GET from the countries
// endpoint
authorize
.pathMatchers(HttpMethod.GET, "/api/countries/**")
.hasAnyRole(ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN,
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER,
ApplicationConstant.USERTYPE_SERVICE_USER);

// Only editor and admin can POST to the clients submissions endpoint with a specific id
.pathMatchers(HttpMethod.POST,"/api/clients/submissions/{id:[0-9]+}")
.hasAnyRole(
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN
)

// Viewer, editor and admin can access the clients submissions endpoint with a specific id
.pathMatchers("/api/clients/submissions/{id:[0-9]+}")
.hasAnyRole(
ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN
)

// Only BCeIdBusiness and BCSC users can POST to the clients submissions endpoint
.pathMatchers(HttpMethod.POST, "/api/clients/submissions/**")
.hasAnyRole(
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER
)
authorize
.pathMatchers(HttpMethod.POST, "/api/clients/submissions/{id:[0-9]+}")
.hasAnyRole(ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN);

// Viewer, editor and admin can GET from the clients submissions endpoint with a specific id
authorize
.pathMatchers(HttpMethod.GET, "/api/clients/submissions/{id:[0-9]+}")
.hasAnyRole(ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN);

// Only BCeIDBusiness and BCSC users can POST to the clients submissions endpoint
authorize
.pathMatchers(HttpMethod.POST, "/api/clients/submissions/**")
.hasAnyRole(ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER);

// Viewer, editor and admin can GET from the clients submissions endpoint
.pathMatchers(HttpMethod.GET, "/api/clients/submissions/**")
.hasAnyRole(
ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN
)

// BCeIdBusiness, BCSC, viewer, editor and admin users can access the clients endpoint
.pathMatchers("/api/clients/**")
.hasAnyRole(
ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER,
ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN
)
authorize
.pathMatchers(HttpMethod.GET, "/api/clients/submissions/**")
.hasAnyRole(ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN);

// BCeIDBusiness, BCSC, viewer, editor and admin users can GET from the clients endpoint
authorize
.pathMatchers(HttpMethod.GET, "/api/clients/**")
.hasAnyRole(ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
ApplicationConstant.USERTYPE_BCSC_USER,
ApplicationConstant.ROLE_VIEWER,
ApplicationConstant.ROLE_EDITOR,
ApplicationConstant.ROLE_ADMIN);

// Deny all other requests
.anyExchange().denyAll();

authorize.anyExchange().denyAll();
}
}
}
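Review bot: The two OPTIONS rules added for `/api/ches/email` and `/api/ches/duplicate` put a `hasAnyRole` check on requests that, when they are browser CORS preflights, never carry the bearer token; if those preflights reach this authorization layer the check can only reject them, and if CORS is configured through Spring Security (whose `CorsWebFilter` sits before authorization in the WebFlux filter order) the preflight is answered before these rules are ever evaluated, so either way they do not do what the comments claim. They are also the only OPTIONS rules in the file — every other path now sends OPTIONS to the final `anyExchange().denyAll()`, which reads as inconsistent rather than deliberate. Unless there is a non-preflight OPTIONS consumer I cannot see from here, I would drop the two OPTIONS blocks and leave preflight to the CORS configuration, with a note at the top of `customize` such as `// OPTIONS (CORS preflight) is expected to be handled by the CORS filter ahead of authorization; no rules are declared for it here`. Scoping every matcher to a method means HEAD, PUT, PATCH and DELETE now fall to `denyAll()`, which is the right default but worth confirming against the controllers' mappings; in particular `POST /api/clients/submissions/{id:[0-9]+}` is editor/admin-only while `POST /api/clients/submissions/**` is the BCeID/BCSC fallback for every other sub-path, so those two patterns must partition exactly what the submissions controller exposes or a non-numeric or nested path lands on the broader rule.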
