Revert "fix: [SRTP-155] remove authz on endpoint rtps (#34)"

This reverts commit e5d6cbc.
pagopa · Dec 11, 2024 · 9312235 · 9312235
1 parent ac76f26
commit 9312235
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 12 deletions.
diff --git a/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java b/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java
@@ -27,7 +27,7 @@ SecurityWebFilterChain securityWebFilterChain(
                 .csrf(ServerHttpSecurity.CsrfSpec::disable)
                 .logout(ServerHttpSecurity.LogoutSpec::disable)
                 .authorizeExchange(it -> it
-                        .pathMatchers("/actuator/**", "/rtps")
+                        .pathMatchers("/actuator/**")
                         .permitAll()
                         .anyExchange()
                         .authenticated()

diff --git a/src/main/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImpl.java b/src/main/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImpl.java
@@ -3,7 +3,9 @@
 import it.gov.pagopa.rtp.activator.controller.generated.send.RtpsApi;
 import it.gov.pagopa.rtp.activator.model.generated.send.CreateRtpDto;
 import it.gov.pagopa.rtp.activator.service.rtp.SendRTPService;
+
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.server.ServerWebExchange;
@@ -20,6 +22,7 @@ public SendAPIControllerImpl(SendRTPService sendRTPService) {
     }
 
     @Override
+    @PreAuthorize("hasRole('write_rtp_send')")
     public Mono<ResponseEntity<Void>> createRtp(Mono<CreateRtpDto> createRtpDto,
             ServerWebExchange exchange) {
         return createRtpDto

diff --git a/src/test/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImplTest.java b/src/test/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImplTest.java
@@ -1,30 +1,36 @@
 package it.gov.pagopa.rtp.activator.controller;
 
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.when;
-import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
-
-import it.gov.pagopa.rtp.activator.configuration.SecurityConfig;
-import it.gov.pagopa.rtp.activator.model.generated.send.CreateRtpDto;
-import it.gov.pagopa.rtp.activator.model.generated.send.PayeeDto;
-import it.gov.pagopa.rtp.activator.service.rtp.SendRTPService;
-import java.time.LocalDate;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
+
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.aot.DisabledInAotMode;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.reactive.server.WebTestClient;
+
+import it.gov.pagopa.rtp.activator.configuration.SecurityConfig;
+
+import it.gov.pagopa.rtp.activator.model.generated.send.CreateRtpDto;
+import it.gov.pagopa.rtp.activator.model.generated.send.PayeeDto;
+import it.gov.pagopa.rtp.activator.service.rtp.SendRTPService;
+import it.gov.pagopa.rtp.activator.utils.Users;
 import reactor.core.publisher.Mono;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
+
+import java.time.LocalDate;
+
 @ExtendWith(SpringExtension.class)
 @WebFluxTest(controllers = { SendAPIControllerImpl.class })
 @Import({ SecurityConfig.class })
@@ -49,6 +55,7 @@ void setup() {
     }
 
     @Test
+    @Users.RtpSenderWriter
     void testSendRtpSuccessful() {
 
         when(sendRTPService.send(anyString(), anyInt(), anyString(), any(), anyString(), anyString(), anyString(),
@@ -66,6 +73,7 @@ void testSendRtpSuccessful() {
     }
 
     @Test
+    @Users.RtpSenderWriter
     void testSendRtpWithWrongBody() {
 
         when(sendRTPService.send(anyString(), anyInt(), anyString(), any(), anyString(), anyString(), anyString(),
@@ -80,6 +88,17 @@ void testSendRtpWithWrongBody() {
                 .isEqualTo(HttpStatus.BAD_REQUEST);
     }
 
+    @Test
+    @WithMockUser
+    void userWithoutEnoughPermissionShouldNotSendRtp() {
+        webTestClient.post()
+                .uri("/rtps")
+                .bodyValue(generateSendRequest())
+                .exchange()
+                .expectStatus()
+                .isEqualTo(HttpStatus.FORBIDDEN);
+    }
+
     private CreateRtpDto generateSendRequest() {
         return new CreateRtpDto("311111111112222222", 1, "description", LocalDate.now(), "payerId",
                 new PayeeDto("77777777777", "payeeName"));