From 93122354ecbf1ffa6b5ec70e508b4a0509afb851 Mon Sep 17 00:00:00 2001
From: Andrea Morabito
Date: Wed, 11 Dec 2024 10:27:37 +0100
Subject: [PATCH] Revert "fix: [SRTP-155] remove authz on endpoint rtps (#34)"

This reverts commit e5d6cbc5d1cac32f6e6d9efd76fabc18694a2956.
---
 .../configuration/SecurityConfig.java | 2 +-
 .../controller/SendAPIControllerImpl.java | 3 ++
 .../controller/SendAPIControllerImplTest.java | 41 ++++++++++++++-----
 3 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java b/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java
index 8a155ee..ffb7a17 100644
--- a/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java
+++ b/src/main/java/it/gov/pagopa/rtp/activator/configuration/SecurityConfig.java
@@ -27,7 +27,7 @@ SecurityWebFilterChain securityWebFilterChain(
 .csrf(ServerHttpSecurity.CsrfSpec::disable)
 .logout(ServerHttpSecurity.LogoutSpec::disable)
 .authorizeExchange(it -> it
- .pathMatchers("/actuator/**", "/rtps")
+ .pathMatchers("/actuator/**")
 .permitAll()
 .anyExchange()
 .authenticated()
diff --git a/src/main/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImpl.java b/src/main/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImpl.java
index 8973056..64f9429 100644
--- a/src/main/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImpl.java
+++ b/src/main/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImpl.java
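Review bot: With `/rtps` moved back under `anyExchange().authenticated()`, the remaining `.pathMatchers("/actuator/**").permitAll()` on the new side still opens every actuator endpoint that is exposed over the web to unauthenticated callers, which is a larger surface than the single endpoint this revert re-protects if anything beyond health is listed in `management.endpoints.web.exposure.include`. Narrowing it to `.pathMatchers("/actuator/health/**", "/actuator/info").permitAll()`, or confirming that only health is exposed, keeps the liveness probe working without publishing env, beans or heap dumps; the exposure configuration is not visible in this diff, so check it before changing the matcher. Since the previous commit removed `/rtps` from this list deliberately and this one restores the requirement, a one-line comment on the new matcher line such as `// /rtps requires an authenticated caller; the role check lives on SendAPIControllerImpl.createRtp` would record the intent for the next reader. securityWebFilterChain starts before and ends after this hunk.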
@@ -3,7 +3,9 @@ import it.gov.pagopa.rtp.activator.controller.generated.send.RtpsApi;
 import it.gov.pagopa.rtp.activator.model.generated.send.CreateRtpDto;
 import it.gov.pagopa.rtp.activator.service.rtp.SendRTPService;
+
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.server.ServerWebExchange;
@@ -20,6 +22,7 @@ public SendAPIControllerImpl(SendRTPService sendRTPService) {
 }
 @Override
+ @PreAuthorize("hasRole('write_rtp_send')")
 public Mono> createRtp(Mono createRtpDto, ServerWebExchange exchange) {
 return createRtpDto
diff --git a/src/test/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImplTest.java b/src/test/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImplTest.java
index 7a3396e..2bda121 100644
--- a/src/test/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImplTest.java
+++ b/src/test/java/it/gov/pagopa/rtp/activator/controller/SendAPIControllerImplTest.java
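Review bot: The `@PreAuthorize("hasRole('write_rtp_send')")` restored on `createRtp` is only enforced when reactive method security is enabled for the application (`@EnableReactiveMethodSecurity`); that configuration is not part of this diff, so if it were ever dropped the annotation would become silently inert and only the filter chain's `authenticated()` rule would remain — the 403 test added in SendAPIControllerImplTest is what guards against that and should stay. `hasRole` prepends the default `ROLE_` prefix, so the caller's granted authorities must contain `ROLE_write_rtp_send`; if the token-to-authority mapping in SecurityConfig does not add that prefix, `hasAuthority('write_rtp_send')` is the matching check. The role name is a bare literal here and is presumably repeated inside the test helper `Users.RtpSenderWriter`; a single `static final String` constant referenced from the annotation expression and the test keeps the two from drifting. The body of `createRtp` continues past the end of the hunk.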
@@ -1,30 +1,36 @@
 package it.gov.pagopa.rtp.activator.controller;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.when;
-import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
-
-import it.gov.pagopa.rtp.activator.configuration.SecurityConfig;
-import it.gov.pagopa.rtp.activator.model.generated.send.CreateRtpDto;
-import it.gov.pagopa.rtp.activator.model.generated.send.PayeeDto;
-import it.gov.pagopa.rtp.activator.service.rtp.SendRTPService;
-import java.time.LocalDate;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.reactive.WebFluxTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
+
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.aot.DisabledInAotMode;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.web.reactive.server.WebTestClient;
+
+import it.gov.pagopa.rtp.activator.configuration.SecurityConfig;
+
+import it.gov.pagopa.rtp.activator.model.generated.send.CreateRtpDto;
+import it.gov.pagopa.rtp.activator.model.generated.send.PayeeDto;
+import it.gov.pagopa.rtp.activator.service.rtp.SendRTPService;
+import it.gov.pagopa.rtp.activator.utils.Users;
 import reactor.core.publisher.Mono;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;
+
+import java.time.LocalDate;
+
 @ExtendWith(SpringExtension.class)
 @WebFluxTest(controllers = { SendAPIControllerImpl.class })
 @Import({ SecurityConfig.class })
@@ -49,6 +55,7 @@ void setup() {
 }
 @Test
+ @Users.RtpSenderWriter
 void testSendRtpSuccessful() {
 when(sendRTPService.send(anyString(), anyInt(), anyString(), any(), anyString(), anyString(), anyString(),
@@ -66,6 +73,7 @@ void testSendRtpSuccessful() {
 }
 @Test
+ @Users.RtpSenderWriter
 void testSendRtpWithWrongBody() {
 when(sendRTPService.send(anyString(), anyInt(), anyString(), any(), anyString(), anyString(), anyString(),
@@ -80,6 +88,17 @@ void testSendRtpWithWrongBody() {
 .isEqualTo(HttpStatus.BAD_REQUEST);
 }
+ @Test
+ @WithMockUser
+ void userWithoutEnoughPermissionShouldNotSendRtp() {
+ webTestClient.post()
+ .uri("/rtps")
+ .bodyValue(generateSendRequest())
+ .exchange()
+ .expectStatus()
+ .isEqualTo(HttpStatus.FORBIDDEN);
+ }
+
 private CreateRtpDto generateSendRequest() {
 return new CreateRtpDto("311111111112222222", 1, "description", LocalDate.now(), "payerId",
 new PayeeDto("77777777777", "payeeName"));
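Review bot: `userWithoutEnoughPermissionShouldNotSendRtp` covers an authenticated caller with the wrong role, but nothing in this file now exercises the other half of the revert, an unauthenticated request to `/rtps`, which the SecurityConfig change in this commit moves back under `authenticated()`. A companion test that is a copy of this one with no `@WithMockUser`/`@Users` annotation and `HttpStatus.UNAUTHORIZED` as the expected status would pin that; the exact status depends on the entry point configured in SecurityConfig, which is outside this diff, so adjust it to what the chain actually returns. In the new 403 test, also add `verifyNoInteractions(sendRTPService);` after the status assertion (static import from `org.mockito.Mockito`) so the test proves the denial happens before `createRtp` runs, not only that the response code is right. The `@Users.RtpSenderWriter` additions in the two earlier hunks of this file look correct; the methods they annotate start and end outside those hunks.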