From 6bac3fa640c7a5fcff70cd7f9c3203f76cb2d2c9 Mon Sep 17 00:00:00 2001 From: maverickstuder Date: Tue, 2 Jul 2024 16:20:47 +0200 Subject: [PATCH] RED-8491: Hide all KNECON_* roles for any possible access in all endpoints * implemented additional requirement for disabled role rank validation on target knecon role user --- .../service/UserService.java | 1 + .../tenantusermanagement/tests/UserTest.java | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+)
diff --git a/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java b/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
index 6af19a7..6b140fe 100644
--- a/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
+++ b/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
@@ -653,6 +653,7 @@ public class UserService {
 .max(Integer::compare)
 .orElse(-1);
 var targetRank = userRoles.stream()
+ .filter(ApplicationRoles::isNoKneconRole)
 .map(r -> roleMapping.getRole(r).getRank())
 .max(Integer::compare)
 .orElse(-1);
diff --git a/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java b/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
index 0a2da1a..720194f 100644
--- a/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
+++ b/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
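Review bot: Filtering KNECON_* roles out of `targetRank` with the added `.filter(ApplicationRoles::isNoKneconRole)` means a target that holds a KNECON_* role alongside tenant roles is now ranked only by its tenant roles, and a target holding Knecon roles alone falls through to the `.orElse(-1)` sentinel — the same value as a user with no roles at all — so the rank comparison that follows no longer protects Knecon-role holders from tenant callers who merely outrank their tenant roles. The accompanying test covers a target with exclusively Knecon roles (where a separate lookup answers 404) and a target with `allButKneconRoles`, but not the mixed case, which is where this filter changes the outcome. If `isNoKneconRole` drops KNECON_* roles as its name suggests, consider rejecting (or treating as not found) a target that carries any Knecon role when the caller is not a Knecon user before this comparison, rather than silently discarding those roles, and note the dependency at the filter line with a comment such as `// KNECON_* roles are hidden from tenant callers: a Knecon-only target ranks -1 here, so the visibility check must already have excluded it`. The enclosing method starts and ends outside the hunk, so whether the caller's own rank (computed just above) applies the same filter is not visible here.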
@@ -497,6 +497,50 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
 e = assertThrows(FeignException.class, () -> userClient.setRoles(redUserAdmin.getUserId(), allRoles));
 assertEquals(400, e.status());
+ // reset password for authentication
+ userClient.resetPassword(noKneconUser.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build());
+
+ // authenticate with user without knecon roles
+ tokenService.setUser("nokneconroles@notknecon.com", "Secret@secured!23");
+
+ e = assertThrows(FeignException.class, () -> userClient.resetPassword(onlyKneconUser.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build()));
+ assertEquals(404, e.status());
+
+ userClient.resetPassword(user.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build());
+
+ userClient.activateProfile(user.getUserId(), true);
+
+ userClient.deleteUser(user.getUserId());
+
+ e = assertThrows(FeignException.class, () -> userClient.getUserById(user.getUserId()));
+ assertEquals(404, e.status());
+ // give the user the old roles back
+ addRoles(user.getUserId(), allButKneconRoles);
+
+ // create several users with different roles for testing
+ createUserRequest = new CreateUserRequest();
+ createUserRequest.setEmail("lesseruser@user.com");
+ createUserRequest.setFirstName("Lesser");
+ createUserRequest.setLastName("User");
+ createUserRequest.setUsername("LesserSuperUser");
+ var lesserUser = userClient.createUser(createUserRequest);
+ addRoles(lesserUser.getUserId(), Set.of("LESS_SUPER_USER"));
+
+ // reset password for authentication
+ userClient.resetPassword(lesserUser.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build());
+
+ // authenticate with user without knecon roles
+ tokenService.setUser("lesseruser@user.com", "Secret@secured!23");
+
+ e = assertThrows(FeignException.class, () -> userClient.resetPassword(user.getUserId(), 
ResetPasswordRequest.builder().password("Secret@secured!23").build()));
+ assertEquals(403, e.status());
+
+ e = assertThrows(FeignException.class, () -> userClient.activateProfile(user.getUserId(), true));
+ assertEquals(403, e.status());
+
+ e = assertThrows(FeignException.class, () -> userClient.deleteUser(user.getUserId()));
+ assertEquals(403, e.status());
+
 // authenticate as knecon admin again
 tokenService.setUser("admin@knecon.com", "secret");