RED-8491: Hide all KNECON_* roles for any possible access in all endpoints

* implemented additional requirement for disabled role rank validation on target knecon role user
2024-07-02 16:20:47 +02:00
2 changed files with 45 additions and 0 deletions
--- a/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
+++ b/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
@ -653,6 +653,7 @@ public class UserService {
                .max(Integer::compare)
                .orElse(-1);
        var targetRank = userRoles.stream()
+                .filter(ApplicationRoles::isNoKneconRole)
                .map(r -> roleMapping.getRole(r).getRank())
                .max(Integer::compare)
                .orElse(-1);
--- a/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
+++ b/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
@ -497,6 +497,50 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
        e = assertThrows(FeignException.class, () -> userClient.setRoles(redUserAdmin.getUserId(), allRoles));
        assertEquals(400, e.status());

+        // reset password for authentication
+        userClient.resetPassword(noKneconUser.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build());
+
+        // authenticate with user without knecon roles
+        tokenService.setUser("nokneconroles@notknecon.com", "Secret@secured!23");
+
+        e = assertThrows(FeignException.class, () -> userClient.resetPassword(onlyKneconUser.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build()));
+        assertEquals(404, e.status());
+
+        userClient.resetPassword(user.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build());
+
+        userClient.activateProfile(user.getUserId(), true);
+
+        userClient.deleteUser(user.getUserId());
+
+        e = assertThrows(FeignException.class, () -> userClient.getUserById(user.getUserId()));
+        assertEquals(404, e.status());
+        // give the user the old roles back
+        addRoles(user.getUserId(), allButKneconRoles);
+
+        // create several users with different roles for testing
+        createUserRequest = new CreateUserRequest();
+        createUserRequest.setEmail("lesseruser@user.com");
+        createUserRequest.setFirstName("Lesser");
+        createUserRequest.setLastName("User");
+        createUserRequest.setUsername("LesserSuperUser");
+        var lesserUser = userClient.createUser(createUserRequest);
+        addRoles(lesserUser.getUserId(), Set.of("LESS_SUPER_USER"));
+
+        // reset password for authentication
+        userClient.resetPassword(lesserUser.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build());
+
+        // authenticate with user without knecon roles
+        tokenService.setUser("lesseruser@user.com", "Secret@secured!23");
+
+        e = assertThrows(FeignException.class, () -> userClient.resetPassword(user.getUserId(), ResetPasswordRequest.builder().password("Secret@secured!23").build()));
+        assertEquals(403, e.status());
+
+        e = assertThrows(FeignException.class, () -> userClient.activateProfile(user.getUserId(), true));
+        assertEquals(403, e.status());
+
+        e = assertThrows(FeignException.class, () -> userClient.deleteUser(user.getUserId()));
+        assertEquals(403, e.status());
+
        // authenticate as knecon admin again
        tokenService.setUser("admin@knecon.com", "secret");