security - works ?

593eb3aa · Andrej Zabka · dbee6425 · 593eb3aa · 593eb3aa · 593eb3aa
Commit 593eb3aa authored 1 year ago by Andrej Zabka
--- a/README.md
+++ b/README.md
@@ -84,12 +84,12 @@ mvn spring-boot:run
 ```
 To see the running REST api's in action, use CURL or swagger UI:
-http://localhost:8080/swagger-ui/index.html
+http://localhost:8090/swagger-ui/index.html
 Just note that each module runs on a different port by default, so care where you send your requests.<br>
 **Default ports:**
- core module: 8080
+- core module: 8090
 - notifications module: 8083
 - visualization module: 8082
 - applications module: 8081

--- a/core/src/main/java/cz/muni/pa165/config/SecurityConfig.java
+++ b/core/src/main/java/cz/muni/pa165/config/SecurityConfig.java
 package cz.muni.pa165.config;
-import io.swagger.v3.oas.models.security.OAuthFlow;
+import io.swagger.v3.oas.models.security.*;
-import io.swagger.v3.oas.models.security.OAuthFlows;
-import io.swagger.v3.oas.models.security.Scopes;
-import io.swagger.v3.oas.models.security.SecurityScheme;
 import org.springdoc.core.customizers.OpenApiCustomizer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -22,34 +19,77 @@ public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http.csrf().disable();
        http
                .authorizeHttpRequests(x -> x
-                        .requestMatchers("/swagger-ui/**", "/v3/api-docs/**")
+                        .requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
-                        .permitAll().anyRequest().authenticated()
+                        .requestMatchers(HttpMethod.POST,"/carComponent").hasAuthority("SCOPE_test_1")
+                        .requestMatchers(HttpMethod.GET, "/carComponent").hasAnyAuthority("SCOPE_test_5", "SCOPE_test_1")
+                        .requestMatchers("/carComponent/**").hasAnyAuthority("SCOPE_test_5", "SCOPE_test_1")
+                        .requestMatchers("/car", "/car/**", "/driver/**", "/driver").hasAuthority("SCOPE_test_5")
+                        .requestMatchers("/engineer", "/engineer/**", "/department", "/department/**").hasAuthority("SCOPE_test_5")
+                        .anyRequest().denyAll()
                )
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken)
        ;
        return http.build();
    }
+    //settings for swaggerUI, all of this should be in openapi.yaml, but it doesn't work when put there
    @Bean
    public OpenApiCustomizer openAPICustomizer() {
-        return openApi -> openApi.getComponents()
+        return openApi -> {
-                .addSecuritySchemes("OAuth2",
+            openApi.getComponents()
-                        new SecurityScheme()
+                    .addSecuritySchemes("OAuth2",
-                                .type(SecurityScheme.Type.OAUTH2)
+                            new SecurityScheme()
-                                .description("get access token with Authorization Code Grant")
+                                    .type(SecurityScheme.Type.OAUTH2)
-                                .flows(new OAuthFlows()
+                                    .description("get access token with Authorization Code Grant")
-                                        .authorizationCode(new OAuthFlow()
+                                    .flows(new OAuthFlows()
-                                                .authorizationUrl("https://oidc.muni.cz/oidc/authorize")
+                                            .authorizationCode(new OAuthFlow()
-                                                .tokenUrl("https://oidc.muni.cz/oidc/token")
+                                                    .authorizationUrl("https://oidc.muni.cz/oidc/authorize")
-                                                .scopes(new Scopes()
+                                                    .tokenUrl("https://oidc.muni.cz/oidc/token")
-                                                        .addString("openid", "idk")
+                                                    .scopes(new Scopes()
-                                                        .addString("test_5", "deleting events")
+                                                            //.addString("openid", "idk")
-                                                )
+                                                            .addString("test_5", "manager scope")
-                                        )
+                                                            .addString("test_1", "engineer scope")
-                                )
+                                                    )
-                );
+                                            )
+                                    )
+                    );
+            var managerScopeRequirement = new SecurityRequirement().addList("OAuth2", "test_5");
+            var engineerScopeRequirement = new SecurityRequirement().addList("OAuth2", "test_1");
+            openApi.getPaths().get("/car").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/car").getPost().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/car/driver").getPut().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/car/driver").getDelete().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/car/{id}").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/car/{id}").getDelete().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/car/{id}").getPatch().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/driver").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/driver").getPost().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/driver/{id}").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/driver/{id}").getDelete().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/driver/{id}").getPatch().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/driver/test").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/carComponent").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/carComponent/{id}").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/carComponent/{id}").getDelete().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/carComponent/{id}").getPatch().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/carComponent/type").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/department/{departmentId}").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/department/{departmentId}").getPut().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/department/{departmentId}").getDelete().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/department/{departmentId}").getPatch().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/department").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/department").getPost().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/engineer").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/engineer").getPost().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/engineer/{id}").getGet().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/engineer/{id}").getDelete().addSecurityItem(managerScopeRequirement);
+            openApi.getPaths().get("/carComponent").getPost().addSecurityItem(engineerScopeRequirement);
+        };
    }

--- a/core/src/main/resources/application.properties
+++ b/core/src/main/resources/application.properties
 logging.level.root=info
 logging.level.cz.muni=debug
-server.port=8080
+server.port=8090
 spring.jpa.open-in-view=false
 spring.datasource.url=jdbc:h2:mem:formula-core;MODE=PostgreSQL
 spring.datasource.driverClassName=org.h2.Driver
@@ -12,8 +12,7 @@ spring.jackson.property-naming-strategy=SNAKE_CASE
 spring.cache.type=NONE
 appconfig.enablecache=false
-#resource server nastavenia - toto by malo len znamenat ze ta nasa appka si na tejto adrese bude overovat tie tokeny co dostane v requestoch
+#resource server nastavenia
-#skopirovane z cvika
 spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://oidc.muni.cz/oidc/introspect
 spring.security.oauth2.resourceserver.opaquetoken.client-id=d57b3a8f-156e-46de-9f27-39c4daee05e1
 spring.security.oauth2.resourceserver.opaquetoken.client-secret=fa228ebc-4d54-4cda-901e-4d6287f8b1652a9c9c44-73c9-4502-973f-bcdb4a8ec96a
@@ -24,8 +23,5 @@ logging.level.org.springframework.security=DEBUG
 #swagger nastavenia
 springdoc.swagger-ui.oauth.client-id=7e02a0a9-446a-412d-ad2b-90add47b0fdd
 springdoc.swagger-ui.oauth.client-secret=48a2b2e3-4b2b-471e-b7b7-b81a85b6eeef22f347f2-3fc9-4e16-8698-3e2492701a89
-springdoc.swagger-ui.oauth.scopes=openid, test_5
+springdoc.swagger-ui.oauth.scopes=openid, test_1, test_5
-#bez tejto url to nefunguje - ta muni stranka vypise error, lenze tato url znamena ze po tej autentizacii to redirectne na hentaku neexistujucu url
-#myslim si ze je to chyba toho typka co to nastavoval a proste by to malo povolovat aj ine redirect adresy, ale neviem
-springdoc.swagger-ui.oauth2-redirect-url=http://localhost:8080/login/oauth2/code/muni