Expand Up @@ -20,7 +20,7 @@ class BootStrap {
AppUser.withTransaction {
AppUser.repo.flush()
AppUser admin = new AppUser([
id: (Long)6, username: "[email protected]", email: "[email protected]", orgId: 2
id: 6L, username: "[email protected]", email: "[email protected]", orgId: 2
]).persist()
admin.addRole('ADMIN', true)
admin.addRole('MANAGER', true)
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@ class SmokeRestApiSpec extends Specification implements OkHttpRestTrait {

String path = "/api/rally"

// def setup(){
// login()
// }
void setup(){
login()
}

// @Value('${local.server.port}')
// protected Integer serverPort;
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ package yakworks.rest
import yakworks.rest.gorm.controller.CrudApiController
import grails.testing.mixin.integration.Integration
import org.apache.commons.lang3.StringUtils
import yakworks.testing.gorm.integration.SecuritySpecHelper
import yakworks.testing.rest.RestIntTest
import yakworks.rally.job.SyncJob
import yakworks.rally.orgs.model.Org
Expand All @@ -12,7 +13,7 @@ import static org.springframework.http.HttpStatus.MULTI_STATUS

// @Rollback
@Integration
class BulkControllerSpec extends RestIntTest {
class BulkControllerSpec extends RestIntTest implements SecuritySpecHelper {

CrudApiController<Org> controller

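Review bot: The class line now implements SecuritySpecHelper, but nothing in the diff shows what that trait does — presumably it establishes an authenticated principal before each feature — so a reader cannot tell which user and roles BulkControllerSpec's requests now run under, nor whether that context is cleared afterwards. The same line is added to BulkCsvSpec, ContactControllerTests and OrgControllerTests, so one comment on the class line in each, e.g. `// SecuritySpecHelper sets up the security context for these features; see the trait for the principal and roles used`, would make the assumed authorization context explicit. If the trait does not reset the security context in a cleanup, an authenticated principal could leak into other integration specs in the same JVM and hide missing-auth failures there; worth confirming against the trait. The class body continues outside the hunk.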
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
package yakworks.rest

import yakworks.testing.gorm.integration.SecuritySpecHelper

import java.nio.file.Path

Expand All @@ -18,7 +19,7 @@ import yakworks.testing.rest.RestIntTest

@Rollback
@Integration
class BulkCsvSpec extends RestIntTest {
class BulkCsvSpec extends RestIntTest implements SecuritySpecHelper {

CrudApiController<Contact> controller
AttachmentRepo attachmentRepo
Original file line number Diff line number Diff line change
Expand Up @@ -35,9 +35,9 @@ class CacheListApiSpec extends Specification implements OkHttpRestTrait, WithTrx
Map body = bodyToMap(resp)

then:
body
body.status == 429
resp.code() == HttpStatus.TOO_MANY_REQUESTS.value()

}

}
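Review bot: `Map body = bodyToMap(resp)` on the when: side is now dead — the rewritten then: block checks only `resp.code()`, so the local is computed and never read, and the body of the 429 response is no longer asserted at all. Either drop that line or keep a body assertion next to the status check, e.g. `body.status == 429` as before, so the rate-limit response contract (status code and error payload) stays covered. The feature method begins outside the hunk.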
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,13 @@ import yakworks.rest.gorm.controller.CrudApiController
import grails.gorm.transactions.Rollback
import grails.testing.mixin.integration.Integration
import yakworks.commons.map.Maps
import yakworks.testing.gorm.integration.SecuritySpecHelper
import yakworks.testing.rest.RestIntTest
import yakworks.rally.orgs.model.Contact

@Rollback
@Integration
class ContactControllerTests extends RestIntTest {
class ContactControllerTests extends RestIntTest implements SecuritySpecHelper {

CrudApiController<Contact> controller
// String controllerName = 'ContactController'
Original file line number Diff line number Diff line change
@@ -1,21 +1,19 @@
package yakworks.rest

import org.springframework.http.HttpStatus


import yakworks.rally.orgs.model.ContactFlex
import yakworks.rally.orgs.model.OrgFlex
import yakworks.rest.gorm.controller.CrudApiController
import grails.gorm.transactions.Rollback
import grails.testing.mixin.integration.Integration
import yakworks.commons.map.Maps
import yakworks.testing.gorm.integration.SecuritySpecHelper
import yakworks.testing.rest.RestIntTest
import yakworks.rally.orgs.model.Org
import yakworks.rally.tag.model.Tag

@Rollback
@Integration
class OrgControllerTests extends RestIntTest {
class OrgControllerTests extends RestIntTest implements SecuritySpecHelper {

CrudApiController<Org> controller

Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import okhttp3.RequestBody
import org.apache.poi.xssf.usermodel.XSSFWorkbook
import org.springframework.http.HttpStatus
import spock.lang.IgnoreRest
import yakworks.rest.client.OkAuth
import yakworks.rest.client.OkHttpRestTrait
import grails.testing.mixin.integration.Integration
import okhttp3.HttpUrl
Expand Down Expand Up @@ -415,4 +416,25 @@ class OrgRestApiSpec extends Specification implements OkHttpRestTrait, WithTrx {
body.detail.contains "expecting '}'"
}

void "test readonly operation"() {
setup:
OkAuth.TOKEN = null
login("readonly", "123")

when:
String q = '{name: "Org20"}'
def resp = post(path, [num:"C1", name:"C1", type: 'Customer'])
Map body = bodyToMap(resp)

then:
resp.code() == HttpStatus.UNAUTHORIZED.value()
body
!body.ok
body.code == "error.unauthorized"
body.title == 'Unauthorized'
body.detail == 'Access Denied'

cleanup:
OkAuth.TOKEN = null
}
}
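Review bot: The then: block pins a 401 UNAUTHORIZED with detail 'Access Denied' for a user who has just authenticated via `login("readonly", "123")`; that is an authorization failure, for which 403 FORBIDDEN is the conventional code, so the test may be enshrining a server-side mislabelling of the denial — worth confirming it is intended before it is locked in here and again in ReadonlyRestApiSpec's assertAccessDenied. `String q = '{name: "Org20"}'` is never used and should be removed. The feature also never checks that the denied POST had no effect; a follow-up read confirming that no Org named "C1" exists would show the denial was enforced rather than merely reported. The surrounding class begins outside the hunk.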
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
package yakworks.rest

import grails.testing.mixin.integration.Integration
import okhttp3.Response
import org.springframework.http.HttpStatus
import spock.lang.Specification
import yakworks.rest.client.OkAuth
import yakworks.rest.client.OkHttpRestTrait

@Integration
class ReadonlyRestApiSpec extends Specification implements OkHttpRestTrait {

String path = "/api/rally/contact"

void setupSpec() {
OkAuth.TOKEN = null
}

void cleanupSpec() {
OkAuth.TOKEN = null
}

def setup(){
login("readonly", "123")
}

void "create"() {
when:
def resp = post(path, data)

then:
assertAccessDenied(resp)
}

void "update"() {
when:
def resp = put(path+"/1", data)

then:
assertAccessDenied(resp)
}

void "upsert"() {
when:
def resp = post(path+"/upsert", data)

then:
assertAccessDenied(resp)
}

void "remove"() {
when:
def resp = delete(path+"/1")

then:
assertAccessDenied(resp)
}

void "bulk"() {
when:
def resp = post(path+"/bulk?jobSource=Oracle&savePayload=false", [data])

then:
assertAccessDenied(resp)
}

void assertAccessDenied(Response resp) {
assert resp
assert resp.code() == HttpStatus.UNAUTHORIZED.value()

Map body = bodyToMap(resp)

assert body
assert !body.ok
assert body.code == "error.unauthorized"
assert body.title == 'Unauthorized'
assert body.detail == 'Access Denied'
}

Map getData() {
return [name: "C1", firstName: "C1", orgId: 2,]
//return [num:"T1", name:"T1", type: OrgType.Customer.name()]
}
}
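Review bot: Every feature here asserts that the readonly user is denied, but none shows that the role can actually read — and because assertAccessDenied expects 401 with 'Access Denied', a failed `login("readonly", "123")` (wrong password, missing user) would produce the same result, so the spec cannot distinguish "role enforced" from "login broken". A positive feature such as `get(path + "/1")` asserting `resp.code() == 200` would pin that the credentials authenticate and that the denials come from the role. The write features also never verify that no Contact was created or changed, which is the property a read-only role is meant to guarantee. `def setup()` sits next to `void setupSpec()`/`void cleanupSpec()`; using `void` for all three, and deleting the commented-out return in getData(), would match the rest of the file.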
Original file line number Diff line number Diff line change
@@ -1,23 +1,21 @@
package yakworks.security

import java.time.Instant
import java.time.LocalDate
import java.time.LocalDateTime

import org.springframework.beans.factory.annotation.Autowired
import org.springframework.http.HttpStatus
import org.springframework.security.oauth2.core.OAuth2AccessToken

import grails.testing.mixin.integration.Integration
import spock.lang.Ignore
import spock.lang.Specification

import yakworks.rest.client.OkAuth
import yakworks.rest.client.OkHttpRestTrait
import yakworks.security.gorm.model.AppUserToken
import yakworks.security.spring.token.store.TokenStore

// @Ignore
import java.time.ZoneId

@Integration
class OpaqueRestApiSpec extends Specification implements OkHttpRestTrait {

Expand All @@ -27,7 +25,10 @@ class OpaqueRestApiSpec extends Specification implements OkHttpRestTrait {

def setup(){
OkAuth.TOKEN = "opq_123"
//OkAuth.BEARER_TOKEN = "Bearer opq_123"
}

void cleanupSpec() {
OkAuth.TOKEN = null
}

OAuth2AccessToken createOAuthToken(String tokenValue, Instant nowTime, Instant expireAt){
Expand All @@ -42,13 +43,15 @@ class OpaqueRestApiSpec extends Specification implements OkHttpRestTrait {

void "test get to make sure display false dont get returned"() {
setup:
// AppUserToken.create([username: 'admin', tokenValue: 'opq_123', expiresAt: LocalDateTime.now().plusDays(2)], flush: true)
//add token to the store.
def oat = createOAuthToken("opq_123", Instant.now(), Instant.now().plusSeconds(30))
LocalDateTime now = LocalDateTime.now()
Instant nowInstant = now.atZone(ZoneId.of("UTC")).toInstant()
def oat = createOAuthToken("opq_123", nowInstant, nowInstant.plusSeconds(20))
tokenStore.storeToken('admin', oat)

when:
def resp = get("$endpoint/1")
assert resp.code() == 200
Map body = bodyToMap(resp)

then:
Expand All @@ -57,6 +60,9 @@ class OpaqueRestApiSpec extends Specification implements OkHttpRestTrait {
//shoudl not have the display:false fields
!body.containsKey('passwordHash')
!body.containsKey('resetPasswordToken')

cleanup:
tokenStore.removeToken('opq_123')
}

}
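Review bot: `LocalDateTime.now().atZone(ZoneId.of("UTC")).toInstant()` is wrong whenever the JVM's default zone is not UTC: `LocalDateTime.now()` reads the wall clock in the system zone, and reinterpreting those fields as UTC shifts the resulting instant by the zone offset, so the stored token's 20-second validity window is hours in the past or future and the feature fails or passes for the wrong reason depending on where it runs. The removed `Instant.now()` was correct; `Instant nowInstant = Instant.now()` (or `now.atZone(ZoneId.systemDefault()).toInstant()`) restores it, and the `LocalDateTime now` local then goes away. The new `import java.time.ZoneId` also lands under the `// @Ignore` comment instead of beside the other java.time imports. The feature method spans the second and third hunks of this section.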