Enforce scope on entity deletion

OpenConext · Jul 1, 2024 · 518466d · 518466d
1 parent 75bf91e
commit 518466d
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/manage-server/src/main/java/manage/control/MetaDataController.java b/manage-server/src/main/java/manage/control/MetaDataController.java
@@ -218,6 +218,7 @@ public boolean remove(@PathVariable("type") String type,
     public boolean removeInternal(@PathVariable("type") String type,
                                   @PathVariable("id") String id,
                                   APIUser apiUser) {
+        ScopeEnforcer.enforceDeleteScope(apiUser, EntityType.fromType(type));
         return metaDataService.doRemove(type, id, apiUser, "Deleted by APIUser " + apiUser.getName());
     }
 

diff --git a/manage-server/src/main/java/manage/web/ScopeEnforcer.java b/manage-server/src/main/java/manage/web/ScopeEnforcer.java
@@ -28,6 +28,12 @@ public static void enforceChangeRequestScope(APIUser apiUser, EntityType entityT
         enforceScope(entityType, apiUser, CHANGE_REQUEST_IDP, CHANGE_REQUEST_SP, "change request");
     }
 
+    public static void enforceDeleteScope(APIUser apiUser, EntityType entityType) {
+        if (!spEntityTypes.contains(entityType) || !apiUser.isAllowed(DELETE_SP)) {
+            throw new EndpointNotAllowed(String.format("APIUser %s is not allowed to delete an entity %s", apiUser.getName(), entityType.getType()));
+        }
+    }
+
     private static void enforceScope(EntityType entityType, APIUser apiUser, Scope writeIdp, Scope writeSp, String action) {
         if (entityType.equals(EntityType.IDP) && !apiUser.isAllowed(writeIdp)) {
             throw new EndpointNotAllowed(String.format("APIUser %s is not allowed to %s for entity %s", apiUser.getName(), action, entityType.getType()));

diff --git a/manage-server/src/test/java/manage/web/ScopeEnforcerTest.java b/manage-server/src/test/java/manage/web/ScopeEnforcerTest.java
@@ -61,4 +61,15 @@ public void enforceChangeRequestScopeAllowedIdP() {
     public void enforceChangeRequestScopeAllowedSP() {
         ScopeEnforcer.enforceChangeRequestScope(new APIUser("test", List.of(Scope.CHANGE_REQUEST_SP)), EntityType.SP);
     }
+
+    @Test(expected = EndpointNotAllowed.class)
+    public void enforceDeleteScopeIdP() {
+        ScopeEnforcer.enforceDeleteScope(new APIUser("test", List.of(Scope.DELETE_SP)), EntityType.IDP);
+    }
+
+    @Test
+    public void enforceDeleteScopeIdPNotAllowed() {
+        ScopeEnforcer.enforceDeleteScope(new APIUser("test", List.of(Scope.DELETE_SP)), EntityType.SRAM);
+    }
+
 }