fix: priviliges model, add separate authority to search agencies

src/main/java/de/caritas/cob/agencyservice/api/authorization/Authority.java

@@ -1,24 +1,35 @@
 package de.caritas.cob.agencyservice.api.authorization;
 
+import com.google.common.collect.Lists;
+import java.util.List;
 import java.util.stream.Stream;
+import lombok.Getter;
 
 /**
  * 
  * Definition of all authorities and of the role-authority-mapping.
  *
  */
+@Getter
 public enum Authority {
 
-  AGENCY_ADMIN("agency-admin", "AUTHORIZATION_AGENCY_ADMIN"),
-  TENANT_ADMIN("tenant-admin", "AUTHORIZATION_TENANT_ADMIN"),
-  RESTRICTED_AGENCY_ADMIN("restricted-agency-admin", "AUTHORIZATION_RESTRICTED_AGENCY_ADMIN");
+  AGENCY_ADMIN("agency-admin", AuthorityValue.AGENCY_ADMIN, AuthorityValue.SEARCH_AGENCIES),
+  TENANT_ADMIN("tenant-admin", AuthorityValue.TENANT_ADMIN),
+  RESTRICTED_AGENCY_ADMIN("restricted-agency-admin", AuthorityValue.RESTRICTED_AGENCY_ADMIN, AuthorityValue.SEARCH_AGENCIES),
+
+  RESTRICTED_CONSULTANT_ADMIN("restricted-consultant-admin", AuthorityValue.SEARCH_AGENCIES);
 
   private final String roleName;
-  private final String authorityName;
+  private final List<String> authorities;
 
   Authority(final String roleName, final String authorityName) {
     this.roleName = roleName;
-    this.authorityName = authorityName;
+    this.authorities = Lists.newArrayList(authorityName);
+  }
+
+  Authority(final String roleName, final String... authorities) {
+    this.roleName = roleName;
+    this.authorities = Lists.newArrayList(authorities);
   }
 
   /**
@@ -34,12 +45,18 @@ public static Authority fromRoleName(String roleName) {
         .orElse(null);
   }
 
-  public String getAuthority() {
-    return this.authorityName;
-  }
 
-  public String getRoleName() {
-    return this.roleName;
+  public static class AuthorityValue {
+
+    private AuthorityValue() {}
+
+    public static final String PREFIX = "AUTHORIZATION_";
+    public static final String AGENCY_ADMIN = PREFIX + "AGENCY_ADMIN";
+    public static final String SEARCH_AGENCIES = PREFIX + "SEARCH_AGENCIES";
+    public static final String TENANT_ADMIN = PREFIX + "TENANT_ADMIN";
+    public static final String RESTRICTED_AGENCY_ADMIN = PREFIX + "RESTRICTED_AGENCY_ADMIN";
+
   }
 
+
 }

src/main/java/de/caritas/cob/agencyservice/api/authorization/RoleAuthorizationAuthorityMapper.java

@@ -30,7 +30,8 @@ public Set<GrantedAuthority> mapAuthorities(Set<String> roleNames) {
     return roleNames.stream()
         .map(Authority::fromRoleName)
         .filter(Objects::nonNull)
-        .map(Authority::getAuthority)
+        .map(Authority::getAuthorities)
+        .flatMap(Collection::parallelStream)
         .map(SimpleGrantedAuthority::new)
         .collect(Collectors.toSet());
   }

src/main/java/de/caritas/cob/agencyservice/config/SecurityConfig.java

@@ -1,9 +1,6 @@
 package de.caritas.cob.agencyservice.config;
 
-import static de.caritas.cob.agencyservice.api.authorization.Authority.AGENCY_ADMIN;
-import static de.caritas.cob.agencyservice.api.authorization.Authority.RESTRICTED_AGENCY_ADMIN;
-import static de.caritas.cob.agencyservice.api.authorization.Authority.TENANT_ADMIN;
-
+import de.caritas.cob.agencyservice.api.authorization.Authority.AuthorityValue;
 import de.caritas.cob.agencyservice.config.security.AuthorisationService;
 import de.caritas.cob.agencyservice.config.security.JwtAuthConverter;
 import de.caritas.cob.agencyservice.config.security.JwtAuthConverterProperties;
@@ -16,6 +13,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.core.env.Environment;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -84,11 +82,13 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         .requestMatchers("/agencies/**").permitAll()
         .requestMatchers(WHITE_LIST).permitAll()
         .requestMatchers("/agencies").permitAll()
+        .requestMatchers(HttpMethod.GET, "/agencyadmin/agencies")
+        .hasAuthority(AuthorityValue.SEARCH_AGENCIES)
         .requestMatchers("/agencyadmin/agencies/tenant/*")
-        .access("hasAuthority('" + AGENCY_ADMIN.getAuthority()
-            + "') and hasAuthority('" + TENANT_ADMIN.getAuthority() + "')")
+        .access("hasAuthority('" + AuthorityValue.AGENCY_ADMIN
+            + "') and hasAuthority('" + AuthorityValue.TENANT_ADMIN + "')")
         .requestMatchers("/agencyadmin", "/agencyadmin/", "/agencyadmin/**")
-        .hasAnyAuthority(AGENCY_ADMIN.getAuthority(), RESTRICTED_AGENCY_ADMIN.getAuthority())
+        .hasAnyAuthority(AuthorityValue.AGENCY_ADMIN, AuthorityValue.RESTRICTED_AGENCY_ADMIN)
         .anyRequest().denyAll();
 
 

src/test/java/de/caritas/cob/agencyservice/api/authorization/AuthorityTest.java

@@ -2,40 +2,40 @@
 
 import static de.caritas.cob.agencyservice.api.authorization.Authority.AGENCY_ADMIN;
 import static de.caritas.cob.agencyservice.api.authorization.Authority.fromRoleName;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.is;
-import static org.hamcrest.Matchers.nullValue;
+import static org.assertj.core.api.Assertions.assertThat;
 
+import de.caritas.cob.agencyservice.api.authorization.Authority.AuthorityValue;
+import java.util.List;
 import org.junit.Test;
 
 public class AuthorityTest {
 
   @Test
   public void getAuthority_Should_returnExpectedAuthority_When_authorityIsAgencyAdmin() {
-    String authority = AGENCY_ADMIN.getAuthority();
+    List<String> authorities = AGENCY_ADMIN.getAuthorities();
 
-    assertThat(authority, is("AUTHORIZATION_AGENCY_ADMIN"));
+    assertThat(authorities).containsOnly(AuthorityValue.AGENCY_ADMIN, AuthorityValue.SEARCH_AGENCIES);
   }
 
   @Test
   public void fromRoleName_Should_returnNull_When_roleNameIsNull() {
     Authority authority = fromRoleName(null);
 
-    assertThat(authority, nullValue());
+    assertThat(authority).isNull();
   }
 
   @Test
   public void fromRoleName_Should_returnNull_When_roleNameDoesNotExist() {
     Authority authority = fromRoleName("not existing");
 
-    assertThat(authority, nullValue());
+    assertThat(authority).isNull();
   }
 
   @Test
   public void fromRoleName_Should_returnAgencyAdmin_When_roleNameIsAgencyAdmin() {
     Authority authority = fromRoleName("agency-admin");
 
-    assertThat(authority, is(AGENCY_ADMIN));
+    assertThat(authority.getAuthorities()).containsOnly(AuthorityValue.AGENCY_ADMIN, AuthorityValue.SEARCH_AGENCIES);
   }
 
 }

src/test/java/de/caritas/cob/agencyservice/api/authorization/RoleAuthorizationAuthorityMapperTest.java

@@ -2,10 +2,8 @@
 
 import static de.caritas.cob.agencyservice.api.authorization.Authority.AGENCY_ADMIN;
 import static java.util.Collections.emptyList;
-import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.hasSize;
-import static org.hamcrest.Matchers.is;
-
+import static org.assertj.core.api.Assertions.assertThat;
+import de.caritas.cob.agencyservice.api.authorization.Authority.AuthorityValue;
 import java.util.Collection;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -28,8 +26,10 @@ public void mapAuthorities_Should_returnGrantedAgencyAdminAuthority_When_authori
     Collection<? extends GrantedAuthority> mappedAuthorities = this.roleAuthorizationAuthorityMapper
         .mapAuthorities(grantedAuthorities);
 
-    assertThat(mappedAuthorities, hasSize(1));
-    assertThat(mappedAuthorities.iterator().next().getAuthority(), is(AGENCY_ADMIN.getAuthority()));
+    assertThat(mappedAuthorities).hasSize(2);
+    List<String> authorities = mappedAuthorities.stream()
+        .map(grantedAuthority -> grantedAuthority.getAuthority()).toList();
+    assertThat(authorities).containsAll(AGENCY_ADMIN.getAuthorities());
   }
 
   @Test
@@ -41,16 +41,32 @@ public void mapAuthorities_Should_returnGrantedAgencyAdminAuthority_When_authori
     Collection<? extends GrantedAuthority> mappedAuthorities = this.roleAuthorizationAuthorityMapper
         .mapAuthorities(grantedAuthorities);
 
-    assertThat(mappedAuthorities, hasSize(1));
-    assertThat(mappedAuthorities.iterator().next().getAuthority(), is(AGENCY_ADMIN.getAuthority()));
+    assertThat(mappedAuthorities).hasSize(2);
+    List<String> authorities = mappedAuthorities.stream()
+        .map(grantedAuthority -> grantedAuthority.getAuthority()).toList();
+    assertThat(authorities).containsAll(AGENCY_ADMIN.getAuthorities());
+
+  }
+
+  @Test
+  public void mapAuthorities_Should_returnGrantedAgencySearchAuthority_When_authoritiesRestrictedConsultantAdmin() {
+    List<GrantedAuthority> grantedAuthorities = Stream.of("a", "v", "restricted-consultant-admin", "c")
+        .map(SimpleGrantedAuthority::new)
+        .collect(Collectors.toList());
+
+    Collection<? extends GrantedAuthority> mappedAuthorities = this.roleAuthorizationAuthorityMapper
+        .mapAuthorities(grantedAuthorities);
+
+    assertThat(mappedAuthorities).hasSize(1);
+    assertThat(mappedAuthorities.iterator().next().getAuthority()).isEqualTo(AuthorityValue.SEARCH_AGENCIES);
   }
 
   @Test
   public void mapAuthorities_Should_returnEmptyCollection_When_authorityIsEmpty() {
     Collection<? extends GrantedAuthority> mappedAuthorities = this.roleAuthorizationAuthorityMapper
         .mapAuthorities(emptyList());
 
-    assertThat(mappedAuthorities, hasSize(0));
+    assertThat(mappedAuthorities).isEmpty();
   }
 
   @Test
@@ -62,7 +78,7 @@ public void mapAuthorities_Should_returnEmptyCollection_When_authoritiesAreNotPr
     Collection<? extends GrantedAuthority> mappedAuthorities = this.roleAuthorizationAuthorityMapper
         .mapAuthorities(grantedAuthorities);
 
-    assertThat(mappedAuthorities, hasSize(0));
+    assertThat(mappedAuthorities).isEmpty();
   }
 
 }