Merge pull request #554 from IABTechLab/wzh-UID2-5765-enclaveID-registration-authorization

Wzh UI d2 5765 enclave id registration authorization

Author: lizk886

pom.xml

@@ -16,7 +16,7 @@
         <!-- check micrometer.version vertx-micrometer-metrics consumes before bumping up -->
         <micrometer.version>1.12.2</micrometer.version>
         <junit-jupiter.version>5.11.2</junit-jupiter.version>
-        <uid2-shared.version>10.9.0</uid2-shared.version>
+        <uid2-shared.version>10.9.4</uid2-shared.version>
         <okta-jwt.version>0.5.10</okta-jwt.version>
         <image.version>${project.version}</image.version>
     </properties>

src/main/java/com/uid2/admin/auth/OktaCustomScope.java

@@ -11,6 +11,7 @@ public enum OktaCustomScope {
     SECRET_ROTATION("uid2.admin.secret-rotation", Role.SECRET_ROTATION),
     SITE_SYNC("uid2.admin.site-sync", Role.PRIVATE_OPERATOR_SYNC),
     METRICS_EXPORT("uid2.admin.metrics-export", Role.METRICS_EXPORT),
+    ENCLAVE_REGISTRAR("uid2.admin.enclave-registrar", Role.ENCLAVE_REGISTRAR),
     INVALID("invalid", Role.UNKNOWN);
     private final String name;
     private final Role role;

src/main/java/com/uid2/admin/vertx/service/EnclaveIdService.java

@@ -57,7 +57,7 @@ public void setupRoutes(Router router) {
             synchronized (writeLock) {
                 this.handleEnclaveAdd(ctx);
             }
-        }, new AuditParams(List.of("name", "protocol", "enclave_id"), Collections.emptyList()), Role.PRIVILEGED));
+        }, new AuditParams(List.of("name", "protocol", "enclave_id"), Collections.emptyList()), Role.PRIVILEGED, Role.ENCLAVE_REGISTRAR));
         router.post(API_ENCLAVE_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {
                 this.handleEnclaveDel(ctx);

src/test/java/com/uid2/admin/vertx/EnclaveIdServiceTest.java

@@ -96,7 +96,7 @@ public void enclaveId_Add_Success(String protocol, Vertx vertx, VertxTestContext
     }
 
     @ParameterizedTest
-    @EnumSource(value = Role.class, names = {"PRIVILEGED", "SUPER_USER"}, mode = EnumSource.Mode.EXCLUDE)
+    @EnumSource(value = Role.class, names = {"PRIVILEGED", "SUPER_USER", "ENCLAVE_REGISTRAR"}, mode = EnumSource.Mode.EXCLUDE)
     public void enclaveId_Add_NotAuthorized(Role role, Vertx vertx, VertxTestContext vertxTestContext) {
         fakeAuth(role);
 
@@ -238,4 +238,27 @@ public void enclaveId_Delete_NotAuthorized(Role role, Vertx vertx, VertxTestCont
         });
     }
 
+    @ParameterizedTest
+    @ValueSource(strings = {
+            "/api/enclave/list",
+            "/api/enclave/metadata",
+            "/api/enclave/del?name=some-name",
+    })
+    public void enclaveId_Endpoints_NotAuthorized_ForEnclaveRegistrar(String url, Vertx vertx, VertxTestContext vertxTestContext) {
+        fakeAuth(Role.ENCLAVE_REGISTRAR);
+
+        // Use GET for list/metadata, POST for delete
+        if (url.contains("/del")) {
+            post(vertx, vertxTestContext, url, "", response -> {
+                assertEquals(401, response.statusCode());
+                vertxTestContext.completeNow();
+            });
+        } else {
+            get(vertx, vertxTestContext, url, response -> {
+                assertEquals(401, response.statusCode());
+                vertxTestContext.completeNow();
+            });
+        }
+    }
+
 }