Merge pull request #258 from InseeFr/devBackOfficeUserAuth

Back office role

Author: alexisszmundy

src/main/java/fr/insee/genesis/configuration/auth/security/ApplicationRole.java

@@ -7,6 +7,7 @@ public enum ApplicationRole {
     COLLECT_PLATFORM,
     SCHEDULER,
     READER,
+    USER_BACK_OFFICE,
     USER_BATCH_GENERIC
 }
 

src/main/java/fr/insee/genesis/configuration/auth/security/RoleConfiguration.java

@@ -31,6 +31,9 @@ public class RoleConfiguration {
     @Value("#{'${app.role.collect-platform.claims}'.split(',')}")
     private List<String> collectPlatformClaims;
 
+    @Value("#{'${app.role.user-back-office.claims}'.split(',')}")
+    private List<String> userBackOfficeClaims;
+
     @Value("#{'${app.role.scheduler.claims}'.split(',')}")
     private List<String> schedulerClaims;
 
@@ -54,11 +57,13 @@ static RoleHierarchy roleHierarchy() {
         return RoleHierarchyImpl.withDefaultRolePrefix()
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_KRAFTWERK.toString())
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_PLATINE.toString())
+                .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_BACK_OFFICE.toString())
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.COLLECT_PLATFORM.toString())
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.SCHEDULER.toString())
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_BATCH_GENERIC.toString())
                 .role(ApplicationRole.USER_KRAFTWERK.toString()).implies(ApplicationRole.READER.toString())
                 .role(ApplicationRole.USER_PLATINE.toString()).implies(ApplicationRole.READER.toString())
+                .role(ApplicationRole.USER_BACK_OFFICE.toString()).implies(ApplicationRole.READER.toString())
                 .build();
     }
 
@@ -90,6 +95,11 @@ public void initialization() {
                 .computeIfAbsent(claim, k -> new ArrayList<>())
                 .add(String.valueOf(ApplicationRole.USER_PLATINE)));
 
+        // Ajout des claims pour le rôle USER_BACK_OFFICE
+        userBackOfficeClaims.forEach(claim -> rolesByClaim
+                .computeIfAbsent(claim, k -> new ArrayList<>())
+                .add(String.valueOf(ApplicationRole.USER_BACK_OFFICE)));
+
         // Add claims for the COLLECT_PLATFORM role
         collectPlatformClaims.forEach(claim -> rolesByClaim
                 .computeIfAbsent(claim, k -> new ArrayList<>())
@@ -112,5 +122,4 @@ public void initialization() {
 
         log.info("Roles configuration : {}", rolesByClaim);
     }
-
 }

src/main/java/fr/insee/genesis/controller/rest/DataProcessingContextController.java

@@ -46,7 +46,7 @@ public class DataProcessingContextController {
 
     @Operation(summary = "Create or update a data processing context")
     @PutMapping(path = "/review")
-    @PreAuthorize("hasRole('ADMIN')")
+    @PreAuthorize("hasRole('USER_BACK_OFFICE')")
     public ResponseEntity<Object> saveContext(
             @Parameter(description = "Identifier of the partition", required = true) @RequestParam("partitionId") String partitionId,
             @Parameter(description = "Allow reviewing") @RequestParam(value = "withReview", defaultValue = "false") Boolean withReview

src/main/java/fr/insee/genesis/controller/rest/LunaticModelController.java

@@ -31,7 +31,7 @@ public LunaticModelController(LunaticModelApiPort lunaticModelApiPort) {
 
     @Operation(summary = "Save lunatic json data from one interrogation in Genesis Database")
     @PutMapping(path = "/save")
-    @PreAuthorize("hasRole('ADMIN')")
+    @PreAuthorize("hasRole('USER_BACK_OFFICE')")
     public ResponseEntity<String> saveRawResponsesFromJsonBody(
             @RequestParam("questionnaireId") String questionnaireId,
             @RequestBody Map<String, Object> dataJson

src/main/java/fr/insee/genesis/controller/rest/responses/EditedResponseController.java

@@ -50,7 +50,7 @@ public ResponseEntity<Object> getEditedResponses(
 
     @Operation(summary = "Add edited previous json file")
     @PostMapping(path = "previous/json")
-    @PreAuthorize("hasAnyRole('USER_PLATINE','SCHEDULER')")
+    @PreAuthorize("hasAnyRole('USER_PLATINE','SCHEDULER','USER_BACK_OFFICE')")
     public ResponseEntity<Object> readEditedPreviousJson(
             @RequestParam("questionnaireId") String questionnaireId,
             @RequestParam("mode") Mode mode,
@@ -77,7 +77,7 @@ public ResponseEntity<Object> readEditedPreviousJson(
 
     @Operation(summary = "Add edited external json file")
     @PostMapping(path = "/external/json")
-    @PreAuthorize("hasAnyRole('USER_PLATINE','SCHEDULER')")
+    @PreAuthorize("hasAnyRole('USER_PLATINE','SCHEDULER','USER_BACK_OFFICE')")
     public ResponseEntity<Object> readEditedExternalJson(
             @RequestParam("questionnaireId") String questionnaireId,
             @RequestParam("mode") Mode mode,

src/main/resources/application-test-cucumber.properties

@@ -5,6 +5,7 @@ fr.insee.genesis.sourcefolder.specifications = /data/genesis
 app.role.admin.claims=administrateur_traiter
 app.role.user-kraftwerk.claims=utilisateur_Kraftwerk
 app.role.user-platine.claims=utilisateur_Platine
+app.role.user-back-office.claims=utilisateur_Back_Office
 app.role.reader.claims=lecteur_traiter
 app.role.collect-platform.claims=protools
 app.role.scheduler.claims=scheduler_traiter

src/main/resources/application-test.properties

@@ -5,6 +5,7 @@ fr.insee.genesis.sourcefolder.specifications = /data/genesis
 app.role.admin.claims=administrateur_traiter
 app.role.user-kraftwerk.claims=utilisateur_Kraftwerk
 app.role.user-platine.claims=utilisateur_Platine
+app.role.user-back-office.claims=utilisateur_Back_Office
 app.role.reader.claims=lecteur_traiter
 app.role.collect-platform.claims=protools
 app.role.scheduler.claims=scheduler_traiter

src/test/java/fr/insee/genesis/controller/rest/ControllerAccessTest.java

@@ -11,12 +11,14 @@
 import fr.insee.genesis.infrastructure.repository.RundeckExecutionDBRepository;
 import fr.insee.genesis.infrastructure.repository.SurveyUnitMongoDBRepository;
 import fr.insee.genesis.infrastructure.repository.VariableTypeMongoDBRepository;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.data.mongo.MongoDataAutoConfiguration;
 import org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration;
@@ -30,13 +32,15 @@
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 
+import java.util.HashMap;
 import java.util.stream.Stream;
 
 import static org.hamcrest.Matchers.oneOf;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.doNothing;
 import static org.springframework.http.HttpMethod.GET;
 import static org.springframework.http.HttpMethod.POST;
+import static org.springframework.http.HttpMethod.PUT;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -51,6 +55,12 @@
 @EnableAutoConfiguration(exclude = {MongoAutoConfiguration.class, MongoDataAutoConfiguration.class})
 class ControllerAccessTest {
 
+    // Constants for user roles
+    // JWT claim properties loaded from application properties
+    @Value("${fr.insee.genesis.security.token.oidc-claim-role}")
+    private String claimRoleDotRoles;
+    @Value("${fr.insee.genesis.security.token.oidc-claim-username}")
+    private String claimName;
     @Autowired
     private MockMvc mockMvc; // Simulates HTTP requests to the REST endpoints
 
@@ -108,6 +118,15 @@ private static Stream<Arguments> responseEndpoint() {
         );
     }
 
+    private static Stream<Arguments> backOfficeEndpointProd() {
+        return Stream.of(
+                Arguments.of(PUT,"/lunatic-model/save?questionnaireId=TEST", new HashMap<>()),
+                Arguments.of(POST,"/edited/previous/json?questionnaireId=TEST&mode=WEB&jsonFileName=truc.json"),
+                Arguments.of(POST,"/edited/external/json?questionnaireId=TEST&mode=WEB&jsonFileName=truc.json"),
+                Arguments.of(PUT,"/context/review?partitionId=TEST")
+        );
+    }
+
     /**
      * Tests that users with the "ADMIN" role can access read-only endpoints.
      */
@@ -150,6 +169,42 @@ void platine_users_should_access_reader_allowed_services(String endpointURI) thr
                 .andExpect(status().is(oneOf(200,404)));
     }
 
+    /**
+     * Tests that users with the "USER_BACK_OFFICE" role can access read-only endpoints.
+     */
+    @ParameterizedTest
+    @MethodSource("backOfficeEndpointProd")
+    @DisplayName("Back office users should access prod services")
+    void back_office_users_should_access_prod_services(HttpMethod method, String endpointURI) throws Exception {
+        switch (method.name()){
+            case "PUT" -> mockMvc.perform(
+                            put(endpointURI).with(
+                                    jwt().authorities(new SimpleGrantedAuthority("ROLE_USER_BACK_OFFICE")))
+                    )
+                    .andExpect(status().is(oneOf(200,400,404)));
+            case "POST" -> mockMvc.perform(
+                            post(endpointURI).with(
+                                    jwt().authorities(new SimpleGrantedAuthority("ROLE_USER_BACK_OFFICE")))
+                    )
+                    .andExpect(status().is(oneOf(200,400,404)));
+            default -> Assertions.fail("Method %s not supported".formatted(method.name()));
+        }
+    }
+
+    /**
+     * Tests that users with the "USER_BACK_OFFICE" role can access read-only endpoints.
+     */
+    @ParameterizedTest
+    @MethodSource("endpointsReader")
+    @DisplayName("Back office users should access reader-allowed services")
+    void back_office_users_should_access_reader_allowed_services(String endpointURI) throws Exception {
+        mockMvc.perform(
+                        get(endpointURI).with(
+                                jwt().authorities(new SimpleGrantedAuthority("ROLE_USER_BACK_OFFICE")))
+                )
+                .andExpect(status().is(oneOf(200,400,404)));
+    }
+
     /**
      * Tests that users with the "READER" role can access read-only endpoints.
      */
@@ -269,6 +324,4 @@ void invalid_roles_should_access_schedules_services() throws Exception {
                 jwt().authorities(new SimpleGrantedAuthority("ROLE_invalid"))))
                 .andExpect(status().isForbidden());
     }
-
-
 }