fix: allow elevated access for provisioner role (#5394)

paullatzelsperger · web-flow · commit 910fb7260e49 · 2025-12-03T11:55:40.000+01:00
diff --git a/extensions/common/auth/auth-authorization-oauth2-lib/src/main/java/org/eclipse/edc/api/authorization/service/AuthorizationServiceImpl.java b/extensions/common/auth/auth-authorization-oauth2-lib/src/main/java/org/eclipse/edc/api/authorization/service/AuthorizationServiceImpl.java
@@ -46,7 +46,7 @@ public ServiceResult<Void> authorize(SecurityContext securityContext, String res
             return ServiceResult.notFound("No Resource of type '%s' with ID '%s' was found for owner '%s'.".formatted(resourceClass, resourceId, resourceOwnerId));
         }
 
-        if (securityContext.isUserInRole(ParticipantPrincipal.ROLE_ADMIN)) {
+        if (securityContext.isUserInRole(ParticipantPrincipal.ROLE_ADMIN) || securityContext.isUserInRole(ParticipantPrincipal.ROLE_PROVISIONER)) {
             return ServiceResult.success();
         }
 
diff --git a/extensions/common/auth/auth-authorization-oauth2-lib/src/test/java/org/eclipse/edc/api/authorization/service/AuthorizationServiceImplTest.java b/extensions/common/auth/auth-authorization-oauth2-lib/src/test/java/org/eclipse/edc/api/authorization/service/AuthorizationServiceImplTest.java
@@ -18,12 +18,16 @@
 import org.eclipse.edc.participantcontext.spi.types.AbstractParticipantResource;
 import org.eclipse.edc.spi.result.ServiceFailure;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 
 import java.security.Principal;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.eclipse.edc.junit.assertions.AbstractResultAssert.assertThat;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
@@ -88,8 +92,9 @@ public String getParticipantContextId() {
                 .isFailed();
     }
 
-    @Test
-    void isAuthorized_whenRoleIsAdmin() {
+    @ParameterizedTest
+    @ValueSource(strings = { "admin", "provisioner" })
+    void isAuthorized_whenRoleIsElevated(String role) {
         authorizationService.addLookupFunction(TestResource.class, (owner, id) -> new AbstractParticipantResource() {
             @Override
             public String getParticipantContextId() {
@@ -100,13 +105,12 @@ public String getParticipantContextId() {
         when(principal.getName()).thenReturn("test-id");
         var securityContext = mock(SecurityContext.class);
         when(securityContext.getUserPrincipal()).thenReturn(principal);
-
-        when(securityContext.isUserInRole(eq("admin"))).thenReturn(true);
+        when(securityContext.isUserInRole(eq(role))).thenReturn(true);
 
         assertThat(authorizationService.authorize(securityContext, "test-id", "test-resource-id", TestResource.class))
                 .isSucceeded();
 
-        verify(securityContext).isUserInRole(eq("admin"));
+        verify(securityContext, atLeastOnce()).isUserInRole(anyString());
         verify(securityContext).getUserPrincipal();
         verifyNoMoreInteractions(securityContext);
     }

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ public ServiceResult<Void> authorize(SecurityContext securityContext, String res`
`46`	`46`	`return ServiceResult.notFound("No Resource of type '%s' with ID '%s' was found for owner '%s'.".formatted(resourceClass, resourceId, resourceOwnerId));`
`47`	`47`	`}`
`48`	`48`
`49`		`- if (securityContext.isUserInRole(ParticipantPrincipal.ROLE_ADMIN)) {`
	`49`	`+ if (securityContext.isUserInRole(ParticipantPrincipal.ROLE_ADMIN) \|\| securityContext.isUserInRole(ParticipantPrincipal.ROLE_PROVISIONER)) {`
`50`	`50`	`return ServiceResult.success();`
`51`	`51`	`}`
`52`	`52`