From 56e11177ec0272153f50ca8c1c7f06f91ee2d225 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vincent=20Membr=C3=A9?= Date: Thu, 16 May 2024 23:44:35 +0200 Subject: [PATCH] Fixes #24872: Rework api authorization models --- .../rudder/rest/ApiDatastructures.scala | 4 +- .../rudder/rest/EndpointsDefinition.scala | 250 +++++++++++++++--- .../rudder/rest/RoleApiMapping.scala | 157 +---------- .../rudder/rest/lift/UserManagementApi.scala | 18 +- .../com/normation/rudder/MockServices.scala | 4 +- .../normation/rudder/rest/RestTestSetUp.scala | 2 +- .../main/scala/bootstrap/liftweb/Boot.scala | 5 +- .../bootstrap/liftweb/RudderConfig.scala | 2 +- 8 files changed, 246 insertions(+), 196 deletions(-) diff --git a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/ApiDatastructures.scala b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/ApiDatastructures.scala index d5854ba5929..8836ae0b549 100644 --- a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/ApiDatastructures.scala +++ b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/ApiDatastructures.scala @@ -226,8 +226,8 @@ trait EndpointSchema { // data container name: the expected object key in answer def dataContainer: Option[String] - // any authorization that allows to access that API - by default, admin.write - def authz: List[AuthorizationType] = List(AuthorizationType.Administration.Write) + // any authorization that allows to access that API + def authz: List[AuthorizationType] } trait EndpointSchema0 extends EndpointSchema { diff --git a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/EndpointsDefinition.scala b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/EndpointsDefinition.scala index 5c31cd378a2..400eba1973a 100644 --- a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/EndpointsDefinition.scala 
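Review bot: The now-abstract `authz` in `EndpointSchema` does not say how an empty list is treated, and with the admin-only default removed an empty list is the one way left to declare an endpoint without a required right. Dropping the default is a sound fail-closed step, since a forgotten declaration becomes a compile error. The enforcement code is outside this hunk, though, so it cannot be confirmed here whether `Nil` denies or admits every caller. I would extend the comment to something like `// rights granting access: holding any one of them is enough; an empty list must deny all callers` and check that the authorization check behaves that way. The trait body continues past the end of the hunk.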
+++ b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/EndpointsDefinition.scala @@ -37,6 +37,7 @@ package com.normation.rudder.rest +import com.normation.rudder.AuthorizationType import com.normation.rudder.api.HttpAction.* import com.normation.rudder.rest.EndpointSchema.syntax.* import enumeratum.* 
@@ -68,61 +69,71 @@ object CampaignApi extends Enum[CampaignApi] with ApiModuleProvider[Campai val z: Int = implicitly[Line].value val description = "Get all campaigns" val (action, path) = GET / "campaigns" - val dataContainer: Some[String] = Some("campaigns") + val dataContainer: Some[String] = Some("campaigns") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil } case object GetCampaignEvents extends CampaignApi with ZeroParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all campaigns events" val (action, path) = GET / "campaigns" / "events" - val dataContainer: Some[String] = Some("campaignEvents") + val dataContainer: Some[String] = Some("campaignEvents") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil } case object GetCampaignEventDetails extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a campaigns events details" val (action, path) = GET / "campaigns" / "events" / "{id}" - val dataContainer: Some[String] = Some("campaignEvents") + val dataContainer: Some[String] = Some("campaignEvents") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil } case object SaveCampaign extends CampaignApi with ZeroParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Save a campaign" val (action, path) = POST / "campaigns" - val dataContainer: Some[String] = Some("campaigns") + val dataContainer: Some[String] = Some("campaigns") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Write :: Nil } case object ScheduleCampaign extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Schedule an event for a campaign" val (action, path) = POST / "campaigns" / "{id}" / "schedule" - val dataContainer: Some[String] = 
Some("campaigns") + val dataContainer: Some[String] = Some("campaigns") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Write :: Nil } case object GetCampaignDetails extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a campaign" val (action, path) = GET / "campaigns" / "{id}" - val dataContainer: Some[String] = Some("campaigns") + val dataContainer: Some[String] = Some("campaigns") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil } case object DeleteCampaign extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete a campaign" val (action, path) = DELETE / "campaigns" / "{id}" - val dataContainer: Option[String] = None + val dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Write :: Nil } case object GetCampaignEventsForModel extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Get events for a campaign" val (action, path) = GET / "campaigns" / "{id}" / "events" - val dataContainer: Some[String] = Some("campaignEvents") + val dataContainer: Some[String] = Some("campaignEvents") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil } case object SaveCampaignEvent extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Save a campaign event" val (action, path) = POST / "campaigns" / "events" / "{id}" - val dataContainer: Some[String] = Some("campaignEvents") + val dataContainer: Some[String] = Some("campaignEvents") + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Write :: Nil } case object DeleteCampaignEvent extends CampaignApi with OneParam with StartsAtVersion16 with SortIndex { val z: Int = 
implicitly[Line].value val description = "Delete a campaign event" val (action, path) = DELETE / "campaigns" / "events" / "{id}" - val dataContainer: Option[String] = None + val dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil } def endpoints: List[CampaignApi] = values.toList.sortBy(_.z) 
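Review bot: `DeleteCampaignEvent` is a `DELETE` on `campaigns/events/{id}` but is gated by `AuthorizationType.Configuration.Read`, so an account holding only the configuration read right could remove campaign events. Every other mutating endpoint in this hunk (`SaveCampaign`, `ScheduleCampaign`, `DeleteCampaign`, `SaveCampaignEvent`) requires `Configuration.Write`, which points to a copy-paste slip. The line should read `val authz: List[AuthorizationType] = AuthorizationType.Configuration.Write :: Nil`. A unit test asserting that no `DELETE` endpoint lists only a `Read` right would catch this kind of mistake as more endpoints are added.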
@@ -136,52 +147,60 @@ object ComplianceApi extends Enum[ComplianceApi] with ApiModuleProvider[Co val z: Int = implicitly[Line].value val description = "Get compliance information for all rules" val (action, path) = GET / "compliance" / "rules" - val dataContainer: Some[String] = Some("rules") + val dataContainer: Some[String] = Some("rules") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetRulesComplianceId extends ComplianceApi with GeneralApi with OneParam with StartsAtVersion7 with SortIndex { val z: Int = implicitly[Line].value val description = "Get compliance information for the given rule" val (action, path) = GET / "compliance" / "rules" / "{id}" - val dataContainer: Some[String] = Some("rules") + val dataContainer: Some[String] = Some("rules") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetNodesCompliance extends ComplianceApi with GeneralApi with ZeroParam with StartsAtVersion7 with SortIndex { val z: Int = implicitly[Line].value val description = "Get compliance information for all nodes" val (action, path) = GET / "compliance" / "nodes" - val dataContainer: Some[String] = Some("nodes") + val dataContainer: Some[String] = Some("nodes") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetNodeSystemCompliance extends ComplianceApi with InternalApi with OneParam with StartsAtVersion7 with SortIndex { val z: Int = implicitly[Line].value val description = "Get compliance information for the given node" val (action, path) = GET / "compliance" / "nodes" / "{id}" / "system" - val dataContainer: Some[String] = Some("nodes") + val dataContainer: Some[String] = Some("nodes") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetNodeComplianceId extends ComplianceApi with GeneralApi with OneParam with StartsAtVersion7 with SortIndex { val z: Int = implicitly[Line].value val 
description = "Get compliance information for the given node" val (action, path) = GET / "compliance" / "nodes" / "{id}" - val dataContainer: Some[String] = Some("nodes") + val dataContainer: Some[String] = Some("nodes") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetGlobalCompliance extends ComplianceApi with GeneralApi with ZeroParam with StartsAtVersion10 with SortIndex { val z: Int = implicitly[Line].value val description = "Get the global compliance (alike what one has on Rudder main dashboard)" val (action, path) = GET / "compliance" - val dataContainer: Some[String] = Some("globalCompliance") + val dataContainer: Some[String] = Some("globalCompliance") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetDirectiveComplianceId extends ComplianceApi with GeneralApi with OneParam with StartsAtVersion17 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a directive's compliance" val (action, path) = GET / "compliance" / "directives" / "{id}" - val dataContainer: Some[String] = Some("directiveCompliance") + val dataContainer: Some[String] = Some("directiveCompliance") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetDirectivesCompliance extends ComplianceApi with GeneralApi with ZeroParam with StartsAtVersion17 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all directive's compliance" val (action, path) = GET / "compliance" / "directives" - val dataContainer: Some[String] = Some("directivesCompliance") + val dataContainer: Some[String] = Some("directivesCompliance") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetNodeGroupComplianceSummary 
@@ -189,14 +208,16 @@ object ComplianceApi extends Enum[ComplianceApi] with ApiModuleProvider[Co val z = implicitly[Line].value val description = "Get a node group's compliance summary" val (action, path) = GET / "compliance" / "summary" / "groups" - val dataContainer: Some[String] = Some("groupCompliance") + val dataContainer: Some[String] = Some("groupCompliance") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetNodeGroupComplianceId extends ComplianceApi with GeneralApi with OneParam with StartsAtVersion17 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a node group's global compliance" val (action, path) = GET / "compliance" / "groups" / "{id}" - val dataContainer: Some[String] = Some("groupCompliance") + val dataContainer: Some[String] = Some("groupCompliance") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } case object GetNodeGroupComplianceTargetId @@ -204,7 +225,8 @@ object ComplianceApi extends Enum[ComplianceApi] with ApiModuleProvider[Co val z: Int = implicitly[Line].value val description = "Get a node group's targeted compliance" val (action, path) = GET / "compliance" / "groups" / "{id}" / "target" - val dataContainer: Some[String] = Some("groupCompliance") + val dataContainer: Some[String] = Some("groupCompliance") + val authz: List[AuthorizationType] = AuthorizationType.Compliance.Read :: Nil } def endpoints: List[ComplianceApi] = values.toList.sortBy(_.z) 
@@ -221,41 +243,49 @@ object GroupApi extends Enum[GroupApi] with ApiModuleProvider[GroupApi] { val z: Int = implicitly[Line].value val description = "List all groups with their information" val (action, path) = GET / "groups" + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } case object CreateGroup extends GroupApi with GeneralApi with ZeroParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Create a new group" val (action, path) = PUT / "groups" + val authz: List[AuthorizationType] = AuthorizationType.Group.Write :: Nil } case object GetGroupTree extends GroupApi with GeneralApi with ZeroParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "List all group categories and group in a tree format" val (action, path) = GET / "groups" / "tree" + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } case object GroupDetails extends GroupApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about the given group" val (action, path) = GET / "groups" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } case object DeleteGroup extends GroupApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete given group" val (action, path) = DELETE / "groups" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Group.Write :: Nil } case object UpdateGroup extends GroupApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Update given group" val (action, path) = POST / "groups" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Group.Write :: AuthorizationType.Group.Edit :: Nil } case object ReloadGroup extends GroupApi with GeneralApi with OneParam 
with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Update given dynamic group node list" val (action, path) = GET / "groups" / "{id}" / "reload" + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } case object GroupInheritedProperties extends GroupApi with GeneralApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all proporeties for that group, included inherited ones" val (action, path) = GET / "groups" / "{id}" / "inheritedProperties" + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } // API v5 updates 'Create' methods but no new endpoints // API v6 
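Review bot: `ReloadGroup` is described as "Update given dynamic group node list" yet is granted to `AuthorizationType.Group.Read`, so a read-only account can trigger a recomputation of group membership. The handler is not visible in this hunk; if the reload persists the new node list, it is a state change and should require `AuthorizationType.Group.Write :: AuthorizationType.Group.Edit :: Nil`, as `UpdateGroup` does. If read access is intended, a short comment on the `authz` line saying so would keep it from reading as an oversight in later audits.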
@@ -266,30 +296,36 @@ object GroupApi extends Enum[GroupApi] with ApiModuleProvider[GroupApi] { val description = "Get all proporeties for that group, included inherited ones, for displaying in group property tab (internal)" val (action, path) = GET / "groups" / "{id}" / "displayInheritedProperties" + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } case object GetGroupCategoryDetails extends GroupApi with GeneralApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about the given group category" val (action, path) = GET / "groups" / "categories" / "{id}" override def dataContainer: Some[String] = Some("groupCategories") + + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } case object DeleteGroupCategory extends GroupApi with GeneralApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete given group category" val (action, path) = DELETE / "groups" / "categories" / "{id}" - override def dataContainer: Some[String] = Some("groupCategories") + override def dataContainer: Some[String] = Some("groupCategories") + val authz: List[AuthorizationType] = AuthorizationType.Group.Write :: Nil } case object UpdateGroupCategory extends GroupApi with GeneralApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Update information for given group category" val (action, path) = POST / "groups" / "categories" / "{id}" - override def dataContainer: Some[String] = Some("groupCategories") + override def dataContainer: Some[String] = Some("groupCategories") + val authz: List[AuthorizationType] = AuthorizationType.Group.Write :: AuthorizationType.Group.Edit :: Nil } case object CreateGroupCategory extends GroupApi with GeneralApi with ZeroParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Create a 
new group category" val (action, path) = PUT / "groups" / "categories" - override def dataContainer: Some[String] = Some("groupCategories") + override def dataContainer: Some[String] = Some("groupCategories") + val authz: List[AuthorizationType] = AuthorizationType.Group.Write :: Nil } def endpoints: List[GroupApi] = values.toList.sortBy(_.z) 
@@ -306,41 +342,49 @@ object DirectiveApi extends Enum[DirectiveApi] with ApiModuleProvider[Dire val z: Int = implicitly[Line].value val description = "List all directives" val (action, path) = GET / "directives" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Read :: Nil } case object DirectiveTree extends DirectiveApi with ZeroParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get Directive tree" val (action, path) = GET / "directives" / "tree" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Read :: Nil } case object DirectiveDetails extends DirectiveApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about given directive" val (action, path) = GET / "directives" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Read :: Nil } case object DirectiveRevisions extends DirectiveApi with OneParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get revisions for given directive" val (action, path) = GET / "directives" / "{id}" / "revisions" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Read :: Nil } case object CreateDirective extends DirectiveApi with ZeroParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Create a new directive or clone an existing one" val (action, path) = PUT / "directives" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Write :: Nil } case object DeleteDirective extends DirectiveApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete given directive" val (action, path) = DELETE / "directives" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Write :: Nil } case object CheckDirective extends DirectiveApi with OneParam with StartsAtVersion2 
with SortIndex { val z: Int = implicitly[Line].value val description = "Check if the given directive can be migrated to target technique version" val (action, path) = POST / "directives" / "{id}" / "check" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Write :: Nil } case object UpdateDirective extends DirectiveApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Update given directive information" val (action, path) = POST / "directives" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Directive.Write :: AuthorizationType.Directive.Edit :: Nil } def endpoints: List[DirectiveApi] = values.toList.sortBy(_.z) 
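Review bot: `CheckDirective` requires `AuthorizationType.Directive.Write` alone, while `UpdateDirective` in the same hunk accepts `Directive.Write :: Directive.Edit`. An account holding only the edit right can therefore modify a directive but cannot run the migration check for it, which looks unintended for an endpoint that only checks. Either use `AuthorizationType.Directive.Write :: AuthorizationType.Directive.Edit :: Nil` here, or add a comment explaining why the check is stricter than the update.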
@@ -357,64 +401,75 @@ object NodeApi extends Enum[NodeApi] with ApiModuleProvider[NodeApi] { val z: Int = implicitly[Line].value val description = "List all accepted nodes with configurable details level" val (action, path) = GET / "nodes" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object GetNodesStatus extends NodeApi with GeneralApi with ZeroParam with StartsAtVersion13 with SortIndex { val z: Int = implicitly[Line].value val description = "Get the status (pending, accepted, unknown) of the comma separated list of nodes given by `ids` parameter" val (action, path) = GET / "nodes" / "status" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object ListPendingNodes extends NodeApi with GeneralApi with ZeroParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "List all pending nodes with configurable details level" val (action, path) = GET / "nodes" / "pending" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object PendingNodeDetails extends NodeApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about the given pending node" val (action, path) = GET / "nodes" / "pending" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object NodeDetails extends NodeApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about the given accepted node" val (action, path) = GET / "nodes" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object NodeInheritedProperties extends NodeApi with GeneralApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all properties for that node, included inherited ones" val (action, path) = 
GET / "nodes" / "{id}" / "inheritedProperties" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object NodeGlobalScore extends NodeApi with InternalApi with OneParam with StartsAtVersion19 with SortIndex { val z: Int = implicitly[Line].value val description = "Get global score for a Node" val (action, path) = GET / "nodes" / "{id}" / "score" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object NodeScoreDetails extends NodeApi with InternalApi with OneParam with StartsAtVersion19 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all score details for a Node" val (action, path) = GET / "nodes" / "{id}" / "score" / "details" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object NodeScoreDetail extends NodeApi with InternalApi with TwoParam with StartsAtVersion19 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a score details for a Node" val (action, path) = GET / "nodes" / "{id}" / "score" / "details" / "{name}" - override def dataContainer: Some[String] = Some("score") + override def dataContainer: Some[String] = Some("score") + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object ApplyPolicyAllNodes extends NodeApi with GeneralApi with ZeroParam with StartsAtVersion8 with SortIndex { val z: Int = implicitly[Line].value val description = "Ask all nodes to start a run with the given policy" val (action, path) = POST / "nodes" / "applyPolicy" + val authz: List[AuthorizationType] = AuthorizationType.Node.Write :: Nil } case object ChangePendingNodeStatus extends NodeApi with GeneralApi with ZeroParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val 
description = "Accept or refuse pending nodes" val (action, path) = POST / "nodes" / "pending" + val authz: List[AuthorizationType] = AuthorizationType.Node.Write :: Nil } // WARNING: read_only user can access this endpoint 
@@ -425,47 +480,56 @@ object NodeApi extends Enum[NodeApi] with ApiModuleProvider[NodeApi] { val z: Int = implicitly[Line].value val description = "Get all properties for that node, included inherited ones, for displaying in node property tab (internal)" val (action, path) = GET / "nodes" / "{id}" / "displayInheritedProperties" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object NodeDetailsTable extends NodeApi with InternalApi with ZeroParam with StartsAtVersion13 with SortIndex { val z: Int = implicitly[Line].value val description = "Getting data to build a Node table" val (action, path) = POST / "nodes" / "details" + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } case object NodeDetailsSoftware extends NodeApi with InternalApi with OneParam with StartsAtVersion13 with SortIndex { val z: Int = implicitly[Line].value val description = "Getting a software version for a set of Nodes" val (action, path) = POST / "nodes" / "details" / "software" / "{software}" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object NodeDetailsProperty extends NodeApi with InternalApi with OneParam with StartsAtVersion13 with SortIndex { val z: Int = implicitly[Line].value val description = "Getting a property value for a set of Nodes" val (action, path) = POST / "nodes" / "details" / "property" / "{property}" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object UpdateNode extends NodeApi with GeneralApi with OneParam with StartsAtVersion5 with SortIndex { val z: Int = implicitly[Line].value val description = "Update given node information (node properties, policy mode...)" val (action, path) = POST / "nodes" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Node.Edit :: AuthorizationType.Node.Write :: Nil } case object DeleteNode extends NodeApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = 
implicitly[Line].value val description = "Delete given node" val (action, path) = DELETE / "nodes" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Node.Write :: Nil } case object ChangePendingNodeStatus2 extends NodeApi with GeneralApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value override val name = "ChangePendingNodeStatus" val description = "Accept or refuse given pending node" val (action, path) = POST / "nodes" / "pending" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Node.Write :: Nil } case object ApplyPolicy extends NodeApi with GeneralApi with OneParam with StartsAtVersion8 with SortIndex { val z: Int = implicitly[Line].value val description = "Ask given node to start a run with the given policy" val (action, path) = POST / "nodes" / "{id}" / "applyPolicy" + val authz: List[AuthorizationType] = AuthorizationType.Node.Write :: Nil } case object CreateNodes extends NodeApi with GeneralApi with ZeroParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Create one of more new nodes" val (action, path) = PUT / "nodes" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } def endpoints: List[NodeApi] = values.toList.sortBy(_.z) 
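Review bot: `NodeDetailsTable` is the only `NodeApi` endpoint in this hunk gated by `AuthorizationType.Group.Read`; its siblings `NodeDetailsSoftware` and `NodeDetailsProperty` use `Node.Read`. Assuming the list is matched as "any of", an account with group read rights but no node rights can fetch the node table data, while an account with only `Node.Read` cannot. If this is a slip, the line should be `val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil`. If the group pages need this endpoint, list both rights and say why in a comment.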
@@ -481,12 +545,14 @@ object ChangesApi extends Enum[ChangesApi] with ApiModuleProvider[ChangesA val z: Int = implicitly[Line].value val description = "Get changes for all Rules over the last 3 days (internal)" val (action, path) = GET / "changes" + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } case object GetRuleRepairedReports extends ChangesApi with OneParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all repaired report for a Rule in a interval of time specified as parameter(internal)" val (action, path) = GET / "changes" / "{ruleId}" + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } def endpoints: List[ChangesApi] = values.toList.sortBy(_.z) 
@@ -502,26 +568,31 @@ object ParameterApi extends Enum[ParameterApi] with ApiModuleProvider[Para val z: Int = implicitly[Line].value val description = "List all global parameters" val (action, path) = GET / "parameters" + val authz: List[AuthorizationType] = AuthorizationType.Parameter.Read :: Nil } case object CreateParameter extends ParameterApi with ZeroParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Create a new parameter" val (action, path) = PUT / "parameters" + val authz: List[AuthorizationType] = AuthorizationType.Parameter.Write :: Nil } case object ParameterDetails extends ParameterApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about the given parameter" val (action, path) = GET / "parameters" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Parameter.Read :: Nil } case object DeleteParameter extends ParameterApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete given parameter" val (action, path) = DELETE / "parameters" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Parameter.Write :: Nil } case object UpdateParameter extends ParameterApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Update information about given parameter" val (action, path) = POST / "parameters" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Parameter.Write :: AuthorizationType.Parameter.Edit :: Nil } def endpoints: List[ParameterApi] = values.toList.sortBy(_.z) 
@@ -537,43 +608,51 @@ object SettingsApi extends Enum[SettingsApi] with ApiModuleProvider[Settin val z: Int = implicitly[Line].value val description = "Get information about all Rudder settings" val (action, path) = GET / "settings" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object GetAllAllowedNetworks extends SettingsApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "List all allowed networks" val (action, path) = GET / "settings" / "allowed_networks" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object GetAllowedNetworks extends SettingsApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "List all allowed networks for one relay" val (action, path) = GET / "settings" / "allowed_networks" / "{nodeId}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object ModifyAllowedNetworks extends SettingsApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Update all allowed networks for one relay" val (action, path) = POST / "settings" / "allowed_networks" / "{nodeId}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: AuthorizationType.Administration.Edit :: Nil } case object ModifyDiffAllowedNetworks extends SettingsApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Modify some allowed networks for one relay with a diff structure" val (action, path) = POST / "settings" / "allowed_networks" / "{nodeId}" / "diff" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: AuthorizationType.Administration.Edit :: Nil } case object GetSetting extends SettingsApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val 
description = "Get information about given Rudder setting" val (action, path) = GET / "settings" / "{key}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object ModifySettings extends SettingsApi with ZeroParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Update Rudder settings" val (action, path) = POST / "settings" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: AuthorizationType.Administration.Edit :: Nil } case object ModifySetting extends SettingsApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Update given Rudder setting" val (action, path) = POST / "settings" / "{key}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: AuthorizationType.Administration.Edit :: Nil } def endpoints: List[SettingsApi] = values.toList.sortBy(_.z) @@ -590,11 +669,13 @@ object PluginApi extends Enum[PluginApi] with ApiModuleProvider[PluginApi] val z: Int = implicitly[Line].value val description = "List plugin system settings" val (action, path) = GET / "plugins" / "settings" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object UpdatePluginsSettings extends PluginApi with ZeroParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Update plugin system settings" val (action, path) = POST / "plugins" / "settings" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: AuthorizationType.Administration.Edit :: Nil } def endpoints: List[PluginApi] = values.toList.sortBy(_.z) 
@@ -613,79 +694,94 @@ object TechniqueApi extends Enum[TechniqueApi] with ApiModuleProvider[TechniqueA val z: Int = implicitly[Line].value val description = "Get all Techniques metadata" val (action, path) = GET / "techniques" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object UpdateTechniques extends TechniqueApiPub with ZeroParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "reload techniques metadata from file system" val (action, path) = POST / "techniques" / "reload" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil } case object GetAllTechniqueCategories extends TechniqueApiPub with ZeroParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all technique categories" val (action, path) = GET / "techniques" / "categories" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object ListTechniques extends TechniqueApiPub with ZeroParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "List all techniques version" val (action, path) = GET / "techniques" / "versions" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object ListTechniquesDirectives extends TechniqueApiPub with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "List directives derived from given technique" val (action, path) = GET / "techniques" / "{name}" / "directives" - override def dataContainer: Some[String] = Some("directives") + override def dataContainer: Some[String] = Some("directives") + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object ListTechniqueDirectives extends TechniqueApiPub with TwoParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val 
description = "List directives derived from given technique for given version" val (action, path) = GET / "techniques" / "{name}" / "{version}" / "directives" - override def dataContainer: Some[String] = Some("directives") + override def dataContainer: Some[String] = Some("directives") + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object TechniqueRevisions extends TechniqueApiPub with TwoParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get revisions for given technique" val (action, path) = GET / "techniques" / "{name}" / "{version}" / "revisions" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object UpdateTechnique extends TechniqueApiPub with TwoParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Update technique created with technique editor" val (action, path) = POST / "techniques" / "{techniqueId}" / "{version}" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil } case object CreateTechnique extends TechniqueApiPub with ZeroParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Create a new technique in Rudder from a technique in the technique editor" val (action, path) = PUT / "techniques" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: Nil } case object DeleteTechnique extends TechniqueApiPub with TwoParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete a technique from technique editor" val (action, path) = DELETE / "techniques" / "{techniqueId}" / "{techniqueVersion}" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: Nil } case object GetResources extends TechniqueApiPub with TwoParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val 
description = "Get currently deployed resources of a technique" val (action, path) = GET / "techniques" / "{techniqueId}" / "{techniqueVersion}" / "resources" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object GetNewResources extends TechniqueApiPub with TwoParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get resources of a technique draft" val (action, path) = GET / "drafts" / "{techniqueId}" / "{techniqueVersion}" / "resources" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object CopyResourcesWhenCloning extends TechniqueApiPriv with TwoParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Copy resources from a technique to a technique draft" val (action, path) = POST / "drafts" / "{techniqueId}" / "{techniqueVersion}" / "resources" / "clone" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: Nil } case object GetTechniqueAllVersion extends TechniqueApiPub with OneParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all Techniques metadata" val (action, path) = GET / "techniques" / "{techniqueId}" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object GetTechnique extends TechniqueApiPub with TwoParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Get all Techniques metadata" val (action, path) = GET / "techniques" / "{techniqueId}" / "{techniqueVersion}" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } /* * Method are returned sorted alpha-numericaly 
@@ -694,16 +790,19 @@ object TechniqueApi extends Enum[TechniqueApi] with ApiModuleProvider[TechniqueA val z: Int = implicitly[Line].value val description = "Get all methods metadata" val (action, path) = GET / "methods" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Read :: Nil } case object UpdateMethods extends TechniqueApiPub with ZeroParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "reload methods metadata from file system" val (action, path) = POST / "methods" / "reload" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil } case object CheckTechnique extends TechniqueApiPub with ZeroParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Check if a techniques is valid yaml, with rudderc compilation, with various output (json ? yaml ?)" val (action, path) = POST / "techniques" / "check" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil } def endpoints: List[TechniqueApi] = values.toList.sortBy(_.z) 
@@ -720,57 +819,67 @@ object RuleApi extends Enum[RuleApi] with ApiModuleProvider[RuleApi] val z: Int = implicitly[Line].value val description = "List all rules with their information" val (action, path) = GET / "rules" + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } case object CreateRule extends RuleApi with ZeroParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Create a new rule" val (action, path) = PUT / "rules" + val authz: List[AuthorizationType] = AuthorizationType.Rule.Write :: Nil } // must be before rule details, else it is never reached case object GetRuleTree extends RuleApi with ZeroParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Get rule categories and rule structured in a tree format" val (action, path) = GET / "rules" / "tree" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } case object RuleDetails extends RuleApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about given rule" val (action, path) = GET / "rules" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } case object DeleteRule extends RuleApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete given rule" val (action, path) = DELETE / "rules" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Rule.Write :: Nil } case object UpdateRule extends RuleApi with OneParam with StartsAtVersion2 with SortIndex { val z: Int = implicitly[Line].value val description = "Update information about given rule" val (action, path) = POST / "rules" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Rule.Edit :: AuthorizationType.Rule.Write :: Nil } case 
object GetRuleCategoryDetails extends RuleApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about given rule category" val (action, path) = GET / "rules" / "categories" / "{id}" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } case object DeleteRuleCategory extends RuleApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete given category" val (action, path) = DELETE / "rules" / "categories" / "{id}" - override def dataContainer: Some[String] = Some("rulesCategories") + override def dataContainer: Some[String] = Some("rulesCategories") + val authz: List[AuthorizationType] = AuthorizationType.Rule.Write :: Nil } case object UpdateRuleCategory extends RuleApi with OneParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Update information about given rule category" val (action, path) = POST / "rules" / "categories" / "{id}" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Rule.Edit :: AuthorizationType.Rule.Write :: Nil } case object CreateRuleCategory extends RuleApi with ZeroParam with StartsAtVersion6 with SortIndex { val z: Int = implicitly[Line].value val description = "Create a new rule category" val (action, path) = PUT / "rules" / "categories" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Rule.Write :: Nil } // internal, because non definitive, API to load/unload a specific revision from git to ldap 
@@ -779,13 +888,16 @@ object RuleApi extends Enum[RuleApi] with ApiModuleProvider[RuleApi] val description = "Load a revision of a rule from config-repo to ldap, ready for next generation" val (action, path) = POST / "rules" / "revision" / "load" / "{id}" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.Rule.Write :: Nil } case object UnloadRuleRevisionForGeneration extends RuleApi with OneParam with StartsAtVersion14 with SortIndex { val z: Int = implicitly[Line].value val description = "Unload a revision of a rule from ldap, it will not be used in next generation. Only rule with a revision can be unloaded" val (action, path) = POST / "rules" / "revision" / "unload" / "{id}" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Rule.Write :: Nil } def endpoints: List[RuleApi] = values.toList.sortBy(_.z) @@ -802,7 +914,8 @@ object RuleInternalApi extends Enum[RuleInternalApi] with ApiModuleProvide val z: Int = implicitly[Line].value val description = "Get the list of nodes and directives of a rule" val (action, path) = GET / "rulesinternal" / "nodesanddirectives" / "{id}" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } // For group page @@ -810,7 +923,8 @@ object RuleInternalApi extends Enum[RuleInternalApi] with ApiModuleProvide val z: Int = implicitly[Line].value val description = "List all info of rules in a tree format" val (action, path) = GET / "rulesinternal" / "relatedtree" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Rule.Read :: Nil } def endpoints: List[RuleInternalApi] = values.toList.sortBy(_.z) 
@@ -827,7 +941,8 @@ object GroupInternalApi extends Enum[GroupInternalApi] with ApiModuleProvider[Gr val z: Int = implicitly[Line].value val description = "Get the tree of groups with bare minimum group information" val (action, path) = GET / "groupsinternal" / "categorytree" - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.Group.Read :: Nil } def endpoints: List[GroupInternalApi] = values.toList.sortBy(_.z) @@ -845,6 +960,7 @@ object ScoreApi extends Enum[ScoreApi] with ApiModuleProvider[ScoreApi] { val z: Int = implicitly[Line].value val description = "List all info of all available scores" val (action, path) = GET / "scores" / "list" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil override def dataContainer: Option[String] = None } @@ -861,18 +977,21 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "Get information about system installation (version, etc)" val (action, path) = GET / "system" / "info" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object Status extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Get Api status" val (action, path) = GET / "system" / "status" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object DebugInfo extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Launch the support info script and get the result" val (action, path) = GET / "system" / "debug" / "info" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } 
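Review bot: In the SystemApi hunk, `DebugInfo` (`GET /system/debug/info`, described as "Launch the support info script and get the result") is opened to `AuthorizationType.Administration.Read`, so an account with read-only administration rights can make the server run a script and retrieve its output. Support output usually carries configuration and log data, so it is worth confirming that read-level access is intended here. If it is not, `val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil` would put it alongside the other SystemApi endpoints that trigger work; if it is, a one-line comment on the entry recording the decision would help. The SystemApi object starts and ends outside this hunk.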
@@ -883,30 +1002,35 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "reload both techniques and dynamic groups" val (action, path) = POST / "system" / "reload" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object TechniquesReload extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "reload all techniques" // automatically done every 5 minutes val (action, path) = POST / "system" / "reload" / "techniques" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object DyngroupsReload extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "reload all dynamic groups" val (action, path) = POST / "system" / "reload" / "groups" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object PoliciesUpdate extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "update policies" val (action, path) = POST / "system" / "update" / "policies" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil } case object PoliciesRegenerate extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "regenerate all policies" val (action, path) = POST / "system" / "regenerate" / "policies" + val authz: List[AuthorizationType] = AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil } // Archive list endpoints 
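Review bot: `PoliciesUpdate` and `PoliciesRegenerate` are gated on `AuthorizationType.Technique.Write :: AuthorizationType.Technique.Edit :: Nil`, while the three reload endpoints just above them in this hunk require `AuthorizationType.Administration.Write`. As written, an account holding only technique edit rights can trigger a full policy regeneration through a `/system` path. If that mirrors the previous role mapping (not visible in this hunk), a comment such as `// policy generation is open to technique editors, not only administrators` on both entries would record the decision. Otherwise the list should probably be `AuthorizationType.Administration.Write :: Nil`, like its neighbours.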
@@ -915,30 +1039,35 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "list groups archives" val (action, path) = GET / "system" / "archives" / "groups" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchivesDirectivesList extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "list directives archives" val (action, path) = GET / "system" / "archives" / "directives" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object ArchivesRulesList extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "list rules archives" val (action, path) = GET / "system" / "archives" / "rules" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object ArchivesParametersList extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "list parameters archives" val (action, path) = GET / "system" / "archives" / "parameters" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object ArchivesFullList extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "list all archives" val (action, path) = GET / "system" / "archives" / "full" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } // Archive restore endpoints 
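Review bot: The first entry of this hunk (description "list groups archives", `GET /system/archives/groups`) gets `AuthorizationType.Administration.Write :: Nil`, whereas the four sibling list endpoints (directives, rules, parameters, full) get `AuthorizationType.Administration.Read :: Nil`. This looks like a copy-paste slip: a read-only administrator could list every archive kind except groups. Suggested line: `val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil`. The header line of that case object is outside the hunk.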
@@ -949,30 +1078,35 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "restore groups latest archive" val (action, path) = POST / "system" / "archives" / "groups" / "restore" / "latestArchive" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreDirectivesLatestArchive extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore directives latest archive" val (action, path) = POST / "system" / "archives" / "directives" / "restore" / "latestArchive" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreRulesLatestArchive extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore rules latest archive" val (action, path) = POST / "system" / "archives" / "rules" / "restore" / "latestArchive" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreParametersLatestArchive extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore parameters latest archive" val (action, path) = POST / "system" / "archives" / "parameters" / "restore" / "latestArchive" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreFullLatestArchive extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore all latest archive" val (action, path) = POST / "system" / "archives" / "full" / "restore" / "latestArchive" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } // Latest commit 
@@ -980,30 +1114,35 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "restore groups latest commit" val (action, path) = POST / "system" / "archives" / "groups" / "restore" / "latestCommit" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreDirectivesLatestCommit extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore directives latest commit" val (action, path) = POST / "system" / "archives" / "directives" / "restore" / "latestCommit" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreRulesLatestCommit extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore rules latest commit" val (action, path) = POST / "system" / "archives" / "rules" / "restore" / "latestCommit" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreParametersLatestCommit extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore parameters latest commit" val (action, path) = POST / "system" / "archives" / "parameters" / "restore" / "latestCommit" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object RestoreFullLatestCommit extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore full latest commit" val (action, path) = POST / "system" / "archives" / "full" / "restore" / "latestCommit" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } // Restore a particular entity base on its datetime 
@@ -1012,30 +1151,35 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "restore a group archive created on date passed as parameter" val (action, path) = POST / "system" / "archives" / "groups" / "restore" / "{dateTime}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveDirectiveDateRestore extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore a directive archive created on date passed as parameter" val (action, path) = POST / "system" / "archives" / "directives" / "restore" / "{dateTime}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveRuleDateRestore extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore a rule archive created on date passed as parameter" val (action, path) = POST / "system" / "archives" / "rules" / "restore" / "{dateTime}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveParameterDateRestore extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore a parameter archive created on date passed as parameter" val (action, path) = POST / "system" / "archives" / "parameters" / "restore" / "{dateTime}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveFullDateRestore extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "restore a full archive created on date passed as parameter" val (action, path) = POST / "system" / "archives" / "full" / "restore" / "{dateTime}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: 
Nil } // Archive endpoints @@ -1044,30 +1188,35 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "archive groups" val (action, path) = POST / "system" / "archives" / "groups" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveDirectives extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "archive directives" val (action, path) = POST / "system" / "archives" / "directives" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveRules extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "archive rules" val (action, path) = POST / "system" / "archives" / "rules" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveParameters extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "archive parameters" val (action, path) = POST / "system" / "archives" / "parameters" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object ArchiveFull extends SystemApi with ZeroParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "archive full" val (action, path) = POST / "system" / "archives" / "full" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } // ZIP Archive endpoints 
@@ -1076,30 +1225,35 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "Get a groups zip archive based on its commit id" val (action, path) = GET / "system" / "archives" / "groups" / "zip" / "{commitId}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object GetDirectivesZipArchive extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a directives zip archive based on its commit id" val (action, path) = GET / "system" / "archives" / "directives" / "zip" / "{commitId}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object GetRulesZipArchive extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a rules zip archive based on its commit id" val (action, path) = GET / "system" / "archives" / "rules" / "zip" / "{commitId}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object GetParametersZipArchive extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a parameters zip archive based on its commit id" val (action, path) = GET / "system" / "archives" / "parameters" / "zip" / "{commitId}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object GetAllZipArchive extends SystemApi with OneParam with StartsAtVersion11 with SortIndex { val z: Int = implicitly[Line].value val description = "Get a full zip archive based on its commit id" val (action, path) = GET / "system" / "archives" / "full" / "zip" / "{commitId}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } // Health check endpoints 
@@ -1109,12 +1263,14 @@ object SystemApi extends Enum[SystemApi] with ApiModuleProvider[SystemApi] val z: Int = implicitly[Line].value val description = "Result of a health check run" val (action, path) = GET / "system" / "healthcheck" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object PurgeSoftware extends SystemApi with ZeroParam with StartsAtVersion13 with SortIndex { val z: Int = implicitly[Line].value val description = "Trigger an async purge of softwares" val (action, path) = POST / "system" / "maintenance" / "purgeSoftware" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } def endpoints: List[SystemApi] = values.toList.sortBy(_.z) @@ -1131,18 +1287,21 @@ object InfoApi extends Enum[InfoApi] with ApiModuleProvider[InfoApi] val z: Int = implicitly[Line].value val description = "Get information about Rudder public API" val (action, path) = GET / "info" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object ApiInformations extends InfoApi with OneParam with StartsAtVersion10 with SortIndex { val z: Int = implicitly[Line].value val description = "Get detailed information about Rudder public API with the given name" val (action, path) = GET / "info" / "details" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } case object ApiSubInformations extends InfoApi with OneParam with StartsAtVersion10 with SortIndex { val z: Int = implicitly[Line].value val description = "Get information about Rudder public API starting with given path" val (action, path) = GET / "info" / "{id}" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } def endpoints: List[InfoApi] = values.toList.sortBy(_.z) 
@@ -1158,6 +1317,7 @@ object HookApi extends Enum[HookApi] with ApiModuleProvider[HookApi] val z: Int = implicitly[Line].value val description = "Get all hooks" val (action, path) = GET / "hooks" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Read :: Nil } def endpoints: List[HookApi] = values.toList.sortBy(_.z) @@ -1180,6 +1340,7 @@ object InventoryApi extends Enum[InventoryApi] with ApiModuleProvider[Inve val z: Int = implicitly[Line].value val description = "Get information about inventory current processing status" val (action, path) = GET / "inventories" / "info" + val authz: List[AuthorizationType] = AuthorizationType.Node.Read :: Nil } case object UploadInventory extends InventoryApi with ZeroParam with StartsAtVersion12 with SortIndex { 
@@ -1187,24 +1348,28 @@ object InventoryApi extends Enum[InventoryApi] with ApiModuleProvider[Inve val description = "Upload an inventory (parameter 'file' and its signature (parameter 'signature') with 'content-disposition:file' attachement format" val (action, path) = POST / "inventories" / "upload" + val authz: List[AuthorizationType] = AuthorizationType.Node.Edit :: AuthorizationType.Node.Write :: Nil } case object FileWatcherStart extends InventoryApi with ZeroParam with StartsAtVersion12 with SortIndex { val z: Int = implicitly[Line].value val description = "Start inventory file watcher (inotify)" val (action, path) = POST / "inventories" / "watcher" / "start" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object FileWatcherStop extends InventoryApi with ZeroParam with StartsAtVersion12 with SortIndex { val z: Int = implicitly[Line].value val description = "Stop inventory file watcher (inotify)" val (action, path) = POST / "inventories" / "watcher" / "stop" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } case object FileWatcherRestart extends InventoryApi with ZeroParam with StartsAtVersion12 with SortIndex { val z: Int = implicitly[Line].value val description = "Restart inventory file watcher (inotify)" val (action, path) = POST / "inventories" / "watcher" / "restart" + val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil } def values: IndexedSeq[InventoryApi] = findValues 
@@ -1226,22 +1391,26 @@ object UserApi extends Enum[UserApi] with ApiModuleProvider[UserApi] val z: Int = implicitly[Line].value val description = "Get information about user personal UserApi token" val (action, path) = GET / "user" / "api" / "token" + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Read :: Nil } case object CreateApiToken extends UserApi with ZeroParam with StartsAtVersion10 with SortIndex { val z: Int = implicitly[Line].value val description = "Create user personal UserApi token" val (action, path) = PUT / "user" / "api" / "token" + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } case object DeleteApiToken extends UserApi with ZeroParam with StartsAtVersion10 with SortIndex { val z: Int = implicitly[Line].value val description = "Delete user personal UserApi token" val (action, path) = DELETE / "user" / "api" / "token" + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } case object UpdateApiToken extends UserApi with ZeroParam with StartsAtVersion10 with SortIndex { val z: Int = implicitly[Line].value val description = "Update user personal UserApi token" val (action, path) = POST / "user" / "api" / "token" + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: AuthorizationType.UserAccount.Edit :: Nil } def endpoints: List[UserApi] = values.toList.sortBy(_.z) 
@@ -1270,11 +1439,14 @@ object ArchiveApi extends Enum[ArchiveApi] with ApiModuleProvider[ArchiveA val z: Int = implicitly[Line].value val description = "Export the list of objects with their dependencies in a policy archive" val (action, path) = GET / "archives" / "export" + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Read :: Nil + } - case object Import extends ArchiveApi with ZeroParam with StartsAtVersion16 with SortIndex { + case object Import extends ArchiveApi with ZeroParam with StartsAtVersion16 with SortIndex { val z: Int = implicitly[Line].value val description = "Import policy archive" val (action, path) = POST / "archives" / "import" + val authz: List[AuthorizationType] = AuthorizationType.Configuration.Write :: Nil } def endpoints: List[ArchiveApi] = values.toList.sortBy(_.z) diff --git a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/RoleApiMapping.scala b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/RoleApiMapping.scala index ee591f2fd52..60305f2ad96 100644 --- a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/RoleApiMapping.scala +++ b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/RoleApiMapping.scala @@ -40,7 +40,6 @@ package com.normation.rudder.rest import com.normation.rudder.AuthorizationType import com.normation.rudder.Rights import com.normation.rudder.Role -import com.normation.rudder.api.AclPathSegment import com.normation.rudder.api.ApiAclElement import com.normation.rudder.api.ApiAuthorization as ApiAuthz @@ -61,6 +60,7 @@ class AuthorizationMappingListEndpoint(endpoints: List[EndpointSchema]) extends override def mapAuthorization(authz: AuthorizationType): List[ApiAclElement] = { acls.get(authz).getOrElse(Nil) + } } 
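Review bot: `Export` and `Import` are opened to `Configuration.Read` and `Configuration.Write`, but the deleted `Core` mapping had no entry for `ArchiveApi`, so unless a mapper outside this patch covered them they previously fell back to the `EndpointSchema` default this commit removes, `AuthorizationType.Administration.Write`. In the deleted mapping `Configuration.*` expanded to parameter, technique, directive and rule rights only. If a policy archive can carry other object kinds (groups, for instance, which is not visible here), export would disclose and import would modify data those rights never covered. Either keep `val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil` on `Import`, or add a comment on both declarations stating which object kinds an archive may contain and why the Configuration rights are sufficient.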
@@ -73,14 +73,17 @@ class ExtensibleAuthorizationApiMapping(base: List[AuthorizationApiMapping]) ext private var mappers: List[AuthorizationApiMapping] = base def addMapper(mapper: AuthorizationApiMapping): Unit = { - // no need to add again and again the default mapper - it's ok, we have it. - if (mapper != AuthorizationApiMapping.OnlyAdmin) { - mappers = mappers :+ mapper - } + mappers = mappers :+ mapper } override def mapAuthorization(authz: AuthorizationType): List[ApiAclElement] = { - mappers.flatMap(_.mapAuthorization(authz)) + import AuthorizationType.* + authz match { + case NoRights => Nil + case AnyRights => ApiAuthz.allAuthz.acl + case _ => + mappers.flatMap(_.mapAuthorization(authz)) + } } } 
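Review bot: In `mapAuthorization`, the `case _` branch now takes every non-admin ACL from mappers registered through `addMapper`, and the `Core` mapper deleted in the next hunk held entries this model may not be able to express. There, `Node.Read` was granted `SettingsApi.GetSetting` only for the `global_policy_mode` and `global_policy_mode_overridable` path values, via `AuthzForApi.withValues`. A per-endpoint `authz: List[AuthorizationType]` either drops that access or opens every setting to `Node.Read`; the new declaration for `GetSetting` is not in this part of the patch, so please confirm which one happened. A short comment above `mappers`, for example `// core endpoint ACLs are registered at boot through addMapper; with no mapper only AnyRights yields any ACL`, would also record the new dependency.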
@@ -89,148 +92,6 @@ object AuthorizationApiMapping { def x: ApiAclElement = AuthzForApi(api) } - /* - * A default mapping for "only 'all rights' (ie admin) can access it - */ - case object OnlyAdmin extends AuthorizationApiMapping { - override def mapAuthorization(authz: AuthorizationType): List[ApiAclElement] = Nil - } - - /* - * The core authorization/api mapping, ie the authorization for Rudder - * default API. - */ - object Core extends AuthorizationApiMapping { - - override def mapAuthorization(authz: AuthorizationType): List[ApiAclElement] = { - import AuthorizationType.* - // shorthand to get authz for a given api - authz match { - case NoRights => Nil - case AnyRights => ApiAuthz.allAuthz.acl - // Administration is Rudder setting - - case Administration.Read => - SettingsApi.GetAllSettings.x :: SettingsApi.GetSetting.x :: SystemApi.ArchivesDirectivesList.x :: - SystemApi.ArchivesFullList.x :: SystemApi.ArchivesGroupsList.x :: SystemApi.ArchivesRulesList.x :: - SystemApi.GetAllZipArchive.x :: SystemApi.GetDirectivesZipArchive.x :: SystemApi.GetGroupsZipArchive.x :: - SystemApi.GetRulesZipArchive.x :: SystemApi.Info.x :: SystemApi.Status.x :: SystemApi.ArchivesParametersList.x :: - SystemApi.GetParametersZipArchive.x :: SystemApi.GetHealthcheckResult.x :: PluginApi.GetPluginsSettings.x :: - SettingsApi.GetAllowedNetworks.x :: SettingsApi.GetAllAllowedNetworks.x :: HookApi.GetHooks.x :: InfoApi.endpoints.map( - _.x - ) - case Administration.Write => - PluginApi.UpdatePluginsSettings.x :: SettingsApi.ModifySettings.x :: SettingsApi.ModifySetting.x :: - InventoryApi.FileWatcherRestart.x :: InventoryApi.FileWatcherStart.x :: InventoryApi.FileWatcherStop.x :: - NodeApi.CreateNodes.x :: SystemApi.endpoints.map(_.x) - case Administration.Edit => - PluginApi.UpdatePluginsSettings.x :: SettingsApi.ModifySettings.x :: SettingsApi.ModifySetting.x :: - SettingsApi.ModifyAllowedNetworks.x :: SettingsApi.ModifyDiffAllowedNetworks.x :: - Nil - - case Compliance.Read => - 
ComplianceApi.GetGlobalCompliance.x :: ComplianceApi.GetRulesCompliance.x :: ComplianceApi.GetRulesComplianceId.x :: - ComplianceApi.GetNodesCompliance.x :: ComplianceApi.GetNodeComplianceId.x :: ChangesApi.GetRuleRepairedReports.x :: - ChangesApi.GetRecentChanges.x :: ComplianceApi.GetDirectiveComplianceId.x :: ComplianceApi.GetNodeSystemCompliance.x :: - ComplianceApi.GetDirectivesCompliance.x :: ComplianceApi.GetNodeGroupComplianceId.x :: ComplianceApi.GetNodeGroupComplianceTargetId.x :: - ComplianceApi.GetNodeGroupComplianceSummary.x :: Nil - case Compliance.Write => Nil - case Compliance.Edit => Nil - - case Configuration.Read => - (Parameter.Read :: Technique.Read :: Directive.Read :: Rule.Read :: Nil).flatMap(c => mapAuthorization(c)) - case Configuration.Write => - (Parameter.Write :: Technique.Write :: Directive.Write :: Rule.Write :: Nil).flatMap(c => mapAuthorization(c)) - case Configuration.Edit => - (Parameter.Edit :: Technique.Edit :: Directive.Edit :: Rule.Edit :: Nil).flatMap(c => mapAuthorization(c)) - - case Deployment.Read => Nil - case Deployment.Write => Nil - case Deployment.Edit => Nil - - case Deployer.Read => Nil // ChangeRequestApi.ListChangeRequests.x :: ChangeRequestApi.ChangeRequestsDetails.x :: Nil - case Deployer.Write => Nil // ChangeRequestApi.DeclineRequestsDetails.x :: ChangeRequestApi.AcceptRequestsDetails.x :: Nil - case Deployer.Edit => Nil // ChangeRequestApi.UpdateRequestsDetails.x :: Nil - - case Parameter.Read => ParameterApi.ListParameters.x :: ParameterApi.ParameterDetails.x :: Nil - case Parameter.Write => ParameterApi.CreateParameter.x :: ParameterApi.DeleteParameter.x :: Nil - case Parameter.Edit => ParameterApi.UpdateParameter.x :: Nil - - case Directive.Read => - DirectiveApi.ListDirectives.x :: DirectiveApi.DirectiveDetails.x :: - DirectiveApi.DirectiveTree.x :: DirectiveApi.DirectiveRevisions.x :: - Nil - case Directive.Write => - DirectiveApi.CreateDirective.x :: DirectiveApi.DeleteDirective.x :: - 
DirectiveApi.CheckDirective.x :: Nil - case Directive.Edit => DirectiveApi.UpdateDirective.x :: Nil - - case Group.Read => - GroupApi.ListGroups.x :: GroupApi.GroupDetails.x :: GroupApi.GetGroupTree.x :: - GroupApi.GetGroupCategoryDetails.x :: GroupApi.GroupInheritedProperties.x :: - NodeApi.NodeDetailsTable.x :: GroupApi.GroupDisplayInheritedProperties.x :: - GroupInternalApi.GetGroupCategoryTree.x :: Nil - case Group.Write => - GroupApi.CreateGroup.x :: GroupApi.DeleteGroup.x :: GroupApi.ReloadGroup.x :: - GroupApi.DeleteGroupCategory.x :: GroupApi.CreateGroupCategory.x :: Nil - case Group.Edit => GroupApi.UpdateGroup.x :: GroupApi.UpdateGroupCategory.x :: Nil - - case Node.Read => - NodeApi.ListAcceptedNodes.x :: NodeApi.ListPendingNodes.x :: NodeApi.NodeDetails.x :: - NodeApi.NodeInheritedProperties.x :: NodeApi.NodeDisplayInheritedProperties.x :: NodeApi.NodeDetailsTable.x :: - NodeApi.PendingNodeDetails.x :: NodeApi.NodeDetailsSoftware.x :: NodeApi.NodeDetailsProperty.x :: - NodeApi.GetNodesStatus.x :: InventoryApi.QueueInformation.x :: - NodeApi.NodeGlobalScore.x :: NodeApi.NodeScoreDetail.x :: NodeApi.NodeScoreDetails.x :: - NodeApi.GetNodesStatus.x :: - // score about node - NodeApi.NodeGlobalScore.x :: NodeApi.NodeScoreDetails.x :: NodeApi.NodeScoreDetail.x :: - InventoryApi.QueueInformation.x :: - // node read also allows to read some settings - AuthzForApi.withValues(SettingsApi.GetSetting, AclPathSegment.Segment("global_policy_mode") :: Nil) :: - AuthzForApi.withValues(SettingsApi.GetSetting, AclPathSegment.Segment("global_policy_mode_overridable") :: Nil) :: - ScoreApi.GetScoreList.x :: - Nil - case Node.Write => - NodeApi.DeleteNode.x :: NodeApi.ChangePendingNodeStatus.x :: NodeApi.ChangePendingNodeStatus2.x :: - NodeApi.ApplyPolicyAllNodes.x :: NodeApi.ApplyPolicy.x :: Nil - case Node.Edit => NodeApi.UpdateNode.x :: InventoryApi.UploadInventory.x :: Nil - - case Rule.Read => - RuleApi.ListRules.x :: RuleApi.RuleDetails.x :: RuleApi.GetRuleTree.x :: 
- RuleApi.GetRuleCategoryDetails.x :: RuleInternalApi.GetRuleNodesAndDirectives.x :: - RuleInternalApi.GetGroupRelatedRules.x :: - Nil - case Rule.Write => - RuleApi.CreateRule.x :: RuleApi.DeleteRule.x :: RuleApi.CreateRuleCategory.x :: - RuleApi.DeleteRuleCategory.x :: RuleApi.LoadRuleRevisionForGeneration.x :: RuleApi.UnloadRuleRevisionForGeneration.x :: - Nil - case Rule.Edit => RuleApi.UpdateRule.x :: RuleApi.UpdateRuleCategory.x :: Nil - - case Technique.Read => - TechniqueApi.ListTechniques.x :: TechniqueApi.ListTechniquesDirectives.x :: - TechniqueApi.ListTechniqueDirectives.x :: TechniqueApi.TechniqueRevisions.x :: - TechniqueApi.GetMethods.x :: TechniqueApi.GetTechniques.x :: - TechniqueApi.GetAllTechniqueCategories.x :: TechniqueApi.GetResources.x :: TechniqueApi.GetNewResources.x :: - TechniqueApi.GetTechniqueAllVersion.x :: TechniqueApi.GetTechnique.x :: Nil - case Technique.Write => - TechniqueApi.CreateTechnique.x :: SystemApi.PoliciesUpdate.x :: SystemApi.PoliciesRegenerate.x :: - TechniqueApi.DeleteTechnique.x :: Nil - case Technique.Edit => - TechniqueApi.UpdateTechnique.x :: SystemApi.PoliciesUpdate.x :: SystemApi.PoliciesRegenerate.x :: - TechniqueApi.UpdateTechniques.x :: TechniqueApi.UpdateMethods.x :: Nil - - case UserAccount.Read => UserApi.GetApiToken.x :: Nil - case UserAccount.Write => UserApi.CreateApiToken.x :: UserApi.DeleteApiToken.x :: Nil - case UserAccount.Edit => UserApi.UpdateApiToken.x :: Nil - - case Validator.Read => Nil // ChangeRequestApi.ListChangeRequests.x :: ChangeRequestApi.ChangeRequestsDetails.x :: Nil - case Validator.Write => - Nil // ChangeRequestApi.DeclineRequestsDetails.x :: ChangeRequestApi.AcceptRequestsDetails.x :: Nil - case Validator.Edit => Nil // ChangeRequestApi.UpdateRequestsDetails.x :: Nil - case _ => Nil // Done within plugin - } - } - } } /* 
diff --git a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/UserManagementApi.scala b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/UserManagementApi.scala index 8476e7825ee..5b578734000 100644 --- a/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/UserManagementApi.scala +++ b/webapp/sources/rudder/rudder-rest/src/main/scala/com/normation/rudder/rest/lift/UserManagementApi.scala @@ -128,8 +128,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val z = implicitly[Line].value val description = "Reload (read again rudder-users.xml and process result) information about registered users in Rudder" val (action, path) = POST / "usermanagement" / "users" / "reload" - - override def dataContainer: Option[String] = None + override def dataContainer: Option[String] = None + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } final case object DeleteUser extends UserManagementApi with OneParam with StartsAtVersion10 { @@ -138,6 +138,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val (action, path) = DELETE / "usermanagement" / "{username}" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } final case object AddUser extends UserManagementApi with ZeroParam with StartsAtVersion10 { @@ -146,6 +148,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val (action, path) = POST / "usermanagement" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } final case object UpdateUser extends UserManagementApi with OneParam with StartsAtVersion10 { 
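Review bot: Every mutating user-management endpoint in this file (the reload endpoint `POST usermanagement/users/reload` here, and `DeleteUser`, `AddUser`, `UpdateUser`, `UpdateUserInfo`, `ActivateUser`, `DisableUser` in the following hunks) becomes reachable with `AuthorizationType.UserAccount.Write`, the same right that EndpointsDefinition.scala attaches to creating and deleting a user's personal API token. Before this commit these schemas declared no `authz` and inherited the `Administration.Write` default, so an account holding `UserAccount.Write` only to manage its own token would gain the ability to add, delete, enable and modify other accounts. Whether `UpdateUser` can also change roles is not visible in the hunk, but if it can, this is a privilege-escalation path. I would keep the previous level, `val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil`, on these endpoints and reconsider `UserAccount.Read` on `RoleCoverage` in the same way. The enclosing case objects start outside the hunks.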
@@ -154,6 +158,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val (action, path) = POST / "usermanagement" / "update" / "{username}" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } final case object UpdateUserInfo extends UserManagementApi with OneParam with StartsAtVersion10 { @@ -162,6 +168,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val (action, path) = POST / "usermanagement" / "update" / "info" / "{username}" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } final case object ActivateUser extends UserManagementApi with OneParam with StartsAtVersion10 { @@ -170,6 +178,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val (action, path) = PUT / "usermanagement" / "status" / "activate" / "{username}" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } final case object DisableUser extends UserManagementApi with OneParam with StartsAtVersion10 { @@ -178,6 +188,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val (action, path) = PUT / "usermanagement" / "status" / "disable" / "{username}" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Write :: Nil } final case object RoleCoverage extends UserManagementApi with OneParam with StartsAtVersion10 { @@ -186,6 +198,8 @@ object UserManagementApi extends Enum[UserManagementApi] with ApiModuleProvider[ val (action, path) = POST / "usermanagement" / "coverage" / "{username}" override def dataContainer: Option[String] = None + + val authz: List[AuthorizationType] = AuthorizationType.UserAccount.Read :: Nil } def endpoints = values.toList.sortBy(_.z) 
diff --git a/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/MockServices.scala b/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/MockServices.scala index e92a6b7483a..f1a36894535 100644 --- a/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/MockServices.scala +++ b/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/MockServices.scala @@ -107,7 +107,7 @@ import com.normation.rudder.repository.FullNodeGroupCategory import com.normation.rudder.repository.RoNodeGroupRepository import com.normation.rudder.repository.RoRuleRepository import com.normation.rudder.repository.WoRuleRepository -import com.normation.rudder.rest.AuthorizationApiMapping +import com.normation.rudder.rest.ExtensibleAuthorizationApiMapping import com.normation.rudder.rest.ProviderRoleExtension import com.normation.rudder.rest.RoleApiMapping import com.normation.rudder.rest.lift.ComplianceAPIService @@ -858,7 +858,7 @@ class MockUserManagement(userInfos: List[UserInfo], userSessions: List[UserSessi val userService: FileUserDetailListProvider = { val usersFile = UserFile("test-users.xml", usersInputStream) - val roleApiMapping = new RoleApiMapping(AuthorizationApiMapping.Core) + val roleApiMapping = new RoleApiMapping(new ExtensibleAuthorizationApiMapping(Nil)) val res = new FileUserDetailListProvider(roleApiMapping, usersFile) res.reload() diff --git a/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/rest/RestTestSetUp.scala b/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/rest/RestTestSetUp.scala index e5d7d15435a..a01f8dbe3a6 100644 --- a/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/rest/RestTestSetUp.scala +++ b/webapp/sources/rudder/rudder-rest/src/test/scala/com/normation/rudder/rest/RestTestSetUp.scala 
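Review bot: `MockUserManagement` now builds `RoleApiMapping` over `new ExtensibleAuthorizationApiMapping(Nil)`, and the `RestTestSetUp` hunk does the same, so in tests every right other than `AnyRights` maps to an empty ACL list and nothing exercises the new per-endpoint `authz` declarations. With the authorization table moved from one `match` into many separate `val authz` lines, a wrong or missing right on a single endpoint would not be caught by this setup. Seeding the test mapping the way Boot.scala does, `new ExtensibleAuthorizationApiMapping(new AuthorizationMappingListEndpoint(schemas) :: Nil)` with `schemas` standing for the endpoint schemas under test, would let the tests assert which ACLs a non-admin role receives.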
@@ -955,7 +955,7 @@ class RestTestSetUp { mockUserManagement.userRepo, mockUserManagement.userService, mockUserManagement.userManagementService, - new RoleApiMapping(new ExtensibleAuthorizationApiMapping(AuthorizationApiMapping.Core :: Nil)), + new RoleApiMapping(new ExtensibleAuthorizationApiMapping(Nil)), () => mockUserManagement.providerRoleExtension, () => mockUserManagement.authBackendProviders ) diff --git a/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/Boot.scala b/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/Boot.scala index fe7621bd97d..ad68e0e2557 100644 --- a/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/Boot.scala +++ b/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/Boot.scala @@ -58,6 +58,7 @@ import com.normation.rudder.domain.logger.ApplicationLogger import com.normation.rudder.domain.logger.ApplicationLoggerPure import com.normation.rudder.domain.logger.PluginLogger import com.normation.rudder.rest.ApiModuleProvider +import com.normation.rudder.rest.AuthorizationMappingListEndpoint import com.normation.rudder.rest.EndpointSchema import com.normation.rudder.rest.InfoApi as InfoApiDef import com.normation.rudder.rest.lift.InfoApi 
@@ -534,13 +535,15 @@ class Boot extends Loggable { LiftRules.statelessDispatch.append(RudderConfig.eventLogApi) // REST API (all public/internal API) // we need to add "info" API here to have all used API (even plugins) - val infoApi = { + val infoApi = { // all used api - add info as it is not yet declared val schemas = RudderConfig.rudderApi.apis().map(_.schema) ++ InfoApiDef.endpoints val endpoints = schemas.flatMap(RudderConfig.apiDispatcher.withVersion(_, RudderConfig.ApiVersions)) new InfoApi(RudderConfig.restExtractorService, RudderConfig.ApiVersions, endpoints) } RudderConfig.rudderApi.addModules(infoApi.getLiftEndpoints()) + val apiRoleMapper = new AuthorizationMappingListEndpoint(RudderConfig.rudderApi.apis().map(_.schema)) + RudderConfig.authorizationApiMapping.addMapper(apiRoleMapper) LiftRules.statelessDispatch.append(RudderConfig.rudderApi.getLiftRestApi()) // URL rewrites diff --git a/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/RudderConfig.scala b/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/RudderConfig.scala index 05956ef07d1..4cd16fb98d3 100644 --- a/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/RudderConfig.scala +++ b/webapp/sources/rudder/rudder-web/src/main/scala/bootstrap/liftweb/RudderConfig.scala @@ -1515,7 +1515,7 @@ object RudderConfigInit { lazy val authenticationProviders = new AuthBackendProvidersManager() // Plugin input interface for Authorization for API - lazy val authorizationApiMapping = new ExtensibleAuthorizationApiMapping(AuthorizationApiMapping.Core :: Nil) + lazy val authorizationApiMapping = new ExtensibleAuthorizationApiMapping(Nil) ////////// end pluggable service providers //////////
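Review bot: The core ACLs are only registered at the `addMapper` call added here, while `RudderConfig.authorizationApiMapping` starts as `ExtensibleAuthorizationApiMapping(Nil)` (last hunk of the patch), so any role resolved to API ACLs before this line sees an empty mapping. That fails closed, but if the user list is loaded and its ACLs computed during `RudderConfig` initialisation (the test code calls `reload()` right after construction; production ordering is not visible here), non-admin users would keep empty API rights until the next reload. The mapper is also a snapshot of `rudderApi.apis()` at this point, so modules added later would not be covered unless they register their own mapper. A comment such as `// must run before any user or token ACL is computed: the mapping is empty until this mapper is added` would document the constraint.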