From acb10b1d240023b345005821e6099691cb6b38ad Mon Sep 17 00:00:00 2001
From: Arnab Dutta
Date: Wed, 28 Feb 2024 20:01:57 +0530
Subject: [PATCH] fix: the audit log API in Admin UI is not protected by authorization token #7836 (#7837)
Signed-off-by: Arnab Dutta
Co-authored-by: YuriyZ
---
 .../rest/logging/AuditLoggerResource.java | 3 +++
 .../jans-auth/role-scope-mappings.json | 18 ++++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/logging/AuditLoggerResource.java b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/logging/AuditLoggerResource.java
index 5c740f13968..9e2d5461524 100644
--- a/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/logging/AuditLoggerResource.java
+++ b/jans-config-api/plugins/admin-ui-plugin/src/main/java/io/jans/ca/plugin/adminui/rest/logging/AuditLoggerResource.java
@@ -2,6 +2,7 @@
 import io.jans.ca.plugin.adminui.utils.CommonUtils;
 import io.jans.ca.plugin.adminui.utils.ErrorResponse;
+import io.jans.configapi.core.rest.ProtectedApi;
 import io.swagger.v3.oas.annotations.Hidden;
 import jakarta.inject.Inject;
 import jakarta.validation.Valid;
@@ -19,6 +20,7 @@
 @Path("/admin-ui/logging")
 public class AuditLoggerResource {
+ public static final String AUDIT_LOGGING_WRITE_SCOPE = "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write";
 static final String AUDIT = "/audit";
 @Inject
@@ -26,6 +28,7 @@ public class AuditLoggerResource {
 @POST
 @Path(AUDIT)
+ @ProtectedApi(scopes = {AUDIT_LOGGING_WRITE_SCOPE})
 @Produces(MediaType.APPLICATION_JSON)
 public Response auditLogging(@Valid @NotNull Map loggingRequest) {
 try {
diff --git a/jans-linux-setup/jans_setup/templates/jans-auth/role-scope-mappings.json b/jans-linux-setup/jans_setup/templates/jans-auth/role-scope-mappings.json
index 8448b075b8d..6b034b3e09f 100644
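Review bot: The new constant `AUDIT_LOGGING_WRITE_SCOPE` carries no documentation, although its literal value must stay byte-identical to the `permission` entry added to role-scope-mappings.json in the same commit, and nothing at either site says so. A Javadoc such as `/** OAuth scope required by {@code POST /admin-ui/logging/audit}; must match the {@code permission} entry in role-scope-mappings.json. */` would make the coupling visible to whoever next renames a scope. The class body continues outside the hunk.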
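Review bot: Only `auditLogging` receives `@ProtectedApi(scopes = {AUDIT_LOGGING_WRITE_SCOPE})`; the diffstat shows three added lines for this file, so if `AuditLoggerResource` declares any other JAX-RS method (none is visible in the hunk) it would still be reachable without the scope check this commit introduces. Worth confirming that the POST is the class's only endpoint, or annotating the others in the same change. The method body of `auditLogging` continues outside the hunk.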
--- a/jans-linux-setup/jans_setup/templates/jans-auth/role-scope-mappings.json
+++ b/jans-linux-setup/jans_setup/templates/jans-auth/role-scope-mappings.json
@@ -497,6 +497,12 @@
 "description": "",
 "defaultPermissionInToken": false,
 "tag": "properties"
+ },
+ {
+ "permission": "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write",
+ "description": "",
+ "defaultPermissionInToken": false,
+ "tag": "logging"
 }
 ],
 "rolePermissionMapping": [
@@ -520,7 +526,8 @@
 "https://jans.io/oauth/config/database/couchbase.readonly",
 "https://jans.io/oauth/config/database/sql.readonly",
 "https://jans.io/oauth/config/stats.readonly",
- "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly"
+ "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly",
+ "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
 ]
 },
 {
@@ -559,7 +566,8 @@
 "readonly",
 "https://jans.io/oauth/config/stats.readonly",
 "jans_stat",
- "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly"
+ "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly",
+ "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
 ]
 },
 {
@@ -606,7 +614,8 @@
 "readonly",
 "https://jans.io/oauth/config/stats.readonly",
 "jans_stat",
- "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly"
+ "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly",
+ "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
 ]
 },
 {
@@ -679,7 +688,8 @@
 "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write",
 "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete",
 "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly",
- "https://jans.io/oauth/jans-auth-server/config/adminui/properties.write"
+ "https://jans.io/oauth/jans-auth-server/config/adminui/properties.write",
+ "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
 ]
 }
 ]
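Review bot: The new permission entry in the first hunk leaves `"description": ""` empty, so the role-scope template gives an operator no hint of what granting it allows. Something like `"description": "Write audit log entries from the Admin UI"` would document the scope where it is defined. The same literal also appears as the Java constant `AUDIT_LOGGING_WRITE_SCOPE` in AuditLoggerResource.java; the two are only linked by their identical text, so a rename at one site silently desynchronizes the other.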
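Review bot: The write scope is appended to every role mapping the hunks at -520, -559, -606 and -679 touch, including mappings whose other entries are exclusively `.readonly`, so a token minted for a read-only role can now append audit records. That is plausibly intentional, since any Admin UI session presumably needs to emit audit events, but the commit message does not say so and a reader of the template would assume read-only roles carry no write permission. A short confirmation in the PR description, or grouping this scope with the other scopes read-only roles are expected to hold, would settle it; if the grant is not meant to be universal, the read-only mappings should not receive it.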