Add subfolder of management to protected paths

MTES-MCT · Dec 20, 2023 · 2429065 · 2429065
1 parent 5ecaee2
commit 2429065
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 4 deletions.
diff --git a/...test/kotlin/fr/gouv/cnsp/monitorfish/infrastructure/api/security/BffFilterConfigITests.kt b/...test/kotlin/fr/gouv/cnsp/monitorfish/infrastructure/api/security/BffFilterConfigITests.kt
@@ -10,6 +10,7 @@ import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest
 import org.springframework.boot.test.mock.mockito.MockBean
 import org.springframework.context.annotation.Import
 import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
 import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
 
@@ -80,4 +81,18 @@ class BffFilterConfigITests {
                 .andExpect(status().isUnauthorized)
         }
     }
+
+    @Test
+    fun `Should return 401 for When deleting an user`() {
+        // When
+        listOf(
+            "/api/v1/authorization/management/dummy@user.com",
+        ).forEach {
+            mockMvc.perform(
+                delete(it),
+            )
+                // Then
+                .andExpect(status().isUnauthorized)
+        }
+    }
 }
diff --git a/backend/src/test/resources/application.properties b/backend/src/test/resources/application.properties
@@ -25,5 +25,5 @@ monitorfish.oidc.enabled=false
 monitorfish.api.protected.paths=/bff/*
 # Super-user paths of type /** are not supported
 monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors
-monitorfish.api.protected.public-paths=/api/v1/authorization/management,/api/v1/beacon_malfunctions/*
+monitorfish.api.protected.public-paths=/api/v1/authorization/management/*,/api/v1/beacon_malfunctions/*
 monitorfish.api.protected.api-key=DUMMY-API-KEY
diff --git a/infra/configurations/application-dev.properties b/infra/configurations/application-dev.properties
@@ -17,7 +17,7 @@ monitorfish.oidc.userinfo-endpoint=/api/user
 monitorfish.api.protected.paths=/bff/*,/light/v1/vessels/*
 # Super-user paths of type /** are not supported
 monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors
-monitorfish.api.protected.public-paths=/api/v1/authorization/management,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
+monitorfish.api.protected.public-paths=/api/v1/authorization/management/*,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
 
 ###################
 # Database settings (URL) is injected at runtime with an environment variable

diff --git a/infra/configurations/application-local.properties b/infra/configurations/application-local.properties
@@ -21,7 +21,7 @@ monitorfish.oidc.userinfo-endpoint=/api/user
 monitorfish.api.protected.paths=/bff/*,/light/v1/vessels/*
 # Super-user paths of type /** are not supported
 monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors
-monitorfish.api.protected.public-paths=/api/v1/authorization/management,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
+monitorfish.api.protected.public-paths=/api/v1/authorization/management/*,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
 monitorfish.api.protected.api-key=DUMMY-API-KEY
 
 ###################

diff --git a/infra/configurations/application-prod.properties b/infra/configurations/application-prod.properties
@@ -17,7 +17,7 @@ monitorfish.oidc.userinfo-endpoint=/api/user
 monitorfish.api.protected.paths=/bff/*,/light/v1/vessels/*
 # Super-user paths of type /** are not supported
 monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors
-monitorfish.api.protected.public-paths=/api/v1/authorization/management,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
+monitorfish.api.protected.public-paths=/api/v1/authorization/management/*,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
 
 ###################
 # Database settings (URL) is injected at runtime with an environment variable