add /api/rbac/context + /api/hs/accounts/current endpoints (#189)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/189 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
2025-08-21 12:45:59 +02:00
parent 60028697d6
commit 5a5c1466b0
51 changed files with 1034 additions and 129 deletions
@@ -8,6 +8,11 @@ servers:

 paths:

+  # current
+
+  /api/hs/accounts/current:
+    $ref: "current.yaml"
+
  # Contexts

  /api/hs/accounts/contexts:
@@ -21,7 +21,3 @@ components:
                    type: boolean
            required:
                - uuid
-                - type
-                - qualifier
-                - onlyForNaturalPersons
-                - publicAccess
@@ -3,6 +3,16 @@ components:

    schemas:

+        CurrentLoginUser:
+            type: object
+            properties:
+                subject:
+                    $ref: '../rbac/rbac-subject-schemas.yaml#/components/schemas/RbacSubject'
+                person:
+                    $ref: '../hs-office/hs-office-person-schemas.yaml#/components/schemas/HsOfficePerson'
+                globalAdmin:
+                    type: boolean
+
        Credentials:
            type: object
            properties:
@@ -101,7 +111,8 @@ components:
                    items:
                        $ref: 'context-schemas.yaml#/components/schemas/Context'
            required:
-                - uuid
+                - person.uuid
+                - nickname
                - active
            additionalProperties: false

@@ -4,7 +4,6 @@ get:
    description: 'Fetch a single  credentials its uuid, if visible for the current subject.'
    operationId: getSingleCredentialsByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
        - name: credentialsUuid
          in: path
          required: true
@@ -31,7 +30,6 @@ patch:
    description: 'Updates a single  credentials identified by its uuid, if permitted for the current subject.'
    operationId: patchCredentials
    parameters:
-        -   $ref: 'auth.yaml#/components/parameters/assumedRoles'
        -   name: credentialsUuid
            in: path
            required: true
@@ -61,8 +59,7 @@ delete:
    description: 'Delete a single  credentials identified by its uuid, if permitted for the current subject.'
    operationId: deleteCredentialsByUuid
    parameters:
-        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
-        - name: CredentialsUuid
+        - name: credentialsUuid
          in: path
          required: true
          schema:
@@ -32,8 +32,6 @@ post:
    tags:
        - credentials
    operationId: postNewCredentials
-    parameters:
-        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
    requestBody:
        description: A JSON object describing the new  credential.
        required: true
@@ -0,0 +1,17 @@
+get:
+    summary: Currently logged in user data.
+    description: Returns information about the currently logged in user.
+    tags:
+        - credentials
+    operationId: getCurrentLoginUser
+    responses:
+        "200":
+            description: OK
+            content:
+                'application/json':
+                    schema:
+                        $ref: 'credentials-schemas.yaml#/components/schemas/CurrentLoginUser'
+        "401":
+            $ref: 'error-responses.yaml#/components/responses/Unauthorized'
+        "403":
+            $ref: 'error-responses.yaml#/components/responses/Forbidden'
@@ -1,3 +1,4 @@
+
 components:

    responses:
@@ -12,6 +12,30 @@ get:
          schema:
              type: string
          description: Prefix of caption to filter the results.
+        - name: representedByPersonUuid
+          in: query
+          required: false
+          schema:
+              type: string
+              format: uuid
+          description: if given, if only persons represented given person uuid should be returned
+    x-parameter-dependencies:
+        oneOf:
+            - properties:
+                  name:
+                      type: string
+                  not:
+                      required: [ representedByPersonUuid ]
+            - properties:
+                  representedByPersonUuid:
+                      type: string
+                      format: uuid
+                  not:
+                      required: [ name ]
+            - not:
+                  anyOf:
+                      - required: [ name ]
+                      - required: [ representedByPersonUuid ]
    responses:
        "200":
            description: OK
@@ -0,0 +1,16 @@
+
+components:
+
+  schemas:
+
+    RbacContext:
+      type: object
+      properties:
+        subject:
+          $ref: 'rbac-subject-schemas.yaml#/components/schemas/RbacSubject'
+        assumedRoles:
+          type: array
+          items:
+            $ref: 'rbac-role-schemas.yaml#/components/schemas/RbacRole'
+        globalAdmin:
+          type: boolean
@@ -0,0 +1,18 @@
+get:
+    tags:
+        - rbac-context
+    description: Information about the current subject.
+    operationId: getContext
+    parameters:
+        - $ref: 'auth.yaml#/components/parameters/assumedRoles'
+    responses:
+        '200':
+            description: OK
+            content:
+                'application/json':
+                    schema:
+                        $ref: 'rbac-context-schemas.yaml#/components/schemas/RbacContext'
+        '401':
+            $ref: 'error-responses.yaml#/components/responses/Unauthorized'
+        '403':
+            $ref: 'error-responses.yaml#/components/responses/Forbidden'
@@ -8,6 +8,9 @@ servers:

 paths:

+    /api/rbac/context:
+        $ref: 'rbac-context.yaml'
+
    /api/rbac/subjects:
        $ref: 'rbac-subjects.yaml'

@@ -72,6 +72,9 @@ metrics:
 logging:
    level:
        org.springframework.security: info
+        org.springframework.web: DEBUG
+        org.springframework.web.method.annotation: DEBUG
+        org.springframework.validation: DEBUG
 # HOWTO configure logging, e.g. logging to a separate file, see:
 #   https://docs.spring.io/spring-boot/reference/features/logging.html

@@ -12,6 +12,9 @@ declare
    personAlexUuid uuid;
    superuserFranSubjectUuid uuid;
    personFranUuid uuid;
+    userDrewSubjectUuid uuid;
+    personDrewUuid uuid;
+

    context_HSADMIN_prod    hs_accounts.context;
    context_SSH_internal    hs_accounts.context;
@@ -26,6 +29,8 @@ begin
    personAlexUuid = (SELECT uuid FROM hs_office.person WHERE givenName='Alex');
    superuserFranSubjectUuid = (SELECT uuid FROM rbac.subject WHERE name='superuser-fran@hostsharing.net');
    personFranUuid = (SELECT uuid FROM hs_office.person WHERE givenName='Fran');
+    userDrewSubjectUuid = (SELECT uuid FROM rbac.subject WHERE name='selfregistered-user-drew@hostsharing.org');
+    personDrewUuid = (SELECT uuid FROM hs_office.person WHERE givenName='Drew');

    -- Add test contexts
    INSERT INTO hs_accounts.context (uuid, type, qualifier, only_for_natural_persons, public_access) VALUES
@@ -65,14 +70,17 @@ begin
    -- Add test credentials (linking to assumed rbac.subject UUIDs)
    INSERT INTO hs_accounts.credentials (uuid, version, person_uuid, active, global_uid, global_gid, onboarding_token, totp_secrets, phone_password, email_address, sms_number) VALUES
        ( superuserAlexSubjectUuid, 0, personAlexUuid, true, 1001, 1001, 'token-abc', ARRAY['otp-secret-1a', 'otp-secret-1b'], 'phone-pw-1', 'alex@example.com', '111-222-3333'),
-        ( superuserFranSubjectUuid, 0, personFranUuid, true, 1002, 1002, 'token-def', ARRAY['otp-secret-2'], 'phone-pw-2', 'fran@example.com', '444-555-6666');
+        ( superuserFranSubjectUuid, 0, personFranUuid, true, 1002, 1002, 'token-def', ARRAY['otp-secret-2'], 'phone-pw-2', 'fran@example.com', '444-555-6666'),
+        ( userDrewSubjectUuid, 0, personDrewUuid, true, 1003, 1003, 'token-def', ARRAY['otp-secret-3'], 'phone-pw-3', 'drew@example.org', '999-888-7777');

    -- Map credentials to contexts
    INSERT INTO hs_accounts.context_mapping (credentials_uuid, context_uuid) VALUES
        (superuserAlexSubjectUuid, context_HSADMIN_prod.uuid),
        (superuserFranSubjectUuid, context_HSADMIN_prod.uuid),
+        (userDrewSubjectUuid, context_HSADMIN_prod.uuid),
        (superuserAlexSubjectUuid, context_SSH_internal.uuid),
        (superuserFranSubjectUuid, context_SSH_internal.uuid),
+        (userDrewSubjectUuid, context_SSH_external.uuid),
        (superuserAlexSubjectUuid, context_MATRIX_internal.uuid),
        (superuserFranSubjectUuid, context_MATRIX_internal.uuid);

@@ -14,6 +14,7 @@ but\ is=ist aber

 # credentials validations
 existing\ {0}\ does\ not\ match\ given\ resource\ {1}=existierender Credentials-Context {0} passt nicht zum angegebenen {1}
+access-denied-personUuid-{0}-not-represented-by-currently-logged-in-person=Zugriff verweigert: personUuid "{0}" wird von der eingeloggten Person nicht repräsentiert

 # office.coop-shares
 for\ transactionType\={0},\ shareCount\ must\ be\ positive\ but\ is\ {1}=für transactionType={0}, muss shareCount positiv sein, ist aber {1}
@@ -5,4 +5,5 @@
 # But in that case, you can NOT use a prefix - or the prefix would be shown to the user as well.
 # I'm not sure, though, if using the english default translations as keys is really a good idea.

-
+# credentials validations
+access-denied-personUuid-{0}-not-represented-by-currently-logged-in-person=access denied: personUuid "{0}" not represented by currently logged in person