Changed DinaAdminCUDAuthorixationService

now using admin-based group check

dina-base-api/src/main/java/ca/gc/aafc/dina/security/auth/DinaAdminCUDAuthorizationService.java

@@ -7,7 +7,7 @@
 public class DinaAdminCUDAuthorizationService extends PermissionAuthorizationService {
 
   @Override
-  @PreAuthorize("hasDinaRole(@currentUser, 'DINA_ADMIN')")
+  @PreAuthorize("hasAdminRole(@currentUser, 'DINA_ADMIN')")
   public void authorizeCreate(Object entity) {
 
   }
@@ -18,13 +18,13 @@ public void authorizeRead(Object entity) {
   }
 
   @Override
-  @PreAuthorize("hasDinaRole(@currentUser, 'DINA_ADMIN')")
+  @PreAuthorize("hasAdminRole(@currentUser, 'DINA_ADMIN')")
   public void authorizeUpdate(Object entity) {
 
   }
 
   @Override
-  @PreAuthorize("hasDinaRole(@currentUser, 'DINA_ADMIN')")
+  @PreAuthorize("hasAdminRole(@currentUser, 'DINA_ADMIN')")
   public void authorizeDelete(Object entity) {
 
   }

dina-base-api/src/main/java/ca/gc/aafc/dina/security/spring/DinaPermissionEvaluator.java

@@ -92,6 +92,23 @@ public boolean hasDinaRole(DinaAuthenticatedUser user, String role) {
       .anyMatch(dinaRole -> dinaRole.name().equalsIgnoreCase(role.strip()));
   }
 
+  /**
+   * returns true if the given user has a given admin role
+   *
+   * @param user user with roles
+   * @param role admin role to check for
+   * @return - true if the given user has a given role in one of it's many groups
+   */
+  public boolean hasAdminRole(DinaAuthenticatedUser user, String role) {
+    if (user == null || StringUtils.isBlank(role)) {
+      return false;
+    }
+
+    return user.getAdminRoles()
+      .stream()
+      .anyMatch(dinaRole -> dinaRole.name().equalsIgnoreCase(role.strip()));
+  }
+
   /**
    * Returns true if the given authenticated user is a member of the group the given target object belongs to
    * and also has the given role for that group.

dina-base-api/src/test/java/ca/gc/aafc/dina/security/auth/DinaAdminOnlyAuthTest.java

@@ -67,7 +67,7 @@ void setUp() {
   }
 
   @Test
-  @WithMockKeycloakUser(groupRole = {"CNC:DINA_ADMIN"})
+  @WithMockKeycloakUser(adminRole = {"DINA_ADMIN"})
   public void create_WhenAdmin_CreatesObject() {
     ItemDto dto = ItemDto.builder().uuid(UUID.randomUUID()).group("g").build();
     ItemDto result = testRepo.create(dto);

dina-test-support/src/main/java/ca/gc/aafc/dina/testsupport/security/WithMockKeycloakSecurityContextFactory.java

@@ -35,10 +35,13 @@ public SecurityContext createSecurityContext(WithMockKeycloakUser mockKeycloakUs
     AccessToken accessToken = new AccessToken();
     accessToken.setRealmAccess(new AccessToken.Access());
 
-    List<String> groupRoles = Arrays.stream(mockKeycloakUser.groupRole())
+    if (mockKeycloakUser.groupRole() != null && mockKeycloakUser.groupRole().length > 0 &&
+      StringUtils.isNotBlank(mockKeycloakUser.groupRole()[0])) {
+      List<String> groupRoles = Arrays.stream(mockKeycloakUser.groupRole())
         .map(gr -> convertToKeycloakNotation(gr, mockKeycloakUser.failOnInvalidNotation()))
         .collect(Collectors.toList());
-    accessToken.setOtherClaims(GROUPS_CLAIM_KEY, groupRoles);
+      accessToken.setOtherClaims(GROUPS_CLAIM_KEY, groupRoles);
+    }
 
     if (StringUtils.isNotBlank(mockKeycloakUser.agentIdentifier())) {
       accessToken.setOtherClaims(AGENT_IDENTIFIER_CLAIM_KEY, mockKeycloakUser.agentIdentifier());