diff --git a/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java b/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java index 021dbeb4e8..634230f276 100644 --- a/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java +++ b/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java @@ -1371,7 +1371,8 @@ private ArtifactMetaData handleIfExistsReturnOrUpdate(String groupId, String art content, contentType, references); } - private ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version, + @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write) + protected ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version, String name, String description, ContentHandle content, String contentType, List references) { diff --git a/app/src/main/java/io/apicurio/registry/rest/v3/GroupsResourceImpl.java b/app/src/main/java/io/apicurio/registry/rest/v3/GroupsResourceImpl.java index 164c59cda5..efa20cb51f 100644 --- a/app/src/main/java/io/apicurio/registry/rest/v3/GroupsResourceImpl.java +++ b/app/src/main/java/io/apicurio/registry/rest/v3/GroupsResourceImpl.java @@ -1280,7 +1280,8 @@ private CreateArtifactResponse handleIfExistsReturnOrUpdate(String groupId, Stri return updateArtifactInternal(groupId, artifactId, theVersion); } - private CreateArtifactResponse updateArtifactInternal(String groupId, String artifactId, + @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write) + protected CreateArtifactResponse updateArtifactInternal(String groupId, String artifactId, CreateVersion theVersion) { String version = theVersion.getVersion(); String name = theVersion.getName(); diff --git a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java index 471ad430e6..f20a071926 100644 
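Review bot: The new `@Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)` on `updateArtifactInternal` only protects the ifExists update path if the container runs the authorization interceptor when `handleIfExistsReturnOrUpdate` calls this method on the same bean instance, and nothing in the hunk records that dependency. The `private` to `protected` change looks like it exists to make the method interceptable; if so, add a comment such as `// Not private on purpose: the @Authorized interceptor must run when the ifExists path calls this method.` so a later cleanup does not narrow the visibility again and silently drop the write check. The same applies to the v3 `updateArtifactInternal` hunk that follows. It is also worth confirming that the interceptor resolves group and artifact from the first two parameters, since both methods now depend on that ordering; their bodies continue outside the hunks.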
--- a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
+++ b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
@@ -4,15 +4,7 @@
 import io.apicurio.registry.AbstractResourceTestBase;
 import io.apicurio.registry.client.auth.VertXAuthFactory;
 import io.apicurio.registry.rest.client.RegistryClient;
-import io.apicurio.registry.rest.client.models.ArtifactMetaData;
-import io.apicurio.registry.rest.client.models.CreateArtifact;
-import io.apicurio.registry.rest.client.models.CreateRule;
-import io.apicurio.registry.rest.client.models.CreateVersion;
-import io.apicurio.registry.rest.client.models.EditableArtifactMetaData;
-import io.apicurio.registry.rest.client.models.RuleType;
-import io.apicurio.registry.rest.client.models.UserInfo;
-import io.apicurio.registry.rest.client.models.VersionContent;
-import io.apicurio.registry.rest.client.models.VersionMetaData;
+import io.apicurio.registry.rest.client.models.*;
 import io.apicurio.registry.rules.compatibility.CompatibilityLevel;
 import io.apicurio.registry.rules.validity.ValidityLevel;
 import io.apicurio.registry.types.ArtifactType;
@@ -310,6 +302,18 @@ public void testOwnerOnlyAuthorization() throws Exception {
 createRule.setConfig(CompatibilityLevel.BACKWARD.name());
 clientAdmin.groups().byGroupId(groupId).artifacts().byArtifactId(artifactId2).rules()
 .post(createRule);
+
+ // Admin user will create an artifact
+ String artifactId1 = TestUtils.generateArtifactId();
+ createArtifact.setArtifactId(artifactId1);
+ clientAdmin.groups().byGroupId(groupId).artifacts().post(createArtifact);
+
+ // Dev user cannot update with ifExists the same artifact because Dev user is not the owner
+ Assertions.assertThrows(Exception.class, () -> {
+ clientDev.groups().byGroupId(groupId).artifacts().post(createArtifact, config -> {
+ config.queryParameters.ifExists = IfArtifactExists.CREATE_VERSION;
+ });
+ });
 }
 @Test
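Review bot: A wildcard import, `import io.apicurio.registry.rest.client.models.*;`, hides which client model types this test depends on; the only new one the added assertions appear to need is `IfArtifactExists`. Keeping the explicit list and adding `import io.apicurio.registry.rest.client.models.IfArtifactExists;` would make the dependency visible and reduce the import change to one line. The import hunk in `SimpleAuthIT` has the same issue.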
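Review bot: `Assertions.assertThrows(Exception.class, ...)` in the block added to `testOwnerOnlyAuthorization` passes on any failure of the request (a validation error, a conflict, a client-side exception), so the test does not prove that the Dev user was rejected by the owner-only check. Capture the exception and assert the denial itself, for example `Exception e = Assertions.assertThrows(Exception.class, () -> { ... });` followed by `assertForbidden(e);`. That helper is visible in `ApicurioRegistryBaseIT` on this page; whether `SimpleAuthTest` has it in scope is not visible here, so an explicit status check on the `ApiException` may be needed instead. The identical block added to `SimpleAuthIT` has the same weakness. A positive control, with the Admin owner repeating the same `ifExists = CREATE_VERSION` post successfully, would also show that the request is otherwise valid.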
diff --git a/app/src/test/java/io/apicurio/registry/storage/impl/readonly/ReadOnlyRegistryStorageTest.java b/app/src/test/java/io/apicurio/registry/storage/impl/readonly/ReadOnlyRegistryStorageTest.java index 2a10017b13..4153cdcabe 100644 --- a/app/src/test/java/io/apicurio/registry/storage/impl/readonly/ReadOnlyRegistryStorageTest.java +++ b/app/src/test/java/io/apicurio/registry/storage/impl/readonly/ReadOnlyRegistryStorageTest.java @@ -45,7 +45,7 @@ public class ReadOnlyRegistryStorageTest { new State(false, s -> s.countActiveArtifactVersions(null, null))), entry("countTotalArtifactVersions0", new State(false, RegistryStorage::countTotalArtifactVersions)), - entry("createArtifact10", + entry("createArtifact11", new State(true, s -> s.createArtifact(null, null, null, null, null, null, null, null, false, false, null))), @@ -53,7 +53,7 @@ public class ReadOnlyRegistryStorageTest { new State(true, s -> s.createArtifactRule(null, null, null, null))), entry("createArtifactVersionComment4", new State(true, s -> s.createArtifactVersionComment(null, null, null, null))), - entry("createArtifactVersion9", + entry("createArtifactVersion10", new State(true, s -> s.createArtifactVersion(null, null, null, null, null, null, null, false, false, null))), diff --git a/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java b/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java index a176ca890e..483b0a5285 100644 --- a/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java +++ b/integration-tests/src/test/java/io/apicurio/tests/ApicurioRegistryBaseIT.java @@ -609,7 +609,6 @@ protected void assertNotAuthorized(Exception exception) { } protected void assertForbidden(Exception exception) { - assertNotNull(exception); Assertions.assertEquals(ApiException.class, exception.getClass()); Assertions.assertEquals(403, ((ApiException) exception).getResponseStatusCode()); } 
diff --git a/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java b/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java
index 0b181dc1ce..7342f76b29 100644
--- a/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java
+++ b/integration-tests/src/test/java/io/apicurio/tests/auth/SimpleAuthIT.java
@@ -2,15 +2,7 @@
 import io.apicurio.registry.client.auth.VertXAuthFactory;
 import io.apicurio.registry.rest.client.RegistryClient;
-import io.apicurio.registry.rest.client.models.ArtifactMetaData;
-import io.apicurio.registry.rest.client.models.CreateArtifact;
-import io.apicurio.registry.rest.client.models.CreateRule;
-import io.apicurio.registry.rest.client.models.CreateVersion;
-import io.apicurio.registry.rest.client.models.EditableArtifactMetaData;
-import io.apicurio.registry.rest.client.models.RuleType;
-import io.apicurio.registry.rest.client.models.UserInfo;
-import io.apicurio.registry.rest.client.models.VersionContent;
-import io.apicurio.registry.rest.client.models.VersionMetaData;
+import io.apicurio.registry.rest.client.models.*;
 import io.apicurio.registry.rules.compatibility.CompatibilityLevel;
 import io.apicurio.registry.rules.validity.ValidityLevel;
 import io.apicurio.registry.types.ArtifactType;
@@ -234,6 +226,18 @@ public void testOwnerOnlyAuthorization() throws Exception {
 createRule.setConfig(CompatibilityLevel.BACKWARD.name());
 clientAdmin.groups().byGroupId(groupId).artifacts().byArtifactId(artifactId2).rules()
 .post(createRule);
+
+ // Admin user will create an artifact
+ String artifactId1 = TestUtils.generateArtifactId();
+ createArtifact.setArtifactId(artifactId1);
+ clientAdmin.groups().byGroupId(groupId).artifacts().post(createArtifact);
+
+ // Dev user cannot update with ifExists the same artifact because Dev user is not the owner
+ Assertions.assertThrows(Exception.class, () -> {
+ clientDev.groups().byGroupId(groupId).artifacts().post(createArtifact, config -> {
+ config.queryParameters.ifExists = IfArtifactExists.CREATE_VERSION;
+ });
+ });
 }
 @Test
diff --git a/java-sdk/src/main/java/io/apicurio/registry/client/auth/VertXAuthFactory.java b/java-sdk/src/main/java/io/apicurio/registry/client/auth/VertXAuthFactory.java
index 95e019524f..e25432bd1e 100644
--- a/java-sdk/src/main/java/io/apicurio/registry/client/auth/VertXAuthFactory.java
+++ b/java-sdk/src/main/java/io/apicurio/registry/client/auth/VertXAuthFactory.java
@@ -27,14 +27,13 @@ public static WebClient buildOIDCWebClient(Vertx vertx, String tokenUrl, String
 String clientSecret, String scope) {
 WebClient webClient = WebClient.create(vertx);
- OAuth2Auth oAuth2Options = OAuth2Auth.create(vertx, new OAuth2Options()
- .setFlow(OAuth2FlowType.CLIENT)
- .setClientId(clientId)
- .setClientSecret(clientSecret)
- .setTokenPath(tokenUrl));
+ OAuth2Auth oAuth2Options = OAuth2Auth.create(vertx, new OAuth2Options().setFlow(OAuth2FlowType.CLIENT)
+ .setClientId(clientId).setClientSecret(clientSecret).setTokenPath(tokenUrl));
 Oauth2Credentials oauth2Credentials = new Oauth2Credentials();
- oauth2Credentials.addScope(scope);
+ if (scope != null) {
+ oauth2Credentials.addScope(scope);
+ }
 OAuth2WebClient oauth2WebClient = OAuth2WebClient.create(webClient, oAuth2Options);
 oauth2WebClient.withCredentials(oauth2Credentials);
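Review bot: The new guard around `oauth2Credentials.addScope(scope)` only filters `null`; an empty or blank `scope` string would still be added to the credentials and, presumably, sent with the token request. If callers pass configuration values through unchanged, `if (scope != null && !scope.isBlank()) {` covers both cases. The Javadoc of `buildOIDCWebClient` (outside this hunk, if there is one) should state that `scope` is optional and that no scope is requested when it is absent. Separately, the local named `oAuth2Options` holds an `OAuth2Auth`, which is harder to read now that the builder chain is packed onto two lines. The signature starts above the hunk and the body continues below it.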