From 8c155164e9cc75c5fc789859e0e2c64e6b4b0a63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A6var=20M=C3=A1r=20Atlason?=
Date: Tue, 11 Jun 2024 11:05:19 +0000
Subject: [PATCH 1/3] Open delegation settings for normal users. Also open access control settings on permissions for normal users.
---
 .../admin/dto/admin-patch-client.dto.ts | 9 ---------
 .../lib/resources/admin/admin-scope.service.ts | 2 +-
 .../admin/dto/admin-patch-scope.dto.ts | 18 ++++++++++--------
 .../src/screens/Client/EditClient.tsx | 2 +-
 .../src/screens/Permission/EditPermission.tsx | 2 +-
 5 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts b/libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts
index 9cb3bc59d79b..b94eb2776406 100644
--- a/libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts
+++ b/libs/auth-api-lib/src/lib/clients/admin/dto/admin-patch-client.dto.ts
@@ -210,15 +210,6 @@ export class AdminPatchClientDto {
 }
 
 export const superUserFields = [
- 'supportsCustomDelegation',
- 'supportsLegalGuardians',
- 'supportsProcuringHolders',
- 'supportsPersonalRepresentatives',
- 'supportedDelegationTypes',
- 'addedDelegationTypes',
- 'removedDelegationTypes',
- 'promptDelegations',
- 'requireApiScopes',
 'requireConsent',
 'allowOfflineAccess',
 'requirePkce',
diff --git a/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts b/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts
index 54e727b675f1..82627b919bed 100644
--- a/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts
+++ b/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts
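Review bot: Dropping the nine delegation entries from `superUserFields` appears to remove the only server-side gate that kept tenant admins from enabling legal-guardian, procuring-holder and personal-representative delegation on a client, yet the constant carries no comment recording that this widening is deliberate. Add a short header above the array so the omission is not later read as an accident, e.g. `// Fields a tenant admin may NOT patch. Delegation-related fields were intentionally removed from this list and are tenant-editable.` The remaining members of the array continue past `'requirePkce',` outside the hunk, so the full set of still-gated fields is not visible here. The `admin-scope.service.ts` import hunk that follows is a plain cleanup and needs no note.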
@@ -25,7 +25,7 @@ import { TranslatedValueDto } from '../../translation/dto/translated-value.dto' import { TranslationService } from '../../translation/translation.service' import { User } from '@island.is/auth-nest-tools' import { AdminPortalScope } from '@island.is/auth/scopes' -import { AuthDelegationProvider, AuthDelegationType } from 'delegation' +import { AuthDelegationType } from 'delegation' import { ApiScopeDelegationType } from '../models/api-scope-delegation-type.model' import { DelegationTypeModel } from '../../delegations/models/delegation-type.model' diff --git a/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts b/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts index b940c7112b04..91f7720ac038 100644 --- a/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts +++ b/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts @@ -106,11 +106,13 @@ export class AdminPatchScopeDto { removedDelegationTypes?: string[] } -export const superUserScopeFields = [ - 'grantToAuthenticatedUser', - 'grantToLegalGuardians', - 'grantToProcuringHolders', - 'allowExplicitDelegationGrant', - 'isAccessControlled', - 'grantToPersonalRepresentatives', -] +/** + * Here we can define properties that should only be editable by a super user + * + * For example: + * export const superUserScopeFields = [ + * 'isAccessControlled', + * 'grantToAuthenticatedUser', + * ] + */ +export const superUserScopeFields = [] diff --git a/libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx b/libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx index 99e6aacdb494..ccb19793efa7 100644 --- a/libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx +++ b/libs/portals/admin/ids-admin/src/screens/Client/EditClient.tsx @@ -126,7 +126,7 @@ export const EditClient = () => { - {isSuperAdmin && !isMachineApplication && ( + {!isMachineApplication && ( { + {isSuperAdmin && } - {isSuperAdmin && } 
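Review bot: With `superUserScopeFields` emptied in the `admin-patch-scope.dto.ts` hunk, the check that rejects "admin controlled fields" with a 403 can no longer fire for scopes, and patch 3 of this series deletes the only `me-scopes.spec.ts` case that exercised that path, so a field added back to the list later would ship with its enforcement untested. Keep one spec that stubs the list with a placeholder field name (for example through `jest.mock` of this module) and asserts the 403 still occurs, instead of removing the case outright. The new doc comment explains the mechanism but not the decision; add a line such as `* Currently empty on purpose: access-control and delegation flags on scopes are editable by tenant admins.` so readers see that `isAccessControlled` being tenant-editable is intended, not an oversight. The `EditClient.tsx` and `EditPermission.tsx` hunks on this line are too mangled in this rendering to review.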
From 2078ba387debcd7aab116d7def317fb808849b4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A6var=20M=C3=A1r=20Atlason?=
Date: Tue, 11 Jun 2024 12:17:47 +0000
Subject: [PATCH 2/3] Update description for authenticated user and specific national ids fields on permissions. Remove isSuperAdmin check in delegation section in application. Remove unused variable.
---
 .../src/lib/resources/admin/admin-scope.service.ts | 3 ---
 .../src/lib/resources/admin/dto/admin-patch-scope.dto.ts | 2 +-
 libs/portals/admin/ids-admin/src/lib/messages.ts | 6 ++++--
 .../ids-admin/src/screens/Client/components/Delegation.tsx | 4 ----
 .../ids-admin/src/screens/Permission/EditPermission.tsx | 5 ++---
 5 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts b/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts
index 82627b919bed..4d1a0b16c2b4 100644
--- a/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts
+++ b/libs/auth-api-lib/src/lib/resources/admin/admin-scope.service.ts
@@ -27,7 +27,6 @@ import { User } from '@island.is/auth-nest-tools'
 import { AdminPortalScope } from '@island.is/auth/scopes'
 import { AuthDelegationType } from 'delegation'
 import { ApiScopeDelegationType } from '../models/api-scope-delegation-type.model'
-import { DelegationTypeModel } from '../../delegations/models/delegation-type.model'
 
 /**
 * This is a service that is used to access the admin scopes
@@ -41,8 +40,6 @@ export class AdminScopeService {
 private readonly apiScopeUserClaim: typeof ApiScopeUserClaim,
 @InjectModel(ApiScopeDelegationType)
 private readonly apiScopeDelegationType: typeof ApiScopeDelegationType,
- @InjectModel(DelegationTypeModel)
- private readonly delegationTypeModel: typeof DelegationTypeModel,
 private readonly adminTranslationService: AdminTranslationService,
 private readonly translationService: TranslationService,
 private sequelize: Sequelize,
diff --git a/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts b/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts
index 91f7720ac038..374e31f454b2 100644
--- a/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts
+++ b/libs/auth-api-lib/src/lib/resources/admin/dto/admin-patch-scope.dto.ts
@@ -115,4 +115,4 @@ export class AdminPatchScopeDto {
 * 'grantToAuthenticatedUser',
 * ]
 */
-export const superUserScopeFields = []
+export const superUserScopeFields: string[] = []
diff --git a/libs/portals/admin/ids-admin/src/lib/messages.ts b/libs/portals/admin/ids-admin/src/lib/messages.ts
index 47ac62817f5d..3da23113e911 100644
--- a/libs/portals/admin/ids-admin/src/lib/messages.ts
+++ b/libs/portals/admin/ids-admin/src/lib/messages.ts
@@ -766,7 +766,8 @@ export const m = defineMessages({
 },
 isAccessControlledDescription: {
 id: 'ap.ids-admin:is-access-controlled-description',
- defaultMessage: 'Only allow specific national ids',
+ defaultMessage:
+ 'Authorize a list of national ids for this permission. Request support from island.is to manage the list.',
 },
 grantToAuthenticatedUser: {
 id: 'ap.ids-admin:grant-to-authenticated-user',
@@ -774,7 +775,8 @@ export const m = defineMessages({
 },
 grantToAuthenticatedUserDescription: {
 id: 'ap.ids-admin:grant-to-authenticated-user-description',
- defaultMessage: 'Should the authenticated user get this scope',
+ defaultMessage:
+ 'Should the authenticated individual get this scope (uncheck if only delegated users should be allowed).',
 },
 grantToProcuringHolders: {
 id: 'ap.ids-admin:grant-to-procuring-holders',
diff --git a/libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx b/libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx
index 8d53a6918a79..df22600df652 100644
--- a/libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx
+++ b/libs/portals/admin/ids-admin/src/screens/Client/components/Delegation.tsx
@@ -30,7 +30,6 @@ const Delegation = ({ selectedEnvironment, }: DelegationProps) => { const { formatMessage } = useLocale() - const { isSuperAdmin } = useSuperAdmin() const { client } = useClient() const { getDelegationProviders } = useDelegationProviders() @@ -149,7 +148,6 @@ const Delegation = ({ large name={`${FIELD_PREFIX}${delegationType.id}`} value="true" - disabled={!isSuperAdmin} checked={inputValues.supportedDelegationTypes?.includes( delegationType.id, )} @@ -172,7 +170,6 @@ const Delegation = ({ label={formatMessage(m.alwaysPromptDelegations)} backgroundColor={'blue'} large - disabled={!isSuperAdmin} name="promptDelegations" value="true" checked={inputValues.promptDelegations} @@ -188,7 +185,6 @@ const Delegation = ({ label={formatMessage(m.requirePermissions)} backgroundColor={'blue'} large - disabled={!isSuperAdmin} name="requireApiScopes" value="true" checked={inputValues.requireApiScopes} diff --git a/libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx b/libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx index bd31b61556a3..5a15827b0a67 100644 --- a/libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx +++ b/libs/portals/admin/ids-admin/src/screens/Permission/EditPermission.tsx @@ -6,12 +6,11 @@ import { PermissionAccessControl } from './components/PermissionAccessControl' import { EnvironmentProvider } from '../../context/EnvironmentContext' import { usePermission } from './PermissionContext' import { PublishPermission } from './PublishPermission/PublishPermission' -import { useSuperAdmin } from '../../hooks/useSuperAdmin' import { PermissionDelegations } from './components/PermissionDelegations' export const EditPermission = () => { const { selectedPermission, permission } = usePermission() - const { isSuperAdmin } = useSuperAdmin() + return ( { - {isSuperAdmin && } + From d509034abd27f0ecf3d8bd745dba7f09aee797e7 Mon Sep 17 00:00:00 2001 
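Review bot: The `@@ -30,7 +30,6 @@` hunk in `Delegation.tsx` drops the `const { isSuperAdmin } = useSuperAdmin()` call, but no hunk in this file touches its import and the diffstat's four deletions are fully accounted for by the four removed lines shown, so if `useSuperAdmin` is imported on its own line (as it was in `EditPermission.tsx`) it is now an unused import; remove it in the same commit. Removing `disabled={!isSuperAdmin}` from the three checkboxes in the `@@ -149`, `@@ -172` and `@@ -188` hunks matches the server-side list change in patch 1; the UI flag was never the enforcement point, so no further client change is needed here. The `Delegation` component body starts and ends outside these hunks.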
From: =?UTF-8?q?S=C3=A6var=20M=C3=A1r=20Atlason?=
Date: Tue, 11 Jun 2024 21:28:15 +0000
Subject: [PATCH 3/3] Fix tests
---
 .../src/app/v2/clients/test/me-clients.spec.ts | 3 +--
 .../src/app/v2/scopes/test/me-scopes.spec.ts | 16 ----------------
 2 files changed, 1 insertion(+), 18 deletions(-)

diff --git a/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts b/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts
index 7461e189de01..67561ff47daa 100644
--- a/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts
+++ b/apps/services/auth/admin-api/src/app/v2/clients/test/me-clients.spec.ts
@@ -363,14 +363,13 @@ describe('MeClientsController with auth', () => {
 it.each`
 value | typeSpecificDefaults
 ${'super admin fields'} | ${{
- promptDelegations: true,
- requireApiScopes: true,
 requireConsent: false,
 singleSession: false,
 allowOfflineAccess: true,
 requirePkce: false,
 supportTokenExchange: true,
 accessTokenLifetime: 100,
+ allowedAcr: ['some-acr-value'],
 customClaims: [{ type: 'claim1', value: 'value1' }],
 }}
 `(
diff --git a/apps/services/auth/admin-api/src/app/v2/scopes/test/me-scopes.spec.ts b/apps/services/auth/admin-api/src/app/v2/scopes/test/me-scopes.spec.ts
index 35a9c061bdd7..c5ce162544b0 100644
--- a/apps/services/auth/admin-api/src/app/v2/scopes/test/me-scopes.spec.ts
+++ b/apps/services/auth/admin-api/src/app/v2/scopes/test/me-scopes.spec.ts
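Review bot: Removing `promptDelegations` and `requireApiScopes` from the `'super admin fields'` row only stops asserting the gate that patch 1 removed; nothing in this hunk positively tests that a non-super-user can now patch those delegation fields, so a regression that puts them back into `superUserFields` would pass CI. If the `it.each` table has a non-super-admin row (it is outside the hunk), add `promptDelegations: true,` and `requireApiScopes: true,` to that row's defaults so the new behaviour is covered. The added `allowedAcr: ['some-acr-value'],` is not explained by the "Fix tests" message; presumably it is still in the super-user list and was needed to keep this row a genuine super-admin case, and a one-line comment in the fixture saying so would save the next reader the lookup.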
@@ -432,22 +432,6 @@ const patchExpectedOutput = {
 }
 
 const patchTestCases: Record = {
- 'should not update scope since user is not a super user and input contains super user fields':
- {
- user: currentUser,
- tenantId: TENANT_ID,
- scopeName: mockedPatchApiScope.name,
- input: inputPatch,
- expected: {
- status: 403,
- body: {
- detail: 'User does not have access to update admin controlled fields',
- status: 403,
- title: 'Forbidden',
- type: 'https://httpstatuses.org/403',
- },
- },
- },
 'should update scope even though user is not a super user since there are no super admin fields':
 {
 user: currentUser,