doc(FSADT1-1274): updating the authorization doc (#900)

.github/pull_request_template.md

@@ -14,6 +14,7 @@ Fixes # (issue)
 - [ ] New feature (non-breaking change which adds functionality)
 - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
 - [ ] This change requires a documentation update
+- [ ] Documentation update
 
 # How Has This Been Tested?
 
@@ -28,21 +29,22 @@ Fixes # (issue)
 - [ ] New user flow tests
 - [ ] No new tests are required
 - [ ] Manual tests (description below)
+- [ ] Updated existing tests
 
 
 ## Checklist
 
 <!-- Go over all the following points, and put an `x` in all the boxes that apply. -->
 <!-- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
 
-- [ ] I have read the [CONTRIBUTING](CONTRIBUTING.md) doc
-- [ ] I have performed a self-review of my own code
-- [ ] I have commented my code, particularly in hard-to-understand areas
-- [ ] I have made corresponding changes to the documentation
-- [ ] My changes generate no new warnings
-- [ ] I have added tests that prove my fix is effective or that my feature works
-- [ ] New and existing unit tests pass locally with my changes
-- [ ] Any dependent changes have already been accepted and merged
+- [x] I have read the [CONTRIBUTING](CONTRIBUTING.md) doc
+- [x] I have performed a self-review of my own code
+- [x] I have commented my code, particularly in hard-to-understand areas
+- [x] I have made corresponding changes to the documentation
+- [x] My changes generate no new warnings
+- [x] I have added tests that prove my fix is effective or that my feature works
+- [x] New and existing unit tests pass locally with my changes
+- [x] Any dependent changes have already been accepted and merged
 
 
 ## Further comments

backend/src/main/java/ca/bc/gov/app/security/ApiAuthorizationCustomizer.java

@@ -21,91 +21,106 @@ public class ApiAuthorizationCustomizer implements Customizer<AuthorizeExchangeS
    */
   @Override
   public void customize(AuthorizeExchangeSpec authorize) {
-    authorize
-        // Metrics and health endpoints are open to all
-        .pathMatchers("/metrics/**", "/health/**").permitAll()
-
-        // Only service users can access the email endpoint
-        .pathMatchers("/api/ches/email")
-        .hasAnyRole(
-            ApplicationConstant.USERTYPE_SERVICE_USER
-        )
-        // Only BCEID business users and BCSC users can access the duplicate endpoint
-        .pathMatchers("/api/ches/duplicate")
-        .hasAnyRole(
-            ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
-            ApplicationConstant.USERTYPE_BCSC_USER
-        )
-        // Only BCEID business users and BCSC users can access the addresses endpoint
-        .pathMatchers("/api/addresses/**")
-        .hasAnyRole(
-            ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
-            ApplicationConstant.USERTYPE_BCSC_USER
-        )
-        // IDIR users, BCEID business users, and BCSC users can access the codes endpoint
-        .pathMatchers("/api/codes/**")
-        .hasAnyRole(
-            ApplicationConstant.ROLE_VIEWER,
-            ApplicationConstant.ROLE_EDITOR,
-            ApplicationConstant.ROLE_ADMIN,
-            ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
-            ApplicationConstant.USERTYPE_BCSC_USER
-        )
-        // IDIR users, BCEID business users, BCSC users, and service users can access the districts endpoint
-        .pathMatchers("/api/districts/**")
-        .hasAnyRole(
-            ApplicationConstant.ROLE_VIEWER,
-            ApplicationConstant.ROLE_EDITOR,
-            ApplicationConstant.ROLE_ADMIN,
-            ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
-            ApplicationConstant.USERTYPE_BCSC_USER,
-            ApplicationConstant.USERTYPE_SERVICE_USER
-        )
-        // IDIR users, BCEID business users, BCSC users, and service users can access the countries endpoint
-        .pathMatchers("/api/countries/**")
-        .hasAnyRole(
-            ApplicationConstant.ROLE_VIEWER,
-            ApplicationConstant.ROLE_EDITOR,
-            ApplicationConstant.ROLE_ADMIN,
-            ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
-            ApplicationConstant.USERTYPE_BCSC_USER,
-            ApplicationConstant.USERTYPE_SERVICE_USER
-        )
-        // Only Editors and Admin can approve/reject submissions
-        .pathMatchers(HttpMethod.POST,"/api/clients/submissions/{id:[0-9]+}")
-        .hasAnyRole(
-            ApplicationConstant.ROLE_EDITOR,
-            ApplicationConstant.ROLE_ADMIN
-        )
-        // Only Editors, Viewers and Admin users can get details
-        .pathMatchers("/api/clients/submissions/{id:[0-9]+}")
-        .hasAnyRole(
-            ApplicationConstant.ROLE_VIEWER,
-            ApplicationConstant.ROLE_EDITOR,
-            ApplicationConstant.ROLE_ADMIN
-        )
-        // Only Editors users can access the list of submissions, and other users can create submissions
-        .pathMatchers(HttpMethod.POST, "/api/clients/submissions/**")
-        .hasAnyRole(
-            ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
-            ApplicationConstant.USERTYPE_BCSC_USER
-        )
-        .pathMatchers(HttpMethod.GET, "/api/clients/submissions/**")
-        .hasAnyRole(
-            ApplicationConstant.ROLE_VIEWER,
-            ApplicationConstant.ROLE_EDITOR,
-            ApplicationConstant.ROLE_ADMIN
-        )
-        // All BCSC, BCEID, and IDIR users can access the client APIs
-        .pathMatchers("/api/clients/**")
-        .hasAnyRole(
-            ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
-            ApplicationConstant.USERTYPE_BCSC_USER,
-            ApplicationConstant.ROLE_VIEWER,
-            ApplicationConstant.ROLE_EDITOR,
-            ApplicationConstant.ROLE_ADMIN
-        )
-        // All other exchanges are denied by default
-        .anyExchange().denyAll();
+    // Begin authorization rules configuration
+authorize
+
+    // Allow all access to metrics and health endpoints
+    .pathMatchers("/metrics/**", "/health/**").permitAll()
+
+    // Only service users can access the email endpoint
+    .pathMatchers("/api/ches/email")
+    .hasAnyRole(
+        ApplicationConstant.USERTYPE_SERVICE_USER
+    )
+
+    // Only BCeIdBusiness and BCSC users can access the duplicate endpoint
+    .pathMatchers("/api/ches/duplicate")
+    .hasAnyRole(
+        ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
+        ApplicationConstant.USERTYPE_BCSC_USER
+    )
+
+    // Only BCeIdBusiness and BCSC users can access the addresses endpoint
+    .pathMatchers("/api/addresses/**")
+    .hasAnyRole(
+        ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
+        ApplicationConstant.USERTYPE_BCSC_USER
+    )
+
+    // Viewer, editor, admin, BCeIdBusiness and BCSC users can access the codes endpoint
+    .pathMatchers("/api/codes/**")
+    .hasAnyRole(
+        ApplicationConstant.ROLE_VIEWER,
+        ApplicationConstant.ROLE_EDITOR,
+        ApplicationConstant.ROLE_ADMIN,
+        ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
+        ApplicationConstant.USERTYPE_BCSC_USER
+    )
+
+    // Viewer, editor, admin, BCeIdBusiness, BCSC and service users can access the districts endpoint
+    .pathMatchers("/api/districts/**")
+    .hasAnyRole(
+        ApplicationConstant.ROLE_VIEWER,
+        ApplicationConstant.ROLE_EDITOR,
+        ApplicationConstant.ROLE_ADMIN,
+        ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
+        ApplicationConstant.USERTYPE_BCSC_USER,
+        ApplicationConstant.USERTYPE_SERVICE_USER
+    )
+
+    // Viewer, editor, admin, BCeIdBusiness, BCSC and service users can access the countries endpoint
+    .pathMatchers("/api/countries/**")
+    .hasAnyRole(
+        ApplicationConstant.ROLE_VIEWER,
+        ApplicationConstant.ROLE_EDITOR,
+        ApplicationConstant.ROLE_ADMIN,
+        ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
+        ApplicationConstant.USERTYPE_BCSC_USER,
+        ApplicationConstant.USERTYPE_SERVICE_USER
+    )
+
+    // Only editor and admin can POST to the clients submissions endpoint with a specific id
+    .pathMatchers(HttpMethod.POST,"/api/clients/submissions/{id:[0-9]+}")
+    .hasAnyRole(
+        ApplicationConstant.ROLE_EDITOR,
+        ApplicationConstant.ROLE_ADMIN
+    )
+
+    // Viewer, editor and admin can access the clients submissions endpoint with a specific id
+    .pathMatchers("/api/clients/submissions/{id:[0-9]+}")
+    .hasAnyRole(
+        ApplicationConstant.ROLE_VIEWER,
+        ApplicationConstant.ROLE_EDITOR,
+        ApplicationConstant.ROLE_ADMIN
+    )
+
+    // Only BCeIdBusiness and BCSC users can POST to the clients submissions endpoint
+    .pathMatchers(HttpMethod.POST, "/api/clients/submissions/**")
+    .hasAnyRole(
+        ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
+        ApplicationConstant.USERTYPE_BCSC_USER
+    )
+
+    // Viewer, editor and admin can GET from the clients submissions endpoint
+    .pathMatchers(HttpMethod.GET, "/api/clients/submissions/**")
+    .hasAnyRole(
+        ApplicationConstant.ROLE_VIEWER,
+        ApplicationConstant.ROLE_EDITOR,
+        ApplicationConstant.ROLE_ADMIN
+    )
+
+    // BCeIdBusiness, BCSC, viewer, editor and admin users can access the clients endpoint
+    .pathMatchers("/api/clients/**")
+    .hasAnyRole(
+        ApplicationConstant.USERTYPE_BCEIDBUSINESS_USER,
+        ApplicationConstant.USERTYPE_BCSC_USER,
+        ApplicationConstant.ROLE_VIEWER,
+        ApplicationConstant.ROLE_EDITOR,
+        ApplicationConstant.ROLE_ADMIN
+    )
+
+    // Deny all other requests
+    .anyExchange().denyAll();
+
   }
 }