opexdev · Marchosiax · Jun 12, 2022 · Jun 8, 2022
diff --git a/admin/admin-app/src/main/kotlin/co/nilin/opex/admin/app/config/SecurityConfig.kt b/admin/admin-app/src/main/kotlin/co/nilin/opex/admin/app/config/SecurityConfig.kt
@@ -20,8 +20,8 @@ class SecurityConfig(private val webClient: WebClient) {
     fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
         http.csrf().disable()
             .authorizeExchange()
-            .pathMatchers("/auth/**").hasRole("SCOPE_trust", "finance-admin")
-            .pathMatchers("/system/**").hasRole("SCOPE_trust", "system-admin")
+            .pathMatchers("/auth/**").hasRole("SCOPE_trust", "admin_finance")
+            .pathMatchers("/system/**").hasRole("SCOPE_trust", "admin_system")
             .pathMatchers("/actuator/health").permitAll()
             .anyExchange().authenticated()
             .and()

diff --git a/...teway/bc-gateway-app/src/main/kotlin/co/nilin/opex/bcgateway/app/config/SecurityConfig.kt b/...teway/bc-gateway-app/src/main/kotlin/co/nilin/opex/bcgateway/app/config/SecurityConfig.kt
@@ -26,10 +26,10 @@ class SecurityConfig(@Qualifier("loadBalanced") private val webClient: WebClient
             .pathMatchers("/swagger-resources/**").permitAll()
             .pathMatchers("/wallet-sync/**").permitAll()
             .pathMatchers("/filter/**").hasAuthority("SCOPE_trust")
-            .pathMatchers("/admin/**").hasRole("SCOPE_trust", "system-admin")
+            .pathMatchers("/admin/**").hasRole("SCOPE_trust", "admin_system")
             .pathMatchers("/address/**").permitAll()
             .pathMatchers("/deposit/**").permitAll()
-            .pathMatchers("/addresses/**").hasRole("SCOPE_trust", "system-admin")
+            .pathMatchers("/addresses/**").hasRole("SCOPE_trust", "admin_system")
             .anyExchange().authenticated()
             .and()
             .oauth2ResourceServer()

diff --git a/referral/referral-app/src/main/kotlin/co/nilin/opex/referral/app/config/SecurityConfig.kt b/referral/referral-app/src/main/kotlin/co/nilin/opex/referral/app/config/SecurityConfig.kt
@@ -23,7 +23,7 @@ class SecurityConfig(private val webClient: WebClient) {
             .pathMatchers("/swagger-ui/**").permitAll()
             .pathMatchers("/swagger-resources/**").permitAll()
             .pathMatchers("/v2/api-docs").permitAll()
-            .pathMatchers("/checkouts/**", "/commissions/**", "/references").hasRole("SCOPE_trust", "finance-admin")
+            .pathMatchers("/checkouts/**", "/commissions/**", "/references").hasRole("SCOPE_trust", "admin_finance")
             .pathMatchers("/**").hasAuthority("SCOPE_trust")
             .anyExchange().authenticated()
             .and()

diff --git a/...rral/referral-app/src/main/kotlin/co/nilin/opex/referral/app/controller/CodeController.kt b/...rral/referral-app/src/main/kotlin/co/nilin/opex/referral/app/controller/CodeController.kt
@@ -155,7 +155,7 @@ class CodeController(
         return uuid?.takeIf { uuid == principal.name }?.let { id ->
             referralCodeHandler.findByReferrerUuid(id).map { ReferralCodeBody(it.uuid, it.code, it.referentCommission) }
         } ?: run {
-            val isAdmin = ((principal as Jwt).claims["roles"] as? JSONArray)?.contains("finance-admin") ?: false
+            val isAdmin = ((principal as Jwt).claims["roles"] as? JSONArray)?.contains("admin_finance") ?: false
             return if (isAdmin) referralCodeHandler.findAll()
                 .map { ReferralCodeBody(it.uuid, it.code, it.referentCommission) }
             else throw OpexException(OpexError.UnAuthorized)

diff --git a/storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/SecurityConfig.kt b/storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/SecurityConfig.kt
@@ -24,7 +24,7 @@ class SecurityConfig(private val webClient: WebClient) {
             .pathMatchers("/swagger-ui/**").permitAll()
             .pathMatchers("/swagger-resources/**").permitAll()
             .pathMatchers("/v2/api-docs").permitAll()
-            .pathMatchers("/admin/**").hasRole("SCOPE_trust", "finance-admin")
+            .pathMatchers("/admin/**").hasRole("SCOPE_trust", "admin_finance")
             .pathMatchers("/**").hasAuthority("SCOPE_trust")
             .anyExchange().authenticated()
             .and()

diff --git a/user-management/keycloak-gateway/src/main/resources/opex-realm.json b/user-management/keycloak-gateway/src/main/resources/opex-realm.json
@@ -43,16 +43,9 @@
   "roles": {
     "realm": [
       {
-        "id": "fa6b43a1-c4eb-41d9-8f6f-b7fbc3ce6579",
-        "name": "system-admin",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "opex",
-        "attributes": {}
-      },
-      {
-        "id": "fe152bae-77c5-485c-be97-a5f490b3b837",
-        "name": "finance-admin",
+        "id": "6e034724-6f49-41c2-92f4-e085959d9d04",
+        "name": "admin_finance",
+        "description": "Admin responsible for finance operations",
         "composite": true,
         "composites": {
           "realm": [
@@ -63,6 +56,24 @@
         "containerId": "opex",
         "attributes": {}
       },
+      {
+        "id": "6061c17a-30fb-4d17-9414-8e20e61520ce",
+        "name": "admin_system",
+        "description": "Admins responsible for system's settings and operations",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "opex",
+        "attributes": {}
+      },
+      {
+        "id": "470642d4-8042-4eef-8146-cd8e5dc0c346",
+        "name": "user_anonymous",
+        "description": "Anonymous user",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "opex",
+        "attributes": {}
+      },
       {
         "id": "1135b8ef-3838-4397-961e-79a77845fac2",
         "name": "impersonation",
@@ -71,6 +82,15 @@
         "containerId": "opex",
         "attributes": {}
       },
+      {
+        "id": "ddab5c6c-f54e-4369-be3d-24a4121288d3",
+        "name": "user_basic",
+        "description": "Registered user",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "opex",
+        "attributes": {}
+      },
       {
         "id": "3b6109f5-6e5a-4578-83c3-791ec3e2bf9e",
         "name": "offline_access",
@@ -80,6 +100,22 @@
         "containerId": "opex",
         "attributes": {}
       },
+      {
+        "id": "17aeb6b8-96f7-44c3-a7b7-db5a163ddec5",
+        "name": "super_admin",
+        "description": "Composition of all admin roles. Assign with caution!",
+        "composite": true,
+        "composites": {
+          "realm": [
+            "impersonation",
+            "admin_system",
+            "admin_finance"
+          ]
+        },
+        "clientRole": false,
+        "containerId": "opex",
+        "attributes": {}
+      },
       {
         "id": "0dd6a8c7-d669-4941-9ea1-521980e9c53f",
         "name": "uma_authorization",
@@ -90,16 +126,21 @@
         "attributes": {}
       },
       {
-        "id": "ca962095-7f9b-49e2-a190-e391a0d4b704",
-        "name": "user",
-        "composite": false,
+        "id": "fee989a8-c92e-4889-9507-c37809d8f876",
+        "name": "user_kyc",
+        "description": "User verified through eKYC flow",
+        "composite": true,
+        "composites": {
+          "realm": [
+            "user_basic"
+          ]
+        },
         "clientRole": false,
         "containerId": "opex",
         "attributes": {}
       }
     ],
     "client": {
-      "newClient": [],
       "ipg": [],
       "web-app": [],
       "realm-management": [
@@ -428,21 +469,14 @@
       "clientRoles": {},
       "subGroups": []
     },
-    {
-      "id": "efb76f91-62a0-409d-afea-c76a9766c6f9",
-      "name": "finance-admin",
-      "path": "/finance-admin",
-      "attributes": {},
-      "realmRoles": [],
-      "clientRoles": {},
-      "subGroups": []
-    },
     {
       "id": "8307c787-473d-41a1-ad57-f31bd32119e8",
       "name": "kyc-accepted",
       "path": "/kyc-accepted",
       "attributes": {},
-      "realmRoles": [],
+      "realmRoles": [
+        "user_kyc"
+      ],
       "clientRoles": {},
       "subGroups": []
     },
@@ -475,9 +509,9 @@
     }
   ],
   "defaultRoles": [
+    "user_basic",
     "offline_access",
-    "uma_authorization",
-    "user"
+    "uma_authorization"
   ],
   "requiredCredentials": [
     "password"
@@ -625,33 +659,24 @@
       "client": "account-console",
       "roles": [
         "offline_access",
-        "uma_authorization",
-        "user"
-      ]
-    },
-    {
-      "client": "admin-cli",
-      "roles": [
-        "system-admin",
-        "finance-admin"
+        "uma_authorization"
       ]
     },
     {
       "client": "opex-admin",
       "roles": [
-        "system-admin",
         "impersonation",
-        "finance-admin",
+        "super_admin",
         "offline_access",
-        "uma_authorization",
-        "user"
+        "uma_authorization"
       ]
     },
     {
       "client": "web-app",
       "roles": [
-        "system-admin",
-        "finance-admin"
+        "user_kyc",
+        "admin_system",
+        "admin_finance"
       ]
     },
     {
@@ -1144,71 +1169,6 @@
         "microprofile-jwt"
       ]
     },
-    {
-      "id": "b88ce206-63d6-43b6-87c9-ea09d8c02f32",
-      "clientId": "newClient",
-      "surrogateAuthRequired": false,
-      "enabled": true,
-      "alwaysDisplayInConsole": false,
-      "clientAuthenticatorType": "client-secret",
-      "secret": "b25cd2c3-1bbd-4988-ab6a-8439ac4e2c60",
-      "redirectUris": [
-        "http://localhost:8082/new-client/login/oauth2/code/custom",
-        "http://localhost:3000/*",
-        "http://localhost:8089/auth/redirect/",
-        "https://opex.dev/*"
-      ],
-      "webOrigins": [
-        "+"
-      ],
-      "notBefore": 0,
-      "bearerOnly": false,
-      "consentRequired": false,
-      "standardFlowEnabled": true,
-      "implicitFlowEnabled": true,
-      "directAccessGrantsEnabled": true,
-      "serviceAccountsEnabled": false,
-      "publicClient": false,
-      "frontchannelLogout": false,
-      "protocol": "openid-connect",
-      "attributes": {
-        "saml.assertion.signature": "false",
-        "saml.force.post.binding": "false",
-        "saml.multivalued.roles": "false",
-        "saml.encrypt": "false",
-        "saml.server.signature": "false",
-        "backchannel.logout.revoke.offline.tokens": "false",
-        "saml.server.signature.keyinfo.ext": "false",
-        "exclude.session.state.from.auth.response": "false",
-        "backchannel.logout.session.required": "false",
-        "client_credentials.use_refresh_token": "false",
-        "saml_force_name_id_format": "false",
-        "saml.client.signature": "false",
-        "tls.client.certificate.bound.access.tokens": "false",
-        "saml.authnstatement": "false",
-        "display.on.consent.screen": "false",
-        "saml.onetimeuse.condition": "false"
-      },
-      "authenticationFlowBindingOverrides": {},
-      "fullScopeAllowed": true,
-      "nodeReRegistrationTimeout": -1,
-      "defaultClientScopes": [
-        "trust",
-        "role_list",
-        "profile"
-      ],
-      "optionalClientScopes": [
-        "web-origins",
-        "address",
-        "read",
-        "phone",
-        "roles",
-        "offline_access",
-        "microprofile-jwt",
-        "write",
-        "email"
-      ]
-    },
     {
       "id": "fb5f91c4-42fa-4769-b45d-febef22b4976",
       "clientId": "opex-admin",
@@ -2794,13 +2754,13 @@
         "subComponents": {},
         "config": {
           "allowed-protocol-mapper-types": [
-            "oidc-usermodel-attribute-mapper",
             "saml-user-property-mapper",
-            "saml-role-list-mapper",
-            "oidc-full-name-mapper",
-            "oidc-usermodel-property-mapper",
             "saml-user-attribute-mapper",
+            "oidc-usermodel-attribute-mapper",
             "oidc-sha256-pairwise-sub-mapper",
+            "oidc-full-name-mapper",
+            "oidc-usermodel-property-mapper",
+            "saml-role-list-mapper",
             "oidc-address-mapper"
           ]
         }
@@ -2821,14 +2781,14 @@
         "subComponents": {},
         "config": {
           "allowed-protocol-mapper-types": [
-            "oidc-usermodel-property-mapper",
-            "oidc-sha256-pairwise-sub-mapper",
+            "saml-user-property-mapper",
+            "oidc-usermodel-attribute-mapper",
+            "saml-user-attribute-mapper",
             "oidc-full-name-mapper",
             "saml-role-list-mapper",
-            "oidc-usermodel-attribute-mapper",
-            "saml-user-property-mapper",
             "oidc-address-mapper",
-            "saml-user-attribute-mapper"
+            "oidc-usermodel-property-mapper",
+            "oidc-sha256-pairwise-sub-mapper"
           ]
         }
       }

diff --git a/wallet/wallet-app/src/main/kotlin/co/nilin/opex/wallet/app/config/SecurityConfig.kt b/wallet/wallet-app/src/main/kotlin/co/nilin/opex/wallet/app/config/SecurityConfig.kt
@@ -26,7 +26,7 @@ class SecurityConfig(private val webClient: WebClient) {
             .pathMatchers("/withdraw").hasAuthority("SCOPE_trust")
             .pathMatchers("/withdraw/**").hasAuthority("SCOPE_trust")
             .pathMatchers("/transaction/**").hasAuthority("SCOPE_trust")
-            .pathMatchers("/admin/**").hasRole("SCOPE_trust","finance-admin")
+            .pathMatchers("/admin/**").hasRole("SCOPE_trust","admin_finance")
             .pathMatchers("/payment/internal/**").permitAll()
             .pathMatchers("/**").permitAll()
             .anyExchange().authenticated()