security(aria): restrict all endpoints to BCOS_ADMIN only
ARIA is an internal security intelligence tool — MSP_ADMIN users
should not have access. Replaced hasAnyRole('MSP_ADMIN','BCOS_ADMIN')
with hasRole('BCOS_ADMIN') across all four controllers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -42,7 +42,7 @@ public class DevicePostureController {
|
||||
}
|
||||
|
||||
@GetMapping
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public Page<DeviceSecurityPosture> getPostures(
|
||||
@RequestParam(required = false) DeviceSecurityPosture.OsEolStatus osEolStatus,
|
||||
@RequestParam(required = false) String scoreFilter,
|
||||
@@ -64,7 +64,7 @@ public class DevicePostureController {
|
||||
}
|
||||
|
||||
@GetMapping("/{deviceId}")
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public ResponseEntity<DeviceSecurityPosture> getPosture(@PathVariable Long deviceId) {
|
||||
return postureRepository.findByDeviceId(deviceId)
|
||||
.map(ResponseEntity::ok)
|
||||
|
||||
@@ -27,7 +27,7 @@ public class PrecursorSequenceAlertController {
|
||||
private final ThreatEventRepository eventRepository;
|
||||
|
||||
@GetMapping
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public Page<PrecursorSequenceAlert> getSequences(
|
||||
@RequestParam(required = false) Boolean resolved,
|
||||
@RequestParam(required = false) PrecursorSequenceAlert.SequenceType sequenceType,
|
||||
@@ -53,7 +53,7 @@ public class PrecursorSequenceAlertController {
|
||||
}
|
||||
|
||||
@GetMapping("/{id}/events")
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public ResponseEntity<List<ThreatEvent>> getSequenceEvents(@PathVariable Long id) {
|
||||
return alertRepository.findById(id)
|
||||
.map(alert -> ResponseEntity.ok(eventRepository.findBySequenceId(alert.getSequenceId())))
|
||||
@@ -61,7 +61,7 @@ public class PrecursorSequenceAlertController {
|
||||
}
|
||||
|
||||
@PostMapping("/{id}/resolve")
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public ResponseEntity<PrecursorSequenceAlert> resolve(
|
||||
@PathVariable Long id,
|
||||
@AuthenticationPrincipal AriaPrincipal principal) {
|
||||
|
||||
@@ -29,7 +29,7 @@ public class ThreatEventController {
|
||||
private final DeviceSecurityPostureRepository postureRepository;
|
||||
|
||||
@GetMapping("/events")
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public Page<ThreatEvent> getEvents(
|
||||
@RequestParam(required = false) ThreatEvent.ThreatSeverity severity,
|
||||
@RequestParam(required = false) String deviceAgentId,
|
||||
@@ -48,7 +48,7 @@ public class ThreatEventController {
|
||||
}
|
||||
|
||||
@GetMapping("/stats")
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public ResponseEntity<Map<String, Object>> getStats() {
|
||||
long totalEvents = eventRepository.count();
|
||||
long critical24h = eventRepository.countBySeverity(ThreatEvent.ThreatSeverity.CRITICAL);
|
||||
|
||||
@@ -22,7 +22,7 @@ public class ThreatIocController {
|
||||
private final ThreatIocRepository iocRepository;
|
||||
|
||||
@GetMapping
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public List<ThreatIoc> getAll(
|
||||
@RequestParam(required = false) ThreatIoc.IocType type,
|
||||
@RequestParam(required = false, defaultValue = "true") boolean activeOnly) {
|
||||
@@ -43,7 +43,7 @@ public class ThreatIocController {
|
||||
}
|
||||
|
||||
@PostMapping
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public ResponseEntity<ThreatIoc> create(@Valid @RequestBody CreateIocRequest request) {
|
||||
ThreatIoc ioc = ThreatIoc.builder()
|
||||
.iocType(request.getIocType())
|
||||
@@ -58,7 +58,7 @@ public class ThreatIocController {
|
||||
}
|
||||
|
||||
@PutMapping("/{id}")
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public ResponseEntity<ThreatIoc> update(@PathVariable Long id, @Valid @RequestBody CreateIocRequest request) {
|
||||
return iocRepository.findById(id).map(ioc -> {
|
||||
ioc.setValue(request.getValue());
|
||||
@@ -70,7 +70,7 @@ public class ThreatIocController {
|
||||
}
|
||||
|
||||
@DeleteMapping("/{id}")
|
||||
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
|
||||
@PreAuthorize("hasRole('BCOS_ADMIN')")
|
||||
public ResponseEntity<Void> deactivate(@PathVariable Long id) {
|
||||
return iocRepository.findById(id).map(ioc -> {
|
||||
ioc.setActive(false);
|
||||
|
||||
Reference in New Issue
Block a user