security(aria): restrict all endpoints to BCOS_ADMIN only
CD - Production / build-and-deploy (push) Failing after 55s
CD - Develop / build-and-deploy (push) Failing after 11m52s

ARIA is an internal security intelligence tool — MSP_ADMIN users
should not have access. Replaced hasAnyRole('MSP_ADMIN','BCOS_ADMIN')
with hasRole('BCOS_ADMIN') across all four controllers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-15 19:05:14 -04:00
parent 23a36cd824
commit 1663ec8c03
4 changed files with 11 additions and 11 deletions
@@ -42,7 +42,7 @@ public class DevicePostureController {
}
@GetMapping
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public Page<DeviceSecurityPosture> getPostures(
@RequestParam(required = false) DeviceSecurityPosture.OsEolStatus osEolStatus,
@RequestParam(required = false) String scoreFilter,
@@ -64,7 +64,7 @@ public class DevicePostureController {
}
@GetMapping("/{deviceId}")
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public ResponseEntity<DeviceSecurityPosture> getPosture(@PathVariable Long deviceId) {
return postureRepository.findByDeviceId(deviceId)
.map(ResponseEntity::ok)
@@ -27,7 +27,7 @@ public class PrecursorSequenceAlertController {
private final ThreatEventRepository eventRepository;
@GetMapping
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public Page<PrecursorSequenceAlert> getSequences(
@RequestParam(required = false) Boolean resolved,
@RequestParam(required = false) PrecursorSequenceAlert.SequenceType sequenceType,
@@ -53,7 +53,7 @@ public class PrecursorSequenceAlertController {
}
@GetMapping("/{id}/events")
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public ResponseEntity<List<ThreatEvent>> getSequenceEvents(@PathVariable Long id) {
return alertRepository.findById(id)
.map(alert -> ResponseEntity.ok(eventRepository.findBySequenceId(alert.getSequenceId())))
@@ -61,7 +61,7 @@ public class PrecursorSequenceAlertController {
}
@PostMapping("/{id}/resolve")
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public ResponseEntity<PrecursorSequenceAlert> resolve(
@PathVariable Long id,
@AuthenticationPrincipal AriaPrincipal principal) {
@@ -29,7 +29,7 @@ public class ThreatEventController {
private final DeviceSecurityPostureRepository postureRepository;
@GetMapping("/events")
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public Page<ThreatEvent> getEvents(
@RequestParam(required = false) ThreatEvent.ThreatSeverity severity,
@RequestParam(required = false) String deviceAgentId,
@@ -48,7 +48,7 @@ public class ThreatEventController {
}
@GetMapping("/stats")
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public ResponseEntity<Map<String, Object>> getStats() {
long totalEvents = eventRepository.count();
long critical24h = eventRepository.countBySeverity(ThreatEvent.ThreatSeverity.CRITICAL);
@@ -22,7 +22,7 @@ public class ThreatIocController {
private final ThreatIocRepository iocRepository;
@GetMapping
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public List<ThreatIoc> getAll(
@RequestParam(required = false) ThreatIoc.IocType type,
@RequestParam(required = false, defaultValue = "true") boolean activeOnly) {
@@ -43,7 +43,7 @@ public class ThreatIocController {
}
@PostMapping
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public ResponseEntity<ThreatIoc> create(@Valid @RequestBody CreateIocRequest request) {
ThreatIoc ioc = ThreatIoc.builder()
.iocType(request.getIocType())
@@ -58,7 +58,7 @@ public class ThreatIocController {
}
@PutMapping("/{id}")
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public ResponseEntity<ThreatIoc> update(@PathVariable Long id, @Valid @RequestBody CreateIocRequest request) {
return iocRepository.findById(id).map(ioc -> {
ioc.setValue(request.getValue());
@@ -70,7 +70,7 @@ public class ThreatIocController {
}
@DeleteMapping("/{id}")
@PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')")
@PreAuthorize("hasRole('BCOS_ADMIN')")
public ResponseEntity<Void> deactivate(@PathVariable Long id) {
return iocRepository.findById(id).map(ioc -> {
ioc.setActive(false);