From 1663ec8c0300d19b126ecf7c64bba99e1c3db876 Mon Sep 17 00:00:00 2001 From: Johannes Date: Mon, 15 Jun 2026 19:05:14 -0400 Subject: [PATCH] security(aria): restrict all endpoints to BCOS_ADMIN only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ARIA is an internal security intelligence tool — MSP_ADMIN users should not have access. Replaced hasAnyRole('MSP_ADMIN','BCOS_ADMIN') with hasRole('BCOS_ADMIN') across all four controllers. Co-Authored-By: Claude Sonnet 4.6 --- .../hiveops/aria/controller/DevicePostureController.java | 4 ++-- .../aria/controller/PrecursorSequenceAlertController.java | 6 +++--- .../hiveops/aria/controller/ThreatEventController.java | 4 ++-- .../com/hiveops/aria/controller/ThreatIocController.java | 8 ++++---- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/src/main/java/com/hiveops/aria/controller/DevicePostureController.java b/src/main/java/com/hiveops/aria/controller/DevicePostureController.java index 30c2811..53e4ae4 100644 --- a/src/main/java/com/hiveops/aria/controller/DevicePostureController.java +++ b/src/main/java/com/hiveops/aria/controller/DevicePostureController.java @@ -42,7 +42,7 @@ public class DevicePostureController { } @GetMapping - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public Page getPostures( @RequestParam(required = false) DeviceSecurityPosture.OsEolStatus osEolStatus, @RequestParam(required = false) String scoreFilter, @@ -64,7 +64,7 @@ public class DevicePostureController { } @GetMapping("/{deviceId}") - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public ResponseEntity getPosture(@PathVariable Long deviceId) { return postureRepository.findByDeviceId(deviceId) .map(ResponseEntity::ok) diff --git a/src/main/java/com/hiveops/aria/controller/PrecursorSequenceAlertController.java b/src/main/java/com/hiveops/aria/controller/PrecursorSequenceAlertController.java index bb855b9..70a7b0a 100644 --- a/src/main/java/com/hiveops/aria/controller/PrecursorSequenceAlertController.java +++ b/src/main/java/com/hiveops/aria/controller/PrecursorSequenceAlertController.java @@ -27,7 +27,7 @@ public class PrecursorSequenceAlertController { private final ThreatEventRepository eventRepository; @GetMapping - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public Page getSequences( @RequestParam(required = false) Boolean resolved, @RequestParam(required = false) PrecursorSequenceAlert.SequenceType sequenceType, @@ -53,7 +53,7 @@ public class PrecursorSequenceAlertController { } @GetMapping("/{id}/events") - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public ResponseEntity> getSequenceEvents(@PathVariable Long id) { return alertRepository.findById(id) .map(alert -> ResponseEntity.ok(eventRepository.findBySequenceId(alert.getSequenceId()))) @@ -61,7 +61,7 @@ public class PrecursorSequenceAlertController { } @PostMapping("/{id}/resolve") - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public ResponseEntity resolve( @PathVariable Long id, @AuthenticationPrincipal AriaPrincipal principal) { diff --git a/src/main/java/com/hiveops/aria/controller/ThreatEventController.java b/src/main/java/com/hiveops/aria/controller/ThreatEventController.java index 4cc4c74..aad00d8 100644 --- a/src/main/java/com/hiveops/aria/controller/ThreatEventController.java +++ b/src/main/java/com/hiveops/aria/controller/ThreatEventController.java @@ -29,7 +29,7 @@ public class ThreatEventController { private final DeviceSecurityPostureRepository postureRepository; @GetMapping("/events") - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public Page getEvents( @RequestParam(required = false) ThreatEvent.ThreatSeverity severity, @RequestParam(required = false) String deviceAgentId, @@ -48,7 +48,7 @@ public class ThreatEventController { } @GetMapping("/stats") - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public ResponseEntity> getStats() { long totalEvents = eventRepository.count(); long critical24h = eventRepository.countBySeverity(ThreatEvent.ThreatSeverity.CRITICAL); diff --git a/src/main/java/com/hiveops/aria/controller/ThreatIocController.java b/src/main/java/com/hiveops/aria/controller/ThreatIocController.java index 987a60c..70ba66d 100644 --- a/src/main/java/com/hiveops/aria/controller/ThreatIocController.java +++ b/src/main/java/com/hiveops/aria/controller/ThreatIocController.java @@ -22,7 +22,7 @@ public class ThreatIocController { private final ThreatIocRepository iocRepository; @GetMapping - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public List getAll( @RequestParam(required = false) ThreatIoc.IocType type, @RequestParam(required = false, defaultValue = "true") boolean activeOnly) { @@ -43,7 +43,7 @@ public class ThreatIocController { } @PostMapping - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public ResponseEntity create(@Valid @RequestBody CreateIocRequest request) { ThreatIoc ioc = ThreatIoc.builder() .iocType(request.getIocType()) @@ -58,7 +58,7 @@ public class ThreatIocController { } @PutMapping("/{id}") - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public ResponseEntity update(@PathVariable Long id, @Valid @RequestBody CreateIocRequest request) { return iocRepository.findById(id).map(ioc -> { ioc.setValue(request.getValue()); @@ -70,7 +70,7 @@ public class ThreatIocController { } @DeleteMapping("/{id}") - @PreAuthorize("hasAnyRole('MSP_ADMIN','BCOS_ADMIN')") + @PreAuthorize("hasRole('BCOS_ADMIN')") public ResponseEntity deactivate(@PathVariable Long id) { return iocRepository.findById(id).map(ioc -> { ioc.setActive(false);