feat(access): allow more flexible access checks

[oyo]

Description

Enable access checks with arbitrary check functions.

Why

Currently the frontend role check is only based on role name assuming the roles names are unique across clients. This assumption can be incorrect so we implemented a more flexible access check which allows to check for client id and role name. To be future-proof the mechanism now allows arbitrary checks to be executed for decision whether access is granted or not.

In the process some redundant code has been identified and removed.

Issue

657

Checklist

• [x] I have followed the contributing guidelines
• [x] I have performed a self-review of my own code
• [x] I have successfully tested my changes locally
• [x] I have added tests that prove my changes work
• [x] I have checked that new and existing tests pass locally with my changes
• [x] I have commented my code, particularly in hard-to-understand areas

[oyo]

Looks good in general but as the impact of this change could be quite huge if there was some inconsistency in which client was validated updated to now:

The logic now intersects the resourceAccess attribute from the keycloak user token with a same object securing any resource. Access is granted if the intersection is not empty which means that at least one required client+role combination has been found in the user token. Tests for this logic are here:

https://github.com/eclipse-tractusx/portal-frontend/blob/feat/657/allow-clientid-for-rolecheck/src/utils/dataUtils.test.ts#L138-L181

did you check the following?: " The following resource needs to get checked when the user access the respective page:

URL Ressource /registration/* Cl1-CX-Registration

Those URLs are from the registration app and the check must be implemented there.

/registration Cl1-CX-Registration

https://github.com/eclipse-tractusx/portal-frontend/blob/feat/657/allow-clientid-for-rolecheck/src/types/Config.tsx#L111-L112

Checked for combination of Registration client id and VIEW_REGISTRATION role - is this the correct one?

/?overlay=consent_osp Cl1-CX-Registration

Looks like this overlay is not implemented any more. https://portal.dev.demo.catena-x.net/?overlay=consent_osp There is a page with this name - but it's broken https://portal.dev.demo.catena-x.net/consent_osp @jjeroch has this logic been changed or is it broken for other reasons?

/semantichub Cl3-CX-Semantic

https://github.com/eclipse-tractusx/portal-frontend/blob/feat/657/allow-clientid-for-rolecheck/src/types/Config.tsx#L169-L175

plus two more uses of userHasSemanticHubRole in the semantic hub code

/admin-credential Cl24-CX-SSI-Credential-Issuer

https://github.com/eclipse-tractusx/portal-frontend/blob/feat/657/allow-clientid-for-rolecheck/src/types/Config.tsx#L567-L568

/usecase-participation Cl2-CX-Portal /certificate-credential Cl2-CX-Portal all others Cl2-CX-Portal

all other pages are using userHasPortalRole checking for that client id if correctly injected: https://github.com/eclipse-tractusx/portal-frontend/blob/feat/657/allow-clientid-for-rolecheck/src/services/AccessService.tsx#L97-L98

[sonarcloud[bot]]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud