Allow admins to perform operations when OBAC is enabled (#6273)

EricWittmann · web-flow · commit 7a10627ef81b · 2025-05-29T14:17:29.000-04:00
diff --git a/app/src/main/java/io/apicurio/registry/auth/AuthorizedInterceptor.java b/app/src/main/java/io/apicurio/registry/auth/AuthorizedInterceptor.java
@@ -167,9 +167,14 @@ public Object authorizeMethod(InvocationContext context) throws Exception {
         }
 
         // If Owner-only is enabled, apply ownership rules
-        if (authConfig.ownerOnlyAuthorizationEnabled.get() && !obac.isAuthorized(context)) {
-            log.warn("OBAC enabled and operation not permitted due to wrong owner.");
-            throw new ForbiddenException("User " + securityIdentity.getPrincipal().getName() + " is not authorized to perform the requested operation.");
+        if (authConfig.ownerOnlyAuthorizationEnabled.get()) {
+            if (authConfig.roleBasedAuthorizationEnabled && rbac.isAdmin()) {
+                // User is admin, that's good enough.
+            } else if (!obac.isAuthorized(context)) {
+                log.warn("OBAC enabled and operation not permitted due to wrong owner.");
+                throw new ForbiddenException("User " + securityIdentity.getPrincipal().getName()
+                        + " is not authorized to perform the requested operation.");
+            }
         }
 
         return context.proceed();
diff --git a/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java b/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java
@@ -671,7 +671,7 @@ public void deleteArtifactVersionMetaData(String groupId, String artifactId, Str
      */
     @Override
     @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_ID, "2", KEY_VERSION})
-    @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)
+    @Authorized(style = AuthorizedStyle.GroupOnly, level = AuthorizedLevel.Write)
     public Comment addArtifactVersionComment(String groupId, String artifactId, String version, NewComment data) {
         requireParameter("groupId", groupId);
         requireParameter("artifactId", artifactId);
@@ -686,7 +686,7 @@ public Comment addArtifactVersionComment(String groupId, String artifactId, Stri
      */
     @Override
     @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_ID, "2", KEY_VERSION, "3", "comment_id"})
-    @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)
+    @Authorized(style = AuthorizedStyle.GroupOnly, level = AuthorizedLevel.Write)
     public void deleteArtifactVersionComment(String groupId, String artifactId, String version, String commentId) {
         requireParameter("groupId", groupId);
         requireParameter("artifactId", artifactId);
@@ -716,7 +716,7 @@ public List<Comment> getArtifactVersionComments(String groupId, String artifactI
      */
     @Override
     @Audited(extractParameters = {"0", KEY_GROUP_ID, "1", KEY_ARTIFACT_ID, "2", KEY_VERSION, "3", "comment_id"})
-    @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)
+    @Authorized(style = AuthorizedStyle.GroupOnly, level = AuthorizedLevel.Write)
     public void updateArtifactVersionComment(String groupId, String artifactId, String version, String commentId, NewComment data) {
         requireParameter("groupId", groupId);
         requireParameter("artifactId", artifactId);
diff --git a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
@@ -242,6 +242,9 @@ public void testOwnerOnlyAuthorization() throws Exception {
         Auth authDev = new OidcAuth(httpClient, JWKSMockServer.DEVELOPER_CLIENT_ID, "test1");
         RegistryClient clientDev = createClient(authDev);
 
+        Auth authDev2 = new OidcAuth(httpClient, JWKSMockServer.DEVELOPER_2_CLIENT_ID, "test1");
+        RegistryClient clientDev2 = createClient(authDev2);
+
         Auth authAdmin = new OidcAuth(httpClient, JWKSMockServer.ADMIN_CLIENT_ID, "test1");
         RegistryClient clientAdmin = createClient(authAdmin);
 
@@ -274,6 +277,25 @@ public void testOwnerOnlyAuthorization() throws Exception {
         rule.setType(RuleType.COMPATIBILITY);
         rule.setConfig(CompatibilityLevel.BACKWARD.name());
         clientAdmin.createArtifactRule(groupId, artifactId2, rule);
+
+        // Dev User will create an artifact
+        String artifactId3 = TestUtils.generateArtifactId();
+        clientDev.createArtifact(groupId, artifactId3, ArtifactType.JSON, new ByteArrayInputStream("{}".getBytes()));
+
+        // Admin user can delete the artifact (because they are an admin)
+        clientAdmin.deleteArtifact(groupId, artifactId3);
+
+        // Dev User will create another artifact
+        String artifactId4 = TestUtils.generateArtifactId();
+        clientDev.createArtifact(groupId, artifactId4, ArtifactType.JSON, new ByteArrayInputStream("{}".getBytes()));
+
+        // Dev2 User cannot delete the artifact (is **NOT** the owner)
+        Assertions.assertThrows(ForbiddenException.class, () -> {
+            clientDev2.deleteArtifact(groupId, artifactId4);
+        });
+
+        // Dev User CAN delete the artifact (is the owner)
+        clientDev.deleteArtifact(groupId, artifactId4);
     }
 
     @Test
