refactor(core): Setup decorator based RBAC (no-changelog) (#5787)

कारतोफ्फेलस्क्रिप्ट™
2023-04-24 09:45:31 +00:00
committed by GitHub
parent feb2ba09b9
commit 1eeadc6114
23 changed files with 133 additions and 165 deletions


@@ -1,24 +1,11 @@
import type { RequestHandler } from 'express';
import type { AuthenticatedRequest } from '@/requests';
import { isSamlLicensed, isSamlLicensedAndEnabled } from '../samlHelpers';
export const samlLicensedOwnerMiddleware: RequestHandler = (
req: AuthenticatedRequest,
res,
next,
) => {
if (isSamlLicensed() && req.user?.globalRole.name === 'owner') {
next();
} else {
res.status(401).json({ status: 'error', message: 'Unauthorized' });
}
};
export const samlLicensedAndEnabledMiddleware: RequestHandler = (req, res, next) => {
if (isSamlLicensedAndEnabled()) {
next();
} else {
res.status(401).json({ status: 'error', message: 'Unauthorized' });
res.status(403).json({ status: 'error', message: 'Unauthorized' });
}
};
@@ -26,6 +13,6 @@ export const samlLicensedMiddleware: RequestHandler = (req, res, next) => {
if (isSamlLicensed()) {
next();
} else {
res.status(401).json({ status: 'error', message: 'Unauthorized' });
res.status(403).json({ status: 'error', message: 'Unauthorized' });
}
};
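Review bot: The two license checks now answer with status 403 but still send `message: 'Unauthorized'`, which is the reason phrase for 401; assuming the 403 lines are the new side, the body should match the status, e.g. `res.status(403).json({ status: 'error', message: 'Forbidden' });` in both `samlLicensedAndEnabledMiddleware` and `samlLicensedMiddleware`. Clients or log-based alerting that key on the message string would otherwise classify a licensing refusal as an authentication failure. With `samlLicensedOwnerMiddleware` gone, nothing in this file appears to check the caller's role any more, so a short comment such as `// License gate only; role checks are enforced by @Authorized on the controller` would keep the next reader from assuming these middlewares authorize anyone. `samlLicensedMiddleware` starts outside the second hunk.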


@@ -1,10 +1,9 @@
import express from 'express';
import { Get, Post, RestController } from '@/decorators';
import { Authorized, Get, Post, RestController } from '@/decorators';
import { SamlUrls } from '../constants';
import {
samlLicensedAndEnabledMiddleware,
samlLicensedMiddleware,
samlLicensedOwnerMiddleware,
} from '../middleware/samlEnabledMiddleware';
import { SamlService } from '../saml.service.ee';
import { SamlConfiguration } from '../types/requests';
@@ -39,7 +38,8 @@ export class SamlController {
* GET /sso/saml/config
* Return SAML config
*/
@Get(SamlUrls.config, { middlewares: [samlLicensedOwnerMiddleware] })
@Authorized(['global', 'owner'])
@Get(SamlUrls.config, { middlewares: [samlLicensedMiddleware] })
async configGet() {
const prefs = this.samlService.samlPreferences;
return {
@@ -53,7 +53,8 @@ export class SamlController {
* POST /sso/saml/config
* Set SAML config
*/
@Post(SamlUrls.config, { middlewares: [samlLicensedOwnerMiddleware] })
@Authorized(['global', 'owner'])
@Post(SamlUrls.config, { middlewares: [samlLicensedMiddleware] })
async configPost(req: SamlConfiguration.Update) {
const validationResult = await validate(req.body);
if (validationResult.length === 0) {
@@ -71,7 +72,8 @@ export class SamlController {
* POST /sso/saml/config/toggle
* Set SAML config
*/
@Post(SamlUrls.configToggleEnabled, { middlewares: [samlLicensedOwnerMiddleware] })
@Authorized(['global', 'owner'])
@Post(SamlUrls.configToggleEnabled, { middlewares: [samlLicensedMiddleware] })
async toggleEnabledPost(req: SamlConfiguration.Toggle, res: express.Response) {
if (req.body.loginEnabled === undefined) {
throw new BadRequestError('Body should contain a boolean "loginEnabled" property');
@@ -155,7 +157,8 @@ export class SamlController {
* Test SAML config
* This endpoint is available if SAML is licensed and the requestor is an instance owner
*/
@Get(SamlUrls.configTest, { middlewares: [samlLicensedOwnerMiddleware] })
@Authorized(['global', 'owner'])
@Get(SamlUrls.configTest, { middlewares: [samlLicensedMiddleware] })
async configTestGet(req: AuthenticatedRequest, res: express.Response) {
return this.handleInitSSO(res, getServiceProviderConfigTestReturnUrl());
}
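Review bot: On the four SAML config routes (`configGet`, `configPost`, `toggleEnabledPost`, `configTestGet`) the owner check is no longer an explicit entry in the route's `middlewares` list but metadata set by `@Authorized(['global', 'owner'])`, so the routes stay owner-only only if controller registration reads that metadata and rejects the request before the handler runs; that code is not visible in this section. A regression test per route asserting that a logged-in non-owner is refused would pin this, since a route that lacks the decorator gives no visible sign of being unprotected. The doc comments should also state the requirement the way the one on `configTestGet` does, e.g. `* Available only to the instance owner when SAML is licensed`, and the comment on the toggle route still reads `Set SAML config`, which looks copied from the route above it. The method bodies continue outside the hunks.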