UID2-7271: add Role.CLAUDE_ACCESS for machine service-account access

pom.xml

@@ -16,7 +16,7 @@
         <!-- check micrometer.version vertx-micrometer-metrics consumes before bumping up -->
         <micrometer.version>1.12.2</micrometer.version>
         <junit-jupiter.version>5.11.2</junit-jupiter.version>
-        <uid2-shared.version>11.4.16</uid2-shared.version>
+        <uid2-shared.version>11.4.21-alpha-349-SNAPSHOT</uid2-shared.version>
         <okta-jwt.version>0.5.10</okta-jwt.version>
         <netty.version>4.1.133.Final</netty.version>
         <image.version>${project.version}</image.version>

src/main/java/com/uid2/admin/auth/OktaCustomScope.java

@@ -13,6 +13,7 @@ public enum OktaCustomScope {
     SITE_SYNC("uid2.admin.site-sync", Role.PRIVATE_OPERATOR_SYNC),
     METRICS_EXPORT("uid2.admin.metrics-export", Role.METRICS_EXPORT),
     ENCLAVE_REGISTRAR("uid2.admin.enclave-registrar", Role.ENCLAVE_REGISTRAR),
+    CLAUDE_ACCESS("uid2.admin.claude-access", Role.CLAUDE_ACCESS),
     INVALID("invalid", Role.UNKNOWN);
     private final String name;
     private final Role role;

src/main/java/com/uid2/admin/vertx/api/cstg/GetClientSideKeypairsBySite.java

@@ -27,7 +27,7 @@ public GetClientSideKeypairsBySite(IKeypairManager keypairManager) {
 
     @Path("/sites/:siteId/client-side-keypairs")
     @Method(ApiMethod.GET)
-    @Roles({Role.MAINTAINER, Role.SHARING_PORTAL})
+    @Roles({Role.MAINTAINER, Role.SHARING_PORTAL, Role.CLAUDE_ACCESS})
     public Handler<RoutingContext> getHandler() {
         return UrlParameterProviders.provideSiteId(this::handleGetClientSideKeys);
     }

src/main/java/com/uid2/admin/vertx/service/ClientKeyService.java

@@ -69,24 +69,24 @@ public ClientKeyService(JsonObject config,
     @Override
     public void setupRoutes(Router router) {
         router.get(API_CLIENT_METADATA.toString()).handler(
-            auth.handle(this::handleClientMetadata, Role.MAINTAINER));
+            auth.handle(this::handleClientMetadata, Role.MAINTAINER, Role.CLAUDE_ACCESS));
         router.post(API_CLIENT_REWRITE_METADATA.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {
                 this.handleRewriteMetadata(ctx);
             }
         }, Role.PRIVILEGED));
 
         router.get(API_CLIENT_LIST.toString()).handler(
-            auth.handle(this::handleClientList, Role.MAINTAINER, Role.METRICS_EXPORT));
+            auth.handle(this::handleClientList, Role.MAINTAINER, Role.METRICS_EXPORT, Role.CLAUDE_ACCESS));
 
         router.get(API_CLIENT_LIST_SITEID.toString()).handler(
-            auth.handle(this::handleClientListBySite, Role.MAINTAINER, Role.SHARING_PORTAL));
+            auth.handle(this::handleClientListBySite, Role.MAINTAINER, Role.SHARING_PORTAL, Role.CLAUDE_ACCESS));
 
         router.get(API_CLIENT_KEYID.toString()).handler(
-            auth.handle(this::handleClientByKeyId, Role.MAINTAINER, Role.SHARING_PORTAL));
+            auth.handle(this::handleClientByKeyId, Role.MAINTAINER, Role.SHARING_PORTAL, Role.CLAUDE_ACCESS));
 
         router.get(API_CLIENT_CONTACT.toString()).handler(
-            auth.handle(this::handleClientByContact, Role.MAINTAINER, Role.SHARING_PORTAL));
+            auth.handle(this::handleClientByContact, Role.MAINTAINER, Role.SHARING_PORTAL, Role.CLAUDE_ACCESS));
 
         router.get(API_CLIENT_REVEAL.toString()).handler(
             auth.handle(this::handleClientReveal, Role.PRIVILEGED));

src/main/java/com/uid2/admin/vertx/service/ClientSideKeypairService.java

@@ -82,9 +82,9 @@ public void setupRoutes(Router router) {
             }
         }, new AuditParams(Collections.emptyList(), List.of("subscription_id")), Role.PRIVILEGED, Role.SHARING_PORTAL));
         router.get(API_CLIENT_SIDE_KEYPAIRS_LIST.toString()).handler(
-            auth.handle(this::handleListAllKeypairs, Role.MAINTAINER, Role.METRICS_EXPORT));
+            auth.handle(this::handleListAllKeypairs, Role.MAINTAINER, Role.METRICS_EXPORT, Role.CLAUDE_ACCESS));
         router.get(API_CLIENT_SIDE_KEYPAIRS_SUBSCRIPTIONID.toString()).handler(
-            auth.handle(this::handleListKeypair, Role.MAINTAINER)
+            auth.handle(this::handleListKeypair, Role.MAINTAINER, Role.CLAUDE_ACCESS)
         );
     }
 

src/main/java/com/uid2/admin/vertx/service/CloudEncryptionKeyService.java

@@ -36,10 +36,10 @@ public CloudEncryptionKeyService(
     @Override
     public void setupRoutes(Router router) {
         router.get(Endpoints.CLOUD_ENCRYPTION_KEY_METADATA.toString()).handler(
-                auth.handle(this::handleMetadata, Role.MAINTAINER));
+                auth.handle(this::handleMetadata, Role.MAINTAINER, Role.CLAUDE_ACCESS));
 
         router.get(Endpoints.CLOUD_ENCRYPTION_KEY_LIST.toString()).handler(
-                auth.handle(this::handleList, Role.MAINTAINER)
+                auth.handle(this::handleList, Role.MAINTAINER, Role.CLAUDE_ACCESS)
         );
 
         router.post(Endpoints.CLOUD_ENCRYPTION_KEY_ROTATE.toString()).handler(

src/main/java/com/uid2/admin/vertx/service/EnclaveIdService.java

@@ -49,9 +49,9 @@ public EnclaveIdService(AdminAuthMiddleware auth,
     @Override
     public void setupRoutes(Router router) {
         router.get(API_ENCLAVE_METADATA.toString()).handler(
-            auth.handle(this::handleEnclaveMetadata, Role.MAINTAINER));
+            auth.handle(this::handleEnclaveMetadata, Role.MAINTAINER, Role.CLAUDE_ACCESS));
         router.get(API_ENCLAVE_LIST.toString()).handler(
-            auth.handle(this::handleEnclaveList, Role.MAINTAINER));
+            auth.handle(this::handleEnclaveList, Role.MAINTAINER, Role.CLAUDE_ACCESS));
 
         router.post(API_ENCLAVE_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {

src/main/java/com/uid2/admin/vertx/service/EncryptionKeyService.java

@@ -125,11 +125,11 @@ public EncryptionKeyService(JsonObject config,
     @Override
     public void setupRoutes(Router router) {
         router.get(API_KEY_LIST.toString()).handler(
-            auth.handle(this::handleKeyList, Role.MAINTAINER));
+            auth.handle(this::handleKeyList, Role.MAINTAINER, Role.CLAUDE_ACCESS));
 
         if(enableKeysets) {
             router.get(API_KEY_LIST_KEYSET_KEYS.toString()).handler(
-                auth.handle(this::handleKeysetKeyList, Role.MAINTAINER));
+                auth.handle(this::handleKeysetKeyList, Role.MAINTAINER, Role.CLAUDE_ACCESS));
         }
 
         router.post(API_KEY_REWRITE_METADATA.toString()).blockingHandler(auth.handle((ctx) -> {

src/main/java/com/uid2/admin/vertx/service/JobDispatcherService.java

@@ -30,7 +30,7 @@ public void setupRoutes(Router router) {
                     }
                 },
                 //can be other role
-            Role.MAINTAINER));
+            Role.MAINTAINER, Role.CLAUDE_ACCESS));
 
         router.get(API_JOB_DISPATCHER_JOB_QUEUE.toString()).blockingHandler(auth.handle((ctx) -> {
                     try {
@@ -40,6 +40,6 @@ public void setupRoutes(Router router) {
                     }
                 },
                 //can be other role
-            Role.MAINTAINER));
+            Role.MAINTAINER, Role.CLAUDE_ACCESS));
     }
 }

src/main/java/com/uid2/admin/vertx/service/KeyAclService.java

@@ -51,7 +51,7 @@ public KeyAclService(AdminAuthMiddleware auth,
     @Override
     public void setupRoutes(Router router) {
         router.get(API_KEYS_ACL_LIST.toString()).handler(
-            auth.handle(this::handleKeyAclList, Role.MAINTAINER));
+            auth.handle(this::handleKeyAclList, Role.MAINTAINER, Role.CLAUDE_ACCESS));
 
         router.post(API_KEYS_ACL_REWRITE_METADATA.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {

src/main/java/com/uid2/admin/vertx/service/OperatorKeyService.java

@@ -75,9 +75,9 @@ public OperatorKeyService(JsonObject config,
     @Override
     public void setupRoutes(Router router) {
         router.get(API_OPERATOR_METADATA.toString()).handler(
-            auth.handle(this::handleOperatorMetadata, Role.MAINTAINER));
+            auth.handle(this::handleOperatorMetadata, Role.MAINTAINER, Role.CLAUDE_ACCESS));
         router.get(API_OPERATOR_LIST.toString()).handler(
-            auth.handle(this::handleOperatorList, Role.MAINTAINER, Role.METRICS_EXPORT));
+            auth.handle(this::handleOperatorList, Role.MAINTAINER, Role.METRICS_EXPORT, Role.CLAUDE_ACCESS));
         router.get(API_OPERATOR_REVEAL.toString()).handler(
             auth.handle(this::handleOperatorReveal, new AuditParams(List.of("name"), Collections.emptyList()), Role.MAINTAINER));
 
@@ -381,7 +381,6 @@ private void handleOperatorUpdate(RoutingContext rc) {
                 ResponseUtil.error(rc, 404, "operator name not found");
                 return;
             }
-
             boolean siteIdChanged = false;
             if (!rc.queryParam("site_id").isEmpty()) {
                 final Site site = RequestUtil.getSiteFromParam(rc, "site_id", this.siteProvider);

src/main/java/com/uid2/admin/vertx/service/PartnerConfigService.java

@@ -46,7 +46,7 @@ public void setupRoutes(Router router) {
         router.get(API_PARTNER_CONFIG_LIST.toString()).handler(
             auth.handle(this::handlePartnerConfigList, Role.MAINTAINER));
         router.get(API_PARTNER_CONFIG_GET.toString()).handler(
-            auth.handle(this::handlePartnerConfigGet, Role.MAINTAINER));
+            auth.handle(this::handlePartnerConfigGet, Role.MAINTAINER, Role.CLAUDE_ACCESS));
 
         router.post(API_PARTNER_CONFIG_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {

src/main/java/com/uid2/admin/vertx/service/SaltService.java

@@ -65,7 +65,7 @@ public SaltService(AdminAuthMiddleware auth,
     @Override
     public void setupRoutes(Router router) {
         router.get(API_SALT_SNAPSHOTS.toString()).handler(
-                auth.handle(this::handleSaltSnapshots, Role.MAINTAINER));
+                auth.handle(this::handleSaltSnapshots, Role.MAINTAINER, Role.CLAUDE_ACCESS));
 
         router.post(API_SALT_REBUILD.toString()).blockingHandler(auth.handle(ctx -> {
             synchronized (writeLock) {

src/main/java/com/uid2/admin/vertx/service/ServiceLinkService.java

@@ -50,7 +50,7 @@ public ServiceLinkService(AdminAuthMiddleware auth,
 
     @Override
     public void setupRoutes(Router router) {
-        router.get(API_SERVICE_LINK_LIST.toString()).handler(auth.handle(this::handleServiceLinkList, Role.MAINTAINER, Role.METRICS_EXPORT));
+        router.get(API_SERVICE_LINK_LIST.toString()).handler(auth.handle(this::handleServiceLinkList, Role.MAINTAINER, Role.METRICS_EXPORT, Role.CLAUDE_ACCESS));
         router.post(API_SERVICE_LINK_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {
                 this.handleServiceLinkAdd(ctx);

src/main/java/com/uid2/admin/vertx/service/ServiceService.java

@@ -52,8 +52,8 @@ public ServiceService(AdminAuthMiddleware auth,
 
     @Override
     public void setupRoutes(Router router) {
-        router.get(API_SERVICE_LIST.toString()).handler(auth.handle(this::handleServiceListAll, Role.MAINTAINER, Role.METRICS_EXPORT));
-        router.get(API_SERVICE_LIST_SERVICE_ID.toString()).handler(auth.handle(this::handleServiceList, Role.MAINTAINER));
+        router.get(API_SERVICE_LIST.toString()).handler(auth.handle(this::handleServiceListAll, Role.MAINTAINER, Role.METRICS_EXPORT, Role.CLAUDE_ACCESS));
+        router.get(API_SERVICE_LIST_SERVICE_ID.toString()).handler(auth.handle(this::handleServiceList, Role.MAINTAINER, Role.CLAUDE_ACCESS));
         router.post(API_SERVICE_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {
                 this.handleServiceAdd(ctx);

src/main/java/com/uid2/admin/vertx/service/SharingService.java

@@ -61,26 +61,26 @@ public SharingService(AdminAuthMiddleware auth,
     public void setupRoutes(Router router) {
         if(!enableKeysets) return;
         router.get(API_SHARING_LISTS.toString()).handler(
-            auth.handle(this::handleListAllAllowedSites, Role.MAINTAINER, Role.SHARING_PORTAL, Role.METRICS_EXPORT)
+            auth.handle(this::handleListAllAllowedSites, Role.MAINTAINER, Role.SHARING_PORTAL, Role.METRICS_EXPORT, Role.CLAUDE_ACCESS)
         );
         router.get(API_SHARING_LIST_SITEID.toString()).handler(
-            auth.handle(this::handleListAllowedSites, Role.MAINTAINER, Role.SHARING_PORTAL)
+            auth.handle(this::handleListAllowedSites, Role.MAINTAINER, Role.SHARING_PORTAL, Role.CLAUDE_ACCESS)
         );
         router.post(API_SHARING_LIST_SITEID.toString()).handler(
             auth.handle(this::handleSetAllowedSites, new AuditParams(Collections.emptyList(), List.of("hash", "allowed_sites", "allowed_types")), Role.MAINTAINER, Role.SHARING_PORTAL)
         );
 
         router.get(API_SHARING_KEYSETS.toString()).handler(
-            auth.handle(this::handleListAllKeysets, Role.MAINTAINER)
+            auth.handle(this::handleListAllKeysets, Role.MAINTAINER, Role.CLAUDE_ACCESS)
         );
         router.post(API_SHARING_KEYSET.toString()).handler(
             auth.handle(this::handleSetKeyset, new AuditParams(Collections.emptyList(), List.of("site_id", "name", "allowed_sites", "allowed_types")), Role.MAINTAINER)
         );
         router.get(API_SHARING_KEYSET_KEYSETID.toString()).handler(
-            auth.handle(this::handleListKeyset, Role.MAINTAINER)
+            auth.handle(this::handleListKeyset, Role.MAINTAINER, Role.CLAUDE_ACCESS)
         );
         router.get(API_SHARING_KEYSETS_RELATED.toString()).handler(
-                auth.handle(this::handleListAllKeysetsRelated, Role.MAINTAINER)
+                auth.handle(this::handleListAllKeysetsRelated, Role.MAINTAINER, Role.CLAUDE_ACCESS)
         );
     }
 

src/main/java/com/uid2/admin/vertx/service/SiteService.java

@@ -62,9 +62,9 @@ public void setupRoutes(Router router) {
         }, Role.PRIVILEGED));
 
         router.get(API_SITE_LIST.toString()).handler(
-            auth.handle(this::handleSiteList, Role.MAINTAINER, Role.SHARING_PORTAL, Role.METRICS_EXPORT));
+            auth.handle(this::handleSiteList, Role.MAINTAINER, Role.SHARING_PORTAL, Role.METRICS_EXPORT, Role.CLAUDE_ACCESS));
         router.get(API_SITE_SITEID.toString()).handler(
-            auth.handle(this::handleSiteById, Role.MAINTAINER, Role.SHARING_PORTAL));
+            auth.handle(this::handleSiteById, Role.MAINTAINER, Role.SHARING_PORTAL, Role.CLAUDE_ACCESS));
         router.post(API_SITE_ADD.toString()).blockingHandler(auth.handle((ctx) -> {
             synchronized (writeLock) {
                 this.handleSiteAdd(ctx);

src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java

@@ -51,7 +51,7 @@ public void WhenANonBlockingRouteProviderIsUsed_ItIsRegisteredCorrectly() {
             router.setupSubRouter(vertxMock, routerMock);
 
             verify(routeMock).handler(handlerMock);
-            verify(authMiddlewareMock).handle(any(), eq(Role.MAINTAINER), eq(Role.SHARING_PORTAL));
+            verify(authMiddlewareMock).handle(any(), eq(Role.MAINTAINER), eq(Role.SHARING_PORTAL), eq(Role.CLAUDE_ACCESS));
         }
     }
 }