From d57ea02620d7a2a81b8504e20674ddc1c23bd67f Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Tue, 16 Jun 2026 10:57:58 +1000
Subject: [PATCH 1/6] UID2-7271: add CREATE role for Claude admin automation

Maps the new uid2.admin.create Okta scope to Role.CREATE and grants it access to the five add endpoints: site, client key, operator key, service link, and CSTG keypair. This keeps create access separate from read-only so Claude can request only the scope it needs for each task.

Co-Authored-By: Claude Sonnet 4.6
---
 src/main/java/com/uid2/admin/auth/OktaCustomScope.java | 1 +
 .../java/com/uid2/admin/vertx/service/ClientKeyService.java | 2 +-
 .../com/uid2/admin/vertx/service/ClientSideKeypairService.java | 2 +-
 .../java/com/uid2/admin/vertx/service/OperatorKeyService.java | 2 +-
 .../java/com/uid2/admin/vertx/service/ServiceLinkService.java | 2 +-
 src/main/java/com/uid2/admin/vertx/service/SiteService.java | 2 +-
 6 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/main/java/com/uid2/admin/auth/OktaCustomScope.java b/src/main/java/com/uid2/admin/auth/OktaCustomScope.java
index d47c0d5a..6c36c6d4 100644
--- a/src/main/java/com/uid2/admin/auth/OktaCustomScope.java
+++ b/src/main/java/com/uid2/admin/auth/OktaCustomScope.java
@@ -14,6 +14,7 @@ public enum OktaCustomScope {
 METRICS_EXPORT("uid2.admin.metrics-export", Role.METRICS_EXPORT),
 ENCLAVE_REGISTRAR("uid2.admin.enclave-registrar", Role.ENCLAVE_REGISTRAR),
 READ_ONLY("uid2.admin.read-only", Role.READ_ONLY),
+ CREATE("uid2.admin.create", Role.CREATE),
 INVALID("invalid", Role.UNKNOWN);
 private final String name;
 private final Role role;
diff --git a/src/main/java/com/uid2/admin/vertx/service/ClientKeyService.java b/src/main/java/com/uid2/admin/vertx/service/ClientKeyService.java
index 5b530873..ff33a25d 100644
--- a/src/main/java/com/uid2/admin/vertx/service/ClientKeyService.java
+++ b/src/main/java/com/uid2/admin/vertx/service/ClientKeyService.java
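Review bot: `CREATE("uid2.admin.create", Role.CREATE)` references a Role constant that, per the series' own commit messages, lives in the shared jar, and that dependency is only bumped in patch 4 to `11.5.1-alpha-354-SNAPSHOT`; presumably this commit does not compile on its own, and a SNAPSHOT coordinate is a mutable, non-reproducible artifact, so the shared dependency should be pinned to a tagged release containing Role.CREATE before this ships. The new constant also carries no comment on what the scope is meant to authorise, while the grants in the later hunks (plus patch 2) attach it to six add endpoints rather than the five the description lists. A one-line comment next to the mapping, such as `// Scope for automation that may only call the resource "add" endpoints; see the Role.CREATE grants in the vertx service classes.`, would record the intended boundary where the next reader will look for it.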
@@ -95,7 +95,7 @@ public void setupRoutes(Router router) {
 synchronized (writeLock) {
 this.handleClientAdd(ctx);
 }
- }, new AuditParams(List.of("name", "roles", "site_id"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL));
+ }, new AuditParams(List.of("name", "roles", "site_id"), Collections.emptyList()), Role.MAINTAINER, Role.SHARING_PORTAL, Role.CREATE));
 router.post(API_CLIENT_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
 synchronized (writeLock) {
diff --git a/src/main/java/com/uid2/admin/vertx/service/ClientSideKeypairService.java b/src/main/java/com/uid2/admin/vertx/service/ClientSideKeypairService.java
index d686a5b5..7de0d4e8 100644
--- a/src/main/java/com/uid2/admin/vertx/service/ClientSideKeypairService.java
+++ b/src/main/java/com/uid2/admin/vertx/service/ClientSideKeypairService.java
@@ -70,7 +70,7 @@ public void setupRoutes(Router router) {
 synchronized (writeLock) {
 this.handleAddKeypair(ctx);
 }
- }, new AuditParams(Collections.emptyList(), List.of("site_id", "name", "contact", "disabled")), Role.MAINTAINER, Role.SHARING_PORTAL));
+ }, new AuditParams(Collections.emptyList(), List.of("site_id", "name", "contact", "disabled")), Role.MAINTAINER, Role.SHARING_PORTAL, Role.CREATE));
 router.post(API_CLIENT_SIDE_KEYPAIRS_UPDATE.toString()).blockingHandler(auth.handle((ctx) -> {
 synchronized (writeLock) {
 this.handleUpdateKeypair(ctx);
diff --git a/src/main/java/com/uid2/admin/vertx/service/OperatorKeyService.java b/src/main/java/com/uid2/admin/vertx/service/OperatorKeyService.java
index 3b5b1122..094ad9a2 100644
--- a/src/main/java/com/uid2/admin/vertx/service/OperatorKeyService.java
+++ b/src/main/java/com/uid2/admin/vertx/service/OperatorKeyService.java
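Review bot: Role.CREATE is added to the client-key add route whose audited request parameters include `roles`, so whatever roles handleClientAdd is willing to assign to a new key are now obtainable by a CREATE-scoped token; unless handleClientAdd (outside this hunk) caps the assignable roles, the scope is effectively as powerful as the keys it can mint, which undercuts the description's aim of a narrowly scoped automation role. The same concern applies to the operator-key add (`operator_type`, `roles`) and service-link add (`roles`) grants in the next hunks. The handlers are not in this diff, so this needs confirming against them; if no cap exists, a test asserting that a CREATE-only principal cannot request roles beyond an allow-list would pin the boundary, and a comment such as `// Role.CREATE may mint keys; the roles it can assign are bounded in handleClientAdd` next to the grant would make the dependency visible. setupRoutes starts and ends outside the hunk.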
@@ -85,7 +85,7 @@ public void setupRoutes(Router router) {
 synchronized (writeLock) {
 this.handleOperatorAdd(ctx);
 }
- }, new AuditParams(List.of("name", "protocol", "site_id", "operator_type", "roles"), Collections.emptyList()), Role.MAINTAINER));
+ }, new AuditParams(List.of("name", "protocol", "site_id", "operator_type", "roles"), Collections.emptyList()), Role.MAINTAINER, Role.CREATE));
 router.post(API_OPERATOR_DEL.toString()).blockingHandler(auth.handle((ctx) -> {
 synchronized (writeLock) {
diff --git a/src/main/java/com/uid2/admin/vertx/service/ServiceLinkService.java b/src/main/java/com/uid2/admin/vertx/service/ServiceLinkService.java
index 90ff53f5..93829bcb 100644
--- a/src/main/java/com/uid2/admin/vertx/service/ServiceLinkService.java
+++ b/src/main/java/com/uid2/admin/vertx/service/ServiceLinkService.java
@@ -55,7 +55,7 @@ public void setupRoutes(Router router) {
 synchronized (writeLock) {
 this.handleServiceLinkAdd(ctx);
 }
- }, new AuditParams(Collections.emptyList(), List.of("link_id", "service_id", "site_id", "name", "roles")), Role.MAINTAINER));
+ }, new AuditParams(Collections.emptyList(), List.of("link_id", "service_id", "site_id", "name", "roles")), Role.MAINTAINER, Role.CREATE));
 router.post(API_SERVICE_LINK_UPDATE.toString()).blockingHandler(auth.handle((ctx) -> {
 synchronized (writeLock) {
 this.handleServiceLinkUpdate(ctx);
diff --git a/src/main/java/com/uid2/admin/vertx/service/SiteService.java b/src/main/java/com/uid2/admin/vertx/service/SiteService.java
index d2f47b0b..fbe28e99 100644
--- a/src/main/java/com/uid2/admin/vertx/service/SiteService.java
+++ b/src/main/java/com/uid2/admin/vertx/service/SiteService.java
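Review bot: The operator-key add route (and the service-link add route in the following hunk) was MAINTAINER-only on the removed line, unlike the client-key, site and CSTG add routes which already admitted Role.SHARING_PORTAL, so with this change Role.CREATE becomes the first non-maintainer role able to create operator keys and is therefore broader than SHARING_PORTAL. That makes one scope cover both the lower-risk adds and operator-key creation, which is a coarser grant than the description's "only the scope it needs for each task" suggests; it may be intended, but it is worth either splitting operator-key creation into its own scope or recording the decision next to the grant, e.g. `// Role.CREATE deliberately covers operator-key creation; it is not a subset of SHARING_PORTAL`. setupRoutes starts and ends outside the hunk.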
@@ -69,7 +69,7 @@ public void setupRoutes(Router router) {
 synchronized (writeLock) {
 this.handleSiteAdd(ctx);
 }
- }, new AuditParams(List.of("name", "enable", "types", "description"), List.of("domain_names", "app_names")), Role.MAINTAINER, Role.SHARING_PORTAL));
+ }, new AuditParams(List.of("name", "enable", "types", "description"), List.of("domain_names", "app_names")), Role.MAINTAINER, Role.SHARING_PORTAL, Role.CREATE));
 router.post(API_SITE_ENABLE.toString()).blockingHandler(auth.handle((ctx) -> {
 synchronized (writeLock) {
 this.handleSiteEnable(ctx);

From 7764bf16f40628d76d8f156de4005e3614bcf2c7 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Tue, 16 Jun 2026 11:36:33 +1000
Subject: [PATCH 2/6] UID2-7271: grant CREATE role access to partner config add endpoint

Co-Authored-By: Claude Sonnet 4.6
---
 .../java/com/uid2/admin/vertx/service/PartnerConfigService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/com/uid2/admin/vertx/service/PartnerConfigService.java b/src/main/java/com/uid2/admin/vertx/service/PartnerConfigService.java
index 6a58f313..bcba7e88 100644
--- a/src/main/java/com/uid2/admin/vertx/service/PartnerConfigService.java
+++ b/src/main/java/com/uid2/admin/vertx/service/PartnerConfigService.java
@@ -52,7 +52,7 @@ public void setupRoutes(Router router) {
 synchronized (writeLock) {
 this.handlePartnerConfigAdd(ctx);
 }
- }, new AuditParams(Collections.emptyList(), List.of("name")), Role.MAINTAINER));
+ }, new AuditParams(Collections.emptyList(), List.of("name")), Role.MAINTAINER, Role.CREATE));
 router.put(API_PARTNER_CONFIG_UPDATE.toString()).blockingHandler(auth.handle((ctx) -> {
 synchronized (writeLock) {
 this.handlePartnerConfigUpdate(ctx);

From a7e3dc8920104531d932e3ff38c8d5b3089cf9a1 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Tue, 16 Jun 2026 14:16:45 +1000
Subject: [PATCH 3/6] add Role.CREATE to tests

---
 .../java/com/uid2/admin/v2Router/RouterConfigurationTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java b/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java
index 3c7b8fb1..9915b554 100644
--- a/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java
+++ b/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java
@@ -51,7 +51,7 @@ public void WhenANonBlockingRouteProviderIsUsed_ItIsRegisteredCorrectly() {
 router.setupSubRouter(vertxMock, routerMock);
 verify(routeMock).handler(handlerMock);
- verify(authMiddlewareMock).handle(any(), eq(Role.MAINTAINER), eq(Role.SHARING_PORTAL), eq(Role.READ_ONLY));
+ verify(authMiddlewareMock).handle(any(), eq(Role.MAINTAINER), eq(Role.SHARING_PORTAL), eq(Role.READ_ONLY), eq(Role.CREATE));
 }
 }
 }

From 94dbda9b9b4dbd68680530aca1d2028ec4bb3bf5 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Tue, 16 Jun 2026 14:32:53 +1000
Subject: [PATCH 4/6] updated shared jar to include create role

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 66f41f79..f9417511 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,7 +16,7 @@
 1.12.2
 5.11.2
- 11.5.0
+ 11.5.1-alpha-354-SNAPSHOT
 0.5.10
 4.1.135.Final
 ${project.version}

From 9825b409cdd8d0dd06536e22390a7ebc24814e8b Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Tue, 16 Jun 2026 14:37:39 +1000
Subject: [PATCH 5/6] fixed tests

---
 .../java/com/uid2/admin/v2Router/RouterConfigurationTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java b/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java
index 9915b554..3c7b8fb1 100644
--- a/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java
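Review bot: The added `eq(Role.CREATE)` expectation is in WhenANonBlockingRouteProviderIsUsed_ItIsRegisteredCorrectly, whose non-blocking route fixture was not touched by patches 1–2 (those add Role.CREATE to blocking add routes in the service classes), so nothing in production backs the new argument and patch 5 reverts it under the title "fixed tests". The net result is that the series adds a new authorisation role and six grants with no test covering any of them. A test that resolves the "uid2.admin.create" scope to Role.CREATE through OktaCustomScope, and one per service asserting that the add route's handle(...) call includes Role.CREATE while the delete/update routes do not, would pin the intended boundary; the test method's enclosing class continues outside the hunk.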
+++ b/src/test/java/com/uid2/admin/v2Router/RouterConfigurationTest.java
@@ -51,7 +51,7 @@ public void WhenANonBlockingRouteProviderIsUsed_ItIsRegisteredCorrectly() {
 router.setupSubRouter(vertxMock, routerMock);
 verify(routeMock).handler(handlerMock);
- verify(authMiddlewareMock).handle(any(), eq(Role.MAINTAINER), eq(Role.SHARING_PORTAL), eq(Role.READ_ONLY), eq(Role.CREATE));
+ verify(authMiddlewareMock).handle(any(), eq(Role.MAINTAINER), eq(Role.SHARING_PORTAL), eq(Role.READ_ONLY));
 }
 }
 }

From 7745eacbe9092155c276200f28c95e9ba4b9106f Mon Sep 17 00:00:00 2001
From: Release Workflow
Date: Tue, 16 Jun 2026 04:53:30 +0000
Subject: [PATCH 6/6] [CI Pipeline] Released Snapshot version: 6.14.1-alpha-251-SNAPSHOT

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index f9417511..95085a59 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
 com.uid2
 uid2-admin
- 6.14.0
+ 6.14.1-alpha-251-SNAPSHOT
 UTF-8