Example 1 with ForbiddenException
use of com.b2international.commons.exceptions.ForbiddenException in project snow-owl by b2ihealthcare.
the class AuthorizedRequest method execute.
@Override
public R execute(ServiceProvider context) {
final RequestHeaders requestHeaders = context.service(RequestHeaders.class);
final String authorizationToken = requestHeaders.header(AUTHORIZATION_HEADER);
final IdentityProvider identityProvider = context.service(IdentityProvider.class);
final Collection<Request<?, ?>> requests = getNestedRequests();
final User user;
// if there is no authentication configured
if (IdentityProvider.NOOP == identityProvider) {
// allow execution as SYSTEM user
user = User.SYSTEM;
} else if (Strings.isNullOrEmpty(authorizationToken)) {
// allow login requests in
if (requests.stream().allMatch(req -> req.getClass().isAnnotationPresent(Unprotected.class))) {
user = User.SYSTEM;
} else {
// if there is authentication configured, but no authorization token found prevent execution and throw UnauthorizedException
if (PlatformUtil.isDevVersion()) {
Request<?, ?> request = Iterables.getFirst(requests, null);
System.err.println(request);
}
throw new UnauthorizedException("Missing authorization token");
}
} else {
// verify authorization header value
user = context.service(AuthorizationHeaderVerifier.class).auth(authorizationToken);
if (user == null) {
throw new UnauthorizedException("Incorrect authorization token");
}
}
ServiceProvider userContext = context.inject().bind(User.class, user).bind(IEventBus.class, new AuthorizedEventBus(context.service(IEventBus.class), requestHeaders.headers())).build();
if (!User.SYSTEM.equals(user) && !user.isAdministrator()) {
// authorize user whether it is permitted to execute the request(s) or not
requests.stream().filter(AccessControl.class::isInstance).map(AccessControl.class::cast).flatMap(ac -> {
List<Permission> permissions = ac.getPermissions(userContext, next());
if (permissions.isEmpty()) {
context.log().warn("No permissions required to execute request '{}'.", MonitoredRequest.toJson(context, next(), Map.of()));
}
return permissions.stream();
}).forEach(permissionRequirement -> {
if (!user.hasPermission(permissionRequirement)) {
throw new ForbiddenException("Operation not permitted. '%s' permission is required. User has '%s'.", permissionRequirement.getPermission(), user.getPermissions());
}
});
}
return next(userContext);
}
Also used :
ForbiddenException(com.b2international.commons.exceptions.ForbiddenException)
IdentityProvider(com.b2international.snowowl.core.identity.IdentityProvider)
RequestHeaders(com.b2international.snowowl.core.events.util.RequestHeaders)
Iterables(com.google.common.collect.Iterables)
UnauthorizedException(com.b2international.commons.exceptions.UnauthorizedException)
Collection(java.util.Collection)
Request(com.b2international.snowowl.core.events.Request)
IEventBus(com.b2international.snowowl.eventbus.IEventBus)
Strings(com.google.common.base.Strings)
List(java.util.List)
AuthorizationHeaderVerifier(com.b2international.snowowl.core.identity.AuthorizationHeaderVerifier)
PlatformUtil(com.b2international.snowowl.core.util.PlatformUtil)
Map(java.util.Map)
ServiceProvider(com.b2international.snowowl.core.ServiceProvider)
DelegatingRequest(com.b2international.snowowl.core.events.DelegatingRequest)
Permission(com.b2international.snowowl.core.identity.Permission)
User(com.b2international.snowowl.core.identity.User)
MonitoredRequest(com.b2international.snowowl.core.monitoring.MonitoredRequest)
ForbiddenException(com.b2international.commons.exceptions.ForbiddenException)
User(com.b2international.snowowl.core.identity.User)
AuthorizationHeaderVerifier(com.b2international.snowowl.core.identity.AuthorizationHeaderVerifier)
Request(com.b2international.snowowl.core.events.Request)
DelegatingRequest(com.b2international.snowowl.core.events.DelegatingRequest)
MonitoredRequest(com.b2international.snowowl.core.monitoring.MonitoredRequest)
IdentityProvider(com.b2international.snowowl.core.identity.IdentityProvider)
ServiceProvider(com.b2international.snowowl.core.ServiceProvider)
UnauthorizedException(com.b2international.commons.exceptions.UnauthorizedException)
List(java.util.List)
RequestHeaders(com.b2international.snowowl.core.events.util.RequestHeaders)
IEventBus(com.b2international.snowowl.eventbus.IEventBus)
Aggregations
ForbiddenException (com.b2international.commons.exceptions.ForbiddenException)1
UnauthorizedException (com.b2international.commons.exceptions.UnauthorizedException)1
ServiceProvider (com.b2international.snowowl.core.ServiceProvider)1
DelegatingRequest (com.b2international.snowowl.core.events.DelegatingRequest)1
Request (com.b2international.snowowl.core.events.Request)1
RequestHeaders (com.b2international.snowowl.core.events.util.RequestHeaders)1
AuthorizationHeaderVerifier (com.b2international.snowowl.core.identity.AuthorizationHeaderVerifier)1
IdentityProvider (com.b2international.snowowl.core.identity.IdentityProvider)1
Permission (com.b2international.snowowl.core.identity.Permission)1
User (com.b2international.snowowl.core.identity.User)1
MonitoredRequest (com.b2international.snowowl.core.monitoring.MonitoredRequest)1
PlatformUtil (com.b2international.snowowl.core.util.PlatformUtil)1
IEventBus (com.b2international.snowowl.eventbus.IEventBus)1
Strings (com.google.common.base.Strings)1
Iterables (com.google.common.collect.Iterables)1
Collection (java.util.Collection)1
List (java.util.List)1
Map (java.util.Map)1
