use of com.b2international.commons.exceptions.ForbiddenException in project snow-owl by b2ihealthcare.
the class AuthorizedRequest method execute.
@Override
public R execute(ServiceProvider context) {
final RequestHeaders requestHeaders = context.service(RequestHeaders.class);
final String authorizationToken = requestHeaders.header(AUTHORIZATION_HEADER);
final IdentityProvider identityProvider = context.service(IdentityProvider.class);
final Collection<Request<?, ?>> requests = getNestedRequests();
final User user;
// if there is no authentication configured
if (IdentityProvider.NOOP == identityProvider) {
// allow execution as SYSTEM user
user = User.SYSTEM;
} else if (Strings.isNullOrEmpty(authorizationToken)) {
// allow login requests in
if (requests.stream().allMatch(req -> req.getClass().isAnnotationPresent(Unprotected.class))) {
user = User.SYSTEM;
} else {
// if there is authentication configured, but no authorization token found prevent execution and throw UnauthorizedException
if (PlatformUtil.isDevVersion()) {
Request<?, ?> request = Iterables.getFirst(requests, null);
System.err.println(request);
}
throw new UnauthorizedException("Missing authorization token");
}
} else {
// verify authorization header value
user = context.service(AuthorizationHeaderVerifier.class).auth(authorizationToken);
if (user == null) {
throw new UnauthorizedException("Incorrect authorization token");
}
}
ServiceProvider userContext = context.inject().bind(User.class, user).bind(IEventBus.class, new AuthorizedEventBus(context.service(IEventBus.class), requestHeaders.headers())).build();
if (!User.SYSTEM.equals(user) && !user.isAdministrator()) {
// authorize user whether it is permitted to execute the request(s) or not
requests.stream().filter(AccessControl.class::isInstance).map(AccessControl.class::cast).flatMap(ac -> {
List<Permission> permissions = ac.getPermissions(userContext, next());
if (permissions.isEmpty()) {
context.log().warn("No permissions required to execute request '{}'.", MonitoredRequest.toJson(context, next(), Map.of()));
}
return permissions.stream();
}).forEach(permissionRequirement -> {
if (!user.hasPermission(permissionRequirement)) {
throw new ForbiddenException("Operation not permitted. '%s' permission is required. User has '%s'.", permissionRequirement.getPermission(), user.getPermissions());
}
});
}
return next(userContext);
}
Aggregations