
Example 1 with Permission

Use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

The class ApplicationSubscribedResource, method getApiSubscribed.

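@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List APIs subscribed by the application", notes = "User must have the APPLICATION_SUBSCRIPTION permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "Paged result of subscribed APIs", response = SubscribedApi.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
@Permissions({ @Permission(value = RolePermission.APPLICATION_SUBSCRIPTION, acls = RolePermissionAction.READ) })
public Collection<SubscribedApi> getApiSubscribed() {
    // Authorization is enforced entirely by @Permissions above (APPLICATION_SUBSCRIPTION:READ on the
    // application resolved from the request); nothing in the body re-checks it. The declared Swagger
    // response type is SubscribedApi, which is what this method actually returns.
    SubscriptionQuery query = new SubscriptionQuery();
    query.setApplication(application);
    Collection<SubscriptionEntity> subscriptions = subscriptionService.search(query);

    // One apiService lookup per distinct API id. A subscription whose API no longer resolves
    // is not handled here: whatever findById raises propagates to the caller — TODO confirm intended.
    return subscriptions.stream()
        .map(SubscriptionEntity::getApi)
        .distinct()
        .map(apiId -> apiService.findById(apiId))
        .map(apiEntity -> new SubscribedApi(apiEntity.getId(), apiEntity.getName()))
        // Case-insensitive ordering by display name.
        .sorted((left, right) -> String.CASE_INSENSITIVE_ORDER.compare(left.getName(), right.getName()))
        .collect(Collectors.toList());
}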

Example 2 with Permission

Use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

The class ApiPagesResource, method getApiPages.

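@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List pages", notes = "User must have the API_DOCUMENTATION READ permission to use this service, unless the API is PUBLIC")
@ApiResponses({ @ApiResponse(code = 200, message = "List of pages", response = PageEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public List<PageEntity> getApiPages(@HeaderParam("Accept-Language") String acceptLang, @QueryParam("homepage") Boolean homepage, @QueryParam("type") PageType type, @QueryParam("parent") String parent, @QueryParam("name") String name, @QueryParam("root") Boolean rootParent, @QueryParam("translated") boolean translated) {
    final String acceptedLocale = HttpHeadersUtil.getFirstAcceptedLocaleName(acceptLang);
    final ApiEntity apiEntity = apiService.findById(api);

    // No @Permissions annotation on purpose: the documentation of a PUBLIC API is readable without
    // any membership, so the check is done inline. Fail closed: a request that is neither for a
    // public API nor explicitly granted API_DOCUMENTATION:READ is rejected before any page is queried.
    // hasPermission is only consulted for non-public APIs.
    final boolean publicApi = Visibility.PUBLIC.equals(apiEntity.getVisibility());
    if (!publicApi && !hasPermission(RolePermission.API_DOCUMENTATION, api, RolePermissionAction.READ)) {
        // NOTE(review): presumably translated to an HTTP 403 by an exception mapper elsewhere;
        // that status is not listed in @ApiResponses above — confirm and document if so.
        throw new ForbiddenAccessException();
    }

    final PageQuery query = new PageQuery.Builder()
        .api(api)
        .homepage(homepage)
        .type(type)
        .parent(parent)
        .name(name)
        .rootParent(rootParent)
        .build();
    // Translation is only requested when the client asked for it.
    final String locale = translated ? acceptedLocale : null;

    return pageService.search(query, locale, GraviteeContext.getCurrentEnvironment()).stream()
        // Per-page visibility filter on top of the API-level check above.
        .filter(page -> isDisplayable(apiEntity, page))
        .map(page -> {
            // Flag pages used as General Conditions by an active Plan so the front end can show it.
            page.setGeneralConditions(pageService.isPageUsedAsGeneralConditions(page, api));
            return page;
        })
        .collect(Collectors.toList());
}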

Example 3 with Permission

Use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

The class PermissionsFilter, method filter — the request filter that enforces the @Permissions annotations shown in the other examples.

protected void filter(Permissions permissions, ContainerRequestContext requestContext) {
    // The resource declares no permission requirement: nothing for this filter to enforce.
    if (permissions == null || permissions.value().length == 0) {
        return;
    }

    final Principal principal = securityContext.getUserPrincipal();
    if (principal != null) {
        final String username = principal.getName();

        // OR semantics: the request passes as soon as ONE declared permission is satisfied.
        // Which membership is consulted depends on the permission's scope; for APPLICATION,
        // API and GROUP the target entity is resolved from the request itself.
        for (Permission required : permissions.value()) {
            final Map<String, char[]> granted;
            switch (required.value().getScope()) {
                case ORGANIZATION:
                    granted = membershipService.getUserMemberPermissions(MembershipReferenceType.ORGANIZATION, GraviteeContext.getCurrentOrganization(), username);
                    break;
                case ENVIRONMENT:
                    granted = membershipService.getUserMemberPermissions(MembershipReferenceType.ENVIRONMENT, GraviteeContext.getCurrentEnvironment(), username);
                    break;
                case APPLICATION:
                    final ApplicationEntity application = getApplication(requestContext);
                    granted = membershipService.getUserMemberPermissions(application, username);
                    break;
                case API:
                    final ApiEntity api = getApi(requestContext);
                    granted = membershipService.getUserMemberPermissions(api, username);
                    break;
                case GROUP:
                    final GroupEntity group = getGroup(requestContext);
                    granted = membershipService.getUserMemberPermissions(group, username);
                    break;
                default:
                    // Unknown scope: report a security error and move on to the next declared
                    // permission. NOTE(review): this assumes sendSecurityError() throws or aborts
                    // the request; if it merely records the error, the loop keeps running and the
                    // trailing call below fires a second time — confirm its contract.
                    sendSecurityError();
                    continue;
            }
            if (roleService.hasPermission(granted, required.value().getPermission(), required.acls())) {
                return;
            }
        }
    }

    // Fail closed: anonymous request, or none of the declared permissions was satisfied.
    sendSecurityError();
}

Example 4 with Permission

Use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

The class PermissionFilterTest, method initApplicationMocks.

/**
 * APPLICATION Tests
 *
 * Wires the mocks for an APPLICATION-scoped permission check: a principal named USERNAME,
 * a single @Permission requiring APPLICATION_ANALYTICS with the UPDATE acl, and a request
 * whose "application" path parameter carries APPLICATION_ID so the filter can resolve the
 * target application.
 *
 * @return the ApplicationEntity that applicationService.findById is stubbed to return
 */
private ApplicationEntity initApplicationMocks() {
    final ApplicationEntity app = new ApplicationEntity();
    app.setId(APPLICATION_ID);
    when(applicationService.findById(app.getId())).thenReturn(app);

    final Principal principal = () -> USERNAME;
    when(securityContext.getUserPrincipal()).thenReturn(principal);

    final Permission required = mock(Permission.class);
    when(required.value()).thenReturn(RolePermission.APPLICATION_ANALYTICS);
    when(required.acls()).thenReturn(new RolePermissionAction[] { RolePermissionAction.UPDATE });
    when(permissions.value()).thenReturn(new Permission[] { required });

    // The filter under test is expected to read the target application id from the
    // "application" path parameter of the request.
    final MultivaluedHashMap<String, String> pathParams = new MultivaluedHashMap<>();
    pathParams.put("application", Collections.singletonList(app.getId()));
    final UriInfo uriInfo = mock(UriInfo.class);
    when(uriInfo.getPathParameters()).thenReturn(pathParams);
    when(containerRequestContext.getUriInfo()).thenReturn(uriInfo);
    return app;
}

Example 5 with Permission

Use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

The class ApiEventsResource, method getApiEventsEvents.

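@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "Get API's events", notes = "User must have the API_EVENT permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "API's events"), @ApiResponse(code = 500, message = "Internal server error") })
@Permissions({ @Permission(value = RolePermission.API_EVENT, acls = RolePermissionAction.READ) })
public List<EventEntity> getApiEventsEvents(@ApiParam @DefaultValue("all") @QueryParam("type") EventTypeListParam eventTypeListParam) {
    // Authorization is enforced by @Permissions above: API_EVENT:READ on the API resolved from the
    // request. The Swagger note names that same permission (it previously said MANAGE_LIFECYCLE,
    // which is not what is enforced).
    final EventQuery query = new EventQuery();
    query.setApi(api);

    // The event-type filter is applied in memory after the search; results are newest first.
    // NOTE(review): getEventTypes() and getCreatedAt() are assumed non-null here — confirm.
    return eventService.search(query).stream()
        .filter(event -> eventTypeListParam.getEventTypes().contains(event.getType()))
        .sorted((left, right) -> right.getCreatedAt().compareTo(left.getCreatedAt()))
        .collect(Collectors.toList());
}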
