Examples with Permission io.gravitee.rest.api.management.rest.security.Permission used on opensource projects

Example 1 with Permission

use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

the class ApplicationSubscribedResource method getApiSubscribed.

@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List APIs subscribed by the application", notes = "User must have the APPLICATION_SUBSCRIPTION permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "Paged result of subscribed APIs", response = ApplicationEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
@Permissions({ @Permission(value = RolePermission.APPLICATION_SUBSCRIPTION, acls = RolePermissionAction.READ) })
public Collection<SubscribedApi> getApiSubscribed() {
    SubscriptionQuery subscriptionQuery = new SubscriptionQuery();
    subscriptionQuery.setApplication(application);
    Collection<SubscriptionEntity> subscriptions = subscriptionService.search(subscriptionQuery);
    return subscriptions.stream().map(SubscriptionEntity::getApi).distinct().map(api -> apiService.findById(api)).map(apiEntity -> new SubscribedApi(apiEntity.getId(), apiEntity.getName())).sorted((o1, o2) -> String.CASE_INSENSITIVE_ORDER.compare(o1.getName(), o2.getName())).collect(Collectors.toList());
}

Example 2 with Permission

use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

the class ApiPagesResource method getApiPages.

@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List pages", notes = "User must have the READ permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "List of pages", response = PageEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public List<PageEntity> getApiPages(@HeaderParam("Accept-Language") String acceptLang, @QueryParam("homepage") Boolean homepage, @QueryParam("type") PageType type, @QueryParam("parent") String parent, @QueryParam("name") String name, @QueryParam("root") Boolean rootParent, @QueryParam("translated") boolean translated) {
    final String acceptedLocale = HttpHeadersUtil.getFirstAcceptedLocaleName(acceptLang);
    final ApiEntity apiEntity = apiService.findById(api);
    if (Visibility.PUBLIC.equals(apiEntity.getVisibility()) || hasPermission(RolePermission.API_DOCUMENTATION, api, RolePermissionAction.READ)) {
        return pageService.search(new PageQuery.Builder().api(api).homepage(homepage).type(type).parent(parent).name(name).rootParent(rootParent).build(), translated ? acceptedLocale : null, GraviteeContext.getCurrentEnvironment()).stream().filter(page -> isDisplayable(apiEntity, page)).map(page -> {
            // check if the page is used as GeneralCondition by an active Plan
            // and update the PageEntity to transfer the information to the FrontEnd
            page.setGeneralConditions(pageService.isPageUsedAsGeneralConditions(page, api));
            return page;
        }).collect(Collectors.toList());
    }
    throw new ForbiddenAccessException();
}

Example 3 with Permission

use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

the class PermissionsFilter method filter.

protected void filter(Permissions permissions, ContainerRequestContext requestContext) {
    if (permissions != null && permissions.value().length > 0) {
        Principal principal = securityContext.getUserPrincipal();
        if (principal != null) {
            String username = principal.getName();
            for (Permission permission : permissions.value()) {
                Map<String, char[]> memberPermissions;
                switch(permission.value().getScope()) {
                    case ORGANIZATION:
                        memberPermissions = membershipService.getUserMemberPermissions(MembershipReferenceType.ORGANIZATION, GraviteeContext.getCurrentOrganization(), username);
                        if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
                            return;
                        }
                        break;
                    case ENVIRONMENT:
                        memberPermissions = membershipService.getUserMemberPermissions(MembershipReferenceType.ENVIRONMENT, GraviteeContext.getCurrentEnvironment(), username);
                        if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
                            return;
                        }
                        break;
                    case APPLICATION:
                        ApplicationEntity application = getApplication(requestContext);
                        memberPermissions = membershipService.getUserMemberPermissions(application, username);
                        if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
                            return;
                        }
                        break;
                    case API:
                        ApiEntity api = getApi(requestContext);
                        memberPermissions = membershipService.getUserMemberPermissions(api, username);
                        if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
                            return;
                        }
                        break;
                    case GROUP:
                        GroupEntity group = getGroup(requestContext);
                        memberPermissions = membershipService.getUserMemberPermissions(group, username);
                        if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
                            return;
                        }
                        break;
                    default:
                        sendSecurityError();
                }
            }
        }
        sendSecurityError();
    }
}

Example 4 with Permission

use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

the class PermissionFilterTest method initApplicationMocks.

/**
 * APPLICATION Tests
 */
private ApplicationEntity initApplicationMocks() {
    ApplicationEntity application = new ApplicationEntity();
    application.setId(APPLICATION_ID);
    Principal user = () -> USERNAME;
    when(applicationService.findById(application.getId())).thenReturn(application);
    when(securityContext.getUserPrincipal()).thenReturn(user);
    Permission perm = mock(Permission.class);
    when(perm.value()).thenReturn(RolePermission.APPLICATION_ANALYTICS);
    when(perm.acls()).thenReturn(new RolePermissionAction[] { RolePermissionAction.UPDATE });
    when(permissions.value()).thenReturn(new Permission[] { perm });
    UriInfo uriInfo = mock(UriInfo.class);
    MultivaluedHashMap<String, String> map = new MultivaluedHashMap<>();
    map.put("application", Collections.singletonList(application.getId()));
    when(uriInfo.getPathParameters()).thenReturn(map);
    when(containerRequestContext.getUriInfo()).thenReturn(uriInfo);
    return application;
}

Example 5 with Permission

use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.

the class ApiEventsResource method getApiEventsEvents.

@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "Get API's events", notes = "User must have the MANAGE_LIFECYCLE permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "API's events"), @ApiResponse(code = 500, message = "Internal server error") })
@Permissions({ @Permission(value = RolePermission.API_EVENT, acls = RolePermissionAction.READ) })
public List<EventEntity> getApiEventsEvents(@ApiParam @DefaultValue("all") @QueryParam("type") EventTypeListParam eventTypeListParam) {
    final EventQuery query = new EventQuery();
    query.setApi(api);
    return eventService.search(query).stream().filter(event -> eventTypeListParam.getEventTypes().contains(event.getType())).sorted((e1, e2) -> e2.getCreatedAt().compareTo(e1.getCreatedAt())).collect(Collectors.toList());
}