use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.
the class ApplicationSubscribedResource method getApiSubscribed.
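/**
 * Lists the APIs this application holds at least one subscription for.
 * <p>
 * All subscriptions of {@code application} (the application bound to this resource) are fetched,
 * their API ids are de-duplicated, each API is loaded through {@code apiService.findById} and reduced
 * to its id and name, and the result is sorted by name, case-insensitively. Access control is done by
 * the {@code @Permissions} annotation ({@code APPLICATION_SUBSCRIPTION[READ]}); the body does not
 * re-check it.
 *
 * @return the subscribed APIs ordered case-insensitively by name; empty when there is no subscription
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List APIs subscribed by the application", notes = "User must have the APPLICATION_SUBSCRIPTION permission to use this service")
// Swagger model corrected: the elements returned are SubscribedApi, not ApplicationEntity.
@ApiResponses({ @ApiResponse(code = 200, message = "Paged result of subscribed APIs", response = SubscribedApi.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
@Permissions({ @Permission(value = RolePermission.APPLICATION_SUBSCRIPTION, acls = RolePermissionAction.READ) })
public Collection<SubscribedApi> getApiSubscribed() {
    final SubscriptionQuery query = new SubscriptionQuery();
    query.setApplication(application);
    final Collection<SubscriptionEntity> subscriptions = subscriptionService.search(query);
    return subscriptions.stream()
            .map(SubscriptionEntity::getApi)
            // an application may hold several subscriptions (plans) to the same API
            .distinct()
            .map(apiId -> apiService.findById(apiId))
            .map(entity -> new SubscribedApi(entity.getId(), entity.getName()))
            .sorted(java.util.Comparator.comparing(SubscribedApi::getName, String.CASE_INSENSITIVE_ORDER))
            .collect(Collectors.toList());
}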
use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.
the class ApiPagesResource method getApiPages.
/**
 * Lists the documentation pages of the API bound to this resource ({@code api}).
 * <p>
 * Authorization rule: pages of an API whose visibility is {@code PUBLIC} are listed for any caller;
 * for any other visibility the caller must hold {@code API_DOCUMENTATION[READ]} on the API, otherwise
 * {@link ForbiddenAccessException} is thrown. The permission lookup is only performed for non-public
 * APIs. Pages are then filtered with {@code isDisplayable} and each returned page is flagged with
 * whether it is used as general conditions of a plan.
 *
 * @param acceptLang  raw {@code Accept-Language} header; its first accepted locale is applied when {@code translated} is true
 * @param homepage    query filter forwarded as-is to {@code PageQuery.Builder}
 * @param type        query filter forwarded as-is to {@code PageQuery.Builder}
 * @param parent      query filter forwarded as-is to {@code PageQuery.Builder}
 * @param name        query filter forwarded as-is to {@code PageQuery.Builder}
 * @param rootParent  query filter forwarded as-is to {@code PageQuery.Builder}
 * @param translated  when true, pages are searched with the accepted locale, otherwise with {@code null}
 * @return the displayable pages matching the query
 * @throws ForbiddenAccessException when the API is not public and the caller lacks the read permission
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List pages", notes = "User must have the READ permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "List of pages", response = PageEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public List<PageEntity> getApiPages(@HeaderParam("Accept-Language") String acceptLang, @QueryParam("homepage") Boolean homepage, @QueryParam("type") PageType type, @QueryParam("parent") String parent, @QueryParam("name") String name, @QueryParam("root") Boolean rootParent, @QueryParam("translated") boolean translated) {
    final String acceptedLocale = HttpHeadersUtil.getFirstAcceptedLocaleName(acceptLang);
    final ApiEntity apiEntity = apiService.findById(api);

    // Guard clause: public APIs need no permission; anything else requires API_DOCUMENTATION[READ].
    final boolean publicApi = Visibility.PUBLIC.equals(apiEntity.getVisibility());
    if (!publicApi && !hasPermission(RolePermission.API_DOCUMENTATION, api, RolePermissionAction.READ)) {
        throw new ForbiddenAccessException();
    }

    final String searchLocale = translated ? acceptedLocale : null;
    return pageService.search(
                    new PageQuery.Builder()
                            .api(api)
                            .homepage(homepage)
                            .type(type)
                            .parent(parent)
                            .name(name)
                            .rootParent(rootParent)
                            .build(),
                    searchLocale,
                    GraviteeContext.getCurrentEnvironment())
            .stream()
            .filter(candidate -> isDisplayable(apiEntity, candidate))
            .map(candidate -> {
                // Mark pages referenced as general conditions by an active plan so the front end can show it.
                candidate.setGeneralConditions(pageService.isPageUsedAsGeneralConditions(candidate, api));
                return candidate;
            })
            .collect(Collectors.toList());
}
use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.
the class PermissionsFilter method filter.
/**
 * Enforces the {@code @Permissions} annotation of the matched resource for the current request.
 * <p>
 * Semantics as visible in this method:
 * <ul>
 * <li>A {@code null} annotation or an empty {@code value()} performs no check at all: the method
 *     returns without calling {@code sendSecurityError()}. A resource is therefore only protected
 *     when it declares at least one {@code @Permission}.</li>
 * <li>Several {@code @Permission} entries are OR-ed: the first one granted returns immediately.</li>
 * <li>No authenticated principal, or none of the listed permissions granted: {@code sendSecurityError()}.</li>
 * </ul>
 *
 * @param permissions    the annotation of the target (may be {@code null})
 * @param requestContext the JAX-RS request, used to resolve the APPLICATION / API / GROUP the permission applies to
 */
protected void filter(Permissions permissions, ContainerRequestContext requestContext) {
if (permissions != null && permissions.value().length > 0) {
Principal principal = securityContext.getUserPrincipal();
if (principal != null) {
String username = principal.getName();
for (Permission permission : permissions.value()) {
// Effective permissions of the user on the reference selected by the permission's scope.
// How the char[] values are interpreted is left to roleService.hasPermission.
Map<String, char[]> memberPermissions;
switch(permission.value().getScope()) {
case ORGANIZATION:
// Organization- and environment-scoped checks use the current Gravitee context, not the request.
memberPermissions = membershipService.getUserMemberPermissions(MembershipReferenceType.ORGANIZATION, GraviteeContext.getCurrentOrganization(), username);
if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
return;
}
break;
case ENVIRONMENT:
memberPermissions = membershipService.getUserMemberPermissions(MembershipReferenceType.ENVIRONMENT, GraviteeContext.getCurrentEnvironment(), username);
if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
return;
}
break;
case APPLICATION:
// Entity-scoped checks resolve the target from the request (judging by PermissionFilterTest,
// from the "application"/"api"/"group" path parameters — confirm in getApplication/getApi/getGroup).
ApplicationEntity application = getApplication(requestContext);
memberPermissions = membershipService.getUserMemberPermissions(application, username);
if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
return;
}
break;
case API:
ApiEntity api = getApi(requestContext);
memberPermissions = membershipService.getUserMemberPermissions(api, username);
if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
return;
}
break;
case GROUP:
GroupEntity group = getGroup(requestContext);
memberPermissions = membershipService.getUserMemberPermissions(group, username);
if (roleService.hasPermission(memberPermissions, permission.value().getPermission(), permission.acls())) {
return;
}
break;
default:
// Unknown scope: reported as a security error. Whether sendSecurityError() throws is not visible
// here; if it returns normally, the loop simply continues with the next permission.
sendSecurityError();
}
}
}
// Reached when there is no principal or none of the listed permissions was granted.
sendSecurityError();
}
}
use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.
the class PermissionFilterTest method initApplicationMocks.
/**
 * Fixture for the APPLICATION-scope tests.
 * <p>
 * Stubs an application with id {@code APPLICATION_ID} resolvable through {@code applicationService},
 * an authenticated principal named {@code USERNAME}, a single {@code @Permission} requiring
 * {@code APPLICATION_ANALYTICS[UPDATE]}, and a request whose {@code application} path parameter
 * references that application.
 *
 * @return the stubbed application entity
 */
private ApplicationEntity initApplicationMocks() {
    final ApplicationEntity app = new ApplicationEntity();
    app.setId(APPLICATION_ID);
    when(applicationService.findById(app.getId())).thenReturn(app);

    final Principal principal = () -> USERNAME;
    when(securityContext.getUserPrincipal()).thenReturn(principal);

    // Exactly one permission is declared on the filtered resource.
    final Permission analyticsUpdate = mock(Permission.class);
    when(analyticsUpdate.value()).thenReturn(RolePermission.APPLICATION_ANALYTICS);
    when(analyticsUpdate.acls()).thenReturn(new RolePermissionAction[] { RolePermissionAction.UPDATE });
    when(permissions.value()).thenReturn(new Permission[] { analyticsUpdate });

    // The request carries the application id as the "application" path parameter.
    final MultivaluedHashMap<String, String> pathParams = new MultivaluedHashMap<>();
    pathParams.put("application", Collections.singletonList(app.getId()));
    final UriInfo requestUri = mock(UriInfo.class);
    when(requestUri.getPathParameters()).thenReturn(pathParams);
    when(containerRequestContext.getUriInfo()).thenReturn(requestUri);

    return app;
}
use of io.gravitee.rest.api.management.rest.security.Permission in project gravitee-management-rest-api by gravitee-io.
the class ApiEventsResource method getApiEventsEvents.
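/**
 * Returns the events of the API bound to this resource ({@code api}), most recent first.
 * <p>
 * Events are fetched through {@code eventService.search}, kept only when their type is contained in
 * {@code eventTypeListParam.getEventTypes()} (the {@code type} query parameter, default {@code all}),
 * and sorted by creation date in descending order. Access control is done by the {@code @Permissions}
 * annotation ({@code API_EVENT[READ]}); the body does not re-check it.
 *
 * @param eventTypeListParam the event types to keep, parsed from the {@code type} query parameter
 * @return the matching events from newest to oldest; empty when none match
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
// Notes corrected: the permission actually enforced (see @Permissions below) is API_EVENT, not MANAGE_LIFECYCLE.
@ApiOperation(value = "Get API's events", notes = "User must have the API_EVENT permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "API's events"), @ApiResponse(code = 500, message = "Internal server error") })
@Permissions({ @Permission(value = RolePermission.API_EVENT, acls = RolePermissionAction.READ) })
public List<EventEntity> getApiEventsEvents(@ApiParam @DefaultValue("all") @QueryParam("type") EventTypeListParam eventTypeListParam) {
    final EventQuery query = new EventQuery();
    query.setApi(api);
    // Descending creation date: compare right against left.
    final java.util.Comparator<EventEntity> newestFirst =
            (left, right) -> right.getCreatedAt().compareTo(left.getCreatedAt());
    return eventService.search(query).stream()
            .filter(event -> eventTypeListParam.getEventTypes().contains(event.getType()))
            .sorted(newestFirst)
            .collect(Collectors.toList());
}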