
Example 1 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class AbstractResource method canReadApi.

/**
 * Ensures the current user may read the given API, otherwise throws.
 *
 * Administrators always pass. Any other user passes when they hold a direct
 * membership on the API, or when the API is reachable through one of the groups
 * they belong to (resolved via {@code apiService.searchIds}).
 *
 * @param api identifier of the API being accessed
 * @throws ForbiddenAccessException when neither a direct nor a group membership grants access
 */
protected void canReadApi(final String api) {
    // Administrators are not subject to the membership check.
    if (isAdmin()) {
        return;
    }
    // Snapshot the current user's memberships once; the stream returned by
    // retrieveApiMembership() is consumed here and partitioned below.
    final List<MembershipEntity> memberships = retrieveApiMembership().collect(Collectors.toList());
    final Set<String> directApiIds = memberships.stream()
            .filter(m -> API.equals(m.getReferenceType()))
            .map(MembershipEntity::getReferenceId)
            .collect(Collectors.toSet());
    // A direct membership on this API is sufficient on its own.
    if (directApiIds.contains(api)) {
        return;
    }
    final Set<String> groupIds = memberships.stream()
            .filter(m -> GROUP.equals(m.getReferenceType()))
            .map(MembershipEntity::getReferenceId)
            .collect(Collectors.toSet());
    // Otherwise the API must be visible through one of the user's groups: ask the API
    // service whether this single id is among those matching the group filter.
    // NOTE(review): how searchIds treats an empty group list is not visible here;
    // confirm it narrows (no group -> no match) rather than dropping the filter.
    final ApiQuery query = new ApiQuery();
    query.setGroups(new ArrayList<>(groupIds));
    query.setIds(Collections.singletonList(api));
    final Collection<String> readableIds = apiService.searchIds(query);
    if (!readableIds.contains(api)) {
        throw new ForbiddenAccessException();
    }
}
Also used : ApiQuery(io.gravitee.rest.api.model.api.ApiQuery) RolePermissionAction(io.gravitee.rest.api.model.permissions.RolePermissionAction) io.gravitee.rest.api.service(io.gravitee.rest.api.service) java.util(java.util) MembershipEntity(io.gravitee.rest.api.model.MembershipEntity) Context(javax.ws.rs.core.Context) USER(io.gravitee.rest.api.model.MembershipMemberType.USER) ForbiddenAccessException(io.gravitee.rest.api.service.exceptions.ForbiddenAccessException) SecurityContext(javax.ws.rs.core.SecurityContext) API(io.gravitee.rest.api.model.MembershipReferenceType.API) RoleScope(io.gravitee.rest.api.model.permissions.RoleScope) UserDetails(io.gravitee.rest.api.idp.api.authentication.UserDetails) Collectors(java.util.stream.Collectors) Inject(javax.inject.Inject) Stream(java.util.stream.Stream) UriBuilder(javax.ws.rs.core.UriBuilder) URI(java.net.URI) UriInfo(javax.ws.rs.core.UriInfo) SecurityContextHolder(org.springframework.security.core.context.SecurityContextHolder) SystemRole(io.gravitee.rest.api.model.permissions.SystemRole) GROUP(io.gravitee.rest.api.model.MembershipReferenceType.GROUP) RolePermission(io.gravitee.rest.api.model.permissions.RolePermission) MembershipEntity(io.gravitee.rest.api.model.MembershipEntity) ApiQuery(io.gravitee.rest.api.model.api.ApiQuery) ForbiddenAccessException(io.gravitee.rest.api.service.exceptions.ForbiddenAccessException)

Example 2 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class SubscriptionsResource method createSubscription.

/**
 * Creates a subscription for the application named in the input and returns it
 * together with the API keys issued for it, newest first.
 *
 * @param subscriptionInput validated request body (application, plan, request text,
 *                          general-conditions acceptance and optional content revision)
 * @return 200 with the created {@link Subscription}
 * @throws ForbiddenAccessException when the caller lacks APPLICATION_SUBSCRIPTION:CREATE
 *                                  on the target application
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response createSubscription(@Valid @NotNull(message = "Input must not be null.") SubscriptionInput subscriptionInput) {
    // Authorization is checked against the target application before anything is persisted.
    if (!hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, subscriptionInput.getApplication(), RolePermissionAction.CREATE)) {
        throw new ForbiddenAccessException();
    }
    final NewSubscriptionEntity toCreate = new NewSubscriptionEntity();
    toCreate.setApplication(subscriptionInput.getApplication());
    toCreate.setPlan(subscriptionInput.getPlan());
    toCreate.setRequest(subscriptionInput.getRequest());
    toCreate.setGeneralConditionsAccepted(subscriptionInput.getGeneralConditionsAccepted());
    // The content revision is optional; only carry it over when the client supplied one.
    if (subscriptionInput.getGeneralConditionsContentRevision() != null) {
        toCreate.setGeneralConditionsContentRevision(new PageRevisionId(
                subscriptionInput.getGeneralConditionsContentRevision().getPageId(),
                subscriptionInput.getGeneralConditionsContentRevision().getRevision()));
    }
    final SubscriptionEntity created = subscriptionService.create(toCreate);
    // Newest key first, so the consumer immediately sees the key issued for this subscription.
    final List<Key> keys = apiKeyService.findBySubscription(created.getId()).stream()
            .sorted((first, second) -> second.getCreatedAt().compareTo(first.getCreatedAt()))
            .map(keyMapper::convert)
            .collect(Collectors.toList());
    final Subscription result = subscriptionMapper.convert(created);
    result.setKeys(keys);
    return Response.ok(result).build();
}
Also used : PageRevisionId(io.gravitee.rest.api.model.PageEntity.PageRevisionId) Subscription(io.gravitee.rest.api.portal.rest.model.Subscription) ForbiddenAccessException(io.gravitee.rest.api.service.exceptions.ForbiddenAccessException) Key(io.gravitee.rest.api.portal.rest.model.Key)

Example 3 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class ApiPagesResource method getApiPages.

/**
 * Lists the documentation pages of the current API that are displayable to the caller.
 *
 * Public APIs expose their documentation to anyone; private APIs require the
 * API_DOCUMENTATION:READ permission. Each returned page is flagged with whether an
 * active plan uses it as general conditions.
 *
 * @param acceptLang  Accept-Language header, used to pick a translation when {@code translated} is set
 * @param homepage    restrict to (non-)homepage pages
 * @param type        restrict to a page type
 * @param parent      restrict to children of this parent page
 * @param name        restrict to pages with this name
 * @param rootParent  restrict to root-level pages
 * @param translated  whether to return the translation for the first accepted locale
 * @return the matching pages, in the order returned by the page service
 * @throws ForbiddenAccessException when the API is not public and the caller lacks read permission
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List pages", notes = "User must have the READ permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "List of pages", response = PageEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public List<PageEntity> getApiPages(@HeaderParam("Accept-Language") String acceptLang, @QueryParam("homepage") Boolean homepage, @QueryParam("type") PageType type, @QueryParam("parent") String parent, @QueryParam("name") String name, @QueryParam("root") Boolean rootParent, @QueryParam("translated") boolean translated) {
    final String acceptedLocale = HttpHeadersUtil.getFirstAcceptedLocaleName(acceptLang);
    final ApiEntity apiEntity = apiService.findById(api);
    // Visibility is checked first so the permission lookup only runs for private APIs.
    final boolean publicApi = Visibility.PUBLIC.equals(apiEntity.getVisibility());
    if (!publicApi && !hasPermission(RolePermission.API_DOCUMENTATION, api, RolePermissionAction.READ)) {
        throw new ForbiddenAccessException();
    }
    final PageQuery query = new PageQuery.Builder()
            .api(api)
            .homepage(homepage)
            .type(type)
            .parent(parent)
            .name(name)
            .rootParent(rootParent)
            .build();
    // A null locale asks the page service for the untranslated content.
    final String locale = translated ? acceptedLocale : null;
    return pageService.search(query, locale, GraviteeContext.getCurrentEnvironment()).stream()
            .filter(page -> isDisplayable(apiEntity, page))
            .map(page -> {
                // Mark pages used as general conditions by an active plan so the
                // front-end can present them accordingly.
                page.setGeneralConditions(pageService.isPageUsedAsGeneralConditions(page, api));
                return page;
            })
            .collect(Collectors.toList());
}
Also used : GraviteeContext(io.gravitee.rest.api.service.common.GraviteeContext) ApiService(io.gravitee.rest.api.service.ApiService) Inject(javax.inject.Inject) Valid(javax.validation.Valid) PageMarkdownTemplateActionException(io.gravitee.rest.api.service.exceptions.PageMarkdownTemplateActionException) PageQuery(io.gravitee.rest.api.model.documentation.PageQuery) io.gravitee.rest.api.model(io.gravitee.rest.api.model) PageService(io.gravitee.rest.api.service.PageService) io.swagger.annotations(io.swagger.annotations) HttpHeadersUtil(io.gravitee.rest.api.management.rest.utils.HttpHeadersUtil) RolePermissionAction(io.gravitee.rest.api.model.permissions.RolePermissionAction) ApiEntity(io.gravitee.rest.api.model.api.ApiEntity) Context(javax.ws.rs.core.Context) ForbiddenAccessException(io.gravitee.rest.api.service.exceptions.ForbiddenAccessException) NotNull(javax.validation.constraints.NotNull) Collectors(java.util.stream.Collectors) Permission(io.gravitee.rest.api.management.rest.security.Permission) AccessControlService(io.gravitee.rest.api.service.AccessControlService) List(java.util.List) MediaType(io.gravitee.common.http.MediaType) javax.ws.rs(javax.ws.rs) Response(javax.ws.rs.core.Response) ResourceContext(javax.ws.rs.container.ResourceContext) PageSystemFolderActionException(io.gravitee.rest.api.service.exceptions.PageSystemFolderActionException) Permissions(io.gravitee.rest.api.management.rest.security.Permissions) RolePermission(io.gravitee.rest.api.model.permissions.RolePermission) ApiEntity(io.gravitee.rest.api.model.api.ApiEntity) ForbiddenAccessException(io.gravitee.rest.api.service.exceptions.ForbiddenAccessException)

Example 4 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class PermissionFilterTest method shouldThrowForbiddenExceptionWhenNoApiPermissions.

/**
 * When no role grants the requested API permission, the filter must reject the request
 * with {@link ForbiddenAccessException} after resolving the API (never an application)
 * and consulting the user's member permissions exactly once.
 */
@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApiPermissions() {
    ApiEntity api = initApiMocks();
    // Deny every permission check so the filter has no grant to rely on.
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    ForbiddenAccessException refused = null;
    try {
        permissionFilter.filter(permissions, containerRequestContext);
    } catch (ForbiddenAccessException e) {
        refused = e;
    }
    if (refused == null) {
        Assert.fail("Should throw a ForbiddenAccessException");
    }
    // The API path was taken: API looked up once, application never, role checked once,
    // member permissions fetched once and the getRoles fallback not used.
    verify(apiService, times(1)).findById(api.getId());
    verify(applicationService, never()).findById(any());
    verify(roleService, times(1)).hasPermission(any(), any(), any());
    verify(membershipService, times(1)).getUserMemberPermissions(api, USERNAME);
    verify(membershipService, never()).getRoles(any(), any(), any(), any());
    // Re-throw only after the interactions checked out, to satisfy @Test(expected = ...).
    throw refused;
}
Also used : ApiEntity(io.gravitee.rest.api.model.api.ApiEntity) ForbiddenAccessException(io.gravitee.rest.api.service.exceptions.ForbiddenAccessException) Test(org.junit.Test)

Example 5 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class PermissionFilterTest method shouldThrowForbiddenExceptionWhenNoApplicationPermissions.

/**
 * When no role grants the requested application permission, the filter must reject the
 * request with {@link ForbiddenAccessException} after resolving the application (never
 * an API) and consulting the user's member permissions exactly once.
 */
@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApplicationPermissions() {
    ApplicationEntity application = initApplicationMocks();
    // Deny every permission check so the filter has no grant to rely on.
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    ForbiddenAccessException refused = null;
    try {
        permissionFilter.filter(permissions, containerRequestContext);
    } catch (ForbiddenAccessException e) {
        refused = e;
    }
    if (refused == null) {
        Assert.fail("Should throw a ForbiddenAccessException");
    }
    // The application path was taken: application looked up once, API never, role checked
    // once, member permissions fetched once and the getRoles fallback not used.
    verify(applicationService, times(1)).findById(application.getId());
    verify(apiService, never()).findById(any());
    verify(roleService, times(1)).hasPermission(any(), any(), any());
    verify(membershipService, times(1)).getUserMemberPermissions(application, USERNAME);
    verify(membershipService, never()).getRoles(any(), any(), any(), any());
    // Re-throw only after the interactions checked out, to satisfy @Test(expected = ...).
    throw refused;
}
Also used : ApplicationEntity(io.gravitee.rest.api.model.ApplicationEntity) ForbiddenAccessException(io.gravitee.rest.api.service.exceptions.ForbiddenAccessException) Test(org.junit.Test)
