Examples with ForbiddenAccessException io.gravitee.rest.api.service.exceptions.ForbiddenAccessException used on opensource projects

Example 1 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class AbstractResource method canReadApi.

protected void canReadApi(final String api) {
    if (!isAdmin()) {
        // get memberships of the current user
        List<MembershipEntity> memberships = retrieveApiMembership().collect(Collectors.toList());
        Set<String> groups = memberships.stream().filter(m -> GROUP.equals(m.getReferenceType())).map(m -> m.getReferenceId()).collect(Collectors.toSet());
        Set<String> directMembers = memberships.stream().filter(m -> API.equals(m.getReferenceType())).map(m -> m.getReferenceId()).collect(Collectors.toSet());
        // if the current user is member of the API, continue
        if (directMembers.contains(api)) {
            return;
        }
        // fetch group memberships
        final ApiQuery apiQuery = new ApiQuery();
        apiQuery.setGroups(new ArrayList<>(groups));
        apiQuery.setIds(Collections.singletonList(api));
        final Collection<String> strings = apiService.searchIds(apiQuery);
        final boolean canReadAPI = strings.contains(api);
        if (!canReadAPI) {
            throw new ForbiddenAccessException();
        }
    }
}

Example 2 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class SubscriptionsResource method createSubscription.

@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response createSubscription(@Valid @NotNull(message = "Input must not be null.") SubscriptionInput subscriptionInput) {
    if (hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, subscriptionInput.getApplication(), RolePermissionAction.CREATE)) {
        NewSubscriptionEntity newSubscriptionEntity = new NewSubscriptionEntity();
        newSubscriptionEntity.setApplication(subscriptionInput.getApplication());
        newSubscriptionEntity.setPlan(subscriptionInput.getPlan());
        newSubscriptionEntity.setRequest(subscriptionInput.getRequest());
        newSubscriptionEntity.setGeneralConditionsAccepted(subscriptionInput.getGeneralConditionsAccepted());
        if (subscriptionInput.getGeneralConditionsContentRevision() != null) {
            final PageRevisionId generalConditionsContentRevision = new PageRevisionId(subscriptionInput.getGeneralConditionsContentRevision().getPageId(), subscriptionInput.getGeneralConditionsContentRevision().getRevision());
            newSubscriptionEntity.setGeneralConditionsContentRevision(generalConditionsContentRevision);
        }
        SubscriptionEntity createdSubscription = subscriptionService.create(newSubscriptionEntity);
        // For consumer convenience, fetch the keys just after the subscription has been created.
        List<Key> keys = apiKeyService.findBySubscription(createdSubscription.getId()).stream().sorted((o1, o2) -> o2.getCreatedAt().compareTo(o1.getCreatedAt())).map(keyMapper::convert).collect(Collectors.toList());
        final Subscription subscription = subscriptionMapper.convert(createdSubscription);
        subscription.setKeys(keys);
        return Response.ok(subscription).build();
    }
    throw new ForbiddenAccessException();
}

Example 3 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class ApiPagesResource method getApiPages.

@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List pages", notes = "User must have the READ permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "List of pages", response = PageEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public List<PageEntity> getApiPages(@HeaderParam("Accept-Language") String acceptLang, @QueryParam("homepage") Boolean homepage, @QueryParam("type") PageType type, @QueryParam("parent") String parent, @QueryParam("name") String name, @QueryParam("root") Boolean rootParent, @QueryParam("translated") boolean translated) {
    final String acceptedLocale = HttpHeadersUtil.getFirstAcceptedLocaleName(acceptLang);
    final ApiEntity apiEntity = apiService.findById(api);
    if (Visibility.PUBLIC.equals(apiEntity.getVisibility()) || hasPermission(RolePermission.API_DOCUMENTATION, api, RolePermissionAction.READ)) {
        return pageService.search(new PageQuery.Builder().api(api).homepage(homepage).type(type).parent(parent).name(name).rootParent(rootParent).build(), translated ? acceptedLocale : null, GraviteeContext.getCurrentEnvironment()).stream().filter(page -> isDisplayable(apiEntity, page)).map(page -> {
            // check if the page is used as GeneralCondition by an active Plan
            // and update the PageEntity to transfer the information to the FrontEnd
            page.setGeneralConditions(pageService.isPageUsedAsGeneralConditions(page, api));
            return page;
        }).collect(Collectors.toList());
    }
    throw new ForbiddenAccessException();
}

Example 4 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class PermissionFilterTest method shouldThrowForbiddenExceptionWhenNoApiPermissions.

@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApiPermissions() {
    ApiEntity api = initApiMocks();
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    try {
        permissionFilter.filter(permissions, containerRequestContext);
    } catch (ForbiddenAccessException e) {
        verify(apiService, times(1)).findById(api.getId());
        verify(applicationService, never()).findById(any());
        verify(roleService, times(1)).hasPermission(any(), any(), any());
        verify(membershipService, times(1)).getUserMemberPermissions(api, USERNAME);
        verify(membershipService, never()).getRoles(any(), any(), any(), any());
        throw e;
    }
    Assert.fail("Should throw a ForbiddenAccessException");
}

Example 5 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

the class PermissionFilterTest method shouldThrowForbiddenExceptionWhenNoApplicationPermissions.

@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApplicationPermissions() {
    ApplicationEntity application = initApplicationMocks();
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    try {
        permissionFilter.filter(permissions, containerRequestContext);
    } catch (ForbiddenAccessException e) {
        verify(applicationService, times(1)).findById(application.getId());
        verify(apiService, never()).findById(any());
        verify(roleService, times(1)).hasPermission(any(), any(), any());
        verify(membershipService, times(1)).getUserMemberPermissions(application, USERNAME);
        verify(membershipService, never()).getRoles(any(), any(), any(), any());
        throw e;
    }
    Assert.fail("Should throw a ForbiddenAccessException");
}