use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.
the class AbstractResource method canReadApi.
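/**
 * Ensures the current user may read the given API; a no-op for admins.
 * <p>
 * Access is granted when the user holds a direct membership on the API, or when
 * the API is reachable through one of the groups the user belongs to (resolved via
 * {@code apiService.searchIds}). Every other case fails closed.
 *
 * @param api identifier of the API to check
 * @throws ForbiddenAccessException when the user is neither an admin, a direct
 *         member of the API, nor a member of a group associated with the API
 */
protected void canReadApi(final String api) {
    if (isAdmin()) {
        return;
    }
    // Memberships of the current user, split by the kind of object they reference.
    final List<MembershipEntity> memberships = retrieveApiMembership().collect(Collectors.toList());
    final Set<String> groups = memberships.stream()
            .filter(m -> GROUP.equals(m.getReferenceType()))
            .map(MembershipEntity::getReferenceId)
            .collect(Collectors.toSet());
    final Set<String> directMembers = memberships.stream()
            .filter(m -> API.equals(m.getReferenceType()))
            .map(MembershipEntity::getReferenceId)
            .collect(Collectors.toSet());
    // A direct membership on the API is sufficient.
    if (directMembers.contains(api)) {
        return;
    }
    // Without any group the user cannot be an indirect member either. Fail closed here
    // instead of relying on how searchIds treats an empty group filter (an empty filter
    // that is ignored would otherwise match the API by id alone).
    if (groups.isEmpty()) {
        throw new ForbiddenAccessException();
    }
    // Otherwise the API must be found among those associated with the user's groups.
    final ApiQuery apiQuery = new ApiQuery();
    apiQuery.setGroups(new ArrayList<>(groups));
    apiQuery.setIds(Collections.singletonList(api));
    final Collection<String> readableIds = apiService.searchIds(apiQuery);
    if (!readableIds.contains(api)) {
        throw new ForbiddenAccessException();
    }
}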
use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.
the class SubscriptionsResource method createSubscription.
/**
 * Creates a subscription of an application to a plan and returns it together
 * with the API keys that exist for it right after creation.
 *
 * @param subscriptionInput application, plan, request message and general-conditions acceptance
 * @return {@code 200} with the created {@link Subscription}, its keys ordered newest first
 * @throws ForbiddenAccessException when the caller lacks the {@code APPLICATION_SUBSCRIPTION}
 *         create permission on the target application
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response createSubscription(@Valid @NotNull(message = "Input must not be null.") SubscriptionInput subscriptionInput) {
    final String applicationId = subscriptionInput.getApplication();
    // Authorization first: the rest of the method must not run without the create permission.
    if (!hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, applicationId, RolePermissionAction.CREATE)) {
        throw new ForbiddenAccessException();
    }

    final NewSubscriptionEntity toCreate = new NewSubscriptionEntity();
    toCreate.setApplication(applicationId);
    toCreate.setPlan(subscriptionInput.getPlan());
    toCreate.setRequest(subscriptionInput.getRequest());
    toCreate.setGeneralConditionsAccepted(subscriptionInput.getGeneralConditionsAccepted());
    // The accepted general-conditions revision is optional in the input.
    if (subscriptionInput.getGeneralConditionsContentRevision() != null) {
        final PageRevisionId acceptedRevision = new PageRevisionId(
                subscriptionInput.getGeneralConditionsContentRevision().getPageId(),
                subscriptionInput.getGeneralConditionsContentRevision().getRevision());
        toCreate.setGeneralConditionsContentRevision(acceptedRevision);
    }

    final SubscriptionEntity created = subscriptionService.create(toCreate);
    // Consumers usually want the key immediately, so it is returned along with the subscription.
    final List<Key> keys = apiKeyService.findBySubscription(created.getId())
            .stream()
            .sorted((a, b) -> b.getCreatedAt().compareTo(a.getCreatedAt()))
            .map(keyMapper::convert)
            .collect(Collectors.toList());

    final Subscription result = subscriptionMapper.convert(created);
    result.setKeys(keys);
    return Response.ok(result).build();
}
use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.
the class ApiPagesResource method getApiPages.
/**
 * Lists the documentation pages of the current API that the caller may see.
 * <p>
 * The listing is open when the API is public; otherwise the caller needs the
 * {@code API_DOCUMENTATION} read permission. Each returned page is flagged when an
 * active plan uses it as its general conditions.
 *
 * @param acceptLang  value of the {@code Accept-Language} header, used when {@code translated} is set
 * @param homepage    optional homepage filter
 * @param type        optional page type filter
 * @param parent      optional parent page filter
 * @param name        optional page name filter
 * @param rootParent  optional root-parent filter
 * @param translated  whether pages should be resolved for the first accepted locale
 * @return the displayable pages matching the filters
 * @throws ForbiddenAccessException when the API is not public and the caller lacks read permission
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List pages", notes = "User must have the READ permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "List of pages", response = PageEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public List<PageEntity> getApiPages(@HeaderParam("Accept-Language") String acceptLang, @QueryParam("homepage") Boolean homepage, @QueryParam("type") PageType type, @QueryParam("parent") String parent, @QueryParam("name") String name, @QueryParam("root") Boolean rootParent, @QueryParam("translated") boolean translated) {
    final String acceptedLocale = HttpHeadersUtil.getFirstAcceptedLocaleName(acceptLang);
    final ApiEntity apiEntity = apiService.findById(api);

    // Public APIs are readable by anyone; private ones require the documentation read permission.
    final boolean publicApi = Visibility.PUBLIC.equals(apiEntity.getVisibility());
    if (!publicApi && !hasPermission(RolePermission.API_DOCUMENTATION, api, RolePermissionAction.READ)) {
        throw new ForbiddenAccessException();
    }

    final PageQuery query = new PageQuery.Builder()
            .api(api)
            .homepage(homepage)
            .type(type)
            .parent(parent)
            .name(name)
            .rootParent(rootParent)
            .build();
    final String locale = translated ? acceptedLocale : null;

    final List<PageEntity> visiblePages = pageService
            .search(query, locale, GraviteeContext.getCurrentEnvironment())
            .stream()
            .filter(page -> isDisplayable(apiEntity, page))
            .collect(Collectors.toList());
    // Tell the front end which pages are used as general conditions by an active plan.
    for (PageEntity page : visiblePages) {
        page.setGeneralConditions(pageService.isPageUsedAsGeneralConditions(page, api));
    }
    return visiblePages;
}
use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.
the class PermissionFilterTest method shouldThrowForbiddenExceptionWhenNoApiPermissions.
/**
 * The filter must reject a request targeting an API when the role service reports no
 * permission. The verifications in the catch block pin down which collaborators were
 * consulted before the rejection (API branch only, never the application branch).
 */
@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApiPermissions() {
    final ApiEntity mockedApi = initApiMocks();
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    try {
        permissionFilter.filter(permissions, containerRequestContext);
        Assert.fail("Should throw a ForbiddenAccessException");
    } catch (ForbiddenAccessException forbidden) {
        verify(apiService, times(1)).findById(mockedApi.getId());
        verify(membershipService, times(1)).getUserMemberPermissions(mockedApi, USERNAME);
        verify(roleService, times(1)).hasPermission(any(), any(), any());
        verify(applicationService, never()).findById(any());
        verify(membershipService, never()).getRoles(any(), any(), any(), any());
        // Rethrow so the expected-exception annotation sees it.
        throw forbidden;
    }
}
use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.
the class PermissionFilterTest method shouldThrowForbiddenExceptionWhenNoApplicationPermissions.
/**
 * The filter must reject a request targeting an application when the role service reports
 * no permission. The verifications in the catch block pin down which collaborators were
 * consulted before the rejection (application branch only, never the API branch).
 */
@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApplicationPermissions() {
    final ApplicationEntity mockedApplication = initApplicationMocks();
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    try {
        permissionFilter.filter(permissions, containerRequestContext);
        Assert.fail("Should throw a ForbiddenAccessException");
    } catch (ForbiddenAccessException forbidden) {
        verify(applicationService, times(1)).findById(mockedApplication.getId());
        verify(membershipService, times(1)).getUserMemberPermissions(mockedApplication, USERNAME);
        verify(roleService, times(1)).hasPermission(any(), any(), any());
        verify(apiService, never()).findById(any());
        verify(membershipService, never()).getRoles(any(), any(), any(), any());
        // Rethrow so the expected-exception annotation sees it.
        throw forbidden;
    }
}