
Example 6 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

From the class SubscriptionKeysResource, method revokeKeySubscription:

@POST
@Path("/{keyId}/_revoke")
@Produces(MediaType.APPLICATION_JSON)
public Response revokeKeySubscription(@PathParam("subscriptionId") String subscriptionId, @PathParam("keyId") String keyId) {
    SubscriptionEntity subscriptionEntity = subscriptionService.findById(subscriptionId);
    // Authorization: the caller must hold UPDATE on either the subscription's application
    // or the subscribed API; otherwise fall through to ForbiddenAccessException below.
    if (hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, subscriptionEntity.getApplication(), RolePermissionAction.UPDATE) || hasPermission(RolePermission.API_SUBSCRIPTION, subscriptionEntity.getApi(), RolePermissionAction.UPDATE)) {
        ApiKeyEntity apiKeyEntity = apiKeyService.findByKey(keyId);
        // Object-level check: the key must belong to the subscription named in the path,
        // so a caller authorized on one subscription cannot revoke a key of another.
        if (apiKeyEntity.getSubscription() != null && !subscriptionId.equals(apiKeyEntity.getSubscription())) {
            return Response.status(Response.Status.BAD_REQUEST).entity("'keyId' parameter does not correspond to the subscription").build();
        }
        apiKeyService.revoke(keyId, true);
        return Response.noContent().build();
    }
    throw new ForbiddenAccessException();
}

Example 7 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

From the class SubscriptionsResource, method getSubscriptions:

@GET
@Produces(MediaType.APPLICATION_JSON)
public Response getSubscriptions(@QueryParam("apiId") String apiId, @QueryParam("applicationId") String applicationId, @QueryParam("statuses") List<SubscriptionStatus> statuses, @BeanParam PaginationParam paginationParam) {
    // A page size of -1 is the convention for "return everything, unpaginated".
    final boolean withoutPagination = paginationParam.getSize() != null && paginationParam.getSize().equals(-1);
    final SubscriptionQuery query = new SubscriptionQuery();
    query.setApi(apiId);
    query.setApplication(applicationId);
    final Map<String, Map<String, Object>> metadata = new HashMap<>();
    if (applicationId == null) {
        // No application given: scope the query to the applications the caller owns,
        // so a user can never list subscriptions of applications they are not a member of.
        final Set<ApplicationListItem> applications = applicationService.findByUser(getAuthenticatedUser());
        if (applications == null || applications.isEmpty()) {
            return createListResponse(emptyList(), paginationParam, !withoutPagination);
        }
        query.setApplications(applications.stream().map(ApplicationListItem::getId).collect(toSet()));
        applications.forEach(application -> {
            final Map<String, Object> m = new HashMap<>();
            m.put("name", application.getName());
            metadata.put(application.getId(), m);
        });
    } else if (!hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, applicationId, RolePermissionAction.READ)) {
        // An explicit applicationId requires READ on that application's subscriptions.
        throw new ForbiddenAccessException();
    }
    if (statuses != null && !statuses.isEmpty()) {
        query.setStatuses(statuses);
    }
    final Collection<SubscriptionEntity> subscriptions;
    if (withoutPagination) {
        subscriptions = subscriptionService.search(query);
    } else {
        final Page<SubscriptionEntity> pagedSubscriptions = subscriptionService.search(query, new PageableImpl(paginationParam.getPage(), paginationParam.getSize()));
        if (pagedSubscriptions == null) {
            subscriptions = emptyList();
        } else {
            subscriptions = pagedSubscriptions.getContent();
        }
    }
    final List<Subscription> subscriptionList = subscriptions.stream().map(subscriptionMapper::convert).collect(Collectors.toList());
    // Enrich the response with display metadata for each referenced API, plan and subscriber.
    subscriptionList.forEach(subscription -> {
        final ApiEntity api = apiService.findById(subscription.getApi());
        if (api != null) {
            final Map<String, Object> m = new HashMap<>();
            m.put("name", api.getName());
            m.put("pictureUrl", apiMapper.computeApiLinks(PortalApiLinkHelper.apisURL(uriInfo.getBaseUriBuilder(), api.getId()), api.getUpdatedAt()).getPicture());
            m.put("state", api.getLifecycleState());
            m.put("version", api.getVersion());
            m.put("entrypoints", api.getEntrypoints());
            metadata.put(api.getId(), m);
        }
        final PlanEntity plan = planService.findById(subscription.getPlan());
        if (plan != null) {
            final Map<String, Object> m = new HashMap<>();
            m.put("name", plan.getName());
            metadata.put(plan.getId(), m);
        }
        final UserEntity user = userService.findById(subscription.getSubscribedBy(), true);
        if (user != null) {
            final Map<String, Object> m = new HashMap<>();
            m.put("name", user.getDisplayName());
            metadata.put(user.getId(), m);
        }
    });
    return createListResponse(subscriptionList, paginationParam, metadata, !withoutPagination);
}

Example 8 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

From the class SubscriptionResource, method getSubscriptionBySubscriptionId:

@GET
@Produces(MediaType.APPLICATION_JSON)
public Response getSubscriptionBySubscriptionId(@PathParam("subscriptionId") String subscriptionId, @QueryParam("include") List<String> include) {
    SubscriptionEntity subscriptionEntity = subscriptionService.findById(subscriptionId);
    // Authorization: READ on the subscribed API's subscriptions or on the owning application's
    // subscriptions; the API keys are only attached after this check has passed.
    if (hasPermission(RolePermission.API_SUBSCRIPTION, subscriptionEntity.getApi(), RolePermissionAction.READ) || hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, subscriptionEntity.getApplication(), RolePermissionAction.READ)) {
        Subscription subscription = subscriptionMapper.convert(subscriptionEntity);
        if (include.contains(INCLUDE_KEYS)) {
            // Keys are returned newest first.
            List<Key> keys = apiKeyService.findBySubscription(subscriptionId).stream().sorted((o1, o2) -> o2.getCreatedAt().compareTo(o1.getCreatedAt())).map(keyMapper::convert).collect(Collectors.toList());
            subscription.setKeys(keys);
        }
        return Response.ok(subscription).build();
    }
    throw new ForbiddenAccessException();
}

Example 9 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

From the class ApiSubscribersResource, method getApiSubscribers:

@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List subscribers for the API", notes = "User must have the MANAGE_SUBSCRIPTIONS permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "Paged result of API subscribers", response = ApplicationEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public Collection<ApplicationEntity> getApiSubscribers() {
    // Authorization: the caller needs READ on this API's subscriptions or on its logs.
    if (!hasPermission(RolePermission.API_SUBSCRIPTION, api, RolePermissionAction.READ) && !hasPermission(RolePermission.API_LOG, api, RolePermissionAction.READ)) {
        throw new ForbiddenAccessException();
    }
    SubscriptionQuery subscriptionQuery = new SubscriptionQuery();
    subscriptionQuery.setApi(api);
    Collection<SubscriptionEntity> subscriptions = subscriptionService.search(subscriptionQuery);
    // One entry per distinct subscribing application, sorted case-insensitively by name.
    return subscriptions.stream().map(SubscriptionEntity::getApplication).distinct().map(application -> applicationService.findById(application)).sorted((o1, o2) -> String.CASE_INSENSITIVE_ORDER.compare(o1.getName(), o2.getName())).collect(Collectors.toList());
}

Example 10 with ForbiddenAccessException

use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io.

From the test class PermissionFilterTest, method shouldThrowForbiddenExceptionWhenNoApiPermissions:

@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApiPermissions() {
    ApiEntity api = initApiMocks();
    // Deny every permission check so the filter must reject the request.
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    try {
        permissionFilter.filter(permissions, containerRequestContext);
    } catch (ForbiddenAccessException e) {
        // The filter resolved the API, evaluated the role once, and never touched
        // the application path; then rethrow so the @Test(expected) assertion passes.
        verify(apiService, times(1)).findById(api.getId());
        verify(applicationService, never()).findById(any());
        verify(roleService, times(1)).hasPermission(any(), any(), any());
        verify(membershipService, times(1)).getUserMemberPermissions(api, USERNAME);
        verify(membershipService, never()).getRoles(any(), any(), any(), any());
        throw e;
    }
    Assert.fail("Should throw a ForbiddenAccessException");
}