Use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io: class SubscriptionKeysResource, method revokeKeySubscription.
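/**
 * Revokes the API key {@code keyId} that belongs to subscription {@code subscriptionId}.
 *
 * <p>The caller must hold {@code APPLICATION_SUBSCRIPTION[UPDATE]} on the subscription's
 * application or {@code API_SUBSCRIPTION[UPDATE]} on its API. The key is revoked only when it
 * is bound to that very subscription, so a permission granted for one subscription can never be
 * used to revoke a key bound to another subscription, or to none at all.
 *
 * @param subscriptionId the subscription the key is expected to belong to
 * @param keyId the API key to revoke
 * @return 204 once the key is revoked, 400 when the key is not bound to {@code subscriptionId}
 * @throws ForbiddenAccessException when the caller holds neither UPDATE permission
 */
@POST
@Path("/{keyId}/_revoke")
@Produces(MediaType.APPLICATION_JSON)
public Response revokeKeySubscription(@PathParam("subscriptionId") String subscriptionId, @PathParam("keyId") String keyId) {
    final SubscriptionEntity subscriptionEntity = subscriptionService.findById(subscriptionId);
    final boolean canUpdate = hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, subscriptionEntity.getApplication(), RolePermissionAction.UPDATE)
            || hasPermission(RolePermission.API_SUBSCRIPTION, subscriptionEntity.getApi(), RolePermissionAction.UPDATE);
    if (!canUpdate) {
        throw new ForbiddenAccessException();
    }
    final ApiKeyEntity apiKeyEntity = apiKeyService.findByKey(keyId);
    // Ownership check: the permission above was evaluated for subscriptionId, so the key must be
    // bound to exactly that subscription. A key without any subscription binding is rejected as
    // well; the former condition skipped the comparison for a null binding and revoked the key
    // although it had no link to the authorised subscription.
    if (!subscriptionId.equals(apiKeyEntity.getSubscription())) {
        return Response.status(Response.Status.BAD_REQUEST).entity("'keyId' parameter does not correspond to the subscription").build();
    }
    apiKeyService.revoke(keyId, true);
    return Response.noContent().build();
}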
Use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io: class SubscriptionsResource, method getSubscriptions.
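/**
 * Lists the subscriptions visible to the authenticated user, together with display metadata
 * for the applications, APIs, plans and subscribing users they reference.
 *
 * <p>Authorisation: when {@code applicationId} is given, the caller must hold
 * {@code APPLICATION_SUBSCRIPTION[READ]} on that application. When it is absent, the search is
 * restricted to the caller's own applications (those returned by
 * {@code applicationService.findByUser}), so no explicit permission check is needed;
 * {@code apiId} only narrows that already-scoped result.
 *
 * @param apiId optional API filter
 * @param applicationId optional application filter
 * @param statuses optional subscription status filter (ignored when null or empty)
 * @param paginationParam page and size; a size of -1 disables pagination
 * @return the (possibly paged) list response carrying the collected metadata
 * @throws ForbiddenAccessException when {@code applicationId} is set and the caller may not read its subscriptions
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
public Response getSubscriptions(@QueryParam("apiId") String apiId, @QueryParam("applicationId") String applicationId, @QueryParam("statuses") List<SubscriptionStatus> statuses, @BeanParam PaginationParam paginationParam) {
    // size == -1 is the "return everything" marker of PaginationParam
    final boolean withoutPagination = paginationParam.getSize() != null && paginationParam.getSize().equals(-1);
    final SubscriptionQuery query = new SubscriptionQuery();
    query.setApi(apiId);
    query.setApplication(applicationId);
    final Map<String, Map<String, Object>> metadata = new HashMap<>();
    if (applicationId == null) {
        // No explicit application: scope the query to the caller's own applications.
        final Set<ApplicationListItem> applications = applicationService.findByUser(getAuthenticatedUser());
        if (applications == null || applications.isEmpty()) {
            return createListResponse(emptyList(), paginationParam, !withoutPagination);
        }
        query.setApplications(applications.stream().map(ApplicationListItem::getId).collect(toSet()));
        applications.forEach(application -> metadata.put(application.getId(), nameMetadata(application.getName())));
    } else if (!hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, applicationId, RolePermissionAction.READ)) {
        throw new ForbiddenAccessException();
    }
    if (statuses != null && !statuses.isEmpty()) {
        query.setStatuses(statuses);
    }
    final Collection<SubscriptionEntity> subscriptions = searchSubscriptions(query, paginationParam, withoutPagination);
    final List<Subscription> subscriptionList = subscriptions.stream().map(subscriptionMapper::convert).collect(Collectors.toList());
    subscriptionList.forEach(subscription -> addReferenceMetadata(subscription, metadata));
    return createListResponse(subscriptionList, paginationParam, metadata, !withoutPagination);
}

/** Runs the query either unpaged or on the requested page; a null page result maps to an empty list. */
private Collection<SubscriptionEntity> searchSubscriptions(SubscriptionQuery query, PaginationParam paginationParam, boolean withoutPagination) {
    if (withoutPagination) {
        return subscriptionService.search(query);
    }
    final Page<SubscriptionEntity> pagedSubscriptions = subscriptionService.search(query, new PageableImpl(paginationParam.getPage(), paginationParam.getSize()));
    if (pagedSubscriptions == null) {
        return emptyList();
    }
    return pagedSubscriptions.getContent();
}

/** Adds display metadata for the API, plan and subscribing user of one subscription; null lookups are skipped. */
private void addReferenceMetadata(Subscription subscription, Map<String, Map<String, Object>> metadata) {
    final ApiEntity api = apiService.findById(subscription.getApi());
    if (api != null) {
        final Map<String, Object> apiMetadata = nameMetadata(api.getName());
        apiMetadata.put("pictureUrl", apiMapper.computeApiLinks(PortalApiLinkHelper.apisURL(uriInfo.getBaseUriBuilder(), api.getId()), api.getUpdatedAt()).getPicture());
        apiMetadata.put("state", api.getLifecycleState());
        apiMetadata.put("version", api.getVersion());
        apiMetadata.put("entrypoints", api.getEntrypoints());
        metadata.put(api.getId(), apiMetadata);
    }
    final PlanEntity plan = planService.findById(subscription.getPlan());
    if (plan != null) {
        metadata.put(plan.getId(), nameMetadata(plan.getName()));
    }
    final UserEntity user = userService.findById(subscription.getSubscribedBy(), true);
    if (user != null) {
        metadata.put(user.getId(), nameMetadata(user.getDisplayName()));
    }
}

/** Builds the mutable {"name": ...} metadata map that every referenced object starts from. */
private static Map<String, Object> nameMetadata(String name) {
    final Map<String, Object> m = new HashMap<>();
    m.put("name", name);
    return m;
}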
Use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io: class SubscriptionResource, method getSubscriptionBySubscriptionId.
/**
 * Returns one subscription, optionally expanded with its API keys.
 *
 * <p>The caller needs {@code API_SUBSCRIPTION[READ]} on the subscription's API or
 * {@code APPLICATION_SUBSCRIPTION[READ]} on its application.
 *
 * @param subscriptionId the subscription to load
 * @param include expansion flags; when it contains {@code INCLUDE_KEYS} the keys are attached, newest first
 * @return 200 with the subscription representation
 * @throws ForbiddenAccessException when the caller holds neither READ permission
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
public Response getSubscriptionBySubscriptionId(@PathParam("subscriptionId") String subscriptionId, @QueryParam("include") List<String> include) {
    final SubscriptionEntity entity = subscriptionService.findById(subscriptionId);
    final boolean canRead = hasPermission(RolePermission.API_SUBSCRIPTION, entity.getApi(), RolePermissionAction.READ)
            || hasPermission(RolePermission.APPLICATION_SUBSCRIPTION, entity.getApplication(), RolePermissionAction.READ);
    if (!canRead) {
        throw new ForbiddenAccessException();
    }
    final Subscription subscription = subscriptionMapper.convert(entity);
    if (include.contains(INCLUDE_KEYS)) {
        // Most recently created key first.
        final List<Key> newestFirst = apiKeyService.findBySubscription(subscriptionId).stream()
                .sorted((first, second) -> second.getCreatedAt().compareTo(first.getCreatedAt()))
                .map(keyMapper::convert)
                .collect(Collectors.toList());
        subscription.setKeys(newestFirst);
    }
    return Response.ok(subscription).build();
}
Use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io: class ApiSubscribersResource, method getApiSubscribers.
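/**
 * Lists the applications holding a subscription to this API, sorted by name (case-insensitive).
 *
 * <p>Either {@code API_SUBSCRIPTION[READ]} or {@code API_LOG[READ]} on the API is sufficient;
 * the Swagger note below mirrors that rule (it previously named a MANAGE_SUBSCRIPTIONS
 * permission the code never checks).
 *
 * @return the distinct subscribing applications, ordered by name
 * @throws ForbiddenAccessException when the caller holds neither permission on the API
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(value = "List subscribers for the API", notes = "User must have the API_SUBSCRIPTION[READ] or API_LOG[READ] permission to use this service")
@ApiResponses({ @ApiResponse(code = 200, message = "Paged result of API subscribers", response = ApplicationEntity.class, responseContainer = "List"), @ApiResponse(code = 500, message = "Internal server error") })
public Collection<ApplicationEntity> getApiSubscribers() {
    final boolean canRead = hasPermission(RolePermission.API_SUBSCRIPTION, api, RolePermissionAction.READ)
            || hasPermission(RolePermission.API_LOG, api, RolePermissionAction.READ);
    if (!canRead) {
        throw new ForbiddenAccessException();
    }
    final SubscriptionQuery subscriptionQuery = new SubscriptionQuery();
    subscriptionQuery.setApi(api);
    final Collection<SubscriptionEntity> subscriptions = subscriptionService.search(subscriptionQuery);
    // distinct() before the lookup so an application with several subscriptions is loaded once
    return subscriptions.stream()
            .map(SubscriptionEntity::getApplication)
            .distinct()
            .map(applicationId -> applicationService.findById(applicationId))
            .sorted((left, right) -> String.CASE_INSENSITIVE_ORDER.compare(left.getName(), right.getName()))
            .collect(Collectors.toList());
}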
Use of io.gravitee.rest.api.service.exceptions.ForbiddenAccessException in project gravitee-management-rest-api by gravitee-io: class PermissionFilterTest, method shouldThrowForbiddenExceptionWhenNoApiPermissions.
/**
 * When the role service denies every permission for an API-scoped request, the filter must
 * raise {@link ForbiddenAccessException} after resolving the API and its memberships exactly
 * once and without touching the application-related services.
 */
@Test(expected = ForbiddenAccessException.class)
public void shouldThrowForbiddenExceptionWhenNoApiPermissions() {
    final ApiEntity api = initApiMocks();
    when(roleService.hasPermission(any(), any(), any())).thenReturn(false);
    ForbiddenAccessException denied = null;
    try {
        permissionFilter.filter(permissions, containerRequestContext);
    } catch (ForbiddenAccessException e) {
        denied = e;
    }
    if (denied == null) {
        Assert.fail("Should throw a ForbiddenAccessException");
    }
    // API branch consulted once, application branch never.
    verify(apiService, times(1)).findById(api.getId());
    verify(applicationService, never()).findById(any());
    verify(roleService, times(1)).hasPermission(any(), any(), any());
    verify(membershipService, times(1)).getUserMemberPermissions(api, USERNAME);
    verify(membershipService, never()).getRoles(any(), any(), any(), any());
    // Re-throw only after the interactions were verified, to satisfy @Test(expected = ...).
    throw denied;
}