Use of org.candlepin.auth.Access in project candlepin by candlepin.
The class OwnerResource, method listPools.
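/**
 * Retrieves a list of Pools for an Owner.
 *
 * <p>Authorization: the {@code @Verify} on {@code ownerKey} covers read access to the owner's
 * pools. A consumer given via {@code consumer} is additionally required to belong to that
 * owner and to be readable by the calling principal; an activation key given via
 * {@code activation_key} is looked up scoped to the owner only.
 *
 * @param ownerKey id of the owner whose entitlement pools are sought.
 * @param consumerUuid optional UUID of a consumer (unit) to restrict the pools to.
 * @param activationKeyName optional name of an activation key of the owner to restrict the
 *        pools to.
 * @param productId optional product id to filter on.
 * @param subscriptionId optional subscription id to filter on.
 * @param listAll include pools that are not suited to the unit's facts.
 * @param activeOn date to use as current time for lookup criteria; defaults to the current
 *        date and is ignored when {@code after} is given.
 * @param matches Find pools matching the given pattern in a variety of fields.
 *        * and ? wildcards are supported; may be specified multiple times. Null and empty
 *        patterns are ignored.
 * @param attrFilters attribute key/value filters; pools must carry matching attributes.
 * @param addFuture when true, adds future dated pools (relative to {@code activeOn}) to the
 *        result. Mutually exclusive with {@code onlyFuture} and {@code after}.
 * @param onlyFuture when true, returns only future dated pools (relative to
 *        {@code activeOn}). Mutually exclusive with {@code addFuture} and {@code after}.
 * @param after only return pools with a start date after the supplied date; overrides
 *        {@code activeOn}.
 * @param poolIds one or more pool IDs to restrict the output to; may be specified multiple
 *        times.
 * @param principal the calling principal, injected from the request context.
 * @param pageRequest paging parameters, injected from the request context.
 * @return a list of Pool objects
 * @throws NotFoundException if the owner or the given consumer does not exist
 * @throws BadRequestException if the consumer belongs to another owner, the activation key
 *         is unknown, or the future/after flags are combined inconsistently
 * @throws ForbiddenException if the principal may not read the given consumer
 * @httpcode 400
 * @httpcode 404
 * @httpcode 200
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("{owner_key}/pools")
@SuppressWarnings("checkstyle:indentation")
@ApiOperation(notes = "Retrieves a list of Pools for an Owner", value = "List Pools")
@ApiResponses({ @ApiResponse(code = 404, message = "Owner not found"),
    @ApiResponse(code = 400, message = "Invalid request") })
public List<PoolDTO> listPools(
    @PathParam("owner_key") @Verify(value = Owner.class, subResource = SubResource.POOLS) String ownerKey,
    @QueryParam("consumer") String consumerUuid,
    @QueryParam("activation_key") String activationKeyName,
    @QueryParam("product") String productId,
    @QueryParam("subscription") String subscriptionId,
    @ApiParam("Include pools that are not suited to the unit's facts.")
    @QueryParam("listall") @DefaultValue("false") boolean listAll,
    @ApiParam("Date to use as current time for lookup criteria. Defaults" +
        " to current date if not specified.")
    @QueryParam("activeon") @DefaultValue(DateFormat.NOW) @DateFormat Date activeOn,
    @ApiParam("Find pools matching the given pattern in a variety of fields;" +
        " * and ? wildcards are supported; may be specified multiple times")
    @QueryParam("matches") List<String> matches,
    @ApiParam("The attributes to return based on the specified types.")
    @QueryParam("attribute") @CandlepinParam(type = KeyValueParameter.class) List<KeyValueParameter> attrFilters,
    @ApiParam("When set to true, it will add future dated pools to the result, " +
        "based on the activeon date.")
    @QueryParam("add_future") @DefaultValue("false") boolean addFuture,
    @ApiParam("When set to true, it will return only future dated pools to the result, " +
        "based on the activeon date.")
    @QueryParam("only_future") @DefaultValue("false") boolean onlyFuture,
    @ApiParam("Will only return pools with a start date after the supplied date. " +
        "Overrides the activeOn date.")
    @QueryParam("after") @DateFormat Date after,
    @ApiParam("One or more pool IDs to use to filter the output; only pools with IDs matching " +
        "those provided will be returned; may be specified multiple times")
    @QueryParam("poolid") List<String> poolIds,
    @Context Principal principal,
    @Context PageRequest pageRequest) {

    Owner owner = findOwnerByKey(ownerKey);

    // The @Verify on the path only authorizes the owner. A consumer supplied as a query
    // parameter is not covered by it, so it gets its own ownership check and an explicit
    // read-access check against the principal before it can influence the result.
    Consumer c = null;
    if (consumerUuid != null) {
        c = consumerCurator.findByUuid(consumerUuid);
        if (c == null) {
            throw new NotFoundException(i18n.tr("Unit: {0} not found", consumerUuid));
        }

        // NOTE(review): the owner mismatch (400) is reported before the principal's access
        // to the consumer is checked (403), so a caller allowed to list this owner's pools
        // can tell whether a consumer UUID exists in another org. Left as-is because
        // clients may depend on these status codes; reorder only with API review.
        if (!c.getOwnerId().equals(owner.getId())) {
            throw new BadRequestException(
                i18n.tr("Consumer specified does not belong to owner on path"));
        }

        if (!principal.canAccess(c, SubResource.NONE, Access.READ_ONLY)) {
            throw new ForbiddenException(i18n.tr("User {0} cannot access consumer {1}",
                principal.getPrincipalName(), c.getUuid()));
        }
    }

    // Activation keys are resolved within the owner from the path, so a key name from
    // another org cannot be used here.
    ActivationKey key = null;
    if (activationKeyName != null) {
        key = activationKeyCurator.lookupForOwner(activationKeyName, owner);
        if (key == null) {
            throw new BadRequestException(
                i18n.tr("ActivationKey with id {0} could not be found.", activationKeyName));
        }
    }

    // The three date-window options are mutually exclusive.
    if (addFuture && onlyFuture) {
        throw new BadRequestException(
            i18n.tr("The flags add_future and only_future cannot be used at the same time."));
    }

    if (after != null && (addFuture || onlyFuture)) {
        throw new BadRequestException(
            i18n.tr("The flags add_future and only_future cannot be used with the parameter after."));
    }

    // "after" replaces the activeOn window entirely (the default activeOn is "now").
    if (after != null) {
        activeOn = null;
    }

    // Process the filters passed for the attributes. Multi-valued query parameters are
    // guarded against null like matches/poolIds below rather than relying on the
    // container always injecting an empty list.
    PoolFilterBuilder poolFilters = new PoolFilterBuilder();
    if (attrFilters != null) {
        for (KeyValueParameter filterParam : attrFilters) {
            poolFilters.addAttributeFilter(filterParam.key(), filterParam.value());
        }
    }

    if (matches != null) {
        matches.stream()
            .filter(elem -> elem != null && !elem.isEmpty())
            .forEach(poolFilters::addMatchesFilter);
    }

    if (poolIds != null && !poolIds.isEmpty()) {
        poolFilters.addIdFilters(poolIds);
    }

    Page<List<Pool>> page = poolManager.listAvailableEntitlementPools(c, key, owner.getId(),
        productId, subscriptionId, activeOn, listAll, poolFilters, pageRequest, addFuture,
        onlyFuture, after);

    List<Pool> poolList = page.getPageData();
    calculatedAttributesUtil.setCalculatedAttributes(poolList, activeOn);
    calculatedAttributesUtil.setQuantityAttributes(poolList, c, activeOn);

    // Store the page for the LinkHeaderResponseFilter
    ResteasyProviderFactory.pushContext(Page.class, page);

    List<PoolDTO> poolDTOs = new ArrayList<>(poolList.size());
    for (Pool pool : poolList) {
        poolDTOs.add(translator.translate(pool, PoolDTO.class));
    }

    return poolDTOs;
}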
Use of org.candlepin.auth.Access in project candlepin by candlepin.
The class VerifyAuthorizationFilter, method runFilter.
/**
 * Authorizes the current request against the {@code @Verify} annotations of the resource
 * method it maps to.
 *
 * <p>The principal is taken from the request's security context, the resource method from
 * the Resteasy context. If no annotated arguments can be resolved for the method the
 * filter fails closed with an {@link IseException} rather than letting the request through;
 * otherwise a failed {@link #hasAccess} check is turned into a denial via
 * {@code denyAccess}.
 *
 * @param requestContext the JAX-RS request being filtered
 * @throws IseException if no {@code @Verify} arguments could be resolved for the method
 */
@Override
public void runFilter(ContainerRequestContext requestContext) {
    HttpRequest httpRequest = ResteasyProviderFactory.getContextData(HttpRequest.class);
    Principal caller = (Principal) requestContext.getSecurityContext().getUserPrincipal();
    ResourceInfo info = ResteasyProviderFactory.getContextData(ResourceInfo.class);
    Method target = info.getResourceMethod();

    if (log.isDebugEnabled()) {
        log.debug("Authorization check for {} mapping to {}.{}",
            requestContext.getUriInfo().getPath(),
            target.getDeclaringClass().getName(),
            target.getName());
    }

    Map<Verify, Object> verifiedArgs = getArguments(httpRequest, target);

    // Couldn't find a match in Resteasy for method. Fail closed: a method that reaches this
    // filter is expected to carry @Verify arguments.
    if (verifiedArgs.isEmpty()) {
        /* It would also be possible to get here if a super-admin only method
         * were inadvertently being filtered through this filter. Normally the
         * AuthorizationFeature takes care of sending methods without any @Verify
         * annotations through the SuperAdminAuthorizationFilter */
        throw new IseException("Could not get parameters for " + target);
    }

    // Access level used for any @Verify that does not state its own requirement.
    Access fallbackAccess = getDefaultAccess(target);
    if (hasAccess(verifiedArgs, caller, fallbackAccess)) {
        return;
    }

    denyAccess(caller, target);
}
Use of org.candlepin.auth.Access in project candlepin by candlepin.
The class VerifyAuthorizationFilter, method hasAccess.
/**
 * Checks that the principal may access every entity referenced by the request's
 * {@code @Verify}-annotated arguments.
 *
 * <p>The result starts out as {@code false} and only becomes {@code true} once an entity
 * has actually passed {@code principal.canAccess}; the first failing entity aborts all
 * further checking. All entities found in a single request must belong to the same owner,
 * otherwise an {@link IseException} is thrown. On success the owner's key (and log level,
 * if set) is placed into the MDC for request logging.
 *
 * @param argMap resolved {@code @Verify} annotations mapped to the argument values they apply to
 * @param principal the caller being authorized
 * @param defaultAccess access level required for any {@code @Verify} whose {@code require()}
 *        is {@link Access#NONE}
 * @return {@code true} if every checked entity was accessible, {@code false} otherwise
 * @throws IseException if the referenced entities span more than one owner
 */
protected boolean hasAccess(Map<Verify, Object> argMap, Principal principal, Access defaultAccess) {
    // Fail closed: nothing is granted until an entity passes canAccess. An empty argMap,
    // or a first argument that resolves to no entities, therefore yields false.
    boolean hasAccess = false;
    Owner owner = null;

    for (Map.Entry<Verify, Object> entry : argMap.entrySet()) {
        List<Persisted> accessedObjects = new ArrayList<>();
        Object obj = entry.getValue();
        Verify verify = entry.getKey();
        Class<? extends Persisted> verifyType = verify.value();

        accessedObjects.addAll(getAccessedEntities(verify, obj));

        // Annotation-level requirement wins over the method's default access level.
        Access requiredAccess = defaultAccess;
        if (verify.require() != Access.NONE) {
            requiredAccess = verify.require();
        }

        log.debug("Verifying {} access to {}: {}", requiredAccess, verifyType, obj);

        SubResource subResource = verify.subResource();

        // NOTE(review): hasAccess is not reset per argument. If an argument after the first
        // resolves to zero entities, this loop body never runs and the verdict from the
        // previous arguments stands — confirm that is the intended semantics for lookups
        // that return nothing.
        for (Persisted entity : accessedObjects) {
            if (!principal.canAccess(entity, subResource, requiredAccess)) {
                hasAccess = false;
                break;
            }

            hasAccess = true;

            // Track the owner of everything touched so a single request cannot mix orgs.
            // The raw EntityStore cast relies on storeFactory returning a store for verifyType.
            Owner entityOwner = ((EntityStore) storeFactory.getFor(verifyType)).getOwner(entity);
            if (entityOwner != null) {
                if (owner != null && !owner.equals(entityOwner)) {
                    log.error("Found entities from multiple orgs in a single request");
                    throw new IseException("Found entities from multiple orgs in a single request");
                }

                owner = entityOwner;
            }
        }

        // Stop all further checking with any authorization failure
        if (!hasAccess) {
            break;
        }
    }

    // Expose the org to the logging context only for authorized requests.
    if (hasAccess && owner != null) {
        MDC.put("org", owner.getKey());

        if (owner.getLogLevel() != null) {
            MDC.put("orgLogLevel", owner.getLogLevel());
        }
    }

    return hasAccess;
}