
Example 31 with ForbiddenException

use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.

the class ConsumerResource method getHost.

@ApiOperation(notes = "Retrieves a Host Consumer of a Consumer", value = "getHost")
@ApiResponses({ @ApiResponse(code = 404, message = "") })
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/{consumer_uuid}/host")
public ConsumerDTO getHost(@PathParam("consumer_uuid") @Verify(Consumer.class) String consumerUuid, @Context Principal principal) {
    Consumer consumer = consumerCurator.verifyAndLookupConsumer(consumerUuid);
    if (consumer.getFact("virt.uuid") == null || consumer.getFact("virt.uuid").trim().equals("")) {
        throw new BadRequestException(i18n.tr("The system with UUID {0} is not a virtual guest.", consumer.getUuid()));
    }
    Consumer host = consumerCurator.getHost(consumer);
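    // host is null when no host is recorded for this guest; look up the owner only
    // when a host exists so the null check below is reached instead of an NPE.
    Owner hostOwner = host == null ? null : ownerCurator.findOwnerById(host.getOwnerId());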
    // current organization.
    if (host == null || principal.canAccess(hostOwner, SubResource.CONSUMERS, Access.READ_ONLY)) {
        return translator.translate(host, ConsumerDTO.class);
    }
    throw new ForbiddenException(i18n.tr("This host is under a different organization that you do not have access to"));
}
Also used : Owner(org.candlepin.model.Owner) ForbiddenException(org.candlepin.common.exceptions.ForbiddenException) DeletedConsumer(org.candlepin.model.DeletedConsumer) Consumer(org.candlepin.model.Consumer) BadRequestException(org.candlepin.common.exceptions.BadRequestException) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 32 with ForbiddenException

use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.

the class OwnerProductResource method removeBatchContent.

@ApiOperation(notes = "Removes one or more Content entities from a Product", value = "removeBatchContent")
@DELETE
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path("/{product_id}/batch_content")
@Transactional
public ProductDTO removeBatchContent(@PathParam("owner_key") String ownerKey, @PathParam("product_id") String productId, @ApiParam(name = "content", required = true) List<String> contentIds) {
    Owner owner = this.getOwnerByKey(ownerKey);
    Product product = this.fetchProduct(owner, productId);
    if (product.isLocked()) {
        throw new ForbiddenException(i18n.tr("product \"{0}\" is locked", product.getId()));
    }
    this.productCurator.lock(product);
    ProductDTO pdto = this.translator.translate(product, ProductDTO.class);
    // Impl note:
    // This is a wholly inefficient way of doing this. When we return to using ID-based linking
    // and we're not linking the universe with our model, we can just attach the IDs directly
    // without needing all this DTO conversion back and forth.
    // Alternatively, we can shut off Hibernate's auto-commit junk and get in the habit of
    // calling commit methods as necessary so we don't have to work with DTOs internally.
    boolean changed = false;
    for (String contentId : contentIds) {
        changed |= pdto.removeContent(contentId);
    }
    if (changed) {
        product = this.productManager.updateProduct(pdto, owner, true);
    }
    return this.translator.translate(product, ProductDTO.class);
}
Also used : Owner(org.candlepin.model.Owner) ForbiddenException(org.candlepin.common.exceptions.ForbiddenException) Product(org.candlepin.model.Product) ProductDTO(org.candlepin.dto.api.v1.ProductDTO) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) ApiOperation(io.swagger.annotations.ApiOperation) Transactional(com.google.inject.persist.Transactional)

Example 33 with ForbiddenException

use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.

the class OwnerProductResource method updateProduct.

@ApiOperation(notes = "Updates a Product", value = "updateProduct")
@ApiResponses({ @ApiResponse(code = 400, message = "") })
@PUT
@Path("/{product_id}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@Transactional
public ProductDTO updateProduct(@PathParam("owner_key") String ownerKey, @PathParam("product_id") String productId, @ApiParam(name = "update", required = true) ProductDTO update) {
    if (StringUtils.isEmpty(update.getId())) {
        update.setId(productId);
    } else if (!StringUtils.equals(update.getId(), productId)) {
        throw new BadRequestException(i18n.tr("Contradictory ids in update request: {0}, {1}", productId, update.getId()));
    }
    Owner owner = this.getOwnerByKey(ownerKey);
    Product existing = this.fetchProduct(owner, productId);
    if (existing.isLocked()) {
        throw new ForbiddenException(i18n.tr("product \"{0}\" is locked", existing.getId()));
    }
    this.productCurator.lock(existing);
    Product updated = this.productManager.updateProduct(update, owner, true);
    return this.translator.translate(updated, ProductDTO.class);
}
Also used : Owner(org.candlepin.model.Owner) ForbiddenException(org.candlepin.common.exceptions.ForbiddenException) BadRequestException(org.candlepin.common.exceptions.BadRequestException) Product(org.candlepin.model.Product) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) Consumes(javax.ws.rs.Consumes) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses) PUT(javax.ws.rs.PUT) Transactional(com.google.inject.persist.Transactional)

Example 34 with ForbiddenException

use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.

the class PoolResource method list.

/**
 * @deprecated Use the method on /owners
 * @return List of pools
 */
@ApiOperation(notes = "Retrieves a list of Pools @deprecated Use the method on /owners", value = "")
@ApiResponses({ @ApiResponse(code = 400, message = "if both consumer(unit) and owner are given, or if a" + " product id is specified without a consumer(unit) or owner"), @ApiResponse(code = 404, message = "if a specified consumer(unit) or owner is not found"), @ApiResponse(code = 403, message = "") })
@GET
@Produces(MediaType.APPLICATION_JSON)
@Wrapped(element = "pools")
@Deprecated
@SecurityHole
public List<PoolDTO> list(@QueryParam("owner") String ownerId, @QueryParam("consumer") String consumerUuid, @QueryParam("product") String productId, @ApiParam("Use with consumerUuid to list all pools available to the consumer. " + "This will include pools which would otherwise be omitted due to a rules" + " warning. (i.e. not recommended) Pools that trigger an error however will" + " still be omitted. (no entitlements available, consumer type mismatch, etc)") @QueryParam("listall") @DefaultValue("false") boolean listAll, @ApiParam("Uses ISO 8601 format") @QueryParam("activeon") String activeOn, @Context Principal principal, @Context PageRequest pageRequest) {
    // Make sure we were given sane query parameters:
    if (consumerUuid != null && ownerId != null) {
        throw new BadRequestException(i18n.tr("Cannot filter on both owner and unit"));
    }
    if (consumerUuid == null && ownerId == null && productId != null) {
        throw new BadRequestException(i18n.tr("A unit or owner is needed to filter on product"));
    }
    Date activeOnDate = activeOn != null ? ResourceDateParser.parseDateString(activeOn) : new Date();
    Consumer c = null;
    String oId = null;
    if (consumerUuid != null) {
        c = consumerCurator.findByUuid(consumerUuid);
        if (c == null) {
            throw new NotFoundException(i18n.tr("Unit: {0} not found", consumerUuid));
        }
        // Now that we have a consumer, check that this principal can access it:
        if (!principal.canAccess(c, SubResource.NONE, Access.READ_ONLY)) {
            throw new ForbiddenException(i18n.tr("User {0} cannot access unit {1}", principal.getPrincipalName(), consumerUuid));
        }
        if (listAll) {
            oId = c.getOwnerId();
        }
    }
    if (ownerId != null) {
        Owner o = ownerCurator.secureFind(ownerId);
        if (o == null) {
            throw new NotFoundException(i18n.tr("owner: {0}", ownerId));
        }
        oId = o.getId();
        // Now that we have an owner, check that this principal can access it:
        if (!principal.canAccess(o, SubResource.POOLS, Access.READ_ONLY)) {
            throw new ForbiddenException(i18n.tr("User {0} cannot access owner {1}", principal.getPrincipalName(), o.getKey()));
        }
    }
    // the system).
    if (consumerUuid == null && ownerId == null && !principal.hasFullAccess()) {
        throw new ForbiddenException(i18n.tr("User {0} cannot access all pools.", principal.getPrincipalName()));
    }
    Page<List<Pool>> page = poolManager.listAvailableEntitlementPools(c, null, oId, productId, null, activeOnDate, listAll, new PoolFilterBuilder(), pageRequest, false, false, null);
    List<Pool> poolList = page.getPageData();
    calculatedAttributesUtil.setCalculatedAttributes(poolList, activeOnDate);
    calculatedAttributesUtil.setQuantityAttributes(poolList, c, activeOnDate);
    // Store the page for the LinkHeaderResponseFilter
    ResteasyProviderFactory.pushContext(Page.class, page);
    List<PoolDTO> poolDTOs = new ArrayList<>();
    for (Pool pool : poolList) {
        poolDTOs.add(translator.translate(pool, PoolDTO.class));
    }
    return poolDTOs;
}
Also used : ForbiddenException(org.candlepin.common.exceptions.ForbiddenException) Owner(org.candlepin.model.Owner) ArrayList(java.util.ArrayList) NotFoundException(org.candlepin.common.exceptions.NotFoundException) PoolDTO(org.candlepin.dto.api.v1.PoolDTO) Date(java.util.Date) Consumer(org.candlepin.model.Consumer) BadRequestException(org.candlepin.common.exceptions.BadRequestException) PoolFilterBuilder(org.candlepin.model.PoolFilterBuilder) List(java.util.List) ArrayList(java.util.ArrayList) Pool(org.candlepin.model.Pool) SecurityHole(org.candlepin.common.auth.SecurityHole) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) Wrapped(org.jboss.resteasy.annotations.providers.jaxb.Wrapped) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)

Example 35 with ForbiddenException

use of org.candlepin.common.exceptions.ForbiddenException in project candlepin by candlepin.

the class PoolResource method getPool.

@ApiOperation(notes = "Retrieves a single Pool", value = "getPool")
@ApiResponses({ @ApiResponse(code = 404, message = "if the pool with the specified id is not found"), @ApiResponse(code = 404, message = "") })
@GET
@Path("/{pool_id}")
@Produces(MediaType.APPLICATION_JSON)
public PoolDTO getPool(@PathParam("pool_id") @Verify(Pool.class) String id, @QueryParam("consumer") String consumerUuid, @ApiParam("Uses ISO 8601 format") @QueryParam("activeon") String activeOn, @Context Principal principal) {
    Pool toReturn = poolManager.find(id);
    Consumer c = null;
    if (consumerUuid != null) {
        c = consumerCurator.findByUuid(consumerUuid);
        if (c == null) {
            throw new NotFoundException(i18n.tr("consumer: {0} not found", consumerUuid));
        }
        if (!principal.canAccess(c, SubResource.NONE, Access.READ_ONLY)) {
            throw new ForbiddenException(i18n.tr("User {0} cannot access consumer {1}", principal.getPrincipalName(), c.getUuid()));
        }
    }
    if (toReturn != null) {
        Date activeOnDate = new Date();
        if (activeOn != null) {
            activeOnDate = ResourceDateParser.parseDateString(activeOn);
        }
        toReturn.setCalculatedAttributes(calculatedAttributesUtil.buildCalculatedAttributes(toReturn, activeOnDate));
        calculatedAttributesUtil.setQuantityAttributes(toReturn, c, activeOnDate);
        return translator.translate(toReturn, PoolDTO.class);
    }
    throw new NotFoundException(i18n.tr("Subscription Pool with ID \"{0}\" could not be found.", id));
}
Also used : ForbiddenException(org.candlepin.common.exceptions.ForbiddenException) Consumer(org.candlepin.model.Consumer) NotFoundException(org.candlepin.common.exceptions.NotFoundException) Pool(org.candlepin.model.Pool) Date(java.util.Date) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) ApiOperation(io.swagger.annotations.ApiOperation) ApiResponses(io.swagger.annotations.ApiResponses)
