Example 1 with MCRAccessControlSystem

Use of org.mycore.access.mcrimpl.MCRAccessControlSystem in the project mycore by MyCoRe-Org.

From the class MCRRestAPIUtil, method checkRestAPIAccess. The method performs a two-level ACL check for a REST API call: first the global rule 'restapi:/', then an optional path-specific rule 'restapi:<path>'. Every path that is not an explicit allow ends in a 403 FORBIDDEN, including the case where the client address cannot be parsed.

// Imports needed by this excerpt. The java.*, org.mycore.access.mcrimpl.* and
// org.mycore.restapi.v1.errors.* imports are the ones the page lists under
// "Also used"; the remaining MyCoRe-internal packages are inferred from the
// MyCoRe source tree. MCRRestAPIACLPermission is a nested enum of
// MCRRestAPIUtil itself, so it needs no import here.
import java.net.UnknownHostException;
import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response.Status;

import org.mycore.access.mcrimpl.MCRAccessControlSystem;
import org.mycore.access.mcrimpl.MCRAccessRule;
import org.mycore.access.mcrimpl.MCRIPAddress;
import org.mycore.common.MCRSessionMgr;
import org.mycore.common.MCRSystemUserInformation;
import org.mycore.common.MCRUserInformation;
import org.mycore.frontend.MCRFrontendUtil;
import org.mycore.restapi.v1.errors.MCRRestAPIError;
import org.mycore.restapi.v1.errors.MCRRestAPIException;
import org.mycore.restapi.v1.utils.MCRJSONWebTokenUtil;
import org.mycore.user2.MCRUserManager;

/**
 * Checks if the given REST API operation is allowed.
 * @param request - the HTTP request
 * @param permission "read" or "write"
 * @param path - the REST API path, e.g. /v1/messages
 *
 * @throws MCRRestAPIException if access is restricted
 */
public static void checkRestAPIAccess(HttpServletRequest request, MCRRestAPIACLPermission permission, String path) throws MCRRestAPIException {
    // save the current user and set REST API user into session,
    // because ACL System can only validate the current user in session.
    MCRUserInformation oldUser = MCRSessionMgr.getCurrentSession().getUserInformation();
    try {
        // identity comes from the JWT on the request; null if no token was presented
        String userID = MCRJSONWebTokenUtil.retrieveUsernameFromAuthenticationToken(request);
        if (userID != null) {
            if (MCRSystemUserInformation.getGuestInstance().getUserID().equals(userID)) {
                MCRSessionMgr.getCurrentSession().setUserInformation(MCRSystemUserInformation.getGuestInstance());
            } else {
                MCRSessionMgr.getCurrentSession().setUserInformation(MCRUserManager.getUser(userID));
            }
        }
        // note: without a token the session user is left unchanged and the ACL
        // checks below are evaluated with userID == null
        MCRIPAddress theIP = new MCRIPAddress(MCRFrontendUtil.getRemoteAddr(request));
        // normalise so that "v1/messages" and "/v1/messages" resolve to the same rule
        String thePath = path.startsWith("/") ? path : "/" + path;
        // level 1: the global switch for the whole REST API
        boolean hasAPIAccess = ((MCRAccessControlSystem) MCRAccessControlSystem.instance()).checkAccess("restapi:/", permission.toString(), userID, theIP);
        if (hasAPIAccess) {
            // level 2: an optional path-specific rule; if none exists, the global decision stands
            MCRAccessRule rule = (MCRAccessRule) MCRAccessControlSystem.instance().getAccessRule("restapi:" + thePath, permission.toString());
            if (rule != null) {
                if (rule.checkAccess(userID, new Date(), theIP)) {
                    return;
                }
            } else {
                return;
            }
        }
    } catch (UnknownHostException e) {
        // an unparseable client address is ignored here; nothing is returned,
        // so the method falls through to the FORBIDDEN below (fail closed)
    } finally {
        // always restore the caller's session user, whatever the outcome
        MCRSessionMgr.getCurrentSession().setUserInformation(oldUser);
    }
    throw new MCRRestAPIException(Status.FORBIDDEN,
        new MCRRestAPIError(MCRRestAPIError.CODE_ACCESS_DENIED,
            "REST-API action is not allowed.",
            "Check access right '" + permission + "' on ACLs 'restapi:/' and 'restapi:" + path + "'!"));
}
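The decision order above is easy to misread, so here is an added, self-contained illustration of it (this is not MyCoRe code and does not use the MyCoRe API; the AclSystem, Rule, AccessDenied and parseAddress stand-ins and the sample policy are all constructed for this example). It reproduces the two-level "restapi:/" then "restapi:<path>" evaluation, the path normalisation, and the fail-closed handling of a lookup error, and walks through the four outcomes a practitioner should expect: global allow with no specific rule, global allow overridden by a specific deny, both levels allowing after path normalisation, and a deny at the global level.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added illustration (not MyCoRe code): a minimal in-memory model of the
 * two-level decision made by MCRRestAPIUtil.checkRestAPIAccess.
 * All class names, rule names and sample users below are constructed.
 */
public class RestApiAclDemo {

    /** Stand-in for MCRRestAPIException. */
    static class AccessDenied extends Exception {
        AccessDenied(String msg) { super(msg); }
    }

    /** One access rule: an explicit allow/deny per user plus a default for everyone else. */
    static class Rule {
        final boolean defaultAllow;
        final Map<String, Boolean> perUser = new HashMap<>();
        Rule(boolean defaultAllow) { this.defaultAllow = defaultAllow; }
        Rule user(String id, boolean allow) { perUser.put(id, allow); return this; }
        boolean checkAccess(String userId) { return perUser.getOrDefault(userId, defaultAllow); }
    }

    /** Stand-in for MCRAccessControlSystem, keyed by object id and permission. */
    static class AclSystem {
        private final Map<String, Rule> rules = new HashMap<>();
        void put(String objectId, String permission, Rule r) { rules.put(objectId + " " + permission, r); }
        Optional<Rule> getAccessRule(String objectId, String permission) {
            return Optional.ofNullable(rules.get(objectId + " " + permission));
        }
        /** No rule at all for an object means deny. */
        boolean checkAccess(String objectId, String permission, String userId) {
            return getAccessRule(objectId, permission).map(r -> r.checkAccess(userId)).orElse(false);
        }
    }

    /** Stand-in for MCRIPAddress: accepts dotted-quad IPv4 only, throws on anything else. */
    static void parseAddress(String addr) {
        if (!addr.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            throw new IllegalArgumentException("bad address " + addr);
        }
    }

    /** Mirrors the decision order of checkRestAPIAccess: every non-allow path throws. */
    static void checkRestApiAccess(AclSystem acl, String userId, String permission,
                                   String path, String remoteAddr) throws AccessDenied {
        try {
            parseAddress(remoteAddr);
            String thePath = path.startsWith("/") ? path : "/" + path;
            if (acl.checkAccess("restapi:/", permission, userId)) {          // level 1: global switch
                Optional<Rule> rule = acl.getAccessRule("restapi:" + thePath, permission);
                if (!rule.isPresent()) {
                    return;                 // global allow and no specific rule: the global decision stands
                }
                if (rule.get().checkAccess(userId)) {
                    return;                 // global allow and specific allow
                }
            }
        } catch (IllegalArgumentException e) {
            // mirrors the ignored UnknownHostException: nothing is returned, so we fail closed
        }
        throw new AccessDenied("Check access right '" + permission
            + "' on ACLs 'restapi:/' and 'restapi:" + path + "'!");
    }

    static String decide(AclSystem acl, String user, String perm, String path, String ip) {
        try {
            checkRestApiAccess(acl, user, perm, path, ip);
            return "ALLOW";
        } catch (AccessDenied e) {
            return "FORBIDDEN";
        }
    }

    public static void main(String[] args) {
        AclSystem acl = new AclSystem();
        // constructed sample policy: everyone may read; only editor and admin may write
        // anywhere; writes to /v1/messages are further restricted to admin
        acl.put("restapi:/", "read", new Rule(true));
        acl.put("restapi:/", "write", new Rule(false).user("editor", true).user("admin", true));
        acl.put("restapi:/v1/messages", "write", new Rule(false).user("admin", true));

        System.out.println(decide(acl, "guest", "read", "/v1/messages", "10.0.0.5"));   // global allow, no specific read rule
        System.out.println(decide(acl, "editor", "write", "/v1/messages", "10.0.0.5"));  // global allow, specific rule denies editor
        System.out.println(decide(acl, "admin", "write", "v1/messages", "10.0.0.5"));    // path normalised, both levels allow
        System.out.println(decide(acl, "guest", "write", "/v1/other", "10.0.0.5"));      // denied at restapi:/ already
        System.out.println(decide(acl, "admin", "read", "/v1/messages", "not-an-ip"));   // address lookup fails, so the check fails closed
    }
}
```

The point to take from the last case: because the catch block returns nothing, a bad client address never degrades into an allow. The same holds in the original for UnknownHostException; if that catch were ever changed to return early, the endpoint would silently open up.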
Also used:
MCRIPAddress (org.mycore.access.mcrimpl.MCRIPAddress)
MCRRestAPIException (org.mycore.restapi.v1.errors.MCRRestAPIException)
UnknownHostException (java.net.UnknownHostException)
MCRRestAPIError (org.mycore.restapi.v1.errors.MCRRestAPIError)
MCRAccessRule (org.mycore.access.mcrimpl.MCRAccessRule)
MCRAccessControlSystem (org.mycore.access.mcrimpl.MCRAccessControlSystem)
MCRUserInformation (org.mycore.common.MCRUserInformation)
Date (java.util.Date)
