Example 1 with Authority

Use of org.pmiops.workbench.model.Authority in the project workbench by all-of-us.

Class AuthInterceptor, method hasRequiredAuthority.

boolean hasRequiredAuthority(Method controllerMethod, User user) {
    String controllerMethodName = controllerMethod.getDeclaringClass().getName() + "." + controllerMethod.getName();
    AuthorityRequired req = controllerMethod.getAnnotation(AuthorityRequired.class);
    if (req != null) {
        if (user == null) {
            throw new BadRequestException("User is not initialized; please register");
        }
        // Fetch the user with authorities, since they aren't loaded during normal
        user = userDao.findUserWithAuthorities(user.getUserId());
        Collection<Authority> granted = user.getAuthorities();
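        // Every authority listed in @AuthorityRequired must be granted to the user.
        if (granted.containsAll(Arrays.asList(req.value()))) {
            return true;
        } else {
            // Log the denied request with the required and the granted authorities.
            log.log(Level.INFO, "{0} required authorities {1} but user had only {2}.",
                    new Object[] { controllerMethodName, Arrays.toString(req.value()),
                            Arrays.toString(granted.toArray()) });
            return false;
        }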
    }
    // No @AuthorityRequired annotation found at runtime, default to allowed.
    return true;
}
Also used: Authority (org.pmiops.workbench.model.Authority), AuthorityRequired (org.pmiops.workbench.annotations.AuthorityRequired), BadRequestException (org.pmiops.workbench.exceptions.BadRequestException)

Example 2 with Authority

Use of org.pmiops.workbench.model.Authority in the project workbench by all-of-us.

Class AuthInterceptorTest, method authorityCheckPermitsWhenUserHasAuthority.

@Test
public void authorityCheckPermitsWhenUserHasAuthority() throws Exception {
    User userWithAuthorities = new User();
    Set<Authority> required = new HashSet<Authority>();
    required.add(Authority.REVIEW_RESEARCH_PURPOSE);
    userWithAuthorities.setAuthorities(required);
    when(userDao.findUserWithAuthorities(USER_ID)).thenReturn(userWithAuthorities);
    Method apiControllerMethod = FakeApiController.class.getMethod("handle");
    assertThat(interceptor.hasRequiredAuthority(apiControllerMethod, user)).isTrue();
}
Also used: User (org.pmiops.workbench.db.model.User), Authority (org.pmiops.workbench.model.Authority), HandlerMethod (org.springframework.web.method.HandlerMethod), Method (java.lang.reflect.Method), HashSet (java.util.HashSet), Test (org.junit.Test)
