Commit 0c3c1f0d authored by michael.simon's avatar michael.simon

Check service admin roles for access

parent 5c57038a
......@@ -32,4 +32,8 @@ public interface RoleDao extends BaseDao<RoleEntity, Long> {
void deleteUserRole(Long userId, String roleName);
Boolean checkUserInRole(Long userId, String roleName);
Boolean checkAdminUserInRole(Long userId, String roleName);
}
......@@ -61,6 +61,24 @@ public class JpaRoleDao extends JpaBaseDao<RoleEntity, Long> implements RoleDao
.setParameter("userId", userId).getResultList();
}
@SuppressWarnings("unchecked")
@Override
public Boolean checkUserInRole(Long userId, String roleName) {
List<RoleEntity> roleList = em.createQuery("select r.role from UserRoleEntity r where r.user.id = :userId and r.role.name = :roleName")
.setParameter("userId", userId).setParameter("roleName", roleName).getResultList();
return (roleList.size() > 0 ? Boolean.TRUE : Boolean.FALSE);
}
@SuppressWarnings("unchecked")
@Override
public Boolean checkAdminUserInRole(Long userId, String roleName) {
List<RoleEntity> roleList = em.createQuery("select u.roles from AdminUserEntity u where u.id = :userId")
.setParameter("userId", userId).getResultList();
List<RoleEntity> roleList2 = em.createQuery("select r from RoleEntity r where r.name = :roleName and r in :roleList")
.setParameter("roleList", roleList).setParameter("roleName", roleName).getResultList();
return (roleList2.size() > 0 ? Boolean.TRUE : Boolean.FALSE);
}
@Override
public RoleEntity findWithUsers(Long id) {
CriteriaBuilder builder = em.getCriteriaBuilder();
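Review bot: `checkAdminUserInRole` feeds the result of the first query into the `IN :roleList` clause of the second, and that collection is empty whenever the admin user has no roles or the id does not exist; JPQL `IN` with an empty collection parameter is not portable and on common providers fails at query time instead of yielding an empty result, so the check would throw rather than return `Boolean.FALSE`. Both queries collapse into a single join that has no empty-collection case: `select r from AdminUserEntity u join u.roles r where u.id = :userId and r.name = :roleName`. Written as a `TypedQuery<RoleEntity>` via `em.createQuery(jpql, RoleEntity.class)` this also removes the need for `@SuppressWarnings("unchecked")` on both new methods, and `checkUserInRole` in the same hunk reads the same way. `findWithUsers` at the end of the hunk continues outside it.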
......@@ -29,4 +29,8 @@ public interface RoleService extends BaseService<RoleEntity, Long> {
void removeUserFromRole(UserEntity user, String roleName);
Boolean checkUserInRole(Long userId, String roleName);
Boolean checkAdminUserInRole(Long userId, String roleName);
}
......@@ -54,6 +54,16 @@ public class RoleServiceImpl extends BaseServiceImpl<RoleEntity, Long> implement
return dao.findByUserId(userId);
}
@Override
public Boolean checkUserInRole(Long userId, String roleName) {
return dao.checkUserInRole(userId, roleName);
}
@Override
public Boolean checkAdminUserInRole(Long userId, String roleName) {
return dao.checkAdminUserInRole(userId, roleName);
}
@Override
public RoleEntity findWithUsers(Long id) {
return dao.findWithUsers(id);
......@@ -23,10 +23,15 @@ import javax.ws.rs.core.Context;
import edu.kit.scc.webreg.dto.entity.RegistryEntityDto;
import edu.kit.scc.webreg.dto.service.RegistryDtoService;
import edu.kit.scc.webreg.entity.RoleEntity;
import edu.kit.scc.webreg.entity.ServiceEntity;
import edu.kit.scc.webreg.entity.UserEntity;
import edu.kit.scc.webreg.rest.exc.NoItemFoundException;
import edu.kit.scc.webreg.rest.exc.UnauthorizedException;
import edu.kit.scc.webreg.sec.SecurityFilter;
import edu.kit.scc.webreg.service.AdminUserService;
import edu.kit.scc.webreg.service.RegistryService;
import edu.kit.scc.webreg.service.RoleService;
import edu.kit.scc.webreg.service.ServiceService;
import edu.kit.scc.webreg.service.UserService;
......@@ -42,6 +47,12 @@ public class ServiceAdminController {
@Inject
private UserService userService;
@Inject
private AdminUserService adminUserService;
@Inject
private RoleService roleService;
@Inject
private ServiceService serviceService;
......@@ -49,15 +60,27 @@ public class ServiceAdminController {
@Produces({"application/json"})
@GET
public List<RegistryEntityDto> list(@PathParam("ssn") String ssn, @Context HttpServletRequest request)
throws IOException, NoItemFoundException {
throws IOException, UnauthorizedException {
ServiceEntity serviceEntity = serviceService.findByShortName(ssn);
System.out.println("" + request.getAttribute(SecurityFilter.ADMIN_USER_ID));
System.out.println("" + request.getAttribute(SecurityFilter.USER_ID));
List<RegistryEntityDto> deproList = registryDtoService.findRegistriesForDepro(serviceEntity.getShortName());
return deproList;
if (request.getAttribute(SecurityFilter.USER_ID) != null &&
request.getAttribute(SecurityFilter.USER_ID) instanceof Long) {
Long userId = (Long) request.getAttribute(SecurityFilter.USER_ID);
Boolean check = roleService.checkUserInRole(userId, serviceEntity.getAdminRole().getName());
if (! check)
throw new UnauthorizedException("No access");
}
else if (request.getAttribute(SecurityFilter.ADMIN_USER_ID) != null &&
request.getAttribute(SecurityFilter.ADMIN_USER_ID) instanceof Long) {
Long adminUserId = (Long) request.getAttribute(SecurityFilter.ADMIN_USER_ID);
Boolean check = roleService.checkAdminUserInRole(adminUserId, serviceEntity.getAdminRole().getName());
if (! check)
throw new UnauthorizedException("No access");
}
List<RegistryEntityDto> deproList = registryDtoService.findRegistriesForDepro(serviceEntity.getShortName());
return deproList;
}
}
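Review bot: The role check added to `list()` is fail-open: when the request carries neither `SecurityFilter.USER_ID` nor `SecurityFilter.ADMIN_USER_ID` as a `Long`, both the `if` and the `else if` branch are skipped and the registry list is returned with no authorization decision at all. Unless SecurityFilter is guaranteed to reject such requests before they reach this resource (nothing in this hunk shows that), close the chain with `else { throw new UnauthorizedException("No access"); }` so the default is deny. The rewrite also drops `NoItemFoundException` from the throws clause while `serviceService.findByShortName(ssn)` can presumably still return null for an unknown short name, in which case `serviceEntity.getAdminRole().getName()` fails with a NullPointerException (a 500 that also reveals whether the name exists) before any check runs; keep a guard such as `if (serviceEntity == null || serviceEntity.getAdminRole() == null) throw new UnauthorizedException("No access");` right after the lookup. When both attributes are present only the user-role branch runs; if that precedence is intended it deserves a one-line comment.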
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.rest.exc;
public class UnauthorizedException extends RestInterfaceException {
private static final long serialVersionUID = 1L;
public UnauthorizedException(String message) {
super(message);
}
}
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.rest.exc;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
@Provider
public class UnauthorizedExceptionMapper implements ExceptionMapper<UnauthorizedException> {
@Override
public Response toResponse(UnauthorizedException ex) {
return Response.status(401).entity(ex.getMessage())
.type(MediaType.TEXT_PLAIN).build();
}
}
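Review bot: `toResponse` maps a failed role check to status 401, but the caller at that point has already been identified (a user or admin-user id was present) and merely lacks the role, which is the 403 Forbidden case; 401 is defined for missing or invalid credentials and is expected to carry a `WWW-Authenticate` header, which this response does not set. Consider `Response.status(Response.Status.FORBIDDEN)` here, or reserve 401 for the unauthenticated path if SecurityFilter routes that through the same exception. Echoing `ex.getMessage()` is fine as long as callers keep passing fixed strings such as "No access" rather than request-derived text.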