From d7a35d13cd691e6821f774b624e4203a404e67d9 Mon Sep 17 00:00:00 2001
From: Roberto Sánchez <roberto.sanchez@curisit.net>
Date: Tue, 21 Jan 2014 10:16:13 +0000
Subject: [PATCH] #396 feature - Added authorization management

---
 securis/src/main/java/net/curisit/securis/services/OrganizationResource.java |   43 +++++++++++++++++++++++++++++++++++++------
 1 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/securis/src/main/java/net/curisit/securis/services/OrganizationResource.java b/securis/src/main/java/net/curisit/securis/services/OrganizationResource.java
index 71b5441..e13bd7b 100644
--- a/securis/src/main/java/net/curisit/securis/services/OrganizationResource.java
+++ b/securis/src/main/java/net/curisit/securis/services/OrganizationResource.java
@@ -4,6 +4,7 @@
 import java.util.Date;
 import java.util.List;
 
+import javax.annotation.security.RolesAllowed;
 import javax.inject.Inject;
 import javax.inject.Provider;
 import javax.persistence.EntityManager;
@@ -27,8 +28,11 @@
 import net.curisit.securis.SecurisErrorHandler;
 import net.curisit.securis.db.Organization;
 import net.curisit.securis.db.User;
+import net.curisit.securis.security.BasicSecurityContext;
+import net.curisit.securis.security.Securable;
 import net.curisit.securis.utils.TokenHelper;
 
+import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -45,10 +49,7 @@
 	private static final Logger log = LoggerFactory.getLogger(OrganizationResource.class);
 
 	@Inject
-	TokenHelper tokenHelper;
-
-	@Inject
-	Provider<EntityManager> emProvider;
+	private Provider<EntityManager> emProvider;
 
 	public OrganizationResource() {
 	}
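Review bot: The `tokenHelper` injection is removed here, but the `@HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token` parameters on `get`, `create` and `modify` in the later hunks are kept; if token validation now happens in the `@Securable` interceptor rather than in these methods, those parameters are dead and should be dropped so the token is handled in exactly one place. Whether the method bodies outside the hunks still read `token` is not visible in this diff, so confirm before removing. Narrowing `emProvider` to `private` is fine since nothing in the hunk suggests subclass access.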
@@ -61,11 +62,30 @@
 	@Path("/")
 	@Produces(
 		{ MediaType.APPLICATION_JSON })
-	public Response index() {
+	@Securable
+	// @RolesAllowed(SecurityContextWrapper.ROL_ADVANCE)
+	public Response index(@Context BasicSecurityContext bsc) {
 		log.info("Getting organizations list ");
 
+		// log.info("User orgs: {}", request.getAttribute("oser_orgs"));
+		BasicSecurityContext bsc2 = ResteasyProviderFactory.getContextData(BasicSecurityContext.class);
+		log.info("bsc: {}", bsc);
+		log.info("bsc2: {}", bsc2);
+		// log.info("securityContext: {}", scw);
+		log.info("securityContext ROL_ADMIN?: {}", bsc.isUserInRole(BasicSecurityContext.ROL_ADMIN));
 		EntityManager em = emProvider.get();
-		TypedQuery<Organization> q = em.createNamedQuery("list-organizations", Organization.class);
+		TypedQuery<Organization> q;
+		if (bsc.isUserInRole(BasicSecurityContext.ROL_ADMIN)) {
+			log.info("GEtting all orgs for user: " + bsc.getUserPrincipal());
+			q = em.createNamedQuery("list-organizations", Organization.class);
+		} else {
+			q = em.createNamedQuery("list-organizations", Organization.class);
+			// if (securityContext.getOrganizationsIds() == null)
+			// Response.ok().build();
+			// log.info("Getting only {} orgs for user: {}", securityContext.getOrganizationsIds(), securityContext.getUserPrincipal());
+			// q = em.createNamedQuery("list-organizations-by-ids", Organization.class);
+			// q.setParameter("list_ids", securityContext.getOrganizationsIds());
+		}
 
 		List<Organization> list = q.getResultList();
 
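Review bot: In the `else` branch of `index`, `q = em.createNamedQuery("list-organizations", Organization.class);` is the same unfiltered query as the admin branch, so a non-admin caller still receives every organization and the new `@Securable` apparently restricts nothing here; the per-organization filtering exists only as commented-out code. Until the `list-organizations-by-ids` query is wired up, the branch should fail closed, e.g. `return Response.status(Status.FORBIDDEN).build();`, rather than fall through to the full list. The `log.info` lines that dump `bsc`, `bsc2` and the role check are debugging output that logs security-context contents at info level; drop them or lower them to debug, and replace `"GEtting all orgs for user: " + bsc.getUserPrincipal()` with the parameterized form `log.info("Getting all orgs for user: {}", bsc.getUserPrincipal());`. Whether `@Context` actually injects a `BasicSecurityContext` is not visible here, and the second lookup through `ResteasyProviderFactory.getContextData` suggests it is unsettled; if `bsc` can be null the `isUserInRole` calls throw, so pick one resolution path and guard it. The body of `index` continues past the end of the hunk.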
@@ -80,12 +100,17 @@
 	@Path("/{orgid}")
 	@Produces(
 		{ MediaType.APPLICATION_JSON })
+	@Securable
 	public Response get(@PathParam("orgid") String orgid, @HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token) {
 		log.info("Getting organization data for id: {}: ", orgid);
 		if (orgid == null || orgid.equals("")) {
 			log.error("Organization ID is mandatory");
 			return Response.status(Status.NOT_FOUND).build();
 		}
+		// if (!securityContext.isOrgAccesible(Integer.parseInt(orgid))) {
+		// log.error("Organization with id {} not accessible for user: {}", orgid, securityContext.getUserPrincipal());
+		// return Response.status(Status.UNAUTHORIZED).build();
+		// }
 
 		EntityManager em = emProvider.get();
 		Organization lt = em.find(Organization.class, Integer.parseInt(orgid));
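Review bot: `get` is marked `@Securable` with no role restriction, and the per-organization access check exists only as the commented-out `securityContext.isOrgAccesible(...)` block, so any authenticated caller can read any organization by id. If the check cannot be wired in this commit, leave a tracked marker instead of dead code, e.g. `// TODO(#396): enforce per-organization access for non-admin callers before returning the entity`, and when it lands prefer `Status.FORBIDDEN` over the commented `UNAUTHORIZED`, which signals a missing credential rather than a denied one. `Integer.parseInt(orgid)` on the context line below throws `NumberFormatException` for a non-numeric id and will surface as a 500 rather than the 404 already returned for an empty id; that predates this commit but matters more now that the endpoint is reachable by non-admin users. The body of `get` continues past the end of the hunk.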
@@ -111,6 +136,8 @@
 	@Produces(
 		{ MediaType.APPLICATION_JSON })
 	@Transactional
+	@Securable
+	@RolesAllowed(BasicSecurityContext.ROL_ADMIN)
 	public Response create(Organization org, @HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token) {
 		log.info("Creating new organization");
 		EntityManager em = emProvider.get();
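Review bot: `@RolesAllowed(BasicSecurityContext.ROL_ADMIN)` on `create`, and the identical pair on `modify` and `delete` in the next two hunks, only protects the endpoint if the runtime enforces the annotation; with RESTEasy that depends on role-based security being enabled and on a security context that answers `isUserInRole` for these roles, neither of which is visible in this diff. Because a misconfiguration here fails open silently, this should be confirmed with a test that a non-admin caller receives 403 on POST, PUT and DELETE of an organization. The commented `// @RolesAllowed(SecurityContextWrapper.ROL_ADVANCE)` on `index` references a different class than the `BasicSecurityContext` constants used here; if `SecurityContextWrapper` is gone, that comment should go too. The body of `create` continues past the end of the hunk.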
@@ -151,6 +178,8 @@
 	@Consumes(MediaType.APPLICATION_JSON)
 	@Produces(
 		{ MediaType.APPLICATION_JSON })
+	@Securable
+	@RolesAllowed(BasicSecurityContext.ROL_ADMIN)
 	public Response modify(Organization org, @PathParam("orgid") String orgid, @HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token) {
 		log.info("Modifying organization with id: {}", orgid);
 		EntityManager em = emProvider.get();
@@ -201,6 +230,8 @@
 	@Transactional
 	@Produces(
 		{ MediaType.APPLICATION_JSON })
+	@Securable
+	@RolesAllowed(BasicSecurityContext.ROL_ADMIN)
 	public Response delete(@PathParam("orgid") String orgid, @Context HttpServletRequest request) {
 		log.info("Deleting organization with id: {}", orgid);
 		EntityManager em = emProvider.get();

--
Gitblit v1.3.2