From 79121484b7e6f721f5435a102018152a164ed655 Mon Sep 17 00:00:00 2001
From: Roberto Sánchez <roberto.sanchez@curisit.net>
Date: Wed, 22 Jan 2014 18:55:29 +0000
Subject: [PATCH] #395 feature - Implemented pack section
---
securis/src/main/java/net/curisit/securis/services/PackResource.java | 59 ++++++++++++++++++++++++++++++++++++++++-------------------
1 files changed, 40 insertions(+), 19 deletions(-)
diff --git a/securis/src/main/java/net/curisit/securis/services/PackResource.java b/securis/src/main/java/net/curisit/securis/services/PackResource.java
index 313732f..c6927a2 100644
--- a/securis/src/main/java/net/curisit/securis/services/PackResource.java
+++ b/securis/src/main/java/net/curisit/securis/services/PackResource.java
@@ -1,8 +1,10 @@
package net.curisit.securis.services;
+import java.security.Principal;
import java.util.Date;
import java.util.List;
+import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.persistence.EntityManager;
@@ -23,10 +25,10 @@
import javax.ws.rs.core.Response.Status;
import net.curisit.integrity.commons.Utils;
-import net.curisit.integrity.exception.CurisException;
import net.curisit.securis.DefaultExceptionHandler;
import net.curisit.securis.db.Pack;
-import net.curisit.securis.db.User;
+import net.curisit.securis.security.BasicSecurityContext;
+import net.curisit.securis.security.Securable;
import net.curisit.securis.utils.TokenHelper;
import org.slf4j.Logger;
@@ -59,17 +61,35 @@
*/
@GET
@Path("/")
+ @Securable
@Produces(
{ MediaType.APPLICATION_JSON })
- public Response index() {
+ public Response index(@Context BasicSecurityContext bsc) {
log.info("Getting packs list ");
EntityManager em = emProvider.get();
- TypedQuery<Pack> q = em.createNamedQuery("list-packs-by-orgs", Pack.class);
+ // TypedQuery<Pack> q = em.createNamedQuery("list-packs-by-orgs", Pack.class);
+
+ TypedQuery<Pack> q;
+ if (bsc.isUserInRole(BasicSecurityContext.ROL_ADMIN)) {
+ log.info("Getting all packs for user: " + bsc.getUserPrincipal());
+ q = em.createNamedQuery("list-packs", Pack.class);
+ } else {
+ q = em.createNamedQuery("list-packs-by-orgs", Pack.class);
+ if (bsc.getOrganizationsIds() == null)
+ Response.ok().build();
+ // log.info("Getting only {} orgs for user: {}", securityContext.getOrganizationsIds(), securityContext.getUserPrincipal());
+ q.setParameter("list_ids", bsc.getOrganizationsIds());
+ }
List<Pack> list = q.getResultList();
return Response.ok(list).build();
+ }
+
+ private Response generateErrorUnathorizedAccess(Pack pack, Principal user) {
+ log.error("Pack with id {} not accesible by user {}", pack, user);
+ return Response.status(Status.UNAUTHORIZED).header(DefaultExceptionHandler.ERROR_MESSAGE_HEADER, "Unathorized access to pack").build();
}
/**
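Review bot: The null-organizations guard at `if (bsc.getOrganizationsIds() == null)` builds a Response and discards it, so a non-admin caller with no organizations falls through to `q.setParameter("list_ids", bsc.getOrganizationsIds())` with a null collection instead of getting the empty reply the guard was meant to produce; it needs `return Response.ok().build();` inside braces like the rest of the method (an empty list as the entity would keep the JSON body shape consistent with the success path). The admin log line concatenates where the rest of the file uses placeholders; `log.info("Getting all packs for user: {}", bsc.getUserPrincipal());`. In `generateErrorUnathorizedAccess` the caller is already authenticated and merely lacks rights to this pack, which is `Status.FORBIDDEN` rather than `Status.UNAUTHORIZED`, and both the method name and the header text misspell "Unauthorized".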
@@ -78,9 +98,10 @@
*/
@GET
@Path("/{packId}")
+ @Securable
@Produces(
{ MediaType.APPLICATION_JSON })
- public Response get(@PathParam("packId") String packId, @HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token) {
+ public Response get(@PathParam("packId") String packId, @Context BasicSecurityContext bsc) {
log.info("Getting pack data for id: {}: ", packId);
if (packId == null || packId.equals("")) {
log.error("Pack ID is mandatory");
@@ -88,16 +109,23 @@
}
EntityManager em = emProvider.get();
- Pack lt = em.find(Pack.class, Integer.parseInt(packId));
- if (lt == null) {
+ Pack pack = em.find(Pack.class, Integer.parseInt(packId));
+ if (pack == null) {
log.error("Pack with id {} not found in DB", packId);
return Response.status(Status.NOT_FOUND).build();
}
- return Response.ok(lt).build();
+ if (bsc.isUserInRole(BasicSecurityContext.ROL_ADVANCE)) {
+ if (bsc.getOrganizationsIds() == null || !bsc.getOrganizationsIds().contains(pack.getOrgId())) {
+ return generateErrorUnathorizedAccess(pack, bsc.getUserPrincipal());
+ }
+ }
+ return Response.ok(pack).build();
}
@POST
@Path("/")
+ @Securable
+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
@Consumes(MediaType.APPLICATION_JSON)
@Produces(
{ MediaType.APPLICATION_JSON })
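Review bot: The organization-membership check in `get` runs only when `bsc.isUserInRole(BasicSecurityContext.ROL_ADVANCE)` is true, so a principal in neither ROL_ADMIN nor ROL_ADVANCE (if the security context can yield one) reaches `return Response.ok(pack).build();` with no ownership check at all, while `index` in the same commit takes the fail-closed shape (admin unrestricted, every other role filtered by organization). Gating on `if (!bsc.isUserInRole(BasicSecurityContext.ROL_ADMIN)) {` instead makes the membership test apply to every non-admin role and brings the two endpoints into agreement. `Integer.parseInt(packId)` remains unguarded, so a non-numeric path segment surfaces as a NumberFormatException rather than the 4xx the empty-id check returns; that predates this commit. `get` begins in the previous hunk.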
@@ -112,21 +140,12 @@
return Response.ok(pack).build();
}
- private User getUser(String username, EntityManager em) throws CurisException {
- User user = null;
- if (username != null) {
- user = em.find(User.class, username);
- if (user == null) {
- throw new CurisException("User not found");
- }
- }
- return user;
- }
-
@PUT
@POST
@Path("/{packId}")
@Transactional
+ @Securable
+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
@Consumes(MediaType.APPLICATION_JSON)
@Produces(
{ MediaType.APPLICATION_JSON })
@@ -141,6 +160,8 @@
@DELETE
@Path("/{packId}")
+ @Securable
+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
@Transactional
@Produces(
{ MediaType.APPLICATION_JSON })
--
Gitblit v1.3.2