@GET
 public String userInfo() {
   if (securityContext == null) {
     throw new NotAuthorizedException("Acesso não autorizado");
   }
   String name = securityContext.getUserPrincipal().getName();
   if (securityContext.isUserInRole("admin")) {
     return "Você é um administrador: " + name;
   }
   if (securityContext.isUserInRole("user")) {
     return "Você é um usuário: " + name;
   }
   return "Nenhum dos dois";
 }
Example #2
0
  @POST()
  @Path("New")
  public Response New(
      String siteInfo,
      @Context HttpServletResponse servletResponse,
      @Context SecurityContext context) {
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    Response response;

    try {
      Gson gson = new Gson();
      String json = siteInfo.split("=")[1];
      Site site = gson.fromJson(json, Site.class);
      SitesController.getInstance().NewSite(site);

      response = Response.status(200).entity(GeoRedConstants.SITE_SUCCESSFULY_ADDED).build();
    } catch (Exception e) {
      response = Response.status(500).entity(e.getMessage()).build();
    }

    return response;
  }
Example #3
0
  // crear comentario. recibe un Comment.
  @POST()
  @Path("Comments/New")
  public Response CommentsNew(
      String commentInfo,
      @Context HttpServletResponse servletResponse,
      @Context SecurityContext context) {
    // si no es un usuario registrado, devolver error 500 de acceso denegado
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    // crear comentario
    try {
      Gson gson = new Gson();
      commentInfo = commentInfo.split("=")[1];
      Comment comment = gson.fromJson(commentInfo, Comment.class);
      SitesController.getInstance().newComment(comment);

      return Response.status(200).entity(GeoRedConstants.COMMENT_SUCCESSFULY_ADDED).build();
    }

    // si salta una excepción, devolver error
    catch (Exception ex) {
      return Response.status(500).entity(ex.getMessage()).build();
    }
  }
Example #4
0
  // obtener datos de una visita.
  // recibe un String con el id, y devuelve un Site.
  @GET()
  @Produces("text/plain")
  @Path("GetById")
  public Response GetById(
      @QueryParam("siteId") String siteId,
      @Context HttpServletResponse servletResponse,
      @Context SecurityContext context) {
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    // obtener visita
    try {
      Gson gson = new Gson();

      Site site = SitesController.getInstance().getById(siteId);

      return Response.status(200).entity(gson.toJson(site)).build();
    }

    // si salta una excepción, devolver error
    catch (Exception ex) {
      return Response.status(500).entity(ex.getMessage()).build();
    }
  }
Example #5
0
  @PUT
  @Path("/{id}/password")
  @PermitAll
  public Response updatePassword(@PathParam("id") final Long id, final String body) {
    logger.debug("Updating the password for user {}", id);

    if (!securityContext.isUserInRole(Roles.ADMINISTRATOR.name())) {
      if (!isLoggedUser(id)) {
        return Response.status(HttpCode.FORBIDDEN.getCode()).build();
      }
    }

    HttpCode httpCode = HttpCode.OK;
    OperationResult result;
    try {
      userService.updatePassword(id, getPasswordFromJson(body));
      result = OperationResult.success();
    } catch (UserNotFoundException e) {
      httpCode = HttpCode.NOT_FOUND;
      logger.error("No user found for the given id", e);
      result = getOperationResultNotFound(RESOURCE_MESSAGE);
    }

    logger.debug("Returning the operation result after updating user password: {}", result);
    return Response.status(httpCode.getCode())
        .entity(OperationResultJsonWriter.toJson(result))
        .build();
  }
 private boolean checkRoles(String[] rolesAllowed) {
   for (String role : rolesAllowed) {
     if (securityContext.isUserInRole(role)) {
       return true;
     }
   }
   return false;
 }
  public User securityCheck(SecurityContext sec, Roles role) {
    if (sec == null) {
      throw new NullPointerException();
    }

    if (!sec.isUserInRole(role.name())) {
      throw new WebApplicationException(forbiddenResponse(role, sec));
    }

    return (User) sec.getUserPrincipal();
  }
Example #8
0
  /**
   * Allow to check if current user has a given role or not. status <b>200</b> and {@link
   * UserInRoleDescriptor} is returned by indicating if role is granted or not
   *
   * @param role role to search (like admin or manager)
   * @param scope the optional scope like system, workspace, account.(default scope is system)
   * @param scopeId an optional scopeID used by the scope like the workspace ID if scope is
   *     workspace.
   * @return {UserInRoleDescriptor} which indicates if role is granted or not
   * @throws org.eclipse.che.api.core.ForbiddenException with an uknown scope
   * @throws ServerException when unable to perform the check
   */
  @ApiOperation(
      value = "Check role for the authenticated user",
      notes =
          "Check if user has a role in given scope (default is system) and with an optional scope id. Roles allowed: user, system/admin, system/manager.",
      response = UserInRoleDescriptor.class,
      position = 7)
  @ApiResponses({
    @ApiResponse(code = 200, message = "OK"),
    @ApiResponse(code = 403, message = "Unable to check for the given scope"),
    @ApiResponse(code = 500, message = "Internal Server Error")
  })
  @GET
  @Path("/inrole")
  @GenerateLink(rel = LINK_REL_INROLE)
  @RolesAllowed({"user", "system/admin", "system/manager"})
  @Produces(APPLICATION_JSON)
  @Beta
  public UserInRoleDescriptor inRole(
      @Required @Description("role inside a scope") @QueryParam("role") String role,
      @DefaultValue("system")
          @Description("scope of the role (like system, workspace)")
          @QueryParam("scope")
          String scope,
      @DefaultValue("")
          @Description("id used by the scope, like workspaceId for workspace scope")
          @QueryParam("scopeId")
          String scopeId,
      @Context SecurityContext context)
      throws NotFoundException, ServerException, ForbiddenException {

    // handle scope
    boolean isInRole;
    if ("system".equals(scope)) {
      String roleToCheck;
      if ("user".equals(role) || "temp_user".equals(role)) {
        roleToCheck = role;
      } else {
        roleToCheck = "system/" + role;
      }

      // check role
      isInRole = context.isUserInRole(roleToCheck);
    } else {
      throw new ForbiddenException(
          String.format("Only system scope is handled for now. Provided scope is %s", scope));
    }

    return DtoFactory.getInstance()
        .createDto(UserInRoleDescriptor.class)
        .withIsInRole(isInRole)
        .withRoleName(role)
        .withScope(scope)
        .withScopeId(scopeId);
  }
Example #9
0
  // obtener sitios, por pagina
  @GET()
  @Produces("text/plain")
  @Path("GetPage")
  public Response GetPaged(
      @QueryParam("from") Integer from,
      @QueryParam("count") Integer count,
      @Context HttpServletResponse servletResponse,
      @Context SecurityContext context) {
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    if (count == null) count = 15;
    if (from == null) from = 0;

    Gson gson = new Gson();
    List<Site> sites = SitesController.getInstance().getSites(from, count);
    return Response.status(200).entity(gson.toJson(sites)).build();
  }
Example #10
0
  // obtener comentarios del usuario
  @GET()
  @Produces("text/plain")
  @Path("Comments/GetByUser")
  public Response CommentsGetByUser(@Context SecurityContext context) {
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    // obtener comentarios del usuario
    try {
      Gson gson = new Gson();
      List<Comment> comments = SitesController.getInstance().getCommentsByUser();
      return Response.status(200).entity(gson.toJson(comments)).build();
    }

    // si salta una excepción, devolver error
    catch (Exception ex) {
      return Response.status(500).entity(ex.getMessage()).build();
    }
  }
Example #11
0
  // obtener sitios
  @GET()
  @Produces("text/plain")
  @Path("Get")
  public Response Get(@Context SecurityContext context) {
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    // obtener sitios
    try {
      Gson gson = new Gson();
      List<Site> sites = SitesController.getInstance().getSites();
      return Response.status(200).entity(gson.toJson(sites)).build();
    }

    // si salta una excepción, devolver error
    catch (Exception ex) {
      return Response.status(500).entity(ex.getMessage()).build();
    }
  }
Example #12
0
  // obtener visitas del usuario, sistema paginado
  @GET()
  @Produces("text/plain")
  @Path("Visits/GetByUserPage")
  public Response VisitsGetByUserPage(
      @QueryParam("pageNumber") Integer pageNumber, @Context SecurityContext context) {
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    // obtener visitas del usuario
    try {
      Gson gson = new Gson();
      List<Visit> visits = SitesController.getInstance().getVisitsByUser(pageNumber);
      return Response.status(200).entity(gson.toJson(visits)).build();
    }

    // si salta una excepción, devolver error
    catch (Exception ex) {
      return Response.status(500).entity(ex.getMessage()).build();
    }
  }
Example #13
0
  @GET()
  @Produces("text/plain")
  @Path("GetByLocation")
  public Response GetByLocation(
      @QueryParam("bottomLeftLatitude") Integer bottomLeftLatitude,
      @QueryParam("bottomLeftLongitude") Integer bottomLeftLongitud,
      @QueryParam("topRightLatitude") Integer topRightLatitude,
      @QueryParam("topRightLongitude") Integer topRightLongitude,
      @Context SecurityContext context) {
    if (!context.isUserInRole(Roles.REG_USER)) {
      return Response.status(500).entity(GeoRedConstants.ACCESS_DENIED).build();
    }

    Gson gson = new Gson();
    List<Site> sites =
        SitesController.getInstance()
            .getSitesByPosition(
                bottomLeftLatitude, bottomLeftLongitud, topRightLatitude, topRightLongitude);

    return Response.status(200).entity(gson.toJson(sites)).build();
  }
Example #14
0
  /**
   * Creates new user and profile.
   *
   * <p>When current user is in 'system/admin' role then {@code newUser} parameter will be used for
   * user creation, otherwise method uses {@code token} and {@link #tokenValidator}.
   *
   * @param token authentication token
   * @param isTemporary if it is {@code true} creates temporary user
   * @return entity of created user
   * @throws UnauthorizedException when token is {@code null}
   * @throws ConflictException when token is not valid
   * @throws ServerException when some error occurred while persisting user or user profile
   * @see UserDescriptor
   * @see #getCurrent(SecurityContext)
   * @see #updatePassword(String)
   * @see #getById(String, SecurityContext)
   * @see #getByEmail(String, SecurityContext)
   * @see #remove(String)
   */
  @ApiOperation(
      value = "Create a new user",
      notes = "Create a new user in the system",
      response = UserDescriptor.class,
      position = 1)
  @ApiResponses({
    @ApiResponse(code = 201, message = "Created"),
    @ApiResponse(code = 401, message = "Missed token parameter"),
    @ApiResponse(code = 409, message = "Invalid token"),
    @ApiResponse(code = 403, message = "Invalid or absent request parameters"),
    @ApiResponse(code = 500, message = "Internal Server Error")
  })
  @POST
  @Path("/create")
  @Consumes(APPLICATION_JSON)
  @Produces(APPLICATION_JSON)
  @GenerateLink(rel = LINK_REL_CREATE_USER)
  public Response create(
      @ApiParam(value = "New user") NewUser newUser,
      @ApiParam(value = "Authentication token") @QueryParam("token") String token,
      @ApiParam(value = "User type") @QueryParam("temporary") @DefaultValue("false")
          Boolean isTemporary,
      @Context SecurityContext context)
      throws ApiException {
    final User user = context.isUserInRole("system/admin") ? fromEntity(newUser) : fromToken(token);

    userDao.create(
        user.withId(generate("user", ID_LENGTH))
            .withPassword(firstNonNull(user.getPassword(), generate("", PASSWORD_LENGTH))));

    profileDao.create(new Profile(user.getId()));

    final Map<String, String> preferences = new HashMap<>(4);
    preferences.put("temporary", Boolean.toString(isTemporary));
    preferences.put("codenvy:created", Long.toString(System.currentTimeMillis()));
    preferenceDao.setPreferences(user.getId(), preferences);

    return status(CREATED).entity(toDescriptor(user, context)).build();
  }
Example #15
0
  @PUT
  @Path("/{id}")
  @PermitAll
  public Response update(@PathParam("id") final Long id, final String body) {
    logger.debug("Updating the user {} with body {}", id, body);

    if (!securityContext.isUserInRole(Roles.ADMINISTRATOR.name())) {
      if (!isLoggedUser(id)) {
        return Response.status(HttpCode.FORBIDDEN.getCode()).build();
      }
    }

    final User user = userJsonConverter.convertFrom(body);
    user.setId(id);

    HttpCode httpCode = HttpCode.OK;
    OperationResult result;
    try {
      userService.update(user);
      result = OperationResult.success();
    } catch (FieldNotValidException e) {
      httpCode = HttpCode.VALIDATION_ERROR;
      logger.error("One of the fields of the user is not valid", e);
      result = getOperationResultInvalidField(RESOURCE_MESSAGE, e);
    } catch (UserExistException e) {
      httpCode = HttpCode.VALIDATION_ERROR;
      logger.error("There is already an user for the given email", e);
      result = getOperationResultExists(RESOURCE_MESSAGE, "email");
    } catch (UserNotFoundException e) {
      httpCode = HttpCode.NOT_FOUND;
      logger.error("No user found for the given id", e);
      result = getOperationResultNotFound(RESOURCE_MESSAGE);
    }

    logger.debug("Returning the operation result after updating user: {}", result);
    return Response.status(httpCode.getCode())
        .entity(OperationResultJsonWriter.toJson(result))
        .build();
  }
  @PUT
  @Path("{id}")
  @Consumes(MediaType.APPLICATION_JSON)
  @Transaction
  public Response put(
      Dataset requestDataset, @PathParam("id") UUID datasetId, @Context SecurityContext sc) {

    // override the url in json with the id in the url, in case a
    // malicious client has changed it
    requestDataset.setDatasetId(datasetId);

    /*
     * Checks that
     * - user has write authorization for the session
     * - the session contains this dataset
     */
    Session session = sessionResource.getSessionForWriting(sc, sessionId);
    Dataset dbDataset = getHibernate().session().get(Dataset.class, datasetId);
    if (dbDataset == null || dbDataset.getSession().getSessionId() != session.getSessionId()) {
      throw new NotFoundException("dataset doesn't exist");
    }

    if (!sc.isUserInRole(Role.FILE_BROKER)) {
      checkFileModification(requestDataset, getHibernate().session());
    }

    if (requestDataset.getFile() == null || requestDataset.getFile().isEmpty()) {
      // if the client doesn't care about the File, simply keep the db version
      requestDataset.setFile(dbDataset.getFile());
    }

    // make sure a hostile client doesn't set the session
    requestDataset.setSession(session);

    update(requestDataset, getHibernate().session());

    return Response.noContent().build();
  }
Example #17
0
 private UserDescriptor toDescriptor(User user, SecurityContext context) {
   final List<Link> links = new LinkedList<>();
   final UriBuilder uriBuilder = getServiceContext().getServiceUriBuilder();
   if (context.isUserInRole("user")) {
     links.add(
         LinksHelper.createLink(
             HttpMethod.GET,
             getServiceContext()
                 .getBaseUriBuilder()
                 .path(UserProfileService.class)
                 .path(UserProfileService.class, "getCurrent")
                 .build()
                 .toString(),
             null,
             APPLICATION_JSON,
             LINK_REL_GET_CURRENT_USER_PROFILE));
     links.add(
         LinksHelper.createLink(
             HttpMethod.GET,
             uriBuilder.clone().path(getClass(), "getCurrent").build().toString(),
             null,
             APPLICATION_JSON,
             LINK_REL_GET_CURRENT_USER));
     links.add(
         LinksHelper.createLink(
             HttpMethod.POST,
             uriBuilder.clone().path(getClass(), "updatePassword").build().toString(),
             APPLICATION_FORM_URLENCODED,
             null,
             LINK_REL_UPDATE_PASSWORD));
   }
   if (context.isUserInRole("system/admin") || context.isUserInRole("system/manager")) {
     links.add(
         LinksHelper.createLink(
             HttpMethod.GET,
             uriBuilder.clone().path(getClass(), "getById").build(user.getId()).toString(),
             null,
             APPLICATION_JSON,
             LINK_REL_GET_USER_BY_ID));
     links.add(
         LinksHelper.createLink(
             HttpMethod.GET,
             getServiceContext()
                 .getBaseUriBuilder()
                 .path(UserProfileService.class)
                 .path(UserProfileService.class, "getById")
                 .build(user.getId())
                 .toString(),
             null,
             APPLICATION_JSON,
             LINK_REL_GET_USER_PROFILE_BY_ID));
     if (user.getEmail() != null) {
       links.add(
           LinksHelper.createLink(
               HttpMethod.GET,
               uriBuilder
                   .clone()
                   .path(getClass(), "getByEmail")
                   .queryParam("email", user.getEmail())
                   .build()
                   .toString(),
               null,
               APPLICATION_JSON,
               LINK_REL_GET_USER_BY_EMAIL));
     }
   }
   if (context.isUserInRole("system/admin")) {
     links.add(
         LinksHelper.createLink(
             HttpMethod.DELETE,
             uriBuilder.clone().path(getClass(), "remove").build(user.getId()).toString(),
             null,
             null,
             LINK_REL_REMOVE_USER_BY_ID));
   }
   return DtoFactory.getInstance()
       .createDto(UserDescriptor.class)
       .withId(user.getId())
       .withEmail(user.getEmail())
       .withName(user.getName())
       .withAliases(user.getAliases())
       .withPassword("<none>")
       .withLinks(links);
 }