Commit 1057893e authored by redmitry@list.ru's avatar redmitry@list.ru

protect Privilege collection

parent b8c0564e
......@@ -38,8 +38,11 @@ import java.io.UnsupportedEncodingException;
import java.io.Writer;
import java.net.URLDecoder;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.security.PermitAll;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
......@@ -58,6 +61,10 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.StreamingOutput;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessToken.Access;
/**
* @author Dmitry Repchevsky
......@@ -123,7 +130,7 @@ public class OpenEBenchService {
StreamingOutput stream = (OutputStream out) -> {
try (Writer writer = new BufferedWriter(new OutputStreamWriter(out, "UTF-8"))) {
dao.write(writer, "Privilege");
dao.getPrivileges(writer, sc);
} catch(Exception ex) {
Logger.getLogger(OpenEBenchService.class.getName()).log(Level.SEVERE, null, ex);
}
......@@ -132,6 +139,29 @@ public class OpenEBenchService {
}
@GET
@Path("/Privilege/{id : .*}")
@PermitAll
@Produces(MediaType.APPLICATION_JSON)
public Response getPrivilege(@Context SecurityContext sc,
@PathParam("id")
@Parameter(description = "privilege id",
example = "OEBC00200001FO")
@Encoded final String id) {
final String privilege = dao.getPrivilege(id, sc);
if (privilege == null) {
return Response.status(Status.NOT_FOUND).build();
}
if ("{}".equals(privilege)) {
return Response.status(Status.UNAUTHORIZED).build();
}
return Response.ok(privilege, MediaType.APPLICATION_JSON).build();
}
@GET
@Path("/{collection}")
@PermitAll
......
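Review bot: `if ("{}".equals(privilege))` maps the sentinel to 401, but `Database.getPrivilege` (second file in this commit) returns `"{}"` both when `find(...).first()` yields nothing and when `checkPrivilegeAccess` fails, so an ADMIN requesting a non-existent id receives UNAUTHORIZED instead of NOT_FOUND; meanwhile `null`, which that DAO returns only from its catch block, is mapped to 404, so a MongoDB failure surfaces to the client as "not found". Unless the conflation is deliberate (it does avoid confirming to non-admins which ids exist), have the DAO return distinct values or perform the role check here first, and map the exception path to `return Response.serverError().build();`. Also, 401 tells the client to authenticate; when `sc.getUserPrincipal() != null` and the caller merely lacks the role, `Status.FORBIDDEN` is the accurate status. The enclosing class starts and ends outside this hunk.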
......@@ -68,13 +68,11 @@ public class Database {
private MongoClientURI uri;
private MongoClient mc;
private Jsonb jsonb;
@PostConstruct
protected void init() {
uri = new MongoClientURI(ctx.getInitParameter("mongodb.url"));
mc = new MongoClient(uri);
jsonb = JsonbBuilder.create();
}
@PreDestroy
......@@ -197,6 +195,60 @@ public class Database {
}
}
public String getPrivilege(final String id, final SecurityContext sc) {
try {
final MongoDatabase mdb = mc.getDatabase(uri.getDatabase());
final MongoCollection<Document> privileges = mdb.getCollection("Privilege");
final Document privilege = privileges.find(Filters.eq("_id", id)).first();
if (privilege != null && checkPrivilegeAccess(privilege, sc)) {
return privilege.toJson();
}
return "{}";
} catch(Exception ex) {
Logger.getLogger(Database.class.getName()).log(Level.SEVERE, null, ex);
}
return null;
}
public void getPrivileges(final Writer writer, final SecurityContext sc) {
try {
MongoDatabase mdb = mc.getDatabase(uri.getDatabase());
final MongoCollection<Document> privileges = mdb.getCollection("Privilege");
final JsonWriter jwriter = new ReusableJsonWriter(writer);
try {
jwriter.writeStartArray();
final DocumentCodec codec = new DocumentCodec() {
@Override
public void encode(BsonWriter writer,
Document document,
EncoderContext encoderContext) {
super.encode(jwriter, document, encoderContext);
}
};
FindIterable<Document> iter = privileges.find();
try (MongoCursor<Document> cursor = iter.iterator()) {
loop:
while (cursor.hasNext()) {
final Document privilege = cursor.next();
if (checkPrivilegeAccess(privilege, sc)) {
privilege.toJson(codec);
}
}
}
} finally {
jwriter.writeEndArray();
jwriter.close();
}
} catch(Exception ex) {
Logger.getLogger(Database.class.getName()).log(Level.SEVERE, null, ex);
}
}
public String getChallenge(final String id, final SecurityContext sc) {
try {
final MongoDatabase mdb = mc.getDatabase(uri.getDatabase());
......@@ -325,6 +377,15 @@ public class Database {
}
}
private boolean checkPrivilegeAccess(final Document privilege, final SecurityContext sc) {
if (sc.isUserInRole(Roles.ADMIN)) {
return true;
}
return false;
}
private boolean checkChallengeAccess(final Document challenge, final SecurityContext sc,
final MongoCollection<Document> events) {
......
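Review bot: `checkPrivilegeAccess` (last hunk) ignores its `privilege` argument and only tests `sc.isUserInRole(Roles.ADMIN)`, yet `getPrivileges` opens a cursor over the whole `Privilege` collection and calls it once per document, so every non-admin request scans the collection only to emit `[]`. If per-document rules are not planned, hoist the role test above `privileges.find()` and return after writing the empty array; if they are, a comment on `checkPrivilegeAccess` stating that the `privilege` parameter is reserved for those rules would stop the next reader from treating it as a bug. The `loop:` label in `getPrivileges` is unused and can be dropped. `getPrivilege` needs Javadoc for its return contract, e.g. `@return the privilege document as JSON; "{}" when the id does not exist or the caller is not permitted; null when the lookup failed (already logged)`, because `OpenEBenchService.getPrivilege` maps those sentinels to HTTP statuses and the distinction is invisible at the call site. Both hunks sit inside `Database`, whose class body continues outside this section.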