protect Privilege collection

src/main/java/es/bsc/inb/elixir/openebench/rest/OpenEBenchService.java

@@ -38,8 +38,11 @@ import java.io.UnsupportedEncodingException;
 import java.io.Writer;
 import java.net.URLDecoder;
 import java.security.Principal;
+import java.util.List;
+import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.annotation.PostConstruct;
 import javax.annotation.security.PermitAll;
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
@@ -58,6 +61,10 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.StreamingOutput;
+import org.keycloak.KeycloakPrincipal;
+import org.keycloak.KeycloakSecurityContext;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.AccessToken.Access;
 
 /**
  * @author Dmitry Repchevsky
@@ -123,7 +130,7 @@ public class OpenEBenchService {
 
         StreamingOutput stream = (OutputStream out) -> {
             try (Writer writer = new BufferedWriter(new OutputStreamWriter(out, "UTF-8"))) {
-                dao.write(writer, "Privilege");
+                dao.getPrivileges(writer, sc);
             } catch(Exception ex) {
                 Logger.getLogger(OpenEBenchService.class.getName()).log(Level.SEVERE, null, ex);
             }
@@ -132,6 +139,29 @@ public class OpenEBenchService {
 
     }
 
+    @GET
+    @Path("/Privilege/{id : .*}")
+    @PermitAll
+    @Produces(MediaType.APPLICATION_JSON)
+    public Response getPrivilege(@Context SecurityContext sc,
+                                 @PathParam("id")
+                                 @Parameter(description = "privilege id",
+                                            example = "OEBC00200001FO")
+                                 @Encoded final String id) {
+        
+        final String privilege = dao.getPrivilege(id, sc);
+        
+        if (privilege == null) {
+            return Response.status(Status.NOT_FOUND).build();
+        }
+        
+        if ("{}".equals(privilege)) {
+            return Response.status(Status.UNAUTHORIZED).build();
+        }
+        
+        return Response.ok(privilege, MediaType.APPLICATION_JSON).build();
+    }
+
     @GET
     @Path("/{collection}")
     @PermitAll

src/main/java/es/bsc/inb/elixir/openebench/rest/dao/Database.java

@@ -68,13 +68,11 @@ public class Database {
     
     private MongoClientURI uri;
     private MongoClient mc;
-    private Jsonb jsonb;
 
     @PostConstruct
     protected void init() {
         uri = new MongoClientURI(ctx.getInitParameter("mongodb.url"));
         mc = new MongoClient(uri);
-        jsonb = JsonbBuilder.create();
     }
     
     @PreDestroy
@@ -197,6 +195,60 @@ public class Database {
         }
     }
 
+    public String getPrivilege(final String id, final SecurityContext sc) {
+        try {
+            final MongoDatabase mdb = mc.getDatabase(uri.getDatabase());
+            final MongoCollection<Document> privileges = mdb.getCollection("Privilege");
+            
+            final Document privilege = privileges.find(Filters.eq("_id", id)).first();
+            if (privilege != null && checkPrivilegeAccess(privilege, sc)) {
+                return privilege.toJson();
+            }
+            return "{}";
+        } catch(Exception ex) {
+            Logger.getLogger(Database.class.getName()).log(Level.SEVERE, null, ex);
+        }        
+        
+        return null;
+    }
+
+    public void getPrivileges(final Writer writer, final SecurityContext sc) {
+        try {
+            MongoDatabase mdb = mc.getDatabase(uri.getDatabase());
+            final MongoCollection<Document> privileges = mdb.getCollection("Privilege");
+
+            final JsonWriter jwriter = new ReusableJsonWriter(writer);
+            try {
+                jwriter.writeStartArray();
+                
+                final DocumentCodec codec = new DocumentCodec() {
+                    @Override
+                    public void encode(BsonWriter writer,
+                       Document document,
+                       EncoderContext encoderContext) {
+                            super.encode(jwriter, document, encoderContext);
+                    }
+                };
+                
+                FindIterable<Document> iter = privileges.find();
+                try (MongoCursor<Document> cursor = iter.iterator()) {
+                    loop:
+                    while (cursor.hasNext()) {
+                        final Document privilege = cursor.next();
+                        if (checkPrivilegeAccess(privilege, sc)) {
+                            privilege.toJson(codec);
+                        }
+                    }
+                }
+            } finally {
+                jwriter.writeEndArray();
+                jwriter.close();
+            }
+        } catch(Exception ex) {
+            Logger.getLogger(Database.class.getName()).log(Level.SEVERE, null, ex);
+        }
+    }
+
     public String getChallenge(final String id, final SecurityContext sc) {
         try {
             final MongoDatabase mdb = mc.getDatabase(uri.getDatabase());
@@ -325,6 +377,15 @@ public class Database {
         }
     }
 
+    private boolean checkPrivilegeAccess(final Document privilege, final SecurityContext sc) {
+        
+        if (sc.isUserInRole(Roles.ADMIN)) {
+            return true;
+        }
+
+        return false;
+    }
+
     private boolean checkChallengeAccess(final Document challenge, final SecurityContext sc, 
             final MongoCollection<Document> events) {