001/******************************************************************************* 002 * Copyright 2017 The MIT Internet Trust Consortium 003 * 004 * Portions copyright 2011-2013 The MITRE Corporation 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); 007 * you may not use this file except in compliance with the License. 008 * You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 *******************************************************************************/ 018/** 019 * 020 */ 021package org.mitre.openid.connect.web; 022 023import java.security.Principal; 024import java.util.Collection; 025 026import org.mitre.openid.connect.model.ApprovedSite; 027import org.mitre.openid.connect.service.ApprovedSiteService; 028import org.mitre.openid.connect.view.HttpCodeView; 029import org.mitre.openid.connect.view.JsonApprovedSiteView; 030import org.mitre.openid.connect.view.JsonEntityView; 031import org.mitre.openid.connect.view.JsonErrorView; 032import org.slf4j.Logger; 033import org.slf4j.LoggerFactory; 034import org.springframework.beans.factory.annotation.Autowired; 035import org.springframework.http.HttpStatus; 036import org.springframework.http.MediaType; 037import org.springframework.security.access.prepost.PreAuthorize; 038import org.springframework.stereotype.Controller; 039import org.springframework.ui.ModelMap; 040import org.springframework.web.bind.annotation.PathVariable; 041import org.springframework.web.bind.annotation.RequestMapping; 042import org.springframework.web.bind.annotation.RequestMethod; 043 044/** 045 * @author jricher 046 * 047 */ 
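@Controller
@RequestMapping("/" + ApprovedSiteAPI.URL)
@PreAuthorize("hasRole('ROLE_USER')")
public class ApprovedSiteAPI {

	public static final String URL = RootController.API_URL + "/approved";

	@Autowired
	private ApprovedSiteService approvedSiteService;

	/**
	 * Logger for this class
	 */
	private static final Logger logger = LoggerFactory.getLogger(ApprovedSiteAPI.class);

	/**
	 * Get a list of all of this user's approved sites.
	 *
	 * The lookup is keyed on the authenticated principal's name only; no
	 * caller-supplied user identifier is accepted, so a user cannot list
	 * another account's approvals through this endpoint.
	 *
	 * @param m model the entity collection is placed into
	 * @param p the authenticated principal (guaranteed non-null by the class-level ROLE_USER check)
	 * @return the JSON approved-site view name
	 */
	@RequestMapping(method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
	public String getAllApprovedSites(ModelMap m, Principal p) {
		Collection<ApprovedSite> sites = approvedSiteService.getByUserId(p.getName());
		m.put(JsonEntityView.ENTITY, sites);
		return JsonApprovedSiteView.VIEWNAME;
	}

	/**
	 * Delete an approved site owned by the calling user.
	 *
	 * Responds 404 when no site has the given id, 403 when the site exists but
	 * belongs to a different user, and 200 after a successful removal.
	 *
	 * NOTE(review): this is a state-changing DELETE; whether it is covered by
	 * CSRF protection depends on the surrounding Spring Security configuration,
	 * which is not visible here — confirm for browser-originated sessions.
	 *
	 * @param id the approved-site id from the path (untrusted input)
	 * @param m model the status code / error message is placed into
	 * @param p the authenticated principal
	 * @return the HTTP-code view on success, the JSON error view otherwise
	 */
	@RequestMapping(value="/{id}", method = RequestMethod.DELETE)
	public String deleteApprovedSite(@PathVariable("id") Long id, ModelMap m, Principal p) {
		ApprovedSite approvedSite = approvedSiteService.getById(id);

		if (approvedSite == null) {
			// Client-triggered condition; parameterized logging avoids eager string building.
			logger.warn("deleteApprovedSite failed; no approved site found for id: {}", id);
			m.put(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
			m.put(JsonErrorView.ERROR_MESSAGE, "Could not delete approved site. The requested approved site with id: " + id + " could not be found.");
			return JsonErrorView.VIEWNAME;
		}

		if (!isOwnedBy(approvedSite, p)) {
			logger.warn("deleteApprovedSite failed; principal {} does not own approved site {}", p.getName(), id);
			m.put(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
			m.put(JsonErrorView.ERROR_MESSAGE, "You do not have permission to delete this approved site. The approved site decision will not be deleted.");
			return JsonErrorView.VIEWNAME;
		}

		// Ownership verified above; remove the decision and report success.
		approvedSiteService.remove(approvedSite);
		m.put(HttpCodeView.CODE, HttpStatus.OK);
		return HttpCodeView.VIEWNAME;
	}

	/**
	 * Get a single approved site owned by the calling user.
	 *
	 * Responds 404 when no site has the given id and 403 when the site exists
	 * but belongs to a different user.
	 *
	 * @param id the approved-site id from the path (untrusted input)
	 * @param m model the entity or error message is placed into
	 * @param p the authenticated principal
	 * @return the JSON approved-site view on success, the JSON error view otherwise
	 */
	@RequestMapping(value="/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
	public String getApprovedSite(@PathVariable("id") Long id, ModelMap m, Principal p) {
		ApprovedSite approvedSite = approvedSiteService.getById(id);

		if (approvedSite == null) {
			logger.warn("getApprovedSite failed; no approved site found for id: {}", id);
			m.put(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
			m.put(JsonErrorView.ERROR_MESSAGE, "The requested approved site with id: " + id + " could not be found.");
			return JsonErrorView.VIEWNAME;
		}

		if (!isOwnedBy(approvedSite, p)) {
			logger.warn("getApprovedSite failed; principal {} does not own approved site {}", p.getName(), id);
			m.put(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
			m.put(JsonErrorView.ERROR_MESSAGE, "You do not have permission to view this approved site.");
			return JsonErrorView.VIEWNAME;
		}

		m.put(JsonEntityView.ENTITY, approvedSite);
		return JsonApprovedSiteView.VIEWNAME;
	}

	/**
	 * Shared ownership check for the per-id handlers.
	 *
	 * Compared from the principal's side so that a stored record with a
	 * missing user id is treated as "not owned" (403) instead of throwing a
	 * NullPointerException and surfacing as a 500.
	 *
	 * NOTE(review): the 403-vs-404 split tells an authenticated caller that an
	 * id exists for some other account. Ids are opaque database keys, so this
	 * is low value, but collapse both to NOT_FOUND if enumeration matters.
	 *
	 * @param approvedSite a non-null approved site loaded from the service
	 * @param p the authenticated principal
	 * @return true when the site's user id equals the principal's name
	 */
	private static boolean isOwnedBy(ApprovedSite approvedSite, Principal p) {
		String caller = p.getName();
		return caller != null && caller.equals(approvedSite.getUserId());
	}

}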