usergrid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mru...@apache.org
Subject usergrid git commit: Add additional functionality in REST layer for checking permissions.
Date Sat, 05 Dec 2015 01:43:56 GMT
Repository: usergrid
Updated Branches:
  refs/heads/release 29bba2433 -> fdc0d8081


Add additional functionality in REST layer for checking permissions.


Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/fdc0d808
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/fdc0d808
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/fdc0d808

Branch: refs/heads/release
Commit: fdc0d80814c7a69615964c5c85429ede003b6dbf
Parents: 29bba24
Author: Michael Russo <michaelarusso@gmail.com>
Authored: Fri Dec 4 17:43:19 2015 -0800
Committer: Michael Russo <michaelarusso@gmail.com>
Committed: Fri Dec 4 17:43:19 2015 -0800

----------------------------------------------------------------------
 .../shard/impl/NodeShardAllocationImpl.java     |   2 +-
 .../rest/applications/ApplicationResource.java  |   1 +
 .../rest/applications/AuthResource.java         |  10 +-
 .../applications/assets/AssetsResource.java     |   8 +-
 .../rest/applications/queues/QueueResource.java |  10 ++
 .../queues/QueueSubscriberResource.java         |   5 +
 .../queues/QueueSubscriptionResource.java       |   5 +
 .../queues/QueueTransactionsResource.java       |   3 +
 .../security/SecuredResourceFilterFactory.java  |  75 ++++++++++--
 .../annotations/CheckPermissionsForPath.java    |  32 ++++++
 .../usergrid/rest/applications/SecurityIT.java  | 113 +++++++++++++++++++
 11 files changed, 249 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/corepersistence/graph/src/main/java/org/apache/usergrid/persistence/graph/serialization/impl/shard/impl/NodeShardAllocationImpl.java
----------------------------------------------------------------------
diff --git a/stack/corepersistence/graph/src/main/java/org/apache/usergrid/persistence/graph/serialization/impl/shard/impl/NodeShardAllocationImpl.java
b/stack/corepersistence/graph/src/main/java/org/apache/usergrid/persistence/graph/serialization/impl/shard/impl/NodeShardAllocationImpl.java
index d52f807..62274ec 100644
--- a/stack/corepersistence/graph/src/main/java/org/apache/usergrid/persistence/graph/serialization/impl/shard/impl/NodeShardAllocationImpl.java
+++ b/stack/corepersistence/graph/src/main/java/org/apache/usergrid/persistence/graph/serialization/impl/shard/impl/NodeShardAllocationImpl.java
@@ -199,7 +199,7 @@ public class NodeShardAllocationImpl implements NodeShardAllocation {
 
 
         if ( !edges.hasNext() ) {
-            LOG.warn(
+            LOG.trace(
                 "Tried to allocate a new shard for edge meta data {}, " + "but no max value
could be found in that row",
                 directedEdgeMeta );
             return false;

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/applications/ApplicationResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/ApplicationResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/ApplicationResource.java
index 162565f..cfcc9b6 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/ApplicationResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/ApplicationResource.java
@@ -113,6 +113,7 @@ public class ApplicationResource extends ServiceResource {
     }
 
 
+    @RequireApplicationAccess
     @Path("auth")
     public AuthResource getAuthResource() throws Exception {
         return getSubResource( AuthResource.class );

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/applications/AuthResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/AuthResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/AuthResource.java
index 46e97c7..d90a44c 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/AuthResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/AuthResource.java
@@ -30,6 +30,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.usergrid.rest.security.annotations.CheckPermissionsForPath;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -84,9 +85,8 @@ public class AuthResource extends AbstractContextResource {
         }
     }
 
-    // TODO add auth for Ping Identity
-
 
+    @CheckPermissionsForPath
     @POST
     @Path("facebook")
     @Consumes(APPLICATION_FORM_URLENCODED)
@@ -100,6 +100,7 @@ public class AuthResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @GET
     @Path("pingident")
     public Response authPingIdent( @Context UriInfo ui, @QueryParam("ping_access_token")
String pingToken,
@@ -132,6 +133,7 @@ public class AuthResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @POST
     @Path("pingident")
     public Response authPingIdentPost( @Context UriInfo ui, @QueryParam("ping_access_token")
String pingToken,
@@ -169,7 +171,7 @@ public class AuthResource extends AbstractContextResource {
                        .entity( wrapJSONPResponse( callback, response.getBody() ) ).build();
     }
 
-
+    @CheckPermissionsForPath
     @GET
     @Path("facebook")
     public Response authFB( @Context UriInfo ui, @QueryParam("fb_access_token") String fb_access_token,
@@ -204,6 +206,7 @@ public class AuthResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @POST
     @Path("foursquare")
     @Consumes(APPLICATION_FORM_URLENCODED)
@@ -217,6 +220,7 @@ public class AuthResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @GET
     @Path("foursquare")
     public Response authFQ( @Context UriInfo ui, @QueryParam("fq_access_token") String fq_access_token,

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/applications/assets/AssetsResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/assets/AssetsResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/assets/AssetsResource.java
index fedffc4..f748ee9 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/assets/AssetsResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/assets/AssetsResource.java
@@ -24,6 +24,7 @@ import org.apache.usergrid.persistence.EntityManager;
 import org.apache.usergrid.persistence.entities.Asset;
 import org.apache.usergrid.rest.AbstractContextResource;
 import org.apache.usergrid.rest.applications.ServiceResource;
+import org.apache.usergrid.rest.security.annotations.CheckPermissionsForPath;
 import org.apache.usergrid.rest.security.annotations.RequireApplicationAccess;
 import org.apache.usergrid.services.assets.data.AssetUtils;
 import org.apache.usergrid.services.assets.data.AwsSdkS3BinaryStore;
@@ -103,8 +104,8 @@ public class AssetsResource extends ServiceResource {
     }
 
 
+    @CheckPermissionsForPath
     @POST
-    @RequireApplicationAccess
     @Consumes(MediaType.MULTIPART_FORM_DATA)
     @Path("{entityId: [A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}}/data")
     public Response uploadData( @FormDataParam("file") InputStream uploadedInputStream,
@@ -133,8 +134,8 @@ public class AssetsResource extends ServiceResource {
     }
 
 
+    @CheckPermissionsForPath
     @PUT
-    @RequireApplicationAccess
     @Consumes(MediaType.APPLICATION_OCTET_STREAM)
     @Path("{entityId: [A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}}/data")
     public Response uploadDataStreamPut( @PathParam("entityId") PathSegment entityId, InputStream
uploadedInputStream )
@@ -143,8 +144,8 @@ public class AssetsResource extends ServiceResource {
     }
 
 
+    @CheckPermissionsForPath
     @POST
-    @RequireApplicationAccess
     @Consumes(MediaType.APPLICATION_OCTET_STREAM)
     @Path("{entityId: [A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}}/data")
     public Response uploadDataStream( @PathParam("entityId") PathSegment entityId, InputStream
uploadedInputStream )
@@ -169,6 +170,7 @@ public class AssetsResource extends ServiceResource {
     }
 
 
+    @CheckPermissionsForPath
     @GET
     @Path("{entityId: [A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}}/data")
     public Response findAsset( @Context UriInfo ui, @QueryParam("callback") @DefaultValue("callback")
String callback,

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueResource.java
index 67498cd..de71073 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueResource.java
@@ -35,6 +35,7 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.usergrid.rest.security.annotations.CheckPermissionsForPath;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Scope;
@@ -86,6 +87,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @Path("subscribers")
     public QueueSubscriberResource getSubscribers( @Context UriInfo ui ) throws Exception
{
 
@@ -95,6 +97,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @Path("subscriptions")
     public QueueSubscriptionResource getSubscriptions( @Context UriInfo ui ) throws Exception
{
 
@@ -104,6 +107,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @Path("properties")
     @GET
     public JSONWithPadding getProperties( @Context UriInfo ui,
@@ -116,6 +120,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @Path("properties")
     @PUT
     @Consumes(MediaType.APPLICATION_JSON)
@@ -129,6 +134,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @GET
     public JSONWithPadding executeGet( @Context UriInfo ui, @QueryParam("start") String firstQueuePath,
                                        @QueryParam("limit") @DefaultValue("10") int limit,
@@ -149,6 +155,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @SuppressWarnings("unchecked")
     @POST
     @Consumes(MediaType.APPLICATION_JSON)
@@ -173,6 +180,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @PUT
     @Consumes(MediaType.APPLICATION_JSON)
     public JSONWithPadding executePut( @Context UriInfo ui, Map<String, Object> json,
@@ -187,6 +195,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @DELETE
     public JSONWithPadding executeDelete( @Context UriInfo ui,
                                           @QueryParam("callback") @DefaultValue("callback")
String callback )
@@ -195,6 +204,7 @@ public class QueueResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @Path("transactions")
     public QueueTransactionsResource getTransactions( @Context UriInfo ui ) throws Exception
{
 

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriberResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriberResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriberResource.java
index 12db937..7f32be0 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriberResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriberResource.java
@@ -34,6 +34,7 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.usergrid.rest.security.annotations.CheckPermissionsForPath;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Scope;
@@ -92,6 +93,7 @@ public class QueueSubscriberResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @GET
     public JSONWithPadding executeGet( @Context UriInfo ui, @QueryParam("start") String firstSubscriberQueuePath,
                                        @QueryParam("limit") @DefaultValue("10") int limit,
@@ -106,6 +108,7 @@ public class QueueSubscriberResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @POST
     @Consumes(MediaType.APPLICATION_JSON)
     public JSONWithPadding executePost( @Context UriInfo ui, EntityHolder<Map<String,
Object>> body,
@@ -118,6 +121,7 @@ public class QueueSubscriberResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @PUT
     @Consumes(MediaType.APPLICATION_JSON)
     public JSONWithPadding executePut( @Context UriInfo ui, EntityHolder<Map<String,
Object>> body,
@@ -143,6 +147,7 @@ public class QueueSubscriberResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @DELETE
     public JSONWithPadding executeDelete( @Context UriInfo ui,
                                           @QueryParam("callback") @DefaultValue("callback")
String callback )

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriptionResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriptionResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriptionResource.java
index a822b1e..c488095 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriptionResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueSubscriptionResource.java
@@ -34,6 +34,7 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.usergrid.rest.security.annotations.CheckPermissionsForPath;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Scope;
@@ -94,6 +95,7 @@ public class QueueSubscriptionResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @GET
     public JSONWithPadding executeGet( @Context UriInfo ui, @QueryParam("start") String firstSubscriptionQueuePath,
                                        @QueryParam("limit") @DefaultValue("10") int limit,
@@ -108,6 +110,7 @@ public class QueueSubscriptionResource extends AbstractContextResource
{
     }
 
 
+    @CheckPermissionsForPath
     @POST
     @Consumes(MediaType.APPLICATION_JSON)
     public JSONWithPadding executePost( @Context UriInfo ui, EntityHolder<Map<String,
Object>> body,
@@ -120,6 +123,7 @@ public class QueueSubscriptionResource extends AbstractContextResource
{
     }
 
 
+    @CheckPermissionsForPath
     @PUT
     @Consumes(MediaType.APPLICATION_JSON)
     public JSONWithPadding executePut( @Context UriInfo ui, EntityHolder<Map<String,
Object>> body,
@@ -145,6 +149,7 @@ public class QueueSubscriptionResource extends AbstractContextResource
{
     }
 
 
+    @CheckPermissionsForPath
     @DELETE
     public JSONWithPadding executeDelete( @Context UriInfo ui,
                                           @QueryParam("callback") @DefaultValue("callback")
String callback )

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueTransactionsResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueTransactionsResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueTransactionsResource.java
index 2f9819d..56cca2c 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueTransactionsResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/applications/queues/QueueTransactionsResource.java
@@ -30,6 +30,7 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.usergrid.rest.security.annotations.CheckPermissionsForPath;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Scope;
@@ -70,6 +71,7 @@ public class QueueTransactionsResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @Path("{id}")
     @PUT
     public JSONWithPadding updateTransaction( @Context UriInfo ui, @PathParam("id") UUID
transactionId,
@@ -84,6 +86,7 @@ public class QueueTransactionsResource extends AbstractContextResource {
     }
 
 
+    @CheckPermissionsForPath
     @Path("{id}")
     @DELETE
     public JSONWithPadding removeTransaction( @Context UriInfo ui, @PathParam("id") UUID
transactionId,

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
index 6f7d698..d867e1b 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
@@ -26,6 +26,8 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.shiro.subject.Subject;
+import org.apache.usergrid.rest.security.annotations.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -37,10 +39,6 @@ import org.apache.usergrid.persistence.EntityManager;
 import org.apache.usergrid.persistence.EntityManagerFactory;
 import org.apache.usergrid.persistence.index.query.Identifier;
 import org.apache.usergrid.rest.exceptions.SecurityException;
-import org.apache.usergrid.rest.security.annotations.RequireAdminUserAccess;
-import org.apache.usergrid.rest.security.annotations.RequireApplicationAccess;
-import org.apache.usergrid.rest.security.annotations.RequireOrganizationAccess;
-import org.apache.usergrid.rest.security.annotations.RequireSystemAccess;
 import org.apache.usergrid.rest.utils.PathingUtils;
 import org.apache.usergrid.security.shiro.utils.SubjectUtils;
 import org.apache.usergrid.services.ServiceManagerFactory;
@@ -54,11 +52,8 @@ import com.sun.jersey.spi.container.ResourceFilterFactory;
 
 import static org.apache.commons.lang.StringUtils.isNotEmpty;
 import static org.apache.usergrid.rest.exceptions.SecurityException.mappableSecurityException;
-import static org.apache.usergrid.security.shiro.utils.SubjectUtils.isPermittedAccessToApplication;
-import static org.apache.usergrid.security.shiro.utils.SubjectUtils.isPermittedAccessToOrganization;
-import static org.apache.usergrid.security.shiro.utils.SubjectUtils.isUser;
-import static org.apache.usergrid.security.shiro.utils.SubjectUtils.loginApplicationGuest;
 import static org.apache.usergrid.security.shiro.Realm.ROLE_SERVICE_ADMIN;
+import static org.apache.usergrid.security.shiro.utils.SubjectUtils.*;
 
 
 @Component
@@ -132,6 +127,9 @@ public class SecuredResourceFilterFactory implements ResourceFilterFactory
{
         else if ( am.isAnnotationPresent( RequireAdminUserAccess.class ) ) {
             return Collections.<ResourceFilter>singletonList( new AdminUserFilter()
);
         }
+        else if ( am.isAnnotationPresent( CheckPermissionsForPath.class ) ) {
+            return Collections.<ResourceFilter>singletonList( new PathPermissionsFilter()
);
+        }
         return null;
     }
 
@@ -331,4 +329,65 @@ public class SecuredResourceFilterFactory implements ResourceFilterFactory
{
             }
         }
     }
+
+    // This filter is created in REST from logic in org.apache.usergrid.services.AbstractService.checkPermissionsForPath
+    public class PathPermissionsFilter extends AbstractFilter {
+
+        public PathPermissionsFilter() {}
+
+
+        @Override
+        public void authorize( ContainerRequest request ) {
+            if(logger.isDebugEnabled()){
+                logger.debug( "PathPermissionsFilter.authorize" );
+            }
+
+            final String PATH_MSG =
+                "---- Checked permissions for path --------------------------------------------\n"
+ "Requested path: {} \n"
+                    + "Requested action: {} \n" + "Requested permission: {} \n" + "Permitted:
{} \n";
+
+            ApplicationInfo application;
+
+            try {
+
+                application = management.getApplicationInfo( getApplicationIdentifier() );
+                EntityManager em = emf.getEntityManager( application.getId() );
+                Subject currentUser = SubjectUtils.getSubject();
+
+                if ( currentUser == null ) {
+                    return;
+                }
+                String applicationName = application.getName().toLowerCase();
+                String operation = request.getMethod().toLowerCase();
+                String path = request.getPath().toLowerCase().replace(applicationName, "");
+                String perm =  getPermissionFromPath( em.getApplicationRef().getUuid(), operation,
path );
+
+                boolean permitted = currentUser.isPermitted( perm );
+                if ( logger.isDebugEnabled() ) {
+                    logger.debug( PATH_MSG, new Object[] { path, operation, perm, permitted
} );
+                }
+
+                if(!permitted){
+                    // throwing this so we can raise a proper mapped REST exception
+                    throw new Exception("Subject not permitted");
+                }
+
+
+                SubjectUtils.checkPermission( perm );
+                Subject subject = SubjectUtils.getSubject();
+
+                if ( logger.isDebugEnabled() ) {
+                    logger.debug("Checked subject {} for perm {}", subject != null ? subject.toString()
: "", perm);
+                    logger.debug("------------------------------------------------------------------------------");
+                }
+
+
+            } catch (Exception e){
+                throw mappableSecurityException( "unauthorized",
+                    "Subject does not have permission to access this resource" );
+            }
+
+        }
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/main/java/org/apache/usergrid/rest/security/annotations/CheckPermissionsForPath.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/annotations/CheckPermissionsForPath.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/security/annotations/CheckPermissionsForPath.java
new file mode 100644
index 0000000..5f0e00d
--- /dev/null
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/annotations/CheckPermissionsForPath.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.usergrid.rest.security.annotations;
+
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+
+/** Requires that the current Shiro security subject be the user specified in the current
REST request path. */
+@Retention(value = RUNTIME)
+@Target(value = { METHOD })
+public @interface CheckPermissionsForPath {
+
+}

http://git-wip-us.apache.org/repos/asf/usergrid/blob/fdc0d808/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
new file mode 100644
index 0000000..c5b06b5
--- /dev/null
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.usergrid.rest.applications;
+
+
+import com.sun.jersey.api.client.UniformInterfaceException;
+import org.apache.usergrid.rest.test.resource.AbstractRestIT;
+import org.apache.usergrid.rest.test.resource.model.ApiResponse;
+import org.apache.usergrid.utils.UUIDUtils;
+import org.junit.Test;
+
+import java.util.UUID;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * These tests will execute requests against certain paths (with or without credentials)
to ensure access is being
+ * allowed according to the REST and Services permissions defined for the resource.
+ */
+public class SecurityIT extends AbstractRestIT {
+
+    public SecurityIT() throws Exception {}
+
+    @Test
+    public void testAssetsNoCredentials(){
+
+        final UUID uuid = UUIDUtils.newTimeUUID();
+        try {
+            //use false in get() for no token
+            this.pathResource(getOrgAppPath("assets/" + uuid + "/data")).get(ApiResponse.class,
false);
+
+        } catch (UniformInterfaceException ui){
+            assertEquals(401, ui.getResponse().getStatus());
+        }
+    }
+
+
+    @Test
+    public void testFacebookAuthNoCredentials(){
+
+        int responseStatus = 0;
+        try {
+            //use false in get() for no token
+            this.pathResource(getOrgAppPath("auth/facebook")).get(ApiResponse.class, false);
+
+        } catch (UniformInterfaceException ui){
+            responseStatus = ui.getResponse().getStatus();
+
+        }
+        assertEquals(401, responseStatus);
+    }
+
+    @Test
+    public void testPingIdentityAuthNoCredentials(){
+
+        int responseStatus = 0;
+        try {
+            //use false in get() for no token
+            this.pathResource(getOrgAppPath("auth/pingident")).get(ApiResponse.class, false);
+
+        } catch (UniformInterfaceException ui){
+            responseStatus = ui.getResponse().getStatus();
+        }
+        assertEquals(401, responseStatus);
+
+    }
+
+    @Test
+    public void testFoursquareAuthNoCredentials(){
+
+        int responseStatus = 0;
+        try {
+            //use false in get() for no token
+            this.pathResource(getOrgAppPath("auth/foursquare")).get(ApiResponse.class, false);
+
+        } catch (UniformInterfaceException ui){
+            responseStatus = ui.getResponse().getStatus();
+        }
+        assertEquals(401, responseStatus);
+
+    }
+
+    @Test
+    public void testQueuesNoCredentials(){
+
+        int responseStatus = 0;
+        try {
+            //use false in get() for no token
+            this.pathResource(getOrgAppPath("queues")).get(ApiResponse.class, false);
+
+        } catch (UniformInterfaceException ui){
+            responseStatus = ui.getResponse().getStatus();
+        }
+        assertEquals(401, responseStatus);
+
+    }
+
+
+}


Mime
View raw message