Java tutorial
/* * Copyright 2010-2013 Ning, Inc. * * Ning licenses this file to you under the Apache License, version 2.0 * (the "License"); you may not use this file except in compliance with the * License. You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations * under the License. */ package org.killbill.billing.jaxrs.resources; import java.util.List; import java.util.Set; import javax.inject.Singleton; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.Consumes; import javax.ws.rs.DELETE; import javax.ws.rs.GET; import javax.ws.rs.HeaderParam; import javax.ws.rs.POST; import javax.ws.rs.PUT; import javax.ws.rs.Path; import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.Status; import javax.ws.rs.core.UriInfo; import org.apache.shiro.SecurityUtils; import org.apache.shiro.subject.Subject; import org.killbill.billing.account.api.AccountUserApi; import org.killbill.billing.jaxrs.json.RoleDefinitionJson; import org.killbill.billing.jaxrs.json.SubjectJson; import org.killbill.billing.jaxrs.json.UserRolesJson; import org.killbill.billing.jaxrs.util.Context; import org.killbill.billing.jaxrs.util.JaxrsUriBuilder; import org.killbill.billing.payment.api.PaymentApi; import org.killbill.billing.security.Permission; import org.killbill.billing.security.SecurityApiException; import org.killbill.billing.security.api.SecurityApi; import org.killbill.billing.util.api.AuditUserApi; import org.killbill.billing.util.api.CustomFieldUserApi; import org.killbill.billing.util.api.TagUserApi; import org.killbill.billing.util.callcontext.TenantContext; import org.killbill.clock.Clock; import org.killbill.commons.metrics.TimedResource; import com.google.common.base.Functions; import com.google.common.collect.ImmutableList; import com.google.common.collect.Iterables; import com.google.inject.Inject; import io.swagger.annotations.Api; import io.swagger.annotations.ApiOperation; import io.swagger.annotations.ApiResponses; import static javax.ws.rs.core.MediaType.APPLICATION_JSON; @Singleton @Path(JaxrsResource.SECURITY_PATH) @Api(value = JaxrsResource.SECURITY_PATH, description = "Information about RBAC") public class SecurityResource extends JaxRsResourceBase { private final SecurityApi securityApi; @Inject public SecurityResource(final SecurityApi securityApi, final JaxrsUriBuilder uriBuilder, final TagUserApi tagUserApi, final CustomFieldUserApi customFieldUserApi, final AuditUserApi auditUserApi, final AccountUserApi accountUserApi, final PaymentApi paymentApi, final Clock clock, final Context context) { super(uriBuilder, tagUserApi, customFieldUserApi, auditUserApi, accountUserApi, paymentApi, null, clock, context); this.securityApi = securityApi; } @TimedResource @GET @Path("/permissions") @Produces(APPLICATION_JSON) @ApiOperation(value = "List user permissions", response = String.class, responseContainer = "List") @ApiResponses(value = {}) public Response getCurrentUserPermissions(@javax.ws.rs.core.Context final HttpServletRequest request) { // The getCurrentUserPermissions takes a TenantContext which is not used because permissions are cross tenants (at this point) final TenantContext nullTenantContext = null; final Set<Permission> permissions = securityApi.getCurrentUserPermissions(nullTenantContext); final List<String> json = ImmutableList .<String>copyOf(Iterables.<Permission, String>transform(permissions, Functions.toStringFunction())); return Response.status(Status.OK).entity(json).build(); } @TimedResource @GET @Path("/subject") @Produces(APPLICATION_JSON) @ApiOperation(value = "Get user information", response = SubjectJson.class) @ApiResponses(value = {}) public Response getCurrentUserSubject(@javax.ws.rs.core.Context final HttpServletRequest request) { final Subject subject = SecurityUtils.getSubject(); final SubjectJson subjectJson = new SubjectJson(subject); return Response.status(Status.OK).entity(subjectJson).build(); } @TimedResource @POST @Path("/users") @Consumes(APPLICATION_JSON) @Produces(APPLICATION_JSON) @ApiOperation(value = "Add a new user with roles (to make api requests)") public Response addUserRoles(final UserRolesJson json, @HeaderParam(HDR_CREATED_BY) final String createdBy, @HeaderParam(HDR_REASON) final String reason, @HeaderParam(HDR_COMMENT) final String comment, @javax.ws.rs.core.Context final HttpServletRequest request, @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException { securityApi.addUserRoles(json.getUsername(), json.getPassword(), json.getRoles(), context.createContext(createdBy, reason, comment, request)); return Response.status(Status.CREATED).build(); } @TimedResource @PUT @Consumes(APPLICATION_JSON) @Produces(APPLICATION_JSON) @Path("/users/{username:" + ANYTHING_PATTERN + "}/password") @ApiOperation(value = "Update a user password") public Response updateUserPassword(final UserRolesJson json, @PathParam("username") final String username, @HeaderParam(HDR_CREATED_BY) final String createdBy, @HeaderParam(HDR_REASON) final String reason, @HeaderParam(HDR_COMMENT) final String comment, @javax.ws.rs.core.Context final HttpServletRequest request, @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException { securityApi.updateUserPassword(username, json.getPassword(), context.createContext(createdBy, reason, comment, request)); return Response.status(Status.OK).build(); } @TimedResource @GET @Produces(APPLICATION_JSON) @Path("/users/{username:" + ANYTHING_PATTERN + "}/roles") @ApiOperation(value = "Get roles associated to a user") public Response getUserRoles(@PathParam("username") final String username, @javax.ws.rs.core.Context final HttpServletRequest request, @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException { final List<String> roles = securityApi.getUserRoles(username, context.createContext(request)); final UserRolesJson userRolesJson = new UserRolesJson(username, null, roles); return Response.status(Status.OK).entity(userRolesJson).build(); } @TimedResource @PUT @Consumes(APPLICATION_JSON) @Produces(APPLICATION_JSON) @Path("/users/{username:" + ANYTHING_PATTERN + "}/roles") @ApiOperation(value = "Update roles associated to a user") public Response updateUserRoles(final UserRolesJson json, @PathParam("username") final String username, @HeaderParam(HDR_CREATED_BY) final String createdBy, @HeaderParam(HDR_REASON) final String reason, @HeaderParam(HDR_COMMENT) final String comment, @javax.ws.rs.core.Context final HttpServletRequest request, @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException { securityApi.updateUserRoles(username, json.getRoles(), context.createContext(createdBy, reason, comment, request)); return Response.status(Status.OK).build(); } @TimedResource @DELETE @Consumes(APPLICATION_JSON) @Produces(APPLICATION_JSON) @Path("/users/{username:" + ANYTHING_PATTERN + "}") @ApiOperation(value = "Invalidate an existing user") public Response invalidateUser(@PathParam("username") final String username, @HeaderParam(HDR_CREATED_BY) final String createdBy, @HeaderParam(HDR_REASON) final String reason, @HeaderParam(HDR_COMMENT) final String comment, @javax.ws.rs.core.Context final HttpServletRequest request, @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException { securityApi.invalidateUser(username, context.createContext(createdBy, reason, comment, request)); return Response.status(Status.NO_CONTENT).build(); } @TimedResource @POST @Path("/roles") @Consumes(APPLICATION_JSON) @Produces(APPLICATION_JSON) @ApiOperation(value = "Add a new role definition)") public Response addRoleDefinition(final RoleDefinitionJson json, @HeaderParam(HDR_CREATED_BY) final String createdBy, @HeaderParam(HDR_REASON) final String reason, @HeaderParam(HDR_COMMENT) final String comment, @javax.ws.rs.core.Context final HttpServletRequest request, @javax.ws.rs.core.Context final UriInfo uriInfo) throws SecurityApiException { securityApi.addRoleDefinition(json.getRole(), json.getPermissions(), context.createContext(createdBy, reason, comment, request)); return Response.status(Status.CREATED).build(); } }