Secure the endpoints

Former-commit-id: 4352b1c2

Secure the endpoints
81540292 · Martin Weise · 8ff897c5 · 81540292 · 81540292 · 81540292
Commit 81540292 authored Feb 6, 2022 by Martin Weise
--- a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
+++ b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
@@ -12,7 +12,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.validation.Valid;
@@ -37,7 +37,6 @@ public class ContainerEndpoint {
        this.containerService = containerService;
    }
-    @Transactional
    @GetMapping
    @ApiOperation(value = "List all containers", notes = "Lists the containers in the metadata database.")
    @ApiResponses({
@@ -52,7 +51,6 @@ public class ContainerEndpoint {
                        .collect(Collectors.toList()));
    }
-    @Transactional
    @PostMapping
    @ApiOperation(value = "Creates a new container", notes = "Creates a new container whose image is registered in the metadata database too.")
    @ApiResponses({
@@ -69,9 +67,8 @@ public class ContainerEndpoint {
                .body(response);
    }
-    @Transactional
    @GetMapping("/{id}")
-    @ApiOperation(value = "Get all informations about a container", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
+    @ApiOperation(value = "Get all information about a container", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
    @ApiResponses({
            @ApiResponse(code = 200, message = "Get information about container."),
            @ApiResponse(code = 401, message = "Not authorized to get information about a container."),
@@ -84,7 +81,6 @@ public class ContainerEndpoint {
                .body(containerMapper.containerToContainerDto(container));
    }
-    @Transactional
    @PutMapping("/{id}")
    @ApiOperation(value = "Change the state of a container", notes = "The new state can only be one of START/STOP.")
    @ApiResponses({
@@ -93,7 +89,8 @@ public class ContainerEndpoint {
            @ApiResponse(code = 401, message = "Not authorized to modify a container."),
            @ApiResponse(code = 404, message = "No container found with this id in metadata database."),
    })
-    public ResponseEntity<ContainerBriefDto> modify(@NotNull @PathVariable Long id, @Valid @RequestBody ContainerChangeDto changeDto)
+    public ResponseEntity<ContainerBriefDto> modify(@NotNull @PathVariable Long id,
+                                                    @Valid @RequestBody ContainerChangeDto changeDto)
            throws ContainerNotFoundException, DockerClientException {
        final Container container;
        if (changeDto.getAction().equals(ContainerActionTypeDto.START)) {
@@ -107,6 +104,7 @@ public class ContainerEndpoint {
    @DeleteMapping("/{id}")
    @ApiOperation(value = "Delete a container")
+    @PreAuthorize("hasRole('ROLE_DATA_STEWARD')")
    @ApiResponses({
            @ApiResponse(code = 200, message = "Deleted the container."),
            @ApiResponse(code = 401, message = "Not authorized to delete a container."),

--- a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
+++ b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
@@ -18,7 +18,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.validation.Valid;
@@ -42,7 +42,6 @@ public class ImageEndpoint {
        this.imageMapper = imageMapper;
    }
-    @Transactional
    @GetMapping
    @ApiOperation(value = "List all images", notes = "Lists the images in the metadata database.")
    @ApiResponses({
@@ -57,8 +56,8 @@ public class ImageEndpoint {
                        .collect(Collectors.toList()));
    }
-    @Transactional
    @PostMapping
+    @PreAuthorize("hasRole('DEVELOPER')")
    @ApiOperation(value = "Creates a new image", notes = "Creates a new image in the metadata database.")
    @ApiResponses({
            @ApiResponse(code = 201, message = "Successfully created a new image."),
@@ -73,7 +72,6 @@ public class ImageEndpoint {
                .body(imageMapper.containerImageToImageDto(image));
    }
-    @Transactional
    @GetMapping("/{id}")
    @ApiOperation(value = "Get all informations about a image", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
    @ApiResponses({
@@ -87,8 +85,8 @@ public class ImageEndpoint {
                .body(imageMapper.containerImageToImageDto(image));
    }
-    @Transactional
    @PutMapping("/{id}")
+    @PreAuthorize("hasRole('DEVELOPER')")
    @ApiOperation(value = "Update image information", notes = "Polls new information about an image")
    @ApiResponses({
            @ApiResponse(code = 202, message = "Updated the information of a image."),
@@ -102,6 +100,7 @@ public class ImageEndpoint {
    }
    @DeleteMapping("/{id}")
+    @PreAuthorize("hasRole('DEVELOPER')")
    @ApiOperation(value = "Delete a image")
    @ApiResponses({
            @ApiResponse(code = 200, message = "Deleted the image."),

--- a/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
+++ b/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
@@ -14,7 +14,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import javax.validation.Valid;
@@ -37,7 +37,6 @@ public class ContainerDatabaseEndpoint {
        this.databaseService = databaseService;
    }
-    @Transactional
    @GetMapping
    @ApiOperation(value = "List all databases", notes = "Currently a container supports only databases of the same image, e.g. there is one PostgreSQL engine running with multiple databases inside a container.")
    @ApiResponses({
@@ -52,7 +51,6 @@ public class ContainerDatabaseEndpoint {
        return ResponseEntity.ok(databases);
    }
-    @Transactional
    @PostMapping
    @ApiOperation(value = "Creates a new database in a container", notes = "Creates a new database in a container. Note that the backend distincts between numerical (req: categories), nominal (req: max_length) and categorical (req: max_length, siUnit, min, max, mean, median, standard_deviation, histogram) column types.")
    @ApiResponses({
@@ -71,9 +69,8 @@ public class ContainerDatabaseEndpoint {
                .body(databaseMapper.databaseToDatabaseDto(database));
    }
-    @Transactional
    @GetMapping("/{databaseId}")
-    @ApiOperation(value = "Get all informations about a database")
+    @ApiOperation(value = "Get all information about a database")
    @ApiResponses({
            @ApiResponse(code = 200, message = "The database information is displayed."),
            @ApiResponse(code = 400, message = "The payload contains invalid data."),
@@ -84,7 +81,8 @@ public class ContainerDatabaseEndpoint {
        return ResponseEntity.ok(databaseMapper.databaseToDatabaseDto(databaseService.findById(id, databaseId)));
    }
-    @DeleteMapping("/{id}")
+    @DeleteMapping("/{databaseId}")
+    @PreAuthorize("hasRole('ROLE_DEVELOPER') or hasRole('ROLE_DATA_STEWARD')")
    @ApiOperation(value = "Delete a database")
    @ApiResponses({
            @ApiResponse(code = 202, message = "The database was successfully deleted."),

--- a/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
+++ b/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
@@ -57,8 +57,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        /* set permissions on endpoints */
        http.authorizeRequests()
                /* our public endpoints */
-                .antMatchers(HttpMethod.GET, "/api/container/**").permitAll()
+                .antMatchers(HttpMethod.GET, "container/**/database/**").permitAll()
-                .antMatchers(HttpMethod.GET, "/api/image/**").permitAll()
                /* our private endpoints */
                .anyRequest().authenticated();
        /* add JWT token filter */