diff --git a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
index 5eec2b16c58e0de6de43737cec4f0c1abea98b03..12612c22e05806d2f4dd3d2dbf3e248b9268489f 100644
--- a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
+++ b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerEndpoint.java
@@ -12,7 +12,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
@@ -37,7 +37,6 @@ public class ContainerEndpoint {
         this.containerService = containerService;
     }
 
-    @Transactional
     @GetMapping
     @ApiOperation(value = "List all containers", notes = "Lists the containers in the metadata database.")
     @ApiResponses({
@@ -52,7 +51,6 @@ public class ContainerEndpoint {
                 .collect(Collectors.toList()));
     }
 
-    @Transactional
     @PostMapping
     @ApiOperation(value = "Creates a new container", notes = "Creates a new container whose image is registered in the metadata database too.")
     @ApiResponses({
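Review bot: Removing `@Transactional` from `findAll` and `create` (and from the read and modify methods later in this file, as well as the identical removals in ImageEndpoint and ContainerDatabaseEndpoint) means the DTO mappers in the hunks' context lines now touch entities outside any transaction; if `Container` or its image association is lazily loaded and open-in-view is disabled, `containerToContainerDto` will raise `LazyInitializationException` at response time. I cannot see the entity mappings or the service layer in this diff, so this needs confirming against them; the usual resolution is `@Transactional(readOnly = true)` on the service methods rather than on the controller. Each hunk shows only the annotations and the tail of the previous method, so the method bodies lie outside the hunk.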
@@ -69,9 +67,8 @@ public class ContainerEndpoint {
                 .body(response);
     }
 
-    @Transactional
     @GetMapping("/{id}")
-    @ApiOperation(value = "Get all informations about a container", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
+    @ApiOperation(value = "Get all information about a container", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
     @ApiResponses({
             @ApiResponse(code = 200, message = "Get information about container."),
             @ApiResponse(code = 401, message = "Not authorized to get information about a container."),
@@ -84,7 +81,6 @@ public class ContainerEndpoint {
                 .body(containerMapper.containerToContainerDto(container));
     }
 
-    @Transactional
     @PutMapping("/{id}")
     @ApiOperation(value = "Change the state of a container", notes = "The new state can only be one of START/STOP.")
     @ApiResponses({
@@ -93,7 +89,8 @@ public class ContainerEndpoint {
             @ApiResponse(code = 401, message = "Not authorized to modify a container."),
             @ApiResponse(code = 404, message = "No container found with this id in metadata database."),
     })
-    public ResponseEntity<ContainerBriefDto> modify(@NotNull @PathVariable Long id, @Valid @RequestBody ContainerChangeDto changeDto)
+    public ResponseEntity<ContainerBriefDto> modify(@NotNull @PathVariable Long id,
+                                                    @Valid @RequestBody ContainerChangeDto changeDto)
             throws ContainerNotFoundException, DockerClientException {
         final Container container;
         if (changeDto.getAction().equals(ContainerActionTypeDto.START)) {
@@ -107,6 +104,7 @@ public class ContainerEndpoint {
 
     @DeleteMapping("/{id}")
     @ApiOperation(value = "Delete a container")
+    @PreAuthorize("hasRole('ROLE_DATA_STEWARD')")
     @ApiResponses({
             @ApiResponse(code = 200, message = "Deleted the container."),
             @ApiResponse(code = 401, message = "Not authorized to delete a container."),
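Review bot: Only `delete` receives a role check (`@PreAuthorize("hasRole('ROLE_DATA_STEWARD')")`), while `create` and the START/STOP `modify` in the hunk above stay open to any authenticated principal; if that is not the intended policy, the same annotation belongs on those two methods, as ImageEndpoint does for its POST, PUT and DELETE. Note also that `@PreAuthorize` is enforced only when method security is enabled (`@EnableGlobalMethodSecurity(prePostEnabled = true)` on a configuration class); no such configuration for fda-container-service appears in this diff, and without it the annotation is silently ignored and `delete` stays reachable by every authenticated user. A test asserting 403 for an authenticated non-steward on DELETE would pin this either way. The `modify` and `delete` bodies continue outside the hunk.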
diff --git a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
index 53eb0de4b110ddf4ea40bd540b4efbc27339dd88..09f7591ea9cb5e06fe4f189865c82b30a9e1ce48 100644
--- a/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
+++ b/fda-container-service/rest-service/src/main/java/at/tuwien/endpoints/ImageEndpoint.java
@@ -18,7 +18,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
@@ -42,7 +42,6 @@ public class ImageEndpoint {
         this.imageMapper = imageMapper;
     }
 
-    @Transactional
     @GetMapping
     @ApiOperation(value = "List all images", notes = "Lists the images in the metadata database.")
     @ApiResponses({
@@ -57,8 +56,8 @@ public class ImageEndpoint {
                 .collect(Collectors.toList()));
     }
 
-    @Transactional
     @PostMapping
+    @PreAuthorize("hasRole('DEVELOPER')")
     @ApiOperation(value = "Creates a new image", notes = "Creates a new image in the metadata database.")
     @ApiResponses({
             @ApiResponse(code = 201, message = "Successfully created a new image."),
@@ -73,7 +72,6 @@ public class ImageEndpoint {
                 .body(imageMapper.containerImageToImageDto(image));
     }
 
-    @Transactional
     @GetMapping("/{id}")
     @ApiOperation(value = "Get all informations about a image", notes = "Since we follow the REST-principle, this method provides more information than the findAll method.")
     @ApiResponses({
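Review bot: The role expression on `create` is `hasRole('DEVELOPER')`, whereas ContainerEndpoint uses `hasRole('ROLE_DATA_STEWARD')` and ContainerDatabaseEndpoint `hasRole('ROLE_DEVELOPER')`; Spring's `hasRole` prepends `ROLE_` only when the argument does not already start with it, so all three spellings resolve to the same authorities, but mixing them makes a future misspelling easy to miss because a wrong role name fails silently with a 403. Pick one form for every endpoint (the unprefixed `hasRole('DEVELOPER')` used here is the conventional one) or move the literals into shared constants. The context line `@ApiOperation(value = "Get all informations about a image", ...)` keeps the wording the commit corrects in the other two files, as do `"Updated the information of a image"` and `"Delete a image"` in the next hunks; `"Get all information about an image"` would match.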
@@ -87,8 +85,8 @@ public class ImageEndpoint {
                 .body(imageMapper.containerImageToImageDto(image));
     }
 
-    @Transactional
     @PutMapping("/{id}")
+    @PreAuthorize("hasRole('DEVELOPER')")
     @ApiOperation(value = "Update image information", notes = "Polls new information about an image")
     @ApiResponses({
             @ApiResponse(code = 202, message = "Updated the information of a image."),
@@ -102,6 +100,7 @@ public class ImageEndpoint {
     }
 
     @DeleteMapping("/{id}")
+    @PreAuthorize("hasRole('DEVELOPER')")
     @ApiOperation(value = "Delete a image")
     @ApiResponses({
             @ApiResponse(code = 200, message = "Deleted the image."),
diff --git a/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java b/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
index d30e25c8b248391f4c91d68a2905e477e1e7e292..cca4dca86db0a4864872943ded15141b355deea5 100644
--- a/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
+++ b/fda-database-service/rest-service/src/main/java/at/tuwien/endpoints/ContainerDatabaseEndpoint.java
@@ -14,7 +14,7 @@ import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.transaction.annotation.Transactional;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
@@ -37,7 +37,6 @@ public class ContainerDatabaseEndpoint {
         this.databaseService = databaseService;
     }
 
-    @Transactional
     @GetMapping
     @ApiOperation(value = "List all databases", notes = "Currently a container supports only databases of the same image, e.g. there is one PostgreSQL engine running with multiple databases inside a container.")
     @ApiResponses({
@@ -52,7 +51,6 @@ public class ContainerDatabaseEndpoint {
         return ResponseEntity.ok(databases);
     }
 
-    @Transactional
     @PostMapping
     @ApiOperation(value = "Creates a new database in a container", notes = "Creates a new database in a container. Note that the backend distincts between numerical (req: categories), nominal (req: max_length) and categorical (req: max_length, siUnit, min, max, mean, median, standard_deviation, histogram) column types.")
     @ApiResponses({
@@ -63,7 +61,7 @@ public class ContainerDatabaseEndpoint {
             @ApiResponse(code = 405, message = "Unable to connect to database within container."),
     })
     public ResponseEntity<DatabaseDto> create(@NotBlank @PathVariable("id") Long id,
-                                             @Valid @RequestBody DatabaseCreateDto createDto)
+                                              @Valid @RequestBody DatabaseCreateDto createDto)
             throws ImageNotSupportedException, ContainerNotFoundException, DatabaseMalformedException, AmqpException, ContainerConnectionException {
         final Database database = databaseService.create(id, createDto);
@@ -71,9 +69,8 @@ public class ContainerDatabaseEndpoint {
                 .body(databaseMapper.databaseToDatabaseDto(database));
     }
 
-    @Transactional
     @GetMapping("/{databaseId}")
-    @ApiOperation(value = "Get all informations about a database")
+    @ApiOperation(value = "Get all information about a database")
     @ApiResponses({
             @ApiResponse(code = 200, message = "The database information is displayed."),
             @ApiResponse(code = 400, message = "The payload contains invalid data."),
@@ -84,7 +81,8 @@ public class ContainerDatabaseEndpoint {
         return ResponseEntity.ok(databaseMapper.databaseToDatabaseDto(databaseService.findById(id, databaseId)));
     }
 
-    @DeleteMapping("/{id}")
+    @DeleteMapping("/{databaseId}")
+    @PreAuthorize("hasRole('ROLE_DEVELOPER') or hasRole('ROLE_DATA_STEWARD')")
     @ApiOperation(value = "Delete a database")
     @ApiResponses({
             @ApiResponse(code = 202, message = "The database was successfully deleted."),
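Review bot: Changing the mapping to `@DeleteMapping("/{databaseId}")` fixes only half of the binding: the `delete` method's `@PathVariable` parameter, whose signature starts below the hunk, must be named or annotated `databaseId` as well, otherwise requests fail with a missing-path-variable error once the old `id` placeholder is gone. Please confirm that signature and add a test in which a developer or data steward can delete while an unprivileged authenticated user receives 403, since `@PreAuthorize` is only enforced when method security is enabled in this service's configuration. In the `create` hunk the context line `@NotBlank @PathVariable("id") Long id` applies a `CharSequence` constraint to a `Long`; with method validation active this raises `UnexpectedTypeException` instead of validating, so `@NotNull` is the constraint that fits there.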
diff --git a/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java b/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
index 84aa080940b6685d609e1f09dd72d1b23a500851..6eca39eaf54418806f17aeb53e16d4c8f7bbf9f3 100644
--- a/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
+++ b/fda-database-service/services/src/main/java/at/tuwien/config/WebSecurityConfig.java
@@ -57,8 +57,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         /* set permissions on endpoints */
         http.authorizeRequests()
                 /* our public endpoints */
-                .antMatchers(HttpMethod.GET, "/api/container/**").permitAll()
-                .antMatchers(HttpMethod.GET, "/api/image/**").permitAll()
+                .antMatchers(HttpMethod.GET, "container/**/database/**").permitAll()
                 /* our private endpoints */
                 .anyRequest().authenticated();
         /* add JWT token filter */
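Review bot: The new matcher pattern `"container/**/database/**"` has no leading slash, and Spring's `AntPathMatcher` rejects any pattern/path pair whose leading separators differ, so as far as I can tell this `permitAll()` never matches a real request path and every GET on the database endpoints falls through to `anyRequest().authenticated()`. That fails closed rather than open, but it silently breaks the public-read policy the `/* our public endpoints */` comment describes; the removed lines also carried the `/api` prefix, so the intended value is presumably `.antMatchers(HttpMethod.GET, "/api/container/**/database/**").permitAll()` — the exact prefix depends on the class-level mapping of ContainerDatabaseEndpoint, which is not in this diff. A test that an anonymous GET on a database resource returns 200 and an anonymous DELETE returns 401 would pin both halves of the rule. The enclosing `configure(HttpSecurity)` method starts and ends outside the hunk.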