Encryption API: Use a representer to render the response along with l…

…inks. (#3031)
gocd · Dec 23, 2016 · 467cf5f · 467cf5f
1 parent 875252a
commit 467cf5f
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 4 deletions.
diff --git a/server/webapp/WEB-INF/applicationContext-acegi-security.xml b/server/webapp/WEB-INF/applicationContext-acegi-security.xml
@@ -265,6 +265,7 @@
                 /api/admin/internal/repository_check_connection=ROLE_SUPERVISOR, ROLE_GROUP_SUPERVISOR
                 /api/admin/pipelines=ROLE_SUPERVISOR,ROLE_GROUP_SUPERVISOR
                 /api/admin/pipelines/*=ROLE_SUPERVISOR,ROLE_GROUP_SUPERVISOR
+                /api/admin/encrypt=ROLE_SUPERVISOR, ROLE_GROUP_SUPERVISOR, ROLE_TEMPLATE_SUPERVISOR
                 /api/admin/scms/**=ROLE_SUPERVISOR, ROLE_GROUP_SUPERVISOR
                 /api/admin/repositories/**=ROLE_SUPERVISOR, ROLE_GROUP_SUPERVISOR
                 /api/admin/packages/**=ROLE_SUPERVISOR, ROLE_GROUP_SUPERVISOR

diff --git a/server/webapp/WEB-INF/rails.new/app/controllers/api_v1/admin/encryption_controller.rb b/server/webapp/WEB-INF/rails.new/app/controllers/api_v1/admin/encryption_controller.rb
@@ -17,12 +17,13 @@
 module ApiV1
   module Admin
     class EncryptionController < ApiV1::BaseController
-      before_action :check_admin_user_or_group_admin_user_and_401
+      before_action :check_any_admin_user_and_401
 
       @@go_cipher = GoCipher.new
 
       def encrypt_value
-        render DEFAULT_FORMAT => {encrypted_value: @@go_cipher.encrypt(params[:value])}
+        encrypted_value = @@go_cipher.encrypt(params[:value])
+        render DEFAULT_FORMAT => ApiV1::EncryptedValueRepresenter.new(encrypted_value).to_hash(url_builder: self)
       rescue
         render_message("An error occurred while encrypting the value. Please check the logs for more details.", :internal_server_error)
       end

diff --git a/server/webapp/WEB-INF/rails.new/app/helpers/api_v1/authentication_helper.rb b/server/webapp/WEB-INF/rails.new/app/helpers/api_v1/authentication_helper.rb
@@ -70,6 +70,14 @@ def check_admin_user_or_group_admin_user_and_401
       end
     end
 
+    def check_any_admin_user_and_401
+      return unless security_service.isSecurityEnabled()
+      if !(security_service.isUserAdmin(current_user) || security_service.isUserGroupAdmin(current_user) || security_service.isAuthorizedToViewAndEditTemplates(current_user))
+        Rails.logger.info("User '#{current_user.getUsername}' attempted to perform an unauthorized action!")
+        render_unauthorized_error
+      end
+    end
+
     def check_pipeline_group_admin_user_and_401
       groupName = params[:group] || go_config_service.findGroupNameByPipeline(com.thoughtworks.go.config.CaseInsensitiveString.new(params[:pipeline_name]))
       return unless security_service.isSecurityEnabled()

diff --git a/server/webapp/WEB-INF/rails.new/app/presenters/api_v1/encrypted_value_representer.rb b/server/webapp/WEB-INF/rails.new/app/presenters/api_v1/encrypted_value_representer.rb
@@ -0,0 +1,35 @@
+##########################################################################
+# Copyright 2016 ThoughtWorks, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+module ApiV1
+  class EncryptedValueRepresenter < ApiV1::BaseRepresenter
+
+    link :self do |opts|
+      opts[:url_builder].apiv1_admin_encrypt_url
+    end
+
+    link :doc do |opts|
+      'https://api.go.cd/#encryption'
+    end
+
+    property :encrypted_value, exec_context: :decorator
+
+    def encrypted_value
+      represented
+    end
+
+  end
+end
diff --git a/server/webapp/WEB-INF/rails.new/spec/controllers/api_v1/admin/encryption_controller_spec.rb b/server/webapp/WEB-INF/rails.new/spec/controllers/api_v1/admin/encryption_controller_spec.rb
@@ -45,6 +45,11 @@
       login_as_group_admin
       expect(controller).to allow_action(:post, :encrypt_value)
     end
+
+    it 'should allow template admin users, with security enabled' do
+      login_as_template_admin
+      expect(controller).to allow_action(:post, :encrypt_value)
+    end
   end
 
   describe :route do
@@ -70,8 +75,8 @@
       login_as_admin
       post_with_api_header :encrypt_value, {value: 'foo'}
 
-      expect(response.status).to eq(200)
-      expect(actual_response).to eq({encrypted_value: GoCipher.new.encrypt('foo')})
+      expect(response).to be_ok
+      expected_response(GoCipher.new.encrypt('foo'), ApiV1::EncryptedValueRepresenter)
     end
   end
 end
diff --git a/server/webapp/WEB-INF/rails.new/spec/presenters/api_v1/encrypted_value_representer_spec.rb b/server/webapp/WEB-INF/rails.new/spec/presenters/api_v1/encrypted_value_representer_spec.rb
@@ -0,0 +1,28 @@
+##########################################################################
+# Copyright 2016 ThoughtWorks, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##########################################################################
+
+require 'spec_helper'
+
+describe ApiV1::EncryptedValueRepresenter do
+  it 'should render encrypted value with hal representation' do
+    actual_json = ApiV1::EncryptedValueRepresenter.new("encrypted_string").to_hash(url_builder: UrlBuilder.new)
+    expect(actual_json).to have_link(:self).with_url(UrlBuilder.new.apiv1_admin_encrypt_url)
+    expect(actual_json).to have_link(:doc).with_url('https://api.go.cd/#encryption')
+    actual_json.delete(:_links)
+
+    expect(actual_json).to eq({encrypted_value: "encrypted_string"})
+  end
+end
diff --git a/server/webapp/WEB-INF/rails.new/spec/support/api_spec_helper.rb b/server/webapp/WEB-INF/rails.new/spec/support/api_spec_helper.rb
@@ -97,6 +97,7 @@ def login_as_template_admin
     enable_security
     controller.stub(:current_user).and_return(@user = Username.new(CaseInsensitiveString.new(SecureRandom.hex)))
     @security_service.stub(:isUserAdmin).with(@user).and_return(false)
+    @security_service.stub(:isUserGroupAdmin).with(@user).and_return(false)
     @security_service.stub(:isAuthorizedToViewAndEditTemplates).with(@user).and_return(true)
     @security_service.stub(:isAuthorizedToEditTemplate).with(anything, anything).and_return(true)
   end