filter all requests to admin endpoints

a-peyrard · a-peyrard · commit 418811f25b57 · 2016-02-10T09:10:24.000+01:00
The user must be authenticated, and have the admin role.
Some requests are excluded from the filter, permitting to serve
the static contents (html/js/css...) for the admin ui.
diff --git a/restx-admin/src/main/java/restx/admin/AdminModule.java b/restx-admin/src/main/java/restx/admin/AdminModule.java
@@ -5,8 +5,21 @@
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.hash.Hashing;
+
+import java.io.IOException;
+import java.util.regex.Pattern;
+import restx.RestxContext;
+import restx.RestxFilter;
+import restx.RestxHandler;
+import restx.RestxHandlerMatch;
+import restx.RestxRequest;
+import restx.RestxRequestMatch;
+import restx.RestxResponse;
+import restx.StdRestxRequestMatch;
+import restx.WebException;
 import restx.factory.Module;
 import restx.factory.Provides;
+import restx.http.HttpStatus;
 import restx.security.*;
 
 import javax.inject.Named;
@@ -57,4 +70,33 @@ public String getName() {
             return "admin";
         }
     }
+
+    @Provides
+    public RestxFilter adminRoleFilter() {
+        return new RestxFilter() {
+            final Pattern privatePath = Pattern.compile("^/@/(?!(ui|webjars)/).*$");
+
+            @Override
+            public Optional<RestxHandlerMatch> match(RestxRequest req) {
+                if (privatePath.matcher(req.getRestxPath()).find()) {
+                    return Optional.of(new RestxHandlerMatch(
+                            new StdRestxRequestMatch("/@/*", req.getRestxPath()),
+                            new RestxHandler() {
+                                @Override
+                                public void handle(RestxRequestMatch match, RestxRequest req, RestxResponse resp, RestxContext ctx) throws IOException {
+                                    final RestxSession current = RestxSession.current();
+                                    if (current.getPrincipal().isPresent() &&
+                                            Permissions.hasRole(RESTX_ADMIN_ROLE).has(current.getPrincipal().get(), req).isPresent()) {
+                                        ctx.nextHandlerMatch().handle(req, resp, ctx);
+                                    } else {
+                                        throw new WebException(HttpStatus.UNAUTHORIZED);
+                                    }
+                                }
+                            }
+                    ));
+                }
+                return Optional.absent();
+            }
+        };
+    }
 }
