Permalink
Browse files

[breaking] Considering a StdEntityRoute should *always* bring a permi…

…ssionFactory at construction time

Deprecated RestxRouter.Builder.addRoute() with no permissionFactory in order to avoid
NPEs when checking for security permissions
  • Loading branch information...
fcamblor committed Feb 13, 2016
1 parent 5f95297 commit 4f61fd22761c0137c9db1d586be3eb4d38221972
@@ -34,10 +34,9 @@
public ErrorDescriptorsRoute(Iterable<ErrorDescriptor> errorDescriptors,
@Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter objectWriter,
RestxSecurityManager securityManager,
PermissionFactory permissionFactory) {
super("ErrorDescriptorsRoute", ImmutableCollection.class, objectWriter, new StdRestxRequestMatcher("GET", "/@/errors/descriptors"));
this.permissionFactory = permissionFactory;
PermissionFactory permissionFactory
) {
super("ErrorDescriptorsRoute", ImmutableCollection.class, objectWriter, new StdRestxRequestMatcher("GET", "/@/errors/descriptors"), permissionFactory);
Map<String, ErrorDescriptor> map = Maps.newLinkedHashMap();
for (ErrorDescriptor errorDescriptor : errorDescriptors) {
if (map.containsKey(errorDescriptor.getErrorCode())) {
@@ -50,7 +50,7 @@
@Inject
public ApiDeclarationRoute(@Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter writer,
Factory factory, RestxSecurityManager securityManager, PermissionFactory permissionFactory) {
super("ApiDeclarationRoute", Map.class, writer, new StdRestxRequestMatcher("GET", "/@/api-docs/{router}"));
super("ApiDeclarationRoute", Map.class, writer, new StdRestxRequestMatcher("GET", "/@/api-docs/{router}"), permissionFactory);
this.factory = factory;
this.securityManager = securityManager;
this.permissionFactory = permissionFactory;
@@ -14,6 +14,7 @@
import restx.jackson.StdJsonProducerEntityRoute;
import restx.security.PermissionFactory;
import restx.security.RestxSecurityManager;
import restx.security.PermissionFactory;
import javax.inject.Inject;
import javax.inject.Named;
@@ -44,23 +45,20 @@
public class ApiDocsIndexRoute extends StdJsonProducerEntityRoute {
private final Factory factory;
private final RestxSecurityManager securityManager;
private PermissionFactory permissionFactory;
@Inject
public ApiDocsIndexRoute(@Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter writer,
Factory factory,
RestxSecurityManager securityManager,
PermissionFactory permissionFactory) {
super("ApiDocsIndexRoute", Map.class, writer, new StdRestxRequestMatcher("GET", "/@/api-docs"));
super("ApiDocsIndexRoute", Map.class, writer, new StdRestxRequestMatcher("GET", "/@/api-docs"), permissionFactory);
this.factory = factory;
this.securityManager = securityManager;
this.permissionFactory = permissionFactory;
}
@Override
protected Optional<?> doRoute(RestxRequest restxRequest, RestxRequestMatch match, Object i) throws IOException {
securityManager.check(restxRequest, match, permissionFactory.hasRole(AdminModule.RESTX_ADMIN_ROLE));
securityManager.check(restxRequest, match, hasRole(AdminModule.RESTX_ADMIN_ROLE));
return Optional.of(ImmutableMap.builder()
.put("apiVersion", "0.1") // TODO
.put("swaggerVersion", "1.1")
@@ -9,9 +9,9 @@
import restx.entity.MatchedEntityRoute;
import restx.jackson.JsonEntityRouteBuilder;
import restx.jackson.StdJsonProducerEntityRoute;
import restx.security.PermissionFactory;
import java.io.IOException;
import java.lang.reflect.Type;
import java.util.List;
import static com.google.common.base.Preconditions.checkNotNull;
@@ -88,8 +88,16 @@ public Builder addRoute(RestxRoute route) {
return addRoute(path, new StdRestxRequestMatcher(method, path), outputType, route);
}
/**
* @deprecated Prefer to use addRoute(String, RestxRequestMatcher, PermissionFactory, Class<O>, MatchedEntityRoute<Void, O>)
* in order to avoid NPEs when checking permissions through permissionFactory
*/
public <O> Builder addRoute(String name, RestxRequestMatcher matcher, Class<O> outputType, final MatchedEntityRoute<Void, O> route) {
routes.add(new StdJsonProducerEntityRoute<O>(name, outputType, writer.withType(outputType), matcher) {
return addRoute(name, matcher, null, outputType, route);
}
public <O> Builder addRoute(String name, RestxRequestMatcher matcher, PermissionFactory permissionFactory, Class<O> outputType, final MatchedEntityRoute<Void, O> route) {
routes.add(new StdJsonProducerEntityRoute<O>(name, outputType, writer.withType(outputType), matcher, permissionFactory) {
@Override
protected Optional<O> doRoute(RestxRequest restxRequest, RestxRequestMatch match, Void i) throws IOException {
return route.route(restxRequest, match, i);
@@ -32,6 +32,7 @@
protected RestxRequestMatcher matcher;
protected HttpStatus successStatus = HttpStatus.OK;
protected RestxLogLevel logLevel = RestxLogLevel.DEFAULT;
protected PermissionFactory permissionFactory;
protected MatchedEntityRoute<I,O> matchedEntityRoute;
public Builder<I,O> entityRequestBodyReader(final EntityRequestBodyReader<I> entityRequestBodyReader) {
@@ -49,6 +50,11 @@
return this;
}
public Builder<I,O> permissionFactory(final PermissionFactory permissionFactory) {
this.permissionFactory = permissionFactory;
return this;
}
public Builder<I,O> matcher(final RestxRequestMatcher matcher) {
this.matcher = matcher;
return this;
@@ -74,7 +80,7 @@
return new StdEntityRoute<I, O>(
name, entityRequestBodyReader == null ? voidBodyReader() : entityRequestBodyReader,
entityResponseWriter,
matcher, successStatus, logLevel) {
matcher, successStatus, logLevel, permissionFactory) {
@Override
protected Optional<O> doRoute(RestxRequest restxRequest, RestxRequestMatch match, I i) throws IOException {
return matchedEntityRoute.route(restxRequest, match, i);
@@ -102,16 +108,6 @@
private final RestxLogLevel logLevel;
private final PermissionFactory permissionFactory;
public StdEntityRoute(String name,
EntityRequestBodyReader<I> entityRequestBodyReader,
EntityResponseWriter<O> entityResponseWriter,
RestxRequestMatcher matcher,
HttpStatus successStatus,
RestxLogLevel logLevel
) {
this(name, entityRequestBodyReader, entityResponseWriter, matcher, successStatus, logLevel, null);
}
public StdEntityRoute(String name,
EntityRequestBodyReader<I> entityRequestBodyReader,
EntityResponseWriter<O> entityResponseWriter,
@@ -6,6 +6,7 @@
import restx.entity.StdEntityRoute;
import restx.entity.VoidContentTypeModule;
import restx.http.HttpStatus;
import restx.security.PermissionFactory;
import java.lang.reflect.Type;
@@ -14,11 +15,11 @@
* Time: 11:06
*/
public abstract class StdJsonProducerEntityRoute<O> extends StdEntityRoute<Void,O> {
public StdJsonProducerEntityRoute(String name, Type type, ObjectWriter writer, RestxRequestMatcher matcher) {
public StdJsonProducerEntityRoute(String name, Type type, ObjectWriter writer, RestxRequestMatcher matcher, PermissionFactory permissionFactory) {
super(name,
VoidContentTypeModule.VoidEntityRequestBodyReader.INSTANCE,
JsonEntityResponseWriter.<O>using(type, writer),
matcher,
HttpStatus.OK, RestxLogLevel.DEFAULT);
HttpStatus.OK, RestxLogLevel.DEFAULT, permissionFactory);
}
}

0 comments on commit 4f61fd2

Please sign in to comment.