add a security check to all admin endpoints

Either using the `@RoleAllowed` annotation, or by calling the
`RestxSecurityManager`

restx-admin/src/main/java/restx/config/ConfigResource.java

@@ -1,10 +1,12 @@
package restx.config;

import restx.admin.AdminModule;
import restx.annotations.GET;
import restx.annotations.RestxResource;
import restx.common.ConfigElement;
import restx.common.RestxConfig;
import restx.factory.Component;
import restx.security.RolesAllowed;

/**
 */
@@ -16,6 +18,7 @@ public ConfigResource(RestxConfig config) {
        this.config = config;
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/config/elements")
    public Iterable<ConfigElement> findConfigElements() {
        return config.elements();

restx-admin/src/main/java/restx/exceptions/ErrorDescriptorsRoute.java

@@ -1,5 +1,8 @@
package restx.exceptions;

import static restx.security.Permissions.hasRole;


import com.fasterxml.jackson.databind.ObjectWriter;
import com.google.common.base.Optional;
import com.google.common.collect.ImmutableCollection;
@@ -8,9 +11,11 @@
import restx.RestxRequest;
import restx.RestxRequestMatch;
import restx.StdRestxRequestMatcher;
import restx.admin.AdminModule;
import restx.factory.Component;
import restx.jackson.FrontObjectMapperFactory;
import restx.jackson.StdJsonProducerEntityRoute;
import restx.security.RestxSecurityManager;

import javax.inject.Named;
import java.io.IOException;
@@ -25,9 +30,12 @@
public class ErrorDescriptorsRoute extends StdJsonProducerEntityRoute {

    private final ImmutableMap<String, ErrorDescriptor> errorDescriptors;
    private final RestxSecurityManager securityManager;

    public ErrorDescriptorsRoute(Iterable<ErrorDescriptor> errorDescriptors,
                                 @Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter objectWriter) {
                                 @Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter objectWriter,
                                 RestxSecurityManager securityManager) {

        super("ErrorDescriptorsRoute", ImmutableCollection.class, objectWriter, new StdRestxRequestMatcher("GET", "/@/errors/descriptors"));
        Map<String, ErrorDescriptor> map = Maps.newLinkedHashMap();
        for (ErrorDescriptor errorDescriptor : errorDescriptors) {
@@ -37,10 +45,12 @@ public ErrorDescriptorsRoute(Iterable<ErrorDescriptor> errorDescriptors,
            map.put(errorDescriptor.getErrorCode(), errorDescriptor);
        }
        this.errorDescriptors = ImmutableMap.copyOf(map);
        this.securityManager = securityManager;
    }

    @Override
    protected Optional<?> doRoute(RestxRequest restxRequest, RestxRequestMatch match, Object i) throws IOException {
        securityManager.check(restxRequest, hasRole(AdminModule.RESTX_ADMIN_ROLE));
        return Optional.of(errorDescriptors.values());
    }
}

restx-apidocs/src/main/java/restx/apidocs/ApiDeclarationRoute.java

@@ -5,20 +5,23 @@
import com.google.common.base.Optional;
import com.google.common.collect.*;
import restx.*;
import restx.admin.AdminModule;
import restx.description.*;
import restx.factory.Component;
import restx.factory.Factory;
import restx.factory.Name;
import restx.factory.NamedComponent;
import restx.jackson.FrontObjectMapperFactory;
import restx.jackson.StdJsonProducerEntityRoute;
import restx.security.RestxSecurityManager;

import javax.inject.Inject;
import javax.inject.Named;
import java.io.IOException;
import java.util.*;

import static restx.apidocs.ApiDocsIndexRoute.getRouterApiPath;
import static restx.security.Permissions.hasRole;

/**
 * Serves the swagger api declaration of one router, which looks like that:
@@ -41,16 +44,19 @@
@Component
public class ApiDeclarationRoute extends StdJsonProducerEntityRoute {
    private final Factory factory;
    private final RestxSecurityManager securityManager;

    @Inject
    public ApiDeclarationRoute(@Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter writer,
                               Factory factory) {
            Factory factory, RestxSecurityManager securityManager) {
        super("ApiDeclarationRoute", Map.class, writer, new StdRestxRequestMatcher("GET", "/@/api-docs/{router}"));
        this.factory = factory;
        this.securityManager = securityManager;
    }

    @Override
    protected Optional<?> doRoute(RestxRequest restxRequest, RestxRequestMatch match, Object body) throws IOException {
        securityManager.check(restxRequest, hasRole(AdminModule.RESTX_ADMIN_ROLE));
        String routerName = match.getPathParam("router");
        Optional<NamedComponent<RestxRouter>> router = getRouterByName(factory, routerName);

restx-apidocs/src/main/java/restx/apidocs/ApiDocsIndexRoute.java

@@ -1,17 +1,21 @@
package restx.apidocs;

import com.fasterxml.jackson.databind.ObjectMapper;
import static restx.security.Permissions.hasRole;


import com.fasterxml.jackson.databind.ObjectWriter;
import com.google.common.base.CaseFormat;
import com.google.common.base.Optional;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import restx.*;
import restx.admin.AdminModule;
import restx.factory.Component;
import restx.factory.Factory;
import restx.factory.NamedComponent;
import restx.jackson.FrontObjectMapperFactory;
import restx.jackson.StdJsonProducerEntityRoute;
import restx.security.RestxSecurityManager;

import javax.inject.Inject;
import javax.inject.Named;
@@ -41,15 +45,21 @@
@Component
public class ApiDocsIndexRoute extends StdJsonProducerEntityRoute {
    private final Factory factory;
    private final RestxSecurityManager securityManager;

    @Inject
    public ApiDocsIndexRoute(@Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter writer, Factory factory) {
    public ApiDocsIndexRoute(@Named(FrontObjectMapperFactory.WRITER_NAME) ObjectWriter writer,
                             Factory factory,
                             RestxSecurityManager securityManager) {

        super("ApiDocsIndexRoute", Map.class, writer, new StdRestxRequestMatcher("GET", "/@/api-docs"));
        this.factory = factory;
        this.securityManager = securityManager;
    }

    @Override
    protected Optional<?> doRoute(RestxRequest restxRequest, RestxRequestMatch match, Object i) throws IOException {
        securityManager.check(restxRequest, hasRole(AdminModule.RESTX_ADMIN_ROLE));
        return Optional.of(ImmutableMap.builder()
                .put("apiVersion", "0.1") // TODO
                .put("swaggerVersion", "1.1")

restx-apidocs/src/main/java/restx/apidocs/JsonSchemaResource.java

@@ -6,11 +6,13 @@
import com.fasterxml.jackson.module.jsonSchema.JsonSchema;
import com.fasterxml.jackson.module.jsonSchema.factories.SchemaFactoryWrapper;
import restx.WebException;
import restx.admin.AdminModule;
import restx.annotations.GET;
import restx.annotations.RestxResource;
import restx.factory.Component;
import restx.http.HttpStatus;
import restx.jackson.FrontObjectMapperFactory;
import restx.security.RolesAllowed;

import javax.inject.Named;

@@ -27,6 +29,7 @@ public JsonSchemaResource(@Named(FrontObjectMapperFactory.MAPPER_NAME) ObjectMap
    }

    @GET("/@/api-docs/schemas/{fqcn}")
    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    public String getJsonSchema(String fqcn) {
        SchemaFactoryWrapper visitor = new SchemaFactoryWrapper();
        try {

restx-apidocs/src/main/java/restx/apidocs/SpecsResource.java

@@ -2,10 +2,13 @@

import com.google.common.base.Charsets;
import com.google.common.base.Optional;

import restx.admin.AdminModule;
import restx.annotations.GET;
import restx.annotations.PUT;
import restx.annotations.RestxResource;
import restx.factory.Component;
import restx.security.RolesAllowed;
import restx.specs.RestxSpec;
import restx.specs.RestxSpecRepository;
import restx.specs.ThenHttpResponse;
@@ -30,11 +33,13 @@ public SpecsResource(RestxSpecRepository repository, RestxSpec.StorageSettings s
        storage = RestxSpec.Storage.with(storageSettings);
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/specs")
    public Iterable<String> findSpecsForOperation(String httpMethod, String path) {
        return repository.findSpecsByOperation(httpMethod, path);
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/specs/{id}")
    public Optional<RestxSpec> getSpecById(String id) {
        try {
@@ -49,6 +54,7 @@ public SpecsResource(RestxSpecRepository repository, RestxSpec.StorageSettings s
        }
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @PUT("/@/specs/{id}/wts/{wtsIndex}/then")
    public Optional<ThenHttpResponse> updateSpecThenHttp(String id, int wtsIndex, ThenHttpResponse response) throws IOException {
        try {

restx-factory-admin/src/main/java/restx/factory/FactoryDumpRoute.java

@@ -1,22 +1,30 @@
package restx.factory;

import static restx.security.Permissions.hasRole;


import restx.*;
import restx.admin.AdminModule;
import restx.security.RestxSecurityManager;

import javax.inject.Inject;
import java.io.IOException;

@Component
public class FactoryDumpRoute extends StdRoute {
    private final Factory factory;
    private final RestxSecurityManager securityManager;

    @Inject
    public FactoryDumpRoute(Factory factory) {
    public FactoryDumpRoute(Factory factory, RestxSecurityManager securityManager) {
        super("FactoryRoute", new StdRestxRequestMatcher("GET", "/@/factory"));
        this.factory = factory;
        this.securityManager = securityManager;
    }

    @Override
    public void handle(RestxRequestMatch match, RestxRequest req, RestxResponse resp, RestxContext ctx) throws IOException {
        securityManager.check(req, hasRole(AdminModule.RESTX_ADMIN_ROLE));
        resp.setContentType("text/plain");
        resp.getWriter().println(factory.dump());
    }

restx-factory-admin/src/main/java/restx/factory/WarehouseRoute.java

@@ -1,9 +1,14 @@
package restx.factory;

import static restx.security.Permissions.hasRole;


import com.google.common.base.Joiner;
import com.google.common.collect.Lists;
import restx.*;
import restx.admin.AdminModule;
import restx.annotations.RestxResource;
import restx.security.RestxSecurityManager;

import javax.inject.Inject;
import java.io.IOException;
@@ -13,19 +18,22 @@
@Component
public class WarehouseRoute extends StdRoute {
    private final Warehouse warehouse;
    private final RestxSecurityManager securityManager;

    @Inject
    public WarehouseRoute(Factory factory) {
        this(factory.getWarehouse());
    public WarehouseRoute(Factory factory, RestxSecurityManager securityManager) {
        this(factory.getWarehouse(), securityManager);
    }

    public WarehouseRoute(Warehouse warehouse) {
    public WarehouseRoute(Warehouse warehouse, RestxSecurityManager securityManager) {
        super("WarehouseRoute", new StdRestxRequestMatcher("GET", "/@/warehouse"));
        this.warehouse = warehouse;
        this.securityManager = securityManager;
    }

    @Override
    public void handle(RestxRequestMatch match, RestxRequest req, RestxResponse resp, RestxContext ctx) throws IOException {
        securityManager.check(req, hasRole(AdminModule.RESTX_ADMIN_ROLE));
        resp.setContentType("application/json");

        List<String> nodesCode = Lists.newArrayList();

restx-i18n-admin/src/main/java/restx/i18n/admin/MessagesAdminResource.java

@@ -1,12 +1,14 @@
package restx.i18n.admin;

import restx.admin.AdminModule;
import restx.annotations.GET;
import restx.annotations.POST;
import restx.annotations.RestxResource;
import restx.factory.Component;
import restx.i18n.Messages;
import restx.i18n.MutableMessages;
import restx.i18n.SupportedLocale;
import restx.security.RolesAllowed;

import javax.inject.Named;
import java.io.IOException;
@@ -27,11 +29,13 @@ public MessagesAdminResource(@Named("Messages") Messages messages, Collection<Su
        this.supportedLocales = supportedLocales;
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/i18n/keys")
    public Iterable<String> keys() {
        return messages.keys();
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/i18n/locales")
    public Iterable<String> locales() {
        Collection<String> locales = new ArrayList<>();
@@ -42,6 +46,7 @@ public MessagesAdminResource(@Named("Messages") Messages messages, Collection<Su
        return locales;
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/i18n/messages/{locale}")
    public Map<String, String> messages(String locale) {
        Locale l = toLocale(locale);
@@ -52,6 +57,7 @@ public MessagesAdminResource(@Named("Messages") Messages messages, Collection<Su
        return m;
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @POST("/@/i18n/messages/{locale}")
    public void setMessage(String locale, Map<String, String> entries) {
        if (!(messages instanceof MutableMessages)) {

restx-log-admin/src/main/java/restx/log/admin/LogAdminResource.java

@@ -8,11 +8,13 @@
import org.slf4j.ILoggerFactory;
import org.slf4j.LoggerFactory;
import restx.WebException;
import restx.admin.AdminModule;
import restx.annotations.GET;
import restx.annotations.PUT;
import restx.annotations.RestxResource;
import restx.common.MorePreconditions;
import restx.factory.Component;
import restx.security.RolesAllowed;

import java.io.File;
import java.io.IOException;
@@ -39,6 +41,7 @@ public Logger(String name, String level) {
        }
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/logs")
    public String getLogs() {
        // quick and dirty basic implementation to get logs from the default log file.
@@ -64,6 +67,7 @@ public String getLogs() {
        }
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @GET("/@/loggers")
    public Iterable<Logger> getLoggers() {
        ILoggerFactory loggerFactory = LoggerFactory.getILoggerFactory();
@@ -81,6 +85,7 @@ public String getLogs() {
        }
    }

    @RolesAllowed(AdminModule.RESTX_ADMIN_ROLE)
    @PUT("/@/loggers/{name}")
    public Logger updateLogger(String name, Logger logger) {
        logger.name = name;