From db102f75e44dee80c55afa262381671928443c2f Mon Sep 17 00:00:00 2001 From: tommi27 Date: Mon, 20 Apr 2020 16:41:11 +0200 Subject: [PATCH] light and room controller routes check for guest authorization --- .../controller/DimmableLightController.java | 35 +++++++++-- .../controller/RegularLightController.java | 33 +++++++++-- .../smarthut/controller/RoomController.java | 58 +++++++++++++++++-- .../sa4/sanmarinoes/smarthut/models/Room.java | 1 - 4 files changed, 108 insertions(+), 19 deletions(-) diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/DimmableLightController.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/DimmableLightController.java index cb7cc00..9a36125 100644 --- a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/DimmableLightController.java +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/DimmableLightController.java @@ -8,6 +8,7 @@ import ch.usi.inf.sa4.sanmarinoes.smarthut.error.NotFoundException; import ch.usi.inf.sa4.sanmarinoes.smarthut.models.*; import java.security.Principal; import java.util.List; +import java.util.Optional; import javax.validation.Valid; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; @@ -18,6 +19,8 @@ import org.springframework.web.bind.annotation.*; @RequestMapping("/dimmableLight") public class DimmableLightController { + @Autowired private UserRepository userRepository; + @Autowired private RoomRepository roomRepository; @Autowired private DimmableLightRepository dimmableLightService; @Autowired private SceneRepository sceneRepository; @Autowired private StateRepository> stateRepository; 
@@ -47,13 +50,33 @@ public class DimmableLightController { @PutMapping public DimmableLight update( - @Valid @RequestBody DimmableSaveRequest sp, final Principal principal) + @Valid @RequestBody DimmableSaveRequest sp, + final Principal principal, + Optional guestId) throws NotFoundException { - return save( - dimmableLightService - .findByIdAndUsername(sp.getId(), principal.getName()) - .orElseThrow(NotFoundException::new), - sp); + + /** + * Extremely verbose check through various repositories to control user/guest authorization. + */ + if (guestId.isPresent() + && userRepository + .findById( + roomRepository + .findById(sp.getRoomId().longValue()) + .get() + .getUserId() + .longValue()) + .get() + .getGuests() + .contains(userRepository.findById(guestId.get().longValue()))) { + return save( + dimmableLightService + .findByIdAndUsername(sp.getId(), principal.getName()) + .orElseThrow(NotFoundException::new), + sp); + } else { + throw new Error("401: Unauthorized user. Not a guest."); + } } @DeleteMapping("/{id}") diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RegularLightController.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RegularLightController.java index ac0fd47..7016030 100644 --- a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RegularLightController.java +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RegularLightController.java @@ -8,6 +8,7 @@ import ch.usi.inf.sa4.sanmarinoes.smarthut.error.NotFoundException; import ch.usi.inf.sa4.sanmarinoes.smarthut.models.*; import java.security.Principal; import java.util.List; +import java.util.Optional; import javax.validation.Valid; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; 
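Review bot: The membership test in the new `if` compares `getGuests()` against an `Optional`, not a user — `userRepository.findById(...)` is unwrapped with `.get()` two lines earlier in the same expression, so unless `getGuests()` holds `Optional`s, `.contains(userRepository.findById(guestId.get().longValue()))` is always false and every request, guest or owner, ends in the else branch; unwrap it the same way, preferably `.orElseThrow(NotFoundException::new)` instead of the bare `.get()` calls, which turn an unknown room or user id into a `NoSuchElementException`. That else branch throws `java.lang.Error`, which is not an `Exception` and will typically surface as a container 500 rather than the 401 the message announces; a checked exception handled like the existing `NotFoundException` (or `ResponseStatusException` with `HttpStatus.UNAUTHORIZED`) is the right signal. Because `guestId.isPresent()` gates the only success path, a request without a guest id — the owner's own call, which `findByIdAndUsername(sp.getId(), principal.getName())` still validates — is rejected as well, so the guest test should be an additional branch beside the owner path, not a replacement for it. Note also that `guestId` is client-supplied and never tied to `principal`, so a match only shows that some guest relation exists for the room's owner, not that the caller is that guest. The same four points apply to the `update` hunk in RegularLightController and to the `findAll`, `findById` and `getDevices` hunks in RoomController.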
@@ -26,6 +27,8 @@ import org.springframework.web.bind.annotation.RestController; @RequestMapping("/regularLight") public class RegularLightController { + @Autowired private UserRepository userRepository; + @Autowired private RoomRepository roomRepository; @Autowired private RegularLightRepository regularLightService; @Autowired private SceneRepository sceneRepository; @Autowired private StateRepository> stateRepository; @@ -55,13 +58,31 @@ public class RegularLightController { @PutMapping public RegularLight update( - @Valid @RequestBody SwitchableSaveRequest rl, final Principal principal) + @Valid @RequestBody SwitchableSaveRequest rl, + final Principal principal, + Optional guestId) throws NotFoundException { - return save( - regularLightService - .findByIdAndUsername(rl.getId(), principal.getName()) - .orElseThrow(NotFoundException::new), - rl); + + /** Extremely verbose check for guest/user authorization */ + if (guestId.isPresent() + && userRepository + .findById( + roomRepository + .findById(rl.getRoomId()) + .get() + .getUserId() + .longValue()) + .get() + .getGuests() + .contains(userRepository.findById(guestId.get().longValue()))) { + return save( + regularLightService + .findByIdAndUsername(rl.getId(), principal.getName()) + .orElseThrow(NotFoundException::new), + rl); + } else { + throw new Error("401: Unauthorized user. Not a guest."); + } } @DeleteMapping("/{id}") diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RoomController.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RoomController.java index 9474fd4..734ecce 100644 --- a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RoomController.java +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/controller/RoomController.java 
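Review bot: The twelve-line guest check in `update` is a verbatim copy of the one in DimmableLightController and of the three in RoomController, differing only in which room id it reads; a single helper on a service the controllers share, e.g. `boolean isGuestOfRoomOwner(long roomId, long guestId)`, would keep the authorization rule in one place so that a correction lands in every route at once. The `/** Extremely verbose check ... */` inside the method body is a Javadoc-style comment attached to a statement; use `//` there and reserve `/** */` for the method itself, where a sentence on who may call this route (owner via `principal`, or one of the owner's guests via `guestId`) would be more useful than a remark about verbosity.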
@@ -33,13 +33,38 @@ public class RoomController { @Autowired private ThermostatService thermostatService; @GetMapping - public List findAll() { - return toList(roomRepository.findAll()); + public List findAll(Optional guestId) { + + List rooms = toList(roomRepository.findAll()); + + if (guestId.isPresent() + && !rooms.isEmpty() + && userRepository + .findById(rooms.get(0).getUserId()) + .get() + .getGuests() + .contains(userRepository.findById(guestId.get().longValue()))) { + return rooms; + } else { + throw new Error("401: Unauthorized user. Not a guest."); + } } @GetMapping("/{id}") - public @ResponseBody Room findById(@PathVariable("id") long id) throws NotFoundException { - return roomRepository.findById(id).orElseThrow(NotFoundException::new); + public @ResponseBody Room findById(@PathVariable("id") long id, Optional guestId) + throws NotFoundException { + Room room = roomRepository.findById(id).orElseThrow(NotFoundException::new); + + if (guestId.isPresent() + && userRepository + .findById(room.getUserId().longValue()) + .get() + .getGuests() + .contains(userRepository.findById(guestId.get()))) { + return room; + } else { + throw new Error("401: Unauthorized user. Not a guest."); + } } @PostMapping 
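Review bot: `findAll` authorizes against `rooms.get(0).getUserId()`, the owner of whichever room `roomRepository.findAll()` happens to return first, and then returns the whole unfiltered list; since that query carries no username filter, a guest of any one owner receives every room of every user. The query should be scoped to the owner the guest belongs to (the repository presumably has a username-scoped finder, as the light controllers rely on `findByIdAndUsername`) and the guest relation checked against that owner rather than the first element. Neither `findAll` nor `findById` consults a `Principal` any more, so here the client-supplied `guestId` is the only input to the access decision. Note too that with `@GsonExclude` removed from `Room.userId` in the Room.java hunk of this commit, the owner's id is now part of every Room these routes return, which should be a deliberate choice.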
@@ -101,13 +126,34 @@ public class RoomController { * id). */ @GetMapping(path = "/{roomId}/devices") - public List getDevices(@PathVariable("roomId") long roomid) { + public List getDevices(@PathVariable("roomId") long roomid, Optional guestId) { Iterable devices = deviceRepository.findByRoomId(roomid); for (Device d : devices) { if (d instanceof Thermostat) { thermostatService.populateMeasuredTemperature((Thermostat) d); } } - return toList(devices); + List dl = toList(devices); + + /** + * Extremely verbose method calls to find the current user and check if the optional user is + * one of their guests + */ + if (guestId.isPresent() + && !dl.isEmpty() + && userRepository + .findById( + roomRepository + .findById(dl.get(0).getRoomId().longValue()) + .get() + .getUserId() + .longValue()) + .get() + .getGuests() + .contains(userRepository.findById(guestId.get().longValue()))) { + return dl; + } else { + throw new Error("401: Unauthorized user. Not a guest."); + } } } diff --git a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/Room.java b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/Room.java index 4f0f592..34f3824 100644 --- a/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/Room.java +++ b/src/main/java/ch/usi/inf/sa4/sanmarinoes/smarthut/models/Room.java @@ -145,7 +145,6 @@ public class Room { */ @NotNull @Column(name = "user_id", nullable = false) - @GsonExclude private Long userId; /** The user given name of this room (e.g. 'Master bedroom') */
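Review bot: In `getDevices` the authorization decision is made after the devices have been loaded and `thermostatService.populateMeasuredTemperature` has run on each thermostat, so that work is done for callers who are then rejected; the check should be the first statement and keyed on the `roomid` path variable rather than `dl.get(0).getRoomId()`. Keying on the first device also means a room with no devices can never satisfy `!dl.isEmpty()`, so an authorized guest gets the 401 `Error` instead of an empty list. Resolving the room once with `roomRepository.findById(roomid).orElseThrow(NotFoundException::new)` before the device query fixes both and removes the chained `.get()` calls.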