From c308b0b11e32a413c5e5a0077cfb321ec2228a49 Mon Sep 17 00:00:00 2001
From: Gustavo Martin Morcuende
Date: Mon, 3 Oct 2016 16:43:00 +0200
Subject: [PATCH] Pages authorization
---
 .../persistence/dao/AuthorizationDao.java | 46 ++++++++++++++++++++++
 .../services/impl/AuthorizationServicesImpl.java | 24 +++++++++++
 .../database/impl/DataBaseAccessImpl.java | 1 -
 .../core/context/security/handle/PagesHandler.java | 11 +++++-
 src/main/resources/liquibase/dml.sql | 7 +++-
 5 files changed, 85 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/com/prueba/authorization/persistence/dao/AuthorizationDao.java
 create mode 100644 src/main/java/com/prueba/authorization/services/impl/AuthorizationServicesImpl.java
diff --git a/src/main/java/com/prueba/authorization/persistence/dao/AuthorizationDao.java b/src/main/java/com/prueba/authorization/persistence/dao/AuthorizationDao.java
new file mode 100644
index 0000000..947c206
--- /dev/null
+++ b/src/main/java/com/prueba/authorization/persistence/dao/AuthorizationDao.java
@@ -0,0 +1,46 @@
+package com.prueba.authorization.persistence.dao;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.sql.DataSource;
+
+import com.prueba.core.context.integration.database.impl.DataBaseAccessImpl;
+import com.prueba.core.context.web.application.ApplicationWebContext;
+
+public class AuthorizationDao {
+ public static final String URL_PATTERN = "URL_PATTERN";
+ public static final String HTTP_METHOD = "HTTP_METHOD";
+
+ public List> findURLsByUserName(String userName) {
+ final DataSource dataSource = ApplicationWebContext.getInstance().getDataSource();
+ final DataBaseAccessImpl dataBaseAccess = new DataBaseAccessImpl(dataSource);
+
+ return dataBaseAccess.executeQuery("" +
+ "SELECT APP_RES.URL_PATTERN, APP_RES.HTTP_METHOD FROM APPLICATION_ROLE APP_ROLE " +
+ "INNER JOIN APPLICATION_RESOURCE_APPLICATION_ROLE APP_RES_APP_ROLE ON APP_ROLE.CODE = APP_RES_APP_ROLE.APPLICATION_ROLE_CODE " +
+ "INNER JOIN APPLICATION_RESOURCE APP_RES ON APP_RES.URL_PATTERN = APP_RES_APP_ROLE.APPLICATION_RESOURCE_URL_PATTERN " +
+ "INNER JOIN ACCOUNT ACC ON ACC.APPLICATION_ROLE_CODE = APP_ROLE.CODE " +
+ "WHERE ACC.CODE = ? ",
+ answer ->
+ {
+ final List> result = new ArrayList<>();
+ while (answer.next()) {
+ final Map row = new HashMap<>();
+ String urlPatternValue = answer.getString(URL_PATTERN);
+ String httpMethodValue = answer.getString(HTTP_METHOD);
+ row.put(URL_PATTERN, urlPatternValue);
+ row.put(HTTP_METHOD, httpMethodValue);
+ result.add(row);
+ }
+
+ return result;
+ },
+ preparedStatement -> {
+ preparedStatement.setString(1, userName);
+ });
+ }
+}
+
diff --git a/src/main/java/com/prueba/authorization/services/impl/AuthorizationServicesImpl.java b/src/main/java/com/prueba/authorization/services/impl/AuthorizationServicesImpl.java
new file mode 100644
index 0000000..9e6d726
--- /dev/null
+++ b/src/main/java/com/prueba/authorization/services/impl/AuthorizationServicesImpl.java
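Review bot: findURLsByUserName carries no Javadoc and inlines a five-line SQL string into the executeQuery call, so nothing tells a reader that each returned map is one URL_PATTERN/HTTP_METHOD pair granted to the role of the account whose CODE equals userName; I would hoist the query into `private static final String FIND_RESOURCES_BY_ACCOUNT_SQL` and document the method with `/** Returns the (URL_PATTERN, HTTP_METHOD) pairs granted to the role of the account whose CODE equals userName; empty when the account or its role has no resources. */`. The username is bound through `preparedStatement.setString(1, userName)` rather than concatenated, so the session-supplied value cannot alter the query, which is the right shape for this lookup. If either column is nullable, `answer.getString` yields null and the null is copied into the row map, so consumers must not call methods on the map values without a guard.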
@@ -0,0 +1,24 @@
+package com.prueba.authorization.services.impl;
+
+import java.util.List;
+import java.util.Map;
+
+import com.prueba.authorization.persistence.dao.AuthorizationDao;
+
+public class AuthorizationServicesImpl {
+
+ public boolean isAuthorized(String httpMethod, String url, String userName) {
+ final AuthorizationDao dao = new AuthorizationDao();
+
+ final List> urls = dao.findURLsByUserName(userName);
+
+ return urls.stream().anyMatch(urlMap ->
+ {
+ String urlPatternValue = urlMap.get(AuthorizationDao.URL_PATTERN);
+ String httpMethodValue = urlMap.get(AuthorizationDao.HTTP_METHOD);
+
+ return urlPatternValue.equals(url) && httpMethodValue.equals(httpMethod);
+ });
+
+ }
+}
diff --git a/src/main/java/com/prueba/core/context/integration/database/impl/DataBaseAccessImpl.java b/src/main/java/com/prueba/core/context/integration/database/impl/DataBaseAccessImpl.java
index 287a653..46bc785 100644
--- a/src/main/java/com/prueba/core/context/integration/database/impl/DataBaseAccessImpl.java
+++ b/src/main/java/com/prueba/core/context/integration/database/impl/DataBaseAccessImpl.java
@@ -13,7 +13,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import com.prueba.core.context.integration.database.DataBaseAccess;
-import com.prueba.core.context.integration.datasource.impl.DoDataSourceContext;
 public class DataBaseAccessImpl implements DataBaseAccess {
 private static final Logger LOGGER = LoggerFactory.getLogger(DataBaseAccessImpl.class);
diff --git a/src/main/java/com/prueba/core/context/security/handle/PagesHandler.java b/src/main/java/com/prueba/core/context/security/handle/PagesHandler.java
index ce27e95..8b0d175 100644
--- a/src/main/java/com/prueba/core/context/security/handle/PagesHandler.java
+++ b/src/main/java/com/prueba/core/context/security/handle/PagesHandler.java
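Review bot: isAuthorized matches with an exact `equals` on the stored URL_PATTERN, yet the seeded APPLICATION_RESOURCE rows in dml.sql include templated entries such as `/app/api/{username}` that this comparison can never satisfy; if those resources are meant to go through this service a pattern matcher is needed, otherwise a Javadoc should state that only literal paths are supported. The database-sourced values are also the receivers of `equals`, so a NULL column turns into a NullPointerException inside the stream instead of a denial; reversing the operands keeps the fail-closed behaviour: `return url.equals(urlMap.get(AuthorizationDao.URL_PATTERN)) && httpMethod.equals(urlMap.get(AuthorizationDao.HTTP_METHOD));`. The empty-result case already denies, since `anyMatch` over no rows is false, which is the right default for an authorization check.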
@@ -3,6 +3,7 @@ package com.prueba.core.context.security.handle;
 import java.io.IOException;
 import java.net.URI;
+import com.prueba.authorization.services.impl.AuthorizationServicesImpl;
 import com.prueba.core.context.security.persistence.SessionInfo;
 import com.prueba.core.context.security.persistence.Sessions;
 import com.prueba.resources.controllers.PagesController;
@@ -17,6 +18,7 @@ public class PagesHandler implements HttpHandler {
 private static final String SERVER_ADDRESS = "http://localhost:8080";
 private final PagesController pagesController = new PagesController();
+ private final AuthorizationServicesImpl authorizationService = new AuthorizationServicesImpl();
 private final HttpHandler sessionHandler;
 public PagesHandler(HttpHandler sessionHandler) {
@@ -30,7 +32,14 @@ public class PagesHandler implements HttpHandler {
 final SessionInfo sessionInfo = SessionHandler.getLocalSession();
 if (Sessions.getInstance().isValidSession(httpExchange)) {
- pagesController.handle(httpExchange);
+ if(authorizationService.isAuthorized(httpExchange.getRequestMethod(),
+ httpExchange.getRequestURI().toString(), sessionInfo.getUsername())) {
+
+ pagesController.handle(httpExchange);
+
+ } else {
+ httpExchange.sendResponseHeaders(403, 0);
+ }
 Sessions.getInstance().refreshSession(sessionInfo.getUUID(), sessionInfo.getUsername());
 } else {
diff --git a/src/main/resources/liquibase/dml.sql b/src/main/resources/liquibase/dml.sql
index 9fd254c..81f8125 100644
--- a/src/main/resources/liquibase/dml.sql
+++ b/src/main/resources/liquibase/dml.sql
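Review bot: In the new else branch of the third hunk, `httpExchange.sendResponseHeaders(403, 0)` announces a chunked body that is never written or closed, so unless handle() closes the exchange further down (the method starts and ends outside the hunk) the client waits on the forbidden response; `httpExchange.sendResponseHeaders(403, -1); httpExchange.close();` sends an empty 403 and completes the exchange. The value handed to isAuthorized is `httpExchange.getRequestURI().toString()`, which includes any query string, so `/app/pages/page_1.html?x=1` never equals the stored `/app/pages/page_1.html` and is denied; `getRequestURI().getPath()` is the form the resource table holds. The refusal is also silent and still reaches the refreshSession call below it; a log line with the username, method and path on the 403 branch gives operators an audit trail for repeated failures, and the session refresh arguably belongs only in the authorized branch.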
@@ -19,6 +19,9 @@ INSERT INTO APPLICATION_RESOURCE_APPLICATION_ROLE (APPLICATION_RESOURCE_URL_PATT
 ('/app/pages/page_1.html', 'GET', 'ROLE_APP_PAGE_1'),
 ('/app/pages/page_2.html', 'GET', 'ROLE_APP_PAGE_2'),
 ('/app/pages/page_3.html', 'GET', 'ROLE_APP_PAGE_3'),
+('/app/pages/page_1.html', 'GET', 'ROLE_APP_ADMIN'),
+('/app/pages/page_2.html', 'GET', 'ROLE_APP_ADMIN'),
+('/app/pages/page_3.html', 'GET', 'ROLE_APP_ADMIN'),
 ('/app/api/{username}', 'GET', 'ROLE_APP_PAGE_1'),
 ('/app/api/{username}', 'GET', 'ROLE_APP_PAGE_2'),
 ('/app/api/{username}', 'GET', 'ROLE_APP_PAGE_3'),
@@ -29,6 +32,6 @@ INSERT INTO APPLICATION_RESOURCE_APPLICATION_ROLE (APPLICATION_RESOURCE_URL_PATT
 INSERT INTO ACCOUNT (CODE, NAME, SURNAME, PASSWORD, APPLICATION_ROLE_CODE) values
 ('GUMARTIN', 'Gustavo', 'Martin Morcuende', 'lame', 'ROLE_APP_ADMIN'),
-('USER1', 'Gustavo', 'Martin Morcuende', 'god', 'ROLE_APP_PAG_1'),
-('USER2', 'Gustavo', 'Martin Morcuende', 'root', 'ROLE_APP_PAG_2');
+('USER1', 'Gustavo', 'Martin Morcuende', 'god', 'ROLE_APP_PAGE_1'),
+('USER2', 'Gustavo', 'Martin Morcuende', 'root', 'ROLE_APP_PAGE_2');
--
2.1.4
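Review bot: The ACCOUNT rows re-inserted on the new side of the second hunk still seed PASSWORD with the literal values 'god' and 'root'; if this changelog is applied anywhere beyond a throwaway local database, the column should hold a salted hash (bcrypt, scrypt or argon2) and the seed should carry the hash rather than the secret. The ROLE_APP_PAG_1 to ROLE_APP_PAGE_1 correction suggests APPLICATION_ROLE_CODE has no foreign key to APPLICATION_ROLE, since otherwise the earlier typo would have failed at load time; with the new isAuthorized path such a mismatch now silently yields 403 on every resource for that account, so a foreign key on that column would turn it into a load-time error instead. Until then a comment above the INSERT is worth having: `-- APPLICATION_ROLE_CODE must match APPLICATION_ROLE.CODE exactly; a mismatch denies every resource for the account`.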