[SHIBUI-1058]

Added security checks so only Admins can set serviceEnabled to true.
Still need unit tests. Also need JJ's feedback on the XML-related
endpoints.

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java

@@ -79,6 +79,11 @@ public ResponseEntity<?> create(@RequestBody EntityDescriptorRepresentation edRe
             return existingEntityDescriptorConflictResponse;
         }
 
+        ResponseEntity<?> entityDescriptorEnablingDeniedResponse = entityDescriptorEnablePermissionsCheck(edRepresentation.isServiceEnabled());
+        if (entityDescriptorEnablingDeniedResponse != null) {
+            return entityDescriptorEnablingDeniedResponse;
+        }
+
         EntityDescriptor ed = (EntityDescriptor) entityDescriptorService.createDescriptorFromRepresentation(edRepresentation);
 
         EntityDescriptor persistedEd = entityDescriptorRepository.save(ed);
@@ -89,11 +94,13 @@ public ResponseEntity<?> create(@RequestBody EntityDescriptorRepresentation edRe
 
     @PostMapping(value = "/EntityDescriptor", consumes = "application/xml")
     public ResponseEntity<?> upload(@RequestBody byte[] entityDescriptorXml, @RequestParam String spName) throws Exception {
+        //TODO: Do we want security checks here?
         return handleUploadingEntityDescriptorXml(entityDescriptorXml, spName);
     }
 
     @PostMapping(value = "/EntityDescriptor", consumes = "application/x-www-form-urlencoded")
     public ResponseEntity<?> upload(@RequestParam String metadataUrl, @RequestParam String spName) throws Exception {
+        //TODO: Do we want security checks here?
         try {
             byte[] xmlContents = this.restTemplate.getForObject(metadataUrl, byte[].class);
             return handleUploadingEntityDescriptorXml(xmlContents, spName);
@@ -119,6 +126,11 @@ public ResponseEntity<?> update(@RequestBody EntityDescriptorRepresentation edRe
                     return new ResponseEntity<Void>(HttpStatus.CONFLICT);
                 }
 
+                ResponseEntity<?> entityDescriptorEnablingDeniedResponse = entityDescriptorEnablePermissionsCheck(edRepresentation.isServiceEnabled());
+                if (entityDescriptorEnablingDeniedResponse != null) {
+                    return entityDescriptorEnablingDeniedResponse;
+                }
+
                 EntityDescriptor updatedEd =
                         EntityDescriptor.class.cast(entityDescriptorService.createDescriptorFromRepresentation(edRepresentation));
 
@@ -211,6 +223,17 @@ private ResponseEntity<?> existingEntityDescriptorCheck(String entityId) {
         return null;
     }
 
+    private ResponseEntity<?> entityDescriptorEnablePermissionsCheck(boolean serviceEnabled) {
+        User user = userService.getCurrentUser();
+        if (user != null) {
+            if (serviceEnabled && !user.getRole().equals("ROLE_ADMIN")) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN)
+                        .body(new ErrorResponse(HttpStatus.FORBIDDEN, "You do not have the permissions necessary to enable this service."));
+            }
+        }
+        return null;
+    }
+
     private ResponseEntity<?> handleUploadingEntityDescriptorXml(byte[] rawXmlBytes, String spName) throws Exception {
         final EntityDescriptor ed = EntityDescriptor.class.cast(openSamlObjects.unmarshalFromXml(rawXmlBytes));