diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java index e76749c06..aeac1fca2 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java @@ -79,6 +79,11 @@ public ResponseEntity create(@RequestBody EntityDescriptorRepresentation edRe return existingEntityDescriptorConflictResponse; } + ResponseEntity entityDescriptorEnablingDeniedResponse = entityDescriptorEnablePermissionsCheck(edRepresentation.isServiceEnabled()); + if (entityDescriptorEnablingDeniedResponse != null) { + return entityDescriptorEnablingDeniedResponse; + } + EntityDescriptor ed = (EntityDescriptor) entityDescriptorService.createDescriptorFromRepresentation(edRepresentation); EntityDescriptor persistedEd = entityDescriptorRepository.save(ed); @@ -89,11 +94,13 @@ public ResponseEntity create(@RequestBody EntityDescriptorRepresentation edRe @PostMapping(value = "/EntityDescriptor", consumes = "application/xml") public ResponseEntity upload(@RequestBody byte[] entityDescriptorXml, @RequestParam String spName) throws Exception { + //TODO: Do we want security checks here? return handleUploadingEntityDescriptorXml(entityDescriptorXml, spName); } @PostMapping(value = "/EntityDescriptor", consumes = "application/x-www-form-urlencoded") public ResponseEntity upload(@RequestParam String metadataUrl, @RequestParam String spName) throws Exception { + //TODO: Do we want security checks here? try { byte[] xmlContents = this.restTemplate.getForObject(metadataUrl, byte[].class); return handleUploadingEntityDescriptorXml(xmlContents, spName); @@ -119,6 +126,11 @@ public ResponseEntity update(@RequestBody EntityDescriptorRepresentation edRe return new ResponseEntity(HttpStatus.CONFLICT); } + ResponseEntity entityDescriptorEnablingDeniedResponse = entityDescriptorEnablePermissionsCheck(edRepresentation.isServiceEnabled()); + if (entityDescriptorEnablingDeniedResponse != null) { + return entityDescriptorEnablingDeniedResponse; + } + EntityDescriptor updatedEd = EntityDescriptor.class.cast(entityDescriptorService.createDescriptorFromRepresentation(edRepresentation)); @@ -211,6 +223,17 @@ private ResponseEntity existingEntityDescriptorCheck(String entityId) { return null; } + private ResponseEntity entityDescriptorEnablePermissionsCheck(boolean serviceEnabled) { + User user = userService.getCurrentUser(); + if (user != null) { + if (serviceEnabled && !user.getRole().equals("ROLE_ADMIN")) { + return ResponseEntity.status(HttpStatus.FORBIDDEN) + .body(new ErrorResponse(HttpStatus.FORBIDDEN, "You do not have the permissions necessary to enable this service.")); + } + } + return null; + } + private ResponseEntity handleUploadingEntityDescriptorXml(byte[] rawXmlBytes, String spName) throws Exception { final EntityDescriptor ed = EntityDescriptor.class.cast(openSamlObjects.unmarshalFromXml(rawXmlBytes));