adding check for admin permission

ab96c364 · shishir suman · c193be7c · ab96c364 · ab96c364 · ab96c364
Commit ab96c364 authored 1 year ago by shishir suman
Hide whitespace changes
Inline Side-by-side

Showing

with 19 additions and 8 deletions
+19 -8
--- a/src/main/java/com/tarento/upsmf/examsAndAdmissions/RequestInterceptor.java
+++ b/src/main/java/com/tarento/upsmf/examsAndAdmissions/RequestInterceptor.java
@@ -49,7 +49,7 @@ public class RequestInterceptor extends BaseController implements HandlerInterce
 		}
 		// authentication
 		System.out.println("request_token :"+ authToken);
-		String userId = verifyRequestData(authToken);
+		String userId = verifyRequestData(authToken, request.getRequestURI());
 		//String userId = "userId";

 		System.out.println("userId :"+ userId);
@@ -63,9 +63,9 @@ public class RequestInterceptor extends BaseController implements HandlerInterce
 		return Boolean.TRUE;
 	}

-	private String verifyRequestData(String accessToken) {
+	private String verifyRequestData(String accessToken, String uri) {
 		System.out.println("verifyRequestData () "+accessToken);
-		String clientAccessTokenId = accessTokenValidator.verifyUserToken(accessToken, true);
+		String clientAccessTokenId = accessTokenValidator.verifyUserToken(accessToken, true, uri);
 		System.out.println("verifyRequestData clientAccessTokenId (): "+clientAccessTokenId);
 		return StringUtils.isBlank(clientAccessTokenId) ? Constants.Parameters.UNAUTHORIZED : clientAccessTokenId;
 	}

--- a/src/main/java/com/tarento/upsmf/examsAndAdmissions/util/AccessTokenValidator.java
+++ b/src/main/java/com/tarento/upsmf/examsAndAdmissions/util/AccessTokenValidator.java
@@ -34,6 +34,9 @@ public class AccessTokenValidator {
 	@Value("${api.user.details}")
 	private String userInfoUrl;

+	@Value("${admin.allowed.endpoints}")
+	private String adminAllowedEndpoints;
+
 	@Value("${user.roles}")
 	private String userRoles;

@@ -43,7 +46,7 @@ public class AccessTokenValidator {
 	@Autowired
 	private RedisUtil redisUtil;

-	public String verifyUserToken(String token, boolean checkActive) {
+	public String verifyUserToken(String token, boolean checkActive, String uri) {
 		String userId = Constants.Parameters.UNAUTHORIZED;
 		try {
 			Map<String, Object> payload = validateToken(token, checkActive);
@@ -53,7 +56,7 @@ public class AccessTokenValidator {
 				if (StringUtils.isNotBlank(userId)) {
 					int pos = userId.lastIndexOf(":");
 					userId = userId.substring(pos + 1);
-					return matchUserRole(userId);
+					return matchUserRole(userId, uri);
 				}
 			}
 		} catch (Exception ex) {
@@ -62,7 +65,7 @@ public class AccessTokenValidator {
 		return userId;
 	}

-	private String matchUserRole(String userId) {
+	private String matchUserRole(String userId, String uri) {
 		List<String> roles = redisUtil.getRolesByUserId(userId);
 		if(roles.isEmpty()) {
 			log.error("Missing Appropriate Roles.");
@@ -73,6 +76,13 @@ public class AccessTokenValidator {
 		log.debug("Role matched - {}", roleMatches);
 		if(roleMatches) {
 			log.info("Role matched for userId - {}", userId);
+			boolean isAdmin = roles.stream().anyMatch(x -> "admin".contains(x.toLowerCase()));
+			if(isAdmin) {
+				List<String> adminEndpoints = Arrays.asList(adminAllowedEndpoints.split(","));
+				if(!adminEndpoints.contains(uri)) {
+					return Constants.Parameters.UNAUTHORIZED;
+				}
+			}
 			return userId;
 		}
 		return Constants.Parameters.UNAUTHORIZED;

--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -107,5 +107,6 @@ spring.redis.host=localhost
 spring.redis.port=6379
 #spring.redis.password=mypass
 spring.redis.timeout=60000
-user.redis.hash.key=1
-user.roles=admin_superadmin,exams_admin,exams_institute,exams_student
\ No newline at end of file
+user.redis.hash.key=USER
+user.roles=admin_superadmin,exams_admin,exams_institute,exams_student
+admin.allowed.endpoints=/payment
\ No newline at end of file