Restcomm 1645

restcomm/restcomm.application/src/main/webapp/WEB-INF/web.xml

@@ -64,7 +64,7 @@
     <security-constraint>
         <web-resource-collection>
             <web-resource-name>restAPI</web-resource-name>
-            <url-pattern>/2012-04-24/Profiles/*</url-pattern>
+            <url-pattern>/2012-04-24/*</url-pattern>
         </web-resource-collection>
     </security-constraint> 
     <login-config>

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/AccountsEndpoint.java

@@ -179,7 +179,6 @@ public LinkHeader composeLink(Sid targetSid, UriInfo info) {
     }
 
     protected Response getAccount(final String accountSid, final MediaType responseType, UriInfo info) {
-        checkAuthenticatedAccount();
         //First check if the account has the required permissions in general, this way we can fail fast and avoid expensive DAO operations
         Account account = null;
         checkPermission("RestComm:Read:Accounts");
@@ -347,7 +346,6 @@ private void removeIncomingPhoneNumbers(Sid accountSid, IncomingPhoneNumbersDao
 
 
     protected Response getAccounts(final UriInfo info, final MediaType responseType) {
-        checkAuthenticatedAccount();
         //First check if the account has the required permissions in general, this way we can fail fast and avoid expensive DAO operations
         checkPermission("RestComm:Read:Accounts");
         final Account account = userIdentityContext.getEffectiveAccount();
@@ -389,7 +387,6 @@ protected Response getAccounts(final UriInfo info, final MediaType responseType)
     }
 
     protected Response putAccount(final MultivaluedMap<String, String> data, final MediaType responseType) {
-        checkAuthenticatedAccount();
         //First check if the account has the required permissions in general, this way we can fail fast and avoid expensive DAO operations
         checkPermission("RestComm:Create:Accounts");
         // check account level depth. If we're already at third level no sub-accounts are allowed to be created
@@ -561,7 +558,6 @@ private Account prepareAccountForUpdate(final Account account, final Multivalued
 
     protected Response updateAccount(final String identifier, final MultivaluedMap<String, String> data,
             final MediaType responseType) {
-        checkAuthenticatedAccount();
         // First check if the account has the required permissions in general, this way we can fail fast and avoid expensive DAO
         // operations
         checkPermission("RestComm:Modify:Accounts");
@@ -666,11 +662,6 @@ private Organization getOrganization(final MultivaluedMap<String, String> data)
     protected Response migrateAccountOrganization(final String identifier, final MultivaluedMap<String, String> data,
                                               final MediaType responseType) {
 
-        //Validation 1 - Only SuperAdmin is allowed to migrate organization for an Account
-        if (!isSuperAdmin()) {
-            throw new InsufficientPermission();
-        }
-
         Organization organization = getOrganization(data);
         //Validation 2 - Check if data contains Organization (either SID or domain name)
         if (organization == null) {

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/AccountsJsonEndpoint.java

@@ -21,7 +21,9 @@
 
 import static javax.ws.rs.core.MediaType.APPLICATION_FORM_URLENCODED;
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
 import javax.ws.rs.OPTIONS;
@@ -101,6 +103,7 @@ public Response updateAccountAsJsonPut(@PathParam("accountSid") final String acc
     @Path("/migrate/{accountSid}")
     @Consumes(APPLICATION_FORM_URLENCODED)
     @POST
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response migrateAccount(@PathParam("accountSid") final String accountSid, final MultivaluedMap<String, String> data) {
         return migrateAccountOrganization(accountSid, data, APPLICATION_JSON_TYPE);
     }

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/AccountsXmlEndpoint.java

@@ -34,6 +34,9 @@
 
 import static javax.ws.rs.core.MediaType.APPLICATION_FORM_URLENCODED;
 import static javax.ws.rs.core.MediaType.APPLICATION_XML_TYPE;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
+
+import javax.annotation.security.RolesAllowed;
 
 /**
  * @author quintana.thomas@gmail.com (Thomas Quintana)
@@ -92,6 +95,7 @@ public Response updateAccountAsXmlPut(@PathParam("accountSid") final String acco
     @Path("/migrate/{accountSid}")
     @Consumes(APPLICATION_FORM_URLENCODED)
     @POST
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response migrateAccount(@PathParam("accoutSid") final String accountSid, final MultivaluedMap<String, String> data) {
         return migrateAccountOrganization(accountSid, data, APPLICATION_XML_TYPE);
     }

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/ExtensionsConfigurationEndpoint.java

@@ -33,7 +33,6 @@
 import org.restcomm.connect.extension.api.ExtensionConfiguration;
 import org.restcomm.connect.http.converter.ExtensionConfigurationConverter;
 import org.restcomm.connect.http.converter.RestCommResponseConverter;
-import org.restcomm.connect.http.exceptions.InsufficientPermission;
 
 import javax.annotation.PostConstruct;
 import javax.ws.rs.core.MediaType;
@@ -78,8 +77,6 @@ void init() {
         xstream.registerConverter(converter);
         xstream.registerConverter(new ExtensionConfigurationConverter(configuration));
         xstream.registerConverter(new RestCommResponseConverter(configuration));
-        // Make sure there is an authenticated account present when this endpoint is used
-        checkAuthenticatedAccount();
     }
 
     /**
@@ -90,9 +87,6 @@ void init() {
      */
     protected Response getConfiguration(final String extensionId, final Sid accountSid, final MediaType responseType) {
         //Parameter "extensionId" could be the extension Sid or extension name.
-        if (!isSuperAdmin()) {
-            throw new InsufficientPermission();
-        }
 
         ExtensionConfiguration extensionConfiguration = null;
         ExtensionConfiguration extensionAccountConfiguration = null;
@@ -173,9 +167,6 @@ private ExtensionConfiguration createFrom(final MultivaluedMap<String, String> d
     }
 
     protected Response postConfiguration(final MultivaluedMap<String, String> data, final MediaType responseType) {
-        if (!isSuperAdmin()) {
-            throw new InsufficientPermission();
-        }
 
         Sid accountSid = null;
 
@@ -221,9 +212,6 @@ protected Response postConfiguration(final MultivaluedMap<String, String> data,
     }
 
     protected Response updateConfiguration(String extensionSid, MultivaluedMap<String, String> data, MediaType responseType) {
-        if (!isSuperAdmin()) {
-            throw new InsufficientPermission();
-        }
 
         if (!Sid.pattern.matcher(extensionSid).matches()) {
             return status(BAD_REQUEST).build();

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/ExtensionsConfigurationJsonEndpoint.java

@@ -30,11 +30,15 @@
 import org.restcomm.connect.commons.dao.Sid;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
+
+import javax.annotation.security.RolesAllowed;
 
 /**
  * Created by gvagenas on 12/10/2016.
  */
 @Path("/ExtensionsConfiguration.json")
+@RolesAllowed(SUPER_ADMIN_ROLE)
 public class ExtensionsConfigurationJsonEndpoint extends ExtensionsConfigurationEndpoint {
 
     @Path("/{extensionId}")

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/ExtensionsConfigurationXmlEndpoint.java

@@ -34,8 +34,12 @@
 import org.restcomm.connect.commons.dao.Sid;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_XML_TYPE;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
+
+import javax.annotation.security.RolesAllowed;
 
 @Path("/ExtensionsConfiguration")
+@RolesAllowed(SUPER_ADMIN_ROLE)
 public class ExtensionsConfigurationXmlEndpoint extends ExtensionsConfigurationEndpoint {
 
     @Path("/{extensionId}")

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/GatewaysEndpoint.java

@@ -92,10 +92,6 @@ private Gateway createFrom(final MultivaluedMap<String, String> data) {
     }
 
     protected Response getGateway(final String accountSid, final String sid, final MediaType responseType) {
-        //following 2 things are enough to grant access: 1. a valid authentication token is present. 2 it is a super admin.
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-//        secure(accountsDao.getAccount(accountSid), "RestComm:Read:Gateways");
         final Gateway gateway = dao.getGateway(new Sid(sid));
         if (gateway == null) {
             return status(NOT_FOUND).build();
@@ -112,10 +108,6 @@ protected Response getGateway(final String accountSid, final String sid, final M
     }
 
     protected Response getGateways(final String accountSid, final MediaType responseType) {
-        //following 2 things are enough to grant access: 1. a valid authentication token is present. 2 it is a super admin.
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-//        secure(accountsDao.getAccount(accountSid), "RestComm:Read:Gateways");
         final List<Gateway> gateways = dao.getGateways();
         if (APPLICATION_XML_TYPE == responseType) {
             final RestCommResponse response = new RestCommResponse(new GatewayList(gateways));
@@ -128,10 +120,7 @@ protected Response getGateways(final String accountSid, final MediaType response
     }
 
     protected Response putGateway(final String accountSid, final MultivaluedMap<String, String> data, final MediaType responseType) {
-        //following 2 things are enough to grant access: 1. a valid authentication token is present. 2 it is a super admin.
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-//        secure(accountsDao.getAccount(accountSid), "RestComm:Create:Gateways");
+
         try {
             validate(data);
         } catch (final RuntimeException exception) {
@@ -154,10 +143,7 @@ protected Response putGateway(final String accountSid, final MultivaluedMap<Stri
     }
 
     protected Response updateGateway(final String accountSid, final String sid, final MultivaluedMap<String, String> data, final MediaType responseType) {
-        //following 2 things are enough to grant access: 1. a valid authentication token is present. 2 it is a super admin.
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-//        secure(accountsDao.getAccount(accountSid), "RestComm:Modify:Gateways");
+
         Gateway gateway = dao.getGateway(new Sid(sid));
         if (gateway == null) {
             return status(NOT_FOUND).build();

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/GatewaysJsonEndpoint.java

@@ -20,7 +20,9 @@
 package org.restcomm.connect.http;
 
 import static javax.ws.rs.core.MediaType.*;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
@@ -35,6 +37,7 @@
  */
 @Path("/Accounts/{accountSid}/Management/Gateways.json")
 @ThreadSafe
+@RolesAllowed(SUPER_ADMIN_ROLE)
 public class GatewaysJsonEndpoint extends GatewaysEndpoint {
     public GatewaysJsonEndpoint() {
         super();

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/GatewaysXmlEndpoint.java

@@ -21,7 +21,9 @@
 
 import static javax.ws.rs.core.MediaType.*;
 import static javax.ws.rs.core.Response.*;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -39,6 +41,7 @@
  */
 @Path("/Accounts/{accountSid}/Management/Gateways")
 @ThreadSafe
+@RolesAllowed(SUPER_ADMIN_ROLE)
 public final class GatewaysXmlEndpoint extends GatewaysEndpoint {
     public GatewaysXmlEndpoint() {
         super();

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/IncomingPhoneNumbersEndpoint.java

@@ -660,7 +660,6 @@ public static org.restcomm.connect.provisioning.number.api.PhoneNumber convertIn
     protected Response migrateIncomingPhoneNumbers(String targetAccountSid, MultivaluedMap<String, String> data, MediaType responseType) {
         Account effectiveAccount = userIdentityContext.getEffectiveAccount();
         secure(effectiveAccount, "RestComm:Modify:IncomingPhoneNumbers");
-        allowOnlySuperAdmin();
         try{
             Account targetAccount = accountsDao.getAccount(targetAccountSid);
             // this is to avoid if mistakenly provided super admin account as targetAccountSid

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/IncomingPhoneNumbersXmlEndpoint.java

@@ -21,7 +21,9 @@
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE;
 import static javax.ws.rs.core.MediaType.APPLICATION_XML_TYPE;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -212,13 +214,15 @@ public Response putIncomingMobilePhoneNumberAsJSon(@PathParam("accountSid") fina
 
     @Path("/migrate")
     @POST
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response migrateIncomingPhoneNumbersAsXml(@PathParam("accountSid") final String accountSid,
             final MultivaluedMap<String, String> data) {
         return migrateIncomingPhoneNumbers(accountSid, data, APPLICATION_XML_TYPE);
     }
 
     @Path("/migrate.json")
     @POST
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response migrateIncomingPhoneNumbersAsJson(@PathParam("accountSid") final String accountSid,
             final MultivaluedMap<String, String> data) {
         return migrateIncomingPhoneNumbers(accountSid, data, APPLICATION_JSON_TYPE);

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/OrganizationsEndpoint.java

@@ -141,7 +141,6 @@ public LinkHeader composeLink(Sid targetSid, UriInfo info) {
      */
     protected Response getOrganization(final String organizationSid, final MediaType responseType,
              UriInfo info) {
-        checkAuthenticatedAccount();
         //First check if the account has the required permissions in general, this way we can fail fast and avoid expensive DAO operations
         checkPermission("RestComm:Read:Organizations");
         Organization organization = null;
@@ -191,9 +190,6 @@ protected Response getOrganization(final String organizationSid, final MediaType
      * @return
      */
     protected Response getOrganizations(UriInfo info, final MediaType responseType) {
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-
         List<Organization> organizations = null;
 
         String status = info.getQueryParameters().getFirst("Status");
@@ -228,8 +224,6 @@ protected Response putOrganization(String domainName, final UriInfo info,
         if(domainName == null){
             return status(BAD_REQUEST).entity(MSG_EMPTY_DOMAIN_NAME ).build();
         }else{
-            checkAuthenticatedAccount();
-            allowOnlySuperAdmin();
 
             //Character verification
             if(!pattern.matcher(domainName).matches()){

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/OrganizationsJsonEndpoint.java

@@ -20,7 +20,9 @@
 package org.restcomm.connect.http;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.GET;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -49,12 +51,14 @@ public Response getOrganizationAsJson(@PathParam("organizationSid") final String
     }
 
     @GET
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response getOrganizations(@Context UriInfo info) {
         return getOrganizations(info, APPLICATION_JSON_TYPE);
     }
 
     @Path("/{domainName}")
     @PUT
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response putOrganizationPut(@PathParam("domainName") final String domainName, @Context UriInfo info) {
         return putOrganization(domainName, info, APPLICATION_JSON_TYPE);
     }

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/OrganizationsXmlEndpoint.java

@@ -20,7 +20,9 @@
 package org.restcomm.connect.http;
 
 import static javax.ws.rs.core.MediaType.APPLICATION_XML_TYPE;
+import static org.restcomm.connect.http.security.AccountPrincipal.SUPER_ADMIN_ROLE;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.GET;
 import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
@@ -36,6 +38,7 @@
  */
 @Path("/Organizations")
 @ThreadSafe
+@RolesAllowed(SUPER_ADMIN_ROLE)
 public final class OrganizationsXmlEndpoint extends OrganizationsEndpoint {
     public OrganizationsXmlEndpoint() {
         super();
@@ -49,12 +52,14 @@ public Response getOrganizationAsXml(@PathParam("organizationSid") final String
     }
 
     @GET
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response getOrganizations(@Context UriInfo info) {
         return getOrganizations(info, APPLICATION_XML_TYPE);
     }
 
     @Path("/{domainName}")
     @PUT
+    @RolesAllowed(SUPER_ADMIN_ROLE)
     public Response putOrganizationPut(@PathParam("domainName") final String domainName, @Context UriInfo info) {
         return putOrganization(domainName, info, APPLICATION_XML_TYPE);
     }

restcomm/restcomm.http/src/main/java/org/restcomm/connect/http/OutboundProxyEndpoint.java

@@ -89,10 +89,6 @@ public void init() {
     }
 
     protected Response getProxies(final String accountSid, final MediaType responseType) {
-        //following 2 things are enough to grant access: 1. a valid authentication token is present. 2 it is a super admin.
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-//        secure(accountsDao.getAccount(accountSid), "RestComm:Read:OutboundProxies");
 
         Map<String, String> proxies;
 
@@ -115,10 +111,6 @@ protected Response getProxies(final String accountSid, final MediaType responseT
     }
 
     protected Response switchProxy(final String accountSid, final MediaType responseType) {
-        //following 2 things are enough to grant access: 1. a valid authentication token is present. 2 it is a super admin.
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-//        secure(accountsDao.getAccount(accountSid), "RestComm:Read:OutboundProxies");
 
         Map<String, String> proxyAfterSwitch;
 
@@ -141,10 +133,6 @@ protected Response switchProxy(final String accountSid, final MediaType response
     }
 
     protected Response getActiveProxy(final String accountSid, final MediaType responseType) {
-        //following 2 things are enough to grant access: 1. a valid authentication token is present. 2 it is a super admin.
-        checkAuthenticatedAccount();
-        allowOnlySuperAdmin();
-//        secure(accountsDao.getAccount(accountSid), "RestComm:Read:OutboundProxies");
 
         Map<String, String> activeProxy;