Merge branch 'develop' of https://github.com/Cumulocity-IoT/cumulocit…

…y-dynamic-mapper into develop merge animated
Cumulocity-IoT · Jan 15, 2025 · 09a7354 · 09a7354
2 parents d83c32a + e71949b
commit 09a7354
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/...mic-mapping-service/src/main/java/dynamic/mapping/controller/HttpConnectorController.java b/...mic-mapping-service/src/main/java/dynamic/mapping/controller/HttpConnectorController.java
@@ -24,6 +24,9 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+
+import com.cumulocity.microservice.context.credentials.Credentials;
+import com.cumulocity.microservice.security.service.SecurityUserDetails;
 import jakarta.servlet.http.HttpServletRequest;
 import dynamic.mapping.configuration.ConnectorConfigurationComponent;
 import dynamic.mapping.configuration.ServiceConfigurationComponent;
@@ -32,12 +35,17 @@
 import dynamic.mapping.connector.core.registry.ConnectorRegistryException;
 import dynamic.mapping.connector.http.HttpClient;
 import dynamic.mapping.core.*;
+import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
@@ -87,7 +95,7 @@ public class HttpConnectorController {
     private String mappingCreateRole;
 
     @Value("${APP.mappingHttpConnectorRole}")
-    public String mappingHttpConnectorRole;
+    private String mappingHttpConnectorRole;
 
     @RequestMapping(value = { "/httpConnector",
             "/httpConnector/**" }, method = { RequestMethod.POST, RequestMethod.PUT }, consumes = MediaType.ALL_VALUE)
@@ -126,6 +134,18 @@ public ResponseEntity<?> processGenericMessage(HttpServletRequest request) {
         }
     }
 
+    @ExceptionHandler(value = {AccessDeniedException.class})
+    public void handleAccessDeniedException(HttpServletRequest request, HttpServletResponse response,
+                                            AccessDeniedException accessDeniedException) throws IOException {
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        SecurityUserDetails securityUserDetails = ((SecurityUserDetails)auth.getPrincipal());
+
+        String tenant = securityUserDetails.getTenant();
+        String user = securityUserDetails.getUsername();
+        log.warn("Tenant {} - User {} tried to access HTTPConnectorEndpoint but does not have the required '{}' role", tenant, user, this.mappingHttpConnectorRole);
+        response.sendError(403, "Authenticated user does not have the required role: " + this.mappingHttpConnectorRole);
+    }
+
     private byte[] readBody(HttpServletRequest request) throws IOException {
         try (InputStream inputStream = request.getInputStream();
                 ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {