From b99ddf02bdb7151fe97c6f6c1324dbbdc6596e77 Mon Sep 17 00:00:00 2001 From: Kevin McAnoy Date: Mon, 16 Aug 2021 14:43:39 -0700 Subject: [PATCH] Location (#163) * apache license * change location of post to uuid. cleanup --- .../lodestar/resource/EngagementResource.java | 27 +++++++++++-------- .../lodestar/service/EngagementService.java | 11 ++++---- .../redhat/labs/lodestar/util/JWTUtils.java | 2 +- src/main/resources/application.properties | 4 ++- src/test/resources/application.properties | 1 + 5 files changed, 26 insertions(+), 19 deletions(-) diff --git a/src/main/java/com/redhat/labs/lodestar/resource/EngagementResource.java b/src/main/java/com/redhat/labs/lodestar/resource/EngagementResource.java index dfe5d3f9..eb7c798e 100644 --- a/src/main/java/com/redhat/labs/lodestar/resource/EngagementResource.java +++ b/src/main/java/com/redhat/labs/lodestar/resource/EngagementResource.java @@ -302,6 +302,7 @@ public Response uniqueSubdomain(@PathParam("subdomain") String subdomain) { @POST @SecurityRequirement(name = "jwt", scopes = {}) @APIResponses(value = { @APIResponse(responseCode = "401", description = "Missing or Invalid JWT"), + @APIResponse(responseCode = "403", description = "Not authorized for engagement type"), @APIResponse(responseCode = "409", description = "Engagement resource already exists"), @APIResponse(responseCode = "201", description = "Engagement stored in database") }) @Operation(summary = "Creates the engagement resource in the database.") @@ -311,8 +312,7 @@ public Response post(@Valid Engagement engagement, @Context UriInfo uriInfo) { boolean writer = jwtUtils.isAllowedToWriteEngagement(jwt, configService.getPermission(engagement.getType())); if(!writer) { - String message = String.format("{\"message\": \"You cannot modify %s engagements\"}", engagement.getType()); - return Response.status(403).entity(message).build(); + return forbiddenResponse(engagement.getType()); } // pull user info from token 
@@ -324,7 +324,7 @@ public Response post(@Valid Engagement engagement, @Context UriInfo uriInfo) { // build location response UriBuilder builder = uriInfo.getAbsolutePathBuilder(); - builder.path("/customers/" + created.getCustomerName() + "/projects/" + created.getProjectName()); + builder.path("/" + engagement.getUuid()); return Response.created(builder.build()).entity(created).build(); } @@ -338,6 +338,7 @@ public Response post(@Valid Engagement engagement, @Context UriInfo uriInfo) { @SecurityRequirement(name = "jwt", scopes = {}) @Path("/customers/{customerName}/projects/{projectName}") @APIResponses(value = { @APIResponse(responseCode = "401", description = "Missing or Invalid JWT"), + @APIResponse(responseCode = "403", description = "Not authorized for engagement type"), @APIResponse(responseCode = "404", description = "Engagement resource not found to update"), @APIResponse(responseCode = "200", description = "Engagement updated in the database") }) @Operation(deprecated = true, summary = "Updates the engagement resource in the database.") @@ -348,8 +349,7 @@ public Response put(@PathParam("customerName") String customerName, @PathParam(" boolean writer = jwtUtils.isAllowedToWriteEngagement(jwt, configService.getPermission(engagement.getType())); if(!writer) { - String message = String.format("{\"message\": \"You cannot modify %s engagements\"}", engagement.getType()); - return Response.status(403).entity(message).build(); + return forbiddenResponse(engagement.getType()); } // pull user info from token 
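Review bot: The Location header on the new side is built from `engagement.getUuid()`, i.e. the request body, rather than from `created`, the object the service returned on the line above; if the uuid is assigned server-side (the `setUuids` endpoint later in this file suggests uuids are server-managed) the header points at `.../null`, or at whatever uuid the client happened to send, instead of the stored resource. Change the line to `builder.path("/" + created.getUuid());`, which also keeps the Location consistent with the entity returned in the 201 body. A short comment such as `// Location targets the uuid route; the customer/project path is deprecated` would explain why the path format changed. The enclosing `post` method starts outside this hunk.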
@@ -364,6 +364,7 @@ public Response put(@PathParam("customerName") String customerName, @PathParam(" @SecurityRequirement(name = "jwt", scopes = {}) @Path("/{id}") @APIResponses(value = { @APIResponse(responseCode = "401", description = "Missing or Invalid JWT"), + @APIResponse(responseCode = "403", description = "Not authorized for engagement type"), @APIResponse(responseCode = "404", description = "Engagement resource not found to update"), @APIResponse(responseCode = "200", description = "Engagement updated in the database") }) @Operation(summary = "Updates the engagement resource in the database.") @@ -373,8 +374,7 @@ public Response put(@PathParam("id") String uuid, @Valid Engagement engagement) boolean writer = jwtUtils.isAllowedToWriteEngagement(jwt, configService.getPermission(engagement.getType())); if(!writer) { - String message = String.format("{\"message\": \"You cannot modify %s engagements\"}", engagement.getType()); - return Response.status(403).entity(message).build(); + return forbiddenResponse(engagement.getType()); } // pull user info from token @@ -389,6 +389,7 @@ public Response put(@PathParam("id") String uuid, @Valid Engagement engagement) @Path("/launch") @SecurityRequirement(name = "jwt", scopes = {}) @APIResponses(value = { @APIResponse(responseCode = "401", description = "Missing or Invalid JWT"), + @APIResponse(responseCode = "403", description = "Not authorized for engagement type"), @APIResponse(responseCode = "200", description = "Launch data added to engagement resource and persisted to git") }) @Operation(summary = "Adds launch data to the engagement resource and immediately persists it to git.") @Counted(name = "engagement-put-launch-counted") 
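Review bot: The 403 decision in `put(@PathParam("id") String uuid, @Valid Engagement engagement)` is keyed on `engagement.getType()` taken from the request body, so the caller chooses which permission list is consulted; the stored engagement identified by `uuid` is never loaded here, unlike `delete` further down, which reads the type from `engagementService.getByUuid(...)` before checking. Unless `engagementService.update` rejects a body whose type differs from the persisted record (not visible in this hunk), a user with write rights on one type could overwrite, or re-type, an engagement of another. Authorize against the persisted type instead, e.g. `Engagement existing = engagementService.getByUuid(uuid, new FilterOptions());` followed by `configService.getPermission(existing.getType())`, and treat a type change as its own permission check. The deprecated customer/project `put` and `launch` follow the same body-driven pattern. The body of `put` continues outside the hunk.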
@@ -397,8 +398,7 @@ public Response launch(@Valid Engagement engagement) { boolean writer = jwtUtils.isAllowedToWriteEngagement(jwt, configService.getPermission(engagement.getType())); if(!writer) { - String message = String.format("{\"message\": \"You cannot modify %s engagements\"}", engagement.getType()); - return Response.status(403).entity(message).build(); + return forbiddenResponse(engagement.getType()); } // pull user info from token @@ -433,6 +433,7 @@ public Response setUuids() { @SecurityRequirement(name = "jwt", scopes = {}) @Path("/{id}") @APIResponses(value = { @APIResponse(responseCode = "401", description = "Missing or Invalid JWT"), + @APIResponse(responseCode = "403", description = "Not authorized for engagement type"), @APIResponse(responseCode = "404", description = "Engagement resource not found to delete"), @APIResponse(responseCode = "400", description = "Engagement resource has already been launched"), @APIResponse(responseCode = "202", description = "Engagement deleted in the database and sent to Git for processing") }) @@ -444,14 +445,18 @@ public Response delete(@PathParam("id") String uuid) { Engagement engagement = engagementService.getByUuid(uuid, new FilterOptions()); boolean writer = jwtUtils.isAllowedToWriteEngagement(jwt, configService.getPermission(engagement.getType())); if(!writer) { - String message = String.format("{\"message\": \"You cannot modify %s engagements\"}", engagement.getType()); - return Response.status(403).entity(message).build(); + return forbiddenResponse(engagement.getType()); } engagementService.deleteEngagement(uuid); return Response.accepted().build(); } + + private Response forbiddenResponse(String type) { + String message = String.format("{\"message\": \"You cannot modify %s engagements\"}", type); + return Response.status(403).entity(message).build(); + } private void setDefaultPagingFilterOptions(ListFilterOptions options) { 
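Review bot: The new `forbiddenResponse` helper builds its JSON body with `String.format` and interpolates `type` unescaped; for `post`, `put` and `launch` that value originates in the request body, so unless `type` is validated against a fixed set, a value containing a quote or backslash yields a malformed response body, which is also returned without an explicit media type. Build it with the JSON API already on the classpath: `Json.createObjectBuilder().add("message", "You cannot modify " + type + " engagements").build().toString()` and return `Response.status(Response.Status.FORBIDDEN).type(MediaType.APPLICATION_JSON).entity(body).build()`. In `delete`, the result of `engagementService.getByUuid(uuid, new FilterOptions())` feeds `engagement.getType()` straight into the permission lookup; if that call returns null for an unknown uuid rather than throwing, the request ends in a 500 instead of the documented 404 — worth confirming against the service. `setDefaultPagingFilterOptions` at the end of the hunk continues outside it.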
diff --git a/src/main/java/com/redhat/labs/lodestar/service/EngagementService.java b/src/main/java/com/redhat/labs/lodestar/service/EngagementService.java index 1e70a069..b921529c 100644 --- a/src/main/java/com/redhat/labs/lodestar/service/EngagementService.java +++ b/src/main/java/com/redhat/labs/lodestar/service/EngagementService.java @@ -4,7 +4,6 @@ import java.time.ZoneId; import java.time.ZonedDateTime; import java.util.EnumMap; -import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Optional; @@ -14,11 +13,8 @@ import javax.enterprise.context.ApplicationScoped; import javax.inject.Inject; -import javax.json.JsonArray; -import javax.json.JsonObject; import javax.json.bind.Jsonb; import javax.ws.rs.WebApplicationException; -import javax.ws.rs.core.Response; import org.apache.http.HttpStatus; import org.eclipse.microprofile.config.inject.ConfigProperty; @@ -71,6 +67,9 @@ public class EngagementService { @ConfigProperty(name = "commit.msg.filter.list", defaultValue = "not.set") List commitFilteredMessages; + + @ConfigProperty(name = "v2.enabled") + boolean v2Enabled; @Inject Jsonb jsonb; @@ -233,11 +232,11 @@ public Engagement update(Engagement engagement) { String message = String.format("%s,%s,%s", engagement.getUuid(), engagement.getLastUpdateByEmail(), engagement.getLastUpdateByName()); - if(commitMessageContains(copy, "engagement_users")) { + if(v2Enabled && commitMessageContains(copy, "engagement_users")) { eventBus.sendAndForget(EventType.UPDATE_PARTICIPANTS_EVENT_ADDESS, message); } - if(commitMessageContains(copy, "artifacts")) { + if(v2Enabled && commitMessageContains(copy, "artifacts")) { eventBus.sendAndForget(EventType.UPDATE_ARTIFACTS_EVENT_ADDRESS, message); } diff --git a/src/main/java/com/redhat/labs/lodestar/util/JWTUtils.java b/src/main/java/com/redhat/labs/lodestar/util/JWTUtils.java index ad55bcbf..a4791508 100644 --- a/src/main/java/com/redhat/labs/lodestar/util/JWTUtils.java 
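Review bot: `@ConfigProperty(name = "v2.enabled") boolean v2Enabled;` carries no `defaultValue`, so injection fails at startup whenever the property is absent; the main and test `application.properties` in this commit do define it, but the fail-closed default exists only in the `${V2_ENABLED:false}` expansion. Add `defaultValue = "false"` to the annotation so the code itself documents that the v2 event publishing is off unless explicitly enabled, plus a comment such as `// gates the participant/artifact update events sent from update()` above the field. The class body continues outside the hunk.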
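Review bot: The feature flag is tested twice, once in each `if` as `v2Enabled && commitMessageContains(...)`, which is easy to forget when a third event type is added; wrapping both blocks in a single `if (v2Enabled) {` guard reads as one decision and keeps the gate in one place. Behaviour is unchanged only if `commitMessageContains` has no side effects, which this hunk does not show — confirm before restructuring. The enclosing `update` method starts and ends outside the hunk.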
+++ b/src/main/java/com/redhat/labs/lodestar/util/JWTUtils.java @@ -52,7 +52,7 @@ public String getUserEmailFromToken(JsonWebToken jwt) { } public boolean isAllowedToWriteEngagement(JsonWebToken jwt, List allowedGroups) { - return jwt.getGroups().stream().filter(allowedGroups::contains).findAny().isPresent(); + return jwt.getGroups().stream().anyMatch(allowedGroups::contains); } public Optional claimIsValid(JsonWebToken jwt, String claimName) { diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index f7eb6983..69f7344e 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -95,4 +95,6 @@ event.max.retries=${EVENT_MAX_RETRIES:-1} event.retry.delay.factor=${EVENT_RETRY_DELAY_FACTOR:2} event.retry.max.delay=${EVENT_RETRY_MAX_DELAY:60} # event get engagements per page setting -get.engagement.per.page=${EVENT_GET_PER_PAGE:20} \ No newline at end of file +get.engagement.per.page=${EVENT_GET_PER_PAGE:20} + +v2.enabled=${V2_ENABLED:false} \ No newline at end of file diff --git a/src/test/resources/application.properties b/src/test/resources/application.properties index 3ee72d40..2c83b86b 100644 --- a/src/test/resources/application.properties +++ b/src/test/resources/application.properties @@ -46,3 +46,4 @@ lodestar.status.api/mp-rest/url=http://lodestar-status:8080 commit.watch.files=engagement.json,participants.json,artifacts.json quarkus.cache.enabled=false +v2.enabled=false
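Review bot: `jwt.getGroups().stream().anyMatch(allowedGroups::contains)` is a clean simplification, but both operands remain unguarded: if the token carries no `groups` claim, `getGroups()` may return null depending on the MicroProfile JWT implementation, and if `configService.getPermission(type)` yields null for an unknown engagement type, `allowedGroups::contains` throws — either turns a denied request into a 500 instead of the 403 the resource methods document. Guard and fail closed: `Set<String> groups = jwt.getGroups(); return groups != null && allowedGroups != null && groups.stream().anyMatch(allowedGroups::contains);`. The parameter is also a raw `List`; declaring it `List<String> allowedGroups` would let the compiler check the `contains` target.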