Fix authz 500 Internal Server error when not authorized; DataPackageManager: Change exception from 401 Unauthorized to 403 Forbidden in DataPackageManagerResource (#165)

Author: servilla

DataPackageManager/src/edu/lternet/pasta/datapackagemanager/DataPackageManager.java

@@ -28,6 +28,7 @@
 import edu.lternet.pasta.common.eml.DataPackage.DataDescendant;
 import edu.lternet.pasta.common.eml.DataPackage.DataSource;
 import edu.lternet.pasta.common.eml.EMLParser;
+import edu.lternet.pasta.common.security.access.ForbiddenException;
 import edu.lternet.pasta.common.security.access.UnauthorizedException;
 import edu.lternet.pasta.common.security.authorization.AccessMatrix;
 import edu.lternet.pasta.common.security.authorization.Rule;
@@ -1675,11 +1676,13 @@ public Integer getOldestRevision(String scope, Integer identifier)
 	 * @param permission
 	 *          The requested permission for accessing the resource (e.g., READ).
 	 * @return The boolean result of the request.
-	 * @throws IllegalArgumentException, UnauthorizedException
+	 * @throws IllegalArgumentException, ForbiddenException
 	 */
-	public Boolean isAuthorized(AuthToken authToken, String resourceId,
-	    Rule.Permission permission) throws IllegalArgumentException,
-	    UnauthorizedException {
+	public Boolean isAuthorized(
+            AuthToken authToken,
+            String resourceId,
+            Rule.Permission permission
+    ) throws IllegalArgumentException, ForbiddenException {
 
 		Boolean isAuthorized = null;
 		DataPackageRegistry dpr = null;
@@ -1692,34 +1695,21 @@ public Boolean isAuthorized(AuthToken authToken, String resourceId,
 
     try {
 	    dpr = new DataPackageRegistry(dbDriver, dbURL, dbUser, dbPassword);
-    } catch (ClassNotFoundException e) {
+    } catch (ClassNotFoundException | SQLException e) {
 	    logger.error(e.getMessage());
-	    e.printStackTrace();
-    } catch (SQLException e) {
-	    logger.error(e.getMessage());
-	    e.printStackTrace();
     }
-    
-		Authorizer authorizer = new Authorizer(dpr);
-		try {
-	    isAuthorized = authorizer.isAuthorized(authToken, resourceId, permission);
-	    
-			if (!isAuthorized) {
-				String gripe = "User \"" + userId + "\" is not authorized to "
-				    + permission + " this " + resourceId + " resource!";
-				throw new UnauthorizedException(gripe);
-			}
-	    
-    } catch (ClassNotFoundException e) {
-	    logger.error(e.getMessage());
-	    e.printStackTrace();
-    } catch (SQLException e) {
+
+    Authorizer authorizer = new Authorizer(dpr);
+    try {
+        isAuthorized = authorizer.isAuthorized(authToken, resourceId, permission);
+        if (!isAuthorized) {
+            String msg = String.format("User %s is not authorized at the requested level to %s", userId, resourceId);
+            throw new ForbiddenException(msg);
+        }
+    } catch (ClassNotFoundException | SQLException e) {
 	    logger.error(e.getMessage());
-	    e.printStackTrace();
     }
-		
-		return isAuthorized;
-		
+        return isAuthorized;
 	}
 
 

DataPackageManager/src/edu/lternet/pasta/datapackagemanager/DataPackageManagerResource.java

@@ -30,6 +30,7 @@
 import edu.lternet.pasta.common.audit.AuditRecord;
 import edu.lternet.pasta.common.eml.DataPackage;
 import edu.lternet.pasta.common.eml.EMLParser;
+import edu.lternet.pasta.common.security.access.ForbiddenException;
 import edu.lternet.pasta.common.security.access.UnauthorizedException;
 import edu.lternet.pasta.common.security.authorization.AccessMatrix;
 import edu.lternet.pasta.common.security.authorization.InvalidPermissionException;
@@ -1997,12 +1998,10 @@ public Response appendProvenance(@Context HttpHeaders headers,
 		 }
 		 */
 
-		/**
-		 * <strong>Is Authorized</strong> (to <em>READ</em> resource) operation,
-		 * determines whether the user as defined in the authentication token has
-		 * permission to access the specified data package resource. Allowed permissions
-         * are "read", "write", or "changePermission" and must be verbatim.
-		 *
+        /**
+         * <strong>Is Authorized</strong> operation, determines whether the user as, defined in the
+         * authentication token, has the provided permission (read, write, or changePermission) on the
+         * specified data package resource.		 *
 		 * <h4>Requests:</h4>
 		 * <table border="1" cellspacing="0" cellpadding="3">
 		 * <tr>
@@ -2097,6 +2096,7 @@ public Response isAuthorized (
         ) {
 
 		AuthToken authToken = null;
+
 		String entryText = String.format("/package/authz?resourceId=%s&permission=%s", resourceId, permission);
 		ResponseBuilder responseBuilder = null;
 		Response response = null;
@@ -2107,37 +2107,32 @@ public Response isAuthorized (
 		authToken = getAuthToken(headers);
 		String userId = authToken.getUserId();
 
-		// Is user authorized to run the service method?
-		boolean serviceMethodAuthorized =
-				isServiceMethodAuthorized(serviceMethodName, servicePermission, authToken);
-		if (!serviceMethodAuthorized) {
-			throw new UnauthorizedException(
-					"User " + userId + " is not authorized to execute service method " +
-							serviceMethodName);
-		}
-
 		try {
+            // Is user authorized to run the service method?
+            boolean serviceMethodAuthorized = isServiceMethodAuthorized(serviceMethodName, servicePermission, authToken);
+            if (!serviceMethodAuthorized) {
+                String msg = String.format("User %s is not authorized to execute service method %s", userId, serviceMethodName);
+                throw new ForbiddenException(msg);
+            }
 
 			DataPackageManager dpm = new DataPackageManager();
-			Boolean isAuthorized = dpm.isAuthorized(authToken, resourceId, resourcePermission);
+			dpm.isAuthorized(authToken, resourceId, resourcePermission);
 
-			if (isAuthorized != null && isAuthorized) {
-				responseBuilder = Response.ok(resourceId);
-				response = responseBuilder.build();
-			}
+            responseBuilder = Response.ok(resourceId);
+            response = responseBuilder.build();
 		} catch (IllegalArgumentException e) {
 			entryText = e.getMessage();
 			response = WebExceptionFactory.makeBadRequest(e).getResponse();
 		} catch (UnauthorizedException e) {
 			entryText = e.getMessage();
 			response = WebExceptionFactory.makeUnauthorized(e).getResponse();
+        } catch (ForbiddenException e) {
+            entryText = e.getMessage();
+            response = WebExceptionFactory.makeForbidden(e).getResponse();
 		} catch (ResourceNotFoundException e) {
 			entryText = e.getMessage();
 			response = WebExceptionFactory.makeNotFound(e).getResponse();
-		} catch (ResourceDeletedException e) {
-			entryText = e.getMessage();
-			response = WebExceptionFactory.makeConflict(e).getResponse();
-		} catch (ResourceExistsException e) {
+		} catch (ResourceDeletedException | ResourceExistsException e) {
 			entryText = e.getMessage();
 			response = WebExceptionFactory.makeConflict(e).getResponse();
 		} catch (UserErrorException e) {