Merge pull request #10 from Graylog2/opt-out-extension

Secure opt-out JAX-RS resource

Author: joschi

src/main/java/org/graylog/plugins/usagestatistics/UsageStatsOptOutResource.java

@@ -29,15 +29,21 @@
 import javax.validation.constraints.NotNull;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
+import javax.ws.rs.NotFoundException;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 
+import static org.graylog2.shared.security.RestPermissions.CLUSTER_CONFIG_ENTRY_CREATE;
+import static org.graylog2.shared.security.RestPermissions.CLUSTER_CONFIG_ENTRY_READ;
+
 @RequiresAuthentication
 @Api(value = "Usage Statistics Opt-Out", description = "Anonymous usage statistics opt-out state of this Graylog setup")
 @Path("/opt-out")
 public class UsageStatsOptOutResource extends RestResource implements PluginRestResource {
+    private static final String CLUSTER_CONFIG_INSTANCE = UsageStatsOptOutState.class.getCanonicalName();
+
     private final UsageStatsOptOutService usageStatsOptOutService;
 
     @Inject
@@ -50,10 +56,19 @@ public UsageStatsOptOutResource(UsageStatsOptOutService usageStatsOptOutService)
     @Timed
     @ApiOperation(value = "Get opt-out status")
     @ApiResponses(value = {
+            @ApiResponse(code = 404, message = "Opt-out status does not exist"),
             @ApiResponse(code = 500, message = "Internal Server Error")
     })
     public UsageStatsOptOutState getOptOutState() {
-        return usageStatsOptOutService.getOptOutState();
+        checkPermission(CLUSTER_CONFIG_ENTRY_READ, CLUSTER_CONFIG_INSTANCE);
+
+        final UsageStatsOptOutState optOutState = usageStatsOptOutService.getOptOutState();
+
+        if (optOutState == null) {
+            throw new NotFoundException();
+        }
+
+        return optOutState;
     }
 
     @POST
@@ -66,6 +81,8 @@ public UsageStatsOptOutState getOptOutState() {
             @ApiResponse(code = 500, message = "Internal Server Error")
     })
     public void setOptOutState(@Valid @NotNull UsageStatsOptOutState optOutState) {
+        checkPermission(CLUSTER_CONFIG_ENTRY_CREATE, CLUSTER_CONFIG_INSTANCE);
+
         usageStatsOptOutService.setOptOutState(optOutState);
     }
 }

src/main/java/org/graylog/plugins/usagestatistics/UsageStatsOptOutService.java

@@ -60,8 +60,9 @@ public UsageStatsOptOutService(ClusterConfigService clusterConfigService,
         this.objectMapper = objectMapper;
     }
 
+    @Nullable
     public UsageStatsOptOutState getOptOutState() {
-        return clusterConfigService.getOrDefault(UsageStatsOptOutState.class, UsageStatsOptOutState.create(false));
+        return clusterConfigService.get(UsageStatsOptOutState.class);
     }
 
     public void setOptOutState(final UsageStatsOptOutState optOutState) {

src/test/java/org/graylog/plugins/usagestatistics/UsageStatsOptOutServiceTest.java

@@ -84,7 +84,7 @@ public void tearDown() throws Exception {
     @Test
     public void testGetOptOutState() throws Exception {
         clusterConfigService.clear();
-        assertThat(optOutService.getOptOutState().isOptOut()).isFalse();
+        assertThat(optOutService.getOptOutState()).isNull();
 
         clusterConfigService.write(UsageStatsOptOutState.create(false));
         assertThat(optOutService.getOptOutState().isOptOut()).isFalse();