4680: Added resource endpoint for limiting access to instant book interactive slide

Author: tuj

CHANGELOG.md

@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+- [#244](https://github.com/os2display/display-api-service/pull/244)
+  - Added resource endpoint for limiting access to instant book interactive slide.
 - [#243](https://github.com/os2display/display-api-service/pull/243)
   - Changed resource name in calendar api feed type resource selector.
 - [#242](https://github.com/os2display/display-api-service/pull/242)

src/InteractiveSlide/InstantBook.php

@@ -15,6 +15,7 @@
 use Psr\Cache\CacheItemInterface;
 use Psr\Cache\InvalidArgumentException;
 use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\ConflictHttpException;
 use Symfony\Component\HttpKernel\Exception\ServiceUnavailableHttpException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -36,6 +37,7 @@ class InstantBook implements InteractiveSlideInterface
     private const string SCOPE = 'https://graph.microsoft.com/.default';
     private const string GRANT_TYPE = 'password';
     private const string CACHE_PREFIX = 'MS-INSTANT-BOOK';
+    private const string CACHE_ALLOWED_RESOURCES_PREFIX = 'INSTANT-BOOK-ALLOWED-RESOURCES-';
     private const string CACHE_KEY_TOKEN_PREFIX = self::CACHE_PREFIX.'-TOKEN-';
     private const string CACHE_KEY_OPTIONS_PREFIX = self::CACHE_PREFIX.'-OPTIONS-';
     private const string CACHE_PREFIX_SPAM_PROTECT_PREFIX = self::CACHE_PREFIX.'-SPAM-PROTECT-';
@@ -75,6 +77,10 @@ public function getConfigOptions(): array
                 'required' => true,
                 'description' => 'The key in the KeyVault for the password of the user.',
             ],
+            'resourceEndpoint' => [
+                'required' => false,
+                'description' => 'The key in the KeyVault for the resources endpoint. This should supply a json list of resources that can be booked. The resources should have ResourceMail and allowInstantBooking ("True"/"False") properties set.',
+            ],
         ];
     }
 
@@ -83,7 +89,7 @@ public function performAction(UserInterface $user, Slide $slide, InteractionSlid
         return match ($interactionRequest->action) {
             self::ACTION_GET_QUICK_BOOK_OPTIONS => $this->getQuickBookOptions($slide, $interactionRequest),
             self::ACTION_QUICK_BOOK => $this->quickBook($slide, $interactionRequest),
-            default => throw new InteractiveSlideException('Action not allowed'),
+            default => throw new BadRequestHttpException('Action not allowed'),
         };
     }
 
@@ -98,7 +104,7 @@ private function authenticate(array $configuration): array
         $password = $this->keyValueService->getValue($configuration['password']);
 
         if (4 !== count(array_filter([$tenantId, $clientId, $username, $password]))) {
-            throw new \Exception('tenantId, clientId, username, password must all be set.');
+            throw new BadRequestHttpException('tenantId, clientId, username, password must all be set.');
         }
 
         $url = self::LOGIN_ENDPOINT.$tenantId.self::OAUTH_PATH;
@@ -124,7 +130,7 @@ private function getToken(Tenant $tenant, InteractiveSlide $interactive): string
         $configuration = $interactive->getConfiguration();
 
         if (null === $configuration) {
-            throw new \Exception('InteractiveNoConfiguration');
+            throw new BadRequestHttpException('Interactive no configuration');
         }
 
         return $this->interactiveSlideCache->get(
@@ -164,6 +170,9 @@ function (CacheItemInterface $item) use ($slide, $resource, $interactionRequest)
                     throw new \Exception('InteractiveNotFound');
                 }
 
+                // Optional limiting of available resources.
+                $this->checkPermission($interactive, $resource);
+
                 $feed = $slide->getFeed();
 
                 if (null === $feed) {
@@ -273,25 +282,28 @@ function (CacheItemInterface $item) use ($now): \DateTime {
         $interactive = $this->interactiveService->getInteractiveSlide($tenant, $interactionRequest->implementationClass);
 
         if (null === $interactive) {
-            throw new \Exception('InteractiveNotFound');
+            throw new BadRequestHttpException('Interactive not found');
         }
 
+        // Optional limiting of available resources.
+        $this->checkPermission($interactive, $resource);
+
         $feed = $slide->getFeed();
 
         if (null === $feed) {
-            throw new \Exception('Slide.feed not set.');
+            throw new BadRequestHttpException('Slide.feed not set.');
         }
 
         if (!in_array($resource, $feed->getConfiguration()['resources'] ?? [])) {
-            throw new \Exception('Resource not in feed resources');
+            throw new BadRequestHttpException('Resource not in feed resources');
         }
 
         $token = $this->getToken($tenant, $interactive);
 
         $configuration = $interactive->getConfiguration();
 
         if (null === $configuration) {
-            throw new \Exception('InteractiveNoConfiguration');
+            throw new BadRequestHttpException('InteractiveNoConfiguration');
         }
 
         $username = $this->keyValueService->getValue($configuration['username']);
@@ -411,13 +423,13 @@ private function getValueFromInterval(string $key, InteractionSlideRequest $inte
         $interval = $interactionRequest->data['interval'] ?? null;
 
         if (null === $interval) {
-            throw new \Exception('interval not set.');
+            throw new BadRequestHttpException('interval not set.');
         }
 
         $value = $interval[$key] ?? null;
 
         if (null === $value) {
-            throw new \Exception("interval.'.$key.' not set.");
+            throw new BadRequestHttpException("interval.'.$key.' not set.");
         }
 
         return $value;
@@ -431,4 +443,39 @@ private function getHeaders(string $token): array
             'Accept' => 'application/json',
         ];
     }
+
+    private function checkPermission(InteractiveSlide $interactive, string $resource): void
+    {
+        // Optional limiting of available resources.
+        if (!empty($interactive->getConfiguration()['resourceEndpoint'])) {
+            $allowedResources = $this->getAllowedResources($interactive);
+
+            if (!in_array($resource, $allowedResources)) {
+                throw new \Exception('Not allowed');
+            }
+        }
+    }
+
+    private function getAllowedResources(InteractiveSlide $interactive): array
+    {
+        return $this->interactiveSlideCache->get(self::CACHE_ALLOWED_RESOURCES_PREFIX . $interactive->getId(), function (CacheItemInterface $item) use ($interactive) {
+            $item->expiresAfter(60 * 60);
+
+            $configuration = $interactive->getConfiguration();
+            $resourceEndpoint = $this->keyValueService->getValue($configuration['resourceEndpoint']);
+
+            $response = $this->client->request('GET', $resourceEndpoint);
+            $content = $response->toArray();
+
+            $allowedResources = [];
+
+            foreach ($content as $resource) {
+                if ($resource["allowInstantBooking"] === 'True') {
+                    $allowedResources[] = $resource["ResourceMail"];
+                }
+            }
+
+            return $allowedResources;
+        });
+    }
 }