From c0e0c377ce8fe32dfc373a294e73192b526160f1 Mon Sep 17 00:00:00 2001 From: Jan Date: Sat, 13 Dec 2025 10:22:02 +0100 Subject: [PATCH] Remove unused `AzureMapsController`, clean up commented decode logic, and introduce `@PreAuthorize` annotations in controllers to enforce role-based access controls. --- .../calculation/DashboardController.java | 2 + .../calculation/PremiseController.java | 2 - .../configuration/AppsController.java | 5 +- .../CalculationDumpController.java | 3 ++ .../controller/maps/AzureMapsController.java | 48 ------------------- 5 files changed, 9 insertions(+), 51 deletions(-) delete mode 100644 src/main/java/de/avatic/lcc/controller/maps/AzureMapsController.java diff --git a/src/main/java/de/avatic/lcc/controller/calculation/DashboardController.java b/src/main/java/de/avatic/lcc/controller/calculation/DashboardController.java index e61e41d..7b1386d 100644 --- a/src/main/java/de/avatic/lcc/controller/calculation/DashboardController.java +++ b/src/main/java/de/avatic/lcc/controller/calculation/DashboardController.java @@ -3,6 +3,7 @@ package de.avatic.lcc.controller.calculation; import de.avatic.lcc.dto.calculation.execution.CalculationProcessingOverviewDTO; import de.avatic.lcc.service.calculation.execution.CalculationJobProcessorManagementService; import org.springframework.http.ResponseEntity; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; @@ -18,6 +19,7 @@ public class DashboardController { } @GetMapping({"/", ""}) + @PreAuthorize("hasAnyRole('SUPER', 'CALCULATION')") public ResponseEntity getDashboardData() { return ResponseEntity.ok(calculationJobProcessorManagementService.getCalculationOverview()); } 
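Review bot: The `@PreAuthorize("hasAnyRole('SUPER', 'CALCULATION')")` added on `getDashboardData` is the only guard in `DashboardController`, and because it is attached per method any endpoint added to this class later starts out unprotected; placing the same annotation on the class (`@PreAuthorize("hasAnyRole('SUPER', 'CALCULATION')")` above `public class DashboardController`) makes the secured state the default and lets individual methods narrow it where needed. The same per-method pattern is repeated in the `AppsController` and `CalculationDumpController` hunks with `hasRole('SERVICE')`. Method-level annotations are only enforced when method security is enabled in the Spring Security configuration, which is not part of this patch, so that should be confirmed rather than assumed, ideally with a test that an anonymous or wrong-role request to `/` is rejected. `getDashboardData` lies entirely inside the hunk, but the class body continues outside it.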
diff --git a/src/main/java/de/avatic/lcc/controller/calculation/PremiseController.java b/src/main/java/de/avatic/lcc/controller/calculation/PremiseController.java index a649ada..21eb49c 100644 --- a/src/main/java/de/avatic/lcc/controller/calculation/PremiseController.java +++ b/src/main/java/de/avatic/lcc/controller/calculation/PremiseController.java @@ -83,7 +83,6 @@ public class PremiseController { public ResponseEntity findMaterialsAndSuppliers(@RequestParam String search) { try { -// String decodedValue = URLDecoder.decode(search, StandardCharsets.UTF_8); return ResponseEntity.ok(premiseSearchStringAnalyzerService.findMaterialAndSuppliers(search)); } catch (Exception e) { throw new BadRequestException("Bad string encoding", "Unable to decode request", e); @@ -217,5 +216,4 @@ public class PremiseController { } - } diff --git a/src/main/java/de/avatic/lcc/controller/configuration/AppsController.java b/src/main/java/de/avatic/lcc/controller/configuration/AppsController.java index 3880a60..e96dc2f 100644 --- a/src/main/java/de/avatic/lcc/controller/configuration/AppsController.java +++ b/src/main/java/de/avatic/lcc/controller/configuration/AppsController.java @@ -4,6 +4,7 @@ import com.azure.core.annotation.BodyParam; import de.avatic.lcc.dto.configuration.apps.AppDTO; import de.avatic.lcc.service.apps.AppsService; import org.springframework.http.ResponseEntity; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.List; 
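Review bot: With the commented `URLDecoder.decode` line gone, the `catch (Exception e)` left in `findMaterialsAndSuppliers` no longer relates to decoding, yet it still converts every failure from `premiseSearchStringAnalyzerService.findMaterialAndSuppliers(search)`, including database or service errors, into `BadRequestException("Bad string encoding", "Unable to decode request", e)`, so a server-side fault is reported to the client as a 400 with a misleading message and is hidden from error monitoring. Either remove the try/catch and let the application's exception handling classify the error, or catch only the exception types the service throws for malformed input. Unlike the other controllers in this patch, this endpoint receives no `@PreAuthorize` annotation; its annotations sit above the hunk, so it may already be covered, which is worth confirming. The enclosing method starts outside the hunk.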
@@ -16,21 +17,23 @@ public class AppsController { private final AppsService appsService; public AppsController(AppsService appsService) { - this.appsService = appsService; } @GetMapping({"", "/"}) + @PreAuthorize("hasRole('SERVICE')") public ResponseEntity> listApps() { return ResponseEntity.ok(appsService.listApps()); } @PostMapping({"", "/"}) + @PreAuthorize("hasRole('SERVICE')") public ResponseEntity updateApp(@RequestBody AppDTO dto) { return ResponseEntity.ok(appsService.updateApp(dto)); } @DeleteMapping({"/{id}", "/{id}/"}) + @PreAuthorize("hasRole('SERVICE')") public ResponseEntity deleteApp(@PathVariable Integer id) { appsService.deleteApp(id); return ResponseEntity.ok().build(); diff --git a/src/main/java/de/avatic/lcc/controller/configuration/CalculationDumpController.java b/src/main/java/de/avatic/lcc/controller/configuration/CalculationDumpController.java index 01ebff1..627d538 100644 --- a/src/main/java/de/avatic/lcc/controller/configuration/CalculationDumpController.java +++ b/src/main/java/de/avatic/lcc/controller/configuration/CalculationDumpController.java @@ -5,6 +5,7 @@ import de.avatic.lcc.repositories.error.DumpRepository; import de.avatic.lcc.repositories.pagination.SearchQueryPagination; import jakarta.validation.constraints.Min; import org.springframework.http.ResponseEntity; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import java.util.List; @@ -20,11 +21,13 @@ public class CalculationDumpController { } @GetMapping({"/dump/{id}", "/dump/{id}/"}) + @PreAuthorize("hasRole('SERVICE')") public ResponseEntity getDump(@PathVariable Integer id) { return ResponseEntity.ok(dumpRepository.getDump(id)); } @GetMapping({"/dump/", "/dump"}) + @PreAuthorize("hasRole('SERVICE')") public ResponseEntity> listDumps( @RequestParam(defaultValue = "20") @Min(1) int limit, @RequestParam(defaultValue = "1") @Min(1) int page) { 
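Review bot: The removed line inside the `AppsController` constructor is ambiguous in the collapsed hunk: if it is the assignment `this.appsService = appsService;` rather than a blank line, the `private final AppsService appsService` field is never initialised and the class will not compile, so please confirm the constructor still contains `this.appsService = appsService;`. The three `@PreAuthorize("hasRole('SERVICE')")` annotations on `listApps`, `updateApp` and `deleteApp`, like the two in `CalculationDumpController`, express one identical policy, so a single class-level annotation would say the same with less repetition and would cover any endpoint added later by default. The `deleteApp` body and the `listDumps` signature continue outside their hunks.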
diff --git a/src/main/java/de/avatic/lcc/controller/maps/AzureMapsController.java b/src/main/java/de/avatic/lcc/controller/maps/AzureMapsController.java
deleted file mode 100644
index a6ce88b..0000000
--- a/src/main/java/de/avatic/lcc/controller/maps/AzureMapsController.java
+++ /dev/null
@@ -1,48 +0,0 @@
-package de.avatic.lcc.controller.maps;
-
-import com.azure.core.credential.AccessToken;
-import com.azure.identity.DefaultAzureCredentialBuilder;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-import java.time.OffsetDateTime;
-import java.util.HashMap;
-import java.util.Map;
-
-@RestController
-@RequestMapping("/api/maps")
-public class AzureMapsController {
-
- @Value("${azure.maps.client.id}")
- private String mapsClientId;
-
- @Value("${azure.maps.subscription.key}")
- private String mapsSubscriptionKey;
-
- @GetMapping("/token")
- @PreAuthorize("isAuthenticated()")
- public ResponseEntity> getAzureMapsToken() {
- try {
- // Verwende die DefaultAzureCredential für die Authentifizierung
- var credential = new DefaultAzureCredentialBuilder().build();
-
- // Fordere ein Token für Azure Maps an
- AccessToken token = credential.getToken(
- new com.azure.core.credential.TokenRequestContext()
- .addScopes("https://atlas.microsoft.com/.default")
- ).block();
-
- Map response = new HashMap<>();
- response.put("token", token.getToken());
- response.put("expiresOn", token.getExpiresAt().toEpochSecond());
-
- return ResponseEntity.ok(response);
- } catch (Exception e) {
- return ResponseEntity.internalServerError().build();
- }
- }
-}
\ No newline at end of file