use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-nucleus by aws-greengrass.
the class AuthorizationHandler method isAuthorized.
/**
* Check if the combination of destination, principal, operation and resource is allowed.
* A scenario where this method is called is for a request which originates from {@code principal}
* component destined for {@code destination} component, which needs access to {@code resource}
* using API {@code operation}.
*
* @param destination Destination component which is being accessed.
* @param permission container for principal, operation and resource.
* @param resourceLookupPolicy whether to match MQTT wildcards or not.
* @return whether the input combination is a valid flow.
* @throws AuthorizationException when flow is not authorized.
*/
public boolean isAuthorized(String destination, Permission permission, ResourceLookupPolicy resourceLookupPolicy) throws AuthorizationException {
String principal = permission.getPrincipal();
String operation = permission.getOperation();
String resource = permission.getResource();
// If the operation is not registered with the destination component, then fail
isOperationValid(destination, operation);
// Lookup all possible allow configurations starting from most specific to least
// This helps for access logs, as customer can figure out which policy is being hit.
String[][] combinations = { { destination, principal, operation, resource }, { destination, principal, ANY_REGEX, resource }, { destination, ANY_REGEX, operation, resource }, { destination, ANY_REGEX, ANY_REGEX, resource } };
try (LockScope scope = LockScope.lock(rwLock.readLock())) {
for (String[] combination : combinations) {
if (authModule.isPresent(combination[0], Permission.builder().principal(combination[1]).operation(combination[2]).resource(combination[3]).build(), resourceLookupPolicy)) {
logger.atDebug().log("Hit policy with principal {}, operation {}, resource {}", combination[1], combination[2], combination[3]);
return true;
}
}
}
throw new AuthorizationException(String.format("Principal %s is not authorized to perform %s:%s on resource %s", principal, destination, operation, resource));
}
use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-cli by aws-greengrass.
the class CLIEventStreamAgentTest method setup.
@BeforeEach
void setup() throws AuthorizationException {
when(mockContext.getContinuation()).thenReturn(mock(ServerConnectionContinuation.class));
when(mockContext.getAuthenticationData()).thenReturn(() -> String.format(GREENGRASS_CLI_CLIENT_ID_FMT, "abc"));
lenient().when(authorizationHandler.isAuthorized(eq(CLI_SERVICE), any())).thenThrow(new AuthorizationException("bad"));
}
use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-nucleus by aws-greengrass.
the class LifecycleIPCEventStreamAgentTest method GIVEN_resume_component_request_WHEN_unauthorized_THEN_return_auth_error.
@Test
@EnabledOnOs(OS.LINUX)
void GIVEN_resume_component_request_WHEN_unauthorized_THEN_return_auth_error() throws AuthorizationException, ServiceException {
when(authorizationHandler.isAuthorized(any(), any())).thenThrow(new AuthorizationException("Unauthorized"));
ResumeComponentRequest request = new ResumeComponentRequest();
request.setComponentName(TEST_TARGET_COMPONENT);
assertThrows(UnauthorizedError.class, () -> lifecycleIPCEventStreamAgent.getResumeComponentHandler(mockContext).handleRequest(request));
ArgumentCaptor<Permission> permissionArg = ArgumentCaptor.forClass(Permission.class);
verify(authorizationHandler).isAuthorized(eq(LIFECYCLE_SERVICE_NAME), permissionArg.capture());
Permission permission = permissionArg.getValue();
assertThat(permission.getOperation(), is(GreengrassCoreIPCService.RESUME_COMPONENT));
assertThat(permission.getPrincipal(), is(TEST_SERVICE));
assertThat(permission.getResource(), is(TEST_TARGET_COMPONENT));
verify(kernel, never()).locate(TEST_TARGET_COMPONENT);
verify(targetComponent, never()).isPaused();
verify(targetComponent, never()).resume();
}
use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-nucleus by aws-greengrass.
the class LifecycleIPCEventStreamAgentTest method GIVEN_pause_component_request_WHEN_unauthorized_THEN_return_auth_error.
@Test
@EnabledOnOs(OS.LINUX)
void GIVEN_pause_component_request_WHEN_unauthorized_THEN_return_auth_error() throws AuthorizationException, ServiceException {
when(authorizationHandler.isAuthorized(any(), any())).thenThrow(new AuthorizationException("Unauthorized"));
PauseComponentRequest request = new PauseComponentRequest();
request.setComponentName(TEST_TARGET_COMPONENT);
assertThrows(UnauthorizedError.class, () -> lifecycleIPCEventStreamAgent.getPauseComponentHandler(mockContext).handleRequest(request));
ArgumentCaptor<Permission> permissionArg = ArgumentCaptor.forClass(Permission.class);
verify(authorizationHandler).isAuthorized(eq(LIFECYCLE_SERVICE_NAME), permissionArg.capture());
Permission permission = permissionArg.getValue();
assertThat(permission.getOperation(), is(GreengrassCoreIPCService.PAUSE_COMPONENT));
assertThat(permission.getPrincipal(), is(TEST_SERVICE));
assertThat(permission.getResource(), is(TEST_TARGET_COMPONENT));
verify(kernel, never()).locate(TEST_TARGET_COMPONENT);
verify(targetComponent, never()).getState();
verify(targetComponent, never()).pause();
}
Aggregations