Search in sources :

Example 1 with AuthorizationException

use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-nucleus by aws-greengrass.

the class AuthorizationHandler method isAuthorized.

/**
 * Check if the combination of destination, principal, operation and resource is allowed.
 * A scenario where this method is called is for a request which originates from {@code principal}
 * component destined for {@code destination} component, which needs access to {@code resource}
 * using API {@code operation}.
 *
 * @param destination Destination component which is being accessed.
 * @param permission  container for principal, operation and resource.
 * @param resourceLookupPolicy whether to match MQTT wildcards or not.
 * @return whether the input combination is a valid flow.
 * @throws AuthorizationException when flow is not authorized.
 */
public boolean isAuthorized(String destination, Permission permission, ResourceLookupPolicy resourceLookupPolicy) throws AuthorizationException {
    String principal = permission.getPrincipal();
    String operation = permission.getOperation();
    String resource = permission.getResource();
    // If the operation is not registered with the destination component, then fail
    isOperationValid(destination, operation);
    // Lookup all possible allow configurations starting from most specific to least
    // This helps for access logs, as customer can figure out which policy is being hit.
    String[][] combinations = { { destination, principal, operation, resource }, { destination, principal, ANY_REGEX, resource }, { destination, ANY_REGEX, operation, resource }, { destination, ANY_REGEX, ANY_REGEX, resource } };
    try (LockScope scope = LockScope.lock(rwLock.readLock())) {
        for (String[] combination : combinations) {
            if (authModule.isPresent(combination[0], Permission.builder().principal(combination[1]).operation(combination[2]).resource(combination[3]).build(), resourceLookupPolicy)) {
                logger.atDebug().log("Hit policy with principal {}, operation {}, resource {}", combination[1], combination[2], combination[3]);
                return true;
            }
        }
    }
    throw new AuthorizationException(String.format("Principal %s is not authorized to perform %s:%s on resource %s", principal, destination, operation, resource));
}
Also used : AuthorizationException(com.aws.greengrass.authorization.exceptions.AuthorizationException) LockScope(com.aws.greengrass.util.LockScope)

Example 2 with AuthorizationException

use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-cli by aws-greengrass.

the class CLIEventStreamAgentTest method setup.

@BeforeEach
void setup() throws AuthorizationException {
    when(mockContext.getContinuation()).thenReturn(mock(ServerConnectionContinuation.class));
    when(mockContext.getAuthenticationData()).thenReturn(() -> String.format(GREENGRASS_CLI_CLIENT_ID_FMT, "abc"));
    lenient().when(authorizationHandler.isAuthorized(eq(CLI_SERVICE), any())).thenThrow(new AuthorizationException("bad"));
}
Also used : AuthorizationException(com.aws.greengrass.authorization.exceptions.AuthorizationException) ServerConnectionContinuation(software.amazon.awssdk.crt.eventstream.ServerConnectionContinuation) BeforeEach(org.junit.jupiter.api.BeforeEach)

Example 3 with AuthorizationException

use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-nucleus by aws-greengrass.

the class LifecycleIPCEventStreamAgentTest method GIVEN_resume_component_request_WHEN_unauthorized_THEN_return_auth_error.

@Test
@EnabledOnOs(OS.LINUX)
void GIVEN_resume_component_request_WHEN_unauthorized_THEN_return_auth_error() throws AuthorizationException, ServiceException {
    when(authorizationHandler.isAuthorized(any(), any())).thenThrow(new AuthorizationException("Unauthorized"));
    ResumeComponentRequest request = new ResumeComponentRequest();
    request.setComponentName(TEST_TARGET_COMPONENT);
    assertThrows(UnauthorizedError.class, () -> lifecycleIPCEventStreamAgent.getResumeComponentHandler(mockContext).handleRequest(request));
    ArgumentCaptor<Permission> permissionArg = ArgumentCaptor.forClass(Permission.class);
    verify(authorizationHandler).isAuthorized(eq(LIFECYCLE_SERVICE_NAME), permissionArg.capture());
    Permission permission = permissionArg.getValue();
    assertThat(permission.getOperation(), is(GreengrassCoreIPCService.RESUME_COMPONENT));
    assertThat(permission.getPrincipal(), is(TEST_SERVICE));
    assertThat(permission.getResource(), is(TEST_TARGET_COMPONENT));
    verify(kernel, never()).locate(TEST_TARGET_COMPONENT);
    verify(targetComponent, never()).isPaused();
    verify(targetComponent, never()).resume();
}
Also used : AuthorizationException(com.aws.greengrass.authorization.exceptions.AuthorizationException) Permission(com.aws.greengrass.authorization.Permission) ResumeComponentRequest(software.amazon.awssdk.aws.greengrass.model.ResumeComponentRequest) EnabledOnOs(org.junit.jupiter.api.condition.EnabledOnOs) Test(org.junit.jupiter.api.Test)

Example 4 with AuthorizationException

use of com.aws.greengrass.authorization.exceptions.AuthorizationException in project aws-greengrass-nucleus by aws-greengrass.

the class LifecycleIPCEventStreamAgentTest method GIVEN_pause_component_request_WHEN_unauthorized_THEN_return_auth_error.

@Test
@EnabledOnOs(OS.LINUX)
void GIVEN_pause_component_request_WHEN_unauthorized_THEN_return_auth_error() throws AuthorizationException, ServiceException {
    when(authorizationHandler.isAuthorized(any(), any())).thenThrow(new AuthorizationException("Unauthorized"));
    PauseComponentRequest request = new PauseComponentRequest();
    request.setComponentName(TEST_TARGET_COMPONENT);
    assertThrows(UnauthorizedError.class, () -> lifecycleIPCEventStreamAgent.getPauseComponentHandler(mockContext).handleRequest(request));
    ArgumentCaptor<Permission> permissionArg = ArgumentCaptor.forClass(Permission.class);
    verify(authorizationHandler).isAuthorized(eq(LIFECYCLE_SERVICE_NAME), permissionArg.capture());
    Permission permission = permissionArg.getValue();
    assertThat(permission.getOperation(), is(GreengrassCoreIPCService.PAUSE_COMPONENT));
    assertThat(permission.getPrincipal(), is(TEST_SERVICE));
    assertThat(permission.getResource(), is(TEST_TARGET_COMPONENT));
    verify(kernel, never()).locate(TEST_TARGET_COMPONENT);
    verify(targetComponent, never()).getState();
    verify(targetComponent, never()).pause();
}
Also used : PauseComponentRequest(software.amazon.awssdk.aws.greengrass.model.PauseComponentRequest) AuthorizationException(com.aws.greengrass.authorization.exceptions.AuthorizationException) Permission(com.aws.greengrass.authorization.Permission) EnabledOnOs(org.junit.jupiter.api.condition.EnabledOnOs) Test(org.junit.jupiter.api.Test)

Aggregations

AuthorizationException (com.aws.greengrass.authorization.exceptions.AuthorizationException)4 Permission (com.aws.greengrass.authorization.Permission)2 Test (org.junit.jupiter.api.Test)2 EnabledOnOs (org.junit.jupiter.api.condition.EnabledOnOs)2 LockScope (com.aws.greengrass.util.LockScope)1 BeforeEach (org.junit.jupiter.api.BeforeEach)1 PauseComponentRequest (software.amazon.awssdk.aws.greengrass.model.PauseComponentRequest)1 ResumeComponentRequest (software.amazon.awssdk.aws.greengrass.model.ResumeComponentRequest)1 ServerConnectionContinuation (software.amazon.awssdk.crt.eventstream.ServerConnectionContinuation)1