
Example 1 with ConqueryPermission


the class FormConfigProcessor method deleteConfig.

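/**
 * Deletes a configuration from the storage and all permissions that have this configuration as target.
 * <p>
 * The subject is authorized for {@link Ability#DELETE} on the config before anything is removed, so an
 * unauthorized subject causes no change to the storage. Afterwards every {@link WildcardPermission} of the
 * user that names this config's id in the form-config domain is removed; a permission that also named
 * other configs is replaced by one that keeps only those other instances.
 *
 * @param subject the subject requesting the deletion; resolved to a {@link User} via the storage
 * @param config  the configuration to delete
 */
public void deleteConfig(Subject subject, FormConfig config) {
    User user = storage.getUser(subject.getId());
    // Authorize before mutating anything; authorize() is expected to reject by throwing
    // (its implementation is not visible here).
    user.authorize(config, Ability.DELETE);
    storage.removeFormConfig(config.getId());

    // Domain and instance parts are matched lower-cased (see the contains() checks below), so the
    // same lower-cased form must be used when removing the instance from a composite permission;
    // removing the raw id would silently leave the config inside the re-created permission.
    final String configInstance = config.getId().toString().toLowerCase();
    final String formConfigDomain = FormConfigPermission.DOMAIN.toLowerCase();

    // Delete corresponding permissions (Maybe better to put it into a slow job).
    // Iterate over a snapshot: the loop adds and removes permissions on the same user, and it is
    // not visible here whether getPermissions() returns a live view.
    for (ConqueryPermission permission : new HashSet<>(user.getPermissions())) {
        if (!(permission instanceof WildcardPermission)) {
            // Only wildcard permissions carry domain/instance parts; a blind cast would abort the whole deletion.
            continue;
        }
        WildcardPermission wpermission = (WildcardPermission) permission;
        if (!wpermission.getDomains().contains(formConfigDomain)) {
            continue;
        }
        if (!wpermission.getInstances().contains(configInstance)) {
            continue;
        }
        Set<String> instancesCleared = new HashSet<>(wpermission.getInstances());
        instancesCleared.remove(configInstance);
        if (!instancesCleared.isEmpty()) {
            // Composite permission: keep the remaining instances under a fresh permission. A permission
            // with an empty instance set is deliberately not re-added, because it would no longer be
            // scoped to a specific config.
            WildcardPermission clearedPermission = new WildcardPermission(List.of(wpermission.getDomains(), wpermission.getAbilities(), instancesCleared), Instant.now());
            user.addPermission(clearedPermission);
        }
        user.removePermission(wpermission);
    }
}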

Example 2 with ConqueryPermission


the class RoleUITest method execute.

@Override
public void execute(StandaloneSupport conquery) throws Exception {
    final MetaStorage storage = conquery.getMetaStorage();

    // A role carrying a dataset permission, and a user that holds the permission only through that role.
    final Role role = new Role("testMandatorName", "testMandatorLabel", storage);
    final RoleId roleId = role.getId();
    final User user = new User("testUser@test.de", "testUserName", storage);
    final UserId userId = user.getId();

    try {
        final ConqueryPermission datasetRead = DatasetPermission.onInstance(Ability.READ.asSet(), new DatasetId("testDatasetId"));
        storage.addRole(role);
        storage.addUser(user);
        // Grant to the role only after both are stored: the subject owning the permission may alter the permission object.
        role.addPermission(datasetRead);
        user.addRole(role);

        final URI roleUri = HierarchyHelper.hierarchicalPath(conquery.defaultAdminURIBuilder(), RoleUIResource.class, "getRole")
                                           .buildFromMap(Map.of(ROLE_ID, roleId.toString()));
        final Response response = conquery.getClient().target(roleUri).request().get();
        assertThat(response.getStatus()).isEqualTo(200);

        // The rendered admin page must not contain Freemarker error or debug output.
        final String pageText = response.readEntity(String.class).toLowerCase();
        assertThat(pageText).doesNotContain(List.of("freemarker", "debug"));
    } finally {
        // Undo the storage changes so other tests start from a clean state.
        storage.removeRole(roleId);
        storage.removeUser(userId);
    }
}

Example 3 with ConqueryPermission


the class ConceptPermissionTest method execute.

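@Override
public void execute(StandaloneSupport conquery) throws Exception {
    final MetaStorage storage = conquery.getMetaStorage();
    final Dataset dataset = conquery.getDataset();
    final String testJson = In.resource("/tests/query/SIMPLE_TREECONCEPT_QUERY/SIMPLE_TREECONCEPT_Query.test.json").withUTF8().readAll();
    final QueryTest test = (QueryTest) JsonIntegrationTest.readJson(dataset.getId(), testJson);
    // NOTE(review): 'processor' is never used below; kept only in case constructing it has side effects — confirm and drop.
    final QueryProcessor processor = new QueryProcessor(conquery.getDatasetRegistry(), storage, conquery.getConfig());
    final User user = new User("testUser", "testUserLabel", storage);

    // Manually import data, so we can do our own work.
    ValidatorHelper.failOnError(log, conquery.getValidator().validate(test));
    importSecondaryIds(conquery, test.getContent().getSecondaryIds());
    conquery.waitUntilWorkDone();
    LoadingUtil.importTables(conquery, test.getContent().getTables());
    conquery.waitUntilWorkDone();
    LoadingUtil.importConcepts(conquery, test.getRawConcepts());
    conquery.waitUntilWorkDone();
    LoadingUtil.importTableContents(conquery, test.getContent().getTables());
    conquery.waitUntilWorkDone();

    storage.addUser(user);
    try {
        // The user may read the dataset but, until later, not the concept the query uses.
        user.addPermission(DatasetPermission.onInstance(Ability.READ, dataset.getId()));

        // Query cannot be deserialized without Namespace set up
        final Query query = IntegrationUtils.parseQuery(conquery, test.getRawQuery());

        // The lone concept that is used in the test (this is the concept itself, not its id).
        final Concept<?> concept = conquery.getNamespace().getStorage().getAllConcepts().iterator().next();

        // Without the concept permission the query must be rejected.
        IntegrationUtils.assertQueryResult(conquery, query, -1, ExecutionState.FAILED, user, 403);

        // Add the necessary Permission
        final ConqueryPermission permission = concept.createPermission(Ability.READ.asSet());
        log.info("Adding the Permission[{}] to User[{}]", permission, user);
        user.addPermission(permission);

        // Only assert permissions
        IntegrationUtils.assertQueryResult(conquery, query, -1, ExecutionState.DONE, user, 201);
        conquery.waitUntilWorkDone();
    } finally {
        // Clean up even when an assertion fails, so a failed run does not leave the test user in the storage.
        storage.removeUser(user.getId());
    }
}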

Example 4 with ConqueryPermission


the class PermissionCleanupTask method deleteQueryPermissionsWithMissingRef.

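/**
 * Deletes permissions that reference non-existing executions.
 * <p>
 * For every owner, each {@link WildcardPermission} in the execution domain is checked instance by
 * instance against the storage. A permission whose instances all still exist is left untouched. A
 * permission with at least one dangling reference is removed; if it also held valid references, a new
 * permission restricted to those (keeping the original creation time) is added in its place.
 * A permission whose instance id cannot be parsed is kept and logged, mirroring
 * {@code deletePermissionsOfOwnedInstances}, rather than aborting the whole cleanup. A permission
 * without an instance part references no execution and is skipped.
 *
 * @param storage the storage used to look up executions
 * @param owners  the permission owners whose permissions are inspected
 * @return The number of deleted permissions.
 */
public static int deleteQueryPermissionsWithMissingRef(MetaStorage storage, Iterable<? extends PermissionOwner<?>> owners) {
    int countDeleted = 0;
    final String executionDomain = ExecutionPermission.DOMAIN.toLowerCase();
    for (PermissionOwner<?> owner : owners) {
        // Snapshot: the loop adds and removes permissions on the same owner, and it is not visible
        // here whether getPermissions() returns a live view.
        Set<ConqueryPermission> permissions = new HashSet<>(owner.getPermissions());
        for (Permission permission : permissions) {
            WildcardPermission wpermission = getAsWildcardPermission(permission);
            if (wpermission == null) {
                continue;
            }
            if (!wpermission.getDomains().contains(executionDomain)) {
                // Skip Permissions that do not reference an Execution/Query
                continue;
            }
            Set<String> instances = wpermission.getInstances();
            if (instances.isEmpty()) {
                // Nothing references a (missing) execution here; deleting such a permission would
                // change its scope rather than clean up a dangling reference.
                continue;
            }
            // Handle multiple references to instances
            Set<String> validRef = new HashSet<>();
            boolean unparsable = false;
            for (String sId : instances) {
                ManagedExecutionId mId;
                try {
                    mId = ManagedExecutionId.Parser.INSTANCE.parse(sId);
                } catch (Exception e) {
                    // Consistent with deletePermissionsOfOwnedInstances: keep the permission instead of
                    // failing the whole task or deleting something we could not interpret.
                    log.warn("Unable to parse an execution id from permission instance '{}'. Keeping permission {}", sId, wpermission, e);
                    unparsable = true;
                    break;
                }
                if (storage.getExecution(mId) != null) {
                    // Execution exists -- it is a valid reference
                    validRef.add(mId.toString());
                }
            }
            if (unparsable) {
                continue;
            }
            if (instances.size() == validRef.size()) {
                // All are valid, nothing changed proceed with the next permission
                continue;
            }
            if (!validRef.isEmpty()) {
                // Create a new Permission that only contains valid references
                WildcardPermission reducedPermission = new WildcardPermission(List.of(wpermission.getDomains(), wpermission.getAbilities(), validRef), wpermission.getCreationTime());
                owner.addPermission(reducedPermission);
            }
            // Delete the old permission that contains both valid and invalid references
            owner.removePermission(wpermission);
            countDeleted++;
        }
    }
    return countDeleted;
}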

Example 5 with ConqueryPermission


the class PermissionCleanupTask method deletePermissionsOfOwnedInstances.

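/**
 * Deletes permissions that are unnecessary because the user is the owner of the referenced instance.
 * <p>
 * Only single-instance {@link WildcardPermission}s in {@code permissionDomain} are considered: a permission
 * listing several instances (or none) is skipped, because removing it would also revoke access to instances
 * the user does not own. Permissions whose instance id cannot be parsed, or whose instance no longer
 * exists, are kept and logged.
 *
 * @param storage                  the storage whose users are inspected
 * @param permissionDomain         the domain whose permissions are examined; compared verbatim against the
 *                                 permission's domain parts, so callers presumably pass it lower-cased — confirm
 * @param idParser                 parser for the instance ids found in the permissions
 * @param instanceStorageExtractor resolves an id to the stored instance, or {@code null} if it does not exist
 * @return The number of deleted permissions.
 */
public static <E extends IdentifiableImpl<ID> & Owned, ID extends IId<E>> int deletePermissionsOfOwnedInstances(MetaStorage storage, String permissionDomain, IId.Parser<ID> idParser, Function<ID, E> instanceStorageExtractor) {
    int countDeleted = 0;
    for (User user : storage.getAllUsers()) {
        // Snapshot: the loop removes permissions from the same user, and it is not visible here
        // whether getPermissions() returns a live view.
        Set<ConqueryPermission> permissions = new HashSet<>(user.getPermissions());
        for (Permission permission : permissions) {
            WildcardPermission wpermission = getAsWildcardPermission(permission);
            if (wpermission == null) {
                continue;
            }
            if (!wpermission.getDomains().contains(permissionDomain)) {
                // Skip Permissions of other domains
                continue;
            }
            Set<String> instances = wpermission.getInstances();
            if (instances.size() != 1) {
                // The 'continue' is essential: without it a multi-instance permission would be judged by
                // an arbitrary instance and deleted as a whole, and an empty one would throw on next().
                log.trace("Skipping permission {} because it does not refer to exactly one instance.", wpermission);
                continue;
            }
            final ID instanceId;
            try {
                instanceId = idParser.parse(instances.iterator().next());
            } catch (Exception e) {
                log.warn("Unable to parse an id from permission instance. Permission was: {}", wpermission, e);
                continue;
            }
            E instance = instanceStorageExtractor.apply(instanceId);
            if (instance == null) {
                log.trace("The instance referenced in permission {} does not exist. Skipping permission", wpermission);
                continue;
            }
            if (!user.isOwner(instance)) {
                log.trace("The user is not owner of the instance. Keeping the permission. User: {}, Owner: {}, Instance: {}, Permission: {}", user.getId(), instance.getOwner(), instance.getId(), wpermission);
                continue;
            }
            // Ownership already grants access, so the explicit permission is redundant.
            log.trace("User owns the instance. Deleting the permission");
            user.removePermission(wpermission);
            countDeleted++;
        }
    }
    return countDeleted;
}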
