Examples with StorageOSUser com.emc.storageos.security.authentication.StorageOSUser used on opensource projects

Example 51 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class CatalogServiceService method createCatalogService.

/**
 * Creates a new catalog service
 *
 * @param createParam
 *            the parameter to create a new catalog service
 * @prereq none
 * @brief Create Catalog Service
 * @return none
 */
@POST
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@CheckPermission(roles = { Role.TENANT_ADMIN }, acls = { ACL.OWN })
@Path("")
public CatalogServiceRestRep createCatalogService(CatalogServiceCreateParam createParam) {
    StorageOSUser user = getUserFromContext();
    CatalogCategory parentCatalogCategory = catalogCategoryManager.getCatalogCategoryById(createParam.getCatalogCategory());
    verifyAuthorizedInTenantOrg(uri(parentCatalogCategory.getTenant()), user);
    validateParam(createParam, null);
    CatalogService catalogService = createNewObject(createParam, parentCatalogCategory);
    List<CatalogServiceField> catalogServiceFields = createNewObjectList(catalogService, createParam.getCatalogServiceFields());
    catalogServiceManager.createCatalogService(catalogService, catalogServiceFields);
    auditOpSuccess(OperationTypeEnum.CREATE_CATALOG_SERVICE, catalogService.auditParameters());
    // Refresh Objects
    catalogService = catalogServiceManager.getCatalogServiceById(catalogService.getId());
    catalogServiceFields = catalogServiceManager.getCatalogServiceFields(catalogService.getId());
    ServiceDescriptor serviceDescriptor = getServiceDescriptor(catalogService);
    return map(catalogService, serviceDescriptor, catalogServiceFields);
}

Example 52 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class ApprovalService method updateApproval.

/**
 * Update approval
 *
 * @param param Approval update parameters
 * @param id the URN the approval
 * @prereq none
 * @brief Update Approval
 * @return No data returned in response body
 */
@PUT
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}")
@CheckPermission(roles = { Role.TENANT_APPROVER })
public ApprovalRestRep updateApproval(@PathParam("id") URI id, ApprovalUpdateParam param) {
    ApprovalRequest approval = getApprovalById(id, true);
    StorageOSUser user = getUserFromContext();
    verifyAuthorizedInTenantOrg(uri(approval.getTenant()), user);
    Order order = orderManager.getOrderById(approval.getOrderId());
    if (order.getSubmittedByUserId().equals(user.getUserName()) && param.getApprovalStatus().equals(ApprovalStatus.APPROVED.toString())) {
        throw APIException.badRequests.updateApprovalBySameUser(user.getUserName());
    }
    validateParam(param, approval);
    updateObject(approval, param);
    approvalManager.updateApproval(approval, user);
    if (approval.getOrderId() != null) {
        if (order != null) {
            orderManager.processOrder(order);
        }
    }
    auditOpSuccess(OperationTypeEnum.UPDATE_APPROVAL, approval.auditParameters());
    approval = approvalManager.getApprovalById(approval.getId());
    return map(approval);
}

Example 53 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class CatalogCategoryService method updateCatalogCategory.

/**
 * Update info for catalog category
 *
 * @param catalogCategoryUpdate Catalog Category update parameters
 * @param id the URN of a Catalog Category
 * @prereq none
 * @brief Update Catalog Category
 * @return No data returned in response body
 */
@PUT
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}")
@CheckPermission(roles = { Role.TENANT_ADMIN }, acls = { ACL.OWN })
public CatalogCategoryRestRep updateCatalogCategory(@PathParam("id") URI id, CatalogCategoryUpdateParam catalogCategoryUpdate) {
    CatalogCategory catalogCategory = getCatalogCategoryById(id, true);
    StorageOSUser user = getUserFromContext();
    verifyAuthorizedInTenantOrg(uri(catalogCategory.getTenant()), user);
    URI parentCategoryId = getTargetParentCategoryId(catalogCategory, catalogCategoryUpdate);
    validateCatalogCategoryParam(parentCategoryId, catalogCategoryUpdate, catalogCategory);
    CatalogCategory parentCatalogCategory = parentCategoryId != null ? queryResource(parentCategoryId) : null;
    updateCatalogCategoryObject(parentCatalogCategory, catalogCategory, catalogCategoryUpdate);
    catalogCategoryManager.updateCatalogCategory(catalogCategory);
    auditOpSuccess(OperationTypeEnum.UPDATE_CATALOG_CATEGORY, catalogCategory.auditParameters());
    catalogCategory = catalogCategoryManager.getCatalogCategoryById(catalogCategory.getId());
    return map(catalogCategory);
}

Example 54 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class ConfigService method getProperties.

/**
 * Get system configuration properties
 *
 * @brief Get system properties
 * @prereq none
 * @param category - type of properties to return: all, config, ovf, mutated, secrets (require SecurityAdmin role)
 *            or obsolete
 * @return Properties Information if success. Error response, if error./**
 */
@GET
@Path("properties/")
@CheckPermission(roles = { Role.SECURITY_ADMIN, Role.SYSTEM_MONITOR })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public PropertyInfoRestRep getProperties(@DefaultValue("all") @QueryParam("category") String category) throws Exception {
    switch(PropCategory.valueOf(category.toUpperCase())) {
        case ALL:
            return getTargetPropsCommon();
        case CONFIG:
            return new PropertyInfoRestRep(getConfigProperties());
        case OVF:
            return new PropertyInfoRestRep(getPropertiesOvf());
        case REDEPLOY:
            Map<String, String> props = getPropertiesOvf();
            props.remove(MODE);
            props.remove(NODE_ID);
            Map<String, String> clusterInfo = new HashMap();
            Set<Map.Entry<String, String>> ovfProps = props.entrySet();
            for (Map.Entry<String, String> ovfProp : ovfProps) {
                String parameter = propertyToParameters.get(ovfProp.getKey());
                if (parameter == null) {
                    continue;
                }
                clusterInfo.put(parameter, ovfProp.getValue());
            }
            // Add ipsec key
            clusterInfo.put(IPSEC_KEY, ipsecConfig.getPreSharedKey());
            // Add version info
            RepositoryInfo info = _coordinator.getTargetInfo(RepositoryInfo.class);
            clusterInfo.put(VERSION, info.getCurrentVersion().toString());
            _log.info("clusterInfo={}", clusterInfo);
            return new PropertyInfoRestRep(clusterInfo);
        case MUTATED:
            return new PropertyInfoRestRep(getMutatedProps());
        case SECRETS:
            StorageOSUser user = getUserFromContext();
            if (!user.getRoles().contains(Role.SECURITY_ADMIN.toString())) {
                throw APIException.forbidden.onlySecurityAdminsCanGetSecrets();
            }
            return getTargetPropsCommon(false);
        case OBSOLETE:
            return new PropertyInfoRestRep(getObsoleteProperties());
        default:
            throw APIException.badRequests.invalidParameter("category", category);
    }
}

Example 55 with StorageOSUser

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class AbstractPermissionFilter method filter.

/**
 * ContainerRequestFilter - checks to see if one of the specified
 * permissions exists for the user, if not throws
 * APIException.forbidden.insufficientPermissionsForUser
 *
 * @param request
 * @return ContainerRequest
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
    Principal p = request.getUserPrincipal();
    if (!(p instanceof StorageOSUser)) {
        throw APIException.forbidden.invalidSecurityContext();
    }
    StorageOSUser user = (StorageOSUser) p;
    if (_blockProxies && user.isProxied()) {
        throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
    }
    boolean good = false;
    // Step 1: Roles check - see if the user has one of the allowed roles
    Set<String> tenantRoles = null;
    for (Role role : _roles) {
        if (user.getRoles().contains(role.toString())) {
            good = true;
            break;
        }
        if (_permissionsHelper.isRoleTenantLevel(role.toString())) {
            if (tenantRoles == null) {
                try {
                    URI tenantId = getTenantIdFromURI(getUriInfo());
                    tenantRoles = _permissionsHelper.getTenantRolesForUser(user, tenantId, isIdEmbeddedInURL(tenantId));
                    if (CollectionUtils.isEmpty(tenantRoles)) {
                        tenantRoles = getTenantRolesFromResource(user);
                    }
                } catch (DatabaseException ex) {
                    throw APIException.forbidden.failedReadingTenantRoles(ex);
                }
            }
            if (tenantRoles != null && tenantRoles.contains(role.toString())) {
                good = true;
                break;
            }
        }
    }
    // Step 2: if we are still not good, start checking for acls
    if (!good && _acls.length > 0) {
        // grab all acls from the resource
        Set<String> acls = new HashSet<String>();
        URI projectId = getProjectIdFromURI(getUriInfo());
        if (projectId != null) {
            try {
                acls = _permissionsHelper.getProjectACLsForUser(user, projectId, isIdEmbeddedInURL(projectId));
            } catch (DatabaseException ex) {
                throw APIException.forbidden.failedReadingProjectACLs(ex);
            }
        } else {
            /* other resource acls */
            // these acls are assigned to tenant, so enhanced to check not only user's home tenant,
            // but also need to take into consideration of subtenants, which user has tenant roles.
            acls = getUsageAclsFromURI(user.getTenantId(), getUriInfo());
            for (String subtenantId : _permissionsHelper.getSubtenantsForUser(user)) {
                Set<String> subTenantAcls = getUsageAclsFromURI(subtenantId, getUriInfo());
                if (acls == null) {
                    acls = subTenantAcls;
                } else if (subTenantAcls != null) {
                    acls.addAll(subTenantAcls);
                }
            }
        }
        // see if we got any and we got a hit
        if (acls != null) {
            for (ACL acl : _acls) {
                if (acl.equals(ACL.ANY) && (acls.contains(ACL.OWN.toString()) || acls.contains(ACL.BACKUP.toString()) || acls.contains(ACL.ALL.toString()))) {
                    good = true;
                    break;
                } else if (acls.contains(acl.toString())) {
                    good = true;
                    break;
                }
            }
        }
    }
    // still not good, its not allowed
    if (!good) {
        throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
    }
    return request;
}