

use of com.emc.storageos.security.authentication.StorageOSUser in project coprhd-controller by CoprHD.

the class VirtualArrayService method userTenantHasPermissionForVirtualPool.

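/**
 * Determines whether the VirtualPool with the given id is usable by the
 * current user's tenant. The user's home tenant is checked first, then every
 * subtenant the permissions helper reports for the user (the original javadoc
 * describes these as the subtenants in which the user holds TenantAdmin).
 *
 * NOTE(review): _dbClient.queryObject is not shown here to filter inactive
 * objects; confirm whether an inactive VirtualPool should count as accessible.
 *
 * @param vpoolId The VirtualPool id. Parsed with URI.create, so a malformed id
 *                propagates IllegalArgumentException.
 * @return true if the home tenant or one of the user's subtenants has a usage
 *         ACL on the VirtualPool; false if no tenant matches, or if the
 *         VirtualPool is not found in the database (logged at error level).
 */
private boolean userTenantHasPermissionForVirtualPool(String vpoolId) {
    VirtualPool vpool = _dbClient.queryObject(VirtualPool.class, URI.create(vpoolId));
    if (vpool == null) {
        _log.error("VirtualPool {} could not be found in the database", vpoolId);
        return false;
    }
    StorageOSUser user = getUserFromContext();
    URI tenantURI = URI.create(user.getTenantId());
    // Home tenant first: the common case and the cheapest check.
    if (_permissionsHelper.tenantHasUsageACL(tenantURI, vpool)) {
        _log.debug("Home tenant {} has usage ACL for VirtualPool {}", tenantURI, vpoolId);
        return true;
    }
    // Then each subtenant the user has access to. The debug line names the
    // subtenant that actually matched; the original logged the home tenant
    // here, which made the authorization trail misleading.
    for (String subtenantId : _permissionsHelper.getSubtenantsForUser(user)) {
        URI subtenantURI = URI.create(subtenantId);
        if (_permissionsHelper.tenantHasUsageACL(subtenantURI, vpool)) {
            _log.debug("Subtenant {} has usage ACL for VirtualPool {}", subtenantURI, vpoolId);
            return true;
        }
    }
    return false;
}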


the class VolumeGroupService method getVolumeGroups.

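/**
 * List volume groups.
 *
 * Authorization: a user holding SYSTEM_MONITOR, TENANT_ADMIN or SECURITY_ADMIN
 * (checked with a null tenant argument) receives every active volume group.
 * Any other user receives a volume group only when the tenant of the group's
 * first volume equals the user's home tenant. Two consequences worth knowing:
 * - a volume group with no volumes yet is listed for every tenant (by design,
 *   per the original code comment), so its name is visible across tenants;
 * - only the first volume is consulted, so the filter assumes every volume in
 *   a group belongs to the same tenant.
 *
 * @brief List all volume groups
 * @return A reference to VolumeGroupList.
 */
@GET
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public VolumeGroupList getVolumeGroups() {
    VolumeGroupList volumeGroupList = new VolumeGroupList();
    // Second argument requests active objects only.
    List<URI> ids = _dbClient.queryByType(VolumeGroup.class, true);
    Iterator<VolumeGroup> iter = _dbClient.queryIterativeObjects(VolumeGroup.class, ids);
    StorageOSUser user = getUserFromContext();
    boolean privileged = _permissionsHelper.userHasGivenRole(user, null,
            Role.SYSTEM_MONITOR, Role.TENANT_ADMIN, Role.SECURITY_ADMIN);
    if (privileged) {
        while (iter.hasNext()) {
            volumeGroupList.getVolumeGroups().add(toNamedRelatedResource(iter.next()));
        }
        return volumeGroupList;
    }
    log.info("checking tenant");
    // Otherwise, filter to the groups whose volumes belong to the user's home tenant.
    URI tenant = URI.create(user.getTenantId());
    while (iter.hasNext()) {
        VolumeGroup vg = iter.next();
        List<Volume> volumes = ControllerUtils.getVolumeGroupVolumes(_dbClient, vg);
        if (volumes == null || volumes.isEmpty()) {
            // No volume in the application yet: the application is visible to all tenants.
            volumeGroupList.getVolumeGroups().add(toNamedRelatedResource(vg));
            continue;
        }
        Volume firstVol = volumes.get(0);
        // Fail closed when the volume carries no tenant reference. The original
        // dereferenced getTenant() unguarded; if it can be null, that surfaced as
        // an NPE rather than as an excluded group.
        if (firstVol.getTenant() != null && tenant.equals(firstVol.getTenant().getURI())) {
            volumeGroupList.getVolumeGroups().add(toNamedRelatedResource(vg));
        }
    }
    return volumeGroupList;
}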


the class VolumeGroupService method getVolumeGroup.

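/**
 * List a volume group
 *
 * Authorization: a caller holding SYSTEM_MONITOR, TENANT_ADMIN or SECURITY_ADMIN
 * (checked with a null tenant argument) may view any volume group. Any other
 * caller may view a group only if it has no volumes, or if the tenant of the
 * group's first volume is the caller's home tenant; otherwise a forbidden
 * error is thrown. As in getVolumeGroups, only the first volume is consulted.
 *
 * @param id volume group Id
 * @brief Show details for a volume group
 * @return ApplicationRestRep
 * @throws APIException forbidden (insufficientPermissionsForUser) when a
 *         non-privileged caller's home tenant does not own the group's first
 *         volume; whatever ArgValidator/queryResource throw for a bad or unknown id.
 */
@GET
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}")
public VolumeGroupRestRep getVolumeGroup(@PathParam("id") URI id) {
    ArgValidator.checkFieldUriType(id, VolumeGroup.class, "id");
    VolumeGroup volumeGroup = (VolumeGroup) queryResource(id);
    StorageOSUser user = getUserFromContext();
    boolean privileged = _permissionsHelper.userHasGivenRole(user, null,
            Role.SYSTEM_MONITOR, Role.TENANT_ADMIN, Role.SECURITY_ADMIN);
    if (!privileged) {
        // Check that the application's tenant is the caller's tenant.
        List<Volume> volumes = ControllerUtils.getVolumeGroupVolumes(_dbClient, volumeGroup);
        if (volumes != null && !volumes.isEmpty()) {
            URI tenant = URI.create(user.getTenantId());
            Volume firstVol = volumes.get(0);
            // The original built the forbidden exception but never threw it, so
            // the tenant check had no effect in this method and a non-privileged
            // user could read any volume group (unless a check outside this
            // method covers it). The null guard fails closed if the volume carries
            // no tenant reference.
            if (firstVol.getTenant() == null || !tenant.equals(firstVol.getTenant().getURI())) {
                throw APIException.forbidden.insufficientPermissionsForUser(user.getName());
            }
        }
    }
    VolumeGroupRestRep resp = DbObjectMapper.map(volumeGroup);
    resp.setReplicationGroupNames(CopyVolumeGroupUtils.getReplicationGroupNames(volumeGroup, _dbClient));
    resp.setVirtualArrays(CopyVolumeGroupUtils.getVirtualArrays(volumeGroup, _dbClient));
    return resp;
}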


the class VirtualDataCenterService method blockRoot.

/**
 * Throws a forbidden error unless the caller is a StorageOSUser other than the
 * built-in root account (name compared case-insensitively against ROOT).
 *
 * @throws APIException forbidden with invalidSecurityContext when the security
 *         context's principal is not a StorageOSUser, or with
 *         insufficientPermissionsForUser(ROOT) when the caller is root.
 */
private void blockRoot() {
    Principal caller = sc.getUserPrincipal();
    if (!(caller instanceof StorageOSUser)) {
        throw APIException.forbidden.invalidSecurityContext();
    }
    String callerName = ((StorageOSUser) caller).getName();
    // Root is rejected whatever the letter case of the stored name.
    if (callerName.equalsIgnoreCase(ROOT)) {
        throw APIException.forbidden.insufficientPermissionsForUser(ROOT);
    }
}


the class AuthenticationResource method tryLogin.

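/**
 * See if the user is already logged in or try to login the user
 * if credentials were supplied. Return authentication status.
 *
 * With no usable credentials (none supplied, or tokenOnly set) the existing
 * user context is reused: its token and name are returned if present, and an
 * empty status otherwise. With credentials, the user is authenticated, the
 * local-user expiration is validated, a token is issued and the attempt is
 * audited (success against the user's tenant; failure with only the attempted
 * user name). Passwords are never logged or audited here.
 *
 * @param httpRequest the incoming request, from which credentials are read.
 * @param service currently unused in this method.
 * @param setCookie currently unused in this method.
 * @param servletResponse currently unused in this method.
 * @param tokenOnly false if either token or credentials can be used to attempt the login. True if only token is accepted.
 * @return LoginStatus of the user; its third field is true when credentials were supplied.
 * @throws UnsupportedEncodingException
 * @throws IOException
 * @throws IllegalStateException if the token manager returns no token for an authenticated user.
 */
private LoginStatus tryLogin(HttpServletRequest httpRequest, String service, boolean setCookie, HttpServletResponse servletResponse, boolean tokenOnly) throws UnsupportedEncodingException, IOException {
    String newToken = null;
    String userName = null;
    _log.debug("Logging in");
    UsernamePasswordCredentials credentials = tokenOnly ? null : getCredentials(httpRequest);
    if (credentials == null) {
        // No credentials accepted: check if we already have a user context.
        StorageOSUser user = getUserFromContext();
        if (user != null) {
            newToken = user.getToken();
            userName = user.getName();
            _log.debug("Logged in with user from context");
        }
    } else {
        StorageOSUserDAO user = authenticateUser(credentials);
        if (user != null) {
            validateLocalUserExpiration(credentials);
            newToken = _tokenManager.getToken(user);
            if (newToken == null) {
                _log.error("Could not generate token for user: {}", user.getUserName());
                // MessageFormat placeholders are numbered ({0}). The original used the
                // SLF4J-style "{}", which MessageFormat rejects with an
                // IllegalArgumentException, so the intended IllegalStateException and
                // message were never what the caller saw.
                throw new IllegalStateException(MessageFormat.format("Could not generate token for user: {0}", user.getUserName()));
            }
            userName = user.getUserName();
            // Successful authentication is audited against the user's tenant.
            auditOp(URI.create(user.getTenantId()), URI.create(user.getUserName()), OperationTypeEnum.AUTHENTICATION, true, null, credentials.getUserName());
        } else {
            // Failed attempt: audited with the attempted user name only.
            auditOp(null, null, OperationTypeEnum.AUTHENTICATION, false, null, credentials.getUserName());
        }
    }
    return new LoginStatus(userName, newToken, null != credentials);
}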
