
Example 1 with StorageOSPrincipal

use of com.emc.storageos.security.validator.StorageOSPrincipal in project coprhd-controller by CoprHD.

the class TenantsService method isValidMapping.

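/**
 * Validate the group entries of a user mapping.
 *
 * Every non-blank group is turned into a group principal and checked with
 * {@link Validator#isValidPrincipal}. A group whose label also exists as a
 * {@code UserGroup} in the mapping's domain is validated under its bare
 * label; any other group is validated as {@code group@domain}.
 *
 * Blank entries are logged and skipped, so a mapping that contains only
 * blank groups still validates; callers that must reject blank entries have
 * to check for them separately.
 *
 * @param userMapping
 *            mapping whose groups are validated; must not be null
 * @return True if every non-blank group is a valid principal, or the
 *         mapping has no groups; false as soon as one group fails validation
 */
public boolean isValidMapping(UserMapping userMapping) {
    if (CollectionUtils.isEmpty(userMapping.getGroups())) {
        return true;
    }
    String domain = userMapping.getDomain();
    for (String group : userMapping.getGroups()) {
        if (StringUtils.isBlank(group)) {
            _log.warn("Invalid group in the user mapping groups list");
            continue;
        }
        StorageOSPrincipal groupPrincipal = new StorageOSPrincipal();
        groupPrincipal.setType(StorageOSPrincipal.Type.Group);
        // Default to the "@domain" form; it is replaced by the bare label
        // below if the group turns out to be a UserGroup of this domain.
        groupPrincipal.setName(group + "@" + domain);
        List<UserGroup> userGroupList = _permissionsHelper.getAllUserGroupByLabel(group);
        if (!CollectionUtils.isEmpty(userGroupList)) {
            for (UserGroup userGroup : userGroupList) {
                // The mapping domain is the receiver of the comparison so a
                // UserGroup whose domain is unset yields "no match" instead
                // of a NullPointerException.
                if (userGroup != null && domain != null && domain.equalsIgnoreCase(userGroup.getDomain())) {
                    _log.debug("Group {} is considered as user group", group);
                    groupPrincipal.setName(group);
                }
            }
        }
        // Tenant argument is null: the group is validated without tenant scoping.
        if (!Validator.isValidPrincipal(groupPrincipal, null)) {
            return false;
        }
    }
    return true;
}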

Example 2 with StorageOSPrincipal

use of com.emc.storageos.security.validator.StorageOSPrincipal in project coprhd-controller by CoprHD.

the class ProjectService method updateProject.

/**
 * Update info for project including project name and owner
 *
 * A new name is applied only when it differs (case-insensitively) from the
 * current label and no file policy is assigned to the project. A new owner is
 * applied only when it differs from the current owner, is a valid user
 * principal in the project's tenant, and is not "root" in a multi-site (GEO)
 * deployment; the OWN ACL is then moved from the previous owner to the new one.
 * The project is persisted and the operation recorded on every call, even when
 * neither field changed.
 *
 * @param projectUpdate Project update parameters
 * @param id the URN of a ViPR Project
 * @prereq none
 * @brief Update project
 * @return No data returned in response body
 */
@PUT
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Path("/{id}")
@CheckPermission(roles = { Role.TENANT_ADMIN }, acls = { ACL.OWN })
public Response updateProject(@PathParam("id") URI id, ProjectUpdateParam projectUpdate) {
    Project project = getProjectById(id, true);

    String requestedName = projectUpdate.getName();
    boolean nameChanges = requestedName != null
            && !requestedName.isEmpty()
            && !project.getLabel().equalsIgnoreCase(requestedName);
    if (nameChanges) {
        renameProject(project, requestedName);
    }

    String requestedOwner = projectUpdate.getOwner();
    boolean ownerChanges = requestedOwner != null
            && !requestedOwner.isEmpty()
            && !requestedOwner.equalsIgnoreCase(project.getOwner());
    if (ownerChanges) {
        reassignOwner(project, requestedOwner);
    }

    _dbClient.updateAndReindexObject(project);
    recordOperation(OperationTypeEnum.UPDATE_PROJECT, true, project);
    return Response.ok().build();
}

/**
 * Applies a new label to the project and mirrors it onto the tenant NamedURI.
 *
 * @param project project being renamed
 * @param newName label to apply; already known to differ from the current one
 */
private void renameProject(Project project, String newName) {
    // A project that still has file policies assigned cannot be renamed.
    if (project.getFilePolicies() != null && !project.getFilePolicies().isEmpty()) {
        _log.error(String.format("Failed to update the name of project %s as a policy is assigned", project.getLabel()));
        throw APIException.badRequests.cannotUpdateProjectNameAssignedFilePolicy(project.getLabel());
    }
    checkForDuplicateName(newName, Project.class, project.getTenantOrg().getURI(), "tenantOrg", _dbClient);
    project.setLabel(newName);
    NamedURI tenant = project.getTenantOrg();
    if (tenant != null) {
        tenant.setName(newName);
        project.setTenantOrg(tenant);
    }
}

/**
 * Validates the requested owner and moves the OWN ACL from the current owner to it.
 *
 * @param project project whose owner changes
 * @param newOwner owner to assign; already known to differ from the current one
 */
private void reassignOwner(Project project, String newOwner) {
    URI tenantUri = project.getTenantOrg().getURI();

    StringBuilder error = new StringBuilder();
    StorageOSPrincipal candidate = new StorageOSPrincipal(newOwner, StorageOSPrincipal.Type.User);
    if (!Validator.isValidPrincipal(candidate, tenantUri, error)) {
        throw APIException.forbidden.specifiedOwnerIsNotValidForProjectTenant(error.toString());
    }

    // in GEO scenario, root can't be assigned as project owner
    boolean rootInGeo = newOwner.equalsIgnoreCase("root") && !VdcUtil.isLocalVdcSingleSite();
    if (rootInGeo) {
        throw APIException.forbidden.specifiedOwnerIsNotValidForProjectTenant("in GEO scenario, root can't be assigned as project owner");
    }

    // Move the OWN ACL: drop it from the previous owner, then grant it to the new one.
    String ownAcl = ACL.OWN.toString();
    String previousOwnerKey = new PermissionsKey(PermissionsKey.Type.SID, project.getOwner(), tenantUri).toString();
    project.removeAcl(previousOwnerKey, ownAcl);
    project.setOwner(newOwner);
    String newOwnerKey = new PermissionsKey(PermissionsKey.Type.SID, project.getOwner(), tenantUri).toString();
    project.addAcl(newOwnerKey, ownAcl);
}

Example 3 with StorageOSPrincipal

use of com.emc.storageos.security.validator.StorageOSPrincipal in project coprhd-controller by CoprHD.

the class CatalogACLInputFilter method getPermissionKeyForEntry.

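/**
 * Builds the permissions key for one catalog ACL entry.
 *
 * A group entry maps to a {@code GROUP} key and a subject entry to a
 * {@code SID} key, both scoped to {@code this.tenantId}; the group takes
 * precedence when both are present. An entry naming neither is rejected with
 * {@code APIException.badRequests.invalidEntryForCatalogServiceACL()}.
 *
 * The previous implementation also built a {@code StorageOSPrincipal} for the
 * entry but never read it; that dead local is removed here.
 * NOTE(review): that principal looked like the input for a
 * {@code Validator.isValidPrincipal} check that was never wired in — confirm
 * with the callers that ACL principals are validated before the key is stored.
 *
 * @param entry ACL entry carrying a group and/or a subject id
 * @return permissions key for the entry
 * @throws InternalException if the entry has neither a group nor a subject id
 */
@Override
protected PermissionsKey getPermissionKeyForEntry(ACLEntry entry) throws InternalException {
    String group = entry.getGroup();
    if (group != null) {
        return new PermissionsKey(PermissionsKey.Type.GROUP, group, this.tenantId);
    }
    String subjectId = entry.getSubjectId();
    if (subjectId != null) {
        return new PermissionsKey(PermissionsKey.Type.SID, subjectId, this.tenantId);
    }
    throw APIException.badRequests.invalidEntryForCatalogServiceACL();
}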

Example 4 with StorageOSPrincipal

use of com.emc.storageos.security.validator.StorageOSPrincipal in project coprhd-controller by CoprHD.

the class ACLUtils method isValidPrincipal.

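/**
 * Checks whether a role-assignment principal is valid for the current admin tenant.
 *
 * The principal's type is derived from {@code type} and the result comes from
 * {@link Validator#isValidPrincipal} against the tenant returned by
 * {@code Models.currentAdminTenant()} (assumed non-null; a null tenant would
 * make {@code URI.create} throw).
 *
 * A {@code type} that is neither {@code GROUP} nor {@code USER} — including
 * null — is reported as invalid instead of being validated with the
 * principal's type left unset, so an unrecognised assignment type fails
 * closed. If a further {@code RoleAssignmentType} value must be accepted,
 * extend the mapping below rather than relying on the default type.
 *
 * @param type kind of principal being assigned
 * @param name principal name to validate
 * @return true if the principal validates for the current admin tenant
 */
public static boolean isValidPrincipal(RoleAssignmentType type, String name) {
    StorageOSPrincipal principal = new StorageOSPrincipal();
    principal.setName(name);
    if (RoleAssignmentType.GROUP.equals(type)) {
        principal.setType(StorageOSPrincipal.Type.Group);
    } else if (RoleAssignmentType.USER.equals(type)) {
        principal.setType(StorageOSPrincipal.Type.User);
    } else {
        // Unknown or null assignment type: refuse rather than validate an untyped principal.
        return false;
    }
    String tenant = Models.currentAdminTenant();
    return Validator.isValidPrincipal(principal, URI.create(tenant));
}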
