Example 1 with DockerAuthorizationException

use of com.epam.pipeline.exception.docker.DockerAuthorizationException in project cloud-pipeline by epam.

From the class DockerRegistryManager, method issueTokenForDockerRegistry:

/**
 * Checks permissions for a requested docker registry and issues a valid JWT token
 * if the action is allowed. Otherwise a 401 code is returned to the registry. See the
 * documentation for details: https://docs.docker.com/registry/spec/auth/token/#requesting-a-token
 * @param userName  user requesting permission
 * @param token     provided by the docker client, should be a valid Cloud Pipeline token
 * @param dockerRegistryHost    id of the docker registry
 * @param scope     requested action in the format
 *                  'scope=repository:samalba/my-app:push,repository:samalba/my-test:push'
 * @return a signed JWT token carrying the validated claims for the registry
 */
public JwtRawToken issueTokenForDockerRegistry(String userName, String token, String dockerRegistryHost, String scope) {
    LOGGER.debug("Processing authorization request from registry {} for user {} and scope {}", dockerRegistryHost, userName, scope);
    // authenticate first: the Cloud Pipeline token must be valid for this user and registry
    UserContext user = dockerAuthService.verifyTokenForDocker(userName, token, dockerRegistryHost);
    DockerRegistry dockerRegistry = loadByNameOrId(dockerRegistryHost);
    if (dockerRegistry == null) {
        throw new DockerAuthorizationException(dockerRegistryHost, messageHelper.getMessage(MessageConstants.ERROR_REGISTRY_NOT_FOUND, dockerRegistryHost));
    }
    try {
        // authorize every requested claim against the ACL before anything is signed
        List<DockerRegistryClaim> claims = parseAndValidateScope(userName, dockerRegistry, scope);
        JwtRawToken jwtRawToken = dockerAuthService.issueDockerToken(user, dockerRegistryHost, claims);
        LOGGER.debug("Successfully issued JWT token for registry {} user {} and scope {}", dockerRegistry, userName, scope);
        return jwtRawToken;
    } catch (IllegalArgumentException e) {
        // malformed scope or unknown image: surface as an authorization failure (401 to the registry)
        throw new DockerAuthorizationException(dockerRegistryHost, e.getMessage());
    }
}

Example 2 with DockerAuthorizationException

use of com.epam.pipeline.exception.docker.DockerAuthorizationException in project cloud-pipeline by epam.

From the class DockerRegistryManager, method parseAndValidateScope:

// expected scope format: repository:group/image:push
private List<DockerRegistryClaim> parseAndValidateScope(String userName, DockerRegistry registry, String scope) {
    if (StringUtils.isBlank(scope)) {
        // an empty scope (e.g. a login request) needs read permission on the registry
        // itself or on at least one child in the registry tree
        if (!permissionManager.isActionAllowedForUser(registry, userName, AclPermission.READ)) {
            DockerRegistry fullTree = getDockerRegistryTree(registry.getId());
            permissionManager.filterTree(userName, fullTree, AclPermission.READ);
            if (CollectionUtils.isEmpty(fullTree.getChildren())) {
                throw new DockerAuthorizationException(registry.getPath(), messageHelper.getMessage(MessageConstants.ERROR_REGISTRY_IS_NOT_ALLOWED, userName, registry.getPath()));
            }
        }
        return Collections.emptyList();
    }
    List<DockerRegistryClaim> claims = DockerRegistryClaim.parseClaims(scope);
    claims.forEach(claim -> {
        // the permission check is made against the most specific entity that exists:
        // tool (image) -> tool group -> registry
        AbstractSecuredEntity entity = registry;
        List<Permission> permissions = claim.getRequestedPermissions();
        // only a WRITE (push) request may target an image that does not exist yet;
        // any other action requires the image to be registered as a tool
        boolean toolRequired = !permissions.contains(AclPermission.WRITE);
        try {
            ToolGroup toolGroup = toolGroupManager.loadToolGroupByImage(registry.getPath(), claim.getImageName());
            entity = toolGroup;
            Optional<Tool> tool = toolManager.loadToolInGroup(claim.getImageName(), toolGroup.getId());
            entity = tool.orElseThrow(() -> new IllegalArgumentException(messageHelper.getMessage(MessageConstants.ERROR_TOOL_IMAGE_UNAVAILABLE, claim.getImageName())));
        } catch (IllegalArgumentException e) {
            LOGGER.trace(e.getMessage(), e);
            if (toolRequired) {
                throw new IllegalArgumentException(messageHelper.getMessage(MessageConstants.ERROR_TOOL_IMAGE_UNAVAILABLE, claim.getImageName()));
            }
        }
        if (!permissionManager.isActionAllowedForUser(entity, userName, permissions)) {
            throw new DockerAuthorizationException(registry.getPath(), messageHelper.getMessage(MessageConstants.ERROR_REGISTRY_ACTION_IS_NOT_ALLOWED, scope, userName, registry.getPath()));
        }
    });
    return claims;
}
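The two methods above rely on DockerRegistryClaim.parseClaims and the ACL-backed permissionManager, neither of which is shown on this page. The following stand-alone Java class is an added example, not cloud-pipeline code: it models the same decision (parse the scope strictly, resolve the most specific entity, require an existing image unless push is requested, fail closed on anything unexpected) with a hypothetical ScopeClaim type and a constructed in-memory ACL, so the rules can be exercised without the project's services.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical model of the scope check; ScopeClaim and the ACL maps are assumptions for this example. */
public class DockerScopeAuthorizer {

    /** Actions a registry token scope may request. */
    public enum Action { PULL, PUSH, DELETE }

    /** One parsed scope entry, e.g. repository:group/image:push. */
    public static final class ScopeClaim {
        public final String imageName;
        public final Set<Action> actions;

        ScopeClaim(String imageName, Set<Action> actions) {
            this.imageName = imageName;
            this.actions = Collections.unmodifiableSet(actions);
        }
    }

    // Accepts both the space-separated form of the Docker token spec and the
    // comma-separated form shown in the javadoc above; actions are a comma list.
    private static final Pattern ENTRY = Pattern.compile(
            "repository:([^\\s:,]+):((?:pull|push|delete)(?:,(?:pull|push|delete))*)");
    private static final Pattern SEPARATORS = Pattern.compile("[,\\s]*");

    /** Strict parser: any text that is not a well-formed entry or a separator is rejected. */
    public static List<ScopeClaim> parseScope(String scope) {
        List<ScopeClaim> claims = new ArrayList<>();
        Matcher m = ENTRY.matcher(scope);
        int last = 0;
        while (m.find()) {
            if (!SEPARATORS.matcher(scope.substring(last, m.start())).matches()) {
                throw new IllegalArgumentException("Malformed scope near offset " + last);
            }
            Set<Action> actions = EnumSet.noneOf(Action.class);
            for (String a : m.group(2).split(",")) {
                actions.add(Action.valueOf(a.toUpperCase(Locale.ROOT)));
            }
            claims.add(new ScopeClaim(m.group(1), actions));
            last = m.end();
        }
        if (claims.isEmpty() || !SEPARATORS.matcher(scope.substring(last)).matches()) {
            throw new IllegalArgumentException("Malformed scope: " + scope);
        }
        return claims;
    }

    // Constructed ACLs (assumption): image name -> allowed actions, and group path -> allowed actions.
    private final Map<String, Set<Action>> imageAcl = new HashMap<>();
    private final Map<String, Set<Action>> groupAcl = new HashMap<>();

    public DockerScopeAuthorizer grantImage(String image, Action... actions) {
        imageAcl.computeIfAbsent(image, k -> EnumSet.noneOf(Action.class)).addAll(Arrays.asList(actions));
        return this;
    }

    public DockerScopeAuthorizer grantGroup(String group, Action... actions) {
        groupAcl.computeIfAbsent(group, k -> EnumSet.noneOf(Action.class)).addAll(Arrays.asList(actions));
        return this;
    }

    /**
     * Mirrors the rules of parseAndValidateScope: an image must already exist unless the
     * request includes push (a first push creates it), in which case the enclosing group's
     * permissions decide. Every requested action of every claim must be granted.
     */
    public boolean isAllowed(String scope) {
        for (ScopeClaim claim : parseScope(scope)) {
            Set<Action> granted = imageAcl.get(claim.imageName);
            if (granted == null) {
                if (!claim.actions.contains(Action.PUSH)) {
                    return false; // pull/delete of an unknown image: fail closed
                }
                int slash = claim.imageName.lastIndexOf('/');
                String group = slash < 0 ? "" : claim.imageName.substring(0, slash);
                granted = groupAcl.getOrDefault(group, Collections.emptySet());
            }
            if (!granted.containsAll(claim.actions)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        DockerScopeAuthorizer acl = new DockerScopeAuthorizer()
                .grantImage("samalba/my-app", Action.PULL)
                .grantGroup("samalba", Action.PUSH);
        System.out.println(acl.isAllowed("repository:samalba/my-app:pull"));            // true
        System.out.println(acl.isAllowed("repository:samalba/my-app:push"));            // false: image ACL lacks push
        System.out.println(acl.isAllowed("repository:samalba/new-image:push"));         // true: group allows first push
        System.out.println(acl.isAllowed("repository:samalba/new-image:pull"));         // false: unknown image, no push
        System.out.println(acl.isAllowed("repository:samalba/my-app:pull,repository:samalba/new-image:push")); // true
        try {
            acl.isAllowed("repository:samalba/my-app:push:extra");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());                          // malformed scope
        }
    }
}
```

Two design points carry over from the original: parsing happens before any permission lookup and rejects trailing garbage rather than ignoring it, and the only path that tolerates a missing image is a push request, which is then judged by the group the image would be created in. Everything else denies.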
