use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.
the class GrantPermissionManager method clearWriteExecutePermissions.
/**
 * Reduces the ACL of {@code entity} to its read-related bits and applies the same reduction to
 * every child and leaf when the entity is hierarchical.
 *
 * <p>Only ACEs for which {@code permissionsService.isPermissionSet(mask, READ)} holds are kept;
 * each survivor is re-inserted as a granting entry whose mask is cut down to
 * {@code READ | NO_READ}. Every other ACE is dropped by {@link #clearAces}, and the ACL is
 * persisted once through {@code aclService.updateAcl} before recursing.
 * NOTE(review): whether an ACE that carries only the NO_READ (deny) bit survives this filter
 * depends on how {@code isPermissionSet} treats the deny bit — confirm that explicit read
 * denials are not silently lost here.
 */
private void clearWriteExecutePermissions(AbstractSecuredEntity entity) {
    final int readRelatedBits = AclPermission.READ.getMask() | AclPermission.NO_READ.getMask();
    final MutableAcl acl = aclService.getOrCreateObjectIdentity(entity);

    // First pass: build the reduced replacements without touching the ACL yet.
    final List<AccessControlEntry> retained = new ArrayList<>();
    for (AccessControlEntry ace : acl.getEntries()) {
        final int mask = ace.getPermission().getMask();
        if (!permissionsService.isPermissionSet(mask, (AclPermission) AclPermission.READ)) {
            continue;
        }
        final Permission reduced = permissionFactory.buildFromMask(mask & readRelatedBits);
        retained.add(new AccessControlEntryImpl(ace.getId(), ace.getAcl(), ace.getSid(), reduced, true, false, false));
    }

    // Second pass: wipe the ACL and re-insert the survivors in their original relative order.
    clearAces(acl);
    int position = 0;
    for (AccessControlEntry ace : retained) {
        acl.insertAce(position++, ace.getPermission(), ace.getSid(), true);
    }
    aclService.updateAcl(acl);

    if (entity instanceof AbstractHierarchicalEntity) {
        final AbstractHierarchicalEntity tree = (AbstractHierarchicalEntity) entity;
        if (!CollectionUtils.isEmpty(tree.getChildren())) {
            tree.getChildren().forEach(this::clearWriteExecutePermissions);
        }
        if (!CollectionUtils.isEmpty(tree.getLeaves())) {
            tree.getLeaves().forEach(this::clearWriteExecutePermissions);
        }
    }
}
use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.
the class PermissionsService method mergeMask.
/**
 * Collapses an extended ACL mask (separate grant and deny bits) into a simple mask.
 *
 * <p>For each of {@code basicPermissions}, the permission's simple bit is set in the result only
 * when its granting bit is present in {@code extendedMask} and its deny bit is not. The OWNER
 * simple bit is added whenever the OWNER bit is present in {@code extendedMask}.
 *
 * @param extendedMask     mask holding grant/deny bits as produced by the ACL layer
 * @param basicPermissions permissions whose simple bits may appear in the result
 * @return the merged simple mask
 */
public Integer mergeMask(int extendedMask, List<AclPermission> basicPermissions) {
    int simpleMask = 0;
    for (AclPermission permission : basicPermissions) {
        final int grantBit = permission.getMask();
        final int denyBit = permission.getDenyPermission().getMask();
        // A deny bit always wins over the matching grant bit.
        if (isMaskBitSet(extendedMask, grantBit) && !isMaskBitSet(extendedMask, denyBit)) {
            simpleMask |= permission.getSimpleMask();
        }
    }
    if (isMaskBitSet(extendedMask, AclPermission.OWNER.getMask())) {
        simpleMask |= ((AclPermission) AclPermission.OWNER).getSimpleMask();
    }
    return simpleMask;
}
use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.
the class AclTestDao method grantPermissions.
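/**
 * Grants {@code permissions} on {@code entity} to the principal {@code userName}, creating the
 * ACL SID and the object identity rows when they do not exist yet. Each permission becomes one
 * ACL entry appended after the current highest order. Must be called inside an existing
 * transaction ({@code Propagation.MANDATORY}).
 *
 * @param entity      secured entity whose ACL receives the new entries
 * @param userName    principal the entries are granted to
 * @param permissions permissions to add; {@code isGranting()} decides grant vs. deny per entry
 */
@Transactional(propagation = Propagation.MANDATORY)
public void grantPermissions(AbstractSecuredEntity entity, String userName, List<AclPermission> permissions) {
    // The SID is looked up by userName, so a missing SID must be created for that same
    // principal. Previously it was created for entity.getOwner(), which silently granted the
    // permissions to the owner whenever userName differed from it.
    final AclSid sid = loadAclSid(userName).orElseGet(() -> {
        AclSid created = new AclSid(true, userName);
        createAclSid(created);
        return created;
    });
    final AclObjectIdentity identity = loadAclObjectIdentity(entity.getId())
            .orElseGet(() -> createAclForObject(entity).getRight());
    // Append after the highest existing order; an ACL without entries starts at 1.
    int nextOrder = loadAclEntries(identity.getId()).stream()
            .map(AclEntry::getOrder)
            .max(Comparator.naturalOrder())
            .orElse(0) + 1;
    for (AclPermission permission : permissions) {
        createAclEntry(new AclTestDao.AclEntry(identity, nextOrder++, sid, permission.getMask(), permission.isGranting()));
    }
}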
use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.
the class PipelineConfigurationManagerTest method setUp.
/**
 * Persists the fixture used by every test in this class: one registry, one tool group, one
 * tool, and four data storages (two per owner), each with an ACL; finally grants READ on the
 * last NFS storage to {@code TEST_OWNER1}.
 *
 * <p>Order matters: ids are created by the DAOs and referenced by the entities persisted next.
 */
@Before
public void setUp() throws Exception {
// Registry -> tool group -> tool, each linked by the id assigned on creation.
registry = new DockerRegistry();
registry.setPath(TEST_REPO);
registry.setOwner(TEST_USER);
dockerRegistryDao.createDockerRegistry(registry);
library = new ToolGroup();
library.setName(TOOL_GROUP_NAME);
library.setRegistryId(registry.getId());
library.setOwner(TEST_USER);
toolGroupDao.createToolGroup(library);
tool = new Tool();
tool.setImage(TEST_IMAGE);
tool.setRam(TEST_RAM);
tool.setCpu(TEST_CPU);
tool.setOwner(TEST_USER);
tool.setRegistryId(registry.getId());
tool.setToolGroupId(library.getId());
toolDao.createTool(tool);
// Data storages of user 1
NFSDataStorage dataStorage = new NFSDataStorage(dataStorageDao.createDataStorageId(), "testNFS", "test/path1");
dataStorage.setMountOptions("testMountOptions1");
// Only this storage gets an explicit mount point.
dataStorage.setMountPoint("/some/other/path");
dataStorage.setOwner(TEST_OWNER1);
dataStorageDao.createDataStorage(dataStorage);
dataStorages.add(dataStorage);
S3bucketDataStorage bucketDataStorage = new S3bucketDataStorage(dataStorageDao.createDataStorageId(), "testBucket", "test/path2");
bucketDataStorage.setOwner(TEST_OWNER1);
dataStorageDao.createDataStorage(bucketDataStorage);
dataStorages.add(bucketDataStorage);
// Data storages of user 2
// Note: the variables are reassigned here, so `dataStorage` below refers to "testNFS2".
dataStorage = new NFSDataStorage(dataStorageDao.createDataStorageId(), "testNFS2", "test/path3");
dataStorage.setMountOptions("testMountOptions2");
dataStorage.setOwner(TEST_OWNER2);
dataStorageDao.createDataStorage(dataStorage);
dataStorages.add(dataStorage);
bucketDataStorage = new S3bucketDataStorage(dataStorageDao.createDataStorageId(), "testBucket2", "test/path4");
bucketDataStorage.setOwner(TEST_OWNER2);
dataStorageDao.createDataStorage(bucketDataStorage);
dataStorages.add(bucketDataStorage);
// Every storage gets an ACL object identity before any permission is granted.
dataStorages.forEach(ds -> aclTestDao.createAclForObject(ds));
// Cross-owner grant: READ on "testNFS2" (owned by TEST_OWNER2) is given to TEST_OWNER1.
aclTestDao.grantPermissions(dataStorage, TEST_OWNER1, Collections.singletonList((AclPermission) AclPermission.READ));
}
use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.
the class GrantPermissionManager method childrenFolderPermission.
/**
 * Checks whether filtering the folder tree under {@code id} by the permission named
 * {@code permissionName} leaves it unchanged, i.e. no child folder or item is removed by
 * {@link #filterTree}.
 *
 * @param id             id of the root folder to inspect
 * @param permissionName name resolved through {@code AclPermission.getAclPermissionByName}
 * @return {@code true} when the filtered tree still matches the unfiltered copy
 */
public boolean childrenFolderPermission(Long id, String permissionName) {
    final Folder filtered = folderManager.load(id);
    // Snapshot before filtering so the two trees can be compared afterwards.
    final Folder unfiltered = filtered.copy();
    final AclPermission permission = AclPermission.getAclPermissionByName(permissionName);
    filterTree(filtered, permission);
    return checkEntityTreeWasNotFilter(unfiltered, filtered, permission);
}