Example 1 with AclPermission

Use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.

Class GrantPermissionManager, method clearWriteExecutePermissions.

// Strips every WRITE/EXECUTE bit from the entity's ACL so that only READ and
// NO_READ decisions survive, then recurses into the entity's subtree so that
// the whole hierarchy is tightened consistently.
private void clearWriteExecutePermissions(AbstractSecuredEntity entity) {
    // Bits that are allowed to survive: READ and its explicit denial NO_READ.
    int readBits = AclPermission.READ.getMask() | AclPermission.NO_READ.getMask();
    MutableAcl acl = aclService.getOrCreateObjectIdentity(entity);
    List<AccessControlEntry> newAces = new ArrayList<>();
    List<AccessControlEntry> aces = acl.getEntries();
    for (int i = 0; i < aces.size(); i++) {
        AccessControlEntry ace = aces.get(i);
        // Only entries that carry a READ decision are kept; entries that grant
        // nothing but WRITE/EXECUTE are dropped entirely.
        if (permissionsService.isPermissionSet(ace.getPermission().getMask(), (AclPermission) AclPermission.READ)) {
            // Mask the entry down to its READ/NO_READ bits.
            Permission updated = permissionFactory.buildFromMask(ace.getPermission().getMask() & readBits);
            AccessControlEntry newAce = new AccessControlEntryImpl(ace.getId(), ace.getAcl(), ace.getSid(), updated, true, false, false);
            newAces.add(newAce);
        }
    }
    // Rebuild the ACL from scratch with the reduced entries, preserving order.
    clearAces(acl);
    for (int i = 0; i < newAces.size(); i++) {
        AccessControlEntry newAce = newAces.get(i);
        acl.insertAce(i, newAce.getPermission(), newAce.getSid(), true);
    }
    aclService.updateAcl(acl);
    // Apply the same reduction to every child and leaf of a hierarchical entity.
    if (entity instanceof AbstractHierarchicalEntity) {
        AbstractHierarchicalEntity tree = (AbstractHierarchicalEntity) entity;
        if (!CollectionUtils.isEmpty(tree.getChildren())) {
            tree.getChildren().forEach(this::clearWriteExecutePermissions);
        }
        if (!CollectionUtils.isEmpty(tree.getLeaves())) {
            tree.getLeaves().forEach(this::clearWriteExecutePermissions);
        }
    }
}
Also used: AccessControlEntryImpl (org.springframework.security.acls.domain.AccessControlEntryImpl), ArrayList (java.util.ArrayList), AclPermission (com.epam.pipeline.security.acl.AclPermission), EntityPermission (com.epam.pipeline.entity.security.acl.EntityPermission), Permission (org.springframework.security.acls.model.Permission), AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry), MutableAcl (org.springframework.security.acls.model.MutableAcl), AbstractHierarchicalEntity (com.epam.pipeline.entity.AbstractHierarchicalEntity)

Example 2 with AclPermission

Use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.

Class PermissionsService, method mergeMask.

// Collapses an extended mask (separate granting and denying bits per permission)
// into a simple mask: a basic permission is present only when its grant bit is
// set and its deny bit is not, so an explicit denial always wins over a grant.
public Integer mergeMask(int extendedMask, List<AclPermission> basicPermissions) {
    int result = 0;
    for (AclPermission p : basicPermissions) {
        int grantingMask = p.getMask();
        int denyingMask = p.getDenyPermission().getMask();
        if (isMaskBitSet(extendedMask, grantingMask) && !isMaskBitSet(extendedMask, denyingMask)) {
            result = result | p.getSimpleMask();
        }
    }
    // OWNER has no deny counterpart and is carried over whenever it is set.
    if (isMaskBitSet(extendedMask, AclPermission.OWNER.getMask())) {
        AclPermission ownerPermission = (AclPermission) AclPermission.OWNER;
        result = result | ownerPermission.getSimpleMask();
    }
    return result;
}
Also used: AclPermission (com.epam.pipeline.security.acl.AclPermission)

Example 3 with AclPermission

Use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.

Class AclTestDao, method grantPermissions.

// Test helper: inserts one ACL entry per requested permission for the given user,
// creating the SID and the object identity when they do not exist yet.
@Transactional(propagation = Propagation.MANDATORY)
public void grantPermissions(AbstractSecuredEntity entity, String userName, List<AclPermission> permissions) {
    Optional<AclSid> existingSid = loadAclSid(userName);
    AclSid sid = existingSid.orElseGet(() -> {
        AclSid newSid = new AclSid(true, entity.getOwner());
        createAclSid(newSid);
        return newSid;
    });
    Optional<AclObjectIdentity> existingIdentity = loadAclObjectIdentity(entity.getId());
    AclObjectIdentity identity = existingIdentity.orElseGet(() -> createAclForObject(entity).getRight());
    // New entries are appended after the highest existing order value.
    int maxOrder = loadAclEntries(identity.getId()).stream().map(AclEntry::getOrder).max(Comparator.naturalOrder()).orElse(0) + 1;
    for (AclPermission p : permissions) {
        AclTestDao.AclEntry groupAclEntry = new AclTestDao.AclEntry(identity, maxOrder++, sid, p.getMask(), p.isGranting());
        createAclEntry(groupAclEntry);
    }
}
Also used: AclPermission (com.epam.pipeline.security.acl.AclPermission), Transactional (org.springframework.transaction.annotation.Transactional)

Example 4 with AclPermission

Use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.

Class PipelineConfigurationManagerTest, method setUp.

@Before
public void setUp() throws Exception {
    registry = new DockerRegistry();
    registry.setPath(TEST_REPO);
    registry.setOwner(TEST_USER);
    dockerRegistryDao.createDockerRegistry(registry);
    library = new ToolGroup();
    library.setName(TOOL_GROUP_NAME);
    library.setRegistryId(registry.getId());
    library.setOwner(TEST_USER);
    toolGroupDao.createToolGroup(library);
    tool = new Tool();
    tool.setImage(TEST_IMAGE);
    tool.setRam(TEST_RAM);
    tool.setCpu(TEST_CPU);
    tool.setOwner(TEST_USER);
    tool.setRegistryId(registry.getId());
    tool.setToolGroupId(library.getId());
    toolDao.createTool(tool);
    // Data storages of user 1
    NFSDataStorage dataStorage = new NFSDataStorage(dataStorageDao.createDataStorageId(), "testNFS", "test/path1");
    dataStorage.setMountOptions("testMountOptions1");
    dataStorage.setMountPoint("/some/other/path");
    dataStorage.setOwner(TEST_OWNER1);
    dataStorageDao.createDataStorage(dataStorage);
    dataStorages.add(dataStorage);
    S3bucketDataStorage bucketDataStorage = new S3bucketDataStorage(dataStorageDao.createDataStorageId(), "testBucket", "test/path2");
    bucketDataStorage.setOwner(TEST_OWNER1);
    dataStorageDao.createDataStorage(bucketDataStorage);
    dataStorages.add(bucketDataStorage);
    // Data storages of user 2
    dataStorage = new NFSDataStorage(dataStorageDao.createDataStorageId(), "testNFS2", "test/path3");
    dataStorage.setMountOptions("testMountOptions2");
    dataStorage.setOwner(TEST_OWNER2);
    dataStorageDao.createDataStorage(dataStorage);
    dataStorages.add(dataStorage);
    bucketDataStorage = new S3bucketDataStorage(dataStorageDao.createDataStorageId(), "testBucket2", "test/path4");
    bucketDataStorage.setOwner(TEST_OWNER2);
    dataStorageDao.createDataStorage(bucketDataStorage);
    dataStorages.add(bucketDataStorage);
    dataStorages.forEach(ds -> aclTestDao.createAclForObject(ds));
    aclTestDao.grantPermissions(dataStorage, TEST_OWNER1, Collections.singletonList((AclPermission) AclPermission.READ));
}
Also used: DockerRegistry (com.epam.pipeline.entity.pipeline.DockerRegistry), AclPermission (com.epam.pipeline.security.acl.AclPermission), ToolGroup (com.epam.pipeline.entity.pipeline.ToolGroup), NFSDataStorage (com.epam.pipeline.entity.datastorage.nfs.NFSDataStorage), S3bucketDataStorage (com.epam.pipeline.entity.datastorage.aws.S3bucketDataStorage), Tool (com.epam.pipeline.entity.pipeline.Tool), Before (org.junit.Before)

Example 5 with AclPermission

Use of com.epam.pipeline.security.acl.AclPermission in project cloud-pipeline by epam.

Class GrantPermissionManager, method childrenFolderPermission.

// Returns true only if the named permission holds for the folder's entire subtree:
// the tree is filtered by the permission and compared against an unfiltered copy,
// so any child that would be removed by the filter makes the check fail.
public boolean childrenFolderPermission(Long id, String permissionName) {
    Folder folder = folderManager.load(id);
    Folder initialFolder = folder.copy();
    AclPermission aclPermission = AclPermission.getAclPermissionByName(permissionName);
    filterTree(folder, aclPermission);
    return checkEntityTreeWasNotFilter(initialFolder, folder, aclPermission);
}
Also used: AclPermission (com.epam.pipeline.security.acl.AclPermission), Folder (com.epam.pipeline.entity.pipeline.Folder)

Aggregations (type, with number of usages across the examples above)

AclPermission (com.epam.pipeline.security.acl.AclPermission) 7
EntityPermission (com.epam.pipeline.entity.security.acl.EntityPermission) 2
AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry) 2
MutableAcl (org.springframework.security.acls.model.MutableAcl) 2
Permission (org.springframework.security.acls.model.Permission) 2
AbstractHierarchicalEntity (com.epam.pipeline.entity.AbstractHierarchicalEntity) 1
S3bucketDataStorage (com.epam.pipeline.entity.datastorage.aws.S3bucketDataStorage) 1
NFSDataStorage (com.epam.pipeline.entity.datastorage.nfs.NFSDataStorage) 1
DockerRegistry (com.epam.pipeline.entity.pipeline.DockerRegistry) 1
Folder (com.epam.pipeline.entity.pipeline.Folder) 1
Tool (com.epam.pipeline.entity.pipeline.Tool) 1
ToolGroup (com.epam.pipeline.entity.pipeline.ToolGroup) 1
AclSid (com.epam.pipeline.entity.security.acl.AclSid) 1
ArrayList (java.util.ArrayList) 1
Before (org.junit.Before) 1
AccessControlEntryImpl (org.springframework.security.acls.domain.AccessControlEntryImpl) 1
GrantedAuthoritySid (org.springframework.security.acls.domain.GrantedAuthoritySid) 1
PrincipalSid (org.springframework.security.acls.domain.PrincipalSid) 1
Acl (org.springframework.security.acls.model.Acl) 1
Sid (org.springframework.security.acls.model.Sid) 1