Example 6 with AclPermission

Use of com.epam.pipeline.security.acl.AclPermission in the cloud-pipeline project by epam.

Class GrantPermissionManager, method retrieveMaskForSid (resolves the effective permission mask of an entity for a set of SIDs, falling back to the parent's ACL when the entity has none of its own):

private Integer retrieveMaskForSid(AbstractSecuredEntity entity, boolean merge, boolean includeInherited, List<Sid> sids) {
    Acl child = aclService.getAcl(entity);
    // check ownership: the owner of an entity without its own ACL gets every permission
    if (child == null && permissionsHelper.isOwner(entity)) {
        return merge ? AbstractSecuredEntity.ALL_PERMISSIONS_MASK : AbstractSecuredEntity.ALL_PERMISSIONS_MASK_FULL;
    }
    // no ACL and nothing to inherit from: no permissions at all
    if (child == null && entity.getParent() == null) {
        LOGGER.debug("Object is not registered in ACL {} {}", entity.getAclClass(), entity.getId());
        return 0;
    }
    // get parent ACL when the entity itself is not registered
    Acl acl = child == null ? aclService.getAcl(entity.getParent()) : child;
    // the ACL owner (one of the requested SIDs) also gets every permission
    if (sids.stream().anyMatch(sid -> acl.getOwner().equals(sid))) {
        return merge ? AbstractSecuredEntity.ALL_PERMISSIONS_MASK : AbstractSecuredEntity.ALL_PERMISSIONS_MASK_FULL;
    }
    // otherwise walk the ACEs (and optionally the parent chain) and collect grant/deny bits
    List<AclPermission> basicPermissions = permissionsService.getBasicPermissions();
    int extendedMask = collectPermissions(0, acl, sids, basicPermissions, includeInherited);
    return merge ? permissionsService.mergeMask(extendedMask, basicPermissions) : extendedMask;
}
Also used: AclPermission (com.epam.pipeline.security.acl.AclPermission), MutableAcl (org.springframework.security.acls.model.MutableAcl), Acl (org.springframework.security.acls.model.Acl)

Example 7 with AclPermission

Use of com.epam.pipeline.security.acl.AclPermission in the cloud-pipeline project by epam.

Class GrantPermissionManager, method collectPermissions (accumulates grant and deny bits for the given SIDs from an ACL's entries, recursing into the parent ACL when entries are inherited):

private int collectPermissions(int mask, Acl acl, List<Sid> sids, List<AclPermission> permissionToCollect, boolean includeInherited) {
    // nothing left to resolve: every requested permission already has a bit in the mask
    if (permissionsService.allPermissionsSet(mask, permissionToCollect)) {
        return mask;
    }
    int currentMask = mask;
    final List<AccessControlEntry> aces = acl.getEntries();
    for (Sid sid : sids) {
        // Attempt to find exact match for this permission mask and SID
        for (AccessControlEntry ace : aces) {
            if (ace.getSid().equals(sid)) {
                Permission permission = ace.getPermission();
                for (AclPermission p : permissionToCollect) {
                    // only permissions not yet decided (neither granted nor denied) are considered
                    if (!permissionsService.isPermissionSet(currentMask, p)) {
                        // try to set granting mask
                        currentMask = currentMask | (permission.getMask() & p.getMask());
                        if (!permissionsService.isPermissionSet(currentMask, p)) {
                            // try to set denying mask
                            currentMask = currentMask | (permission.getMask() & p.getDenyPermission().getMask());
                        }
                    }
                }
            }
        }
    }
    if (permissionsService.allPermissionsSet(currentMask, permissionToCollect)) {
        return currentMask;
    }
    // No matches have been found so far
    if (includeInherited && acl.isEntriesInheriting() && (acl.getParentAcl() != null)) {
        // We have a parent, so let them try to find a matching ACE
        return collectPermissions(currentMask, acl.getParentAcl(), sids, permissionToCollect, includeInherited);
    } else {
        return currentMask;
    }
}
Also used: AclPermission (com.epam.pipeline.security.acl.AclPermission), EntityPermission (com.epam.pipeline.entity.security.acl.EntityPermission), Permission (org.springframework.security.acls.model.Permission), AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry), Sid (org.springframework.security.acls.model.Sid), GrantedAuthoritySid (org.springframework.security.acls.domain.GrantedAuthoritySid), PrincipalSid (org.springframework.security.acls.domain.PrincipalSid), AclSid (com.epam.pipeline.entity.security.acl.AclSid)
