Example 1 with Account

Use of com.netflix.spinnaker.fiat.model.resources.Account in project fiat by spinnaker.

The class FiatPermissionEvaluator, method permissionContains.

```java
// Imports this method depends on (the enclosing FiatPermissionEvaluator class is
// annotated with Lombok's @Slf4j, which supplies the `log` field used below).
import com.netflix.spinnaker.fiat.model.Authorization;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.Account;
import com.netflix.spinnaker.fiat.model.resources.Authorizable;
import com.netflix.spinnaker.fiat.model.resources.ResourceType;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import lombok.val;

private boolean permissionContains(UserPermission.View permission, String resourceName, ResourceType resourceType, Authorization authorization) {
    if (permission == null) {
        return false;
    }
    if (permission.isAdmin()) {
        // grant access regardless of whether an explicit permission to the resource exists
        return true;
    }
    // True when some resource view in the set matches the name (case-insensitively)
    // and carries the requested authorization; a null authorization set counts as empty.
    Function<Set<? extends Authorizable>, Boolean> containsAuth = resources -> resources.stream().anyMatch(view -> {
        Set<Authorization> authorizations = Optional.ofNullable(view.getAuthorizations()).orElse(Collections.emptySet());
        return view.getName().equalsIgnoreCase(resourceName) && authorizations.contains(authorization);
    });
    if (resourceType.equals(ResourceType.ACCOUNT)) {
        boolean authorized = containsAuth.apply(permission.getAccounts());
        // Todo(jonsie): Debug transitory access denied issue, remove when not necessary
        if (!authorized) {
            Map<String, Set<Authorization>> accounts = permission.getAccounts().stream().collect(Collectors.toMap(Account.View::getName, Account.View::getAuthorizations));
            log.debug("Authorization={} denied to account={} for user permission={}, found={}", authorization.toString(), resourceName, permission.getName(), accounts.toString());
        }
        return authorized;
    } else if (resourceType.equals(ResourceType.APPLICATION)) {
        boolean applicationHasPermissions = permission.getApplications().stream().anyMatch(a -> a.getName().equalsIgnoreCase(resourceName));
        if (!applicationHasPermissions && permission.isAllowAccessToUnknownApplications()) {
            // allow access to any applications w/o explicit permissions
            return true;
        }
        // legacy fallback grants every authorization on a known application
        return permission.isLegacyFallback() || containsAuth.apply(permission.getApplications());
    } else if (resourceType.equals(ResourceType.SERVICE_ACCOUNT)) {
        // service accounts are matched by name only; the requested authorization is not checked
        return permission.getServiceAccounts().stream().anyMatch(view -> view.getName().equalsIgnoreCase(resourceName));
    } else if (resourceType.equals(ResourceType.BUILD_SERVICE)) {
        return permission.isLegacyFallback() || containsAuth.apply(permission.getBuildServices());
    } else if (permission.getExtensionResources() != null && permission.getExtensionResources().containsKey(resourceType)) {
        val extensionResources = permission.getExtensionResources().get(resourceType);
        return permission.isLegacyFallback() || containsAuth.apply(extensionResources);
    } else {
        return false;
    }
}
```
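The decision rules above are easiest to see with concrete inputs. The following is an added, self-contained Java example that is not part of Fiat; it uses hypothetical stand-in types (`PermissionView`, `ResourceView`, the local `Authorization` and `ResourceType` enums) instead of Fiat's model classes, and reimplements only the ACCOUNT and APPLICATION branches so the effect of the `admin`, `legacyFallback` and `allowAccessToUnknownApplications` flags can be checked in isolation.

```java
import java.util.Set;

// Hypothetical, simplified model; not Fiat's own classes.
public class PermissionCheckDemo {
    enum Authorization { READ, WRITE, EXECUTE, CREATE }
    enum ResourceType { ACCOUNT, APPLICATION }

    // A named resource together with the authorizations the user holds on it.
    record ResourceView(String name, Set<Authorization> authorizations) {}

    // Stand-in for UserPermission.View: only the fields that drive the decision.
    record PermissionView(String userName, boolean admin, boolean legacyFallback,
                          boolean allowAccessToUnknownApplications,
                          Set<ResourceView> accounts, Set<ResourceView> applications) {}

    // Mirrors the containsAuth lambda: case-insensitive name match plus the requested authorization.
    static boolean containsAuth(Set<ResourceView> resources, String resourceName, Authorization authorization) {
        return resources.stream().anyMatch(v ->
            v.name().equalsIgnoreCase(resourceName)
                && v.authorizations() != null
                && v.authorizations().contains(authorization));
    }

    static boolean permissionContains(PermissionView permission, String resourceName,
                                      ResourceType resourceType, Authorization authorization) {
        if (permission == null) {
            return false;
        }
        if (permission.admin()) {
            return true; // admins bypass every per-resource check
        }
        switch (resourceType) {
            case ACCOUNT: {
                // Accounts never fall open: an explicit authorization is required.
                return containsAuth(permission.accounts(), resourceName, authorization);
            }
            case APPLICATION: {
                boolean known = permission.applications().stream()
                    .anyMatch(a -> a.name().equalsIgnoreCase(resourceName));
                if (!known && permission.allowAccessToUnknownApplications()) {
                    return true; // unknown application, and the deployment opted to allow it
                }
                // legacyFallback grants any authorization on a known application
                return permission.legacyFallback()
                    || containsAuth(permission.applications(), resourceName, authorization);
            }
            default:
                return false;
        }
    }

    static void show(String label, boolean decision) {
        System.out.printf("%-60s -> %s%n", label, decision ? "GRANT" : "DENY");
    }

    public static void main(String[] args) {
        // Constructed sample data: one account with READ only, one application with READ only.
        Set<ResourceView> accounts = Set.of(new ResourceView("prod", Set.of(Authorization.READ)));
        Set<ResourceView> apps = Set.of(new ResourceView("billing", Set.of(Authorization.READ)));

        PermissionView strict = new PermissionView("alice", false, false, false, accounts, apps);
        PermissionView legacy = new PermissionView("bob", false, true, false, accounts, apps);
        PermissionView openUnknown = new PermissionView("carol", false, false, true, accounts, apps);
        PermissionView admin = new PermissionView("root", true, false, false, Set.of(), Set.of());

        show("strict: READ on account prod", permissionContains(strict, "PROD", ResourceType.ACCOUNT, Authorization.READ));
        show("strict: WRITE on account prod", permissionContains(strict, "prod", ResourceType.ACCOUNT, Authorization.WRITE));
        show("strict: WRITE on app billing", permissionContains(strict, "billing", ResourceType.APPLICATION, Authorization.WRITE));
        show("strict: READ on unknown app payroll", permissionContains(strict, "payroll", ResourceType.APPLICATION, Authorization.READ));
        show("legacyFallback: WRITE on app billing", permissionContains(legacy, "billing", ResourceType.APPLICATION, Authorization.WRITE));
        show("legacyFallback: WRITE on account prod", permissionContains(legacy, "prod", ResourceType.ACCOUNT, Authorization.WRITE));
        show("allowUnknownApps: WRITE on unknown app payroll", permissionContains(openUnknown, "payroll", ResourceType.APPLICATION, Authorization.WRITE));
        show("allowUnknownApps: WRITE on known app billing", permissionContains(openUnknown, "billing", ResourceType.APPLICATION, Authorization.WRITE));
        show("admin: WRITE on account prod with no explicit grants", permissionContains(admin, "prod", ResourceType.ACCOUNT, Authorization.WRITE));
        show("null permission", permissionContains(null, "prod", ResourceType.ACCOUNT, Authorization.READ));
    }
}
```

Running the demo prints GRANT for the first, fifth, seventh and ninth lines and DENY for the rest, which makes the two fail-open paths visible: `legacyFallback` turns a READ-only grant on a known application into any authorization on it, and `allowAccessToUnknownApplications` grants everything on applications that have no permissions at all while still denying WRITE on the known, READ-only one. Account checks never fall open under either flag, so when reviewing a Fiat deployment these two settings are the ones to audit first.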
Also used in FiatPermissionEvaluator: Arrays (java.util.Arrays), Authorizable (com.netflix.spinnaker.fiat.model.resources.Authorizable), AtomicBoolean (java.util.concurrent.atomic.AtomicBoolean), Autowired (org.springframework.beans.factory.annotation.Autowired), Callable (java.util.concurrent.Callable), ExponentialBackOff (org.springframework.util.backoff.ExponentialBackOff), Cache (com.github.benmanes.caffeine.cache.Cache), Id (com.netflix.spectator.api.Id), AtomicReference (java.util.concurrent.atomic.AtomicReference), Function (java.util.function.Function), StringUtils (org.apache.commons.lang3.StringUtils), Map (java.util.Map), UserDetails (org.springframework.security.core.userdetails.UserDetails), SecurityContextHolder (org.springframework.security.core.context.SecurityContextHolder), Nonnull (javax.annotation.Nonnull), Caffeine (com.github.benmanes.caffeine.cache.Caffeine), AuthenticatedRequest (com.netflix.spinnaker.security.AuthenticatedRequest), BackOffExecution (org.springframework.util.backoff.BackOffExecution), val (lombok.val), ResourceType (com.netflix.spinnaker.fiat.model.resources.ResourceType), Set (java.util.Set), PermissionEvaluator (org.springframework.security.access.PermissionEvaluator), Collectors (java.util.stream.Collectors), Serializable (java.io.Serializable), TimeUnit (java.util.concurrent.TimeUnit), HttpStatus (org.springframework.http.HttpStatus), Slf4j (lombok.extern.slf4j.Slf4j), Component (org.springframework.stereotype.Component), CaffeineStatsCounter (com.netflix.spinnaker.kork.telemetry.caffeine.CaffeineStatsCounter), RetrofitError (retrofit.RetrofitError), IntegrationException (com.netflix.spinnaker.kork.exceptions.IntegrationException), Registry (com.netflix.spectator.api.Registry), Optional (java.util.Optional), Account (com.netflix.spinnaker.fiat.model.resources.Account), UserPermission (com.netflix.spinnaker.fiat.model.UserPermission), Authorization (com.netflix.spinnaker.fiat.model.Authorization), Authentication (org.springframework.security.core.Authentication), Collections (java.util.Collections).
