Use of com.netflix.spinnaker.fiat.model.resources.Authorizable in project fiat by spinnaker: the class FiatPermissionEvaluator, method permissionContains (the per-resource authorization decision).
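/**
 * Decides whether {@code permission} grants {@code authorization} on the named resource of the
 * given type.
 *
 * <p>Decision order, first match wins:
 * <ul>
 *   <li>no permission view at all: deny;</li>
 *   <li>admin: allow for every resource type, whether or not the resource is listed;</li>
 *   <li>otherwise one branch per resource type, see the comments below.</li>
 * </ul>
 *
 * <p>Resource names are matched case-insensitively. For applications, build services and
 * extension resources {@code permission.isLegacyFallback()} grants access unconditionally;
 * service accounts are a pure membership check and ignore {@code authorization}. Unknown
 * resource types (no extension resources registered for them) are denied.
 *
 * @param permission the resolved permission view for the caller; may be null
 * @param resourceName name of the resource being accessed (matched ignoring case)
 * @param resourceType type of the resource being accessed
 * @param authorization the access level requested on the resource
 * @return true if access should be granted
 */
private boolean permissionContains(
    UserPermission.View permission,
    String resourceName,
    ResourceType resourceType,
    Authorization authorization) {
  if (permission == null) {
    return false;
  }
  if (permission.isAdmin()) {
    // Admins bypass the per-resource lookup entirely, listed resource or not.
    return true;
  }

  // True when some resource in the set has the requested name (ignoring case) and carries the
  // requested authorization. A resource with a null name or a null authorization set simply
  // never matches (deny) rather than throwing from inside the authorization check.
  Function<Set<? extends Authorizable>, Boolean> containsAuth =
      resources ->
          resources.stream()
              .anyMatch(
                  view -> {
                    Set<Authorization> authorizations =
                        Optional.ofNullable(view.getAuthorizations())
                            .orElse(Collections.emptySet());
                    return resourceName != null
                        && resourceName.equalsIgnoreCase(view.getName())
                        && authorizations.contains(authorization);
                  });

  if (resourceType.equals(ResourceType.ACCOUNT)) {
    boolean authorized = containsAuth.apply(permission.getAccounts());
    // Todo(jonsie): Debug transitory access denied issue, remove when not necessary.
    // Build the diagnostic map only when it will actually be logged. The value mapper is
    // null-safe and duplicate account names are merged, because Collectors.toMap would
    // otherwise throw (NPE on a null authorization set, IllegalStateException on a duplicate
    // name) and turn a plain "denied" into an exception.
    if (!authorized && log.isDebugEnabled()) {
      Map<String, Set<Authorization>> accounts =
          permission.getAccounts().stream()
              .collect(
                  Collectors.toMap(
                      Account.View::getName,
                      account ->
                          Optional.ofNullable(account.getAuthorizations())
                              .orElse(Collections.emptySet()),
                      (first, second) -> first));
      log.debug(
          "Authorization={} denied to account={} for user permission={}, found={}",
          authorization,
          resourceName,
          permission.getName(),
          accounts);
    }
    return authorized;
  } else if (resourceType.equals(ResourceType.APPLICATION)) {
    boolean applicationHasPermissions =
        permission.getApplications().stream()
            .anyMatch(
                application ->
                    resourceName != null
                        && resourceName.equalsIgnoreCase(application.getName()));
    if (!applicationHasPermissions && permission.isAllowAccessToUnknownApplications()) {
      // Applications with no explicit permissions are open to everyone when this flag is set.
      return true;
    }
    // Legacy fallback grants access to every application regardless of authorization.
    return permission.isLegacyFallback() || containsAuth.apply(permission.getApplications());
  } else if (resourceType.equals(ResourceType.SERVICE_ACCOUNT)) {
    // Service accounts are membership-only: the requested authorization is not consulted.
    return permission.getServiceAccounts().stream()
        .anyMatch(
            serviceAccount ->
                resourceName != null
                    && resourceName.equalsIgnoreCase(serviceAccount.getName()));
  } else if (resourceType.equals(ResourceType.BUILD_SERVICE)) {
    return permission.isLegacyFallback() || containsAuth.apply(permission.getBuildServices());
  } else if (permission.getExtensionResources() != null
      && permission.getExtensionResources().containsKey(resourceType)) {
    // Plugin-provided resource types are evaluated exactly like build services.
    val extensionResources = permission.getExtensionResources().get(resourceType);
    return permission.isLegacyFallback() || containsAuth.apply(extensionResources);
  } else {
    // Unknown resource type: fail closed.
    return false;
  }
}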