
Example 91 with GWException

Use of com.pspace.ifs.ksan.gw.exception.GWException in project ksan by infinistor.

From class DataPutBucketObjectLock, method getObjectLockXml.

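/**
 * Read the object-lock configuration XML (via {@code readXml()}, presumably the request body
 * — confirm against the caller) and verify that it deserialises into an
 * {@link ObjectLockConfiguration} before returning it unchanged.
 *
 * <p>The parsed object is deliberately discarded: this is a validation pass only, and the
 * raw XML is what gets stored in {@code ObjectLockXml} and handed back.
 *
 * @return the raw XML as returned by {@code readXml()}
 * @throws GWException with {@code INTERNAL_SERVER_ERROR} when the XML does not parse.
 *         NOTE(review): if this XML comes from the client, a malformed document is a client
 *         error and would conventionally map to a 4xx (S3 answers MalformedXML); kept as-is.
 */
public String getObjectLockXml() throws GWException {
    ObjectLockXml = readXml();
    // NOTE(review): external-entity expansion is governed by jackson-dataformat-xml's defaults
    // (disabled in current releases; CVE-2016-3720 affected < 2.7.4) — confirm the pinned version.
    XmlMapper xmlMapper = new XmlMapper();
    try {
        xmlMapper.readValue(ObjectLockXml, ObjectLockConfiguration.class);
    } catch (JsonProcessingException e) {
        // JsonMappingException is a subclass and was handled identically, so one catch suffices.
        // The cause is attached so the root error is not lost on the way to the response.
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, e, s3Parameter);
    }
    return ObjectLockXml;
}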

Example 92 with GWException

Use of com.pspace.ifs.ksan.gw.exception.GWException in project ksan by infinistor.

From class GWUtils, method isPublicPolicyBucket.

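/**
 * Decide whether a bucket policy document grants public access, honouring the bucket's
 * {@code BlockPublicPolicy} public-access-block setting.
 *
 * <p>A statement is treated as public when its {@code Effect} is {@code GWConstants.ALLOW},
 * its principal list or resource list contains the wildcard {@code GWConstants.ASTERISK}
 * (or the sixth colon-separated ARN field of a resource is that wildcard), and it carries
 * none of the scoping condition keys ({@code GWConstants.AWS_SOURCE_*},
 * {@code S3_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID}, {@code S3_DATA_ACCESS_POINT_ARN}).
 *
 * <p>NOTE(review): two properties are kept from the original and may deserve a second look:
 * a wildcard resource alone (with a specific principal) counts as public, and the
 * {@code BlockPublicPolicy} rejection fires on any statement with a wildcard — Deny
 * statements included — before the Effect is examined.
 *
 * @param policyInfo  the policy JSON; {@code null} or empty means "no policy" and yields false
 * @param s3Parameter request context; its bucket's access-block XML (if any) is parsed
 * @return {@code true} when at least one statement is public
 * @throws GWException {@code SERVER_ERROR} if either document fails to parse;
 *         {@code ACCESS_DENIED} when {@code BlockPublicPolicy} is true and a wildcard
 *         principal/resource is present
 */
public static boolean isPublicPolicyBucket(String policyInfo, S3Parameter s3Parameter) throws GWException {
    PublicAccessBlockConfiguration pabc = null;
    if (s3Parameter.getBucket() != null && !Strings.isNullOrEmpty(s3Parameter.getBucket().getAccess())) {
        try {
            pabc = new XmlMapper().readValue(s3Parameter.getBucket().getAccess(), PublicAccessBlockConfiguration.class);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
        }
    }
    if (Strings.isNullOrEmpty(policyInfo)) {
        return false;
    }
    Policy policy;
    try {
        policy = new ObjectMapper().readValue(policyInfo, Policy.class);
    } catch (JsonProcessingException e) {
        // JsonMappingException is a subclass and was handled the same way; keep the cause.
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
    }
    if (policy == null || policy.statements == null) {
        return false;
    }
    for (Statement s : policy.statements) {
        if (s == null) {
            continue;
        }
        // Both checks always run: each may independently throw ACCESS_DENIED.
        boolean wildcardPrincipal = hasWildcardPrincipal(s, pabc, s3Parameter);
        boolean wildcardResource = hasWildcardResource(s, pabc, s3Parameter);
        boolean scoped = hasScopingCondition(s);
        if (GWConstants.ALLOW.equals(s.effect) && (wildcardPrincipal || wildcardResource) && !scoped) {
            denyIfBlockPublicPolicy(pabc, s3Parameter);
            return true;
        }
    }
    return false;
}

/** Throw ACCESS_DENIED when the bucket's access block has {@code BlockPublicPolicy} set. */
private static void denyIfBlockPublicPolicy(PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicPolicy)) {
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }
}

/** True when the statement's AWS principal list contains the wildcard (rejects first under BlockPublicPolicy). */
private static boolean hasWildcardPrincipal(Statement s, PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (s.principal == null || s.principal.aws == null) {
        return false;
    }
    for (String aws : s.principal.aws) {
        if (GWConstants.ASTERISK.equals(aws)) {
            denyIfBlockPublicPolicy(pabc, s3Parameter);
            return true;
        }
    }
    return false;
}

/**
 * True when a resource is the bare wildcard or an ARN whose sixth colon-separated field
 * (arn:partition:service:region:account:resource) is the wildcard. ARNs with fewer fields
 * are skipped instead of indexing past the end of the split array.
 */
private static boolean hasWildcardResource(Statement s, PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (s.resources == null) {
        return false;
    }
    for (String resource : s.resources) {
        if (resource == null) {
            continue;
        }
        if (GWConstants.ASTERISK.equals(resource)) {
            denyIfBlockPublicPolicy(pabc, s3Parameter);
            return true;
        }
        String[] res = resource.split(GWConstants.COLON, -1);
        if (res.length > 5 && GWConstants.ASTERISK.equals(res[5])) {
            denyIfBlockPublicPolicy(pabc, s3Parameter);
            return true;
        }
    }
    return false;
}

/**
 * True when any condition object's first key is one of the scoping keys that make an
 * otherwise-wildcard statement non-public.
 * NOTE(review): only the first field of each condition object is inspected (unchanged);
 * a scoping key listed second in the same object is not seen.
 */
private static boolean hasScopingCondition(Statement s) {
    if (s.condition == null) {
        return false;
    }
    for (Map.Entry<String, JsonNode> entry : s.condition.getUserExtensions().entries()) {
        JsonNode node = entry.getValue();
        if (node == null || !node.isObject()) {
            continue;
        }
        Iterator<String> fieldNames = node.fieldNames();
        if (!fieldNames.hasNext()) {
            continue;
        }
        String key = fieldNames.next();
        logger.info(GWConstants.LOG_UTILS_KEY, key);
        if (isScopingConditionKey(key)) {
            return true;
        }
    }
    return false;
}

/** The condition keys whose presence means the statement is scoped rather than public. */
private static boolean isScopingConditionKey(String key) {
    return key.equals(GWConstants.AWS_SOURCE_ARN)
            || key.equals(GWConstants.AWS_SOURCE_VPC)
            || key.equals(GWConstants.AWS_SOURCE_VPCE)
            || key.equals(GWConstants.AWS_SOURCE_OWNER)
            || key.equals(GWConstants.AWS_SOURCE_ACCOUNT)
            || key.equals(GWConstants.S3_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID)
            || key.equals(GWConstants.S3_DATA_ACCESS_POINT_ARN)
            || key.equals(GWConstants.AWS_SOURCE_IP);
}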

Example 93 with GWException

Use of com.pspace.ifs.ksan.gw.exception.GWException in project ksan by infinistor.

From class GWUtils, method parseTimeExpire.

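/**
 * Parse an ISO 8601 timestamp (pattern {@code GWConstants.ISO_8601_TIME_SIMPLE_FORMAT},
 * read as UTC) into whole seconds since the Unix epoch.
 *
 * <p>Parsing is strict: out-of-range fields are not rolled forward and the whole string must
 * be consumed, so a malformed expiry cannot silently become a valid (and possibly later)
 * time. {@code SimpleDateFormat} is not thread-safe, hence a fresh instance per call.
 *
 * @param date        the timestamp text from the request; may be {@code null}
 * @param s3Parameter request context, attached to the thrown exception
 * @return seconds since 1970-01-01T00:00:00Z (sub-second part truncated)
 * @throws GWException {@code BAD_REQUEST} when {@code date} is null/empty or is not a
 *         complete, valid timestamp in the expected format
 */
public static long parseTimeExpire(String date, S3Parameter s3Parameter) throws GWException {
    if (Strings.isNullOrEmpty(date)) {
        throw new GWException(GWErrorCode.BAD_REQUEST, s3Parameter);
    }
    SimpleDateFormat formatter = new SimpleDateFormat(GWConstants.ISO_8601_TIME_SIMPLE_FORMAT);
    formatter.setTimeZone(TimeZone.getTimeZone(GWConstants.UTC));
    // Lenient (the default) would accept e.g. month 13 by rolling into the next year.
    formatter.setLenient(false);
    logger.debug(GWConstants.LOG_UTILS_8061_DATE, date);
    try {
        java.text.ParsePosition pos = new java.text.ParsePosition(0);
        java.util.Date parsed = formatter.parse(date, pos);
        // parse(String, ParsePosition) stops at the first unparseable character, so trailing
        // garbage is rejected explicitly; routed through the same ParseException path.
        if (parsed == null || pos.getIndex() != date.length()) {
            throw new ParseException("Unparseable date: " + date, Math.max(pos.getErrorIndex(), pos.getIndex()));
        }
        return parsed.getTime() / 1000;
    } catch (ParseException pe) {
        PrintStack.logging(logger, pe);
        throw new GWException(GWErrorCode.BAD_REQUEST, pe, s3Parameter);
    }
}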

Example 94 with GWException

Use of com.pspace.ifs.ksan.gw.exception.GWException in project ksan by infinistor.

From class GWUtils, method makeAclXml.

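/**
 * Build the ACL XML to store for a bucket or object from what the request supplied.
 *
 * <p>The inputs are combined as follows:
 * <ul>
 *   <li>{@code getAclXml} — a request-body ACL, honoured only when {@code hasKeyWord} is false;</li>
 *   <li>{@code cannedAcl} — a canned ACL name, expanded into grants;</li>
 *   <li>{@code getGrant*} — explicit grant headers, appended via {@code readAclHeader}.</li>
 * </ul>
 * With none of these the ACL defaults to private (owner gets FULL_CONTROL). The owner is
 * copied from {@code preAccessControlPolicy} when present, else set to
 * {@code userId}/{@code userName}.
 *
 * <p>When the bucket's public-access block has {@code BlockPublicAcls} set, a grant to the
 * AllUsers or AuthenticatedUsers group is rejected regardless of whether it came from a
 * canned ACL, a grant header or the ACL body (previously only the canned-ACL path was
 * checked). Every named grantee is also vetted against the identity store.
 *
 * @return the ACL re-serialised through {@code AccessControlPolicy.toString()}
 * @throws GWException {@code SERVER_ERROR} on (de)serialisation failure; {@code ACCESS_DENIED}
 *         when a public grant is blocked; {@code NOT_IMPLEMENTED} for a known but unsupported
 *         canned ACL; {@code BAD_REQUEST} for an unknown one; {@code INVALID_ARGUMENT} for a
 *         grantee that is missing, malformed or unknown
 */
public static String makeAclXml(AccessControlPolicy accessControlPolicy, AccessControlPolicy preAccessControlPolicy, boolean hasKeyWord, String getAclXml, String cannedAcl, Bucket bucketInfo, String userId, String userName, String getGrantRead, String getGrantWrite, String getGrantFullControl, String getGrantReadAcp, String getGrantWriteAcp, S3Parameter s3Parameter) throws GWException {
    PublicAccessBlockConfiguration pabc = null;
    if (bucketInfo != null && !Strings.isNullOrEmpty(bucketInfo.getAccess())) {
        try {
            pabc = new XmlMapper().readValue(bucketInfo.getAccess(), PublicAccessBlockConfiguration.class);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
        }
    }
    logger.info(GWConstants.LOG_UTILS_CANNED_ACL, cannedAcl);
    logger.info(GWConstants.LOG_UTILS_ACL_XML, getAclXml);

    // An existing ACL keeps its owner; a brand-new one is owned by the caller.
    if (preAccessControlPolicy != null && preAccessControlPolicy.owner != null) {
        accessControlPolicy.owner.id = preAccessControlPolicy.owner.id;
        accessControlPolicy.owner.displayName = preAccessControlPolicy.owner.displayName;
    } else {
        accessControlPolicy.owner.id = userId;
        accessControlPolicy.owner.displayName = userName;
    }
    final String ownerId = accessControlPolicy.owner.id;
    final String ownerName = accessControlPolicy.owner.displayName;

    // A body ACL is only honoured when the request carried no keyword form.
    String aclXml = hasKeyWord ? null : getAclXml;

    final boolean anyGrantHeader = !Strings.isNullOrEmpty(getGrantRead)
            || !Strings.isNullOrEmpty(getGrantWrite)
            || !Strings.isNullOrEmpty(getGrantReadAcp)
            || !Strings.isNullOrEmpty(getGrantWriteAcp)
            || !Strings.isNullOrEmpty(getGrantFullControl);

    if (Strings.isNullOrEmpty(cannedAcl)) {
        if (Strings.isNullOrEmpty(aclXml) && !anyGrantHeader) {
            // Nothing supplied at all: default to a private ACL.
            accessControlPolicy.aclList.grants.add(canonicalUserGrant(ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL));
        }
    } else if (GWConstants.CANNED_ACLS_PRIVATE.equalsIgnoreCase(cannedAcl)) {
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL));
    } else if (GWConstants.CANNED_ACLS_PUBLIC_READ.equalsIgnoreCase(cannedAcl)) {
        denyIfBlockPublicAcls(pabc, s3Parameter);
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_READ));
    } else if (GWConstants.CANNED_ACLS_PUBLIC_READ_WRITE.equalsIgnoreCase(cannedAcl)) {
        denyIfBlockPublicAcls(pabc, s3Parameter);
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_READ));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_WRITE));
    } else if (GWConstants.CANNED_ACLS_AUTHENTICATED_READ.equalsIgnoreCase(cannedAcl)) {
        denyIfBlockPublicAcls(pabc, s3Parameter);
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS, GWConstants.GRANT_READ));
    } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_READ.equalsIgnoreCase(cannedAcl)) {
        // NOTE(review): bucketInfo is dereferenced here without a null check, as before.
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL));
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(bucketInfo.getUserId(), bucketInfo.getUserName(), GWConstants.GRANT_READ));
    } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_FULL_CONTROL.equalsIgnoreCase(cannedAcl)) {
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL));
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(bucketInfo.getUserId(), bucketInfo.getUserName(), GWConstants.GRANT_FULL_CONTROL));
    } else if (GWConstants.CANNED_ACLS.contains(cannedAcl)) {
        logger.error(GWErrorCode.NOT_IMPLEMENTED.getMessage() + GWConstants.LOG_ACCESS_CANNED_ACL, cannedAcl);
        throw new GWException(GWErrorCode.NOT_IMPLEMENTED, s3Parameter);
    } else {
        logger.error(HttpServletResponse.SC_BAD_REQUEST + GWConstants.LOG_ACCESS_PROCESS_FAILED);
        throw new GWException(GWErrorCode.BAD_REQUEST, s3Parameter);
    }

    // Explicit grant headers are appended on top of whatever the canned ACL produced.
    if (!Strings.isNullOrEmpty(getGrantRead)) {
        readAclHeader(getGrantRead, GWConstants.GRANT_READ, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWrite)) {
        readAclHeader(getGrantWrite, GWConstants.GRANT_WRITE, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantReadAcp)) {
        readAclHeader(getGrantReadAcp, GWConstants.GRANT_READ_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWriteAcp)) {
        readAclHeader(getGrantWriteAcp, GWConstants.GRANT_WRITE_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantFullControl)) {
        readAclHeader(getGrantFullControl, GWConstants.GRANT_FULL_CONTROL, accessControlPolicy);
    }

    if (Strings.isNullOrEmpty(aclXml)) {
        try {
            aclXml = new XmlMapper().writeValueAsString(accessControlPolicy).replaceAll(GWConstants.WSTXNS, GWConstants.XSI);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
        }
    }

    // Re-parse whichever XML we ended up with (possibly client-supplied) and vet every grant.
    // NOTE(review): entity expansion on the body ACL relies on jackson-dataformat-xml's
    // defaults (external entities disabled in current releases) — confirm the pinned version.
    try {
        AccessControlPolicy checkAcl = new XmlMapper().readValue(aclXml, AccessControlPolicy.class);
        aclXml = checkAcl.toString();
        if (checkAcl.aclList != null && checkAcl.aclList.grants != null) {
            for (Grant grant : checkAcl.aclList.grants) {
                if (grant == null || grant.grantee == null) {
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                validateGrantee(grant.grantee, s3Parameter);
                // BlockPublicAcls must also cover grants that arrived via grant headers or the
                // ACL body; the canned-ACL branches above never see those.
                if (isPublicGroupUri(grant.grantee.uri)) {
                    denyIfBlockPublicAcls(pabc, s3Parameter);
                }
            }
        }
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
    }
    return aclXml;
}

/** Build a CanonicalUser grant for the given identity and permission. */
private static Grant canonicalUserGrant(String id, String displayName, String permission) {
    Grant grant = new Grant();
    grant.grantee = new Grantee();
    grant.grantee.type = GWConstants.CANONICAL_USER;
    grant.grantee.id = id;
    grant.grantee.displayName = displayName;
    grant.permission = permission;
    return grant;
}

/** Build a Group grant (AllUsers / AuthenticatedUsers URI) for the given permission. */
private static Grant groupGrant(String uri, String permission) {
    Grant grant = new Grant();
    grant.grantee = new Grantee();
    grant.grantee.type = GWConstants.GROUP;
    grant.grantee.uri = uri;
    grant.permission = permission;
    return grant;
}

/** True for the two group URIs that make an ACL public (AllUsers, AuthenticatedUsers). */
private static boolean isPublicGroupUri(String uri) {
    return GWConstants.AWS_GRANT_URI_ALL_USERS.equals(uri)
            || GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS.equals(uri);
}

/** Throw ACCESS_DENIED when the bucket's access block has {@code BlockPublicAcls} set. */
private static void denyIfBlockPublicAcls(PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicAcls)) {
        logger.info(GWConstants.LOG_ACCESS_DENIED_PUBLIC_ACLS);
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }
}

/**
 * Reject a grantee whose display name is unknown, whose id is not all digits, or whose id is
 * unknown to the identity store. Group grantees carry neither field and pass through.
 * NOTE(review): id and displayName are validated independently; that they denote the same
 * identity is not checked.
 */
private static void validateGrantee(Grantee grantee, S3Parameter s3Parameter) throws GWException {
    if (!Strings.isNullOrEmpty(grantee.displayName) && GWUtils.getDBInstance().getIdentityByName(grantee.displayName, s3Parameter) == null) {
        logger.info(grantee.displayName);
        throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
    }
    if (!Strings.isNullOrEmpty(grantee.id)) {
        if (!grantee.id.matches(GWConstants.BACKSLASH_D_PLUS)) {
            logger.info(grantee.id);
            throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
        }
        if (GWUtils.getDBInstance().getIdentityByID(grantee.id, s3Parameter) == null) {
            logger.info(grantee.id);
            throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
        }
    }
}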

Example 95 with GWException

Use of com.pspace.ifs.ksan.gw.exception.GWException in project ksan by infinistor.

From class DeleteBucketObjectLock, method process.

/**
 * Handle the delete-object-lock request for the bucket named in {@code s3Parameter}.
 *
 * <p>Loads the bucket, exposes its CORS and public-access settings on the request's
 * {@link S3Bucket} so that {@code GWUtils.checkCors} and the public-access guard can
 * consult them, then stores an empty object-lock configuration and answers 204.
 *
 * @throws GWException {@code ACCESS_DENIED} when {@code s3Parameter.isPublicAccess()} and
 *         {@code GWUtils.isIgnorePublicAcls} both hold, plus anything raised by
 *         {@code initBucketInfo}, {@code checkCors} or {@code updateBucketObjectLock}
 */
@Override
public void process() throws GWException {
    logger.info(GWConstants.LOG_DELETE_BUCKET_OBJECT_LOCK_START);

    final String bucketName = s3Parameter.getBucketName();
    initBucketInfo(bucketName);

    final S3Bucket requestBucket = new S3Bucket();
    requestBucket.setCors(getBucketInfo().getCors());
    requestBucket.setAccess(getBucketInfo().getAccess());
    s3Parameter.setBucket(requestBucket);

    GWUtils.checkCors(s3Parameter);
    final boolean blockedPublicRequest = s3Parameter.isPublicAccess() && GWUtils.isIgnorePublicAcls(s3Parameter);
    if (blockedPublicRequest) {
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }

    // NOTE(review): no bucket-owner / permission check is visible in this method; presumably
    // performed by a caller or base class — confirm.
    // The empty string is the stored representation of "no object-lock configuration".
    updateBucketObjectLock(bucketName, "");
    s3Parameter.getResponse().setStatus(HttpServletResponse.SC_NO_CONTENT);
}
