
Example 6 with AccessControlPolicy

use of com.pspace.ifs.ksan.gw.format.AccessControlPolicy in project ksan by infinistor.

The `process()` method of the `CreateBucket` class.

@Override
public void process() throws GWException {
    logger.info(GWConstants.LOG_CREATE_BUCKET_START);
    String bucket = s3Parameter.getBucketName();
    logger.debug(GWConstants.LOG_CREATE_BUCKET_NAME, bucket);
    checkBucketName(bucket);

    String ownerId = String.valueOf(s3Parameter.getUser().getUserId());
    String ownerName = s3Parameter.getUser().getUserName();

    // Names already in use, plus the reserved "website" name, are refused with
    // the same split S3 uses: the current owner gets BucketAlreadyOwnedByYou,
    // anybody else BucketAlreadyExists (the existence of a foreign bucket is
    // therefore observable, as it is on S3).
    // NOTE(review): for the reserved name with no existing bucket, initBucketInfo
    // runs against a bucket that does not exist -- confirm it tolerates that.
    boolean reservedName = bucket.equalsIgnoreCase(GWConstants.WEBSITE);
    if (isExistBucket(bucket) || reservedName) {
        logger.info(GWConstants.LOG_CREATE_BUCKET_EXIST, bucket);
        initBucketInfo(bucket);
        GWErrorCode conflict = isBucketOwner(ownerId)
                ? GWErrorCode.BUCKET_ALREADY_OWNED_BY_YOU
                : GWErrorCode.BUCKET_ALREADY_EXISTS;
        throw new GWException(conflict, s3Parameter);
    }

    DataCreateBucket dataCreateBucket = new DataCreateBucket(s3Parameter);
    dataCreateBucket.extract();

    // Fresh ACL owned by the caller; the canned ACL and x-amz-grant-* headers
    // from the request are folded in and validated by makeAclXml.
    // NOTE(review): getBucketInfo() is passed although initBucketInfo was not
    // called on this path -- confirm makeAclXml copes with a missing bucket.
    accessControlPolicy = new AccessControlPolicy();
    accessControlPolicy.owner = new Owner();
    accessControlPolicy.owner.id = ownerId;
    accessControlPolicy.owner.displayName = ownerName;
    accessControlPolicy.aclList = new AccessControlList();
    accessControlPolicy.aclList.grants = new ArrayList<Grant>();
    String xml = GWUtils.makeAclXml(accessControlPolicy, null, dataCreateBucket.hasAclKeyword(), null, dataCreateBucket.getAcl(), getBucketInfo(), ownerId, ownerName, dataCreateBucket.getGrantRead(), dataCreateBucket.getGrantWrite(), dataCreateBucket.getGrantFullControl(), dataCreateBucket.getGrantReadAcp(), dataCreateBucket.getGrantWriteAcp(), s3Parameter);
    logger.debug(GWConstants.LOG_ACL, xml);

    // Object Lock depends on versioning, so enabling it also enables versioning.
    boolean objectLockEnabled = GWConstants.STRING_TRUE.equalsIgnoreCase(dataCreateBucket.getBucketObjectLockEnabled());
    String objectLockXml = "";
    if (objectLockEnabled) {
        logger.info(GWConstants.LOG_CREATE_BUCKET_VERSIONING_ENABLED_OBJECT_LOCK_TRUE);
        objectLockXml = GWConstants.OBJECT_LOCK_XML;
    }
    int result = createBucket(bucket, ownerName, ownerId, xml, "", objectLockXml);
    if (objectLockEnabled) {
        // Kept before the result check, as in the original flow.
        putBucketVersioning(bucket, GWConstants.STATUS_ENABLED);
    }
    if (result != 0) {
        throw new GWException(GWErrorCode.INTERNAL_SERVER_DB_ERROR, s3Parameter);
    }

    s3Parameter.getResponse().addHeader(HttpHeaders.LOCATION, GWConstants.SLASH + bucket);
    s3Parameter.getResponse().setStatus(HttpServletResponse.SC_OK);
}

Example 7 with AccessControlPolicy

use of com.pspace.ifs.ksan.gw.format.AccessControlPolicy in project ksan by infinistor.

The `process()` method of the `CreateMultipartUpload` class.

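@Override
public void process() throws GWException {
    logger.info(GWConstants.LOG_CREATE_MULTIPART_UPLOAD_START);
    String bucket = s3Parameter.getBucketName();
    initBucketInfo(bucket);
    String object = s3Parameter.getObjectName();
    String userId = String.valueOf(s3Parameter.getUser().getUserId());
    String userName = s3Parameter.getUser().getUserName();

    // Attach the bucket's CORS and Block-Public-Access settings to the request
    // so the CORS and ACL checks below can read them.
    S3Bucket s3Bucket = new S3Bucket();
    s3Bucket.setCors(getBucketInfo().getCors());
    s3Bucket.setAccess(getBucketInfo().getAccess());
    s3Parameter.setBucket(s3Bucket);
    GWUtils.checkCors(s3Parameter);

    // Authorization: an unauthenticated (public) request is refused outright
    // when the bucket ignores public ACLs; everyone else needs WRITE on the
    // bucket.
    if (s3Parameter.isPublicAccess() && GWUtils.isIgnorePublicAcls(s3Parameter)) {
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }
    checkGrantBucket(s3Parameter.isPublicAccess(), userId, GWConstants.GRANT_WRITE);

    DataCreateMultipartUpload dataCreateMultipartUpload = new DataCreateMultipartUpload(s3Parameter);
    dataCreateMultipartUpload.extract();

    // Object ACL for the upload: the caller is the owner; the canned ACL and
    // x-amz-grant-* headers are merged and validated by makeAclXml.
    accessControlPolicy = new AccessControlPolicy();
    accessControlPolicy.aclList = new AccessControlList();
    accessControlPolicy.aclList.grants = new ArrayList<Grant>();
    accessControlPolicy.owner = new Owner();
    accessControlPolicy.owner.id = userId;
    accessControlPolicy.owner.displayName = userName;
    String xml = GWUtils.makeAclXml(accessControlPolicy, null, dataCreateMultipartUpload.hasAclKeyword(), null, dataCreateMultipartUpload.getAcl(), getBucketInfo(), userId, userName, dataCreateMultipartUpload.getGrantRead(), dataCreateMultipartUpload.getGrantWrite(), dataCreateMultipartUpload.getGrantFullControl(), dataCreateMultipartUpload.getGrantReadAcp(), dataCreateMultipartUpload.getGrantWriteAcp(), s3Parameter);

    // Server-side encryption: only AES256 is accepted. This used to be checked
    // twice and every metadata field was set twice; the duplicate pass is gone.
    String serverSideEncryption = dataCreateMultipartUpload.getServerSideEncryption();
    if (!Strings.isNullOrEmpty(serverSideEncryption) && !serverSideEncryption.equalsIgnoreCase(GWConstants.AES256)) {
        logger.error(GWErrorCode.NOT_IMPLEMENTED.getMessage() + GWConstants.SERVER_SIDE_OPTION);
        throw new GWException(GWErrorCode.NOT_IMPLEMENTED, s3Parameter);
    }
    String customerAlgorithm = dataCreateMultipartUpload.getServerSideEncryptionCustomerAlgorithm();
    String customerKey = dataCreateMultipartUpload.getServerSideEncryptionCustomerKey();
    String customerKeyMD5 = dataCreateMultipartUpload.getServerSideEncryptionCustomerKeyMD5();

    S3Metadata s3Metadata = new S3Metadata();
    s3Metadata.setOwnerId(userId);
    s3Metadata.setOwnerName(userName);
    s3Metadata.setName(object);
    s3Metadata.setServersideEncryption(serverSideEncryption);
    // SECURITY(review): the SSE-C customer key itself is copied into the object
    // metadata and persisted with the upload record (metaJson below). The S3
    // SSE-C contract keeps only the key's MD5 server-side and requires the
    // client to resend the key on every request; storing the key defeats the
    // feature. Neither the customer algorithm (must be AES256) nor the MD5
    // (must match the key) is validated here -- confirm where the project
    // enforces that, if anywhere.
    s3Metadata.setCustomerAlgorithm(customerAlgorithm);
    s3Metadata.setCustomerKey(customerKey);
    s3Metadata.setCustomerKeyMD5(customerKeyMD5);
    s3Metadata.setUserMetadataMap(dataCreateMultipartUpload.getUserMetadata());

    // Optional standard headers: recorded only when the client sent them.
    String cacheControl = dataCreateMultipartUpload.getCacheControl();
    if (!Strings.isNullOrEmpty(cacheControl)) {
        s3Metadata.setCacheControl(cacheControl);
    }
    String contentDisposition = dataCreateMultipartUpload.getContentDisposition();
    if (!Strings.isNullOrEmpty(contentDisposition)) {
        s3Metadata.setContentDisposition(contentDisposition);
    }
    String contentEncoding = dataCreateMultipartUpload.getContentEncoding();
    if (!Strings.isNullOrEmpty(contentEncoding)) {
        s3Metadata.setContentEncoding(contentEncoding);
    }
    String contentLanguage = dataCreateMultipartUpload.getContentLanguage();
    if (!Strings.isNullOrEmpty(contentLanguage)) {
        s3Metadata.setContentLanguage(contentLanguage);
    }
    String contentType = dataCreateMultipartUpload.getContentType();
    if (!Strings.isNullOrEmpty(contentType)) {
        s3Metadata.setContentType(contentType);
    }

    String metaJson;
    try {
        metaJson = new ObjectMapper().writeValueAsString(s3Metadata);
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.INTERNAL_SERVER_DB_ERROR, s3Parameter);
    }

    // Resolve the target object record (the original comment calls this an
    // existence check). NOTE(review): any GWException from createLocal is
    // rewrapped as a DB error, so a client-side cause (e.g. a missing bucket)
    // would surface as a 500 -- confirm that is intended.
    Metadata objMeta;
    try {
        objMeta = createLocal(bucket, object);
    } catch (GWException e) {
        logger.info(e.getMessage());
        logger.error(GWConstants.LOG_CREATE_MULTIPART_UPLOAD_FAILED, bucket, object);
        throw new GWException(GWErrorCode.INTERNAL_SERVER_DB_ERROR, s3Parameter);
    }

    // Register the upload; the ACL XML and the metadata JSON travel with it.
    String uploadId;
    try {
        ObjMultipart objMultipart = new ObjMultipart(bucket);
        uploadId = objMultipart.createMultipartUpload(bucket, object, xml, metaJson, objMeta.getPrimaryDisk().getId());
    } catch (Exception e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
    }

    // InitiateMultipartUploadResult response. The StAX writer escapes the
    // caller-controlled key, so no manual XML escaping is needed here.
    XMLOutputFactory xmlOutputFactory = XMLOutputFactory.newInstance();
    try (Writer writer = s3Parameter.getResponse().getWriter()) {
        s3Parameter.getResponse().setContentType(GWConstants.XML_CONTENT_TYPE);
        XMLStreamWriter xmlStreamWriter = xmlOutputFactory.createXMLStreamWriter(writer);
        xmlStreamWriter.writeStartDocument();
        xmlStreamWriter.writeStartElement(GWConstants.INITATE_MULTIPART_UPLOAD_RESULT);
        xmlStreamWriter.writeDefaultNamespace(GWConstants.AWS_XMLNS);
        writeSimpleElement(xmlStreamWriter, GWConstants.BUCKET, bucket);
        writeSimpleElement(xmlStreamWriter, GWConstants.KEY, object);
        writeSimpleElement(xmlStreamWriter, GWConstants.XML_UPLOADID, uploadId);
        xmlStreamWriter.writeEndElement();
        xmlStreamWriter.flush();
    } catch (XMLStreamException | IOException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
    }
}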

Example 8 with AccessControlPolicy

use of com.pspace.ifs.ksan.gw.format.AccessControlPolicy in project ksan by infinistor.

The static `makeAclXml()` method of the `GWUtils` class.

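/**
 * Builds, validates and serialises the ACL for a bucket or object request.
 *
 * The ACL is assembled from (in this order) the canned ACL, the x-amz-grant-*
 * headers and, when no ACL keyword was sent, the raw ACL document from the
 * request body. The result is re-parsed so that every grantee can be checked
 * against the identity store, and -- new here -- so that a public group grant
 * is refused when the bucket's BlockPublicAcls is set, regardless of whether
 * it arrived as a canned ACL, a grant header or an ACL body. Previously only
 * the canned-ACL branches consulted BlockPublicAcls, so a grant header such as
 * x-amz-grant-read with the AllUsers URI, or an ACL body, bypassed the block.
 *
 * @param accessControlPolicy    policy to populate; owner/aclList/grants must be non-null
 * @param preAccessControlPolicy existing policy on an ACL update (its owner is kept), else null
 * @param hasKeyWord             true when the request carried a canned ACL or grant header
 * @param getAclXml              raw ACL document from the request body, or null
 * @param cannedAcl              x-amz-acl value, or null/empty
 * @param bucketInfo             target bucket (Block Public Access settings, bucket owner); may be null
 * @param userId                 caller id, used as owner when no previous policy exists
 * @param userName               caller display name
 * @param getGrantRead           x-amz-grant-read header, or null
 * @param getGrantWrite          x-amz-grant-write header, or null
 * @param getGrantFullControl    x-amz-grant-full-control header, or null
 * @param getGrantReadAcp        x-amz-grant-read-acp header, or null
 * @param getGrantWriteAcp       x-amz-grant-write-acp header, or null
 * @param s3Parameter            request context for error reporting
 * @return the ACL as XML (AccessControlPolicy.toString() of the validated policy)
 * @throws GWException ACCESS_DENIED for a public grant under BlockPublicAcls,
 *                     INVALID_ARGUMENT for an unknown grantee, BAD_REQUEST /
 *                     NOT_IMPLEMENTED for a bad or unsupported canned ACL,
 *                     SERVER_ERROR when XML (de)serialisation fails
 */
public static String makeAclXml(AccessControlPolicy accessControlPolicy, AccessControlPolicy preAccessControlPolicy, boolean hasKeyWord, String getAclXml, String cannedAcl, Bucket bucketInfo, String userId, String userName, String getGrantRead, String getGrantWrite, String getGrantFullControl, String getGrantReadAcp, String getGrantWriteAcp, S3Parameter s3Parameter) throws GWException {
    // Block Public Access settings of the target bucket, if it has any.
    PublicAccessBlockConfiguration pabc = null;
    if (bucketInfo != null && !Strings.isNullOrEmpty(bucketInfo.getAccess())) {
        try {
            pabc = new XmlMapper().readValue(bucketInfo.getAccess(), PublicAccessBlockConfiguration.class);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
        }
    }
    boolean blockPublicAcls = pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicAcls);

    logger.info(GWConstants.LOG_UTILS_CANNED_ACL, cannedAcl);
    logger.info(GWConstants.LOG_UTILS_ACL_XML, getAclXml);

    // Owner: an ACL update keeps the existing owner, otherwise the caller owns it.
    if (preAccessControlPolicy != null && preAccessControlPolicy.owner != null) {
        accessControlPolicy.owner.id = preAccessControlPolicy.owner.id;
        accessControlPolicy.owner.displayName = preAccessControlPolicy.owner.displayName;
    } else {
        accessControlPolicy.owner.id = userId;
        accessControlPolicy.owner.displayName = userName;
    }
    String ownerId = accessControlPolicy.owner.id;
    String ownerName = accessControlPolicy.owner.displayName;

    // A raw ACL document from the body is honoured only when no ACL keyword
    // (canned ACL / grant header) accompanied it.
    String aclXml = hasKeyWord ? null : getAclXml;

    boolean hasGrantHeader = !(Strings.isNullOrEmpty(getGrantRead)
            && Strings.isNullOrEmpty(getGrantWrite)
            && Strings.isNullOrEmpty(getGrantReadAcp)
            && Strings.isNullOrEmpty(getGrantWriteAcp)
            && Strings.isNullOrEmpty(getGrantFullControl));

    if (Strings.isNullOrEmpty(cannedAcl)) {
        // No canned ACL: with neither a body nor grant headers the default
        // is "private" (owner FULL_CONTROL).
        if (Strings.isNullOrEmpty(aclXml) && !hasGrantHeader) {
            aclAddCanonicalGrant(accessControlPolicy, ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL);
        }
    } else if (GWConstants.CANNED_ACLS_PRIVATE.equalsIgnoreCase(cannedAcl)) {
        aclAddCanonicalGrant(accessControlPolicy, ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL);
    } else if (GWConstants.CANNED_ACLS_PUBLIC_READ.equalsIgnoreCase(cannedAcl)) {
        aclRejectIfPublicBlocked(blockPublicAcls, s3Parameter);
        aclAddCanonicalGrant(accessControlPolicy, ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL);
        aclAddGroupGrant(accessControlPolicy, GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_READ);
    } else if (GWConstants.CANNED_ACLS_PUBLIC_READ_WRITE.equalsIgnoreCase(cannedAcl)) {
        aclRejectIfPublicBlocked(blockPublicAcls, s3Parameter);
        aclAddCanonicalGrant(accessControlPolicy, ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL);
        aclAddGroupGrant(accessControlPolicy, GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_READ);
        aclAddGroupGrant(accessControlPolicy, GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_WRITE);
    } else if (GWConstants.CANNED_ACLS_AUTHENTICATED_READ.equalsIgnoreCase(cannedAcl)) {
        // AuthenticatedUsers counts as "public" for Block Public Access, as on S3.
        aclRejectIfPublicBlocked(blockPublicAcls, s3Parameter);
        aclAddCanonicalGrant(accessControlPolicy, ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL);
        aclAddGroupGrant(accessControlPolicy, GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS, GWConstants.GRANT_READ);
    } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_READ.equalsIgnoreCase(cannedAcl)) {
        aclAddCanonicalGrant(accessControlPolicy, ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL);
        // Without a known bucket owner (e.g. the bucket is being created) the
        // extra grant is skipped instead of dereferencing a null bucketInfo;
        // S3 likewise ignores the bucket-owner-* canned ACLs on bucket creation.
        if (bucketInfo != null && !Strings.isNullOrEmpty(bucketInfo.getUserId())) {
            aclAddCanonicalGrant(accessControlPolicy, bucketInfo.getUserId(), bucketInfo.getUserName(), GWConstants.GRANT_READ);
        }
    } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_FULL_CONTROL.equalsIgnoreCase(cannedAcl)) {
        aclAddCanonicalGrant(accessControlPolicy, ownerId, ownerName, GWConstants.GRANT_FULL_CONTROL);
        if (bucketInfo != null && !Strings.isNullOrEmpty(bucketInfo.getUserId())) {
            aclAddCanonicalGrant(accessControlPolicy, bucketInfo.getUserId(), bucketInfo.getUserName(), GWConstants.GRANT_FULL_CONTROL);
        }
    } else if (GWConstants.CANNED_ACLS.contains(cannedAcl)) {
        // A valid S3 canned ACL this gateway does not support.
        logger.error(GWErrorCode.NOT_IMPLEMENTED.getMessage() + GWConstants.LOG_ACCESS_CANNED_ACL, cannedAcl);
        throw new GWException(GWErrorCode.NOT_IMPLEMENTED, s3Parameter);
    } else {
        logger.error(HttpServletResponse.SC_BAD_REQUEST + GWConstants.LOG_ACCESS_PROCESS_FAILED);
        throw new GWException(GWErrorCode.BAD_REQUEST, s3Parameter);
    }

    // Explicit x-amz-grant-* headers. NOTE(review): when a raw ACL body is
    // also present (aclXml non-empty) these grants are added to the policy but
    // the body wins below, so they are silently dropped -- confirm intended.
    if (!Strings.isNullOrEmpty(getGrantRead)) {
        readAclHeader(getGrantRead, GWConstants.GRANT_READ, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWrite)) {
        readAclHeader(getGrantWrite, GWConstants.GRANT_WRITE, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantReadAcp)) {
        readAclHeader(getGrantReadAcp, GWConstants.GRANT_READ_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWriteAcp)) {
        readAclHeader(getGrantWriteAcp, GWConstants.GRANT_WRITE_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantFullControl)) {
        readAclHeader(getGrantFullControl, GWConstants.GRANT_FULL_CONTROL, accessControlPolicy);
    }

    // No client document: serialise the policy we assembled.
    if (Strings.isNullOrEmpty(aclXml)) {
        XmlMapper xmlMapper = new XmlMapper();
        try {
            aclXml = xmlMapper.writeValueAsString(accessControlPolicy).replaceAll(GWConstants.WSTXNS, GWConstants.XSI);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
        }
    }

    // Re-parse whatever will be stored (possibly client-supplied XML) and
    // validate every grant. NOTE(review): the client body goes through
    // Jackson's XmlMapper, which in supported releases disables DTD/external
    // entity processing by default; verify the pinned jackson-dataformat-xml
    // version before relying on that for XXE protection.
    try {
        XmlMapper xmlMapper = new XmlMapper();
        AccessControlPolicy checkAcl = xmlMapper.readValue(aclXml, AccessControlPolicy.class);
        aclXml = checkAcl.toString();
        if (checkAcl.aclList != null && checkAcl.aclList.grants != null) {
            for (Grant user : checkAcl.aclList.grants) {
                // A grant without a grantee is malformed; previously this was an NPE (500).
                if (user == null || user.grantee == null) {
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                // BlockPublicAcls applies to the whole ACL, however the grant was expressed.
                if (blockPublicAcls && GWConstants.GROUP.equals(user.grantee.type) && aclIsPublicGroupUri(user.grantee.uri)) {
                    logger.info(GWConstants.LOG_ACCESS_DENIED_PUBLIC_ACLS);
                    throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
                }
                // Canonical grantees must resolve to a known identity by name and by id.
                if (!Strings.isNullOrEmpty(user.grantee.displayName) && GWUtils.getDBInstance().getIdentityByName(user.grantee.displayName, s3Parameter) == null) {
                    logger.info(user.grantee.displayName);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                if (!Strings.isNullOrEmpty(user.grantee.id) && !user.grantee.id.matches(GWConstants.BACKSLASH_D_PLUS)) {
                    logger.info(user.grantee.id);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                if (!Strings.isNullOrEmpty(user.grantee.id) && GWUtils.getDBInstance().getIdentityByID(user.grantee.id, s3Parameter) == null) {
                    logger.info(user.grantee.id);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                // NOTE(review): group grantees with an unknown URI are not rejected here;
                // isGrant only ever matches AllUsers/AuthenticatedUsers, so such a grant is inert.
            }
        }
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
    }
    return aclXml;
}

/** Appends a CanonicalUser grant for {@code id}/{@code displayName} with {@code permission}. */
private static void aclAddCanonicalGrant(AccessControlPolicy acp, String id, String displayName, String permission) {
    Grant grant = new Grant();
    grant.grantee = new Grantee();
    grant.grantee.type = GWConstants.CANONICAL_USER;
    grant.grantee.id = id;
    grant.grantee.displayName = displayName;
    grant.permission = permission;
    acp.aclList.grants.add(grant);
}

/** Appends a Group grant for the predefined group {@code uri} with {@code permission}. */
private static void aclAddGroupGrant(AccessControlPolicy acp, String uri, String permission) {
    Grant grant = new Grant();
    grant.grantee = new Grantee();
    grant.grantee.type = GWConstants.GROUP;
    grant.grantee.uri = uri;
    grant.permission = permission;
    acp.aclList.grants.add(grant);
}

/** True for the two group URIs that make an ACL "public" (AllUsers, AuthenticatedUsers). */
private static boolean aclIsPublicGroupUri(String uri) {
    return GWConstants.AWS_GRANT_URI_ALL_USERS.equals(uri) || GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS.equals(uri);
}

/** Fails with ACCESS_DENIED when the bucket blocks public ACLs. */
private static void aclRejectIfPublicBlocked(boolean blockPublicAcls, S3Parameter s3Parameter) throws GWException {
    if (blockPublicAcls) {
        logger.info(GWConstants.LOG_ACCESS_DENIED_PUBLIC_ACLS);
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }
}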

Example 9 with AccessControlPolicy

use of com.pspace.ifs.ksan.gw.format.AccessControlPolicy in project ksan by infinistor.

The `isGrant()` method of the `S3Request` class.

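/**
 * Decides whether {@code id} holds {@code s3grant} on the destination bucket
 * according to the bucket's stored ACL.
 *
 * The bucket owner always passes. Otherwise a grant matches when its
 * permission is FULL_CONTROL or exactly {@code s3grant}, and its grantee is
 * either the AllUsers / AuthenticatedUsers group or the canonical user
 * {@code id}.
 *
 * Two defects are fixed here. (1) In the FULL_CONTROL case the original code
 * never looked at {@code grant.permission}, so any grant to the caller -- even
 * a bare READ -- answered {@code isGrant(id, FULL_CONTROL)} with true. (2) On
 * an unparseable stored ACL (and on an unknown {@code s3grant}) the original
 * constructed a GWException without throwing it, so the decision continued on
 * a null or stale {@code accessControlPolicy}; it now fails closed with a 500.
 *
 * @param id      canonical user id of the caller
 * @param s3grant one of GWConstants.GRANT_READ/WRITE/READ_ACP/WRITE_ACP/FULL_CONTROL
 * @return true when the ACL grants {@code s3grant} to {@code id}
 * @throws GWException INTERNAL_SERVER_ERROR when the stored ACL cannot be parsed
 *                     or {@code s3grant} is not one of the five permissions
 */
protected boolean isGrant(String id, String s3grant) throws GWException {
    if (dstBucket == null) {
        return false;
    }

    // Parse the bucket's stored ACL. JsonMappingException is a
    // JsonProcessingException, so one catch covers both.
    XmlMapper xmlMapper = new XmlMapper();
    try {
        accessControlPolicy = xmlMapper.readValue(dstBucket.getAcl(), AccessControlPolicy.class);
    } catch (JsonProcessingException e) {
        logger.error(e.getMessage());
        throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
    }
    // A stored ACL without an owner is corrupt; never authorise against it.
    if (accessControlPolicy == null || accessControlPolicy.owner == null || accessControlPolicy.owner.id == null) {
        logger.error(GWConstants.LOG_REQUEST_BUCKET_ACL, dstBucket.getAcl());
        throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
    }

    logger.info(GWConstants.LOG_REQUEST_CHECK_ACL_ID_GRANT, id, s3grant);
    logger.info(GWConstants.LOG_REQUEST_BUCKET_ACL, dstBucket.getAcl());
    logger.info(GWConstants.LOG_REQUEST_BUCKET_OWNER_ID, accessControlPolicy.owner.id);

    // The bucket owner implicitly holds every permission.
    if (accessControlPolicy.owner.id.equals(id)) {
        return true;
    }

    // Only the five S3 permissions are meaningful; anything else is a caller
    // bug and must neither silently grant nor silently deny.
    if (s3grant == null) {
        logger.error(GWConstants.LOG_REQUEST_GRANT_NOT_DEFINED, s3grant);
        throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
    }
    switch (s3grant) {
        case GWConstants.GRANT_READ:
        case GWConstants.GRANT_WRITE:
        case GWConstants.GRANT_READ_ACP:
        case GWConstants.GRANT_WRITE_ACP:
        case GWConstants.GRANT_FULL_CONTROL:
            break;
        default:
            logger.error(GWConstants.LOG_REQUEST_GRANT_NOT_DEFINED, s3grant);
            throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
    }

    if (accessControlPolicy.aclList == null || accessControlPolicy.aclList.grants == null) {
        return false;
    }
    for (Grant grant : accessControlPolicy.aclList.grants) {
        // Incomplete grants cannot match anything; skip rather than NPE.
        if (grant == null || grant.grantee == null || grant.permission == null) {
            continue;
        }
        // FULL_CONTROL implies every permission; otherwise the grant must
        // carry exactly the permission being asked for.
        boolean permissionCovers = GWConstants.GRANT_FULL_CONTROL.equals(grant.permission)
                || s3grant.equals(grant.permission);
        if (!permissionCovers) {
            continue;
        }
        if (GWConstants.GROUP.equals(grant.grantee.type)) {
            // NOTE(review): AuthenticatedUsers is treated exactly like AllUsers;
            // that is only correct if callers never reach this method with an
            // anonymous id -- confirm against the public-access handling.
            if (GWConstants.AWS_GRANT_URI_ALL_USERS.equals(grant.grantee.uri)
                    || GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS.equals(grant.grantee.uri)) {
                return true;
            }
        } else if (GWConstants.CANONICAL_USER.equals(grant.grantee.type)) {
            if (id != null && id.equals(grant.grantee.id)) {
                return true;
            }
        }
    }
    return false;
}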

Example 10 with AccessControlPolicy

use of com.pspace.ifs.ksan.gw.format.AccessControlPolicy in project ksan by infinistor.

The `isGrantBucketOwner()` method of the `S3Request` class.

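/**
 * Decides whether {@code id} holds {@code s3grant} on the destination bucket,
 * reusing an {@code accessControlPolicy} already loaded on this request and
 * otherwise parsing the bucket's stored ACL. The owner always passes; other
 * callers are evaluated by {@code checkGrant}.
 *
 * Fix: the original built a GWException on a parse failure but never threw
 * it, so the method went on to dereference a null policy (or reuse a stale
 * one). An unparseable or owner-less stored ACL now fails closed with a 500.
 *
 * NOTE(review): the cached policy is reused without checking which ACL it was
 * parsed from -- if the same request object first loads an object ACL into
 * this field, the bucket decision here would be made against it. Confirm
 * that callers never interleave the two.
 *
 * @param id      canonical user id of the caller
 * @param s3grant permission being checked (GWConstants.GRANT_*)
 * @return true when the caller owns the bucket or checkGrant finds a matching grant
 * @throws GWException INTERNAL_SERVER_ERROR when the stored ACL cannot be parsed
 */
protected boolean isGrantBucketOwner(String id, String s3grant) throws GWException {
    if (dstBucket == null) {
        return false;
    }
    if (accessControlPolicy == null) {
        XmlMapper xmlMapper = new XmlMapper();
        try {
            accessControlPolicy = xmlMapper.readValue(dstBucket.getAcl(), AccessControlPolicy.class);
        } catch (JsonProcessingException e) {
            // JsonMappingException is a JsonProcessingException; one catch covers both.
            logger.error(e.getMessage());
            throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
        }
    }
    // A stored ACL without an owner is corrupt; never authorise against it.
    if (accessControlPolicy == null || accessControlPolicy.owner == null || accessControlPolicy.owner.id == null) {
        logger.error(GWConstants.LOG_REQUEST_BUCKET_ACL, dstBucket.getAcl());
        throw new GWException(GWErrorCode.INTERNAL_SERVER_ERROR, s3Parameter);
    }

    logger.info(GWConstants.LOG_REQUEST_CHECK_ACL_ID_GRANT, id, s3grant);
    logger.info(GWConstants.LOG_REQUEST_BUCKET_ACL, dstBucket.getAcl());
    logger.info(GWConstants.LOG_REQUEST_BUCKET_OWNER_ID, accessControlPolicy.owner.id);

    // The bucket owner implicitly holds every permission.
    if (accessControlPolicy.owner.id.equals(id)) {
        return true;
    }
    if (accessControlPolicy.aclList == null || accessControlPolicy.aclList.grants == null) {
        return false;
    }
    return checkGrant(id, s3grant, accessControlPolicy);
}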
