
Example 1 with Policy

Use of com.pspace.ifs.ksan.gw.format.Policy in the project ksan by infinistor.

From the class GWUtils, method isPublicPolicyBucket:

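/**
 * Decides whether a bucket policy grants public access, honouring the bucket's
 * PublicAccessBlockConfiguration.
 *
 * <p>A statement counts as a public grant when its effect equals
 * {@code GWConstants.ALLOW}, it names the wildcard principal or the wildcard
 * resource (a bare {@code GWConstants.ASTERISK}, or an ARN whose sixth
 * colon-separated segment is the asterisk), and it carries no condition on one
 * of the source-restricting keys ({@code GWConstants.AWS_SOURCE_ARN},
 * {@code AWS_SOURCE_VPC}, {@code AWS_SOURCE_VPCE}, {@code AWS_SOURCE_OWNER},
 * {@code AWS_SOURCE_ACCOUNT}, {@code S3_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID},
 * {@code S3_DATA_ACCESS_POINT_ARN}, {@code AWS_SOURCE_IP}). Every key of a
 * condition operator object is inspected, not only the first one.
 *
 * <p>The policy text is caller-supplied and therefore untrusted once parsed:
 * missing principal/resource/effect fields and resource strings with fewer than
 * six colon-separated segments are skipped instead of being dereferenced or
 * indexed, so a malformed policy cannot turn into an unhandled runtime
 * exception here.
 *
 * <p>When the access block has {@code BlockPublicPolicy} set to
 * {@code GWConstants.STRING_TRUE}, any statement naming the wildcard principal
 * or resource is rejected with {@code ACCESS_DENIED} before its effect or
 * conditions are inspected; a {@code Deny} statement with a wildcard principal
 * is therefore refused as well. That is the original fail-closed behaviour and
 * is deliberately kept.
 *
 * @param policyInfo  bucket policy JSON; null or empty means "no policy"
 * @param s3Parameter request context whose bucket's access field holds the
 *                    PublicAccessBlockConfiguration XML, if any
 * @return true if at least one statement is a public grant, false otherwise
 *         (including when the policy is absent or has no statements)
 * @throws GWException {@code SERVER_ERROR} when the access block XML or the
 *                     policy JSON cannot be parsed; {@code ACCESS_DENIED} when
 *                     BlockPublicPolicy is enabled and the policy names a
 *                     wildcard principal or resource
 */
public static boolean isPublicPolicyBucket(String policyInfo, S3Parameter s3Parameter) throws GWException {
    PublicAccessBlockConfiguration pabc = readPublicAccessBlock(s3Parameter);

    if (Strings.isNullOrEmpty(policyInfo)) {
        return false;
    }

    Policy policy = parsePolicy(policyInfo, s3Parameter);
    if (policy == null || policy.statements == null) {
        return false;
    }

    for (Statement s : policy.statements) {
        if (s == null) {
            continue;
        }
        // Both helpers throw ACCESS_DENIED themselves when the access block forbids
        // public policies, so the wildcard checks run before the effect is looked at.
        boolean grantsToEveryone = hasWildcardPrincipal(s, pabc, s3Parameter)
                || hasWildcardResource(s, pabc, s3Parameter);
        if (!grantsToEveryone) {
            continue;
        }
        // A null effect is treated as "not Allow" rather than dereferenced.
        if (s.effect == null || !s.effect.equals(GWConstants.ALLOW)) {
            continue;
        }
        if (hasSourceRestrictingCondition(s)) {
            continue;
        }
        rejectIfPublicPolicyBlocked(pabc, s3Parameter);
        return true;
    }
    return false;
}

/** Parses the bucket's PublicAccessBlockConfiguration XML; returns null when the bucket carries none. */
private static PublicAccessBlockConfiguration readPublicAccessBlock(S3Parameter s3Parameter) throws GWException {
    if (s3Parameter.getBucket() == null || Strings.isNullOrEmpty(s3Parameter.getBucket().getAccess())) {
        return null;
    }
    try {
        return new XmlMapper().readValue(s3Parameter.getBucket().getAccess(), PublicAccessBlockConfiguration.class);
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
    }
}

/** Parses the policy JSON; the cause is kept on the thrown GWException so the parse error is not lost. */
private static Policy parsePolicy(String policyInfo, S3Parameter s3Parameter) throws GWException {
    try {
        return new ObjectMapper().readValue(policyInfo, Policy.class);
    } catch (JsonProcessingException e) {
        // JsonMappingException is a subtype of JsonProcessingException; one catch covers both.
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
    }
}

/** Throws ACCESS_DENIED when the access block's BlockPublicPolicy flag is true; null-safe on the flag. */
private static void rejectIfPublicPolicyBlocked(PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicPolicy)) {
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }
}

/** True when the statement's principal list contains the wildcard; rejects it first if public policies are blocked. */
private static boolean hasWildcardPrincipal(Statement s, PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (s.principal == null || s.principal.aws == null) {
        return false;
    }
    for (String aws : s.principal.aws) {
        if (aws != null && aws.equals(GWConstants.ASTERISK)) {
            rejectIfPublicPolicyBlocked(pabc, s3Parameter);
            return true;
        }
    }
    return false;
}

/** True when any resource of the statement denotes all resources; rejects it first if public policies are blocked. */
private static boolean hasWildcardResource(Statement s, PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (s.resources == null) {
        return false;
    }
    for (String resource : s.resources) {
        if (resource != null && isAllResources(resource)) {
            rejectIfPublicPolicyBlocked(pabc, s3Parameter);
            return true;
        }
    }
    return false;
}

/** True for a bare asterisk or an ARN whose sixth colon-separated segment is the asterisk. */
private static boolean isAllResources(String resource) {
    if (resource.equals(GWConstants.ASTERISK)) {
        return true;
    }
    // The resource string comes from the caller's policy: a value with fewer than six
    // segments cannot be an ARN wildcard, so it is skipped instead of indexing past the array.
    String[] res = resource.split(GWConstants.COLON, -1);
    return res.length > 5 && !Strings.isNullOrEmpty(res[5]) && res[5].equals(GWConstants.ASTERISK);
}

/** True when any condition operator of the statement carries one of the source-restricting keys. */
private static boolean hasSourceRestrictingCondition(Statement s) {
    if (s.condition == null) {
        return false;
    }
    for (Map.Entry<String, JsonNode> entry : s.condition.getUserExtensions().entries()) {
        JsonNode jsonNode = entry.getValue();
        if (jsonNode == null || !jsonNode.isObject()) {
            continue;
        }
        // Inspect every key of the operator object; a restricting key may not be the first one.
        Iterator<String> fieldNames = jsonNode.fieldNames();
        while (fieldNames.hasNext()) {
            String key = fieldNames.next();
            logger.info(GWConstants.LOG_UTILS_KEY, key);
            if (isSourceRestrictingKey(key)) {
                return true;
            }
        }
    }
    return false;
}

/** The condition keys whose presence makes an otherwise-public statement non-public. */
private static boolean isSourceRestrictingKey(String key) {
    return key.equals(GWConstants.AWS_SOURCE_ARN)
            || key.equals(GWConstants.AWS_SOURCE_VPC)
            || key.equals(GWConstants.AWS_SOURCE_VPCE)
            || key.equals(GWConstants.AWS_SOURCE_OWNER)
            || key.equals(GWConstants.AWS_SOURCE_ACCOUNT)
            || key.equals(GWConstants.S3_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID)
            || key.equals(GWConstants.S3_DATA_ACCESS_POINT_ARN)
            || key.equals(GWConstants.AWS_SOURCE_IP);
}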
