Examples with PublicAccessBlockConfiguration com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration used on opensource projects

Search in sources :

Example 1 with PublicAccessBlockConfiguration

use of com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration in project ksan by infinistor.

the class GWUtils method isPublicPolicyBucket.

public static boolean isPublicPolicyBucket(String policyInfo, S3Parameter s3Parameter) throws GWException {
    PublicAccessBlockConfiguration pabc = null;
    if (s3Parameter.getBucket() != null && !Strings.isNullOrEmpty(s3Parameter.getBucket().getAccess())) {
        try {
            pabc = new XmlMapper().readValue(s3Parameter.getBucket().getAccess(), PublicAccessBlockConfiguration.class);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
        }
    }
    boolean effect = false;
    if (Strings.isNullOrEmpty(policyInfo)) {
        return effect;
    }
    Policy policy = null;
    // read policy
    ObjectMapper jsonMapper = new ObjectMapper();
    try {
        policy = jsonMapper.readValue(policyInfo, Policy.class);
        if (policy == null) {
            return effect;
        }
    } catch (JsonMappingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
    }
    // check policy - loop statement
    for (Statement s : policy.statements) {
        boolean effectcheck = false;
        // check principal (id)
        for (String aws : s.principal.aws) {
            if (aws.equals(GWConstants.ASTERISK)) {
                if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
                    throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
                }
                effectcheck = true;
                break;
            }
        }
        // check Resource (object path, bucket path)
        for (String resource : s.resources) {
            if (resource.equals(GWConstants.ASTERISK)) {
                if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
                    throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
                }
                effectcheck = true;
                break;
            }
            String[] res = resource.split(GWConstants.COLON, -1);
            // all resource check
            if (!Strings.isNullOrEmpty(res[5]) && res[5].equals(GWConstants.ASTERISK)) {
                if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
                    throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
                }
                effectcheck = true;
                break;
            }
        }
        boolean conditioncheck = false;
        if (s.condition == null) {
            conditioncheck = false;
        } else {
            for (Map.Entry<String, JsonNode> entry : s.condition.getUserExtensions().entries()) {
                JsonNode jsonNode = entry.getValue();
                if (jsonNode.isObject()) {
                    Iterator<String> fieldNames = jsonNode.fieldNames();
                    if (fieldNames.hasNext()) {
                        // read key
                        String fieldName = fieldNames.next();
                        String key = fieldName;
                        logger.info(GWConstants.LOG_UTILS_KEY, key);
                        if (key.equals(GWConstants.AWS_SOURCE_ARN)) {
                            conditioncheck = true;
                            break;
                        } else if (key.equals(GWConstants.AWS_SOURCE_VPC)) {
                            conditioncheck = true;
                            break;
                        } else if (key.equals(GWConstants.AWS_SOURCE_VPCE)) {
                            conditioncheck = true;
                            break;
                        } else if (key.equals(GWConstants.AWS_SOURCE_OWNER)) {
                            conditioncheck = true;
                            break;
                        } else if (key.equals(GWConstants.AWS_SOURCE_ACCOUNT)) {
                            conditioncheck = true;
                            break;
                        } else if (key.equals(GWConstants.S3_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID)) {
                            conditioncheck = true;
                            break;
                        } else if (key.equals(GWConstants.S3_DATA_ACCESS_POINT_ARN)) {
                            conditioncheck = true;
                            break;
                        } else if (key.equals(GWConstants.AWS_SOURCE_IP)) {
                            conditioncheck = true;
                            break;
                        }
                    }
                }
            }
        }
        if (s.effect.equals(GWConstants.ALLOW)) {
            if (effectcheck == true && conditioncheck == false) {
                if (pabc != null && pabc.BlockPublicPolicy.equalsIgnoreCase(GWConstants.STRING_TRUE)) {
                    throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
                }
                effect = true;
                return effect;
            }
        }
    }
    return effect;
}
Also used : Policy(com.pspace.ifs.ksan.gw.format.Policy) AccessControlPolicy(com.pspace.ifs.ksan.gw.format.AccessControlPolicy) Statement(com.pspace.ifs.ksan.gw.format.Policy.Statement) JsonNode(com.fasterxml.jackson.databind.JsonNode) XmlMapper(com.fasterxml.jackson.dataformat.xml.XmlMapper) PublicAccessBlockConfiguration(com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration) JsonMappingException(com.fasterxml.jackson.databind.JsonMappingException) GWException(com.pspace.ifs.ksan.gw.exception.GWException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) Map(java.util.Map) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper)

Example 2 with PublicAccessBlockConfiguration

use of com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration in project ksan by infinistor.

the class GWUtils method makeAclXml.

public static String makeAclXml(AccessControlPolicy accessControlPolicy, AccessControlPolicy preAccessControlPolicy, boolean hasKeyWord, String getAclXml, String cannedAcl, Bucket bucketInfo, String userId, String userName, String getGrantRead, String getGrantWrite, String getGrantFullControl, String getGrantReadAcp, String getGrantWriteAcp, S3Parameter s3Parameter) throws GWException {
    PublicAccessBlockConfiguration pabc = null;
    if (bucketInfo != null && !Strings.isNullOrEmpty(bucketInfo.getAccess())) {
        try {
            pabc = new XmlMapper().readValue(bucketInfo.getAccess(), PublicAccessBlockConfiguration.class);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
        }
    }
    logger.info(GWConstants.LOG_UTILS_CANNED_ACL, cannedAcl);
    logger.info(GWConstants.LOG_UTILS_ACL_XML, getAclXml);
    if (preAccessControlPolicy != null && preAccessControlPolicy.owner != null) {
        accessControlPolicy.owner.id = preAccessControlPolicy.owner.id;
        accessControlPolicy.owner.displayName = preAccessControlPolicy.owner.displayName;
    } else {
        accessControlPolicy.owner.id = userId;
        accessControlPolicy.owner.displayName = userName;
    }
    String aclXml = null;
    if (!hasKeyWord) {
        aclXml = getAclXml;
    }
    if (Strings.isNullOrEmpty(cannedAcl)) {
        if (Strings.isNullOrEmpty(aclXml)) {
            if (Strings.isNullOrEmpty(getGrantRead) && Strings.isNullOrEmpty(getGrantWrite) && Strings.isNullOrEmpty(getGrantReadAcp) && Strings.isNullOrEmpty(getGrantWriteAcp) && Strings.isNullOrEmpty(getGrantFullControl)) {
                Grant priUser = new Grant();
                priUser.grantee = new Grantee();
                priUser.grantee.type = GWConstants.CANONICAL_USER;
                priUser.grantee.id = accessControlPolicy.owner.id;
                priUser.grantee.displayName = accessControlPolicy.owner.displayName;
                priUser.permission = GWConstants.GRANT_FULL_CONTROL;
                accessControlPolicy.aclList.grants.add(priUser);
            }
        }
    } else {
        if (GWConstants.CANNED_ACLS_PRIVATE.equalsIgnoreCase(cannedAcl)) {
            Grant priUser = new Grant();
            priUser.grantee = new Grantee();
            priUser.grantee.type = GWConstants.CANONICAL_USER;
            priUser.grantee.id = accessControlPolicy.owner.id;
            priUser.grantee.displayName = accessControlPolicy.owner.displayName;
            priUser.permission = GWConstants.GRANT_FULL_CONTROL;
            accessControlPolicy.aclList.grants.add(priUser);
        } else if (GWConstants.CANNED_ACLS_PUBLIC_READ.equalsIgnoreCase(cannedAcl)) {
            if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicAcls)) {
                logger.info(GWConstants.LOG_ACCESS_DENIED_PUBLIC_ACLS);
                throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
            }
            Grant priUser = new Grant();
            priUser.grantee = new Grantee();
            priUser.grantee.type = GWConstants.CANONICAL_USER;
            priUser.grantee.id = accessControlPolicy.owner.id;
            priUser.grantee.displayName = accessControlPolicy.owner.displayName;
            priUser.permission = GWConstants.GRANT_FULL_CONTROL;
            accessControlPolicy.aclList.grants.add(priUser);
            Grant pubReadUser = new Grant();
            pubReadUser.grantee = new Grantee();
            pubReadUser.grantee.type = GWConstants.GROUP;
            pubReadUser.grantee.uri = GWConstants.AWS_GRANT_URI_ALL_USERS;
            pubReadUser.permission = GWConstants.GRANT_READ;
            accessControlPolicy.aclList.grants.add(pubReadUser);
        } else if (GWConstants.CANNED_ACLS_PUBLIC_READ_WRITE.equalsIgnoreCase(cannedAcl)) {
            if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicAcls)) {
                logger.info(GWConstants.LOG_ACCESS_DENIED_PUBLIC_ACLS);
                throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
            }
            Grant priUser = new Grant();
            priUser.grantee = new Grantee();
            priUser.grantee.type = GWConstants.CANONICAL_USER;
            priUser.grantee.id = accessControlPolicy.owner.id;
            priUser.grantee.displayName = accessControlPolicy.owner.displayName;
            priUser.permission = GWConstants.GRANT_FULL_CONTROL;
            accessControlPolicy.aclList.grants.add(priUser);
            Grant pubReadUser = new Grant();
            pubReadUser.grantee = new Grantee();
            pubReadUser.grantee.type = GWConstants.GROUP;
            pubReadUser.grantee.uri = GWConstants.AWS_GRANT_URI_ALL_USERS;
            pubReadUser.permission = GWConstants.GRANT_READ;
            accessControlPolicy.aclList.grants.add(pubReadUser);
            Grant pubWriteUser = new Grant();
            pubWriteUser.grantee = new Grantee();
            pubWriteUser.grantee.type = GWConstants.GROUP;
            pubWriteUser.grantee.uri = GWConstants.AWS_GRANT_URI_ALL_USERS;
            pubWriteUser.permission = GWConstants.GRANT_WRITE;
            accessControlPolicy.aclList.grants.add(pubWriteUser);
        } else if (GWConstants.CANNED_ACLS_AUTHENTICATED_READ.equalsIgnoreCase(cannedAcl)) {
            if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicAcls)) {
                logger.info(GWConstants.LOG_ACCESS_DENIED_PUBLIC_ACLS);
                throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
            }
            Grant priUser = new Grant();
            priUser.grantee = new Grantee();
            priUser.grantee.type = GWConstants.CANONICAL_USER;
            priUser.grantee.id = accessControlPolicy.owner.id;
            priUser.grantee.displayName = accessControlPolicy.owner.displayName;
            priUser.permission = GWConstants.GRANT_FULL_CONTROL;
            accessControlPolicy.aclList.grants.add(priUser);
            Grant authReadUser = new Grant();
            authReadUser.grantee = new Grantee();
            authReadUser.grantee.type = GWConstants.GROUP;
            authReadUser.grantee.uri = GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS;
            authReadUser.permission = GWConstants.GRANT_READ;
            accessControlPolicy.aclList.grants.add(authReadUser);
        } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_READ.equalsIgnoreCase(cannedAcl)) {
            Grant priUser = new Grant();
            priUser.grantee = new Grantee();
            priUser.grantee.type = GWConstants.CANONICAL_USER;
            priUser.grantee.id = accessControlPolicy.owner.id;
            priUser.grantee.displayName = accessControlPolicy.owner.displayName;
            priUser.permission = GWConstants.GRANT_FULL_CONTROL;
            accessControlPolicy.aclList.grants.add(priUser);
            Grant bucketOwnerReadUser = new Grant();
            bucketOwnerReadUser.grantee = new Grantee();
            bucketOwnerReadUser.grantee.type = GWConstants.CANONICAL_USER;
            bucketOwnerReadUser.grantee.id = bucketInfo.getUserId();
            bucketOwnerReadUser.grantee.displayName = bucketInfo.getUserName();
            bucketOwnerReadUser.permission = GWConstants.GRANT_READ;
            accessControlPolicy.aclList.grants.add(bucketOwnerReadUser);
        } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_FULL_CONTROL.equalsIgnoreCase(cannedAcl)) {
            Grant priUser = new Grant();
            priUser.grantee = new Grantee();
            priUser.grantee.type = GWConstants.CANONICAL_USER;
            priUser.grantee.id = accessControlPolicy.owner.id;
            priUser.grantee.displayName = accessControlPolicy.owner.displayName;
            priUser.permission = GWConstants.GRANT_FULL_CONTROL;
            accessControlPolicy.aclList.grants.add(priUser);
            Grant bucketOwnerFullUser = new Grant();
            bucketOwnerFullUser.grantee = new Grantee();
            bucketOwnerFullUser.grantee.type = GWConstants.CANONICAL_USER;
            bucketOwnerFullUser.grantee.id = bucketInfo.getUserId();
            bucketOwnerFullUser.grantee.displayName = bucketInfo.getUserName();
            bucketOwnerFullUser.permission = GWConstants.GRANT_FULL_CONTROL;
            accessControlPolicy.aclList.grants.add(bucketOwnerFullUser);
        } else if (GWConstants.CANNED_ACLS.contains(cannedAcl)) {
            logger.error(GWErrorCode.NOT_IMPLEMENTED.getMessage() + GWConstants.LOG_ACCESS_CANNED_ACL, cannedAcl);
            throw new GWException(GWErrorCode.NOT_IMPLEMENTED, s3Parameter);
        } else {
            logger.error(HttpServletResponse.SC_BAD_REQUEST + GWConstants.LOG_ACCESS_PROCESS_FAILED);
            throw new GWException(GWErrorCode.BAD_REQUEST, s3Parameter);
        }
    }
    if (!Strings.isNullOrEmpty(getGrantRead)) {
        readAclHeader(getGrantRead, GWConstants.GRANT_READ, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWrite)) {
        readAclHeader(getGrantWrite, GWConstants.GRANT_WRITE, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantReadAcp)) {
        readAclHeader(getGrantReadAcp, GWConstants.GRANT_READ_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWriteAcp)) {
        readAclHeader(getGrantWriteAcp, GWConstants.GRANT_WRITE_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantFullControl)) {
        readAclHeader(getGrantFullControl, GWConstants.GRANT_FULL_CONTROL, accessControlPolicy);
    }
    if (Strings.isNullOrEmpty(aclXml)) {
        XmlMapper xmlMapper = new XmlMapper();
        try {
            aclXml = xmlMapper.writeValueAsString(accessControlPolicy).replaceAll(GWConstants.WSTXNS, GWConstants.XSI);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
        }
    }
    // check user
    try {
        XmlMapper xmlMapper = new XmlMapper();
        AccessControlPolicy checkAcl = xmlMapper.readValue(aclXml, AccessControlPolicy.class);
        aclXml = checkAcl.toString();
        if (checkAcl.aclList.grants != null) {
            for (Grant user : checkAcl.aclList.grants) {
                if (!Strings.isNullOrEmpty(user.grantee.displayName) && GWUtils.getDBInstance().getIdentityByName(user.grantee.displayName, s3Parameter) == null) {
                    logger.info(user.grantee.displayName);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                if (!Strings.isNullOrEmpty(user.grantee.id) && !user.grantee.id.matches(GWConstants.BACKSLASH_D_PLUS)) {
                    logger.info(user.grantee.id);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                if (!Strings.isNullOrEmpty(user.grantee.id) && GWUtils.getDBInstance().getIdentityByID(user.grantee.id, s3Parameter) == null) {
                    logger.info(user.grantee.id);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
            }
        }
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
    }
    return aclXml;
}
Also used : PublicAccessBlockConfiguration(com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration) Grant(com.pspace.ifs.ksan.gw.format.AccessControlPolicy.AccessControlList.Grant) Grantee(com.pspace.ifs.ksan.gw.format.AccessControlPolicy.AccessControlList.Grant.Grantee) AccessControlPolicy(com.pspace.ifs.ksan.gw.format.AccessControlPolicy) GWException(com.pspace.ifs.ksan.gw.exception.GWException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) XmlMapper(com.fasterxml.jackson.dataformat.xml.XmlMapper)

Aggregations

JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)2 XmlMapper (com.fasterxml.jackson.dataformat.xml.XmlMapper)2 GWException (com.pspace.ifs.ksan.gw.exception.GWException)2 AccessControlPolicy (com.pspace.ifs.ksan.gw.format.AccessControlPolicy)2 PublicAccessBlockConfiguration (com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration)2 JsonMappingException (com.fasterxml.jackson.databind.JsonMappingException)1 JsonNode (com.fasterxml.jackson.databind.JsonNode)1 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)1 Grant (com.pspace.ifs.ksan.gw.format.AccessControlPolicy.AccessControlList.Grant)1 Grantee (com.pspace.ifs.ksan.gw.format.AccessControlPolicy.AccessControlList.Grant.Grantee)1 Policy (com.pspace.ifs.ksan.gw.format.Policy)1 Statement (com.pspace.ifs.ksan.gw.format.Policy.Statement)1 Map (java.util.Map)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial