
Example 1 with PublicAccessBlockConfiguration

use of com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration in project ksan by infinistor.

From the class GWUtils, method isPublicPolicyBucket:

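/**
 * Reports whether a bucket policy document grants access to the public.
 *
 * <p>A policy is treated as public when at least one {@code Allow} statement names the wildcard
 * principal ({@code *}) or a wildcard resource (a bare {@code *}, or an ARN whose sixth
 * colon-separated field is {@code *}) and carries none of the condition keys recognised by
 * {@link #isNonPublicConditionKey(String)}. Only the first key of each condition operator object
 * is inspected.
 *
 * <p>If the bucket's public access block configuration has {@code BlockPublicPolicy} set to
 * true, any statement with a wildcard principal or resource (regardless of its effect or
 * conditions) raises {@code ACCESS_DENIED} instead of being evaluated further.
 *
 * @param policyInfo  bucket policy JSON; {@code null} or empty means "no policy" and yields {@code false}
 * @param s3Parameter request context; its bucket's access XML, when present, supplies the public
 *                    access block settings
 * @return {@code true} if the policy contains a public {@code Allow} statement, {@code false} otherwise
 * @throws GWException {@code SERVER_ERROR} if the access XML or the policy JSON cannot be parsed;
 *                     {@code ACCESS_DENIED} when a wildcard statement is found while
 *                     BlockPublicPolicy is true
 */
public static boolean isPublicPolicyBucket(String policyInfo, S3Parameter s3Parameter) throws GWException {
    PublicAccessBlockConfiguration pabc = null;
    if (s3Parameter.getBucket() != null && !Strings.isNullOrEmpty(s3Parameter.getBucket().getAccess())) {
        try {
            pabc = new XmlMapper().readValue(s3Parameter.getBucket().getAccess(), PublicAccessBlockConfiguration.class);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, e, s3Parameter);
        }
    }

    // No policy document: nothing can be public.
    if (Strings.isNullOrEmpty(policyInfo)) {
        return false;
    }

    Policy policy;
    try {
        // JsonMappingException is a subclass of JsonProcessingException; one handler covers both.
        policy = new ObjectMapper().readValue(policyInfo, Policy.class);
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
    }
    // A document without statements grants nothing, so it is not public.
    if (policy == null || policy.statements == null) {
        return false;
    }

    for (Statement s : policy.statements) {
        boolean wildcardGrant = false;

        // Wildcard principal: the statement applies to everyone.
        // NOTE(review): assumes the parser maps Principal "*" into principal.aws — confirm against Policy.
        if (s.principal != null && s.principal.aws != null) {
            for (String aws : s.principal.aws) {
                if (GWConstants.ASTERISK.equals(aws)) {
                    denyIfPublicPolicyBlocked(pabc, s3Parameter);
                    wildcardGrant = true;
                    break;
                }
            }
        }

        // Wildcard resource: either a bare "*" or an ARN whose resource field is "*".
        if (s.resources != null) {
            for (String resource : s.resources) {
                if (resource == null) {
                    continue;
                }
                if (GWConstants.ASTERISK.equals(resource)) {
                    denyIfPublicPolicyBlocked(pabc, s3Parameter);
                    wildcardGrant = true;
                    break;
                }
                String[] res = resource.split(GWConstants.COLON, -1);
                // A value with fewer than six colon-separated fields is not an ARN and cannot be
                // the all-objects wildcard; guard the index instead of indexing res[5] blindly.
                if (res.length > 5 && GWConstants.ASTERISK.equals(res[5])) {
                    denyIfPublicPolicyBlocked(pabc, s3Parameter);
                    wildcardGrant = true;
                    break;
                }
            }
        }

        // A condition keyed on one of the recognised keys keeps the statement from counting as
        // public. Only the first field of each condition operator object is read.
        boolean restrictedByCondition = false;
        if (s.condition != null) {
            for (Map.Entry<String, JsonNode> entry : s.condition.getUserExtensions().entries()) {
                JsonNode operator = entry.getValue();
                if (!operator.isObject()) {
                    continue;
                }
                Iterator<String> fieldNames = operator.fieldNames();
                if (!fieldNames.hasNext()) {
                    continue;
                }
                String key = fieldNames.next();
                logger.info(GWConstants.LOG_UTILS_KEY, key);
                if (isNonPublicConditionKey(key)) {
                    restrictedByCondition = true;
                    break;
                }
            }
        }

        if (GWConstants.ALLOW.equals(s.effect) && wildcardGrant && !restrictedByCondition) {
            denyIfPublicPolicyBlocked(pabc, s3Parameter);
            return true;
        }
    }
    return false;
}

/**
 * Throws {@code ACCESS_DENIED} when the bucket's public access block has BlockPublicPolicy set
 * to true. A {@code null} configuration, or one whose BlockPublicPolicy element is absent, blocks
 * nothing.
 *
 * @param pabc        parsed public access block configuration, or {@code null} if the bucket has none
 * @param s3Parameter request context passed into the thrown exception
 * @throws GWException {@code ACCESS_DENIED} when public policies are blocked
 */
private static void denyIfPublicPolicyBlocked(PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    // Constant-first comparison is null-safe when the XML lacks the BlockPublicPolicy element.
    if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicPolicy)) {
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }
}

/**
 * Returns whether {@code key} is one of the condition keys whose presence makes an otherwise
 * wildcard {@code Allow} statement count as non-public in {@link #isPublicPolicyBucket}.
 *
 * @param key condition key read from the policy statement (may be {@code null})
 * @return {@code true} for a recognised restricting key, {@code false} otherwise
 */
private static boolean isNonPublicConditionKey(String key) {
    return GWConstants.AWS_SOURCE_ARN.equals(key)
        || GWConstants.AWS_SOURCE_VPC.equals(key)
        || GWConstants.AWS_SOURCE_VPCE.equals(key)
        || GWConstants.AWS_SOURCE_OWNER.equals(key)
        || GWConstants.AWS_SOURCE_ACCOUNT.equals(key)
        || GWConstants.S3_SERVER_SIDE_ENCRYPTION_AWS_KMS_KEY_ID.equals(key)
        || GWConstants.S3_DATA_ACCESS_POINT_ARN.equals(key)
        || GWConstants.AWS_SOURCE_IP.equals(key);
}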
Also used : Policy(com.pspace.ifs.ksan.gw.format.Policy) AccessControlPolicy(com.pspace.ifs.ksan.gw.format.AccessControlPolicy) Statement(com.pspace.ifs.ksan.gw.format.Policy.Statement) JsonNode(com.fasterxml.jackson.databind.JsonNode) XmlMapper(com.fasterxml.jackson.dataformat.xml.XmlMapper) PublicAccessBlockConfiguration(com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration) JsonMappingException(com.fasterxml.jackson.databind.JsonMappingException) GWException(com.pspace.ifs.ksan.gw.exception.GWException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) Map(java.util.Map) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper)

Example 2 with PublicAccessBlockConfiguration

use of com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration in project ksan by infinistor.

From the class GWUtils, method makeAclXml:

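/**
 * Builds, validates and returns the ACL XML for an ACL request.
 *
 * <p>The owner is copied from {@code preAccessControlPolicy} when it has one, otherwise set to
 * {@code userId}/{@code userName}. Grants then come from one of three sources: a canned ACL
 * ({@code cannedAcl}), a client-supplied ACL body ({@code getAclXml}, used only when
 * {@code hasKeyWord} is false), or the grant header values ({@code getGrantRead} …
 * {@code getGrantFullControl}), which are appended through {@code readAclHeader}. When none of
 * them supplies anything, the owner receives FULL_CONTROL.
 *
 * <p>If the bucket's public access block has {@code BlockPublicAcls} set to true, any grant to the
 * AllUsers or AuthenticatedUsers group — whether it came from a canned ACL, a grant header or the
 * ACL body — is rejected with {@code ACCESS_DENIED}. The final XML is re-parsed and every grantee
 * display name and id must resolve to a known identity; ids must also match
 * {@code GWConstants.BACKSLASH_D_PLUS}.
 *
 * @param accessControlPolicy    policy object that receives the owner and generated grants
 * @param preAccessControlPolicy previously stored policy whose owner is preserved, or {@code null}
 * @param hasKeyWord             when true the client ACL body in {@code getAclXml} is ignored
 * @param getAclXml              client-supplied ACL XML body, may be {@code null}
 * @param cannedAcl              canned ACL name, may be {@code null} or empty
 * @param bucketInfo             bucket whose access XML holds the public access block settings and
 *                               whose owner is used by the bucket-owner canned ACLs; may be {@code null}
 * @param userId                 requester id used as owner when no previous policy exists
 * @param userName               requester display name used as owner when no previous policy exists
 * @param getGrantRead           READ grant header value, may be {@code null}
 * @param getGrantWrite          WRITE grant header value, may be {@code null}
 * @param getGrantFullControl    FULL_CONTROL grant header value, may be {@code null}
 * @param getGrantReadAcp        READ_ACP grant header value, may be {@code null}
 * @param getGrantWriteAcp       WRITE_ACP grant header value, may be {@code null}
 * @param s3Parameter            request context passed to lookups and thrown exceptions
 * @return the validated ACL XML
 * @throws GWException {@code SERVER_ERROR} on XML (de)serialisation failure, {@code ACCESS_DENIED}
 *                     when a public grant is blocked, {@code NOT_IMPLEMENTED} for a known but
 *                     unsupported canned ACL, {@code BAD_REQUEST} for an unknown one, and
 *                     {@code INVALID_ARGUMENT} for an unresolvable grantee
 */
public static String makeAclXml(AccessControlPolicy accessControlPolicy, AccessControlPolicy preAccessControlPolicy, boolean hasKeyWord, String getAclXml, String cannedAcl, Bucket bucketInfo, String userId, String userName, String getGrantRead, String getGrantWrite, String getGrantFullControl, String getGrantReadAcp, String getGrantWriteAcp, S3Parameter s3Parameter) throws GWException {
    PublicAccessBlockConfiguration pabc = null;
    if (bucketInfo != null && !Strings.isNullOrEmpty(bucketInfo.getAccess())) {
        try {
            pabc = new XmlMapper().readValue(bucketInfo.getAccess(), PublicAccessBlockConfiguration.class);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
        }
    }
    logger.info(GWConstants.LOG_UTILS_CANNED_ACL, cannedAcl);
    logger.info(GWConstants.LOG_UTILS_ACL_XML, getAclXml);

    // An existing ACL keeps its owner; a fresh one is owned by the requester.
    if (preAccessControlPolicy != null && preAccessControlPolicy.owner != null) {
        accessControlPolicy.owner.id = preAccessControlPolicy.owner.id;
        accessControlPolicy.owner.displayName = preAccessControlPolicy.owner.displayName;
    } else {
        accessControlPolicy.owner.id = userId;
        accessControlPolicy.owner.displayName = userName;
    }

    // The client ACL body is honoured only when the request carries no keyword.
    String aclXml = hasKeyWord ? null : getAclXml;

    if (Strings.isNullOrEmpty(cannedAcl)) {
        boolean noGrantHeaders = Strings.isNullOrEmpty(getGrantRead)
            && Strings.isNullOrEmpty(getGrantWrite)
            && Strings.isNullOrEmpty(getGrantReadAcp)
            && Strings.isNullOrEmpty(getGrantWriteAcp)
            && Strings.isNullOrEmpty(getGrantFullControl);
        if (Strings.isNullOrEmpty(aclXml) && noGrantHeaders) {
            // Nothing specified anywhere: default to owner FULL_CONTROL.
            accessControlPolicy.aclList.grants.add(ownerFullControlGrant(accessControlPolicy));
        }
    } else if (GWConstants.CANNED_ACLS_PRIVATE.equalsIgnoreCase(cannedAcl)) {
        accessControlPolicy.aclList.grants.add(ownerFullControlGrant(accessControlPolicy));
    } else if (GWConstants.CANNED_ACLS_PUBLIC_READ.equalsIgnoreCase(cannedAcl)) {
        denyIfPublicAclsBlocked(pabc, s3Parameter);
        accessControlPolicy.aclList.grants.add(ownerFullControlGrant(accessControlPolicy));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_READ));
    } else if (GWConstants.CANNED_ACLS_PUBLIC_READ_WRITE.equalsIgnoreCase(cannedAcl)) {
        denyIfPublicAclsBlocked(pabc, s3Parameter);
        accessControlPolicy.aclList.grants.add(ownerFullControlGrant(accessControlPolicy));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_READ));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_ALL_USERS, GWConstants.GRANT_WRITE));
    } else if (GWConstants.CANNED_ACLS_AUTHENTICATED_READ.equalsIgnoreCase(cannedAcl)) {
        denyIfPublicAclsBlocked(pabc, s3Parameter);
        accessControlPolicy.aclList.grants.add(ownerFullControlGrant(accessControlPolicy));
        accessControlPolicy.aclList.grants.add(groupGrant(GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS, GWConstants.GRANT_READ));
    } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_READ.equalsIgnoreCase(cannedAcl)) {
        // NOTE(review): bucketInfo may be null (see the guard above); this branch then fails with
        // NullPointerException — confirm callers always pass it for bucket-owner canned ACLs.
        accessControlPolicy.aclList.grants.add(ownerFullControlGrant(accessControlPolicy));
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(bucketInfo.getUserId(), bucketInfo.getUserName(), GWConstants.GRANT_READ));
    } else if (GWConstants.CANNED_ACLS_BUCKET_OWNER_FULL_CONTROL.equalsIgnoreCase(cannedAcl)) {
        // NOTE(review): same bucketInfo null assumption as the bucket-owner-read branch.
        accessControlPolicy.aclList.grants.add(ownerFullControlGrant(accessControlPolicy));
        accessControlPolicy.aclList.grants.add(canonicalUserGrant(bucketInfo.getUserId(), bucketInfo.getUserName(), GWConstants.GRANT_FULL_CONTROL));
    } else if (GWConstants.CANNED_ACLS.contains(cannedAcl)) {
        // Known canned ACL that this gateway does not support.
        logger.error(GWErrorCode.NOT_IMPLEMENTED.getMessage() + GWConstants.LOG_ACCESS_CANNED_ACL, cannedAcl);
        throw new GWException(GWErrorCode.NOT_IMPLEMENTED, s3Parameter);
    } else {
        logger.error(HttpServletResponse.SC_BAD_REQUEST + GWConstants.LOG_ACCESS_PROCESS_FAILED);
        throw new GWException(GWErrorCode.BAD_REQUEST, s3Parameter);
    }

    // Grant headers are additive on top of whatever the canned ACL produced.
    if (!Strings.isNullOrEmpty(getGrantRead)) {
        readAclHeader(getGrantRead, GWConstants.GRANT_READ, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWrite)) {
        readAclHeader(getGrantWrite, GWConstants.GRANT_WRITE, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantReadAcp)) {
        readAclHeader(getGrantReadAcp, GWConstants.GRANT_READ_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantWriteAcp)) {
        readAclHeader(getGrantWriteAcp, GWConstants.GRANT_WRITE_ACP, accessControlPolicy);
    }
    if (!Strings.isNullOrEmpty(getGrantFullControl)) {
        readAclHeader(getGrantFullControl, GWConstants.GRANT_FULL_CONTROL, accessControlPolicy);
    }

    // Without a client body, serialise the policy we built.
    if (Strings.isNullOrEmpty(aclXml)) {
        try {
            aclXml = new XmlMapper().writeValueAsString(accessControlPolicy).replaceAll(GWConstants.WSTXNS, GWConstants.XSI);
        } catch (JsonProcessingException e) {
            PrintStack.logging(logger, e);
            throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
        }
    }

    // Re-parse the final XML so body-supplied grants are validated the same way as generated ones.
    // NOTE(review): aclXml may be client-supplied; confirm the XmlMapper's XMLInputFactory has DTD
    // and external-entity support disabled.
    try {
        AccessControlPolicy checkAcl = new XmlMapper().readValue(aclXml, AccessControlPolicy.class);
        aclXml = checkAcl.toString();
        if (checkAcl.aclList.grants != null) {
            for (Grant user : checkAcl.aclList.grants) {
                // BlockPublicAcls covers every grant source, not only the canned-ACL branches above.
                if (isPublicGroupGrant(user)) {
                    denyIfPublicAclsBlocked(pabc, s3Parameter);
                }
                if (!Strings.isNullOrEmpty(user.grantee.displayName) && GWUtils.getDBInstance().getIdentityByName(user.grantee.displayName, s3Parameter) == null) {
                    logger.info(user.grantee.displayName);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                if (!Strings.isNullOrEmpty(user.grantee.id) && !user.grantee.id.matches(GWConstants.BACKSLASH_D_PLUS)) {
                    logger.info(user.grantee.id);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
                if (!Strings.isNullOrEmpty(user.grantee.id) && GWUtils.getDBInstance().getIdentityByID(user.grantee.id, s3Parameter) == null) {
                    logger.info(user.grantee.id);
                    throw new GWException(GWErrorCode.INVALID_ARGUMENT, s3Parameter);
                }
            }
        }
    } catch (JsonProcessingException e) {
        PrintStack.logging(logger, e);
        throw new GWException(GWErrorCode.SERVER_ERROR, s3Parameter);
    }
    return aclXml;
}

/**
 * Builds a CanonicalUser grant.
 *
 * @param id          grantee canonical id
 * @param displayName grantee display name
 * @param permission  one of the {@code GWConstants.GRANT_*} permissions
 * @return the populated grant
 */
private static Grant canonicalUserGrant(String id, String displayName, String permission) {
    Grant grant = new Grant();
    grant.grantee = new Grantee();
    grant.grantee.type = GWConstants.CANONICAL_USER;
    grant.grantee.id = id;
    grant.grantee.displayName = displayName;
    grant.permission = permission;
    return grant;
}

/**
 * Builds a Group grant for a predefined group.
 *
 * @param uri        group URI such as {@code GWConstants.AWS_GRANT_URI_ALL_USERS}
 * @param permission one of the {@code GWConstants.GRANT_*} permissions
 * @return the populated grant
 */
private static Grant groupGrant(String uri, String permission) {
    Grant grant = new Grant();
    grant.grantee = new Grantee();
    grant.grantee.type = GWConstants.GROUP;
    grant.grantee.uri = uri;
    grant.permission = permission;
    return grant;
}

/**
 * Builds the owner FULL_CONTROL grant that every canned ACL starts with.
 *
 * @param accessControlPolicy policy whose owner id and display name are granted
 * @return the populated grant
 */
private static Grant ownerFullControlGrant(AccessControlPolicy accessControlPolicy) {
    return canonicalUserGrant(accessControlPolicy.owner.id, accessControlPolicy.owner.displayName, GWConstants.GRANT_FULL_CONTROL);
}

/**
 * Returns whether a grant targets the AllUsers or AuthenticatedUsers group, i.e. is public for
 * the purposes of BlockPublicAcls.
 *
 * @param grant grant read back from the final ACL XML
 * @return {@code true} for a public group grantee, {@code false} otherwise
 */
private static boolean isPublicGroupGrant(Grant grant) {
    if (grant == null || grant.grantee == null) {
        return false;
    }
    return GWConstants.AWS_GRANT_URI_ALL_USERS.equals(grant.grantee.uri)
        || GWConstants.AWS_GRANT_URI_AUTHENTICATED_USERS.equals(grant.grantee.uri);
}

/**
 * Throws {@code ACCESS_DENIED} when the bucket's public access block has BlockPublicAcls set to
 * true. A {@code null} configuration, or one whose BlockPublicAcls element is absent, blocks nothing.
 *
 * @param pabc        parsed public access block configuration, or {@code null} if the bucket has none
 * @param s3Parameter request context passed into the thrown exception
 * @throws GWException {@code ACCESS_DENIED} when public ACLs are blocked
 */
private static void denyIfPublicAclsBlocked(PublicAccessBlockConfiguration pabc, S3Parameter s3Parameter) throws GWException {
    if (pabc != null && GWConstants.STRING_TRUE.equalsIgnoreCase(pabc.BlockPublicAcls)) {
        logger.info(GWConstants.LOG_ACCESS_DENIED_PUBLIC_ACLS);
        throw new GWException(GWErrorCode.ACCESS_DENIED, s3Parameter);
    }
}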
Also used : PublicAccessBlockConfiguration(com.pspace.ifs.ksan.gw.format.PublicAccessBlockConfiguration) Grant(com.pspace.ifs.ksan.gw.format.AccessControlPolicy.AccessControlList.Grant) Grantee(com.pspace.ifs.ksan.gw.format.AccessControlPolicy.AccessControlList.Grant.Grantee) AccessControlPolicy(com.pspace.ifs.ksan.gw.format.AccessControlPolicy) GWException(com.pspace.ifs.ksan.gw.exception.GWException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) XmlMapper(com.fasterxml.jackson.dataformat.xml.XmlMapper)
