
Example 1 with AuthorizationResourceAction

use of com.sequenceiq.authorization.resource.AuthorizationResourceAction in project cloudbreak by hortonworks.

the class UmsResourceAuthorizationServiceTest method init.

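/**
 * Wires the collaborators the authorization tests rely on.
 *
 * <p>The resource-name lookup answers with an empty map, the message utility is a
 * spy around a real instance that is pushed into {@code underTest} by reflection,
 * and the right provider simply echoes the right declared on whichever action it is
 * asked about, so no UMS round-trip is involved in the tests.
 *
 * @throws IllegalAccessException if the reflective field write is refused
 */
@BeforeEach
public void init() throws IllegalAccessException {
    // Collections.emptyMap() is the generic, type-safe form of the raw EMPTY_MAP constant.
    when(resourceNameFactoryService.getNames(any())).thenReturn(Collections.emptyMap());
    this.authorizationMessageUtilsService = spy(new AuthorizationMessageUtilsService(resourceNameFactoryService));
    // Injected reflectively (presumably the field is not constructor-injected on underTest — confirm).
    FieldUtils.writeField(underTest, "authorizationMessageUtilsService", authorizationMessageUtilsService, true);
    // Each action resolves to its own declared right; the argument is the action under check.
    when(umsRightProvider.getRight(any())).thenAnswer(invocation -> {
        AuthorizationResourceAction action = invocation.getArgument(0);
        return action.getRight();
    });
}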

Example 2 with AuthorizationResourceAction

use of com.sequenceiq.authorization.resource.AuthorizationResourceAction in project cloudbreak by hortonworks.

the class EnforcePropertyProviderTestUtil method validationAnnotationByProvider.

/**
 * Picks the provider subtype that is expected to back the given authorization annotation.
 *
 * <p>When every validation predicate accepts the annotation, the registered subtypes of
 * {@code propertyProviderClass} are probed with a sample instance and the first one whose
 * supported resource type matches the annotation's action is returned (empty when none does).
 * When any predicate rejects the annotation, the provider class itself is returned unchanged.
 *
 * @param propertyProviderClass the provider interface whose subtypes are candidates
 * @param validationPredicates  predicates that must all accept {@code annotation}
 * @param annotation            the permission-check annotation under test
 * @return the matching subtype, the input class when validation does not apply, or empty
 */
private static <T extends ResourcePropertyProvider> Optional<Class<? extends ResourcePropertyProvider>> validationAnnotationByProvider(Class<T> propertyProviderClass, Set<Predicate<Annotation>> validationPredicates, Annotation annotation) {
    AuthorizationResourceType expectedType = getAction(annotation).getAuthorizationResourceType();
    boolean annotationAccepted = validationPredicates.stream().allMatch(predicate -> predicate.test(annotation));
    if (!annotationAccepted) {
        return Optional.of(propertyProviderClass);
    }
    // Probe each registered subtype with a generated sample; the (T) cast is unchecked and only
    // needed if the sample factory does not return the candidate's own type — verify.
    for (Class<? extends ResourcePropertyProvider> candidate : PROVIDER_SUBTYPES_MAP.get(propertyProviderClass)) {
        ResourcePropertyProvider sample = (T) EnforceAuthorizationTestUtil.getSampleObjectFactory().manufacturePojo(candidate);
        if (expectedType.equals(sample.getSupportedAuthorizationResourceType())) {
            return Optional.of(candidate);
        }
    }
    return Optional.empty();
}

Example 3 with AuthorizationResourceAction

use of com.sequenceiq.authorization.resource.AuthorizationResourceAction in project cloudbreak by hortonworks.

the class EnforcePropertyProviderTestUtil method addErrorIfNeeded.

/**
 * Records a validation error when no provider could be resolved for an annotated method.
 *
 * @param method               the annotated method being checked
 * @param errors               accumulator the error message is appended to
 * @param providerClass        the provider interface that would have been required
 * @param annotation           the permission-check annotation on the method
 * @param providerClassPresent the resolved provider; an empty value triggers the error
 */
private static void addErrorIfNeeded(Method method, List<String> errors, Class<? extends ResourcePropertyProvider> providerClass, Annotation annotation, Optional<Class<? extends ResourcePropertyProvider>> providerClassPresent) {
    if (providerClassPresent.isPresent()) {
        return;
    }
    AuthorizationResourceAction requiredAction = getAction(annotation);
    AuthorizationResourceType resourceType = requiredAction.getAuthorizationResourceType();
    String methodRef = method.getDeclaringClass().getSimpleName() + "#" + method.getName();
    errors.add(String.format("Provider with interface %s implemented is needed to authorize using action %s and resource type %s (method: %s)", providerClass.getSimpleName(), requiredAction, resourceType, methodRef));
}

Example 4 with AuthorizationResourceAction

use of com.sequenceiq.authorization.resource.AuthorizationResourceAction in project cloudbreak by hortonworks.

the class RequestPropertyAuthorizationFactory method calcAuthorization.

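/**
 * Builds the authorization rule for the request property named by the annotation.
 *
 * <p>The property is read reflectively from {@code resourceObject}; a present value is turned
 * into a rule by {@code calcAuthorizationFromObject}. A missing value — a {@code null} leaf or
 * a {@code null} bean somewhere along the property path — is tolerated only when the annotation
 * sets {@code skipOnNull}; otherwise the request is rejected. Any checked failure while reading
 * the property fails closed and is reported as access denied.
 *
 * @param resourceObject   the request object the annotated method received
 * @param methodAnnotation annotation naming the property path, variable type and action
 * @param userCrn          CRN of the calling user
 * @return the rule to evaluate, or empty when there is nothing to authorize
 * @throws BadRequestException   if the property is null and {@code skipOnNull} is not set
 * @throws AccessDeniedException if reading the property fails with a checked exception
 */
private Optional<AuthorizationRule> calcAuthorization(Object resourceObject, CheckPermissionByRequestProperty methodAnnotation, String userCrn) {
    // Read the annotation once; the original consulted skipOnNull() twice for the same decision.
    boolean skipOnNull = methodAnnotation.skipOnNull();
    String path = methodAnnotation.path();
    String nullPropertyMessage = String.format("Property [%s] of the request object must not be null.", path);
    try {
        Object fieldObject = PropertyUtils.getProperty(resourceObject, path);
        AuthorizationVariableType authorizationVariableType = methodAnnotation.type();
        AuthorizationResourceAction action = methodAnnotation.action();
        if (fieldObject != null) {
            return calcAuthorizationFromObject(action, authorizationVariableType, fieldObject, userCrn);
        } else if (!skipOnNull) {
            // If BadRequestException is unchecked it passes through the RuntimeException catch below,
            // which logs and rethrows it — existing behaviour, kept as is.
            throw new BadRequestException(nullPropertyMessage);
        }
    } catch (NestedNullException nne) {
        // An intermediate bean on the path was null; treated exactly like a null leaf value.
        if (!skipOnNull) {
            throw new BadRequestException(nullPropertyMessage);
        }
    } catch (NotFoundException nfe) {
        // No rule is produced for a missing resource; the service's own lookup is expected to
        // surface the not-found condition to the caller.
        LOGGER.warn("Resource not found during permission check of resource object, this should be handled by microservice.");
    } catch (Error | RuntimeException unchecked) {
        LOGGER.error("Error happened during authorization of the request object: ", unchecked);
        throw unchecked;
    } catch (Throwable t) {
        // Checked reflection failures (e.g. from PropertyUtils) deny access rather than let the
        // request proceed unauthorized.
        LOGGER.error("Error happened during authorization of the request object: ", t);
        throw new AccessDeniedException("Error happened during authorization of the request object, thus access is denied!", t);
    }
    return Optional.empty();
}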

Example 5 with AuthorizationResourceAction

use of com.sequenceiq.authorization.resource.AuthorizationResourceAction in project cloudbreak by hortonworks.

the class ResourceCrnListAuthorizationFactory method doGetAuthorization.

/**
 * Produces the rule that authorizes {@code userCrn} for the annotation's action over every
 * CRN found in the method's {@code @ResourceCrnList} parameter.
 *
 * @param methodAnnotation   annotation carrying the action to check
 * @param userCrn            CRN of the calling user
 * @param proceedingJoinPoint join point of the intercepted call
 * @param methodSignature    signature used to locate the annotated parameter
 * @return the rule to evaluate for the whole CRN list
 */
@Override
public Optional<AuthorizationRule> doGetAuthorization(CheckPermissionByResourceCrnList methodAnnotation, String userCrn, ProceedingJoinPoint proceedingJoinPoint, MethodSignature methodSignature) {
    AuthorizationResourceAction requestedAction = methodAnnotation.action();
    Collection<String> crns = commonPermissionCheckingUtils.getParameter(proceedingJoinPoint, methodSignature, ResourceCrnList.class, Collection.class);
    // CRNs from another account are rejected before any rule is built.
    crnAccountValidator.validateSameAccount(userCrn, crns);
    String crnList = Joiner.on(",").join(crns);
    LOGGER.debug("Getting authorization rule to authorize user [{}] for action [{}] over resources [{}]", userCrn, requestedAction, crnList);
    return calcAuthorization(crns, requestedAction);
}
