
Example 6 with PolicyEngine

use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

the class JsonStoreManager method assertStoragePolicy.

/**
 * Checks the organization's JSON store count against the JSON storage policy
 * that applies to the current user and rejects the operation on a violation.
 *
 * <p>The check is skipped when {@code policyManager} resolves no policy engine,
 * so an organization/user without a linked policy has no limit enforced here.
 *
 * @param orgId ID of the organization whose stores are counted
 * @throws ConcordApplicationException if the policy reports at least one denied rule
 * @throws RuntimeException if evaluating the policy (or counting the stores) fails
 */
private void assertStoragePolicy(UUID orgId) {
    PolicyEngine engine = policyManager.get(orgId, null, UserPrincipal.assertCurrent().getUser().getId());
    if (engine == null) {
        // No policy engine resolved: nothing to enforce.
        return;
    }

    CheckResult<JsonStoreRule.StoreRule, Integer> outcome;
    try {
        // The store count is passed as a supplier; the policy decides when to evaluate it.
        outcome = engine.getJsonStoragePolicy().checkStorage(() -> storeDao.count(orgId));
    } catch (Exception cause) {
        throw new RuntimeException(cause);
    }

    if (outcome.getDeny().isEmpty()) {
        return;
    }
    throw new ConcordApplicationException("Found JSON store policy violations: " + buildErrorMessage(outcome.getDeny()));
}
Also used : JsonStoreRule(com.walmartlabs.concord.policyengine.JsonStoreRule) ConcordApplicationException(com.walmartlabs.concord.server.sdk.ConcordApplicationException) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) ValidationErrorsException(org.sonatype.siesta.ValidationErrorsException) ConcordApplicationException(com.walmartlabs.concord.server.sdk.ConcordApplicationException)

Example 7 with PolicyEngine

use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

the class JsonStoreManager method getCapacity.

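/**
 * Reports the current size of a JSON store together with the maximum size
 * allowed by the JSON storage policy, if one applies.
 *
 * <p>The caller must pass the organization access check and hold at least
 * {@code ResourceAccessLevel.READER} on the store; both {@code assertAccess}
 * calls run before any size or policy data is read.
 *
 * @param orgName name of the organization that owns the store
 * @param storeName name of the JSON store
 * @return the store's current size and the policy's maximum size;
 *         {@code maxSize} is {@code null} when no policy engine is resolved
 */
public JsonStoreCapacity getCapacity(String orgName, String storeName) {
    OrganizationEntry org = orgManager.assertAccess(orgName, false);
    JsonStoreEntry store = jsonStoreAccessManager.assertAccess(org.getId(), null, storeName, ResourceAccessLevel.READER, true);
    long currentSize = storeDataDao.getSize(store.id());

    // Policies are looked up by organization ID (assertStoragePolicy in this class
    // passes orgId as the first argument). Passing the store ID here would never
    // match an organization-level policy, so the reported limit could differ from
    // the limit that is actually enforced.
    PolicyEngine policy = policyManager.get(org.getId(), null, UserPrincipal.assertCurrent().getId());

    Long maxSize = null;
    if (policy != null) {
        maxSize = policy.getJsonStoragePolicy().getMaxSize();
    }
    return JsonStoreCapacity.builder().size(currentSize).maxSize(maxSize).build();
}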
Also used : PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine)

Example 8 with PolicyEngine

use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

the class PolicyCache method reloadPolicies.

/**
 * Rebuilds the cached policy engines from the policy links stored in the database.
 *
 * <p>Each link is classified by which of its org/project/user IDs are set:
 * none set is the default policy, exactly one set goes into the matching
 * per-scope map, and any other combination that includes a user ID is kept in
 * the list of "other" user policies. A link with both an org and a project ID
 * but no user ID is only logged and is not applied. Links that point to a
 * policy missing from the merged set are skipped without a log entry. When
 * several links target the same scope, the last one processed wins.
 */
private void reloadPolicies() {
    PolicyEngine fallback = null;
    Map<UUID, PolicyEngine> orgEngines = new HashMap<>();
    Map<UUID, PolicyEngine> projectEngines = new HashMap<>();
    Map<UUID, PolicyEngine> userEngines = new HashMap<>();
    List<PolicyItem> mixedUserPolicies = new ArrayList<>();

    List<PolicyLink> links = dao.listLinks();
    if (!links.isEmpty()) {
        // Policies are only loaded when there is at least one link to resolve.
        Map<UUID, Policy> merged = mergePolicies(dao.listPolicies());
        for (PolicyLink link : links) {
            Policy linked = merged.get(link.policyId());
            if (linked == null) {
                continue;
            }

            PolicyEngine engine = new PolicyEngine(linked.policyNames(), linked.rules());
            boolean hasOrg = link.orgId() != null;
            boolean hasProject = link.projectId() != null;
            boolean hasUser = link.userId() != null;

            if (hasUser) {
                if (hasOrg || hasProject) {
                    // user ID combined with an org and/or project ID
                    mixedUserPolicies.add(PolicyItem.of(link, engine));
                } else {
                    userEngines.put(link.userId(), engine);
                }
            } else if (hasOrg && hasProject) {
                // org + project without a user is not a supported combination
                log.warn("Unexpected policy link: {}", link);
            } else if (hasOrg) {
                orgEngines.put(link.orgId(), engine);
            } else if (hasProject) {
                projectEngines.put(link.projectId(), engine);
            } else {
                fallback = engine;
            }
        }
    }

    setPolicies(fallback, orgEngines, projectEngines, userEngines, mixedUserPolicies);
}
Also used : PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine)

Example 9 with PolicyEngine

use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

the class ProcessStateManager method importPath.

/**
 * Imports every regular file under {@code src} that passes {@code filter} into
 * the process state, replacing existing items with the same path.
 *
 * <p>The state policy is checked twice: once against the source tree before
 * anything is written, and once more after all files have been inserted.
 * Non-regular files (checked without following symlinks) are rejected with an
 * exception rather than imported. Files whose state path is listed in
 * {@code secureFiles} are flagged for encryption.
 *
 * @param tx the jOOQ context used for all deletes and inserts
 * @param processKey identifies the process whose state is updated
 * @param path prefix for the imported item paths, normalized by {@code fixPath}
 * @param src root directory to import from
 * @param filter decides which visited files are imported
 * @throws IllegalStateException if the filter accepts a non-regular file
 * @throws RuntimeException wrapping any {@link IOException} raised during the walk
 */
@WithTimer
public void importPath(DSLContext tx, ProcessKey processKey, String path, Path src, BiFunction<Path, BasicFileAttributes, Boolean> filter) {
    // Pre-check: fails before any row is touched if the source tree has forbidden files.
    PolicyEngine policyEngine = assertPolicy(tx, processKey, src, filter);

    String prefix = fixPath(path);
    List<BatchItem> pending = new ArrayList<>();
    try {
        Files.walkFileTree(src, new SimpleFileVisitor<Path>() {

            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                if (!filter.apply(file, attrs)) {
                    return FileVisitResult.CONTINUE;
                }

                Path relative = src.relativize(file);

                // the caller shouldn't attempt to import anything but regular files;
                // NOFOLLOW_LINKS makes a symlink count as non-regular
                boolean regular = Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS);
                if (!regular) {
                    throw new IllegalStateException("Can't import non-regular files into the process state: " + relative + " This is most likely a bug.");
                }

                String itemPath = prefix != null ? prefix + relative.toString() : relative.toString();

                int unixMode = Posix.unixMode(Files.getPosixFilePermissions(file));
                boolean needsEncryption = secureFiles.contains(itemPath);

                // Remove any existing item with the same path before queueing the new one.
                tx.deleteFrom(PROCESS_STATE)
                        .where(PROCESS_STATE.INSTANCE_ID.eq(processKey.getInstanceId())
                                .and(PROCESS_STATE.INSTANCE_CREATED_AT.eq(processKey.getCreatedAt()))
                                .and(PROCESS_STATE.ITEM_PATH.eq(itemPath)))
                        .execute();

                pending.add(new BatchItem(itemPath, file, unixMode, needsEncryption));
                if (pending.size() >= INSERT_BATCH_SIZE) {
                    // Flush a full batch and reuse the list.
                    insert(tx, processKey.getInstanceId(), processKey.getCreatedAt(), pending);
                    pending.clear();
                }
                return FileVisitResult.CONTINUE;
            }
        });

        // Flush whatever is left from the last partial batch.
        if (!pending.isEmpty()) {
            insert(tx, processKey.getInstanceId(), processKey.getCreatedAt(), pending);
        }
    } catch (IOException ioe) {
        throw new RuntimeException(ioe);
    }

    // Post-check against the state as written, using the engine resolved above.
    assertPolicy(tx, processKey, policyEngine);
}
Also used : ResultSet(java.sql.ResultSet) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) IOException(java.io.IOException) BasicFileAttributes(java.nio.file.attribute.BasicFileAttributes) WithTimer(com.walmartlabs.concord.server.sdk.metrics.WithTimer)

Example 10 with PolicyEngine

use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

the class ProcessStateManager method assertPolicy.

/**
 * Checks the files under {@code src} against the process's state policy before
 * they are imported.
 *
 * <p>Warnings and denials are written to the process log. Any denial aborts
 * the import with a {@link PolicyException}. When no policy engine is resolved
 * for the process, no check is performed and {@code null} is returned.
 *
 * @param tx the jOOQ context used to resolve the policy engine
 * @param processKey identifies the process; also the target of the log entries
 * @param src root directory that is about to be imported
 * @param filter selects the files the policy check considers
 * @return the resolved policy engine, or {@code null} if none applies
 * @throws PolicyException if at least one file is denied by the state policy
 * @throws RuntimeException wrapping an {@link IOException} raised by the check
 */
private PolicyEngine assertPolicy(DSLContext tx, ProcessKey processKey, Path src, BiFunction<Path, BasicFileAttributes, Boolean> filter) {
    PolicyEngine engine = getPolicyEngine(tx, processKey);
    if (engine == null) {
        return null;
    }

    CheckResult<StateRule, Path> outcome;
    try {
        outcome = engine.getStatePolicy().check(src, filter);
    } catch (IOException ioe) {
        throw new RuntimeException(ioe);
    }

    // Paths are logged relative to src so the entries match the state item names.
    outcome.getWarn().forEach(warned -> logManager.warn(processKey, "Potentially restricted state file '{}' (state policy: {})", src.relativize(warned.getEntity()), warned.getRule().getMsg()));
    outcome.getDeny().forEach(denied -> logManager.error(processKey, "State file '{}' is forbidden by the state policy {}", src.relativize(denied.getEntity()), denied.getRule().getMsg()));

    if (outcome.getDeny().isEmpty()) {
        return engine;
    }
    throw new PolicyException("Found forbidden state files");
}
Also used : StateRule(com.walmartlabs.concord.policyengine.StateRule) PolicyException(com.walmartlabs.concord.server.policy.PolicyException) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) IOException(java.io.IOException)
