use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.
the class JsonStoreManager method assertStoragePolicy.
private void assertStoragePolicy(UUID orgId) {
PolicyEngine policy = policyManager.get(orgId, null, UserPrincipal.assertCurrent().getUser().getId());
if (policy == null) {
return;
}
CheckResult<JsonStoreRule.StoreRule, Integer> result;
try {
result = policy.getJsonStoragePolicy().checkStorage(() -> storeDao.count(orgId));
} catch (Exception e) {
throw new RuntimeException(e);
}
if (!result.getDeny().isEmpty()) {
throw new ConcordApplicationException("Found JSON store policy violations: " + buildErrorMessage(result.getDeny()));
}
}
use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.
the class JsonStoreManager method getCapacity.
public JsonStoreCapacity getCapacity(String orgName, String storeName) {
OrganizationEntry org = orgManager.assertAccess(orgName, false);
JsonStoreEntry store = jsonStoreAccessManager.assertAccess(org.getId(), null, storeName, ResourceAccessLevel.READER, true);
long currentSize = storeDataDao.getSize(store.id());
PolicyEngine policy = policyManager.get(store.id(), null, UserPrincipal.assertCurrent().getId());
Long maxSize = null;
if (policy != null) {
maxSize = policy.getJsonStoragePolicy().getMaxSize();
}
return JsonStoreCapacity.builder().size(currentSize).maxSize(maxSize).build();
}
use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.
the class PolicyCache method reloadPolicies.
private void reloadPolicies() {
PolicyEngine defaultPolicy = null;
Map<UUID, PolicyEngine> byOrg = new HashMap<>();
Map<UUID, PolicyEngine> byProject = new HashMap<>();
Map<UUID, PolicyEngine> byUser = new HashMap<>();
List<PolicyItem> otherUserPolicies = new ArrayList<>();
List<PolicyLink> links = dao.listLinks();
if (links.isEmpty()) {
setPolicies(defaultPolicy, byOrg, byProject, byUser, otherUserPolicies);
return;
}
Map<UUID, Policy> policies = mergePolicies(dao.listPolicies());
for (PolicyLink l : links) {
Policy policy = policies.get(l.policyId());
if (policy == null) {
continue;
}
PolicyEngine pe = new PolicyEngine(policy.policyNames(), policy.rules());
if (l.orgId() == null && l.projectId() == null && l.userId() == null) {
defaultPolicy = pe;
} else if (l.orgId() != null && l.projectId() == null && l.userId() == null) {
byOrg.put(l.orgId(), pe);
} else if (l.orgId() == null && l.projectId() != null && l.userId() == null) {
byProject.put(l.projectId(), pe);
} else if (l.orgId() == null && l.projectId() == null && l.userId() != null) {
byUser.put(l.userId(), pe);
} else if (l.userId() != null) {
otherUserPolicies.add(PolicyItem.of(l, pe));
} else {
log.warn("Unexpected policy link: {}", l);
}
}
setPolicies(defaultPolicy, byOrg, byProject, byUser, otherUserPolicies);
}
use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.
the class ProcessStateManager method importPath.
@WithTimer
public void importPath(DSLContext tx, ProcessKey processKey, String path, Path src, BiFunction<Path, BasicFileAttributes, Boolean> filter) {
PolicyEngine policyEngine = assertPolicy(tx, processKey, src, filter);
String prefix = fixPath(path);
List<BatchItem> batch = new ArrayList<>();
try {
Files.walkFileTree(src, new SimpleFileVisitor<Path>() {
@Override
public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
if (!filter.apply(file, attrs)) {
return FileVisitResult.CONTINUE;
}
Path p = src.relativize(file);
// the caller shouldn't attempt to import anything but regular files
if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
throw new IllegalStateException("Can't import non-regular files into the process state: " + p + " This is most likely a bug.");
}
String n = p.toString();
if (prefix != null) {
n = prefix + n;
}
Set<PosixFilePermission> permissions = Files.getPosixFilePermissions(file);
int unixMode = Posix.unixMode(permissions);
boolean needsEncryption = secureFiles.contains(n);
tx.deleteFrom(PROCESS_STATE).where(PROCESS_STATE.INSTANCE_ID.eq(processKey.getInstanceId()).and(PROCESS_STATE.INSTANCE_CREATED_AT.eq(processKey.getCreatedAt())).and(PROCESS_STATE.ITEM_PATH.eq(n))).execute();
batch.add(new BatchItem(n, file, unixMode, needsEncryption));
if (batch.size() >= INSERT_BATCH_SIZE) {
insert(tx, processKey.getInstanceId(), processKey.getCreatedAt(), batch);
batch.clear();
}
return FileVisitResult.CONTINUE;
}
});
if (!batch.isEmpty()) {
insert(tx, processKey.getInstanceId(), processKey.getCreatedAt(), batch);
}
} catch (IOException e) {
throw new RuntimeException(e);
}
assertPolicy(tx, processKey, policyEngine);
}
use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.
the class ProcessStateManager method assertPolicy.
private PolicyEngine assertPolicy(DSLContext tx, ProcessKey processKey, Path src, BiFunction<Path, BasicFileAttributes, Boolean> filter) {
PolicyEngine pe = getPolicyEngine(tx, processKey);
if (pe == null) {
return null;
}
CheckResult<StateRule, Path> result;
try {
result = pe.getStatePolicy().check(src, filter);
} catch (IOException e) {
throw new RuntimeException(e);
}
result.getWarn().forEach(w -> logManager.warn(processKey, "Potentially restricted state file '{}' (state policy: {})", src.relativize(w.getEntity()), w.getRule().getMsg()));
result.getDeny().forEach(e -> logManager.error(processKey, "State file '{}' is forbidden by the state policy {}", src.relativize(e.getEntity()), e.getRule().getMsg()));
if (!result.getDeny().isEmpty()) {
throw new PolicyException("Found forbidden state files");
}
return pe;
}
Aggregations