Example use of com.walmartlabs.concord.policyengine.PolicyEngine in the concord project by walmartlabs:
class ConcurrentProcessFilter, method findProcess.
/**
 * Runs the concurrent-process policy for a queued item and reports what it denies.
 *
 * <p>The per-organization and per-project lookups are passed as lambdas, so those
 * queries run only if and when the policy invokes them.
 *
 * @param tx                the database context handed to the lookups
 * @param item              the queue entry whose org, project and initiator select the policy engine
 * @param startingProcesses forwarded unchanged to both lookups
 * @return an empty list when no policy engine is resolved or nothing is denied;
 *         otherwise the entity of the first deny item (later deny items are not consulted)
 */
@Override
protected List<UUID> findProcess(DSLContext tx, ProcessQueueEntry item, List<ProcessQueueEntry> startingProcesses) {
    PolicyEngine engine = getPolicyEngine(item.orgId(), item.projectId(), item.initiatorId());
    if (engine == null) {
        // NOTE(review): a missing engine yields the same answer as "nothing denied",
        // i.e. the check fails open. Confirm getPolicyEngine returns null only when
        // no policy is configured, not when the policy lookup itself failed.
        return Collections.emptyList();
    }

    CheckResult<ConcurrentProcessRule, List<UUID>> outcome = engine.getConcurrentProcessPolicy().check(
            () -> processesPerOrg(tx, item.orgId(), startingProcesses),
            () -> processesPerProject(tx, item.projectId(), startingProcesses));

    if (!outcome.getDeny().isEmpty()) {
        // Only the first violated rule is reported to the caller.
        return outcome.getDeny().get(0).getEntity();
    }
    return Collections.emptyList();
}
Example use of com.walmartlabs.concord.policyengine.PolicyEngine in the concord project by walmartlabs:
class RunnerJobExecutor, method validateDependencies.
/**
 * Checks the job's resolved dependencies against the dependency policy.
 *
 * <p>Every warn and deny item is written to the job's process log; any deny item
 * then aborts the call with an exception.
 *
 * @param job                 supplies the policy engine and the process log
 * @param resolvedDepEntities the dependencies handed to the policy check
 * @throws ExecutionException if the policy denies at least one dependency
 */
private void validateDependencies(RunnerJob job, Collection<DependencyEntity> resolvedDepEntities) throws ExecutionException {
    PolicyEngine engine = job.getPolicyEngine();
    if (engine == null) {
        // NOTE(review): without an engine no dependency is checked and nothing is
        // logged (fail-open). Confirm a null engine always means "no policy applies".
        return;
    }

    ProcessLog jobLog = job.getLog();
    jobLog.info("Checking the dependency policy...");

    CheckResult<DependencyRule, DependencyEntity> outcome = engine.getDependencyPolicy().check(resolvedDepEntities);

    outcome.getWarn().forEach(hit ->
            jobLog.warn("Potentially restricted artifact '{}' (dependency policy: {})", hit.getEntity(), hit.getRule().getMsg()));

    // Denied artifacts are logged at the same (warn) level as warnings; the
    // exception below is the only enforcement, and its message does not name
    // the artifacts, so the process log is where the detail lives.
    outcome.getDeny().forEach(hit ->
            jobLog.warn("Artifact '{}' is forbidden by the dependency policy {}", hit.getEntity(), hit.getRule().getMsg()));

    if (outcome.getDeny().isEmpty()) {
        return;
    }
    throw new ExecutionException("Found restricted dependencies");
}
Example use of com.walmartlabs.concord.policyengine.PolicyEngine in the concord project by walmartlabs:
class ProcessResource, method assertAttachmentsPolicy.
/**
 * Applies the attachments policy to the given directory and rejects the request
 * when the policy denies it.
 *
 * <p>The policy engine is selected by the entry's organization and project and by
 * the id of the current user.
 *
 * @param tmpDir the directory passed to the attachments policy check
 * @param entry  the process whose org/project pick the policy and whose key is
 *               used for the process-log record
 * @throws IOException     declared by the method; presumably raised by the check
 *                         while reading {@code tmpDir} (confirm against the policy API)
 * @throws PolicyException if the policy reports at least one deny item
 */
private void assertAttachmentsPolicy(Path tmpDir, ProcessEntry entry) throws IOException {
    PolicyEngine engine = policyManager.get(entry.orgId(), entry.projectId(), UserPrincipal.assertCurrent().getUser().getId());
    if (engine == null) {
        // NOTE(review): no engine means the attachments are accepted unchecked
        // (fail-open). Confirm null is returned only when no policy is configured.
        return;
    }

    CheckResult<AttachmentsRule, Long> outcome = engine.getAttachmentsPolicy().check(tmpDir);
    if (outcome.getDeny().isEmpty()) {
        return;
    }

    // The same text goes to the process log and into the exception message.
    String details = buildErrorMessage(outcome.getDeny());
    processLogManager.error(new ProcessKey(entry.instanceId(), entry.createdAt()), details);
    throw new PolicyException("Found forbidden policy: " + details);
}
Example use of com.walmartlabs.concord.policyengine.PolicyEngine in the concord project by walmartlabs:
class PolicyManager, method checkEntity.
/**
 * Asks the entity policy whether the current user may perform an action on an entity.
 *
 * <p>The attributes given to the policy are built inside a lambda, so they are
 * assembled only if and when the policy invokes it. They consist of two keys:
 * {@code "owner"} (derived from {@code owner}) and {@code "entity"} (the supplied map).
 *
 * @param orgId       organization used to select the policy engine
 * @param projectId   project used to select the policy engine
 * @param entityType  its id is passed to the policy check
 * @param action      its id is passed to the policy check
 * @param owner       source of the {@code "owner"} attributes
 * @param entityAttrs exposed to the policy under {@code "entity"} as-is (not copied)
 * @throws ValidationErrorsException if the policy denies the action; the message
 *                                   carries the first violated rule's text
 */
public void checkEntity(UUID orgId, UUID projectId, EntityType entityType, EntityAction action, UserEntry owner, Map<String, Object> entityAttrs) {
    PolicyEngine engine = get(orgId, projectId, UserPrincipal.assertCurrent().getId());
    if (engine == null) {
        // NOTE(review): with no engine the action is allowed without any check
        // (fail-open). Confirm get(...) returns null only when no policy exists.
        return;
    }

    CheckResult<EntityRule, Map<String, Object>> outcome = engine.getEntityPolicy().check(entityType.id(), action.id(), () -> {
        Map<String, Object> policyInput = new HashMap<>();
        policyInput.put("owner", getOwnerAttrs(owner));
        policyInput.put("entity", entityAttrs);
        return policyInput;
    });

    if (outcome.getDeny().isEmpty()) {
        return;
    }
    // Only the first deny item's rule message is surfaced to the caller.
    throw new ValidationErrorsException("Action forbidden: " + outcome.getDeny().get(0).getRule().getMsg());
}
Example use of com.walmartlabs.concord.policyengine.PolicyEngine in the concord project by walmartlabs:
class ConfigurationProcessorTest, method testAllCfg.
/**
 * Verifies how configuration from the request, the organization, the project and
 * the policy is merged.
 *
 * <p>Every layer sets key {@code "a"} plus one key of its own. The expectation is
 * that {@code "a"} ends up with the value from the policy's process configuration,
 * that each layer's own key survives, and that neither value from the policy's
 * default process configuration ({@code "default"}, {@code "default-2"}) shows up
 * in the result.
 */
@Test
public void testAllCfg() throws Exception {
    UUID instanceId = UUID.randomUUID();
    UUID orgId = UUID.randomUUID();
    UUID prjId = UUID.randomUUID();
    Path workDir = Files.createTempDirectory("testAllCfg_workDir");

    // --- one configuration map per layer

    Map<String, Object> requestCfg = new HashMap<>();
    requestCfg.put("a", "a-req");
    requestCfg.put("req", "req-value");

    Map<String, Object> orgLevelCfg = new HashMap<>();
    orgLevelCfg.put("a", "a-org");
    orgLevelCfg.put("org", "org-value");

    Map<String, Object> projectCfg = new HashMap<>();
    projectCfg.put("a", "a-prj");
    projectCfg.put("project", "prj-value");

    Map<String, Object> policyCfg = new HashMap<>();
    policyCfg.put("a", "a-process-cfg-policy");
    policyCfg.put("process-cfg-policy", "process-cfg-policy-value");

    Map<String, Object> policyDefaults = new HashMap<>();
    policyDefaults.put("a", "default");
    policyDefaults.put("process-cfg-policy", "default-2");

    // Both constructors are positional: the project configuration is the 7th
    // argument of ProjectEntry, the two policy maps are the 9th and 11th
    // arguments of PolicyEngineRules; everything else is left null.
    ProjectEntry projectEntry = new ProjectEntry(prjId, null, null, null, null, null, projectCfg, null, null, null, null, null, null);
    PolicyEngineRules rules = new PolicyEngineRules(null, null, null, null, null, null, null, null, policyCfg, null, policyDefaults, null, null, null, null);

    // --- stub the DAOs and assemble the payload

    when(orgDao.getConfiguration(eq(orgId))).thenReturn(orgLevelCfg);
    when(projectDao.get(eq(prjId))).thenReturn(projectEntry);

    Payload payload = new Payload(new ProcessKey(instanceId, OffsetDateTime.now()));
    payload = payload.putHeader(Payload.CONFIGURATION, requestCfg)
            .putHeader(Payload.ORGANIZATION_ID, orgId)
            .putHeader(Payload.PROJECT_ID, prjId)
            .putHeader(Payload.WORKSPACE_DIR, workDir)
            .putHeader(Payload.POLICY, new PolicyEngine("test", rules));

    // --- expected merge result

    Map<String, Object> want = new HashMap<>();
    want.put("activeProfiles", Collections.singletonList("default"));
    // Original author's precedence note: orgCfg < prjCfg < req < org-policy < prj-policy.
    // What this test pins down: the policy's process configuration wins for "a".
    want.put("a", "a-process-cfg-policy");
    want.put("org", "org-value");
    want.put("project", "prj-value");
    want.put("req", "req-value");
    want.put("process-cfg-policy", "process-cfg-policy-value");

    Map<String, Object> actual = process(payload);

    // Arguments, process info and project info are outside the scope of this test.
    actual.remove(Constants.Request.ARGUMENTS_KEY);
    actual.remove(Constants.Request.PROCESS_INFO_KEY);
    actual.remove(Constants.Request.PROJECT_INFO_KEY);

    assertEquals(want, actual);
}