
Example 11 with PolicyEngine

Use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

Class ConcurrentProcessFilter, method findProcess.

@Override
protected List<UUID> findProcess(DSLContext tx, ProcessQueueEntry item, List<ProcessQueueEntry> startingProcesses) {
    PolicyEngine pe = getPolicyEngine(item.orgId(), item.projectId(), item.initiatorId());
    if (pe == null) {
        return Collections.emptyList();
    }
    CheckResult<ConcurrentProcessRule, List<UUID>> result = pe.getConcurrentProcessPolicy().check(
            () -> processesPerOrg(tx, item.orgId(), startingProcesses),
            () -> processesPerProject(tx, item.projectId(), startingProcesses));
    if (result.getDeny().isEmpty()) {
        return Collections.emptyList();
    }
    return result.getDeny().get(0).getEntity();
}
Also used : PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) ConcurrentProcessRule(com.walmartlabs.concord.policyengine.ConcurrentProcessRule)

Example 12 with PolicyEngine

Use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

Class RunnerJobExecutor, method validateDependencies.

private void validateDependencies(RunnerJob job, Collection<DependencyEntity> resolvedDepEntities) throws ExecutionException {
    PolicyEngine policyEngine = job.getPolicyEngine();
    if (policyEngine == null) {
        // no policy engine is attached to this job, so the dependency check is skipped
        return;
    }
    ProcessLog processLog = job.getLog();
    processLog.info("Checking the dependency policy...");
    CheckResult<DependencyRule, DependencyEntity> result = policyEngine.getDependencyPolicy().check(resolvedDepEntities);
    // "warn" matches are only logged; "deny" matches are logged and then fail the job below
    result.getWarn().forEach(d -> processLog.warn(
            "Potentially restricted artifact '{}' (dependency policy: {})", d.getEntity(), d.getRule().getMsg()));
    result.getDeny().forEach(d -> processLog.warn(
            "Artifact '{}' is forbidden by the dependency policy {}", d.getEntity(), d.getRule().getMsg()));
    if (!result.getDeny().isEmpty()) {
        throw new ExecutionException("Found restricted dependencies");
    }
}
Also used : DependencyEntity(com.walmartlabs.concord.dependencymanager.DependencyEntity) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) DependencyRule(com.walmartlabs.concord.policyengine.DependencyRule) ExecutionException(com.walmartlabs.concord.agent.ExecutionException) ProcessLog(com.walmartlabs.concord.agent.logging.ProcessLog)

Example 13 with PolicyEngine

Use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

Class ProcessResource, method assertAttachmentsPolicy.

private void assertAttachmentsPolicy(Path tmpDir, ProcessEntry entry) throws IOException {
    PolicyEngine policy = policyManager.get(entry.orgId(), entry.projectId(), UserPrincipal.assertCurrent().getUser().getId());
    if (policy == null) {
        return;
    }
    CheckResult<AttachmentsRule, Long> checkResult = policy.getAttachmentsPolicy().check(tmpDir);
    if (!checkResult.getDeny().isEmpty()) {
        String errorMessage = buildErrorMessage(checkResult.getDeny());
        processLogManager.error(new ProcessKey(entry.instanceId(), entry.createdAt()), errorMessage);
        throw new PolicyException("Found forbidden policy: " + errorMessage);
    }
}
Also used : PolicyException(com.walmartlabs.concord.server.policy.PolicyException) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) PartialProcessKey(com.walmartlabs.concord.server.sdk.PartialProcessKey) ProcessKey(com.walmartlabs.concord.server.sdk.ProcessKey) AttachmentsRule(com.walmartlabs.concord.policyengine.AttachmentsRule)

Example 14 with PolicyEngine

Use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

Class PolicyManager, method checkEntity.

public void checkEntity(UUID orgId, UUID projectId, EntityType entityType, EntityAction action, UserEntry owner, Map<String, Object> entityAttrs) {
    PolicyEngine pe = get(orgId, projectId, UserPrincipal.assertCurrent().getId());
    if (pe == null) {
        return;
    }
    CheckResult<EntityRule, Map<String, Object>> result = pe.getEntityPolicy().check(entityType.id(), action.id(), () -> {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("owner", getOwnerAttrs(owner));
        attrs.put("entity", entityAttrs);
        return attrs;
    });
    if (!result.getDeny().isEmpty()) {
        throw new ValidationErrorsException("Action forbidden: " + result.getDeny().get(0).getRule().getMsg());
    }
}
Also used : EntityRule(com.walmartlabs.concord.policyengine.EntityRule) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) ValidationErrorsException(org.sonatype.siesta.ValidationErrorsException)

Example 15 with PolicyEngine

Use of com.walmartlabs.concord.policyengine.PolicyEngine in project concord by walmartlabs.

Class ConfigurationProcessorTest, method testAllCfg.

@Test
public void testAllCfg() throws Exception {
    Path workDir = Files.createTempDirectory("testAllCfg_workDir");
    UUID instanceId = UUID.randomUUID();
    UUID orgId = UUID.randomUUID();
    UUID prjId = UUID.randomUUID();
    Map<String, Object> req = new HashMap<>();
    req.put("a", "a-req");
    req.put("req", "req-value");
    Map<String, Object> orgCfg = new HashMap<>();
    orgCfg.put("a", "a-org");
    orgCfg.put("org", "org-value");
    Map<String, Object> prjCfg = new HashMap<>();
    prjCfg.put("a", "a-prj");
    prjCfg.put("project", "prj-value");
    ProjectEntry projectEntry = new ProjectEntry(prjId, null, null, null, null, null, prjCfg, null, null, null, null, null, null);
    Map<String, Object> processCfgPolicy = new HashMap<>();
    processCfgPolicy.put("a", "a-process-cfg-policy");
    processCfgPolicy.put("process-cfg-policy", "process-cfg-policy-value");
    Map<String, Object> defaultProcessCfgPolicy = new HashMap<>();
    defaultProcessCfgPolicy.put("a", "default");
    defaultProcessCfgPolicy.put("process-cfg-policy", "default-2");
    PolicyEngineRules policy = new PolicyEngineRules(null, null, null, null, null, null, null, null, processCfgPolicy, null, defaultProcessCfgPolicy, null, null, null, null);
    // ---
    when(orgDao.getConfiguration(eq(orgId))).thenReturn(orgCfg);
    when(projectDao.get(eq(prjId))).thenReturn(projectEntry);
    Payload payload = new Payload(new ProcessKey(instanceId, OffsetDateTime.now()));
    payload = payload.putHeader(Payload.CONFIGURATION, req)
            .putHeader(Payload.ORGANIZATION_ID, orgId)
            .putHeader(Payload.PROJECT_ID, prjId)
            .putHeader(Payload.WORKSPACE_DIR, workDir)
            .putHeader(Payload.POLICY, new PolicyEngine("test", policy));
    // ---
    Map<String, Object> expected = new HashMap<>();
    expected.put("activeProfiles", Collections.singletonList("default"));
    // orgCfg < prjCfg < req < org-policy < prj-policy
    expected.put("a", "a-process-cfg-policy");
    expected.put("org", "org-value");
    expected.put("project", "prj-value");
    expected.put("req", "req-value");
    expected.put("process-cfg-policy", "process-cfg-policy-value");
    Map<String, Object> result = process(payload);
    // don't care about arguments and other stuff here
    result.remove(Constants.Request.ARGUMENTS_KEY);
    result.remove(Constants.Request.PROCESS_INFO_KEY);
    result.remove(Constants.Request.PROJECT_INFO_KEY);
    assertEquals(expected, result);
}
Also used : Path(java.nio.file.Path) ProjectEntry(com.walmartlabs.concord.server.org.project.ProjectEntry) PolicyEngineRules(com.walmartlabs.concord.policyengine.PolicyEngineRules) HashMap(java.util.HashMap) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) Payload(com.walmartlabs.concord.server.process.Payload) ProcessKey(com.walmartlabs.concord.server.sdk.ProcessKey) UUID(java.util.UUID) Test(org.junit.jupiter.api.Test)

Aggregations

PolicyEngine (com.walmartlabs.concord.policyengine.PolicyEngine): 18
ProcessKey (com.walmartlabs.concord.server.sdk.ProcessKey): 5
IOException (java.io.IOException): 4
Path (java.nio.file.Path): 4
ProcessException (com.walmartlabs.concord.server.process.ProcessException): 3
UUID (java.util.UUID): 3
ValidationErrorsException (org.sonatype.siesta.ValidationErrorsException): 3
ExecutionException (com.walmartlabs.concord.agent.ExecutionException): 2
PolicyEngineRules (com.walmartlabs.concord.policyengine.PolicyEngineRules): 2
PolicyException (com.walmartlabs.concord.server.policy.PolicyException): 2
ConcordApplicationException (com.walmartlabs.concord.server.sdk.ConcordApplicationException): 2
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper): 1
ApiClient (com.walmartlabs.concord.ApiClient): 1
ProcessLog (com.walmartlabs.concord.agent.logging.ProcessLog): 1
DependencyEntity (com.walmartlabs.concord.dependencymanager.DependencyEntity): 1
AttachmentsRule (com.walmartlabs.concord.policyengine.AttachmentsRule): 1
ConcurrentProcessRule (com.walmartlabs.concord.policyengine.ConcurrentProcessRule): 1
DependencyRule (com.walmartlabs.concord.policyengine.DependencyRule): 1
Dependency (com.walmartlabs.concord.policyengine.DependencyVersionsPolicy.Dependency): 1
EntityRule (com.walmartlabs.concord.policyengine.EntityRule): 1