use of com.walmartlabs.concord.server.policy.PolicyException in project concord by walmartlabs.
the class ProcessResource method uploadAttachments.
/**
* Upload process attachments.
*
* @param instanceId
* @param data
*/
@POST
@javax.ws.rs.Path("{id}/attachment")
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
public void uploadAttachments(@PathParam("id") UUID instanceId, InputStream data) {
ProcessEntry entry = assertProcess(PartialProcessKey.from(instanceId));
ProcessKey processKey = new ProcessKey(entry.instanceId(), entry.createdAt());
Path tmpIn = null;
Path tmpDir = null;
try {
tmpIn = IOUtils.createTempFile("attachments", ".zip");
Files.copy(data, tmpIn, StandardCopyOption.REPLACE_EXISTING);
tmpDir = IOUtils.createTempDir("attachments");
IOUtils.unzip(tmpIn, tmpDir);
assertAttachmentsPolicy(tmpDir, entry);
Path finalTmpDir = tmpDir;
stateManager.tx(tx -> {
stateManager.deleteDirectory(tx, processKey, path(Constants.Files.JOB_ATTACHMENTS_DIR_NAME, Constants.Files.JOB_STATE_DIR_NAME));
stateManager.importPath(tx, processKey, Constants.Files.JOB_ATTACHMENTS_DIR_NAME, finalTmpDir, (p, attrs) -> true);
});
Map<String, Object> out = OutVariablesUtils.read(tmpDir);
if (out.isEmpty()) {
queueDao.removeMeta(processKey, "out");
} else {
queueDao.updateMeta(processKey, Collections.singletonMap("out", out));
}
} catch (PolicyException e) {
throw new ConcordApplicationException(e.getMessage(), Status.FORBIDDEN);
} catch (IOException e) {
log.error("uploadAttachments ['{}'] -> error", processKey, e);
throw new ConcordApplicationException("upload error: " + e.getMessage());
} finally {
if (tmpDir != null) {
try {
IOUtils.deleteRecursively(tmpDir);
} catch (IOException e) {
log.warn("uploadAttachments -> cleanup error: {}", e.getMessage());
}
}
if (tmpIn != null) {
try {
Files.delete(tmpIn);
} catch (IOException e) {
log.warn("uploadAttachments -> cleanup error: {}", e.getMessage());
}
}
}
}
use of com.walmartlabs.concord.server.policy.PolicyException in project concord by walmartlabs.
the class ProcessStateManager method assertPolicy.
private PolicyEngine assertPolicy(DSLContext tx, ProcessKey processKey, Path src, BiFunction<Path, BasicFileAttributes, Boolean> filter) {
PolicyEngine pe = getPolicyEngine(tx, processKey);
if (pe == null) {
return null;
}
CheckResult<StateRule, Path> result;
try {
result = pe.getStatePolicy().check(src, filter);
} catch (IOException e) {
throw new RuntimeException(e);
}
result.getWarn().forEach(w -> logManager.warn(processKey, "Potentially restricted state file '{}' (state policy: {})", src.relativize(w.getEntity()), w.getRule().getMsg()));
result.getDeny().forEach(e -> logManager.error(processKey, "State file '{}' is forbidden by the state policy {}", src.relativize(e.getEntity()), e.getRule().getMsg()));
if (!result.getDeny().isEmpty()) {
throw new PolicyException("Found forbidden state files");
}
return pe;
}
use of com.walmartlabs.concord.server.policy.PolicyException in project concord by walmartlabs.
the class ProcessResource method assertAttachmentsPolicy.
private void assertAttachmentsPolicy(Path tmpDir, ProcessEntry entry) throws IOException {
PolicyEngine policy = policyManager.get(entry.orgId(), entry.projectId(), UserPrincipal.assertCurrent().getUser().getId());
if (policy == null) {
return;
}
CheckResult<AttachmentsRule, Long> checkResult = policy.getAttachmentsPolicy().check(tmpDir);
if (!checkResult.getDeny().isEmpty()) {
String errorMessage = buildErrorMessage(checkResult.getDeny());
processLogManager.error(new ProcessKey(entry.instanceId(), entry.createdAt()), errorMessage);
throw new PolicyException("Found forbidden policy: " + errorMessage);
}
}
Aggregations