
Example 1 with PolicyException

use of com.walmartlabs.concord.server.policy.PolicyException in project concord by walmartlabs.

the class ProcessResource method uploadAttachments.

/**
 * Receives an archive of process attachments and imports its contents into the process state.
 * <p>
 * The request body is spooled to a temporary file, unpacked into a temporary directory with
 * {@code IOUtils.unzip}, checked by {@code assertAttachmentsPolicy} and only then imported
 * inside a single {@code stateManager.tx} call. The process' {@code "out"} metadata is updated
 * from whatever {@code OutVariablesUtils.read} finds in the unpacked directory, or removed when
 * nothing is found. Both temporary paths are deleted in the {@code finally} block.
 * <p>
 * NOTE(review): the body is request-supplied and is copied to disk and extracted before the
 * attachments policy is evaluated. No size bound is visible here, and {@code IOUtils.unzip} is
 * not shown, so confirm that it rejects entries resolving outside the target directory and
 * that the upload and expanded sizes are limited somewhere.
 * <p>
 * NOTE(review): no caller access check is visible in this method; presumably
 * {@code assertProcess} or a request filter enforces it. Confirm.
 *
 * @param instanceId process instance ID taken from the {@code id} path segment
 * @param data       request body; it is handed to {@code IOUtils.unzip}, so a ZIP archive is expected
 * @throws ConcordApplicationException with {@code Status.FORBIDDEN} when a {@code PolicyException}
 *                                     is raised, or without an explicit status on {@code IOException}
 */
@POST
@javax.ws.rs.Path("{id}/attachment")
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
public void uploadAttachments(@PathParam("id") UUID instanceId, InputStream data) {
    ProcessEntry entry = assertProcess(PartialProcessKey.from(instanceId));
    ProcessKey processKey = new ProcessKey(entry.instanceId(), entry.createdAt());

    // Both stay null until created so the cleanup below only touches what actually exists.
    Path uploadedZip = null;
    Path unpackedDir = null;
    try {
        uploadedZip = IOUtils.createTempFile("attachments", ".zip");
        Files.copy(data, uploadedZip, StandardCopyOption.REPLACE_EXISTING);

        unpackedDir = IOUtils.createTempDir("attachments");
        IOUtils.unzip(uploadedZip, unpackedDir);

        // The policy gate runs on the extracted tree, before anything reaches the process state.
        assertAttachmentsPolicy(unpackedDir, entry);

        // unpackedDir is reassigned above, so the lambda needs its own effectively final copy.
        final Path importRoot = unpackedDir;
        stateManager.tx(tx -> {
            stateManager.deleteDirectory(tx, processKey, path(Constants.Files.JOB_ATTACHMENTS_DIR_NAME, Constants.Files.JOB_STATE_DIR_NAME));
            // The filter accepts every path: the whole extracted tree is imported.
            stateManager.importPath(tx, processKey, Constants.Files.JOB_ATTACHMENTS_DIR_NAME, importRoot, (file, attributes) -> true);
        });

        Map<String, Object> outVars = OutVariablesUtils.read(unpackedDir);
        if (!outVars.isEmpty()) {
            queueDao.updateMeta(processKey, Collections.singletonMap("out", outVars));
        } else {
            queueDao.removeMeta(processKey, "out");
        }
    } catch (PolicyException denied) {
        // A policy rejection is reported to the client as 403 with the policy's own message.
        throw new ConcordApplicationException(denied.getMessage(), Status.FORBIDDEN);
    } catch (IOException ioe) {
        log.error("uploadAttachments ['{}'] -> error", processKey, ioe);
        // NOTE(review): the raw IOException message goes back to the client; such messages can
        // contain server-side paths. Consider a generic message, since details are logged above.
        throw new ConcordApplicationException("upload error: " + ioe.getMessage());
    } finally {
        // Best-effort cleanup: a failure here is logged and never replaces the primary outcome.
        if (unpackedDir != null) {
            try {
                IOUtils.deleteRecursively(unpackedDir);
            } catch (IOException cleanupFailure) {
                log.warn("uploadAttachments -> cleanup error: {}", cleanupFailure.getMessage());
            }
        }
        if (uploadedZip != null) {
            try {
                Files.delete(uploadedZip);
            } catch (IOException cleanupFailure) {
                log.warn("uploadAttachments -> cleanup error: {}", cleanupFailure.getMessage());
            }
        }
    }
}
Also used : Path(java.nio.file.Path) PolicyException(com.walmartlabs.concord.server.policy.PolicyException) ConcordApplicationException(com.walmartlabs.concord.server.sdk.ConcordApplicationException) PartialProcessKey(com.walmartlabs.concord.server.sdk.PartialProcessKey) ProcessKey(com.walmartlabs.concord.server.sdk.ProcessKey)

Example 2 with PolicyException

use of com.walmartlabs.concord.server.policy.PolicyException in project concord by walmartlabs.

the class ProcessStateManager method assertPolicy.

/**
 * Runs the state policy of the process' policy engine against the files under {@code src}.
 * <p>
 * Every warning and every denial is written to the process log with the file path relative
 * to {@code src}. Any denial aborts the call with a {@code PolicyException}.
 * <p>
 * NOTE(review): when {@code getPolicyEngine} returns {@code null}, nothing is checked and the
 * call succeeds. Presumably {@code null} means "no policy configured". Confirm that a lookup
 * failure cannot also surface as {@code null}, which would make the gate fail open.
 *
 * @param tx         DSL context passed through to {@code getPolicyEngine}
 * @param processKey process whose policy is looked up and whose log receives the findings
 * @param src        root path handed to the state policy check
 * @param filter     path filter passed through to the state policy check
 * @return the policy engine that was used, or {@code null} when none was found
 * @throws PolicyException  when at least one file is denied by the state policy
 * @throws RuntimeException wrapping an {@code IOException} raised by the check
 */
private PolicyEngine assertPolicy(DSLContext tx, ProcessKey processKey, Path src, BiFunction<Path, BasicFileAttributes, Boolean> filter) {
    PolicyEngine engine = getPolicyEngine(tx, processKey);
    if (engine == null) {
        // No engine for this process: nothing is evaluated.
        return null;
    }

    CheckResult<StateRule, Path> outcome;
    try {
        outcome = engine.getStatePolicy().check(src, filter);
    } catch (IOException ioe) {
        throw new RuntimeException(ioe);
    }

    // Warnings are reported first, then denials; neither loop stops the other from running.
    outcome.getWarn().forEach(warned -> logManager.warn(processKey, "Potentially restricted state file '{}' (state policy: {})", src.relativize(warned.getEntity()), warned.getRule().getMsg()));
    outcome.getDeny().forEach(denied -> logManager.error(processKey, "State file '{}' is forbidden by the state policy {}", src.relativize(denied.getEntity()), denied.getRule().getMsg()));

    // All denials were logged above, so the exception itself carries only a summary.
    if (!outcome.getDeny().isEmpty()) {
        throw new PolicyException("Found forbidden state files");
    }
    return engine;
}
Also used : StateRule(com.walmartlabs.concord.policyengine.StateRule) PolicyException(com.walmartlabs.concord.server.policy.PolicyException) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) IOException(java.io.IOException)

Example 3 with PolicyException

use of com.walmartlabs.concord.server.policy.PolicyException in project concord by walmartlabs.

the class ProcessResource method assertAttachmentsPolicy.

/**
 * Checks the attachments in {@code tmpDir} against the attachments policy that applies to
 * the process' organization, project and the current user.
 * <p>
 * A denial is written to the process log and then raised as a {@code PolicyException} whose
 * message embeds the text produced by {@code buildErrorMessage}.
 * <p>
 * NOTE(review): when {@code policyManager.get} returns {@code null}, the method returns
 * without checking anything. Presumably that means "no policy configured"; confirm it cannot
 * also mean "lookup failed". Warnings in the check result, if the policy produces any, are
 * not inspected here.
 *
 * @param tmpDir directory holding the attachments to check
 * @param entry  process entry supplying the organization, project, instance ID and creation time
 * @throws IOException     declared by the method; presumably raised by the policy check (confirm)
 * @throws PolicyException when the attachments policy denies the content
 */
private void assertAttachmentsPolicy(Path tmpDir, ProcessEntry entry) throws IOException {
    PolicyEngine engine = policyManager.get(entry.orgId(), entry.projectId(), UserPrincipal.assertCurrent().getUser().getId());
    if (engine == null) {
        return;
    }

    CheckResult<AttachmentsRule, Long> verdict = engine.getAttachmentsPolicy().check(tmpDir);
    if (verdict.getDeny().isEmpty()) {
        return;
    }

    // The same text goes to the process log and into the exception message.
    String errorMessage = buildErrorMessage(verdict.getDeny());
    ProcessKey processKey = new ProcessKey(entry.instanceId(), entry.createdAt());
    processLogManager.error(processKey, errorMessage);
    throw new PolicyException("Found forbidden policy: " + errorMessage);
}
Also used : PolicyException(com.walmartlabs.concord.server.policy.PolicyException) PolicyEngine(com.walmartlabs.concord.policyengine.PolicyEngine) PartialProcessKey(com.walmartlabs.concord.server.sdk.PartialProcessKey) ProcessKey(com.walmartlabs.concord.server.sdk.ProcessKey) AttachmentsRule(com.walmartlabs.concord.policyengine.AttachmentsRule)

Aggregations

PolicyException (com.walmartlabs.concord.server.policy.PolicyException)3 PolicyEngine (com.walmartlabs.concord.policyengine.PolicyEngine)2 PartialProcessKey (com.walmartlabs.concord.server.sdk.PartialProcessKey)2 ProcessKey (com.walmartlabs.concord.server.sdk.ProcessKey)2 AttachmentsRule (com.walmartlabs.concord.policyengine.AttachmentsRule)1 StateRule (com.walmartlabs.concord.policyengine.StateRule)1 ConcordApplicationException (com.walmartlabs.concord.server.sdk.ConcordApplicationException)1 IOException (java.io.IOException)1 Path (java.nio.file.Path)1