Example 1 with UserPrincipal
use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.
the class ProjectAccessManager method hasAccess.
@WithTimer
public boolean hasAccess(ProjectEntry project, ResourceAccessLevel level, boolean orgMembersOnly) {
if (Roles.isAdmin()) {
// an admin can access any project
return true;
}
UserPrincipal principal = UserPrincipal.assertCurrent();
if (level == ResourceAccessLevel.READER && (Roles.isGlobalReader() || Roles.isGlobalWriter())) {
return true;
} else if (level == ResourceAccessLevel.WRITER && Roles.isGlobalWriter()) {
return true;
}
EntityOwner owner = project.getOwner();
if (ResourceAccessUtils.isSame(principal, owner)) {
// the owner can do anything with his projects
return true;
}
if (orgMembersOnly && project.getVisibility() == ProjectVisibility.PUBLIC && level == ResourceAccessLevel.READER && userDao.isInOrganization(principal.getId(), project.getOrgId())) {
// organization members can READ any public project in the same organization
return true;
}
OrganizationEntry org = orgManager.assertAccess(project.getOrgId(), false);
if (ResourceAccessUtils.isSame(principal, org.getOwner())) {
// the org owner can do anything with the org's projects
return true;
}
if (orgMembersOnly || project.getVisibility() != ProjectVisibility.PUBLIC) {
// the organization's members or the project is not public
if (!projectDao.hasAccessLevel(project.getId(), principal.getId(), ResourceAccessLevel.atLeast(level))) {
throw new UnauthorizedException("The current user (" + principal.getUsername() + ") doesn't have " + "the necessary access level (" + level + ") to the project: " + project.getName());
}
}
return true;
}
Also used :
UnauthorizedException(org.apache.shiro.authz.UnauthorizedException)
UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)
WithTimer(com.walmartlabs.concord.server.sdk.metrics.WithTimer)
Example 2 with UserPrincipal
use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.
the class SecretManager method list.
/**
* Returns a list of secrets for the specified organization.
*/
public List<SecretEntry> list(UUID orgId, int offset, int limit, String filter) {
UserPrincipal p = UserPrincipal.assertCurrent();
UUID userId = p.getId();
if (Roles.isAdmin() || Roles.isGlobalReader() || Roles.isGlobalWriter()) {
userId = null;
}
return secretDao.list(orgId, userId, SECRETS.SECRET_NAME, true, offset, limit, filter);
}
Also used :
UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)
Example 3 with UserPrincipal
use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.
the class LdapRealm method queryForAuthenticationInfo.
@Override
@WithTimer
protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
if (this.url == null) {
return null;
}
UsernamePasswordToken t = (UsernamePasswordToken) token;
LdapPrincipal ldapPrincipal;
try {
ldapPrincipal = getPrincipal(t);
} catch (Exception e) {
throw new AuthenticationException("LDAP error while attempting to retrieve the user's principal: " + t.getUsername(), e);
}
if (ldapPrincipal == null) {
throw new AuthenticationException("LDAP data not found: " + t.getUsername());
}
// TODO merge getOrCreate+update operations into a single one (only for this use case)
UserEntry u = userManager.getOrCreate(ldapPrincipal.getUsername(), ldapPrincipal.getDomain(), UserType.LDAP).orElseThrow(() -> new ConcordApplicationException("User not found: " + ldapPrincipal.getUsername()));
if (u.isDisabled()) {
throw new AuthenticationException("User account '" + u.getName() + "' is disabled");
}
UUID userId = u.getId();
u = userManager.update(userId, ldapPrincipal.getDisplayName(), ldapPrincipal.getEmail(), UserType.LDAP, false, null).orElseThrow(() -> new RuntimeException("User record not found: " + userId));
ldapGroupManager.cacheLdapGroupsIfNeeded(userId, ldapPrincipal.getGroups());
UserPrincipal userPrincipal = new UserPrincipal(REALM_NAME, u);
auditLog.add(AuditObject.SYSTEM, AuditAction.ACCESS).userId(userId).field("username", u.getName()).field("domain", u.getDomain()).field("realm", REALM_NAME).log();
return new SimpleAccount(Arrays.asList(userPrincipal, t, ldapPrincipal), t, getName());
}
Also used :
ConcordApplicationException(com.walmartlabs.concord.server.sdk.ConcordApplicationException)
UserEntry(com.walmartlabs.concord.server.user.UserEntry)
UUID(java.util.UUID)
NamingException(javax.naming.NamingException)
ConcordApplicationException(com.walmartlabs.concord.server.sdk.ConcordApplicationException)
UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)
WithTimer(com.walmartlabs.concord.server.sdk.metrics.WithTimer)
Example 4 with UserPrincipal
use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.
the class UserManager method getCurrentUserInfo.
public UserInfo getCurrentUserInfo() {
UserPrincipal u = UserPrincipal.getCurrent();
if (u == null) {
return null;
}
UserType type = assertSsoUserType(u, u.getType());
UserInfoProvider p = assertProvider(type);
return p.getInfo(u.getId(), u.getUsername(), u.getDomain());
}
Also used :
UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)
Example 5 with UserPrincipal
use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.
the class PasswordCheckerTest method bindUser.
@BeforeEach
public void bindUser() {
SecurityManager securityManager = new DefaultSecurityManager();
ThreadContext.bind(securityManager);
UserPrincipal p = new UserPrincipal("test", new UserEntry(UUID.randomUUID(), USERNAME, null, null, null, null, null, null, false));
SubjectContext ctx = new DefaultSubjectContext();
ctx.setAuthenticated(true);
ctx.setPrincipals(new SimplePrincipalCollection(p, p.getRealm()));
Subject subject = securityManager.createSubject(ctx);
ThreadContext.bind(subject);
}
Also used :
DefaultSecurityManager(org.apache.shiro.mgt.DefaultSecurityManager)
SecurityManager(org.apache.shiro.mgt.SecurityManager)
SubjectContext(org.apache.shiro.subject.SubjectContext)
DefaultSubjectContext(org.apache.shiro.subject.support.DefaultSubjectContext)
DefaultSubjectContext(org.apache.shiro.subject.support.DefaultSubjectContext)
SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection)
UserEntry(com.walmartlabs.concord.server.user.UserEntry)
DefaultSecurityManager(org.apache.shiro.mgt.DefaultSecurityManager)
UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)
Subject(org.apache.shiro.subject.Subject)
BeforeEach(org.junit.jupiter.api.BeforeEach)
Aggregations
UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal)37
UnauthorizedException (org.apache.shiro.authz.UnauthorizedException)15
WithTimer (com.walmartlabs.concord.server.sdk.metrics.WithTimer)14
ConcordApplicationException (com.walmartlabs.concord.server.sdk.ConcordApplicationException)9
UserEntry (com.walmartlabs.concord.server.user.UserEntry)8
UUID (java.util.UUID)8
PartialProcessKey (com.walmartlabs.concord.server.sdk.PartialProcessKey)7
ApiOperation (io.swagger.annotations.ApiOperation)6
OrganizationEntry (com.walmartlabs.concord.server.org.OrganizationEntry)3
EntryPoint (com.walmartlabs.concord.server.process.PayloadManager.EntryPoint)3
ProcessEntry (com.walmartlabs.concord.server.process.ProcessEntry)3
SessionKeyPrincipal (com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal)3
SimpleAccount (org.apache.shiro.authc.SimpleAccount)3
ValidationErrorsException (org.sonatype.siesta.ValidationErrorsException)3
ProcessKey (com.walmartlabs.concord.server.sdk.ProcessKey)2
LdapPrincipal (com.walmartlabs.concord.server.security.ldap.LdapPrincipal)2
SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection)2
Subject (org.apache.shiro.subject.Subject)2
CacheBuilder (com.google.common.cache.CacheBuilder)1
Imports (com.walmartlabs.concord.imports.Imports)1
