Example 1 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in the project concord by walmartlabs.

The class ProjectAccessManager, method hasAccess.

@WithTimer
public boolean hasAccess(ProjectEntry project, ResourceAccessLevel level, boolean orgMembersOnly) {
    if (Roles.isAdmin()) {
        // an admin can access any project
        return true;
    }
    UserPrincipal principal = UserPrincipal.assertCurrent();
    if (level == ResourceAccessLevel.READER && (Roles.isGlobalReader() || Roles.isGlobalWriter())) {
        return true;
    } else if (level == ResourceAccessLevel.WRITER && Roles.isGlobalWriter()) {
        return true;
    }
    EntityOwner owner = project.getOwner();
    if (ResourceAccessUtils.isSame(principal, owner)) {
        // the owner can do anything with his projects
        return true;
    }
    if (orgMembersOnly
            && project.getVisibility() == ProjectVisibility.PUBLIC
            && level == ResourceAccessLevel.READER
            && userDao.isInOrganization(principal.getId(), project.getOrgId())) {
        // organization members can READ any public project in the same organization
        return true;
    }
    OrganizationEntry org = orgManager.assertAccess(project.getOrgId(), false);
    if (ResourceAccessUtils.isSame(principal, org.getOwner())) {
        // the org owner can do anything with the org's projects
        return true;
    }
    if (orgMembersOnly || project.getVisibility() != ProjectVisibility.PUBLIC) {
        // the organization's members or the project is not public:
        // the user must hold an explicit per-project access level of at least `level`
        if (!projectDao.hasAccessLevel(project.getId(), principal.getId(), ResourceAccessLevel.atLeast(level))) {
            throw new UnauthorizedException("The current user (" + principal.getUsername() + ") doesn't have "
                    + "the necessary access level (" + level + ") to the project: " + project.getName());
        }
    }
    // reached when the explicit access-level check passed, or when the project is public and orgMembersOnly is false
    return true;
}
Also used: UnauthorizedException (org.apache.shiro.authz.UnauthorizedException), UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal), WithTimer (com.walmartlabs.concord.server.sdk.metrics.WithTimer)

Example 2 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in the project concord by walmartlabs.

The class SecretManager, method list.

/**
 * Returns a list of secrets for the specified organization.
 */
public List<SecretEntry> list(UUID orgId, int offset, int limit, String filter) {
    UserPrincipal p = UserPrincipal.assertCurrent();
    UUID userId = p.getId();
    if (Roles.isAdmin() || Roles.isGlobalReader() || Roles.isGlobalWriter()) {
        // privileged roles get the unfiltered list; a null userId disables the per-user filter in the DAO
        userId = null;
    }
    return secretDao.list(orgId, userId, SECRETS.SECRET_NAME, true, offset, limit, filter);
}
Also used: UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal)

Example 3 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in the project concord by walmartlabs.

The class LdapRealm, method queryForAuthenticationInfo.

@Override
@WithTimer
protected AuthenticationInfo queryForAuthenticationInfo(AuthenticationToken token, LdapContextFactory ldapContextFactory) throws NamingException {
    if (this.url == null) {
        return null;
    }
    UsernamePasswordToken t = (UsernamePasswordToken) token;
    LdapPrincipal ldapPrincipal;
    try {
        ldapPrincipal = getPrincipal(t);
    } catch (Exception e) {
        throw new AuthenticationException("LDAP error while attempting to retrieve the user's principal: " + t.getUsername(), e);
    }
    if (ldapPrincipal == null) {
        throw new AuthenticationException("LDAP data not found: " + t.getUsername());
    }
    // TODO merge getOrCreate+update operations into a single one (only for this use case)
    UserEntry u = userManager.getOrCreate(ldapPrincipal.getUsername(), ldapPrincipal.getDomain(), UserType.LDAP)
            .orElseThrow(() -> new ConcordApplicationException("User not found: " + ldapPrincipal.getUsername()));
    if (u.isDisabled()) {
        // a locally disabled account is rejected even though the LDAP lookup succeeded
        throw new AuthenticationException("User account '" + u.getName() + "' is disabled");
    }
    UUID userId = u.getId();
    // refresh the local user record with the attributes returned by LDAP
    u = userManager.update(userId, ldapPrincipal.getDisplayName(), ldapPrincipal.getEmail(), UserType.LDAP, false, null)
            .orElseThrow(() -> new RuntimeException("User record not found: " + userId));
    ldapGroupManager.cacheLdapGroupsIfNeeded(userId, ldapPrincipal.getGroups());
    UserPrincipal userPrincipal = new UserPrincipal(REALM_NAME, u);
    // record the successful authentication in the audit log
    auditLog.add(AuditObject.SYSTEM, AuditAction.ACCESS)
            .userId(userId)
            .field("username", u.getName())
            .field("domain", u.getDomain())
            .field("realm", REALM_NAME)
            .log();
    return new SimpleAccount(Arrays.asList(userPrincipal, t, ldapPrincipal), t, getName());
}
Also used: ConcordApplicationException (com.walmartlabs.concord.server.sdk.ConcordApplicationException), UserEntry (com.walmartlabs.concord.server.user.UserEntry), UUID (java.util.UUID), NamingException (javax.naming.NamingException), UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal), WithTimer (com.walmartlabs.concord.server.sdk.metrics.WithTimer)

Example 4 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in the project concord by walmartlabs.

The class UserManager, method getCurrentUserInfo.

public UserInfo getCurrentUserInfo() {
    UserPrincipal u = UserPrincipal.getCurrent();
    if (u == null) {
        // no authenticated principal bound to the current thread
        return null;
    }
    UserType type = assertSsoUserType(u, u.getType());
    UserInfoProvider p = assertProvider(type);
    return p.getInfo(u.getId(), u.getUsername(), u.getDomain());
}
Also used: UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal)

Example 5 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in the project concord by walmartlabs.

The class PasswordCheckerTest, method bindUser.

@BeforeEach
public void bindUser() {
    SecurityManager securityManager = new DefaultSecurityManager();
    ThreadContext.bind(securityManager);
    // a minimal test principal; only the username is populated
    UserPrincipal p = new UserPrincipal("test",
            new UserEntry(UUID.randomUUID(), USERNAME, null, null, null, null, null, null, false));
    SubjectContext ctx = new DefaultSubjectContext();
    ctx.setAuthenticated(true);
    ctx.setPrincipals(new SimplePrincipalCollection(p, p.getRealm()));
    // bind the pre-authenticated subject to the test thread so UserPrincipal.getCurrent() resolves it
    Subject subject = securityManager.createSubject(ctx);
    ThreadContext.bind(subject);
}
Also used: DefaultSecurityManager (org.apache.shiro.mgt.DefaultSecurityManager), SecurityManager (org.apache.shiro.mgt.SecurityManager), SubjectContext (org.apache.shiro.subject.SubjectContext), DefaultSubjectContext (org.apache.shiro.subject.support.DefaultSubjectContext), SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection), UserEntry (com.walmartlabs.concord.server.user.UserEntry), UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal), Subject (org.apache.shiro.subject.Subject), BeforeEach (org.junit.jupiter.api.BeforeEach)

Aggregations

UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal): 37
UnauthorizedException (org.apache.shiro.authz.UnauthorizedException): 15
WithTimer (com.walmartlabs.concord.server.sdk.metrics.WithTimer): 14
ConcordApplicationException (com.walmartlabs.concord.server.sdk.ConcordApplicationException): 9
UserEntry (com.walmartlabs.concord.server.user.UserEntry): 8
UUID (java.util.UUID): 8
PartialProcessKey (com.walmartlabs.concord.server.sdk.PartialProcessKey): 7
ApiOperation (io.swagger.annotations.ApiOperation): 6
OrganizationEntry (com.walmartlabs.concord.server.org.OrganizationEntry): 3
EntryPoint (com.walmartlabs.concord.server.process.PayloadManager.EntryPoint): 3
ProcessEntry (com.walmartlabs.concord.server.process.ProcessEntry): 3
SessionKeyPrincipal (com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal): 3
SimpleAccount (org.apache.shiro.authc.SimpleAccount): 3
ValidationErrorsException (org.sonatype.siesta.ValidationErrorsException): 3
ProcessKey (com.walmartlabs.concord.server.sdk.ProcessKey): 2
LdapPrincipal (com.walmartlabs.concord.server.security.ldap.LdapPrincipal): 2
SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection): 2
Subject (org.apache.shiro.subject.Subject): 2
CacheBuilder (com.google.common.cache.CacheBuilder): 1
Imports (com.walmartlabs.concord.imports.Imports): 1