Example 16 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

From the class FormAccessManager, method assertFormAccess.

public void assertFormAccess(String formName, Map<String, Serializable> runAsParams) {
    // No "runAs" restrictions on the form: anyone who can reach it may submit it.
    if (runAsParams == null || runAsParams.isEmpty()) {
        return;
    }
    // Requires an authenticated user; throws if there is no current principal.
    UserPrincipal p = UserPrincipal.assertCurrent();
    // Check the explicit list of usernames allowed to submit the form, if any.
    Set<String> expectedUsers = com.walmartlabs.concord.forms.FormUtils.getRunAsUsers(formName, runAsParams);
    if (!expectedUsers.isEmpty() && !expectedUsers.contains(p.getUsername())) {
        throw new UnauthorizedException("The current user (" + p.getUsername() + ") doesn't have " + "the necessary permissions to access the form.");
    }
    // Check the LDAP group restrictions, if any. A user without an LDAP principal
    // has no groups (null), so none of the expected groups can match.
    Set<String> groups = com.walmartlabs.concord.forms.FormUtils.getRunAsLdapGroups(formName, runAsParams);
    if (!groups.isEmpty()) {
        Set<String> userLdapGroups = Optional.ofNullable(LdapPrincipal.getCurrent()).map(LdapPrincipal::getGroups).orElse(null);
        boolean isGroupMatched = groups.stream().anyMatch(group -> matchesLdapGroup(group, userLdapGroups));
        if (!isGroupMatched) {
            throw new UnauthorizedException("The current user (" + p.getUsername() + ") doesn't have " + "the necessary permissions to resume process. Expected LDAP group(s) '" + groups + "'");
        }
    }
}
Also used : UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Example 17 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

From the class ProcessResource, method start (JSON request body).

/**
 * Starts a new process instance using the specified entry point and provided configuration.
 *
 * @param entryPoint
 * @param req
 * @param parentInstanceId
 * @param sync
 * @return
 * @deprecated use {@link #start(MultipartInput, UUID, boolean, String[], HttpServletRequest)}
 */
@POST
@ApiOperation(value = "Start a new process using the specified entry point and provided configuration", hidden = true)
@javax.ws.rs.Path("/{entryPoint}")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@WithTimer(suffix = "_json")
@Deprecated
public StartProcessResponse start(@PathParam("entryPoint") String entryPoint, Map<String, Object> req, @QueryParam("parentId") UUID parentInstanceId, @Deprecated @DefaultValue("false") @QueryParam("sync") boolean sync, @QueryParam("out") String[] out) {
    if (sync) {
        throw syncIsForbidden();
    }
    assertPartialKey(parentInstanceId);
    PartialProcessKey processKey = PartialProcessKey.from(UUID.randomUUID());
    UUID orgId = OrganizationManager.DEFAULT_ORG_ID;
    EntryPoint ep = payloadManager.parseEntryPoint(processKey, orgId, entryPoint);
    UserPrincipal userPrincipal = UserPrincipal.assertCurrent();
    Payload payload;
    try {
        payload = payloadManager.createPayload(processKey, parentInstanceId, userPrincipal.getId(), userPrincipal.getUsername(), ep, req, out);
    } catch (IOException e) {
        log.error("start ['{}'] -> error creating a payload: {}", entryPoint, e);
        throw new ConcordApplicationException("Error creating a payload", e);
    }
    return toResponse(processManager.start(payload));
}
Also used : PartialProcessKey(com.walmartlabs.concord.server.sdk.PartialProcessKey) ConcordApplicationException(com.walmartlabs.concord.server.sdk.ConcordApplicationException) EntryPoint(com.walmartlabs.concord.server.process.PayloadManager.EntryPoint) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal) WithTimer(com.walmartlabs.concord.server.sdk.metrics.WithTimer) ApiOperation(io.swagger.annotations.ApiOperation)

Example 18 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

From the class ProcessCheckpointManager, method assertProcessAccess.

public void assertProcessAccess(ProcessEntry e) {
    UserPrincipal p = UserPrincipal.assertCurrent();
    UUID initiatorId = e.initiatorId();
    if (p.getId().equals(initiatorId)) {
        // process owners should be able to restore the process from a checkpoint
        return;
    }
    // administrators may restore any process
    if (Roles.isAdmin()) {
        return;
    }
    // otherwise the user needs at least WRITER access to the process' project;
    // assertAccess throws if the current user doesn't have it
    UUID projectId = e.projectId();
    if (projectId != null) {
        projectAccessManager.assertAccess(projectId, ResourceAccessLevel.WRITER, false);
        return;
    }
    // a process without a project: only its initiator or an admin may restore it
    throw new UnauthorizedException("The current user (" + p.getUsername() + ") doesn't have " + "the necessary permissions to restore the process using a checkpoint: " + e.instanceId());
}
Also used : UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) UUID(java.util.UUID) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Example 19 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

From the class ApiKeyRealm, method doGetAuthenticationInfo.

@Override
@WithTimer
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    ApiKey t = (ApiKey) token;
    UserEntry u = userManager.get(t.getUserId()).orElse(null);
    if (u == null) {
        // unknown user: returning null tells Shiro this realm has no account for the token
        return null;
    }
    // a disabled account must not authenticate even with a valid API key
    if (u.isDisabled()) {
        throw new AuthenticationException("User account '" + u.getName() + "' is disabled");
    }
    // record the successful API key authentication, including which key was used
    auditLog.add(AuditObject.SYSTEM, AuditAction.ACCESS).userId(u.getId()).field("realm", REALM_NAME).field("apiKeyId", t.getKeyId()).log();
    // both the user principal and the API key token are exposed as principals of the subject
    UserPrincipal p = new UserPrincipal(REALM_NAME, u);
    return new SimpleAccount(Arrays.asList(p, t), t.getKey(), getName());
}
Also used : SimpleAccount(org.apache.shiro.authc.SimpleAccount) AuthenticationException(org.apache.shiro.authc.AuthenticationException) UserEntry(com.walmartlabs.concord.server.user.UserEntry) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal) WithTimer(com.walmartlabs.concord.server.sdk.metrics.WithTimer)

Example 20 with UserPrincipal

Use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

From the class ProcessResource, method start (multipart request body).

/**
 * Starts a new process instance using the specified entry point and multipart request data.
 *
 * @param entryPoint
 * @param input
 * @param parentInstanceId
 * @param sync
 * @return
 * @deprecated use {@link #start(MultipartInput, UUID, boolean, String[], HttpServletRequest)}
 */
@POST
@ApiOperation(value = "Start a new process using the specified entry point and multipart request data", hidden = true)
@javax.ws.rs.Path("/{entryPoint}")
@Consumes(MediaType.MULTIPART_FORM_DATA)
@Produces(MediaType.APPLICATION_JSON)
@WithTimer(suffix = "_with_entrypoint")
@Deprecated
public StartProcessResponse start(@PathParam("entryPoint") String entryPoint, MultipartInput input, @QueryParam("parentId") UUID parentInstanceId, @Deprecated @DefaultValue("false") @QueryParam("sync") boolean sync, @QueryParam("out") String[] out) {
    if (sync) {
        throw syncIsForbidden();
    }
    assertPartialKey(parentInstanceId);
    PartialProcessKey processKey = PartialProcessKey.from(UUID.randomUUID());
    UUID orgId = OrganizationManager.DEFAULT_ORG_ID;
    EntryPoint ep = payloadManager.parseEntryPoint(processKey, orgId, entryPoint);
    UserPrincipal userPrincipal = UserPrincipal.assertCurrent();
    Payload payload;
    try {
        payload = payloadManager.createPayload(processKey, parentInstanceId, userPrincipal.getId(), userPrincipal.getUsername(), ep, input, out);
    } catch (IOException e) {
        log.error("start ['{}'] -> error creating a payload: {}", entryPoint, e);
        throw new ConcordApplicationException("Error creating a payload", e);
    }
    return toResponse(processManager.start(payload));
}
Also used : PartialProcessKey(com.walmartlabs.concord.server.sdk.PartialProcessKey) ConcordApplicationException(com.walmartlabs.concord.server.sdk.ConcordApplicationException) EntryPoint(com.walmartlabs.concord.server.process.PayloadManager.EntryPoint) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal) WithTimer(com.walmartlabs.concord.server.sdk.metrics.WithTimer) ApiOperation(io.swagger.annotations.ApiOperation)

Aggregations

UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal) 37
UnauthorizedException (org.apache.shiro.authz.UnauthorizedException) 15
WithTimer (com.walmartlabs.concord.server.sdk.metrics.WithTimer) 14
ConcordApplicationException (com.walmartlabs.concord.server.sdk.ConcordApplicationException) 9
UserEntry (com.walmartlabs.concord.server.user.UserEntry) 8
UUID (java.util.UUID) 8
PartialProcessKey (com.walmartlabs.concord.server.sdk.PartialProcessKey) 7
ApiOperation (io.swagger.annotations.ApiOperation) 6
OrganizationEntry (com.walmartlabs.concord.server.org.OrganizationEntry) 3
EntryPoint (com.walmartlabs.concord.server.process.PayloadManager.EntryPoint) 3
ProcessEntry (com.walmartlabs.concord.server.process.ProcessEntry) 3
SessionKeyPrincipal (com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal) 3
SimpleAccount (org.apache.shiro.authc.SimpleAccount) 3
ValidationErrorsException (org.sonatype.siesta.ValidationErrorsException) 3
ProcessKey (com.walmartlabs.concord.server.sdk.ProcessKey) 2
LdapPrincipal (com.walmartlabs.concord.server.security.ldap.LdapPrincipal) 2
SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection) 2
Subject (org.apache.shiro.subject.Subject) 2
CacheBuilder (com.google.common.cache.CacheBuilder) 1
Imports (com.walmartlabs.concord.imports.Imports) 1