
Example 31 with UserPrincipal

use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

the class ProcessLogAccessManager method assertLogAccess.

/**
 * Resolves the process behind {@code instanceId} and checks whether the current caller may
 * read its log.
 *
 * <p>The rules are evaluated in this order and the first match grants access:
 * <ol>
 *   <li>log permission checks are switched off in the process configuration;</li>
 *   <li>the caller is an admin or a global reader;</li>
 *   <li>the caller is the initiator of the process;</li>
 *   <li>the current session key belongs to this process (as decided by {@code partOf});</li>
 *   <li>the process has a project and {@code projectAccessManager.assertAccess} accepts the
 *       caller at {@code WRITER} level.</li>
 * </ol>
 *
 * <p>NOTE(review): with {@code isCheckLogPermissions()} disabled, every caller that gets past
 * {@code processManager.assertProcess} receives the key; whether that call performs any
 * authorization of its own is not visible here. Process logs commonly contain sensitive
 * output, so the switch is worth auditing in production configurations.
 *
 * <p>NOTE(review): {@code UserPrincipal.assertCurrent()} runs before the session-key rule, so
 * a caller without a user principal presumably fails there and never reaches rule 4 —
 * confirm against {@code UserPrincipal}.
 *
 * @param instanceId ID of the process whose log is requested
 * @return the key (instance ID and creation timestamp) of the process
 * @throws UnauthorizedException if none of the rules above matches and the process has no
 *     project; for processes with a project the outcome is decided by
 *     {@code projectAccessManager.assertAccess}
 */
public ProcessKey assertLogAccess(UUID instanceId) {
    ProcessEntry process = processManager.assertProcess(instanceId);
    ProcessKey key = new ProcessKey(process.instanceId(), process.createdAt());

    // Evaluated left to right: the configuration switch first, then the global roles.
    if (!processCfg.isCheckLogPermissions() || Roles.isAdmin() || Roles.isGlobalReader()) {
        return key;
    }

    UserPrincipal caller = UserPrincipal.assertCurrent();
    UUID initiatorId = process.initiatorId();
    boolean callerStartedProcess = caller.getId().equals(initiatorId);
    if (callerStartedProcess) {
        // whoever started the process may read its log
        return key;
    }

    SessionKeyPrincipal session = SessionKeyPrincipal.getCurrent();
    boolean ownSession = session != null && key.partOf(session.getProcessKey());
    if (ownSession) {
        // a running process may read its own log through its session key
        return key;
    }

    if (process.projectId() == null) {
        // no project to fall back on, so nothing else can grant access
        throw new UnauthorizedException("The current user (" + caller.getUsername() + ") doesn't have the necessary permissions to view the process log: " + instanceId);
    }

    // Project-bound process: the decision is delegated to the project's access rules (WRITER level).
    projectAccessManager.assertAccess(process.projectId(), ResourceAccessLevel.WRITER, true);
    return key;
}
Also used : SessionKeyPrincipal(com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal) UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) ProcessEntry(com.walmartlabs.concord.server.process.ProcessEntry) ProcessKey(com.walmartlabs.concord.server.sdk.ProcessKey) UUID(java.util.UUID) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Example 32 with UserPrincipal

use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

the class SecretManager method assertProjectScope.

/**
 * Ensures that a secret bound to a project is only used from within that project.
 *
 * <p>Secrets without a project ID pass unconditionally. Otherwise the call passes when the
 * current user is a global reader, when {@code scope} is an {@code InternalAccessScope}, when
 * {@code scope} is a {@code ProjectAccessScope} for the secret's project, or when the current
 * session key belongs to a process of the secret's project.
 *
 * <p>NOTE(review): the global-reader shortcut lets any principal holding that role use
 * project-scoped secrets of every project. The existing TODO acknowledges this; until a
 * dedicated role exists, the set of keys holding "globalReader" is effectively the set of
 * identities able to bypass project scoping and should be kept minimal and audited.
 *
 * @param scope the access scope the secret is requested in
 * @param e the secret being accessed
 * @throws UnauthorizedException if the secret is requested outside of its project or outside
 *     of a running process
 * @throws IllegalStateException if the process referenced by the session key cannot be found
 */
private void assertProjectScope(AccessScope scope, SecretEntry e) {
    UUID secretProjectId = e.getProjectId();
    if (secretProjectId == null) {
        // the secret is not bound to any project
        return;
    }

    // Both the server and the agent currently access repositories and therefore need secrets.
    // The agent authenticates with its own API key, typically a "globalReader", which is why
    // global readers are accepted here in addition to the current session token.
    // TODO create a separate role or move the repository cloning into the runner and use session tokens?
    UserPrincipal currentUser = UserPrincipal.getCurrent();
    boolean globalReader = currentUser != null && Roles.isGlobalReader();
    if (globalReader || scope instanceof InternalAccessScope) {
        return;
    }

    // internal access made on behalf of a specific project
    if (scope instanceof ProjectAccessScope) {
        UUID scopeProjectId = ((ProjectAccessScope) scope).getProjectId();
        if (secretProjectId.equals(scopeProjectId)) {
            return;
        }
        throw new UnauthorizedException("Project-scoped secrets can only be accessed within the project they belong to. Secret: " + e.getName());
    }

    // any other scope: the request must come from a running process of the same project
    SessionKeyPrincipal session = SessionKeyPrincipal.getCurrent();
    if (session == null) {
        throw new UnauthorizedException("Project-scoped secrets can only be accessed within a running process. Secret: " + e.getName());
    }

    ProcessEntry process = processQueueManager.get(session.getProcessKey());
    if (process == null) {
        throw new IllegalStateException("Process not found: " + session.getProcessKey());
    }

    boolean sameProject = secretProjectId.equals(process.projectId());
    if (!sameProject) {
        throw new UnauthorizedException("Project-scoped secrets can only be accessed within the project they belong to. Secret: " + e.getName());
    }
}
Also used : SessionKeyPrincipal(com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal) UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) ProcessEntry(com.walmartlabs.concord.server.process.ProcessEntry) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Example 33 with UserPrincipal

use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

the class SecretManager method assertAccess.

/**
 * Looks up a secret, either by ID or by organization ID plus name, and verifies that the
 * current user may access it at the requested level.
 *
 * <p>The lookup happens first; the authorization rules are then evaluated in this order and
 * the first match returns the entry: admin; global reader/writer for {@code READER}, global
 * writer for {@code WRITER}; owner of the secret; organization member reading a PUBLIC secret
 * (only when {@code orgMembersOnly} is set); owner of the organization; finally an explicit
 * access-level check via {@code secretDao.hasAccessLevel}.
 *
 * <p>NOTE(review): "Secret not found" (404) is raised before any permission check, so the
 * response differs between an existing-but-forbidden secret and a missing one. If secret
 * names or IDs are considered sensitive, confirm that callers do not expose this difference
 * to unauthorized users.
 *
 * <p>NOTE(review): when {@code secretId} is given, {@code orgId} is not compared with the
 * organization of the entry that was found; callers relying on {@code orgId} for scoping
 * should verify it themselves.
 *
 * <p>NOTE(review): with {@code orgMembersOnly == false} and a PUBLIC secret, the final
 * access-level check is skipped for every {@code level}; whether
 * {@code orgManager.assertAccess} restricts that path is not visible here. Confirm that
 * modifying operations always pass {@code orgMembersOnly = true}.
 *
 * @param orgId organization ID, used only for the lookup by name
 * @param secretId secret ID; takes precedence over the name lookup when non-null
 * @param secretName secret name, used together with {@code orgId}
 * @param level the access level being requested
 * @param orgMembersOnly enables the organization-membership rule for PUBLIC secrets and
 *     forces the explicit access-level check at the end
 * @return the secret entry the caller is allowed to access
 * @throws ValidationErrorsException if neither a secret ID nor an organization ID with a
 *     secret name is supplied
 * @throws WebApplicationException with status 404 if the secret does not exist
 * @throws UnauthorizedException if the explicit access-level check fails
 */
@WithTimer
public SecretEntry assertAccess(UUID orgId, UUID secretId, String secretName, ResourceAccessLevel level, boolean orgMembersOnly) {
    // at least one way of identifying the secret is required
    if (secretId == null && (orgId == null || secretName == null)) {
        throw new ValidationErrorsException("Secret ID or an organization ID and a secret name is required");
    }
    SecretEntry e = null;
    // lookup by ID wins when an ID is supplied; orgId/secretName are then not consulted
    if (secretId != null) {
        e = secretDao.get(secretId);
        if (e == null) {
            throw new WebApplicationException("Secret not found: " + secretId, Status.NOT_FOUND);
        }
    }
    // otherwise fall back to the (organization, name) pair
    if (e == null) {
        e = secretDao.getByName(orgId, secretName);
        if (e == null) {
            throw new WebApplicationException("Secret not found: " + secretName, Status.NOT_FOUND);
        }
    }
    if (Roles.isAdmin()) {
        // an admin can access any secret
        return e;
    }
    // global roles: readers and writers may read, only writers may write;
    // any other requested level falls through to the per-user rules below
    if (level == ResourceAccessLevel.READER && (Roles.isGlobalReader() || Roles.isGlobalWriter())) {
        return e;
    } else if (level == ResourceAccessLevel.WRITER && Roles.isGlobalWriter()) {
        return e;
    }
    // from here on a user principal is needed for the per-user checks
    UserPrincipal p = UserPrincipal.assertCurrent();
    EntityOwner owner = e.getOwner();
    if (owner != null && p.getId().equals(owner.id())) {
        // the owner can do anything with their secrets
        return e;
    }
    if (orgMembersOnly && e.getVisibility() == SecretVisibility.PUBLIC && level == ResourceAccessLevel.READER && userDao.isInOrganization(p.getId(), e.getOrgId())) {
        // organization members can access any public secret in the same organization
        return e;
    }
    // organization-level check, delegated to orgManager; its second argument (false) is not explained by this snippet
    OrganizationEntry org = orgManager.assertAccess(e.getOrgId(), false);
    if (ResourceAccessUtils.isSame(p, org.getOwner())) {
        // the org owner can do anything with the org's secrets
        return e;
    }
    if (orgMembersOnly || e.getVisibility() != SecretVisibility.PUBLIC) {
        // restricted to the organization's members, or the secret is not public:
        // an explicit grant of at least the requested level is required
        if (!secretDao.hasAccessLevel(e.getId(), p.getId(), ResourceAccessLevel.atLeast(level))) {
            throw new UnauthorizedException("The current user doesn't have " + "the necessary access level (" + level + ") to the secret: " + e.getName());
        }
    }
    // reached either after a successful explicit check, or for a PUBLIC secret with
    // orgMembersOnly == false, in which case no per-user access level was verified
    return e;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) ValidationErrorsException(org.sonatype.siesta.ValidationErrorsException) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal) WithTimer(com.walmartlabs.concord.server.sdk.metrics.WithTimer)

Example 34 with UserPrincipal

use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

the class ProjectManager method list.

/**
 * Lists the projects of an organization that the current user is allowed to see.
 *
 * <p>Admins, global readers and global writers get an unfiltered listing: for them
 * {@code null} is passed to the DAO instead of the user ID. Everybody else has their own
 * user ID passed along, which the DAO is expected to use for filtering.
 *
 * <p>NOTE(review): visibility is enforced entirely by the DAO query; {@code offset},
 * {@code limit} and {@code filter} are forwarded without validation in this method.
 *
 * @param orgId ID of the organization whose projects are listed
 * @param offset paging offset, passed through to the DAO
 * @param limit page size, passed through to the DAO
 * @param filter filter string, passed through to the DAO
 * @return the matching project entries, ordered by project name
 */
public List<ProjectEntry> list(UUID orgId, int offset, int limit, String filter) {
    UserPrincipal current = UserPrincipal.assertCurrent();
    UUID ownId = current.getId();

    // admins, global readers and global writers may see every project
    boolean seesAllProjects = Roles.isAdmin() || Roles.isGlobalReader() || Roles.isGlobalWriter();

    // a null user ID tells the DAO not to restrict the listing to a particular user
    UUID userFilter = seesAllProjects ? null : ownId;
    return projectDao.list(orgId, userFilter, PROJECTS.PROJECT_NAME, true, offset, limit, filter);
}
Also used : UUID(java.util.UUID) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Example 35 with UserPrincipal

use of com.walmartlabs.concord.server.security.UserPrincipal in project concord by walmartlabs.

the class JsonStoreManager method list.

/**
 * Lists the JSON stores of an organization that the current user is allowed to see.
 *
 * <p>Access to the organization is asserted first via {@code orgManager.assertAccess}.
 * Admins, global readers and global writers then get an unfiltered listing ({@code null} is
 * passed to the DAO instead of the user ID); everybody else has their own user ID passed
 * along, which the DAO is expected to use for filtering.
 *
 * <p>NOTE(review): {@code offset}, {@code limit} and {@code filter} are forwarded to the DAO
 * without validation in this method.
 *
 * @param orgName name of the organization whose stores are listed
 * @param offset paging offset, passed through to the DAO
 * @param limit page size, passed through to the DAO
 * @param filter filter string, passed through to the DAO
 * @return the matching JSON store entries
 */
public List<JsonStoreEntry> list(String orgName, int offset, int limit, String filter) {
    // the organization check comes first, so it runs even for callers with global roles
    OrganizationEntry organization = orgManager.assertAccess(orgName, false);

    UserPrincipal current = UserPrincipal.assertCurrent();
    UUID ownId = current.getId();

    // admins, global readers and global writers may see every store
    boolean seesAllStores = Roles.isAdmin() || Roles.isGlobalReader() || Roles.isGlobalWriter();

    // a null user ID tells the DAO not to restrict the listing to a particular user
    UUID userFilter = seesAllStores ? null : ownId;
    return storeDao.list(organization.getId(), userFilter, offset, limit, filter);
}
Also used : UUID(java.util.UUID) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Aggregations

UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal)37 UnauthorizedException (org.apache.shiro.authz.UnauthorizedException)15 WithTimer (com.walmartlabs.concord.server.sdk.metrics.WithTimer)14 ConcordApplicationException (com.walmartlabs.concord.server.sdk.ConcordApplicationException)9 UserEntry (com.walmartlabs.concord.server.user.UserEntry)8 UUID (java.util.UUID)8 PartialProcessKey (com.walmartlabs.concord.server.sdk.PartialProcessKey)7 ApiOperation (io.swagger.annotations.ApiOperation)6 OrganizationEntry (com.walmartlabs.concord.server.org.OrganizationEntry)3 EntryPoint (com.walmartlabs.concord.server.process.PayloadManager.EntryPoint)3 ProcessEntry (com.walmartlabs.concord.server.process.ProcessEntry)3 SessionKeyPrincipal (com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal)3 SimpleAccount (org.apache.shiro.authc.SimpleAccount)3 ValidationErrorsException (org.sonatype.siesta.ValidationErrorsException)3 ProcessKey (com.walmartlabs.concord.server.sdk.ProcessKey)2 LdapPrincipal (com.walmartlabs.concord.server.security.ldap.LdapPrincipal)2 SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection)2 Subject (org.apache.shiro.subject.Subject)2 CacheBuilder (com.google.common.cache.CacheBuilder)1 Imports (com.walmartlabs.concord.imports.Imports)1