
Example 1 with SessionKeyPrincipal

use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.

the class ProcessManager method assertUpdateRights.

/**
 * Authorization gate for process status updates.
 *
 * <p>The check passes for callers that {@code Roles} reports as admin or
 * global writer, and for requests carrying a {@link SessionKeyPrincipal}
 * whose process key the target key is {@code partOf}. Every other caller is
 * rejected.
 *
 * @param processKey key of the process whose status is about to be updated
 * @throws UnauthorizedException if none of the grants above applies
 */
private void assertUpdateRights(PartialProcessKey processKey) {
    boolean privileged = Roles.isAdmin() || Roles.isGlobalWriter();
    if (privileged) {
        return;
    }

    // Resolved before the session-key check, so a request without a current
    // user is handled by assertCurrent() first. The principal is otherwise
    // only used to name the caller in the denial message.
    // NOTE(review): presumably assertCurrent() throws when no user is bound - confirm.
    UserPrincipal currentUser = UserPrincipal.assertCurrent();

    // A process may update its own status: the session key is bound to a
    // process key, and the grant is limited to targets that are partOf it.
    SessionKeyPrincipal sessionKey = SessionKeyPrincipal.getCurrent();
    boolean ownProcess = sessionKey != null && processKey.partOf(sessionKey.getProcessKey());
    if (!ownProcess) {
        throw new UnauthorizedException("The current user (" + currentUser.getUsername() + ") does not have permissions " + "to update the process status: " + processKey);
    }
}
Also used : SessionKeyPrincipal(com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal) UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Example 2 with SessionKeyPrincipal

use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.

the class ProcessSecurityContext method storeCurrentSubject.

/**
 * Persists the principals of the current Shiro subject into the state of
 * the given process.
 *
 * <p>{@link SessionKeyPrincipal} entries are dropped before serialization,
 * so the stored collection never contains a session-key principal. All other
 * principals are copied with their realm name preserved.
 *
 * @param processKey process whose state receives the serialized principals
 */
public void storeCurrentSubject(ProcessKey processKey) {
    // NOTE(review): no null check on getPrincipals() here - confirm callers
    // only invoke this for an authenticated subject.
    PrincipalCollection current = SecurityUtils.getSubject().getPrincipals();

    SimplePrincipalCollection persisted = new SimplePrincipalCollection();
    for (String realmName : current.getRealmNames()) {
        for (Object principal : current.fromRealm(realmName)) {
            // transient principals (session keys) must not be written to the process state
            if (!(principal instanceof SessionKeyPrincipal)) {
                persisted.add(principal, realmName);
            }
        }
    }

    // Replaces whatever was stored under PRINCIPAL_FILE_PATH for this process.
    // NOTE(review): the stored bytes later define an identity; confirm the
    // reading side only accepts data written through this path.
    stateManager.replace(processKey, PRINCIPAL_FILE_PATH, PrincipalUtils.serialize(persisted));
}
Also used : SessionKeyPrincipal(com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) Collection(java.util.Collection) Subject(org.apache.shiro.subject.Subject)

Example 3 with SessionKeyPrincipal

use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.

the class ProcessLogAccessManager method assertLogAccess.

/**
 * Resolves the process for {@code instanceId} and verifies that the caller
 * may read its log.
 *
 * <p>Grants are evaluated in this order; the first match returns the key:
 * <ol>
 *   <li>log permission checks are switched off in {@code processCfg};</li>
 *   <li>the caller is an admin or a global reader;</li>
 *   <li>the caller's user ID equals the process initiator ID;</li>
 *   <li>the request carries a session key whose process key this process is
 *       {@code partOf};</li>
 *   <li>the process belongs to a project and
 *       {@code projectAccessManager.assertAccess} accepts the caller at
 *       {@code WRITER} level.</li>
 * </ol>
 * A process without a project that matches none of the first four grants is
 * rejected.
 *
 * @param instanceId ID of the process whose log is requested
 * @return the key built from the process entry's instance ID and creation time
 * @throws UnauthorizedException if no grant applies and the process has no project
 */
public ProcessKey assertLogAccess(UUID instanceId) {
    ProcessEntry entry = processManager.assertProcess(instanceId);
    ProcessKey key = new ProcessKey(entry.instanceId(), entry.createdAt());

    // With the configuration flag off, every caller that reaches this point
    // gets the key; the role checks only matter when the flag is on.
    boolean checksDisabled = !processCfg.isCheckLogPermissions();
    if (checksDisabled || Roles.isAdmin() || Roles.isGlobalReader()) {
        return key;
    }

    UserPrincipal principal = UserPrincipal.assertCurrent();

    // the initiator of a process may read that process' log
    UUID initiatorId = entry.initiatorId();
    boolean isInitiator = principal.getId().equals(initiatorId);
    if (isInitiator) {
        return key;
    }

    // a running process may read its own log via its session key
    SessionKeyPrincipal sessionKey = SessionKeyPrincipal.getCurrent();
    if (sessionKey != null && key.partOf(sessionKey.getProcessKey())) {
        return key;
    }

    if (entry.projectId() == null) {
        throw new UnauthorizedException("The current user (" + principal.getUsername() + ") doesn't have " + "the necessary permissions to view the process log: " + instanceId);
    }

    // Reading a project's process log requires WRITER on the project.
    // NOTE(review): the meaning of the trailing `true` is not visible here - confirm.
    projectAccessManager.assertAccess(entry.projectId(), ResourceAccessLevel.WRITER, true);
    return key;
}
Also used : SessionKeyPrincipal(com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal) UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) ProcessEntry(com.walmartlabs.concord.server.process.ProcessEntry) ProcessKey(com.walmartlabs.concord.server.sdk.ProcessKey) UUID(java.util.UUID) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Example 4 with SessionKeyPrincipal

use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.

the class SecretManager method assertProjectScope.

/**
 * Enforces the project binding of a secret: a secret that carries a project
 * ID may only be used from within that project.
 *
 * <p>Secrets without a project ID pass immediately. For project-scoped
 * secrets the check passes when the caller is a current user with the
 * global reader role, when the scope is an {@code InternalAccessScope},
 * when a {@code ProjectAccessScope} names the same project, or when the
 * current session key belongs to a process of the same project.
 *
 * @param scope access scope under which the secret is requested
 * @param e the secret being accessed
 * @throws UnauthorizedException if the secret is requested outside its
 *     project or outside a running process
 * @throws IllegalStateException if the session's process is not found in
 *     the process queue
 */
private void assertProjectScope(AccessScope scope, SecretEntry e) {
    final UUID secretProjectId = e.getProjectId();
    if (secretProjectId == null) {
        return;
    }

    // Both the server and the agent access repositories and therefore need
    // secrets. The agent authenticates with its own API key, typically a
    // "globalReader", so global readers are let through in addition to the
    // session-token path below. Consequence: any global reader can use
    // project-scoped secrets of every project.
    // TODO create a separate role or move the repository cloning into the runner and use session tokens?
    UserPrincipal currentUser = UserPrincipal.getCurrent();
    boolean globalReader = currentUser != null && Roles.isGlobalReader();
    if (globalReader || scope instanceof InternalAccessScope) {
        return;
    }

    // internal access bound to one project: that project must own the secret
    if (scope instanceof ProjectAccessScope) {
        ProjectAccessScope projectScope = (ProjectAccessScope) scope;
        if (secretProjectId.equals(projectScope.getProjectId())) {
            return;
        }
        throw new UnauthorizedException("Project-scoped secrets can only be accessed within the project they belong to. Secret: " + e.getName());
    }

    // Any other scope: the request must come from a running process, and
    // that process must belong to the secret's project.
    SessionKeyPrincipal session = SessionKeyPrincipal.getCurrent();
    if (session == null) {
        throw new UnauthorizedException("Project-scoped secrets can only be accessed within a running process. Secret: " + e.getName());
    }

    ProcessEntry process = processQueueManager.get(session.getProcessKey());
    if (process == null) {
        throw new IllegalStateException("Process not found: " + session.getProcessKey());
    }

    // equals() is invoked on the secret's (non-null) project ID, so a process
    // without a project is rejected rather than causing a NullPointerException
    if (secretProjectId.equals(process.projectId())) {
        return;
    }
    throw new UnauthorizedException("Project-scoped secrets can only be accessed within the project they belong to. Secret: " + e.getName());
}
Also used : SessionKeyPrincipal(com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal) UnauthorizedException(org.apache.shiro.authz.UnauthorizedException) ProcessEntry(com.walmartlabs.concord.server.process.ProcessEntry) UserPrincipal(com.walmartlabs.concord.server.security.UserPrincipal)

Aggregations

SessionKeyPrincipal (com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal)4 UserPrincipal (com.walmartlabs.concord.server.security.UserPrincipal)3 UnauthorizedException (org.apache.shiro.authz.UnauthorizedException)3 ProcessEntry (com.walmartlabs.concord.server.process.ProcessEntry)2 ProcessKey (com.walmartlabs.concord.server.sdk.ProcessKey)1 Collection (java.util.Collection)1 UUID (java.util.UUID)1 PrincipalCollection (org.apache.shiro.subject.PrincipalCollection)1 SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection)1 Subject (org.apache.shiro.subject.Subject)1