use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.
the class ProcessManager method assertUpdateRights.
private void assertUpdateRights(PartialProcessKey processKey) {
if (Roles.isAdmin() || Roles.isGlobalWriter()) {
return;
}
UserPrincipal p = UserPrincipal.assertCurrent();
SessionKeyPrincipal s = SessionKeyPrincipal.getCurrent();
if (s != null && processKey.partOf(s.getProcessKey())) {
// processes can update their own statuses
return;
}
throw new UnauthorizedException("The current user (" + p.getUsername() + ") does not have permissions " + "to update the process status: " + processKey);
}
use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.
the class ProcessSecurityContext method storeCurrentSubject.
public void storeCurrentSubject(ProcessKey processKey) {
Subject s = SecurityUtils.getSubject();
PrincipalCollection src = s.getPrincipals();
// filter out transient principals
SimplePrincipalCollection dst = new SimplePrincipalCollection();
for (String realm : src.getRealmNames()) {
Collection ps = src.fromRealm(realm);
for (Object p : ps) {
if (p instanceof SessionKeyPrincipal) {
continue;
}
dst.add(p, realm);
}
}
stateManager.replace(processKey, PRINCIPAL_FILE_PATH, PrincipalUtils.serialize(dst));
}
use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.
the class ProcessLogAccessManager method assertLogAccess.
public ProcessKey assertLogAccess(UUID instanceId) {
ProcessEntry pe = processManager.assertProcess(instanceId);
ProcessKey pk = new ProcessKey(pe.instanceId(), pe.createdAt());
if (!processCfg.isCheckLogPermissions()) {
return pk;
}
if (Roles.isAdmin() || Roles.isGlobalReader()) {
return pk;
}
UserPrincipal principal = UserPrincipal.assertCurrent();
UUID initiatorId = pe.initiatorId();
if (principal.getId().equals(initiatorId)) {
// process owners should be able to view the process' logs
return pk;
}
SessionKeyPrincipal s = SessionKeyPrincipal.getCurrent();
if (s != null && pk.partOf(s.getProcessKey())) {
// processes can access their own logs
return pk;
}
if (pe.projectId() != null) {
projectAccessManager.assertAccess(pe.projectId(), ResourceAccessLevel.WRITER, true);
return pk;
}
throw new UnauthorizedException("The current user (" + principal.getUsername() + ") doesn't have " + "the necessary permissions to view the process log: " + instanceId);
}
use of com.walmartlabs.concord.server.security.sessionkey.SessionKeyPrincipal in project concord by walmartlabs.
the class SecretManager method assertProjectScope.
private void assertProjectScope(AccessScope scope, SecretEntry e) {
UUID projectId = e.getProjectId();
if (projectId == null) {
return;
}
// currently both the server and the agent access repositories and thus require access to secrets
// the agent uses its own API key which is typically a "globalReader". That is why we need to check both
// "globalReaders" and the current session token
// TODO create a separate role or move the repository cloning into the runner and use session tokens?
UserPrincipal u = UserPrincipal.getCurrent();
if (u != null && Roles.isGlobalReader()) {
return;
}
if (scope instanceof InternalAccessScope) {
return;
}
// internal access within a scope of a project
if (scope instanceof ProjectAccessScope) {
UUID scopeProjectId = ((ProjectAccessScope) scope).getProjectId();
if (!projectId.equals(scopeProjectId)) {
throw new UnauthorizedException("Project-scoped secrets can only be accessed within the project they belong to. Secret: " + e.getName());
}
return;
}
SessionKeyPrincipal session = SessionKeyPrincipal.getCurrent();
if (session == null) {
throw new UnauthorizedException("Project-scoped secrets can only be accessed within a running process. Secret: " + e.getName());
}
ProcessEntry p = processQueueManager.get(session.getProcessKey());
if (p == null) {
throw new IllegalStateException("Process not found: " + session.getProcessKey());
}
if (!projectId.equals(p.projectId())) {
throw new UnauthorizedException("Project-scoped secrets can only be accessed within the project they belong to. Secret: " + e.getName());
}
}
Aggregations