


the class VerifyFieldAccessFilterExpressionVisitor method evaluateUserChecks.

/**
 * Evaluate the user-level {@link ReadPermission} checks for every element of the
 * predicate's path and fold them into one result:
 * <ol>
 * <li>every element PASS &rarr; PASS
 * <li>any element FAIL &rarr; FAIL (stops at the first failing element)
 * <li>anything else &rarr; DEFERRED
 * </ol>
 * A {@link ForbiddenAccessException} raised while checking an element is not propagated;
 * it is handed to {@code permissionExecutor.handleFilterJoinReject}, whose result stands in
 * for that element and is folded like any other.
 * <p>
 * NOTE(review): the per-element checks run against the executor obtained from the
 * resource's request scope, while a rejected join is routed through the
 * {@code permissionExecutor} argument. Presumably both are the same instance -- confirm
 * with the callers before relying on it.
 *
 * @param filterPredicate the predicate whose path is being validated
 * @param permissionExecutor the executor consulted when an element's check is rejected
 * @return the folded {@link ExpressionResult}
 */
private ExpressionResult evaluateUserChecks(FilterPredicate filterPredicate, PermissionExecutor permissionExecutor) {
    PermissionExecutor scopeExecutor = resource.getRequestScope().getPermissionExecutor();
    boolean anyDeferred = false;
    for (PathElement pathElement : filterPredicate.getPath().getPathElements()) {
        ExpressionResult elementResult;
        try {
            elementResult = scopeExecutor.checkUserPermissions(
                    pathElement.getType(), ReadPermission.class, pathElement.getFieldName());
        } catch (ForbiddenAccessException rejected) {
            // The rejection is not fatal on its own: the executor decides how a forbidden join is treated.
            elementResult = permissionExecutor.handleFilterJoinReject(filterPredicate, pathElement, rejected);
        }
        if (elementResult == ExpressionResult.FAIL) {
            // One failing element decides the whole path.
            return ExpressionResult.FAIL;
        }
        if (elementResult != ExpressionResult.PASS) {
            // Anything that is neither PASS nor FAIL (including null) leaves the path undecided.
            anyDeferred = true;
        }
    }
    return anyDeferred ? ExpressionResult.DEFERRED : ExpressionResult.PASS;
}



the class AbstractPermissionExecutor method executeCommitChecks.

/**
 * Run every check that was deferred to commit time, each with {@code ALL_CHECKS}.
 * <p>
 * Only a {@code FAIL} result is enforced: it is wrapped in a
 * {@link ForbiddenAccessException} (traced when trace logging is on) and thrown, which
 * stops the remaining checks. Any other result -- {@code PASS}, or a check that is still
 * {@code DEFERRED} even under {@code ALL_CHECKS} -- lets the commit proceed.
 * <p>
 * The queue is emptied only when every queued check has run without throwing; a thrown
 * exception leaves the unprocessed entries queued.
 *
 * @throws ForbiddenAccessException for the first queued check that fails
 */
@Override
public void executeCommitChecks() {
    commitCheckQueue.forEach(queued -> {
        Expression deferred = queued.getExpression();
        if (deferred.evaluate(Expression.EvaluationMode.ALL_CHECKS) != FAIL) {
            // PASS, or still undecided: nothing to enforce for this entry.
            return;
        }
        ForbiddenAccessException denied = new ForbiddenAccessException(
                queued.getAnnotationClass(), deferred, Expression.EvaluationMode.ALL_CHECKS);
        if (log.isTraceEnabled()) {
            log.trace("{}", denied.getLoggedMessage());
        }
        throw denied;
    });
    commitCheckQueue.clear();
}



the class IncludedProcessor method addResourcesForPath.

/**
 * Walk one relationship path from {@code rec}, adding every resource reached along it to
 * the included block of the document and recursing into the next path segment for each.
 * <p>
 * Access control: the relationship is read through {@code getRelationCheckedFiltered}, so
 * only resources the current user may read are included. If reading the relationship
 * itself is forbidden the whole branch is dropped silently -- the document carries no
 * error for it.
 * <p>
 * Side effect: the head of {@code relationPath} is removed from the list passed in. The
 * recursion below hands each child a copy so sibling branches keep their remaining path;
 * callers that reuse the list afterwards must do the same.
 *
 * @param jsonApiDocument document whose included block is appended to
 * @param rec the resource from which the path is walked
 * @param relationPath remaining relation names, consumed from the front; must not be empty
 * @param projection projection that provides the relationship for the head of the path
 * @throws IllegalStateException if {@code projection} has no relationship for the head of the path
 */
private void addResourcesForPath(JsonApiDocument jsonApiDocument, PersistentResource<?> rec, List<String> relationPath, EntityProjection projection) {
    String head = relationPath.remove(0);
    Relationship relationship = projection.getRelationship(head).orElseThrow(IllegalStateException::new);
    Set<PersistentResource> related;
    try {
        related = rec.getRelationCheckedFiltered(relationship).toList(LinkedHashSet::new).blockingGet();
    } catch (ForbiddenAccessException notPermitted) {
        // Not readable by this user: omit the branch rather than fail the whole request.
        return;
    }
    boolean descend = !relationPath.isEmpty();
    for (PersistentResource member : related) {
        jsonApiDocument.addIncluded(member.toResource());
        if (descend) {
            // Copy the remaining path so this branch's consumption does not affect its siblings.
            addResourcesForPath(jsonApiDocument, member, new ArrayList<>(relationPath), relationship.getProjection());
        }
    }
}



the class ActivePermissionExecutor method executeExpressions.

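/**
 * Evaluate a permission expression in the given mode and enforce the outcome.
 * <ul>
 * <li>{@code PASS}: returned as-is.
 * <li>{@code FAIL}: a {@link ForbiddenAccessException} is thrown (its message is traced
 *     when trace logging is on).
 * <li>{@code DEFERRED}: in {@code USER_CHECKS_ONLY} mode returned as-is (nothing is
 *     queued; the full evaluation happens later); for a permission that can only be
 *     decided inline, re-evaluated immediately with {@code ALL_CHECKS} and enforced;
 *     otherwise queued for the commit-time checks.
 * </ul>
 * When trace logging is on, the number of evaluations per expression is accumulated in
 * {@code checkStats}; the map is not touched otherwise.
 *
 * @param expression The expression to evaluate.
 * @param annotationClass The permission associated with the expression.
 * @param mode The evaluation mode of the expression.
 * @return {@code PASS} or {@code DEFERRED}; after a forced inline re-evaluation, whatever
 *         that evaluation produced other than {@code FAIL} (which may itself still be
 *         {@code DEFERRED} -- that value is returned, not queued)
 * @throws ForbiddenAccessException if the expression, or its forced inline re-evaluation, fails
 */
private ExpressionResult executeExpressions(final Expression expression, final Class<? extends Annotation> annotationClass, Expression.EvaluationMode mode) {
    ExpressionResult result = expression.evaluate(mode);
    // Record the check; statistics are only maintained while tracing.
    if (log.isTraceEnabled()) {
        checkStats.merge(expression.toString(), 1L, Long::sum);
    }
    if (result == DEFERRED) {
        /*
         * Running only the user checks is an optimization step.  Nothing is deferred here
         * because INLINE_ONLY checks will be evaluated later, and user checks lack the
         * context needed to run as COMMIT checks.
         */
        if (mode == Expression.EvaluationMode.USER_CHECKS_ONLY) {
            return DEFERRED;
        }
        if (isInlineOnlyCheck(annotationClass)) {
            // This permission can only be decided inline: force the full evaluation now.
            result = expression.evaluate(Expression.EvaluationMode.ALL_CHECKS);
            if (result == FAIL) {
                throw forbidden(annotationClass, expression, Expression.EvaluationMode.ALL_CHECKS);
            }
            return result;
        }
        commitCheckQueue.add(new QueuedCheck(expression, annotationClass));
        return DEFERRED;
    }
    if (result == FAIL) {
        throw forbidden(annotationClass, expression, mode);
    }
    return result;
}

/**
 * Build the exception for a failed permission check, tracing its logged message when enabled.
 * Returned rather than thrown so the {@code throw} stays visible at each call site.
 *
 * @param annotationClass the permission that failed
 * @param expression the expression that evaluated to {@code FAIL}
 * @param mode the mode the failing evaluation ran in
 * @return the exception for the caller to throw
 */
private ForbiddenAccessException forbidden(Class<? extends Annotation> annotationClass, Expression expression, Expression.EvaluationMode mode) {
    ForbiddenAccessException e = new ForbiddenAccessException(annotationClass, expression, mode);
    if (log.isTraceEnabled()) {
        log.trace("{}", e.getLoggedMessage());
    }
    return e;
}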



the class Relationship method toPersistentResources.

/**
 * Resolve this relationship's linkage data into persistent resources.
 * <p>
 * Returns {@code null} when there is no data block at all, or when a to-one relationship
 * resolves to nothing; otherwise the (possibly empty) set of resolved resources in linkage
 * order. Null linkage entries are skipped.
 * <p>
 * Access control: a linkage entry the user is not permitted to load
 * ({@link ForbiddenAccessException}) is dropped without error, so the result cannot tell
 * "not permitted" apart from "not supplied". Presumably this avoids confirming the
 * existence of resources the caller may not read; the trade-off is that a relationship
 * write built from this set silently loses the rejected entries. Note that
 * {@code ForbiddenAccessException} stays in the throws clause even though every such
 * exception raised in the loop is caught here.
 *
 * @param requestScope scope used to load each referenced resource
 * @return the resolved resources, or {@code null} as described above
 * @throws InvalidObjectIdentifierException declared by the signature; presumably raised by
 *         {@code Resource.toPersistentResource} for an id that does not resolve -- verify
 */
public Set<PersistentResource> toPersistentResources(RequestScope requestScope) throws ForbiddenAccessException, InvalidObjectIdentifierException {
    if (data == null) {
        return null;
    }
    Set<PersistentResource> resolved = new LinkedHashSet<>();
    Collection<Resource> linkage = data.get();
    if (linkage != null) {
        for (Resource linked : linkage) {
            if (linked == null) {
                continue;
            }
            try {
                resolved.add(linked.toPersistentResource(requestScope));
            } catch (ForbiddenAccessException ignored) {
                // Deliberately skipped: unreadable targets are omitted rather than failing the call.
            }
        }
    }
    boolean emptyToOne = resolved.isEmpty() && data.isToOne();
    return emptyToOne ? null : resolved;
}
