
Example 11 with Check

use of com.yahoo.elide.core.security.checks.Check in project elide by yahoo.

the class EntityDictionary method addSecurityCheck.

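/**
 * Add a security check class and bind it to the dictionary under the name
 * declared by its {@link SecurityCheck} annotation.
 * <p>
 * The bound name is the identifier permission expressions resolve against, so a
 * second registration under the same name silently changes which check a
 * permission evaluates; such a rebinding is logged at WARN so it is visible.
 *
 * @param cls Security check class; must implement {@link Check} and carry a
 *            {@link SecurityCheck} annotation.
 * @throws IllegalStateException if {@code cls} is not a {@link Check}, or has
 *         no {@link SecurityCheck} annotation (the previous code dereferenced
 *         the missing annotation and failed with a NullPointerException).
 */
public void addSecurityCheck(Class<?> cls) {
    if (!Check.class.isAssignableFrom(cls)) {
        throw new IllegalStateException("Class annotated with SecurityCheck is not a Check");
    }
    SecurityCheck securityCheckMeta = cls.getAnnotation(SecurityCheck.class);
    if (securityCheckMeta == null) {
        // No annotation means no name to bind under; fail explicitly instead of NPE.
        throw new IllegalStateException("Check class " + cls.getCanonicalName()
                + " is not annotated with @SecurityCheck");
    }
    String checkName = securityCheckMeta.value();
    Class<? extends Check> checkClass = cls.asSubclass(Check.class);
    log.debug("Register Elide Check [{}] with expression [{}]", cls.getCanonicalName(), checkName);

    Class<? extends Check> previous = checkNames.put(checkName, checkClass);
    if (previous != null && !previous.equals(checkClass)) {
        // Behaviour is unchanged (last registration wins); only make the shadowing visible.
        log.warn("Check name [{}] rebound from [{}] to [{}]", checkName,
                previous.getCanonicalName(), checkClass.getCanonicalName());
    }
    // Populate check instance (presumably instantiates and caches it - see getCheckInstance).
    getCheckInstance(checkName);
}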

Example 12 with Check

use of com.yahoo.elide.core.security.checks.Check in project elide by yahoo.

the class PermissionToFilterExpressionVisitorTest method setupEntityDictionary.

@BeforeEach
public void setupEntityDictionary() {
    // Bind the check names used by this test's permission expressions to test implementations.
    Map<String, Class<? extends Check>> namedChecks = new HashMap<>();
    // Prefab role checks: unconditional allow / deny for any user.
    namedChecks.put(USER_ALLOW, Role.ALL.class);
    namedChecks.put(USER_DENY, Role.NONE.class);
    // Test checks that (per their names) always succeed / always fail.
    namedChecks.put(AT_OP_ALLOW, Permissions.Succeeds.class);
    namedChecks.put(AT_OP_DENY, Permissions.Fails.class);
    // Test checks that (per their names) produce filter expressions.
    namedChecks.put(IN_FILTER, Permissions.InFilterExpression.class);
    namedChecks.put(NOT_IN_FILTER, Permissions.NotInFilterExpression.class);
    namedChecks.put(LT_FILTER, Permissions.LessThanFilterExpression.class);
    namedChecks.put(GE_FILTER, Permissions.GreaterThanOrEqualFilterExpression.class);

    dictionary = TestDictionary.getTestDictionary(namedChecks);
    // No data store is supplied to the builder; only the dictionary is needed here.
    elideSettings = new ElideSettingsBuilder(null)
            .withEntityDictionary(dictionary)
            .build();
    requestScope = newRequestScope();
    cache = new ExpressionResultCache();
}

Example 13 with Check

use of com.yahoo.elide.core.security.checks.Check in project elide by yahoo.

the class PermissionToFilterExpressionVisitor method visitCheckExpression.

@Override
public FilterExpression visitCheckExpression(CheckExpression checkExpression) {
    Check leafCheck = checkExpression.getCheck();

    // A filter check is turned into a data-store filter. A null filter is a broken
    // check implementation, not "no restriction", so it is rejected loudly.
    if (leafCheck instanceof FilterExpressionCheck) {
        FilterExpression pushedDown =
                ((FilterExpressionCheck) leafCheck).getFilterExpression(entityClass, requestScope);
        if (pushedDown == null) {
            throw new IllegalStateException("FilterCheck#getFilterExpression must not return null.");
        }
        return pushedDown;
    }

    // A user check needs only the principal, so it is decided right here.
    if (leafCheck instanceof UserCheck) {
        UserCheck userCheck = (UserCheck) leafCheck;
        if (userCheck.ok(requestScope.getUser())) {
            return TRUE_USER_CHECK_EXPRESSION;
        }
        return FALSE_USER_CHECK_EXPRESSION;
    }

    // Any other check kind (presumably operation checks) cannot be expressed as a
    // filter and is left for evaluation outside this visitor.
    return NO_EVALUATION_EXPRESSION;
}

Example 14 with Check

use of com.yahoo.elide.core.security.checks.Check in project elide by yahoo.

the class PermissionExpressionBuilder method buildUserCheckEntityAndAnyFieldExpression.

/**
 * Build the {@code annotationClass} permission expression for a resource by
 * combining the class-level rule with an "any requested field" rule:
 * <pre>
 *   expression = (entityRule AND (field1Rule OR field2Rule ... OR fieldNRule))
 * </pre>
 * Each leaf check is wrapped in a {@link CheckExpression} built with only the
 * request scope and the shared cache (the two {@code null} arguments are
 * presumably the resource and change spec, which are not available here).
 * The original documentation states this expression strictly evaluates
 * UserCheck's and ignores other checks; that distinction is not made in this
 * method, so it presumably happens when the expression is evaluated - confirm
 * against the expression evaluators.
 * <p>
 * NOTE: This method returns _NO_ commit checks.
 *
 * @param resourceClass   Resource class whose permissions are looked up
 * @param annotationClass Permission annotation (e.g. {@link ReadPermission}) to build for
 * @param requestedFields Fields whose rules make up the OR'd any-field clause
 * @param scope           Request scope handed to every leaf check expression
 * @param <A>             permission annotation type
 * @return the combined expression, or the any-field expression alone when the
 *         class declares no rule for {@code annotationClass}
 */
public <A extends Annotation> Expression buildUserCheckEntityAndAnyFieldExpression(final Type<?> resourceClass, final Class<A> annotationClass, Set<String> requestedFields, final RequestScope scope) {
    final Function<Check, Expression> leaf = check -> new CheckExpression(check, null, scope, null, cache);

    final ParseTree classRule = entityDictionary.getPermissionsForClass(resourceClass, annotationClass);
    final Expression entityRule = normalizedExpressionFromParseTree(classRule, leaf);

    final PermissionCondition condition = new PermissionCondition(annotationClass, resourceClass);
    final Expression anyFieldRule = buildAnyFieldOnlyExpression(condition, leaf, requestedFields);

    // Without a class-level rule the field clause decides on its own.
    return entityRule == null ? anyFieldRule : new AndExpression(entityRule, anyFieldRule);
}

Example 15 with Check

use of com.yahoo.elide.core.security.checks.Check in project elide by yahoo.

the class ElideStandaloneConfigStoreTest method init.

@BeforeAll
public void init() throws Exception {
    // Dynamic model config for this run lives under a fresh temp directory.
    configRoot = Files.createTempDirectory("test");

    settings = new ElideStandaloneTestSettings() {

        @Override
        public ElideStandaloneAnalyticSettings getAnalyticProperties() {
            return new ElideStandaloneAnalyticSettings() {

                @Override
                public String getDynamicConfigPath() {
                    return configRoot.toFile().getAbsolutePath();
                }

                @Override
                public boolean enableDynamicModelConfig() {
                    return true;
                }

                @Override
                public boolean enableDynamicModelConfigAPI() {
                    return true;
                }

                @Override
                public boolean enableAggregationDataStore() {
                    return true;
                }

                @Override
                public boolean enableMetaDataStore() {
                    return true;
                }
            };
        }

        @Override
        public EntityDictionary getEntityDictionary(ServiceLocator injector, ClassScanner scanner, Optional<DynamicConfiguration> dynamicConfiguration, Set<Type<?>> entitiesToExclude) {
            // Config-store permission checks are only bound when the config API is on
            // (always true for this fixture, see getAnalyticProperties above).
            Map<String, Class<? extends Check>> configChecks = new HashMap<>();
            if (getAnalyticProperties().enableDynamicModelConfigAPI()) {
                configChecks.put(ConfigChecks.CAN_CREATE_CONFIG, ConfigChecks.CanCreate.class);
                configChecks.put(ConfigChecks.CAN_READ_CONFIG, ConfigChecks.CanRead.class);
                configChecks.put(ConfigChecks.CAN_DELETE_CONFIG, ConfigChecks.CanDelete.class);
                // Update is bound to CanNotUpdate - presumably a deny check, so the
                // fixture exercises a rejected update path; confirm against ConfigChecks.
                configChecks.put(ConfigChecks.CAN_UPDATE_CONFIG, ConfigChecks.CanNotUpdate.class);
            }

            // Bridge Elide's Injector onto the HK2 service locator.
            Injector locatorBridge = new Injector() {

                @Override
                public void inject(Object entity) {
                    injector.inject(entity);
                }

                @Override
                public <T> T instantiate(Class<T> cls) {
                    return injector.create(cls);
                }
            };

            EntityDictionary entityDictionary = new EntityDictionary(
                    configChecks,
                    // no statically declared role checks
                    new HashMap<>(),
                    locatorBridge,
                    // serde lookup
                    CoerceUtil::lookup,
                    entitiesToExclude,
                    scanner);

            // Each role declared in the dynamic config becomes a role-membership check.
            dynamicConfiguration
                    .map(DynamicConfiguration::getRoles)
                    .orElseGet(Collections::emptySet)
                    .forEach(roleName -> entityDictionary.addRoleCheck(roleName, new Role.RoleMemberCheck(roleName)));
            return entityDictionary;
        }
    };

    elide = new ElideStandalone(settings);
    // Argument meaning not visible here - presumably "do not block the caller".
    elide.start(false);
}
