Search in sources :

Example 6 with UnauthorizedException

use of datawave.webservice.common.exception.UnauthorizedException in project datawave by NationalSecurityAgency.

the class QueryExecutorBean method validateQuery.

/**
 * This method will provide some initial query validation for the define and create query calls.
 */
private QueryData validateQuery(String queryLogicName, MultivaluedMap<String, String> queryParameters, HttpHeaders httpHeaders) {
    // Parameter 'logicName' is required and passed in prior to this call. Add to the queryParameters now.
    if (!queryParameters.containsKey(QueryParameters.QUERY_LOGIC_NAME)) {
        queryParameters.putSingle(QueryParameters.QUERY_LOGIC_NAME, queryLogicName);
    }
    QueryData qd = new QueryData();
    log.debug(queryParameters);
    qp.clear();
    qp.setRequestHeaders(httpHeaders != null ? httpHeaders.getRequestHeaders() : null);
    // Pull "params" values into individual query parameters for validation on the query logic.
    // This supports the deprecated "params" value (both on the old and new API). Once we remove the deprecated
    // parameter, this code block can go away.
    String params = queryParameters.getFirst(QueryParameters.QUERY_PARAMS);
    if (params != null) {
        for (Parameter pm : QueryUtil.parseParameters(params)) {
            if (!queryParameters.containsKey(pm.getParameterName())) {
                queryParameters.putSingle(pm.getParameterName(), pm.getParameterValue());
            }
        }
    }
    queryParameters.remove(AuditParameters.QUERY_SECURITY_MARKING_COLVIZ);
    queryParameters.remove(AuditParameters.USER_DN);
    queryParameters.remove(AuditParameters.QUERY_AUDIT_TYPE);
    // Ensure that all required parameters exist prior to validating the values.
    qp.validate(queryParameters);
    // Leaving for now until we can test to ensure that is always the case.
    if (qp.getPagesize() <= 0) {
        log.error("Invalid page size: " + qp.getPagesize());
        GenericResponse<String> response = new GenericResponse<>();
        throwBadRequest(DatawaveErrorCode.INVALID_PAGE_SIZE, response);
    }
    if (qp.getPageTimeout() != -1 && (qp.getPageTimeout() < PAGE_TIMEOUT_MIN || qp.getPageTimeout() > PAGE_TIMEOUT_MAX)) {
        log.error("Invalid page timeout: " + qp.getPageTimeout());
        GenericResponse<String> response = new GenericResponse<>();
        throwBadRequest(DatawaveErrorCode.INVALID_PAGE_TIMEOUT, response);
    }
    if (System.currentTimeMillis() >= qp.getExpirationDate().getTime()) {
        log.error("Invalid expiration date: " + qp.getExpirationDate());
        GenericResponse<String> response = new GenericResponse<>();
        throwBadRequest(DatawaveErrorCode.INVALID_EXPIRATION_DATE, response);
    }
    // Ensure begin date does not occur after the end date (if dates are not null)
    if ((qp.getBeginDate() != null && qp.getEndDate() != null) && qp.getBeginDate().after(qp.getEndDate())) {
        log.error("Invalid begin and/or end date: " + qp.getBeginDate() + " - " + qp.getEndDate());
        GenericResponse<String> response = new GenericResponse<>();
        throwBadRequest(DatawaveErrorCode.BEGIN_DATE_AFTER_END_DATE, response);
    }
    // will throw IllegalArgumentException if not defined
    try {
        qd.logic = queryLogicFactory.getQueryLogic(queryLogicName, ctx.getCallerPrincipal());
    } catch (Exception e) {
        log.error("Failed to get query logic for " + queryLogicName, e);
        BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.QUERY_LOGIC_ERROR, e);
        GenericResponse<String> response = new GenericResponse<>();
        response.addException(qe.getBottomQueryException());
        throw new BadRequestException(qe, response);
    }
    qd.logic.validate(queryParameters);
    try {
        marking.clear();
        marking.validate(queryParameters);
    } catch (IllegalArgumentException e) {
        log.error("Failed security markings validation", e);
        BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.SECURITY_MARKING_CHECK_ERROR, e);
        GenericResponse<String> response = new GenericResponse<>();
        response.addException(qe);
        throw new BadRequestException(qe, response);
    }
    // Find out who/what called this method
    qd.proxyServers = null;
    qd.p = ctx.getCallerPrincipal();
    qd.userDn = qd.p.getName();
    qd.userid = qd.userDn;
    qd.dnList = Collections.singletonList(qd.userid);
    if (qd.p instanceof DatawavePrincipal) {
        DatawavePrincipal dp = (DatawavePrincipal) qd.p;
        qd.userid = dp.getShortName();
        qd.userDn = dp.getUserDN().subjectDN();
        String[] dns = dp.getDNs();
        Arrays.sort(dns);
        qd.dnList = Arrays.asList(dns);
        qd.proxyServers = dp.getProxyServers();
        // Verify that the calling principal has access to the query logic.
        if (!qd.logic.containsDNWithAccess(qd.dnList)) {
            UnauthorizedQueryException qe = new UnauthorizedQueryException("None of the DNs used have access to this query logic: " + qd.dnList, 401);
            GenericResponse<String> response = new GenericResponse<>();
            response.addException(qe);
            throw new UnauthorizedException(qe, response);
        }
    }
    log.trace(qd.userid + " has authorizations " + ((qd.p instanceof DatawavePrincipal) ? ((DatawavePrincipal) qd.p).getAuthorizations() : ""));
    // always check against the max
    if (qd.logic.getMaxPageSize() > 0 && qp.getPagesize() > qd.logic.getMaxPageSize()) {
        log.error("Invalid page size: " + qp.getPagesize() + " vs " + qd.logic.getMaxPageSize());
        BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.PAGE_SIZE_TOO_LARGE, MessageFormat.format("Max = {0}.", qd.logic.getMaxPageSize()));
        GenericResponse<String> response = new GenericResponse<>();
        response.addException(qe);
        throw new BadRequestException(qe, response);
    }
    // privileged users however can set whatever they want
    if (qp.isMaxResultsOverridden() && qd.logic.getMaxResults() >= 0) {
        if (!ctx.isCallerInRole(PRIVILEGED_USER)) {
            if (qp.getMaxResultsOverride() < 0 || (qd.logic.getMaxResults() < qp.getMaxResultsOverride())) {
                log.error("Invalid max results override: " + qp.getMaxResultsOverride() + " vs " + qd.logic.getMaxResults());
                GenericResponse<String> response = new GenericResponse<>();
                throwBadRequest(DatawaveErrorCode.INVALID_MAX_RESULTS_OVERRIDE, response);
            }
        }
    }
    // Set private audit-related parameters, stripping off any that the user might have passed in first.
    // These are parameters that aren't passed in by the user, but rather are computed from other sources.
    PrivateAuditConstants.stripPrivateParameters(queryParameters);
    queryParameters.add(PrivateAuditConstants.LOGIC_CLASS, queryLogicName);
    queryParameters.putSingle(PrivateAuditConstants.COLUMN_VISIBILITY, marking.toColumnVisibilityString());
    queryParameters.add(PrivateAuditConstants.USER_DN, qd.userDn);
    return qd;
}
Also used : GenericResponse(datawave.webservice.result.GenericResponse) BadRequestQueryException(datawave.webservice.query.exception.BadRequestQueryException) DatawaveWebApplicationException(datawave.webservice.common.exception.DatawaveWebApplicationException) CancellationException(java.util.concurrent.CancellationException) PreConditionFailedQueryException(datawave.webservice.query.exception.PreConditionFailedQueryException) WebApplicationException(javax.ws.rs.WebApplicationException) HeuristicMixedException(javax.transaction.HeuristicMixedException) NotFoundQueryException(datawave.webservice.query.exception.NotFoundQueryException) NoResultsQueryException(datawave.webservice.query.exception.NoResultsQueryException) IOException(java.io.IOException) QueryException(datawave.webservice.query.exception.QueryException) BadRequestException(datawave.webservice.common.exception.BadRequestException) HeuristicRollbackException(javax.transaction.HeuristicRollbackException) UnauthorizedQueryException(datawave.webservice.query.exception.UnauthorizedQueryException) JAXBException(javax.xml.bind.JAXBException) UnauthorizedException(datawave.webservice.common.exception.UnauthorizedException) NoResultsException(datawave.webservice.common.exception.NoResultsException) RejectedExecutionException(java.util.concurrent.RejectedExecutionException) RollbackException(javax.transaction.RollbackException) BadRequestQueryException(datawave.webservice.query.exception.BadRequestQueryException) DatawavePrincipal(datawave.security.authorization.DatawavePrincipal) UnauthorizedQueryException(datawave.webservice.query.exception.UnauthorizedQueryException) UnauthorizedException(datawave.webservice.common.exception.UnauthorizedException) Parameter(datawave.webservice.query.QueryImpl.Parameter) BadRequestException(datawave.webservice.common.exception.BadRequestException)

Example 7 with UnauthorizedException

use of datawave.webservice.common.exception.UnauthorizedException in project datawave by NationalSecurityAgency.

the class ModificationBean method submit.

/**
 * Execute a Modification service with the given name and runtime parameters
 *
 * @param modificationServiceName
 *            Name of the modification service configuration
 * @param request
 *            object type specified in listConfigurations response.
 * @return datawave.webservice.result.VoidResponse
 * @RequestHeader X-ProxiedEntitiesChain use when proxying request for user
 * @RequestHeader X-ProxiedIssuersChain required when using X-ProxiedEntitiesChain, specify one issuer DN per subject DN listed in X-ProxiedEntitiesChain
 * @ResponseHeader X-OperationTimeInMS time spent on the server performing the operation, does not account for network or result serialization
 * @HTTP 200 success
 * @HTTP 400 if jobName is invalid
 * @HTTP 401 if user does not have correct roles
 * @HTTP 500 error starting the job
 */
@PUT
@Consumes({ "application/xml", "text/xml", "application/json" })
@Produces({ "application/xml", "text/xml", "application/json", "text/yaml", "text/x-yaml", "application/x-yaml", "application/x-protobuf", "application/x-protostuff" })
@Path("/{serviceName}/submit")
@GZIP
@Interceptors({ RequiredInterceptor.class, ResponseInterceptor.class })
public VoidResponse submit(@Required("modificationServiceName") @PathParam("serviceName") String modificationServiceName, @Required("request") ModificationRequestBase request) {
    VoidResponse response = new VoidResponse();
    // Find out who/what called this method
    Principal p = ctx.getCallerPrincipal();
    String user;
    Set<Authorizations> cbAuths = new HashSet<>();
    Collection<String> userRoles = Collections.emptySet();
    if (p instanceof DatawavePrincipal) {
        DatawavePrincipal dp = (DatawavePrincipal) p;
        user = dp.getShortName();
        userRoles = dp.getPrimaryUser().getRoles();
        for (Collection<String> c : dp.getAuthorizations()) cbAuths.add(new Authorizations(c.toArray(new String[c.size()])));
    } else {
        QueryException qe = new QueryException(DatawaveErrorCode.UNEXPECTED_PRINCIPAL_ERROR, MessageFormat.format("Class: {0}", p.getClass().getName()));
        response.addException(qe);
        throw new DatawaveWebApplicationException(qe, response);
    }
    Connector con = null;
    AccumuloConnectionFactory.Priority priority;
    try {
        // Get the Modification Service from the configuration
        ModificationServiceConfiguration service = modificationConfiguration.getConfiguration(modificationServiceName);
        if (!request.getClass().equals(service.getRequestClass())) {
            BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.INVALID_REQUEST_CLASS, MessageFormat.format("Requires: {0}", service.getRequestClass().getName()));
            response.addException(qe);
            throw new BadRequestException(qe, response);
        }
        priority = service.getPriority();
        // Ensure that the user is in the list of authorized roles
        if (null != service.getAuthorizedRoles()) {
            boolean authorized = !Collections.disjoint(userRoles, service.getAuthorizedRoles());
            if (!authorized) {
                // Then the user does not have any of the authorized roles
                UnauthorizedQueryException qe = new UnauthorizedQueryException(DatawaveErrorCode.JOB_EXECUTION_UNAUTHORIZED, MessageFormat.format("Requires one of: {0}", service.getAuthorizedRoles()));
                response.addException(qe);
                throw new UnauthorizedException(qe, response);
            }
        }
        if (service.getRequiresAudit()) {
            try {
                MultivaluedMap<String, String> requestMap = new MultivaluedMapImpl<>();
                requestMap.putAll(request.toMap());
                auditParameterBuilder.convertAndValidate(requestMap);
            } catch (Exception e) {
                QueryException qe = new QueryException(DatawaveErrorCode.QUERY_AUDITING_ERROR, e);
                log.error(qe);
                response.addException(qe.getBottomQueryException());
            }
        }
        // Process the modification
        Map<String, String> trackingMap = connectionFactory.getTrackingMap(Thread.currentThread().getStackTrace());
        con = connectionFactory.getConnection(modificationConfiguration.getPoolName(), priority, trackingMap);
        service.setQueryService(queryService);
        log.info("Processing modification request from user=" + user + ": \n" + request);
        service.process(con, request, cache.getCachedMutableFieldList(), cbAuths, user);
        return response;
    } catch (DatawaveWebApplicationException e) {
        throw e;
    } catch (Exception e) {
        QueryException qe = new QueryException(DatawaveErrorCode.MODIFICATION_ERROR, e);
        log.error(qe);
        response.addException(qe.getBottomQueryException());
        throw new DatawaveWebApplicationException(e, response);
    } finally {
        if (null != con)
            try {
                connectionFactory.returnConnection(con);
            } catch (Exception e) {
                log.error("Error returning connection", e);
            }
    }
}
Also used : Connector(org.apache.accumulo.core.client.Connector) Authorizations(org.apache.accumulo.core.security.Authorizations) BadRequestQueryException(datawave.webservice.query.exception.BadRequestQueryException) MultivaluedMapImpl(org.jboss.resteasy.specimpl.MultivaluedMapImpl) DatawavePrincipal(datawave.security.authorization.DatawavePrincipal) BadRequestException(datawave.webservice.common.exception.BadRequestException) DatawaveWebApplicationException(datawave.webservice.common.exception.DatawaveWebApplicationException) UnauthorizedQueryException(datawave.webservice.query.exception.UnauthorizedQueryException) UnauthorizedException(datawave.webservice.common.exception.UnauthorizedException) BadRequestQueryException(datawave.webservice.query.exception.BadRequestQueryException) QueryException(datawave.webservice.query.exception.QueryException) AccumuloConnectionFactory(datawave.webservice.common.connection.AccumuloConnectionFactory) UnauthorizedQueryException(datawave.webservice.query.exception.UnauthorizedQueryException) UnauthorizedQueryException(datawave.webservice.query.exception.UnauthorizedQueryException) BadRequestQueryException(datawave.webservice.query.exception.BadRequestQueryException) QueryException(datawave.webservice.query.exception.QueryException) VoidResponse(datawave.webservice.result.VoidResponse) UnauthorizedException(datawave.webservice.common.exception.UnauthorizedException) DatawaveWebApplicationException(datawave.webservice.common.exception.DatawaveWebApplicationException) BadRequestException(datawave.webservice.common.exception.BadRequestException) Principal(java.security.Principal) DatawavePrincipal(datawave.security.authorization.DatawavePrincipal) HashSet(java.util.HashSet) ModificationServiceConfiguration(datawave.webservice.modification.configuration.ModificationServiceConfiguration) Path(javax.ws.rs.Path) Interceptors(javax.interceptor.Interceptors) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) GZIP(org.jboss.resteasy.annotations.GZIP) PUT(javax.ws.rs.PUT)

Aggregations

UnauthorizedException (datawave.webservice.common.exception.UnauthorizedException)7 DatawavePrincipal (datawave.security.authorization.DatawavePrincipal)6 UnauthorizedQueryException (datawave.webservice.query.exception.UnauthorizedQueryException)6 DatawaveWebApplicationException (datawave.webservice.common.exception.DatawaveWebApplicationException)5 BadRequestQueryException (datawave.webservice.query.exception.BadRequestQueryException)5 NotFoundQueryException (datawave.webservice.query.exception.NotFoundQueryException)5 QueryException (datawave.webservice.query.exception.QueryException)5 IOException (java.io.IOException)5 Principal (java.security.Principal)5 Produces (javax.ws.rs.Produces)5 GZIP (org.jboss.resteasy.annotations.GZIP)5 BadRequestException (datawave.webservice.common.exception.BadRequestException)4 NotFoundException (datawave.webservice.common.exception.NotFoundException)4 GenericResponse (datawave.webservice.result.GenericResponse)4 PreConditionFailedQueryException (datawave.webservice.query.exception.PreConditionFailedQueryException)3 VoidResponse (datawave.webservice.result.VoidResponse)3 Interceptors (javax.interceptor.Interceptors)3 WebApplicationException (javax.ws.rs.WebApplicationException)3 Timed (com.codahale.metrics.annotation.Timed)2 ServerPrincipal (datawave.security.system.ServerPrincipal)2