use of datawave.webservice.common.exception.UnauthorizedException in project datawave by NationalSecurityAgency.
the class QueryExecutorBean method validateQuery.
/**
* This method will provide some initial query validation for the define and create query calls.
*/
private QueryData validateQuery(String queryLogicName, MultivaluedMap<String, String> queryParameters, HttpHeaders httpHeaders) {
// Parameter 'logicName' is required and passed in prior to this call. Add to the queryParameters now.
if (!queryParameters.containsKey(QueryParameters.QUERY_LOGIC_NAME)) {
queryParameters.putSingle(QueryParameters.QUERY_LOGIC_NAME, queryLogicName);
}
QueryData qd = new QueryData();
log.debug(queryParameters);
qp.clear();
qp.setRequestHeaders(httpHeaders != null ? httpHeaders.getRequestHeaders() : null);
// Pull "params" values into individual query parameters for validation on the query logic.
// This supports the deprecated "params" value (both on the old and new API). Once we remove the deprecated
// parameter, this code block can go away.
String params = queryParameters.getFirst(QueryParameters.QUERY_PARAMS);
if (params != null) {
for (Parameter pm : QueryUtil.parseParameters(params)) {
if (!queryParameters.containsKey(pm.getParameterName())) {
queryParameters.putSingle(pm.getParameterName(), pm.getParameterValue());
}
}
}
queryParameters.remove(AuditParameters.QUERY_SECURITY_MARKING_COLVIZ);
queryParameters.remove(AuditParameters.USER_DN);
queryParameters.remove(AuditParameters.QUERY_AUDIT_TYPE);
// Ensure that all required parameters exist prior to validating the values.
qp.validate(queryParameters);
// Leaving for now until we can test to ensure that is always the case.
if (qp.getPagesize() <= 0) {
log.error("Invalid page size: " + qp.getPagesize());
GenericResponse<String> response = new GenericResponse<>();
throwBadRequest(DatawaveErrorCode.INVALID_PAGE_SIZE, response);
}
if (qp.getPageTimeout() != -1 && (qp.getPageTimeout() < PAGE_TIMEOUT_MIN || qp.getPageTimeout() > PAGE_TIMEOUT_MAX)) {
log.error("Invalid page timeout: " + qp.getPageTimeout());
GenericResponse<String> response = new GenericResponse<>();
throwBadRequest(DatawaveErrorCode.INVALID_PAGE_TIMEOUT, response);
}
if (System.currentTimeMillis() >= qp.getExpirationDate().getTime()) {
log.error("Invalid expiration date: " + qp.getExpirationDate());
GenericResponse<String> response = new GenericResponse<>();
throwBadRequest(DatawaveErrorCode.INVALID_EXPIRATION_DATE, response);
}
// Ensure begin date does not occur after the end date (if dates are not null)
if ((qp.getBeginDate() != null && qp.getEndDate() != null) && qp.getBeginDate().after(qp.getEndDate())) {
log.error("Invalid begin and/or end date: " + qp.getBeginDate() + " - " + qp.getEndDate());
GenericResponse<String> response = new GenericResponse<>();
throwBadRequest(DatawaveErrorCode.BEGIN_DATE_AFTER_END_DATE, response);
}
// will throw IllegalArgumentException if not defined
try {
qd.logic = queryLogicFactory.getQueryLogic(queryLogicName, ctx.getCallerPrincipal());
} catch (Exception e) {
log.error("Failed to get query logic for " + queryLogicName, e);
BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.QUERY_LOGIC_ERROR, e);
GenericResponse<String> response = new GenericResponse<>();
response.addException(qe.getBottomQueryException());
throw new BadRequestException(qe, response);
}
qd.logic.validate(queryParameters);
try {
marking.clear();
marking.validate(queryParameters);
} catch (IllegalArgumentException e) {
log.error("Failed security markings validation", e);
BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.SECURITY_MARKING_CHECK_ERROR, e);
GenericResponse<String> response = new GenericResponse<>();
response.addException(qe);
throw new BadRequestException(qe, response);
}
// Find out who/what called this method
qd.proxyServers = null;
qd.p = ctx.getCallerPrincipal();
qd.userDn = qd.p.getName();
qd.userid = qd.userDn;
qd.dnList = Collections.singletonList(qd.userid);
if (qd.p instanceof DatawavePrincipal) {
DatawavePrincipal dp = (DatawavePrincipal) qd.p;
qd.userid = dp.getShortName();
qd.userDn = dp.getUserDN().subjectDN();
String[] dns = dp.getDNs();
Arrays.sort(dns);
qd.dnList = Arrays.asList(dns);
qd.proxyServers = dp.getProxyServers();
// Verify that the calling principal has access to the query logic.
if (!qd.logic.containsDNWithAccess(qd.dnList)) {
UnauthorizedQueryException qe = new UnauthorizedQueryException("None of the DNs used have access to this query logic: " + qd.dnList, 401);
GenericResponse<String> response = new GenericResponse<>();
response.addException(qe);
throw new UnauthorizedException(qe, response);
}
}
log.trace(qd.userid + " has authorizations " + ((qd.p instanceof DatawavePrincipal) ? ((DatawavePrincipal) qd.p).getAuthorizations() : ""));
// always check against the max
if (qd.logic.getMaxPageSize() > 0 && qp.getPagesize() > qd.logic.getMaxPageSize()) {
log.error("Invalid page size: " + qp.getPagesize() + " vs " + qd.logic.getMaxPageSize());
BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.PAGE_SIZE_TOO_LARGE, MessageFormat.format("Max = {0}.", qd.logic.getMaxPageSize()));
GenericResponse<String> response = new GenericResponse<>();
response.addException(qe);
throw new BadRequestException(qe, response);
}
// privileged users however can set whatever they want
if (qp.isMaxResultsOverridden() && qd.logic.getMaxResults() >= 0) {
if (!ctx.isCallerInRole(PRIVILEGED_USER)) {
if (qp.getMaxResultsOverride() < 0 || (qd.logic.getMaxResults() < qp.getMaxResultsOverride())) {
log.error("Invalid max results override: " + qp.getMaxResultsOverride() + " vs " + qd.logic.getMaxResults());
GenericResponse<String> response = new GenericResponse<>();
throwBadRequest(DatawaveErrorCode.INVALID_MAX_RESULTS_OVERRIDE, response);
}
}
}
// Set private audit-related parameters, stripping off any that the user might have passed in first.
// These are parameters that aren't passed in by the user, but rather are computed from other sources.
PrivateAuditConstants.stripPrivateParameters(queryParameters);
queryParameters.add(PrivateAuditConstants.LOGIC_CLASS, queryLogicName);
queryParameters.putSingle(PrivateAuditConstants.COLUMN_VISIBILITY, marking.toColumnVisibilityString());
queryParameters.add(PrivateAuditConstants.USER_DN, qd.userDn);
return qd;
}
use of datawave.webservice.common.exception.UnauthorizedException in project datawave by NationalSecurityAgency.
the class ModificationBean method submit.
/**
* Execute a Modification service with the given name and runtime parameters
*
* @param modificationServiceName
* Name of the modification service configuration
* @param request
* object type specified in listConfigurations response.
* @return datawave.webservice.result.VoidResponse
* @RequestHeader X-ProxiedEntitiesChain use when proxying request for user
* @RequestHeader X-ProxiedIssuersChain required when using X-ProxiedEntitiesChain, specify one issuer DN per subject DN listed in X-ProxiedEntitiesChain
* @ResponseHeader X-OperationTimeInMS time spent on the server performing the operation, does not account for network or result serialization
* @HTTP 200 success
* @HTTP 400 if jobName is invalid
* @HTTP 401 if user does not have correct roles
* @HTTP 500 error starting the job
*/
@PUT
@Consumes({ "application/xml", "text/xml", "application/json" })
@Produces({ "application/xml", "text/xml", "application/json", "text/yaml", "text/x-yaml", "application/x-yaml", "application/x-protobuf", "application/x-protostuff" })
@Path("/{serviceName}/submit")
@GZIP
@Interceptors({ RequiredInterceptor.class, ResponseInterceptor.class })
public VoidResponse submit(@Required("modificationServiceName") @PathParam("serviceName") String modificationServiceName, @Required("request") ModificationRequestBase request) {
VoidResponse response = new VoidResponse();
// Find out who/what called this method
Principal p = ctx.getCallerPrincipal();
String user;
Set<Authorizations> cbAuths = new HashSet<>();
Collection<String> userRoles = Collections.emptySet();
if (p instanceof DatawavePrincipal) {
DatawavePrincipal dp = (DatawavePrincipal) p;
user = dp.getShortName();
userRoles = dp.getPrimaryUser().getRoles();
for (Collection<String> c : dp.getAuthorizations()) cbAuths.add(new Authorizations(c.toArray(new String[c.size()])));
} else {
QueryException qe = new QueryException(DatawaveErrorCode.UNEXPECTED_PRINCIPAL_ERROR, MessageFormat.format("Class: {0}", p.getClass().getName()));
response.addException(qe);
throw new DatawaveWebApplicationException(qe, response);
}
Connector con = null;
AccumuloConnectionFactory.Priority priority;
try {
// Get the Modification Service from the configuration
ModificationServiceConfiguration service = modificationConfiguration.getConfiguration(modificationServiceName);
if (!request.getClass().equals(service.getRequestClass())) {
BadRequestQueryException qe = new BadRequestQueryException(DatawaveErrorCode.INVALID_REQUEST_CLASS, MessageFormat.format("Requires: {0}", service.getRequestClass().getName()));
response.addException(qe);
throw new BadRequestException(qe, response);
}
priority = service.getPriority();
// Ensure that the user is in the list of authorized roles
if (null != service.getAuthorizedRoles()) {
boolean authorized = !Collections.disjoint(userRoles, service.getAuthorizedRoles());
if (!authorized) {
// Then the user does not have any of the authorized roles
UnauthorizedQueryException qe = new UnauthorizedQueryException(DatawaveErrorCode.JOB_EXECUTION_UNAUTHORIZED, MessageFormat.format("Requires one of: {0}", service.getAuthorizedRoles()));
response.addException(qe);
throw new UnauthorizedException(qe, response);
}
}
if (service.getRequiresAudit()) {
try {
MultivaluedMap<String, String> requestMap = new MultivaluedMapImpl<>();
requestMap.putAll(request.toMap());
auditParameterBuilder.convertAndValidate(requestMap);
} catch (Exception e) {
QueryException qe = new QueryException(DatawaveErrorCode.QUERY_AUDITING_ERROR, e);
log.error(qe);
response.addException(qe.getBottomQueryException());
}
}
// Process the modification
Map<String, String> trackingMap = connectionFactory.getTrackingMap(Thread.currentThread().getStackTrace());
con = connectionFactory.getConnection(modificationConfiguration.getPoolName(), priority, trackingMap);
service.setQueryService(queryService);
log.info("Processing modification request from user=" + user + ": \n" + request);
service.process(con, request, cache.getCachedMutableFieldList(), cbAuths, user);
return response;
} catch (DatawaveWebApplicationException e) {
throw e;
} catch (Exception e) {
QueryException qe = new QueryException(DatawaveErrorCode.MODIFICATION_ERROR, e);
log.error(qe);
response.addException(qe.getBottomQueryException());
throw new DatawaveWebApplicationException(e, response);
} finally {
if (null != con)
try {
connectionFactory.returnConnection(con);
} catch (Exception e) {
log.error("Error returning connection", e);
}
}
}
Aggregations