use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.
the class OAuthPlugin method process.
/**
* Verifies that a source configured to use OAuth has a valid access token to process and that the
* user has authorized the use of their data against this source.
*
* @param source source being queried
* @param input query request
* @throws OAuthPluginException if the user's access token is not available or if the source is
* not authorized
* @throws StopProcessingException for errors not related to OAuth
*/
@Override
public QueryRequest process(Source source, QueryRequest input) throws StopProcessingException {
OAuthFederatedSource oauthSource = getSource(source);
if (oauthSource == null) {
return input;
}
Object securityAssertion = input.getProperties().get(SECURITY_SUBJECT);
if (!(securityAssertion instanceof Subject)) {
LOGGER.warn("The user's subject is not available.");
throw new StopProcessingException("The user's subject is not available.");
}
Subject subject = (Subject) securityAssertion;
Session session = subject.getSession(false);
if (session == null) {
LOGGER.warn("The user's session is not available.");
throw new StopProcessingException("The user's session is not available.");
}
String sessionId = (String) session.getId();
if (sessionId == null) {
LOGGER.warn("The user's session ID is not available.");
throw new StopProcessingException("The user's session ID is not available.");
}
OIDCProviderMetadata metadata;
try {
metadata = OIDCProviderMetadata.parse(resourceRetriever.retrieveResource(new URL(oauthSource.getOauthDiscoveryUrl())).getContent());
} catch (OAuthServiceException | IOException | ParseException e) {
LOGGER.error("Unable to retrieve OAuth provider's metadata for the {} source.", oauthSource.getId());
throw new StopProcessingException("Unable to retrieve OAuth provider's metadata.");
}
TokenEntry tokenEntry = tokenStorage.read(sessionId, oauthSource.getId());
if (tokenEntry == null) {
// See if the user already logged in to the OAuth provider for a different source
findExistingTokens(oauthSource, sessionId, metadata);
throw createNoAuthException(oauthSource, sessionId, metadata, "the user's tokens were not found.");
}
// an outdated token)
if (!oauthSource.getOauthDiscoveryUrl().equals(tokenEntry.getDiscoveryUrl())) {
// the discoveryUrl is different from the one stored - the user must login
tokenStorage.delete(sessionId, oauthSource.getId());
findExistingTokens(oauthSource, sessionId, metadata);
throw createNoAuthException(oauthSource, sessionId, metadata, "the oauth provider information has been changed and is different from the one stored.");
}
verifyAccessToken(oauthSource, sessionId, tokenEntry, metadata);
return input;
}
use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.
the class FilterPlugin method processPreCreate.
@Override
public CreateRequest processPreCreate(CreateRequest input) throws StopProcessingException {
KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.CREATE_ACTION);
List<Metacard> metacards = input.getMetacards();
Subject subject = getSubject(input);
Subject systemSubject = getSystemSubject();
List<String> userNotPermittedTitles = new ArrayList<>();
List<String> systemNotPermittedTitles = new ArrayList<>();
for (Metacard metacard : metacards) {
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.CREATE_ACTION)) {
userNotPermittedTitles.add(metacard.getTitle());
}
if (!checkPermissions(attr, securityPermission, systemSubject, CollectionPermission.CREATE_ACTION)) {
systemNotPermittedTitles.add(metacard.getTitle());
}
}
if (!userNotPermittedTitles.isEmpty()) {
String userName = "unknown";
if (subjectOperations != null) {
userName = subjectOperations.getName(subject);
}
throw new StopProcessingException("Metacard creation not permitted for " + userName + ": [ " + listToString(userNotPermittedTitles) + " ]");
}
if (!systemNotPermittedTitles.isEmpty()) {
throw new StopProcessingException("Metacard creation not permitted for this system: [ " + listToString(systemNotPermittedTitles) + " ]");
}
return input;
}
use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.
the class FilterPlugin method processPreUpdate.
@Override
public UpdateRequest processPreUpdate(UpdateRequest input, Map<String, Metacard> metacards) throws StopProcessingException {
KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.UPDATE_ACTION);
List<Map.Entry<Serializable, Metacard>> updates = input.getUpdates();
Subject subject = getSubject(input);
Subject systemSubject = getSystemSubject();
List<String> unknownIds = new ArrayList<>();
List<String> userNotPermittedIds = new ArrayList<>();
List<String> systemNotPermittedIds = new ArrayList<>();
for (Map.Entry<Serializable, Metacard> entry : updates) {
Metacard newMetacard = entry.getValue();
Attribute attr = newMetacard.getAttribute(Metacard.SECURITY);
String id = null;
if (entry.getKey() != null && !entry.getKey().equals("null")) {
id = (String) entry.getKey();
} else if (newMetacard.getId() != null && !newMetacard.getId().equals("null")) {
id = newMetacard.getId();
}
Metacard oldMetacard = metacards.get(id);
if (oldMetacard == null) {
unknownIds.add(id);
} else {
Attribute oldAttr = oldMetacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.UPDATE_ACTION) || !checkPermissions(oldAttr, securityPermission, subject, CollectionPermission.UPDATE_ACTION)) {
userNotPermittedIds.add(newMetacard.getId());
}
if (!checkPermissions(attr, securityPermission, systemSubject, CollectionPermission.UPDATE_ACTION)) {
systemNotPermittedIds.add(newMetacard.getId());
}
}
}
if (!unknownIds.isEmpty() || !userNotPermittedIds.isEmpty()) {
throw new StopProcessingException("Update operation not permitted with bad data. Unknown metacards: [ " + listToString(unknownIds) + " ]. Not Permitted metacards: [ " + listToString(userNotPermittedIds) + " ]");
}
if (!systemNotPermittedIds.isEmpty()) {
throw new StopProcessingException("Update operation not permitted for this system metacards: [ " + listToString(systemNotPermittedIds) + " ]");
}
return input;
}
use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.
the class FilterPlugin method processPostQuery.
@Override
public QueryResponse processPostQuery(QueryResponse input) throws StopProcessingException {
if (input.getRequest() == null || input.getRequest().getProperties() == null) {
throw new StopProcessingException(UNABLE_TO_FILTER_MSG);
}
Subject subject = getSubject(input);
List<Result> results = input.getResults();
List<Result> newResults = new ArrayList<>(results.size());
Metacard metacard;
KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.READ_ACTION);
int filteredMetacards = 0;
for (Result result : results) {
metacard = result.getMetacard();
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
for (FilterStrategy filterStrategy : filterStrategies.values()) {
FilterResult filterResult = filterStrategy.process(input, metacard);
if (filterResult.processed()) {
if (filterResult.metacard() != null) {
newResults.add(new ResultImpl(filterResult.metacard()));
}
break;
// returned responses are ignored for queries
}
}
filteredMetacards++;
} else {
newResults.add(result);
}
}
if (filteredMetacards > 0) {
securityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
}
input.getResults().clear();
input.getResults().addAll(newResults);
newResults.clear();
return input;
}
use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.
the class FilterPlugin method processPostDelete.
@Override
public DeleteResponse processPostDelete(DeleteResponse input) throws StopProcessingException {
if (input.getRequest() == null || input.getRequest().getProperties() == null) {
throw new StopProcessingException(UNABLE_TO_FILTER_MSG);
}
Subject subject = getSubject(input);
List<Metacard> results = input.getDeletedMetacards();
List<Metacard> newResults = new ArrayList<>(results.size());
KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.READ_ACTION);
int filteredMetacards = 0;
for (Metacard metacard : results) {
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
for (FilterStrategy filterStrategy : filterStrategies.values()) {
FilterResult filterResult = filterStrategy.process(input, metacard);
if (filterResult.processed()) {
if (filterResult.metacard() != null) {
newResults.add(filterResult.metacard());
}
break;
// returned responses are ignored for deletes
}
}
filteredMetacards++;
} else {
newResults.add(metacard);
}
}
if (filteredMetacards > 0) {
securityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
}
input.getDeletedMetacards().clear();
input.getDeletedMetacards().addAll(newResults);
newResults.clear();
return input;
}
Aggregations