Example 11 with StopProcessingException

Use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.

In class OAuthPlugin, method process.

/**
 * Verifies that a source configured to use OAuth has a valid access token to process and that the
 * user has authorized the use of their data against this source.
 *
 * @param source source being queried
 * @param input query request
 * @throws OAuthPluginException if the user's access token is not available or if the source is
 *     not authorized
 * @throws StopProcessingException for errors not related to OAuth
 */
@Override
public QueryRequest process(Source source, QueryRequest input) throws StopProcessingException {
    OAuthFederatedSource oauthSource = getSource(source);
    if (oauthSource == null) {
        return input;
    }
    Object securityAssertion = input.getProperties().get(SECURITY_SUBJECT);
    if (!(securityAssertion instanceof Subject)) {
        LOGGER.warn("The user's subject is not available.");
        throw new StopProcessingException("The user's subject is not available.");
    }
    Subject subject = (Subject) securityAssertion;
    Session session = subject.getSession(false);
    if (session == null) {
        LOGGER.warn("The user's session is not available.");
        throw new StopProcessingException("The user's session is not available.");
    }
    String sessionId = (String) session.getId();
    if (sessionId == null) {
        LOGGER.warn("The user's session ID is not available.");
        throw new StopProcessingException("The user's session ID is not available.");
    }
    OIDCProviderMetadata metadata;
    try {
        metadata = OIDCProviderMetadata.parse(resourceRetriever.retrieveResource(new URL(oauthSource.getOauthDiscoveryUrl())).getContent());
    } catch (OAuthServiceException | IOException | ParseException e) {
        LOGGER.error("Unable to retrieve OAuth provider's metadata for the {} source.", oauthSource.getId());
        throw new StopProcessingException("Unable to retrieve OAuth provider's metadata.");
    }
    TokenEntry tokenEntry = tokenStorage.read(sessionId, oauthSource.getId());
    if (tokenEntry == null) {
        // See if the user already logged in to the OAuth provider for a different source
        findExistingTokens(oauthSource, sessionId, metadata);
        throw createNoAuthException(oauthSource, sessionId, metadata, "the user's tokens were not found.");
    }
    // The stored token was obtained under a different discovery URL (i.e. it is an outdated token)
    if (!oauthSource.getOauthDiscoveryUrl().equals(tokenEntry.getDiscoveryUrl())) {
        // the discoveryUrl is different from the one stored - the user must login
        tokenStorage.delete(sessionId, oauthSource.getId());
        findExistingTokens(oauthSource, sessionId, metadata);
        throw createNoAuthException(oauthSource, sessionId, metadata, "the oauth provider information has been changed and is different from the one stored.");
    }
    verifyAccessToken(oauthSource, sessionId, tokenEntry, metadata);
    return input;
}
Also used : OAuthFederatedSource(ddf.catalog.source.OAuthFederatedSource) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) StopProcessingException(ddf.catalog.plugin.StopProcessingException) IOException(java.io.IOException) Subject(ddf.security.Subject) URL(java.net.URL) DISCOVERY_URL(org.codice.ddf.security.token.storage.api.TokenStorage.DISCOVERY_URL) TokenEntry(org.codice.ddf.security.token.storage.api.TokenInformation.TokenEntry) OIDCProviderMetadata(com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata) ParseException(com.nimbusds.oauth2.sdk.ParseException) Session(org.apache.shiro.session.Session)

Example 12 with StopProcessingException

Use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.

In class FilterPlugin, method processPreCreate.

@Override
public CreateRequest processPreCreate(CreateRequest input) throws StopProcessingException {
    KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.CREATE_ACTION);
    List<Metacard> metacards = input.getMetacards();
    Subject subject = getSubject(input);
    Subject systemSubject = getSystemSubject();
    List<String> userNotPermittedTitles = new ArrayList<>();
    List<String> systemNotPermittedTitles = new ArrayList<>();
    // Every metacard must be creatable by both the requesting user and the system subject
    for (Metacard metacard : metacards) {
        Attribute attr = metacard.getAttribute(Metacard.SECURITY);
        if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.CREATE_ACTION)) {
            userNotPermittedTitles.add(metacard.getTitle());
        }
        if (!checkPermissions(attr, securityPermission, systemSubject, CollectionPermission.CREATE_ACTION)) {
            systemNotPermittedTitles.add(metacard.getTitle());
        }
    }
    if (!userNotPermittedTitles.isEmpty()) {
        String userName = "unknown";
        if (subjectOperations != null) {
            userName = subjectOperations.getName(subject);
        }
        throw new StopProcessingException("Metacard creation not permitted for " + userName + ": [ " + listToString(userNotPermittedTitles) + " ]");
    }
    if (!systemNotPermittedTitles.isEmpty()) {
        throw new StopProcessingException("Metacard creation not permitted for this system: [ " + listToString(systemNotPermittedTitles) + " ]");
    }
    return input;
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) Metacard(ddf.catalog.data.Metacard) Attribute(ddf.catalog.data.Attribute) ArrayList(java.util.ArrayList) StopProcessingException(ddf.catalog.plugin.StopProcessingException) Subject(org.apache.shiro.subject.Subject)

Example 13 with StopProcessingException

Use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.

In class FilterPlugin, method processPreUpdate.

@Override
public UpdateRequest processPreUpdate(UpdateRequest input, Map<String, Metacard> metacards) throws StopProcessingException {
    KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.UPDATE_ACTION);
    List<Map.Entry<Serializable, Metacard>> updates = input.getUpdates();
    Subject subject = getSubject(input);
    Subject systemSubject = getSystemSubject();
    List<String> unknownIds = new ArrayList<>();
    List<String> userNotPermittedIds = new ArrayList<>();
    List<String> systemNotPermittedIds = new ArrayList<>();
    for (Map.Entry<Serializable, Metacard> entry : updates) {
        Metacard newMetacard = entry.getValue();
        Attribute attr = newMetacard.getAttribute(Metacard.SECURITY);
        // Prefer the update entry's key as the ID; fall back to the new metacard's own ID
        String id = null;
        if (entry.getKey() != null && !entry.getKey().equals("null")) {
            id = (String) entry.getKey();
        } else if (newMetacard.getId() != null && !newMetacard.getId().equals("null")) {
            id = newMetacard.getId();
        }
        Metacard oldMetacard = metacards.get(id);
        if (oldMetacard == null) {
            unknownIds.add(id);
        } else {
            Attribute oldAttr = oldMetacard.getAttribute(Metacard.SECURITY);
            // The user needs update permission on both the new and the existing security attributes
            if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.UPDATE_ACTION) || !checkPermissions(oldAttr, securityPermission, subject, CollectionPermission.UPDATE_ACTION)) {
                userNotPermittedIds.add(newMetacard.getId());
            }
            if (!checkPermissions(attr, securityPermission, systemSubject, CollectionPermission.UPDATE_ACTION)) {
                systemNotPermittedIds.add(newMetacard.getId());
            }
        }
    }
    if (!unknownIds.isEmpty() || !userNotPermittedIds.isEmpty()) {
        throw new StopProcessingException("Update operation not permitted with bad data. Unknown metacards: [ " + listToString(unknownIds) + " ]. Not Permitted metacards: [ " + listToString(userNotPermittedIds) + " ]");
    }
    if (!systemNotPermittedIds.isEmpty()) {
        throw new StopProcessingException("Update operation not permitted for this system metacards: [ " + listToString(systemNotPermittedIds) + " ]");
    }
    return input;
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) Serializable(java.io.Serializable) Attribute(ddf.catalog.data.Attribute) ArrayList(java.util.ArrayList) StopProcessingException(ddf.catalog.plugin.StopProcessingException) Subject(org.apache.shiro.subject.Subject) Metacard(ddf.catalog.data.Metacard) Map(java.util.Map) TreeMap(java.util.TreeMap)

Example 14 with StopProcessingException

Use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.

In class FilterPlugin, method processPostQuery.

@Override
public QueryResponse processPostQuery(QueryResponse input) throws StopProcessingException {
    if (input.getRequest() == null || input.getRequest().getProperties() == null) {
        throw new StopProcessingException(UNABLE_TO_FILTER_MSG);
    }
    Subject subject = getSubject(input);
    List<Result> results = input.getResults();
    List<Result> newResults = new ArrayList<>(results.size());
    Metacard metacard;
    KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.READ_ACTION);
    int filteredMetacards = 0;
    for (Result result : results) {
        metacard = result.getMetacard();
        Attribute attr = metacard.getAttribute(Metacard.SECURITY);
        if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
            // Not readable by this subject: the first strategy that handles the metacard decides
            // what, if anything, is returned; if no strategy handles it, it is dropped.
            for (FilterStrategy filterStrategy : filterStrategies.values()) {
                FilterResult filterResult = filterStrategy.process(input, metacard);
                if (filterResult.processed()) {
                    if (filterResult.metacard() != null) {
                        newResults.add(new ResultImpl(filterResult.metacard()));
                    }
                    // returned responses are ignored for queries
                    break;
                }
            }
            filteredMetacards++;
        } else {
            newResults.add(result);
        }
    }
    if (filteredMetacards > 0) {
        securityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
    }
    input.getResults().clear();
    input.getResults().addAll(newResults);
    newResults.clear();
    return input;
}
Also used : Metacard(ddf.catalog.data.Metacard) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) Attribute(ddf.catalog.data.Attribute) ArrayList(java.util.ArrayList) FilterStrategy(ddf.catalog.security.FilterStrategy) ResultImpl(ddf.catalog.data.impl.ResultImpl) StopProcessingException(ddf.catalog.plugin.StopProcessingException) FilterResult(ddf.catalog.security.FilterResult) Subject(org.apache.shiro.subject.Subject) Result(ddf.catalog.data.Result)

Example 15 with StopProcessingException

Use of ddf.catalog.plugin.StopProcessingException in project ddf by codice.

In class FilterPlugin, method processPostDelete.

@Override
public DeleteResponse processPostDelete(DeleteResponse input) throws StopProcessingException {
    if (input.getRequest() == null || input.getRequest().getProperties() == null) {
        throw new StopProcessingException(UNABLE_TO_FILTER_MSG);
    }
    Subject subject = getSubject(input);
    List<Metacard> results = input.getDeletedMetacards();
    List<Metacard> newResults = new ArrayList<>(results.size());
    KeyValueCollectionPermission securityPermission = permissions.buildKeyValueCollectionPermission(CollectionPermission.READ_ACTION);
    int filteredMetacards = 0;
    for (Metacard metacard : results) {
        Attribute attr = metacard.getAttribute(Metacard.SECURITY);
        if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
            // Not readable by this subject: the first strategy that handles the metacard decides
            // what, if anything, is returned; if no strategy handles it, it is dropped.
            for (FilterStrategy filterStrategy : filterStrategies.values()) {
                FilterResult filterResult = filterStrategy.process(input, metacard);
                if (filterResult.processed()) {
                    if (filterResult.metacard() != null) {
                        newResults.add(filterResult.metacard());
                    }
                    // returned responses are ignored for deletes
                    break;
                }
            }
            filteredMetacards++;
        } else {
            newResults.add(metacard);
        }
    }
    if (filteredMetacards > 0) {
        securityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
    }
    input.getDeletedMetacards().clear();
    input.getDeletedMetacards().addAll(newResults);
    newResults.clear();
    return input;
}
Also used : Metacard(ddf.catalog.data.Metacard) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) Attribute(ddf.catalog.data.Attribute) ArrayList(java.util.ArrayList) FilterStrategy(ddf.catalog.security.FilterStrategy) StopProcessingException(ddf.catalog.plugin.StopProcessingException) FilterResult(ddf.catalog.security.FilterResult) Subject(org.apache.shiro.subject.Subject)
