Example 21 with AccessController
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class AuthorizationTest method createAuthNamespace.
private void createAuthNamespace() throws Exception {
AccessController accessController = getAccessController();
grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(StandardPermission.GET, StandardPermission.CREATE));
getNamespaceAdmin().create(AUTH_NAMESPACE_META);
Assert.assertEquals(ImmutableSet.of(new GrantedPermission(AUTH_NAMESPACE, StandardPermission.GET), new GrantedPermission(AUTH_NAMESPACE, StandardPermission.CREATE)), accessController.listGrants(ALICE));
}
Also used :
InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController)
AccessController(io.cdap.cdap.security.spi.authorization.AccessController)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
Example 22 with AccessController
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class AuthorizationTest method grantAndAssertSuccess.
private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
AccessController accessController = getAccessController();
Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
accessController.grant(authorizable, principal, permissions);
ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
for (Permission permission : permissions) {
expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
}
Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used :
InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController)
AccessController(io.cdap.cdap.security.spi.authorization.AccessController)
ImmutableSet(com.google.common.collect.ImmutableSet)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission)
AccessPermission(io.cdap.cdap.proto.security.AccessPermission)
Permission(io.cdap.cdap.proto.security.Permission)
StandardPermission(io.cdap.cdap.proto.security.StandardPermission)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
Example 23 with AccessController
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class AuthorizationTest method revokeAndAssertSuccess.
private void revokeAndAssertSuccess(final EntityId entityId) throws Exception {
AccessController accessController = getAccessController();
accessController.revoke(Authorizable.fromEntityId(entityId));
assertNoAccess(entityId);
}
Also used :
InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController)
AccessController(io.cdap.cdap.security.spi.authorization.AccessController)
Example 24 with AccessController
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.
the class AuthorizationTest method assertNoAccess.
private void assertNoAccess(Principal principal, final EntityId entityId) throws Exception {
AccessController accessController = getAccessController();
Predicate<GrantedPermission> entityFilter = new Predicate<GrantedPermission>() {
@Override
public boolean apply(GrantedPermission input) {
return Authorizable.fromEntityId(entityId).equals(input.getAuthorizable());
}
};
Assert.assertTrue(Sets.filter(accessController.listGrants(principal), entityFilter).isEmpty());
}
Also used :
InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController)
AccessController(io.cdap.cdap.security.spi.authorization.AccessController)
GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)
Predicate(com.google.common.base.Predicate)
Example 25 with AccessController
use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by caskdata.
the class AccessControllerClassLoader method rewriteClass.
@Nullable
@Override
public byte[] rewriteClass(String className, InputStream input) throws IOException {
if (!accessControllerClassName.equals(className)) {
return null;
}
// Rewrite the AccessController class to wrap every methods call with context classloader change
Set<java.lang.reflect.Method> accessControlMethods = Stream.of(Authorizer.class, AccessController.class).flatMap(c -> Stream.of(c.getMethods())).collect(Collectors.toSet());
ClassReader cr = new ClassReader(input);
ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES);
cr.accept(new ClassVisitor(Opcodes.ASM7, cw) {
private String superName;
@Override
public void visit(int version, int access, String name, String signature, String superName, String[] interfaces) {
super.visit(version, access, name, signature, superName, interfaces);
this.superName = superName;
}
@Override
public MethodVisitor visitMethod(int access, String name, String descriptor, String signature, String[] exceptions) {
MethodVisitor mv = super.visitMethod(access, name, descriptor, signature, exceptions);
Method method = new Method(name, descriptor);
// Only rewrite methods defined in the Authorizer or AccessController interface.
if (accessControlMethods.removeIf(m -> method.equals(Method.getMethod(m)))) {
return rewriteMethod(access, name, descriptor, mv);
}
return mv;
}
@Override
public void visitEnd() {
if (Type.getType(Object.class).getInternalName().equals(superName)) {
// the one we need and it's not trivial as those interfaces can be in the current jar we are trying to load.
return;
}
// Generates all the missing methods on the Authorizer interface so that we can wrap them with the
// context classloader switch.
Set<Method> generatedMethods = new HashSet<>();
new HashSet<>(accessControlMethods).forEach(m -> {
Method method = Method.getMethod(m);
// Guard against same method signature that comes from different parent interfaces
if (!generatedMethods.add(method)) {
return;
}
// Generate the method by calling super.[method]
String signature = Signatures.getMethodSignature(method, TypeToken.of(m.getGenericReturnType()), Arrays.stream(m.getGenericParameterTypes()).map(TypeToken::of).toArray(TypeToken[]::new));
String[] exceptions = Arrays.stream(m.getExceptionTypes()).map(Type::getInternalName).toArray(String[]::new);
MethodVisitor mv = rewriteMethod(Opcodes.ACC_PUBLIC, method.getName(), method.getDescriptor(), visitMethod(Opcodes.ACC_PUBLIC, method.getName(), method.getDescriptor(), signature, exceptions));
GeneratorAdapter generator = new GeneratorAdapter(Opcodes.ACC_PUBLIC, method, mv);
generator.visitCode();
generator.loadThis();
generator.loadArgs();
generator.visitMethodInsn(Opcodes.INVOKESPECIAL, superName, method.getName(), method.getDescriptor(), false);
generator.returnValue();
generator.endMethod();
});
super.visitEnd();
}
/**
* Rewrites the method by wrapping the whole method call with the context classloader switch to the
* AccessControllerClassLoader.
*/
private MethodVisitor rewriteMethod(int access, String name, String descriptor, MethodVisitor mv) {
return new FinallyAdapter(Opcodes.ASM7, mv, access, name, descriptor) {
int currentThread;
int oldClassLoader;
@Override
protected void onMethodEnter() {
// Thread currentThread = Thread.currentThread();
invokeStatic(THREAD_TYPE, new Method("currentThread", THREAD_TYPE, new Type[0]));
currentThread = newLocal(THREAD_TYPE);
storeLocal(currentThread, THREAD_TYPE);
// ClassLoader oldClassLoader = currentThread.getContextClassLoader();
loadLocal(currentThread, THREAD_TYPE);
invokeVirtual(THREAD_TYPE, new Method("getContextClassLoader", CLASSLOADER_TYPE, new Type[0]));
oldClassLoader = newLocal(CLASSLOADER_TYPE);
storeLocal(oldClassLoader, CLASSLOADER_TYPE);
// currentThread.setContextClassLoader(getClass().getClassLoader());
loadLocal(currentThread, THREAD_TYPE);
loadThis();
invokeVirtual(Type.getType(Object.class), new Method("getClass", Type.getType(Class.class), new Type[0]));
invokeVirtual(Type.getType(Class.class), new Method("getClassLoader", CLASSLOADER_TYPE, new Type[0]));
invokeVirtual(THREAD_TYPE, new Method("setContextClassLoader", Type.VOID_TYPE, new Type[] { CLASSLOADER_TYPE }));
beginTry();
}
@Override
protected void onFinally(int opcode) {
// currentThread.setContextClassLoader(oldClassLoader);
loadLocal(currentThread, THREAD_TYPE);
loadLocal(oldClassLoader, CLASSLOADER_TYPE);
invokeVirtual(THREAD_TYPE, new Method("setContextClassLoader", Type.VOID_TYPE, new Type[] { CLASSLOADER_TYPE }));
}
};
}
}, ClassReader.EXPAND_FRAMES);
return cw.toByteArray();
}
Also used :
ClassWriter(org.objectweb.asm.ClassWriter)
Manifest(java.util.jar.Manifest)
Authorizer(io.cdap.cdap.security.spi.authorization.Authorizer)
Arrays(java.util.Arrays)
MethodVisitor(org.objectweb.asm.MethodVisitor)
LoggerFactory(org.slf4j.LoggerFactory)
TypeToken(com.google.common.reflect.TypeToken)
Type(org.objectweb.asm.Type)
HashSet(java.util.HashSet)
Method(org.objectweb.asm.commons.Method)
GeneratorAdapter(org.objectweb.asm.commons.GeneratorAdapter)
ClassVisitor(org.objectweb.asm.ClassVisitor)
Nullable(javax.annotation.Nullable)
FinallyAdapter(io.cdap.cdap.internal.asm.FinallyAdapter)
Opcodes(org.objectweb.asm.Opcodes)
ImmutableSet(com.google.common.collect.ImmutableSet)
Logger(org.slf4j.Logger)
AccessController(io.cdap.cdap.security.spi.authorization.AccessController)
Set(java.util.Set)
IOException(java.io.IOException)
Attributes(java.util.jar.Attributes)
Collectors(java.util.stream.Collectors)
File(java.io.File)
FilterClassLoader(io.cdap.cdap.common.lang.FilterClassLoader)
Stream(java.util.stream.Stream)
ClassPathResources(io.cdap.cdap.common.lang.ClassPathResources)
Signatures(io.cdap.cdap.internal.asm.Signatures)
ClassReader(org.objectweb.asm.ClassReader)
DirectoryClassLoader(io.cdap.cdap.common.lang.DirectoryClassLoader)
BundleJarUtil(io.cdap.cdap.common.lang.jar.BundleJarUtil)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
DirUtils(io.cdap.cdap.common.utils.DirUtils)
InputStream(java.io.InputStream)
FinallyAdapter(io.cdap.cdap.internal.asm.FinallyAdapter)
HashSet(java.util.HashSet)
ImmutableSet(com.google.common.collect.ImmutableSet)
Set(java.util.Set)
Method(org.objectweb.asm.commons.Method)
ClassVisitor(org.objectweb.asm.ClassVisitor)
ClassWriter(org.objectweb.asm.ClassWriter)
MethodVisitor(org.objectweb.asm.MethodVisitor)
Type(org.objectweb.asm.Type)
ClassReader(org.objectweb.asm.ClassReader)
GeneratorAdapter(org.objectweb.asm.commons.GeneratorAdapter)
HashSet(java.util.HashSet)
Nullable(javax.annotation.Nullable)
Aggregations
AccessController (io.cdap.cdap.security.spi.authorization.AccessController)50
NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController)30
Test (org.junit.Test)24
InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController)18
CConfiguration (io.cdap.cdap.common.conf.CConfiguration)12
Principal (io.cdap.cdap.proto.security.Principal)12
Credential (io.cdap.cdap.proto.security.Credential)10
GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)10
DatasetId (io.cdap.cdap.proto.id.DatasetId)8
StandardPermission (io.cdap.cdap.proto.security.StandardPermission)8
ImmutableSet (com.google.common.collect.ImmutableSet)6
SConfiguration (io.cdap.cdap.common.conf.SConfiguration)6
EntityId (io.cdap.cdap.proto.id.EntityId)6
NamespaceId (io.cdap.cdap.proto.id.NamespaceId)6
TinkCipher (io.cdap.cdap.security.auth.TinkCipher)6
File (java.io.File)6
IOException (java.io.IOException)6
AuthorizationClient (io.cdap.cdap.client.AuthorizationClient)4
CommonNettyHttpServiceBuilder (io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder)4
MasterAuthenticationContext (io.cdap.cdap.security.auth.context.MasterAuthenticationContext)4
