Search in sources :

Example 21 with AccessController

use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.

the class AuthorizationTest method createAuthNamespace.

private void createAuthNamespace() throws Exception {
    AccessController accessController = getAccessController();
    grantAndAssertSuccess(AUTH_NAMESPACE, ALICE, ImmutableSet.of(StandardPermission.GET, StandardPermission.CREATE));
    getNamespaceAdmin().create(AUTH_NAMESPACE_META);
    Assert.assertEquals(ImmutableSet.of(new GrantedPermission(AUTH_NAMESPACE, StandardPermission.GET), new GrantedPermission(AUTH_NAMESPACE, StandardPermission.CREATE)), accessController.listGrants(ALICE));
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 22 with AccessController

use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.

the class AuthorizationTest method grantAndAssertSuccess.

private void grantAndAssertSuccess(Authorizable authorizable, Principal principal, Set<? extends Permission> permissions) throws Exception {
    AccessController accessController = getAccessController();
    Set<GrantedPermission> existingPrivileges = accessController.listGrants(principal);
    accessController.grant(authorizable, principal, permissions);
    ImmutableSet.Builder<GrantedPermission> expectedPrivilegesAfterGrant = ImmutableSet.builder();
    for (Permission permission : permissions) {
        expectedPrivilegesAfterGrant.add(new GrantedPermission(authorizable, permission));
    }
    Assert.assertEquals(Sets.union(existingPrivileges, expectedPrivilegesAfterGrant.build()), accessController.listGrants(principal));
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) ImmutableSet(com.google.common.collect.ImmutableSet) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) ApplicationPermission(io.cdap.cdap.proto.security.ApplicationPermission) AccessPermission(io.cdap.cdap.proto.security.AccessPermission) Permission(io.cdap.cdap.proto.security.Permission) StandardPermission(io.cdap.cdap.proto.security.StandardPermission) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission)

Example 23 with AccessController

use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.

the class AuthorizationTest method revokeAndAssertSuccess.

private void revokeAndAssertSuccess(final EntityId entityId) throws Exception {
    AccessController accessController = getAccessController();
    accessController.revoke(Authorizable.fromEntityId(entityId));
    assertNoAccess(entityId);
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController)

Example 24 with AccessController

use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by cdapio.

the class AuthorizationTest method assertNoAccess.

private void assertNoAccess(Principal principal, final EntityId entityId) throws Exception {
    AccessController accessController = getAccessController();
    Predicate<GrantedPermission> entityFilter = new Predicate<GrantedPermission>() {

        @Override
        public boolean apply(GrantedPermission input) {
            return Authorizable.fromEntityId(entityId).equals(input.getAuthorizable());
        }
    };
    Assert.assertTrue(Sets.filter(accessController.listGrants(principal), entityFilter).isEmpty());
}
Also used : InMemoryAccessController(io.cdap.cdap.security.authorization.InMemoryAccessController) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) GrantedPermission(io.cdap.cdap.proto.security.GrantedPermission) Predicate(com.google.common.base.Predicate)

Example 25 with AccessController

use of io.cdap.cdap.security.spi.authorization.AccessController in project cdap by caskdata.

the class AccessControllerClassLoader method rewriteClass.

@Nullable
@Override
public byte[] rewriteClass(String className, InputStream input) throws IOException {
    if (!accessControllerClassName.equals(className)) {
        return null;
    }
    // Rewrite the AccessController class to wrap every methods call with context classloader change
    Set<java.lang.reflect.Method> accessControlMethods = Stream.of(Authorizer.class, AccessController.class).flatMap(c -> Stream.of(c.getMethods())).collect(Collectors.toSet());
    ClassReader cr = new ClassReader(input);
    ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES);
    cr.accept(new ClassVisitor(Opcodes.ASM7, cw) {

        private String superName;

        @Override
        public void visit(int version, int access, String name, String signature, String superName, String[] interfaces) {
            super.visit(version, access, name, signature, superName, interfaces);
            this.superName = superName;
        }

        @Override
        public MethodVisitor visitMethod(int access, String name, String descriptor, String signature, String[] exceptions) {
            MethodVisitor mv = super.visitMethod(access, name, descriptor, signature, exceptions);
            Method method = new Method(name, descriptor);
            // Only rewrite methods defined in the Authorizer or AccessController interface.
            if (accessControlMethods.removeIf(m -> method.equals(Method.getMethod(m)))) {
                return rewriteMethod(access, name, descriptor, mv);
            }
            return mv;
        }

        @Override
        public void visitEnd() {
            if (Type.getType(Object.class).getInternalName().equals(superName)) {
                // the one we need and it's not trivial as those interfaces can be in the current jar we are trying to load.
                return;
            }
            // Generates all the missing methods on the Authorizer interface so that we can wrap them with the
            // context classloader switch.
            Set<Method> generatedMethods = new HashSet<>();
            new HashSet<>(accessControlMethods).forEach(m -> {
                Method method = Method.getMethod(m);
                // Guard against same method signature that comes from different parent interfaces
                if (!generatedMethods.add(method)) {
                    return;
                }
                // Generate the method by calling super.[method]
                String signature = Signatures.getMethodSignature(method, TypeToken.of(m.getGenericReturnType()), Arrays.stream(m.getGenericParameterTypes()).map(TypeToken::of).toArray(TypeToken[]::new));
                String[] exceptions = Arrays.stream(m.getExceptionTypes()).map(Type::getInternalName).toArray(String[]::new);
                MethodVisitor mv = rewriteMethod(Opcodes.ACC_PUBLIC, method.getName(), method.getDescriptor(), visitMethod(Opcodes.ACC_PUBLIC, method.getName(), method.getDescriptor(), signature, exceptions));
                GeneratorAdapter generator = new GeneratorAdapter(Opcodes.ACC_PUBLIC, method, mv);
                generator.visitCode();
                generator.loadThis();
                generator.loadArgs();
                generator.visitMethodInsn(Opcodes.INVOKESPECIAL, superName, method.getName(), method.getDescriptor(), false);
                generator.returnValue();
                generator.endMethod();
            });
            super.visitEnd();
        }

        /**
         * Rewrites the method by wrapping the whole method call with the context classloader switch to the
         * AccessControllerClassLoader.
         */
        private MethodVisitor rewriteMethod(int access, String name, String descriptor, MethodVisitor mv) {
            return new FinallyAdapter(Opcodes.ASM7, mv, access, name, descriptor) {

                int currentThread;

                int oldClassLoader;

                @Override
                protected void onMethodEnter() {
                    // Thread currentThread = Thread.currentThread();
                    invokeStatic(THREAD_TYPE, new Method("currentThread", THREAD_TYPE, new Type[0]));
                    currentThread = newLocal(THREAD_TYPE);
                    storeLocal(currentThread, THREAD_TYPE);
                    // ClassLoader oldClassLoader = currentThread.getContextClassLoader();
                    loadLocal(currentThread, THREAD_TYPE);
                    invokeVirtual(THREAD_TYPE, new Method("getContextClassLoader", CLASSLOADER_TYPE, new Type[0]));
                    oldClassLoader = newLocal(CLASSLOADER_TYPE);
                    storeLocal(oldClassLoader, CLASSLOADER_TYPE);
                    // currentThread.setContextClassLoader(getClass().getClassLoader());
                    loadLocal(currentThread, THREAD_TYPE);
                    loadThis();
                    invokeVirtual(Type.getType(Object.class), new Method("getClass", Type.getType(Class.class), new Type[0]));
                    invokeVirtual(Type.getType(Class.class), new Method("getClassLoader", CLASSLOADER_TYPE, new Type[0]));
                    invokeVirtual(THREAD_TYPE, new Method("setContextClassLoader", Type.VOID_TYPE, new Type[] { CLASSLOADER_TYPE }));
                    beginTry();
                }

                @Override
                protected void onFinally(int opcode) {
                    // currentThread.setContextClassLoader(oldClassLoader);
                    loadLocal(currentThread, THREAD_TYPE);
                    loadLocal(oldClassLoader, CLASSLOADER_TYPE);
                    invokeVirtual(THREAD_TYPE, new Method("setContextClassLoader", Type.VOID_TYPE, new Type[] { CLASSLOADER_TYPE }));
                }
            };
        }
    }, ClassReader.EXPAND_FRAMES);
    return cw.toByteArray();
}
Also used : ClassWriter(org.objectweb.asm.ClassWriter) Manifest(java.util.jar.Manifest) Authorizer(io.cdap.cdap.security.spi.authorization.Authorizer) Arrays(java.util.Arrays) MethodVisitor(org.objectweb.asm.MethodVisitor) LoggerFactory(org.slf4j.LoggerFactory) TypeToken(com.google.common.reflect.TypeToken) Type(org.objectweb.asm.Type) HashSet(java.util.HashSet) Method(org.objectweb.asm.commons.Method) GeneratorAdapter(org.objectweb.asm.commons.GeneratorAdapter) ClassVisitor(org.objectweb.asm.ClassVisitor) Nullable(javax.annotation.Nullable) FinallyAdapter(io.cdap.cdap.internal.asm.FinallyAdapter) Opcodes(org.objectweb.asm.Opcodes) ImmutableSet(com.google.common.collect.ImmutableSet) Logger(org.slf4j.Logger) AccessController(io.cdap.cdap.security.spi.authorization.AccessController) Set(java.util.Set) IOException(java.io.IOException) Attributes(java.util.jar.Attributes) Collectors(java.util.stream.Collectors) File(java.io.File) FilterClassLoader(io.cdap.cdap.common.lang.FilterClassLoader) Stream(java.util.stream.Stream) ClassPathResources(io.cdap.cdap.common.lang.ClassPathResources) Signatures(io.cdap.cdap.internal.asm.Signatures) ClassReader(org.objectweb.asm.ClassReader) DirectoryClassLoader(io.cdap.cdap.common.lang.DirectoryClassLoader) BundleJarUtil(io.cdap.cdap.common.lang.jar.BundleJarUtil) VisibleForTesting(com.google.common.annotations.VisibleForTesting) DirUtils(io.cdap.cdap.common.utils.DirUtils) InputStream(java.io.InputStream) FinallyAdapter(io.cdap.cdap.internal.asm.FinallyAdapter) HashSet(java.util.HashSet) ImmutableSet(com.google.common.collect.ImmutableSet) Set(java.util.Set) Method(org.objectweb.asm.commons.Method) ClassVisitor(org.objectweb.asm.ClassVisitor) ClassWriter(org.objectweb.asm.ClassWriter) MethodVisitor(org.objectweb.asm.MethodVisitor) Type(org.objectweb.asm.Type) ClassReader(org.objectweb.asm.ClassReader) GeneratorAdapter(org.objectweb.asm.commons.GeneratorAdapter) HashSet(java.util.HashSet) Nullable(javax.annotation.Nullable)

Aggregations

AccessController (io.cdap.cdap.security.spi.authorization.AccessController)50 NoOpAccessController (io.cdap.cdap.security.spi.authorization.NoOpAccessController)30 Test (org.junit.Test)24 InMemoryAccessController (io.cdap.cdap.security.authorization.InMemoryAccessController)18 CConfiguration (io.cdap.cdap.common.conf.CConfiguration)12 Principal (io.cdap.cdap.proto.security.Principal)12 Credential (io.cdap.cdap.proto.security.Credential)10 GrantedPermission (io.cdap.cdap.proto.security.GrantedPermission)10 DatasetId (io.cdap.cdap.proto.id.DatasetId)8 StandardPermission (io.cdap.cdap.proto.security.StandardPermission)8 ImmutableSet (com.google.common.collect.ImmutableSet)6 SConfiguration (io.cdap.cdap.common.conf.SConfiguration)6 EntityId (io.cdap.cdap.proto.id.EntityId)6 NamespaceId (io.cdap.cdap.proto.id.NamespaceId)6 TinkCipher (io.cdap.cdap.security.auth.TinkCipher)6 File (java.io.File)6 IOException (java.io.IOException)6 AuthorizationClient (io.cdap.cdap.client.AuthorizationClient)4 CommonNettyHttpServiceBuilder (io.cdap.cdap.common.http.CommonNettyHttpServiceBuilder)4 MasterAuthenticationContext (io.cdap.cdap.security.auth.context.MasterAuthenticationContext)4