Example 1 with PermissionDeniedException

use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.

In class OpenShiftAuthManager, method validateAction. For each Kubernetes group/resource that the requested ResourceAction maps to, it submits a SelfSubjectAccessReview scoped to the target namespace and fails the corresponding future with a PermissionDeniedException whenever the API server answers allowed=false. A client or transport error fails the future as well, so the check fails closed: no review ever completes successfully without an explicit allow.

private Stream<CompletableFuture<Void>> validateAction(OpenShiftClient client, String namespace, ResourceAction resourceAction) {
    // Map the Cryostat-level resource onto the Kubernetes group/resource pairs backing it.
    // An unmapped resource needs no API-server check, so no futures are produced for it.
    Set<GroupResource> resources = resourceMap.getOrDefault(resourceAction.getResource(), Set.of());
    if (resources.isEmpty()) {
        return Stream.of();
    }
    String verb = map(resourceAction.getVerb());
    return resources.stream()
            // One SelfSubjectAccessReview per mapped resource, scoped to the target namespace.
            .map(resource -> new SelfSubjectAccessReviewBuilder()
                    .withNewSpec()
                    .withNewResourceAttributes()
                    .withNamespace(namespace)
                    .withGroup(resource.getGroup())
                    .withResource(resource.getResource())
                    .withSubresource(resource.getSubResource())
                    .withVerb(verb)
                    .endResourceAttributes()
                    .endSpec()
                    .build())
            .map(accessReview -> {
                CompletableFuture<Void> result = new CompletableFuture<>();
                // JFR event covering the review round-trip
                AuthRequest evt = new AuthRequest();
                try {
                    evt.begin();
                    // The API server evaluates the review against the credentials the client itself presents.
                    SelfSubjectAccessReview accessReviewResult = client.authorization().v1().selfSubjectAccessReview().create(accessReview);
                    evt.setRequestSuccessful(true);
                    if (accessReviewResult.getStatus().getAllowed()) {
                        result.complete(null);
                    } else {
                        // Denied: fail the future with namespace, "resource.group", verb and the server's reason.
                        result.completeExceptionally(new PermissionDeniedException(namespace, new GroupResource(accessReview.getSpec().getResourceAttributes()).toString(), verb, accessReviewResult.getStatus().getReason()));
                    }
                } catch (Exception e) {
                    // Transport or client errors also fail the future rather than granting access.
                    result.completeExceptionally(e);
                } finally {
                    if (evt.shouldCommit()) {
                        evt.end();
                        evt.commit();
                    }
                }
                return result;
            });
}
Also used : JsonProperty(com.fasterxml.jackson.annotation.JsonProperty) Event(jdk.jfr.Event) Label(jdk.jfr.Label) Arrays(java.util.Arrays) URISyntaxException(java.net.URISyntaxException) Scheduler(com.github.benmanes.caffeine.cache.Scheduler) StringUtils(org.apache.commons.lang3.StringUtils) UserInfo(io.cryostat.net.UserInfo) Future(java.util.concurrent.Future) Matcher(java.util.regex.Matcher) MissingEnvironmentVariableException(io.cryostat.net.MissingEnvironmentVariableException) Duration(java.time.Duration) Map(java.util.Map) AuthenticationScheme(io.cryostat.net.AuthenticationScheme) ResponseBody(okhttp3.ResponseBody) KubernetesClientException(io.fabric8.kubernetes.client.KubernetesClientException) Request(okhttp3.Request) LoadingCache(com.github.benmanes.caffeine.cache.LoadingCache) URIBuilder(org.apache.http.client.utils.URIBuilder) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) ResourceType(io.cryostat.net.security.ResourceType) Set(java.util.Set) TokenReview(io.fabric8.kubernetes.api.model.authentication.TokenReview) Collectors(java.util.stream.Collectors) Lazy(dagger.Lazy) StandardCharsets(java.nio.charset.StandardCharsets) Objects(java.util.Objects) Base64(java.util.Base64) List(java.util.List) Stream(java.util.stream.Stream) TokenNotFoundException(io.cryostat.net.TokenNotFoundException) Optional(java.util.Optional) Pattern(java.util.regex.Pattern) HttpUrl(okhttp3.HttpUrl) SuppressFBWarnings(edu.umd.cs.findbugs.annotations.SuppressFBWarnings) JsonIgnoreProperties(com.fasterxml.jackson.annotation.JsonIgnoreProperties) SelfSubjectAccessReviewBuilder(io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReviewBuilder) SelfSubjectAccessReview(io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReview) HashMap(java.util.HashMap) CompletableFuture(java.util.concurrent.CompletableFuture) ResourceVerb(io.cryostat.net.security.ResourceVerb) Function(java.util.function.Function) Supplier(java.util.function.Supplier) AbstractAuthManager(io.cryostat.net.AbstractAuthManager) Name(jdk.jfr.Name) Category(jdk.jfr.Category) Logger(io.cryostat.core.log.Logger) Response(okhttp3.Response) Call(okhttp3.Call) Callback(okhttp3.Callback) Environment(io.cryostat.core.sys.Environment) AuthorizationErrorException(io.cryostat.net.AuthorizationErrorException) Caffeine(com.github.benmanes.caffeine.cache.Caffeine) Executor(java.util.concurrent.Executor) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) IOException(java.io.IOException) ResourceAttributes(io.fabric8.kubernetes.api.model.authorization.v1.ResourceAttributes) OpenShiftClient(io.fabric8.openshift.client.OpenShiftClient) PermissionDeniedException(io.cryostat.net.PermissionDeniedException) TokenReviewBuilder(io.fabric8.kubernetes.api.model.authentication.TokenReviewBuilder) ExecutionException(java.util.concurrent.ExecutionException) TimeUnit(java.util.concurrent.TimeUnit) OkHttpClient(okhttp3.OkHttpClient) TokenReviewStatus(io.fabric8.kubernetes.api.model.authentication.TokenReviewStatus) DigestUtils(org.apache.commons.codec.digest.DigestUtils) Collections(java.util.Collections) ClassPropertiesLoader(io.cryostat.util.resource.ClassPropertiesLoader) ResourceAction(io.cryostat.net.security.ResourceAction)
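The decision logic behind validateAction, and the exception nesting that Examples 2 and 4 below assert on, modelled as an added stand-alone illustration. This is not Cryostat code: the class names AccessReviewDemo and PermissionDenied, the in-memory POLICY map standing in for the API server's RBAC answer, and the validateAll helper that combines the per-resource futures are all assumptions made here for the example. What it shows is that every mapped resource must be individually allowed, that an unknown or denied entry fails closed, and that a caller joining the combined future has to walk the cause chain to recover the denial details.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;

public class AccessReviewDemo {

    // Stand-in for io.cryostat.net.PermissionDeniedException (hypothetical, added for this example).
    static final class PermissionDenied extends Exception {
        final String namespace;
        final String resourceType;
        final String verb;
        final String reason;

        PermissionDenied(String namespace, String resourceType, String verb, String reason) {
            super(String.format("%s %s in %s: %s", verb, resourceType, namespace, reason));
            this.namespace = namespace;
            this.resourceType = resourceType;
            this.verb = verb;
            this.reason = reason;
        }
    }

    // Constructed stand-in for the API server's RBAC decision on a
    // SelfSubjectAccessReview, keyed by "namespace/resource.group/verb".
    static final Map<String, Boolean> POLICY = Map.of(
            "cryostat/recordings.operator.cryostat.io/get", true,
            "cryostat/recordings.operator.cryostat.io/create", false,
            "cryostat/pods/get", true,
            "cryostat/pods/create", true);

    // One review: the future completes normally only on allowed=true.
    // An explicit deny or no matching rule at all fails it, i.e. fail closed.
    static CompletableFuture<Void> review(String namespace, String resourceType, String verb) {
        CompletableFuture<Void> result = new CompletableFuture<>();
        Boolean allowed = POLICY.get(namespace + "/" + resourceType + "/" + verb);
        if (Boolean.TRUE.equals(allowed)) {
            result.complete(null);
        } else {
            String reason = allowed == null ? "no RBAC rule matched" : "RBAC denies this verb";
            result.completeExceptionally(new PermissionDenied(namespace, resourceType, verb, reason));
        }
        return result;
    }

    // Every backing resource must be allowed; allOf fails if any single review fails.
    static CompletableFuture<Void> validateAll(String namespace, String verb, List<String> resourceTypes) {
        CompletableFuture<?>[] reviews = resourceTypes.stream()
                .map(rt -> review(namespace, rt, verb))
                .toArray(CompletableFuture[]::new);
        return CompletableFuture.allOf(reviews);
    }

    // Walk the cause chain: allOf wraps a failure in CompletionException and
    // Future.get() reports it as ExecutionException, so the PermissionDenied
    // may sit one or two levels down (the nesting Example 4's test exercises).
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) {
            t = t.getCause();
        }
        return t;
    }

    public static void main(String[] args) throws Exception {
        List<String> backing = List.of("recordings.operator.cryostat.io", "pods");

        validateAll("cryostat", "get", backing).get();
        System.out.println("get: allowed on all backing resources");

        try {
            validateAll("cryostat", "create", backing).get();
            System.out.println("create: allowed (not expected with this policy)");
        } catch (ExecutionException ee) {
            Throwable root = rootCause(ee);
            if (root instanceof PermissionDenied) {
                PermissionDenied pd = (PermissionDenied) root;
                System.out.printf("create: denied %s on %s in %s (%s)%n",
                        pd.verb, pd.resourceType, pd.namespace, pd.reason);
            } else {
                throw ee;
            }
        }
    }
}
```

To reproduce the real review by hand against a cluster, the same question the builder in validateAction asks can be put from a shell as kubectl auth can-i get recordings.operator.cryostat.io -n <namespace>, run with the token Cryostat would present; a "no" there corresponds to the allowed=false branch above.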

Example 2 with PermissionDeniedException

use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.

In class OpenShiftAuthManagerTest, method shouldNotValidateTokenWithInsufficientPermissions. With a mock API server answering the SelfSubjectAccessReview with allowed=false, validateToken for READ_RECORDING must fail, and the root cause must be a PermissionDeniedException naming the namespace, the resource recordings.operator.cryostat.io and the verb get.

@Test
void shouldNotValidateTokenWithInsufficientPermissions() throws Exception {
    // Mock API server: the review comes back with status.allowed = false.
    SelfSubjectAccessReview accessReview = new SelfSubjectAccessReviewBuilder().withNewStatus().withAllowed(false).endStatus().build();
    server.expect().post().withPath(SUBJECT_REVIEW_API_PATH).andReturn(HttpURLConnection.HTTP_CREATED, accessReview).once();
    // Joining the failed future surfaces the denial as an ExecutionException.
    ExecutionException ee = Assertions.assertThrows(
            ExecutionException.class,
            () -> mgr.validateToken(() -> "token", Set.of(ResourceAction.READ_RECORDING)).get());
    ee.printStackTrace();
    ExceptionUtils.getRootCause(ee).printStackTrace();
    // The root cause carries the denied namespace, "resource.group" and verb.
    MatcherAssert.assertThat(ExceptionUtils.getRootCause(ee), Matchers.instanceOf(PermissionDeniedException.class));
    PermissionDeniedException pde = (PermissionDeniedException) ExceptionUtils.getRootCause(ee);
    MatcherAssert.assertThat(pde.getNamespace(), Matchers.equalTo(NAMESPACE));
    MatcherAssert.assertThat(pde.getResourceType(), Matchers.equalTo("recordings.operator.cryostat.io"));
    MatcherAssert.assertThat(pde.getVerb(), Matchers.equalTo("get"));
}
Also used : PermissionDeniedException(io.cryostat.net.PermissionDeniedException) SelfSubjectAccessReview(io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReview) SelfSubjectAccessReviewBuilder(io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReviewBuilder) ExecutionException(java.util.concurrent.ExecutionException) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 3 with PermissionDeniedException

use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.

In class AbstractAuthenticatedRequestHandlerTest, method shouldThrow401IfAuthFails2. A PermissionDeniedException returned from validateHttpHeader (an authorization failure, not a missing or invalid credential) is surfaced to the client as an HttpException with status 401.

@Test
void shouldThrow401IfAuthFails2() {
    // The auth manager reports the denial directly as the failed future's cause.
    when(auth.validateHttpHeader(Mockito.any(), Mockito.any()))
            .thenReturn(CompletableFuture.failedFuture(new PermissionDeniedException("namespace", "resource.group", "verb", "reason")));
    HttpException ex = Assertions.assertThrows(HttpException.class, () -> handler.handle(ctx));
    MatcherAssert.assertThat(ex.getStatusCode(), Matchers.equalTo(401));
}
Also used : PermissionDeniedException(io.cryostat.net.PermissionDeniedException) HttpException(io.vertx.ext.web.handler.HttpException) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 4 with PermissionDeniedException

use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.

In class AbstractAuthenticatedRequestHandlerTest, method shouldThrow401IfAuthFails4. The same 401 mapping must hold when the PermissionDeniedException arrives wrapped in an ExecutionException, as it does once a failed CompletableFuture has been joined with get(); the handler therefore has to look at the root cause rather than only the outermost exception.

@Test
void shouldThrow401IfAuthFails4() {
    // Check a doubly-nested PermissionDeniedException
    when(auth.validateHttpHeader(Mockito.any(), Mockito.any()))
            .thenReturn(CompletableFuture.failedFuture(
                    new ExecutionException(new PermissionDeniedException("namespace", "resource.group", "verb", "reason"))));
    HttpException ex = Assertions.assertThrows(HttpException.class, () -> handler.handle(ctx));
    MatcherAssert.assertThat(ex.getStatusCode(), Matchers.equalTo(401));
}
Also used : PermissionDeniedException(io.cryostat.net.PermissionDeniedException) HttpException(io.vertx.ext.web.handler.HttpException) ExecutionException(java.util.concurrent.ExecutionException) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Aggregations

PermissionDeniedException (io.cryostat.net.PermissionDeniedException) 4
Test (org.junit.jupiter.api.Test) 3
ParameterizedTest (org.junit.jupiter.params.ParameterizedTest) 3
SelfSubjectAccessReview (io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReview) 2
SelfSubjectAccessReviewBuilder (io.fabric8.kubernetes.api.model.authorization.v1.SelfSubjectAccessReviewBuilder) 2
HttpException (io.vertx.ext.web.handler.HttpException) 2
ExecutionException (java.util.concurrent.ExecutionException) 2
JsonIgnoreProperties (com.fasterxml.jackson.annotation.JsonIgnoreProperties) 1
JsonProperty (com.fasterxml.jackson.annotation.JsonProperty) 1
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper) 1
Caffeine (com.github.benmanes.caffeine.cache.Caffeine) 1
LoadingCache (com.github.benmanes.caffeine.cache.LoadingCache) 1
Scheduler (com.github.benmanes.caffeine.cache.Scheduler) 1
Lazy (dagger.Lazy) 1
SuppressFBWarnings (edu.umd.cs.findbugs.annotations.SuppressFBWarnings) 1
Logger (io.cryostat.core.log.Logger) 1
Environment (io.cryostat.core.sys.Environment) 1
AbstractAuthManager (io.cryostat.net.AbstractAuthManager) 1
AuthenticationScheme (io.cryostat.net.AuthenticationScheme) 1
AuthorizationErrorException (io.cryostat.net.AuthorizationErrorException) 1