use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.
the class OpenShiftAuthManager method validateAction.
/**
 * Requests one SelfSubjectAccessReview per cluster resource mapped to the given action and
 * reports each outcome as a future.
 *
 * <p>The returned stream is lazy: no request is sent until the caller consumes it. Each future
 * completes normally only when the review response reports {@code allowed}. A denial completes
 * it with a {@link PermissionDeniedException}, and any exception raised while sending the
 * request or reading the response completes it with that exception, so failures never
 * surface as a grant.
 *
 * <p>NOTE(review): when {@code resourceMap} holds no entry (or an empty set) for the action's
 * resource, the stream is empty and no review is requested. A caller that only waits for the
 * returned futures has nothing to fail on in that case; confirm that unmapped actions are
 * meant to pass.
 *
 * @param client client used to create the access reviews
 * @param namespace namespace placed in each review's resource attributes
 * @param resourceAction action whose resource selects the mapped set and whose verb is
 *     translated by {@code map(...)}
 * @return one future per mapped resource, or an empty stream when nothing is mapped
 */
private Stream<CompletableFuture<Void>> validateAction(OpenShiftClient client, String namespace, ResourceAction resourceAction) {
    Set<GroupResource> mapped = resourceMap.getOrDefault(resourceAction.getResource(), Set.of());
    if (mapped.isEmpty()) {
        return Stream.of();
    }
    String verb = map(resourceAction.getVerb());
    return mapped.stream()
            .map(resource -> new SelfSubjectAccessReviewBuilder()
                    .withNewSpec()
                    .withNewResourceAttributes()
                    .withNamespace(namespace)
                    .withGroup(resource.getGroup())
                    .withResource(resource.getResource())
                    .withSubresource(resource.getSubResource())
                    .withVerb(verb)
                    .endResourceAttributes()
                    .endSpec()
                    .build())
            .map(review -> {
                CompletableFuture<Void> outcome = new CompletableFuture<>();
                AuthRequest event = new AuthRequest();
                try {
                    event.begin();
                    SelfSubjectAccessReview response = client.authorization().v1().selfSubjectAccessReview().create(review);
                    // Set as soon as the API call returns: it records that the request
                    // completed, not that access was granted.
                    event.setRequestSuccessful(true);
                    if (!response.getStatus().getAllowed()) {
                        outcome.completeExceptionally(
                                new PermissionDeniedException(
                                        namespace,
                                        new GroupResource(review.getSpec().getResourceAttributes()).toString(),
                                        verb,
                                        response.getStatus().getReason()));
                    } else {
                        outcome.complete(null);
                    }
                } catch (Exception e) {
                    // Fail closed: a transport error or malformed response (for example a
                    // missing status) ends up here and is reported as a failure.
                    outcome.completeExceptionally(e);
                } finally {
                    if (event.shouldCommit()) {
                        event.end();
                        event.commit();
                    }
                }
                return outcome;
            });
}
use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.
the class OpenShiftAuthManagerTest method shouldNotValidateTokenWithInsufficientPermissions.
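/**
 * Verifies that token validation fails with a {@link PermissionDeniedException} when the mock
 * API server answers the SelfSubjectAccessReview with {@code allowed=false}, and that the
 * exception names the namespace, resource and verb that were refused.
 */
@Test
void shouldNotValidateTokenWithInsufficientPermissions() throws Exception {
    // The mock server answers exactly one posted access review with a denial.
    SelfSubjectAccessReview accessReview = new SelfSubjectAccessReviewBuilder().withNewStatus().withAllowed(false).endStatus().build();
    server.expect().post().withPath(SUBJECT_REVIEW_API_PATH).andReturn(HttpURLConnection.HTTP_CREATED, accessReview).once();

    ExecutionException ee = Assertions.assertThrows(ExecutionException.class, () -> mgr.validateToken(() -> "token", Set.of(ResourceAction.READ_RECORDING)).get());

    // Resolve the root cause once and assert on it. The leftover printStackTrace() debugging
    // calls were dropped: they only added stderr noise to every run.
    Throwable rootCause = ExceptionUtils.getRootCause(ee);
    MatcherAssert.assertThat(rootCause, Matchers.instanceOf(PermissionDeniedException.class));
    PermissionDeniedException pde = (PermissionDeniedException) rootCause;

    // The denial must identify what was refused, so it can be audited and diagnosed.
    MatcherAssert.assertThat(pde.getNamespace(), Matchers.equalTo(NAMESPACE));
    MatcherAssert.assertThat(pde.getResourceType(), Matchers.equalTo("recordings.operator.cryostat.io"));
    MatcherAssert.assertThat(pde.getVerb(), Matchers.equalTo("get"));
}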
use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.
the class AbstractAuthenticatedRequestHandlerTest method shouldThrow401IfAuthFails2.
/**
 * Checks that a {@link PermissionDeniedException} delivered directly as the failure of the
 * header-validation future is turned into an {@link HttpException} with status 401.
 */
@Test
void shouldThrow401IfAuthFails2() {
    // NOTE(review): a permission denial is reported as 401 here, not 403; confirm that
    // clients need not tell "not authenticated" apart from "not authorized".
    PermissionDeniedException denial = new PermissionDeniedException("namespace", "resourc.group", "verb", "reason");
    when(auth.validateHttpHeader(Mockito.any(), Mockito.any()))
            .thenReturn(CompletableFuture.failedFuture(denial));

    HttpException thrown = Assertions.assertThrows(HttpException.class, () -> handler.handle(ctx));

    MatcherAssert.assertThat(thrown.getStatusCode(), Matchers.equalTo(401));
}
use of io.cryostat.net.PermissionDeniedException in project cryostat by cryostatio.
the class AbstractAuthenticatedRequestHandlerTest method shouldThrow401IfAuthFails4.
/**
 * Checks that a {@link PermissionDeniedException} wrapped in an {@link ExecutionException},
 * itself the failure of the header-validation future, still yields an {@link HttpException}
 * with status 401.
 */
@Test
void shouldThrow401IfAuthFails4() {
    // The denial is nested one level deeper than in the direct case. The handler has to find
    // it inside the wrapper rather than treat the wrapper as an unrelated error.
    ExecutionException wrapped =
            new ExecutionException(new PermissionDeniedException("namespace", "resource.group", "verb", "reason"));
    when(auth.validateHttpHeader(Mockito.any(), Mockito.any()))
            .thenReturn(CompletableFuture.failedFuture(wrapped));

    HttpException thrown = Assertions.assertThrows(HttpException.class, () -> handler.handle(ctx));

    MatcherAssert.assertThat(thrown.getStatusCode(), Matchers.equalTo(401));
}