Example 1 with ResourceAction

Use of io.cryostat.net.security.ResourceAction in project cryostat by cryostatio.

From the class OpenShiftAuthManager, method validateToken (earlier revision, with a per-token cache of OpenShift clients).

@Override
public Future<Boolean> validateToken(Supplier<String> tokenProvider, Set<ResourceAction> resourceActions) {
    String token = tokenProvider.get();
    // A blank token is rejected outright, without contacting the API server
    if (StringUtils.isBlank(token)) {
        return CompletableFuture.completedFuture(false);
    }
    // No specific permissions requested: only check that the token itself is valid
    if (resourceActions.isEmpty()) {
        return reviewToken(token);
    }
    // Client built from the caller's own token, so access reviews are evaluated
    // against the caller's permissions rather than Cryostat's service account
    OpenShiftClient client = userClients.get(token);
    try {
        List<CompletableFuture<Void>> results =
                resourceActions.stream()
                        .flatMap(resourceAction -> validateAction(client, namespace.get(), resourceAction))
                        .collect(Collectors.toList());
        // Every requested action must be allowed; a single denial fails the whole check
        CompletableFuture.allOf(results.toArray(new CompletableFuture[0])).get(15, TimeUnit.SECONDS);
        // Reaching this point means no exception was thrown on allOf().get() above
        return CompletableFuture.completedFuture(true);
    } catch (KubernetesClientException | ExecutionException e) {
        // API error or a denied access review: drop the cached client and propagate the failure
        userClients.invalidate(token);
        logger.info(e);
        return CompletableFuture.failedFuture(e);
    } catch (Exception e) {
        // Timeout or interruption while waiting for the reviews
        userClients.invalidate(token);
        logger.error(e);
        return CompletableFuture.failedFuture(e);
    }
}

Example 2 with ResourceAction

Use of io.cryostat.net.security.ResourceAction in project cryostat by cryostatio.

From the class OpenShiftAuthManager, method validateAction.

private Stream<CompletableFuture<Void>> validateAction(OpenShiftClient client, String namespace, ResourceAction resourceAction) {
    // Map Cryostat's abstract resource type to the concrete API group resources it touches
    Set<GroupResource> resources = resourceMap.getOrDefault(resourceAction.getResource(), Set.of());
    if (resources.isEmpty()) {
        // Nothing in the cluster corresponds to this resource, so there is nothing to review
        return Stream.of();
    }
    String verb = map(resourceAction.getVerb());
    return resources.stream()
            .map(resource -> new SelfSubjectAccessReviewBuilder()
                    .withNewSpec()
                    .withNewResourceAttributes()
                    .withNamespace(namespace)
                    .withGroup(resource.getGroup())
                    .withResource(resource.getResource())
                    .withSubresource(resource.getSubResource())
                    .withVerb(verb)
                    .endResourceAttributes()
                    .endSpec()
                    .build())
            .map(accessReview -> {
                CompletableFuture<Void> result = new CompletableFuture<>();
                // JFR event recording this authorization request
                AuthRequest evt = new AuthRequest();
                try {
                    evt.begin();
                    // Ask the API server whether the token's subject may perform this verb on this resource
                    SelfSubjectAccessReview accessReviewResult =
                            client.authorization().v1().selfSubjectAccessReview().create(accessReview);
                    evt.setRequestSuccessful(true);
                    if (accessReviewResult.getStatus().getAllowed()) {
                        result.complete(null);
                    } else {
                        // Denied: surface namespace, resource, verb and the server's reason to the caller
                        result.completeExceptionally(new PermissionDeniedException(
                                namespace,
                                new GroupResource(accessReview.getSpec().getResourceAttributes()).toString(),
                                verb,
                                accessReviewResult.getStatus().getReason()));
                    }
                } catch (Exception e) {
                    result.completeExceptionally(e);
                } finally {
                    if (evt.shouldCommit()) {
                        evt.end();
                        evt.commit();
                    }
                }
                return result;
            });
}

Example 3 with ResourceAction

Use of io.cryostat.net.security.ResourceAction in project cryostat by cryostatio.

From the class OpenShiftAuthManager, method validateToken (later revision, creating a short-lived client per call).

@Override
public Future<Boolean> validateToken(Supplier<String> tokenProvider, Set<ResourceAction> resourceActions) {
    String token = tokenProvider.get();
    // A blank token is rejected outright, without contacting the API server
    if (StringUtils.isBlank(token)) {
        return CompletableFuture.completedFuture(false);
    }
    // No specific permissions requested: only check that the token itself is valid
    if (resourceActions.isEmpty()) {
        return reviewToken(token);
    }
    // A client scoped to the caller's token, closed when the check completes
    try (OpenShiftClient client = clientProvider.apply(token)) {
        String namespace = getNamespace();
        List<CompletableFuture<Void>> results =
                resourceActions.parallelStream()
                        .flatMap(resourceAction -> validateAction(client, namespace, resourceAction))
                        .collect(Collectors.toList());
        // Every requested action must be allowed; a single denial fails the whole check
        CompletableFuture.allOf(results.toArray(new CompletableFuture[0])).get(15, TimeUnit.SECONDS);
        // Reaching this point means no exception was thrown on allOf().get() above
        return CompletableFuture.completedFuture(true);
    } catch (KubernetesClientException | ExecutionException e) {
        // API error or a denied access review
        logger.info(e);
        return CompletableFuture.failedFuture(e);
    } catch (Exception e) {
        // Timeout or interruption while waiting for the reviews
        logger.error(e);
        return CompletableFuture.failedFuture(e);
    }
}