Use of io.cryostat.net.security.ResourceAction in project cryostat by cryostatio:
the class OpenShiftAuthManager, method validateToken.
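/**
 * Validates the supplied token and, when {@code resourceActions} is non-empty, checks that the
 * token's subject is allowed to perform every requested action via SelfSubjectAccessReview.
 *
 * <p>Fails closed: a blank token yields {@code false}; any failure while building or evaluating
 * the access reviews yields a failed future rather than {@code true}. On every failure the cached
 * client for this token is invalidated so a rejected token is not reused.
 *
 * @param tokenProvider supplies the bearer token to validate
 * @param resourceActions the actions the caller wants to perform; empty means "only check the
 *     token itself"
 * @return a completed future holding {@code true} when all actions are permitted, {@code false}
 *     for a blank token, or a failed future carrying the underlying exception (an
 *     {@code ExecutionException} wrapping the first denied review, a
 *     {@code KubernetesClientException}, a {@code TimeoutException} after 15 seconds, or an
 *     {@code InterruptedException}) otherwise
 */
@Override
public Future<Boolean> validateToken(Supplier<String> tokenProvider, Set<ResourceAction> resourceActions) {
    String token = tokenProvider.get();
    if (StringUtils.isBlank(token)) {
        return CompletableFuture.completedFuture(false);
    }
    if (resourceActions.isEmpty()) {
        // No permission checks requested: only confirm the token itself is accepted.
        return reviewToken(token);
    }
    OpenShiftClient client = userClients.get(token);
    try {
        List<CompletableFuture<Void>> results =
                resourceActions.stream()
                        .flatMap(resourceAction -> validateAction(client, namespace.get(), resourceAction))
                        .collect(Collectors.toList());
        // A denied or errored review surfaces here as an ExecutionException; the typed array
        // avoids the raw-type warning of new CompletableFuture[0].
        CompletableFuture.allOf(results.toArray(new CompletableFuture<?>[0])).get(15, TimeUnit.SECONDS);
        return CompletableFuture.completedFuture(true);
    } catch (KubernetesClientException | ExecutionException e) {
        // Expected outcomes (denied review, API error): log at info, still drop the cached client.
        userClients.invalidate(token);
        logger.info(e);
        return CompletableFuture.failedFuture(e);
    } catch (InterruptedException e) {
        // Restore the interrupt flag so the calling thread still observes the interruption.
        Thread.currentThread().interrupt();
        userClients.invalidate(token);
        logger.error(e);
        return CompletableFuture.failedFuture(e);
    } catch (Exception e) {
        // Unexpected failure (including TimeoutException): treat as a denial, never as success.
        userClients.invalidate(token);
        logger.error(e);
        return CompletableFuture.failedFuture(e);
    }
}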
Use of io.cryostat.net.security.ResourceAction in project cryostat by cryostatio:
the class OpenShiftAuthManager, method validateAction.
/**
 * Builds one SelfSubjectAccessReview per Kubernetes resource mapped to {@code resourceAction} and
 * evaluates each against the cluster through {@code client}.
 *
 * <p>Each returned future completes normally when the review is allowed, exceptionally with a
 * {@code PermissionDeniedException} when it is denied, and exceptionally with the underlying
 * exception when the review request itself fails. An action with no mapped resources yields an
 * empty stream and therefore imposes no check.
 *
 * @param client the client acting as the subject whose permissions are being reviewed
 * @param namespace the namespace the review is scoped to
 * @param resourceAction the logical action to check
 * @return one future per mapped resource; the reviews run when the stream is consumed
 */
private Stream<CompletableFuture<Void>> validateAction(OpenShiftClient client, String namespace, ResourceAction resourceAction) {
    Set<GroupResource> targets = resourceMap.getOrDefault(resourceAction.getResource(), Set.of());
    if (targets.isEmpty()) {
        return Stream.of();
    }
    String verb = map(resourceAction.getVerb());
    return targets.stream()
            .map(target -> buildAccessReview(namespace, target, verb))
            .map(review -> submitAccessReview(client, namespace, verb, review));
}

/** Assembles the SelfSubjectAccessReview request for one resource/verb pair in {@code namespace}. */
private SelfSubjectAccessReview buildAccessReview(String namespace, GroupResource target, String verb) {
    return new SelfSubjectAccessReviewBuilder()
            .withNewSpec()
            .withNewResourceAttributes()
            .withNamespace(namespace)
            .withGroup(target.getGroup())
            .withResource(target.getResource())
            .withSubresource(target.getSubResource())
            .withVerb(verb)
            .endResourceAttributes()
            .endSpec()
            .build();
}

/**
 * Sends {@code review} to the API server and reflects its verdict in the returned future. The
 * request is wrapped in an {@code AuthRequest} event, which is ended and committed when enabled.
 */
private CompletableFuture<Void> submitAccessReview(OpenShiftClient client, String namespace, String verb, SelfSubjectAccessReview review) {
    CompletableFuture<Void> outcome = new CompletableFuture<>();
    AuthRequest evt = new AuthRequest();
    try {
        evt.begin();
        SelfSubjectAccessReview response = client.authorization().v1().selfSubjectAccessReview().create(review);
        evt.setRequestSuccessful(true);
        if (!response.getStatus().getAllowed()) {
            String target = new GroupResource(review.getSpec().getResourceAttributes()).toString();
            outcome.completeExceptionally(new PermissionDeniedException(namespace, target, verb, response.getStatus().getReason()));
        } else {
            outcome.complete(null);
        }
    } catch (Exception e) {
        // No verdict obtained: surface the error so the caller treats it as a failure, not an allow.
        outcome.completeExceptionally(e);
    } finally {
        if (evt.shouldCommit()) {
            evt.end();
            evt.commit();
        }
    }
    return outcome;
}
Use of io.cryostat.net.security.ResourceAction in project cryostat by cryostatio:
the class OpenShiftAuthManager, method validateToken.
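/**
 * Validates the supplied token and, when {@code resourceActions} is non-empty, checks that the
 * token's subject is allowed to perform every requested action via SelfSubjectAccessReview.
 *
 * <p>Fails closed: a blank token yields {@code false}; any failure while building or evaluating
 * the access reviews yields a failed future rather than {@code true}. The per-token client is
 * created for this call only and closed on every exit path.
 *
 * @param tokenProvider supplies the bearer token to validate
 * @param resourceActions the actions the caller wants to perform; empty means "only check the
 *     token itself"
 * @return a completed future holding {@code true} when all actions are permitted, {@code false}
 *     for a blank token, or a failed future carrying the underlying exception (an
 *     {@code ExecutionException} wrapping the first denied review, a
 *     {@code KubernetesClientException}, a {@code TimeoutException} after 15 seconds, or an
 *     {@code InterruptedException}) otherwise
 */
@Override
public Future<Boolean> validateToken(Supplier<String> tokenProvider, Set<ResourceAction> resourceActions) {
    String token = tokenProvider.get();
    if (StringUtils.isBlank(token)) {
        return CompletableFuture.completedFuture(false);
    }
    if (resourceActions.isEmpty()) {
        // No permission checks requested: only confirm the token itself is accepted.
        return reviewToken(token);
    }
    try (OpenShiftClient client = clientProvider.apply(token)) {
        String namespace = getNamespace();
        List<CompletableFuture<Void>> results =
                resourceActions.parallelStream()
                        .flatMap(resourceAction -> validateAction(client, namespace, resourceAction))
                        .collect(Collectors.toList());
        // A denied or errored review surfaces here as an ExecutionException; the typed array
        // avoids the raw-type warning of new CompletableFuture[0].
        CompletableFuture.allOf(results.toArray(new CompletableFuture<?>[0])).get(15, TimeUnit.SECONDS);
        return CompletableFuture.completedFuture(true);
    } catch (KubernetesClientException | ExecutionException e) {
        // Expected outcomes (denied review, API error): log at info level.
        logger.info(e);
        return CompletableFuture.failedFuture(e);
    } catch (InterruptedException e) {
        // Restore the interrupt flag so the calling thread still observes the interruption.
        Thread.currentThread().interrupt();
        logger.error(e);
        return CompletableFuture.failedFuture(e);
    } catch (Exception e) {
        // Unexpected failure (including TimeoutException): treat as a denial, never as success.
        logger.error(e);
        return CompletableFuture.failedFuture(e);
    }
}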