use of io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope in project hopsworks by logicalclocks.
the class ApiKeyController method addScope.
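/**
 * Grants additional scopes to an existing API key.
 *
 * <p>Scopes the key already holds are skipped. The key is handed to
 * {@code apiKeyFacade.update} and the API key handlers are run only when at least one
 * scope is actually new.
 *
 * <p>NOTE(review): this call widens what a key may do. Nothing in this method checks that
 * {@code user} is entitled to each requested scope, beyond whatever {@code validate} does.
 * Confirm that callers restrict {@code scopes} to those permitted for the user.
 *
 * @param user owner of the key, passed to {@code validate}
 * @param keyName name of the key to modify, passed to {@code validate}
 * @param scopes scopes to add; this method does not modify the set
 * @return the key returned by {@code apiKeyFacade.update} when scopes were added, otherwise
 *     the key returned by {@code validate}
 * @throws ApiKeyException declared by this method; presumably raised by {@code validate} -
 *     confirm
 */
public ApiKey addScope(Users user, String keyName, Set<ApiScope> scopes) throws ApiKeyException {
  ApiKey apiKey = validate(user, keyName, scopes);
  Set<ApiScope> oldScopes = toApiScope(apiKey.getApiKeyScopeCollection());
  // Work on a copy: calling removeAll on the caller's set would silently shrink it, and would
  // fail with UnsupportedOperationException if the caller passed an unmodifiable set.
  Set<ApiScope> missingScopes = new java.util.HashSet<>(scopes);
  missingScopes.removeAll(oldScopes);
  if (!missingScopes.isEmpty()) {
    List<ApiKeyScope> newScopes = getKeyScopes(missingScopes, apiKey);
    apiKey.getApiKeyScopeCollection().addAll(newScopes);
    apiKey.setModified(new Date());
    apiKey = apiKeyFacade.update(apiKey);
    // NOTE(review): the create handlers are invoked for a scope addition and receive the whole
    // key rather than only the added scopes; update() passes its added scopes explicitly.
    // Confirm this overload does what is intended here.
    ApiKeyHandler.runApiKeyCreateHandlers(apiKeyHandlers, apiKey);
  }
  return apiKey;
}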
use of io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope in project hopsworks by logicalclocks.
the class ApiKeyController method update.
/**
 * Replaces the scope set of an existing API key with {@code scopes}.
 *
 * <p>Existing scopes that are also requested are kept, existing scopes that are not requested
 * are removed through {@code apiKeyScopeFacade}, and requested scopes the key does not yet
 * hold are created. The key is handed to {@code apiKeyFacade.update} and the create/delete
 * handlers are run only when something was added or removed.
 *
 * <p>NOTE(review): if {@code scopes} is empty and {@code validate} accepts it, every existing
 * scope is removed and the key is stored with none. removeScope rejects that end state with
 * KEY_SCOPE_EMPTY, so confirm that {@code validate} refuses an empty set.
 *
 * @param user owner of the key, passed to {@code validate}
 * @param keyName name of the key to modify, passed to {@code validate}
 * @param scopes the complete set of scopes the key should hold afterwards
 * @return the key returned by {@code apiKeyFacade.update} when anything changed, otherwise
 *     the key returned by {@code validate}
 * @throws ApiKeyException declared by this method; presumably raised by {@code validate} -
 *     confirm
 */
public ApiKey update(Users user, String keyName, Set<ApiScope> scopes) throws ApiKeyException {
  ApiKey apiKey = validate(user, keyName, scopes);
  Collection<ApiKeyScope> currentScopes = apiKey.getApiKeyScopeCollection();
  List<ApiKeyScope> retained = new ArrayList<>();
  List<ApiKeyScope> created = new ArrayList<>();

  // Sort every requested scope into "already on the key" or "needs a new ApiKeyScope".
  for (ApiScope requested : scopes) {
    ApiKeyScope match = null;
    for (ApiKeyScope candidate : currentScopes) {
      if (candidate.getScope().equals(requested)) {
        match = candidate;
        break;
      }
    }
    if (match != null) {
      retained.add(match);
    } else {
      created.add(new ApiKeyScope(requested, apiKey));
    }
  }

  // Whatever remains in the key's own collection after this was not requested and is revoked.
  currentScopes.removeAll(retained);
  boolean hasRemovals = !currentScopes.isEmpty();
  if (hasRemovals) {
    for (ApiKeyScope revoked : currentScopes) {
      apiKeyScopeFacade.remove(revoked);
    }
  }

  boolean hasAdditions = !created.isEmpty();
  if (hasAdditions) {
    retained.addAll(created);
  }

  if (hasRemovals || hasAdditions) {
    // Snapshot the revoked scopes before the key's collection is replaced below.
    Collection<ApiKeyScope> toRemove = new ArrayList<>(currentScopes);
    apiKey.setApiKeyScopeCollection(retained);
    apiKey.setModified(new Date());
    apiKey = apiKeyFacade.update(apiKey);
    // Handlers are told which scopes were granted and which were revoked.
    ApiKeyHandler.runApiKeyCreateHandlers(apiKeyHandlers, apiKey, created);
    ApiKeyHandler.runApiKeyDeleteHandlers(apiKeyHandlers, apiKey, toRemove);
  }
  return apiKey;
}
use of io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope in project hopsworks by logicalclocks.
the class ApiKeyController method removeScope.
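/**
 * Revokes the given scopes from an existing API key.
 *
 * <p>Requested scopes the key does not hold are ignored. A request that would strip the key
 * of its last scope is refused with {@code KEY_SCOPE_EMPTY}; the check runs before the key's
 * scope collection is touched, so a refused request leaves the key object unchanged.
 *
 * @param user owner of the key, passed to {@code validate}
 * @param keyName name of the key to modify, passed to {@code validate}
 * @param scopes scopes to revoke
 * @return the key returned by {@code apiKeyFacade.update} when scopes were removed, otherwise
 *     the key returned by {@code validate}
 * @throws ApiKeyException with {@code KEY_SCOPE_EMPTY} when the removal would leave the key
 *     without any scope; presumably also raised by {@code validate} - confirm
 */
public ApiKey removeScope(Users user, String keyName, Set<ApiScope> scopes) throws ApiKeyException {
  ApiKey apiKey = validate(user, keyName, scopes);
  Collection<ApiKeyScope> oldScopes = apiKey.getApiKeyScopeCollection();
  List<ApiKeyScope> toRemove = new ArrayList<>();
  for (ApiScope scope : scopes) {
    for (ApiKeyScope apiKeyScope : oldScopes) {
      if (apiKeyScope.getScope().equals(scope)) {
        toRemove.add(apiKeyScope);
        break;
      }
    }
  }
  if (toRemove.isEmpty()) {
    // None of the requested scopes is on the key; nothing to revoke.
    return apiKey;
  }
  // Refuse before mutating. Previously the collection was emptied first and the exception was
  // thrown afterwards, leaving the in-memory key with no scopes on the error path.
  if (toRemove.containsAll(oldScopes)) {
    throw new ApiKeyException(RESTCodes.ApiKeyErrorCode.KEY_SCOPE_EMPTY, Level.FINE);
  }
  boolean removed = apiKey.getApiKeyScopeCollection().removeAll(toRemove);
  if (removed) {
    // Explicit removal through the facade; the original author noted that this should not be
    // necessary.
    for (ApiKeyScope apiKeyScope : toRemove) {
      apiKeyScopeFacade.remove(apiKeyScope);
    }
    apiKey.setModified(new Date());
    apiKey = apiKeyFacade.update(apiKey);
    // Tell the handlers which scopes were revoked.
    ApiKeyHandler.runApiKeyDeleteHandlers(apiKeyHandlers, apiKey, toRemove);
  }
  return apiKey;
}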
use of io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope in project hopsworks by logicalclocks.
the class ApiKeyFilter method filter.
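/**
 * Authenticates a request that presents an API key in the {@code Authorization} header.
 *
 * <p>Outcomes, in order:
 * <ul>
 *   <li>no header: the request is aborted with 401;</li>
 *   <li>header starts with {@code BEARER}: this filter steps aside, unless
 *       {@code getJWTAnnotation()} returns null, in which case the request is aborted with
 *       401;</li>
 *   <li>header does not start with {@code API_KEY}: the request is aborted with 401;</li>
 *   <li>otherwise the key is looked up, {@code checkRole} and {@code checkScope} are called,
 *       and a security context for the key's user is installed. Any
 *       {@link ApiKeyException} raised on the way aborts the request with the status carried
 *       by the exception.</li>
 * </ul>
 *
 * @param requestContext the request being filtered
 */
@Override
public void filter(ContainerRequestContext requestContext) {
  String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
  JsonResponse jsonResponse = new RESTApiJsonResponse();
  if (authorizationHeader == null) {
    LOGGER.log(Level.FINEST, "Authorization header not set.");
    jsonResponse.setErrorCode(RESTCodes.SecurityErrorCode.EJB_ACCESS_LOCAL.getCode());
    jsonResponse.setErrorMsg("Authorization header not set.");
    requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
        .header(HttpHeaders.WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE)
        .entity(jsonResponse)
        .build());
    return;
  }
  if (authorizationHeader.startsWith(BEARER)) {
    LOGGER.log(Level.FINEST, "{0} token found, leaving Api key interceptor", BEARER);
    // A bearer token is only acceptable when getJWTAnnotation() returns non-null; otherwise
    // the request is rejected here instead of falling through unauthenticated.
    if (getJWTAnnotation() == null) {
      jsonResponse.setErrorCode(RESTCodes.SecurityErrorCode.EJB_ACCESS_LOCAL.getCode());
      jsonResponse.setErrorMsg("Authorization method not supported.");
      requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
          .header(HttpHeaders.WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE)
          .entity(jsonResponse)
          .build());
    }
    return;
  }
  if (!authorizationHeader.startsWith(API_KEY)) {
    // Do not write the header value to the log: it is a credential (for example a Basic
    // username/password pair or a mistyped key) and must not end up in log files.
    LOGGER.log(Level.FINEST, "Invalid Api key. Authorization header does not start with {0}", API_KEY);
    jsonResponse.setErrorCode(RESTCodes.SecurityErrorCode.EJB_ACCESS_LOCAL.getCode());
    jsonResponse.setErrorMsg("Invalidated Api key.");
    requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
        .header(HttpHeaders.WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE)
        .entity(jsonResponse)
        .build());
    return;
  }
  String key = authorizationHeader.substring(API_KEY.length()).trim();
  try {
    ApiKey apiKey = apiKeyController.getApiKey(key);
    Users user = apiKey.getUser();
    List<String> roles = usersController.getUserRoles(user);
    Set<ApiScope> scopes = apiKeyController.getScopes(apiKey);
    // The security context below is installed only if both checks return normally;
    // presumably they throw ApiKeyException on a role or scope mismatch - confirm.
    checkRole(roles);
    checkScope(scopes);
    Subject subject = new Subject(user.getUsername(), roles);
    String scheme = requestContext.getUriInfo().getRequestUri().getScheme();
    requestContext.setSecurityContext(new HopsworksSecurityContext(subject, scheme));
  } catch (ApiKeyException e) {
    // Only the exception message is logged, never the presented key.
    LOGGER.log(Level.FINEST, "Api key Verification Exception: {0}", e.getMessage());
    e.buildJsonResponse(jsonResponse, settings.getHopsworksRESTLogLevel());
    requestContext.abortWith(Response.status(e.getErrorCode().getRespStatus().getStatusCode())
        .header(HttpHeaders.WWW_AUTHENTICATE, WWW_AUTHENTICATE_VALUE)
        .entity(jsonResponse)
        .build());
  }
}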
use of io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope in project hopsworks by logicalclocks.
the class ApiKeyResource method validateScopes.
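/**
 * Converts the user-supplied scopes to {@link ApiScope} values and checks that the user is
 * allowed to issue each of them.
 *
 * <p>The supplied set is declared as {@code Set<ApiScope>} but, as the original author noted,
 * its elements are marshalled as Strings, so every element is converted explicitly.
 * Elements that already are {@code ApiScope} instances are accepted as they are.
 *
 * <p>This is the check that keeps a user from creating a key with a scope outside the set
 * returned by {@code getScopesForUser}; only scopes that pass it are returned.
 *
 * @param user the user requesting the scopes
 * @param scopes the requested scopes as received from the client
 * @return the requested scopes as {@code ApiScope} values
 * @throws ApiKeyException with {@code KEY_SCOPE_CONTROL_EXCEPTION} when a requested scope is
 *     not among the scopes returned by {@code getScopesForUser}
 * @throws WebApplicationException with status 404 when an element cannot be converted to an
 *     {@code ApiScope}
 */
private Set<ApiScope> validateScopes(Users user, Set<ApiScope> scopes) throws ApiKeyException {
  Set<ApiScope> validScopes = getScopesForUser(user);
  Set<ApiScope> validatedScopes = new HashSet<>(scopes.size());
  for (Object scope : scopes) {
    ApiScope apiScope;
    try {
      // Accept real ApiScope elements too: the unconditional (String) cast would otherwise
      // fail with ClassCastException if the set ever arrives correctly typed.
      apiScope = scope instanceof ApiScope ? (ApiScope) scope : ApiScope.fromString((String) scope);
    } catch (IllegalArgumentException iae) {
      // NOTE(review): the rejected value is echoed back in the exception message; confirm the
      // error response is never rendered in a context where that text is interpreted.
      throw new WebApplicationException("Scope need to set a valid scope, but found: " + scope,
          Response.Status.NOT_FOUND);
    }
    if (!validScopes.contains(apiScope)) {
      throw new ApiKeyException(RESTCodes.ApiKeyErrorCode.KEY_SCOPE_CONTROL_EXCEPTION, Level.FINE,
          "User is not allowed to issue token " + apiScope.name(),
          "User " + user.getUsername() + " tried to generate API key with scope " + apiScope
              + " but it's role is not allowed to");
    }
    validatedScopes.add(apiScope);
  }
  return validatedScopes;
}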