Examples with CurrentUser org.apache.nifi.registry.authorization.CurrentUser used on opensource projects

Example 1 with CurrentUser

use of org.apache.nifi.registry.authorization.CurrentUser in project nifi-registry by apache.

the class SecureLdapIT method testAccessPolicyCreation.

@Test
public void testAccessPolicyCreation() throws Exception {
    // Given: the server has been configured with an initial admin "nifiadmin" and a user with no accessPolicies "nobel"
    String nobelId = getTenantIdentifierByIdentity("nobel");
    // a group containing user "nobel"
    String chemistsId = getTenantIdentifierByIdentity("chemists");
    final String basicAuthCredentials = encodeCredentialsForBasicAuth("nobel", "password");
    final String nobelAuthToken = client.target(createURL(tokenIdentityProviderPath)).request().header("Authorization", "Basic " + basicAuthCredentials).post(null, String.class);
    // When: user nobel re-checks top-level permissions
    final CurrentUser currentUser = client.target(createURL("/access")).request().header("Authorization", "Bearer " + nobelAuthToken).get(CurrentUser.class);
    // Then: 200 OK is returned indicating user has access to no top-level resources
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getBuckets());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getTenants());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getPolicies());
    assertEquals(new Permissions(), currentUser.getResourcePermissions().getProxy());
    // When: nifiadmin creates a bucket
    final Bucket bucket = new Bucket();
    bucket.setName("Integration Test Bucket");
    bucket.setDescription("A bucket created by an integration test.");
    Response adminCreatesBucketResponse = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(bucket, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 200 OK
    assertEquals(200, adminCreatesBucketResponse.getStatus());
    Bucket createdBucket = adminCreatesBucketResponse.readEntity(Bucket.class);
    // When: user nobel initial queries /buckets
    final Bucket[] buckets1 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: an empty list is returned (nobel has no read access yet)
    assertNotNull(buckets1);
    assertEquals(0, buckets1.length);
    // When: nifiadmin grants read access on createdBucket to 'chemists' a group containing nobel
    AccessPolicy readPolicy = new AccessPolicy();
    readPolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    readPolicy.setAction("read");
    readPolicy.addUserGroups(Arrays.asList(new Tenant(chemistsId, "chemists")));
    Response adminGrantsReadAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(readPolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsReadAccessResponse.getStatus());
    // When: nifiadmin tries to list all buckets
    final Bucket[] adminBuckets = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + adminAuthToken).get(Bucket[].class);
    // Then: the full list is returned (verifies that per-bucket access policies are additive to base /buckets policy)
    assertNotNull(adminBuckets);
    assertEquals(1, adminBuckets.length);
    assertEquals(createdBucket.getIdentifier(), adminBuckets[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true), adminBuckets[0].getPermissions());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets2 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the created bucket is now present
    assertNotNull(buckets2);
    assertEquals(1, buckets2.length);
    assertEquals(createdBucket.getIdentifier(), buckets2[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true), buckets2[0].getPermissions());
    // When: nifiadmin grants write access on createdBucket to user 'nobel'
    AccessPolicy writePolicy = new AccessPolicy();
    writePolicy.setResource("/buckets/" + createdBucket.getIdentifier());
    writePolicy.setAction("write");
    writePolicy.addUsers(Arrays.asList(new Tenant(nobelId, "nobel")));
    Response adminGrantsWriteAccessResponse = client.target(createURL("policies")).request().header("Authorization", "Bearer " + adminAuthToken).post(Entity.entity(writePolicy, MediaType.APPLICATION_JSON), Response.class);
    // Then: the server returns a 201 Created
    assertEquals(201, adminGrantsWriteAccessResponse.getStatus());
    // When: user nobel re-queries /buckets
    final Bucket[] buckets3 = client.target(createURL("buckets")).request().header("Authorization", "Bearer " + nobelAuthToken).get(Bucket[].class);
    // Then: the authorizedActions are updated
    assertNotNull(buckets3);
    assertEquals(1, buckets3.length);
    assertEquals(createdBucket.getIdentifier(), buckets3[0].getIdentifier());
    assertEquals(new Permissions().withCanRead(true).withCanWrite(true), buckets3[0].getPermissions());
}

Example 2 with CurrentUser

use of org.apache.nifi.registry.authorization.CurrentUser in project nifi-registry by apache.

the class SecureNiFiRegistryClientIT method testGetAccessStatus.

@Test
public void testGetAccessStatus() throws IOException, NiFiRegistryException {
    final UserClient userClient = client.getUserClient();
    final CurrentUser currentUser = userClient.getAccessStatus();
    Assert.assertEquals("CN=user1, OU=nifi", currentUser.getIdentity());
    Assert.assertFalse(currentUser.isAnonymous());
    Assert.assertNotNull(currentUser.getResourcePermissions());
    Permissions fullAccess = new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true);
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getAnyTopLevelResource());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getBuckets());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getTenants());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getPolicies());
    Assert.assertEquals(new Permissions().withCanWrite(true), currentUser.getResourcePermissions().getProxy());
}

Example 3 with CurrentUser

use of org.apache.nifi.registry.authorization.CurrentUser in project nifi-registry by apache.

the class SecureNiFiRegistryClientIT method testGetAccessStatusWithProxiedEntity.

@Test
public void testGetAccessStatusWithProxiedEntity() throws IOException, NiFiRegistryException {
    final String proxiedEntity = "user2";
    final UserClient userClient = client.getUserClient(proxiedEntity);
    final CurrentUser status = userClient.getAccessStatus();
    Assert.assertEquals("user2", status.getIdentity());
    Assert.assertFalse(status.isAnonymous());
}

Example 4 with CurrentUser

use of org.apache.nifi.registry.authorization.CurrentUser in project nifi-registry by apache.

the class UnsecuredNiFiRegistryClientIT method testGetAccessStatus.

@Test
public void testGetAccessStatus() throws IOException, NiFiRegistryException {
    final UserClient userClient = client.getUserClient();
    final CurrentUser currentUser = userClient.getAccessStatus();
    Assert.assertEquals("anonymous", currentUser.getIdentity());
    Assert.assertTrue(currentUser.isAnonymous());
    Assert.assertNotNull(currentUser.getResourcePermissions());
    Permissions fullAccess = new Permissions().withCanRead(true).withCanWrite(true).withCanDelete(true);
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getAnyTopLevelResource());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getBuckets());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getTenants());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getPolicies());
    Assert.assertEquals(fullAccess, currentUser.getResourcePermissions().getProxy());
}

Example 5 with CurrentUser

use of org.apache.nifi.registry.authorization.CurrentUser in project nifi-registry by apache.

the class AuthorizationService method getCurrentUser.

// ---------------------- Permissions methods ---------------------------------------
public CurrentUser getCurrentUser() {
    final NiFiUser user = NiFiUserUtils.getNiFiUser();
    final CurrentUser currentUser = new CurrentUser();
    currentUser.setIdentity(user.getIdentity());
    currentUser.setAnonymous(user.isAnonymous());
    currentUser.setResourcePermissions(getTopLevelPermissions());
    return currentUser;
}