
Example 1 with DenyActivityRestriction

use of org.dcache.auth.attributes.DenyActivityRestriction in project dcache by dCache.

the class MacaroonRequestHandler method buildContext.

/**
 * Builds the {@link MacaroonContext} for a macaroon request from the login
 * attributes attached to the request and from the current subject.
 *
 * <p>Every login attribute is mapped onto a context setting. A
 * {@code Restriction} that is neither a {@code DenyActivityRestriction} nor a
 * {@code PrefixRestriction} is rejected with {@code SC_BAD_REQUEST} instead of
 * being skipped, so a restriction this method cannot express is never silently
 * dropped from the resulting context.
 *
 * <p>The target {@code "/"} is handled specially: a path is only set when a
 * prefix restriction supplies one, and that restriction must then hold exactly
 * one prefix.
 *
 * @param target the request target as received
 * @param request the request whose login attributes are read
 * @return the populated context
 * @throws ErrorResponseException with {@code SC_BAD_REQUEST} when the desired
 *     path is outside every prefix of a prefix restriction, when a restriction
 *     cannot be serialised, when the max-upload value is rejected, or when the
 *     effective root cannot be computed
 */
private MacaroonContext buildContext(String target, Request request) throws ErrorResponseException {
    MacaroonContext macaroonContext = new MacaroonContext();
    FsPath requestedPath = _pathMapper.asDcachePath(request, target);
    FsPath loginRoot = FsPath.ROOT;
    FsPath restrictedPrefix = null;

    for (LoginAttribute attribute : AuthenticationHandler.getLoginAttributes(request)) {
        if (attribute instanceof HomeDirectory) {
            HomeDirectory homeAttr = (HomeDirectory) attribute;
            macaroonContext.setHome(FsPath.ROOT.resolve(homeAttr.getHome()));
            continue;
        }
        if (attribute instanceof RootDirectory) {
            RootDirectory rootAttr = (RootDirectory) attribute;
            loginRoot = FsPath.ROOT.resolve(rootAttr.getRoot());
            continue;
        }
        if (attribute instanceof Expiry) {
            Expiry expiryAttr = (Expiry) attribute;
            macaroonContext.updateExpiry(expiryAttr.getExpiry());
            continue;
        }
        if (attribute instanceof DenyActivityRestriction) {
            DenyActivityRestriction denyAttr = (DenyActivityRestriction) attribute;
            macaroonContext.removeActivities(denyAttr.getDenied());
            continue;
        }
        if (attribute instanceof PrefixRestriction) {
            // NOTE(review): each PrefixRestriction overwrites the value kept from
            // an earlier one; confirm a login can carry at most one such attribute.
            ImmutableSet<FsPath> prefixes = ((PrefixRestriction) attribute).getPrefixes();
            if (target.equals("/")) {
                // NOTE(review): checkArgument is presumably Guava's Preconditions
                // (IllegalArgumentException, not ErrorResponseException) - confirm
                // how the caller reports it.
                checkArgument(prefixes.size() == 1, "Cannot serialise with multiple path restrictions");
                restrictedPrefix = prefixes.iterator().next();
            } else {
                // The value kept is the first prefix that contains the desired
                // path, not the desired path itself.
                // NOTE(review): confirm the narrower desired path is applied
                // elsewhere if the macaroon is meant to be limited to it.
                restrictedPrefix = prefixes.stream()
                        .filter(requestedPath::hasPrefix)
                        .findFirst()
                        .orElseThrow(() -> new ErrorResponseException(SC_BAD_REQUEST, "Bad request path: Desired path not within existing path"));
            }
            continue;
        }
        if (attribute instanceof Restriction) {
            // Fail closed: this test has to stay after the specific restriction
            // types handled above (presumably subtypes of Restriction - confirm),
            // so that only restrictions with no mapping end up here.
            throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot serialise restriction " + attribute.getClass().getSimpleName());
        }
        if (attribute instanceof MaxUploadSize) {
            MaxUploadSize uploadAttr = (MaxUploadSize) attribute;
            try {
                macaroonContext.updateMaxUpload(uploadAttr.getMaximumSize());
            } catch (InvalidCaveatException e) {
                throw new ErrorResponseException(SC_BAD_REQUEST, "Cannot add max-upload: " + e.getMessage());
            }
        }
        // Any other attribute type is ignored.
    }

    // Identity is taken from the current subject, not from the login attributes.
    Subject caller = getSubject();
    macaroonContext.setUid(Subjects.getUid(caller));
    macaroonContext.setGids(Subjects.getGids(caller));
    macaroonContext.setUsername(Subjects.getUserName(caller));

    FsPath effectiveRoot = _pathMapper.effectiveRoot(loginRoot, message -> new ErrorResponseException(SC_BAD_REQUEST, message));
    macaroonContext.setRoot(effectiveRoot);

    // A prefix restriction wins over the requested path; with neither a
    // restriction nor a specific target, no path is set at all.
    FsPath contextPath;
    if (restrictedPrefix != null) {
        contextPath = restrictedPrefix;
    } else if (target.equals("/")) {
        contextPath = null;
    } else {
        contextPath = requestedPath;
    }
    if (contextPath != null) {
        // NOTE(review): stripPrefix presumably requires contextPath to lie under
        // effectiveRoot - confirm what happens when a prefix falls outside it.
        macaroonContext.setPath(contextPath.stripPrefix(effectiveRoot));
    }
    return macaroonContext;
}
Also used : PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction) InvalidCaveatException(org.dcache.macaroons.InvalidCaveatException) HomeDirectory(org.dcache.auth.attributes.HomeDirectory) LoginAttribute(org.dcache.auth.attributes.LoginAttribute) MaxUploadSize(org.dcache.auth.attributes.MaxUploadSize) RootDirectory(org.dcache.auth.attributes.RootDirectory) Subject(javax.security.auth.Subject) MacaroonContext(org.dcache.macaroons.MacaroonContext) Restriction(org.dcache.auth.attributes.Restriction) PrefixRestriction(org.dcache.auth.attributes.PrefixRestriction) DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction) Expiry(org.dcache.auth.attributes.Expiry) DenyActivityRestriction(org.dcache.auth.attributes.DenyActivityRestriction) FsPath(diskCacheV111.util.FsPath)
