
Example 41 with GRN

use of org.graylog.grn.GRN in project graylog2-server by Graylog2.

From the class EntitySharesService, method validateRequest:

private ValidationResult validateRequest(GRN ownedEntity, EntityShareRequest request, User sharingUser, Set<GRN> availableGranteeGRNs) {
    final ValidationResult validationResult = new ValidationResult();
    final List<GrantDTO> allEntityGrants = grantService.getForTarget(ownedEntity);
    final List<GrantDTO> existingGrants = grantService.getForTargetExcludingGrantee(ownedEntity, grnRegistry.ofUser(sharingUser));
    // The initial request doesn't submit a grantee selection. Just return.
    if (!request.selectedGranteeCapabilities().isPresent()) {
        return validationResult;
    }
    final ImmutableMap<GRN, Capability> selectedGranteeCapabilities = request.selectedGranteeCapabilities().get();
    // If there is still an owner in the selection, everything is fine
    if (selectedGranteeCapabilities.containsValue(Capability.OWN)) {
        return validationResult;
    }
    // If this entity is already ownerless, things can't get any worse. Let this request pass.
    if (allEntityGrants.stream().noneMatch(g -> g.capability().equals(Capability.OWN))) {
        return validationResult;
    }
    // Iterate over all existing owner grants and find modifications
    ArrayList<GRN> removedOwners = new ArrayList<>();
    existingGrants.stream().filter(g -> g.capability().equals(Capability.OWN)).forEach((g) -> {
        // owner got removed
        if (!selectedGranteeCapabilities.containsKey(g.grantee())) {
            // Ignore owners that were invisible to the requesting user
            if (availableGranteeGRNs.contains(g.grantee())) {
                removedOwners.add(g.grantee());
            }
        // owner capability got changed
        } else if (!selectedGranteeCapabilities.get(g.grantee()).equals(Capability.OWN)) {
            removedOwners.add(g.grantee());
        }
    });
    // If all removedOwners are applied, is there still at least one owner left?
    if (allEntityGrants.stream()
            .filter(g -> g.capability().equals(Capability.OWN))
            .map(GrantDTO::grantee)
            .anyMatch(grantee -> !removedOwners.contains(grantee))) {
        return validationResult;
    }
    validationResult.addError(EntityShareRequest.SELECTED_GRANTEE_CAPABILITIES, String.format(Locale.US, "Removing the following owners <%s> will leave the entity ownerless.", removedOwners));
    // Also return the grantees as list to be used by the frontend
    validationResult.addContext(EntityShareRequest.SELECTED_GRANTEE_CAPABILITIES, removedOwners.stream().map(Objects::toString).collect(Collectors.toSet()));
    return validationResult;
}
Also used : GrantDTO(org.graylog.security.GrantDTO) EntityDependencyPermissionChecker(org.graylog.security.entities.EntityDependencyPermissionChecker) BuiltinCapabilities(org.graylog.security.BuiltinCapabilities) Capability(org.graylog.security.Capability) ZonedDateTime(java.time.ZonedDateTime) GRNRegistry(org.graylog.grn.GRNRegistry) ArrayList(java.util.ArrayList) EventBus(com.google.common.eventbus.EventBus) Inject(javax.inject.Inject) DBGrantService(org.graylog.security.DBGrantService) Subject(org.apache.shiro.subject.Subject) Locale(java.util.Locale) Map(java.util.Map) Objects.requireNonNull(java.util.Objects.requireNonNull) ZoneOffset(java.time.ZoneOffset) ImmutableSet(com.google.common.collect.ImmutableSet) EntityDependencyResolver(org.graylog.security.entities.EntityDependencyResolver) ImmutableMap(com.google.common.collect.ImmutableMap) Collection(java.util.Collection) Set(java.util.Set) ActiveShare(org.graylog.security.shares.EntityShareResponse.ActiveShare) Collectors(java.util.stream.Collectors) GRN(org.graylog.grn.GRN) Objects(java.util.Objects) List(java.util.List) EntityDescriptor(org.graylog.security.entities.EntityDescriptor) EntitySharesUpdateEvent(org.graylog.security.events.EntitySharesUpdateEvent) ValidationResult(org.graylog2.plugin.rest.ValidationResult) User(org.graylog2.plugin.database.users.User) AvailableCapability(org.graylog.security.shares.EntityShareResponse.AvailableCapability)

Example 42 with GRN

use of org.graylog.grn.GRN in project graylog2-server by Graylog2.

From the class EntityDependencyPermissionChecker, method check:

/**
 * Runs permission checks for the given dependencies for every selected grantee and returns the entities that
 * grantees cannot access.
 *
 * @param sharingUser      the sharing user
 * @param dependencies     the dependencies to check
 * @param selectedGrantees the selected grantees
 * @return dependencies that grantees cannot access, grouped by grantee
 */
public ImmutableMultimap<GRN, EntityDescriptor> check(GRN sharingUser, ImmutableSet<EntityDescriptor> dependencies, Set<GRN> selectedGrantees) {
    final ImmutableMultimap.Builder<GRN, EntityDescriptor> deniedDependencies = ImmutableMultimap.builder();
    final GranteeAuthorizer sharerAuthorizer = granteeAuthorizerFactory.create(sharingUser);
    for (final GRN grantee : selectedGrantees) {
        // We only check for existing grants for the actual grantee. If the grantee is a team, we only check if
        // the team has a grant, not if any users in the team can access the dependency via other grants.
        // The same for the "everyone" grantee, we only check if the "everyone" grantee has access to a dependency.
        final GranteeAuthorizer granteeAuthorizer = granteeAuthorizerFactory.create(grantee);
        for (final EntityDescriptor dependency : dependencies) {
            // Skip dependencies the sharing user cannot view themselves, to avoid
            // leaking information to the sharing user.
            if (cannotView(sharerAuthorizer, dependency)) {
                continue;
            }
            if (cannotView(granteeAuthorizer, dependency)) {
                deniedDependencies.put(grantee, dependency);
            }
        }
    }
    return deniedDependencies.build();
}
Also used : GRN(org.graylog.grn.GRN) GranteeAuthorizer(org.graylog.security.GranteeAuthorizer) ImmutableMultimap(com.google.common.collect.ImmutableMultimap)

Example 43 with GRN

use of org.graylog.grn.GRN in project graylog2-server by Graylog2.

From the class EntityOwnershipService, method registerNewStream:

public void registerNewStream(String id, User user) {
    final GRN grn = grnRegistry.newGRN(GRNTypes.STREAM, id);
    registerNewEntity(grn, user);
}
Also used : GRN(org.graylog.grn.GRN)

Example 44 with GRN

use of org.graylog.grn.GRN in project graylog2-server by Graylog2.

From the class EntityOwnershipService, method registerNewDashboard:

public void registerNewDashboard(String id, User user) {
    final GRN grn = grnRegistry.newGRN(GRNTypes.DASHBOARD, id);
    registerNewEntity(grn, user);
}
Also used : GRN(org.graylog.grn.GRN)

Example 45 with GRN

use of org.graylog.grn.GRN in project graylog2-server by Graylog2.

From the class ViewOwnerShipToGrantsMigration, method upgrade:

public void upgrade() {
    viewService.streamAll().forEach(view -> {
        final Optional<User> user = view.owner().map(userService::load);
        if (user.isPresent() && !user.get().isLocalAdmin()) {
            final GRNType grnType = ViewDTO.Type.DASHBOARD.equals(view.type()) ? GRNTypes.DASHBOARD : GRNTypes.SEARCH;
            final GRN target = grnType.toGRN(view.id());
            ensureGrant(user.get(), target);
        }
    });
}
Also used : GRN(org.graylog.grn.GRN) User(org.graylog2.plugin.database.users.User) GRNType(org.graylog.grn.GRNType)

Aggregations (usage counts):

GRN (org.graylog.grn.GRN): 51
User (org.graylog2.plugin.database.users.User): 19
DisplayName (org.junit.jupiter.api.DisplayName): 16
Test (org.junit.jupiter.api.Test): 16
Test (org.junit.Test): 13
MongoDBFixtures (org.graylog.testing.mongodb.MongoDBFixtures): 11
Subject (org.apache.shiro.subject.Subject): 10
ImmutableSet (com.google.common.collect.ImmutableSet): 7
Collectors (java.util.stream.Collectors): 5
GRNRegistry (org.graylog.grn.GRNRegistry): 5
Capability (org.graylog.security.Capability): 5
ImmutableMap (com.google.common.collect.ImmutableMap): 4
EventBus (com.google.common.eventbus.EventBus): 4
Set (java.util.Set): 4
DBGrantService (org.graylog.security.DBGrantService): 4
ZonedDateTime (java.time.ZonedDateTime): 3
Collection (java.util.Collection): 3
List (java.util.List): 3
Map (java.util.Map): 3
Objects (java.util.Objects): 3