Use of org.graylog.grn.GRN in project graylog2-server by Graylog2: class EntitySharesService, method validateRequest.
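/**
 * Validates a share request against the ownership rule: applying the request must not leave the
 * entity without any owner grant. A violation is recorded as an error on the returned
 * {@link ValidationResult}, together with the owners that would be removed (as a context value
 * for the frontend).
 *
 * @param ownedEntity          the entity whose grants are being modified
 * @param request              the share request; the initial request carries no grantee selection
 * @param sharingUser          the user performing the share; their own grant is excluded from the
 *                             removed-owner computation
 * @param availableGranteeGRNs grantees visible to the sharing user; an owner outside this set is
 *                             never reported as removed, because the user could not have selected it
 * @return a validation result that has no errors when the request may proceed
 */
private ValidationResult validateRequest(GRN ownedEntity, EntityShareRequest request, User sharingUser, Set<GRN> availableGranteeGRNs) {
    final ValidationResult validationResult = new ValidationResult();

    // The initial request doesn't submit a grantee selection. Nothing to validate yet.
    if (!request.selectedGranteeCapabilities().isPresent()) {
        return validationResult;
    }
    final ImmutableMap<GRN, Capability> selectedGranteeCapabilities = request.selectedGranteeCapabilities().get();

    // If there is still an owner in the selection, everything is fine.
    if (selectedGranteeCapabilities.containsValue(Capability.OWN)) {
        return validationResult;
    }

    // The grant lookups are deferred to this point so the two early returns above don't pay for them.
    final List<GrantDTO> allEntityGrants = grantService.getForTarget(ownedEntity);

    // If this entity is already ownerless, things can't get any worse. Let this request pass.
    if (allEntityGrants.stream().noneMatch(g -> hasOwnCapability(g))) {
        return validationResult;
    }

    // Iterate over all existing owner grants (except the sharing user's own) and find modifications.
    final List<GrantDTO> existingGrants = grantService.getForTargetExcludingGrantee(ownedEntity, grnRegistry.ofUser(sharingUser));
    final List<GRN> removedOwners = new ArrayList<>();
    for (final GrantDTO grant : existingGrants) {
        if (!hasOwnCapability(grant)) {
            continue;
        }
        final GRN grantee = grant.grantee();
        // ImmutableMap never holds null values, so a null here means the grantee is absent from the selection.
        final Capability selectedCapability = selectedGranteeCapabilities.get(grantee);
        if (selectedCapability == null) {
            // Owner got removed. Ignore owners that were invisible to the requesting user: they were
            // never offered in the selection, so their absence is not a deliberate removal.
            if (availableGranteeGRNs.contains(grantee)) {
                removedOwners.add(grantee);
            }
        } else if (!selectedCapability.equals(Capability.OWN)) {
            // Owner capability got changed to something weaker.
            removedOwners.add(grantee);
        }
    }

    // If all removedOwners are applied, is there still at least one owner left? Owners invisible to
    // the requesting user and the sharing user's own grant count here, since they are never removed.
    final boolean ownerRemains = allEntityGrants.stream()
            .filter(g -> hasOwnCapability(g))
            .map(GrantDTO::grantee)
            .anyMatch(grantee -> !removedOwners.contains(grantee));
    if (ownerRemains) {
        return validationResult;
    }

    validationResult.addError(EntityShareRequest.SELECTED_GRANTEE_CAPABILITIES, String.format(Locale.US, "Removing the following owners <%s> will leave the entity ownerless.", removedOwners));
    // Also return the grantees as list to be used by the frontend
    validationResult.addContext(EntityShareRequest.SELECTED_GRANTEE_CAPABILITIES, removedOwners.stream().map(Objects::toString).collect(Collectors.toSet()));
    return validationResult;
}

/** Returns whether the grant carries the {@link Capability#OWN} capability. */
private static boolean hasOwnCapability(GrantDTO grant) {
    return grant.capability().equals(Capability.OWN);
}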
Use of org.graylog.grn.GRN in project graylog2-server by Graylog2: class EntityDependencyPermissionChecker, method check.
/**
 * Checks, for every selected grantee, which of the given dependencies that grantee is not allowed
 * to view and returns them grouped by grantee.
 *
 * <p>Only the grantee's own grants are consulted: for a team grantee this means the team's grant,
 * not grants of its members, and for the "everyone" grantee only that grantee's own access.
 * Dependencies the sharing user cannot view themselves are skipped entirely, so the result never
 * reveals entities hidden from the sharing user.
 *
 * @param sharingUser      the user performing the share
 * @param dependencies     the dependencies to check
 * @param selectedGrantees the grantees selected in the share request
 * @return dependencies that grantees cannot access, grouped by grantee
 */
public ImmutableMultimap<GRN, EntityDescriptor> check(GRN sharingUser, ImmutableSet<EntityDescriptor> dependencies, Set<GRN> selectedGrantees) {
    final GranteeAuthorizer sharerAuthorizer = granteeAuthorizerFactory.create(sharingUser);
    final ImmutableMultimap.Builder<GRN, EntityDescriptor> denied = ImmutableMultimap.builder();

    for (final GRN grantee : selectedGrantees) {
        // One authorizer per grantee; it only reflects grants held by this exact grantee.
        final GranteeAuthorizer granteeAuthorizer = granteeAuthorizerFactory.create(grantee);
        for (final EntityDescriptor dependency : dependencies) {
            // The sharer check runs first: a dependency the sharer cannot see is never evaluated
            // for the grantee, which keeps hidden entities out of the result.
            final boolean visibleToSharer = !cannotView(sharerAuthorizer, dependency);
            if (visibleToSharer && cannotView(granteeAuthorizer, dependency)) {
                denied.put(grantee, dependency);
            }
        }
    }
    return denied.build();
}
Use of org.graylog.grn.GRN in project graylog2-server by Graylog2: class EntityOwnershipService, method registerNewStream.
/**
 * Registers the user as owner of a newly created stream.
 *
 * @param id   the stream id, used to build the stream's GRN
 * @param user the user to register for the new entity
 */
public void registerNewStream(String id, User user) {
    registerNewEntity(grnRegistry.newGRN(GRNTypes.STREAM, id), user);
}
Use of org.graylog.grn.GRN in project graylog2-server by Graylog2: class EntityOwnershipService, method registerNewDashboard.
/**
 * Registers the user as owner of a newly created dashboard.
 *
 * @param id   the dashboard id, used to build the dashboard's GRN
 * @param user the user to register for the new entity
 */
public void registerNewDashboard(String id, User user) {
    registerNewEntity(grnRegistry.newGRN(GRNTypes.DASHBOARD, id), user);
}
Use of org.graylog.grn.GRN in project graylog2-server by Graylog2: class ViewOwnerShipToGrantsMigration, method upgrade.
/**
 * Migrates view ownership into grants: for every view whose owner resolves to a user that is not
 * the local admin, an ownership grant on the view's GRN is ensured.
 * Views without an owner, or whose owner cannot be loaded, are left untouched.
 */
public void upgrade() {
    viewService.streamAll().forEach(view -> view.owner()
            // map(...) yields an empty Optional when the owner cannot be loaded
            .map(userService::load)
            // the local admin is skipped — presumably covered without an explicit grant; confirm
            .filter(owner -> !owner.isLocalAdmin())
            .ifPresent(owner -> {
                final boolean isDashboard = ViewDTO.Type.DASHBOARD.equals(view.type());
                final GRNType grnType = isDashboard ? GRNTypes.DASHBOARD : GRNTypes.SEARCH;
                ensureGrant(owner, grnType.toGRN(view.id()));
            }));
}