Example 21 with AccessControlEntry

Use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

The class SeriesEndpoint, method updateSeriesAcl:

@PUT
@Path("{seriesId}/acl")
@Produces({ "application/json", "application/v1.0.0+json" })
// "reponses" is the attribute name as declared by Opencast's RestQuery annotation
@RestQuery(name = "updateseriesacl", description = "Updates a series' access policy.", returnDescription = "",
        pathParameters = {
                @RestParameter(name = "seriesId", description = "The series id", isRequired = true, type = STRING) },
        restParameters = {
                @RestParameter(name = "acl", isRequired = true, description = "Access policy", type = STRING) },
        reponses = {
                @RestResponse(description = "The access control list for the specified series is updated.", responseCode = HttpServletResponse.SC_OK),
                @RestResponse(description = "The specified series does not exist.", responseCode = HttpServletResponse.SC_NOT_FOUND) })
public Response updateSeriesAcl(@HeaderParam("Accept") String acceptHeader, @PathParam("seriesId") String seriesID,
        @FormParam("acl") String aclJson) throws NotFoundException, SeriesException, UnauthorizedException {
    if (isBlank(aclJson))
        return R.badRequest("Missing form parameter 'acl'");
    JSONParser parser = new JSONParser();
    JSONArray acl;
    try {
        acl = (JSONArray) parser.parse(aclJson);
    } catch (ParseException e) {
        logger.debug("Could not parse ACL ({}): {}", aclJson, getStackTrace(e));
        return R.badRequest("Could not parse ACL");
    }
    List<AccessControlEntry> accessControlEntries = $(acl.toArray()).map(new Fn<Object, AccessControlEntry>() {

        @Override
        public AccessControlEntry apply(Object a) {
            JSONObject ace = (JSONObject) a;
            return new AccessControlEntry((String) ace.get("role"), (String) ace.get("action"), (boolean) ace.get("allow"));
        }
    }).toList();
    seriesService.updateAccessControl(seriesID, new AccessControlList(accessControlEntries));
    return ApiResponses.Json.ok(VERSION_1_0_0, aclJson);
}
Also used : AccessControlList(org.opencastproject.security.api.AccessControlList) JSONObject(org.json.simple.JSONObject) JSONArray(org.json.simple.JSONArray) Fn(com.entwinemedia.fn.Fn) AccessControlEntry(org.opencastproject.security.api.AccessControlEntry) JSONParser(org.json.simple.parser.JSONParser) JSONObject(org.json.simple.JSONObject) ParseException(org.json.simple.parser.ParseException) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) RestQuery(org.opencastproject.util.doc.rest.RestQuery) PUT(javax.ws.rs.PUT)

Example 22 with AccessControlEntry

Use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

The class EventsEndpoint, method deleteEventAce:

@DELETE
@Path("{eventId}/acl/{action}/{role}")
@Produces({ "application/json", "application/v1.0.0+json" })
// "reponses" is the attribute name as declared by Opencast's RestQuery annotation
@RestQuery(name = "deleteeventace", description = "Revokes permission to execute action on the specified event from any user with role role.", returnDescription = "",
        pathParameters = {
                @RestParameter(name = "eventId", description = "The event id", isRequired = true, type = STRING),
                @RestParameter(name = "action", description = "The action that is no longer allowed to be executed", isRequired = true, type = STRING),
                @RestParameter(name = "role", description = "The role that is no longer granted permission", isRequired = true, type = STRING) },
        reponses = {
                @RestResponse(description = "The permission has been revoked from the access control list of the specified event.", responseCode = HttpServletResponse.SC_NO_CONTENT),
                @RestResponse(description = "The specified event does not exist.", responseCode = HttpServletResponse.SC_NOT_FOUND) })
public Response deleteEventAce(@HeaderParam("Accept") String acceptHeader, @PathParam("eventId") String id,
        @PathParam("action") String action, @PathParam("role") String role) throws Exception {
    List<AccessControlEntry> entries = new ArrayList<>();
    for (final Event event : indexService.getEvent(id, externalIndex)) {
        AccessControlList accessControlList = getAclFromEvent(event);
        boolean foundDelete = false;
        for (AccessControlEntry ace : accessControlList.getEntries()) {
            if (ace.getAction().equals(action) && ace.getRole().equals(role)) {
                foundDelete = true;
            } else {
                entries.add(ace);
            }
        }
        if (!foundDelete) {
            return ApiResponses.notFound("Unable to find an access control entry with action '%s' and role '%s'", action, role);
        }
        AccessControlList withoutDeleted = new AccessControlList(entries);
        try {
            withoutDeleted = indexService.updateEventAcl(id, withoutDeleted, externalIndex);
        } catch (IllegalArgumentException e) {
            logger.error("Unable to delete event's '{}' acl entry with action '{}' and role '{}' because: {}", id, action, role, ExceptionUtils.getStackTrace(e));
            return Response.status(Status.FORBIDDEN).build();
        }
        return ApiResponses.Json.noContent(ApiVersion.VERSION_1_0_0);
    }
    return ApiResponses.notFound("Cannot find an event with id '%s'.", id);
}
Also used : AccessControlList(org.opencastproject.security.api.AccessControlList) ArrayList(java.util.ArrayList) AccessControlEntry(org.opencastproject.security.api.AccessControlEntry) Event(org.opencastproject.index.service.impl.index.event.Event) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Produces(javax.ws.rs.Produces) RestQuery(org.opencastproject.util.doc.rest.RestQuery)

Example 23 with AccessControlEntry

Use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

The class TestAclEndpoint, method setupServices:

private void setupServices() {
    final DefaultOrganization org = new DefaultOrganization();
    AccessControlEntry ace1 = new AccessControlEntry("ROLE_ADMIN", "read", true);
    AccessControlEntry ace2 = new AccessControlEntry("ROLE_ANONYMOUS", "read", true);
    AccessControlEntry ace3 = new AccessControlEntry("ROLE_ADMIN", "read", false);
    AccessControlEntry ace4 = new AccessControlEntry("ROLE_ANONYMOUS", "read", false);
    AccessControlList publicAcl = new AccessControlList(ace1, ace2);
    AccessControlList privateAcl = new AccessControlList(ace3, ace4);
    List<ManagedAcl> managedAcls = new ArrayList<ManagedAcl>();
    managedAcls.add(new ManagedAclImpl(1L, "public", org.getId(), publicAcl));
    managedAcls.add(new ManagedAclImpl(2L, "private", org.getId(), privateAcl));
    AclService aclService = EasyMock.createNiceMock(AclService.class);
    EasyMock.expect(aclService.getAcls()).andReturn(managedAcls).anyTimes();
    EasyMock.expect(aclService.getAcl(EasyMock.anyLong())).andReturn(Option.some(managedAcls.get(0))).anyTimes();
    EasyMock.replay(aclService);
    AclServiceFactory aclServiceFactory = EasyMock.createNiceMock(AclServiceFactory.class);
    EasyMock.expect(aclServiceFactory.serviceFor(EasyMock.anyObject(Organization.class))).andReturn(aclService).anyTimes();
    EasyMock.replay(aclServiceFactory);
    SecurityService securityService = EasyMock.createNiceMock(SecurityService.class);
    EasyMock.expect(securityService.getOrganization()).andReturn(org).anyTimes();
    EasyMock.replay(securityService);
    this.setAclServiceFactory(aclServiceFactory);
    this.setSecurityService(securityService);
}
Also used : AccessControlList(org.opencastproject.security.api.AccessControlList) AclServiceFactory(org.opencastproject.authorization.xacml.manager.api.AclServiceFactory) SecurityService(org.opencastproject.security.api.SecurityService) ManagedAcl(org.opencastproject.authorization.xacml.manager.api.ManagedAcl) ArrayList(java.util.ArrayList) ManagedAclImpl(org.opencastproject.authorization.xacml.manager.impl.ManagedAclImpl) AccessControlEntry(org.opencastproject.security.api.AccessControlEntry) AclService(org.opencastproject.authorization.xacml.manager.api.AclService) DefaultOrganization(org.opencastproject.security.api.DefaultOrganization)

Example 24 with AccessControlEntry

Use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

The class XACMLUtils, method getXacml:

/**
 * Builds an xml string containing the xacml for the mediapackage.
 *
 * @param mediapackage
 *          the mediapackage
 * @param accessControlList
 *          the tuples of roles to actions
 * @return
 * @throws JAXBException
 */
public static String getXacml(MediaPackage mediapackage, AccessControlList accessControlList) throws JAXBException {
    ObjectFactory jbossXacmlObjectFactory = new ObjectFactory();
    PolicyType policy = new PolicyType();
    policy.setPolicyId(mediapackage.getIdentifier().toString());
    policy.setVersion("2.0");
    policy.setRuleCombiningAlgId(XACMLUtils.RULE_COMBINING_ALG);
    // TODO: Add target/resources to rule
    TargetType policyTarget = new TargetType();
    ResourcesType resources = new ResourcesType();
    ResourceType resource = new ResourceType();
    ResourceMatchType resourceMatch = new ResourceMatchType();
    resourceMatch.setMatchId(XACMLUtils.XACML_STRING_EQUAL);
    AttributeValueType resourceAttributeValue = new AttributeValueType();
    resourceAttributeValue.setDataType(XACMLUtils.W3C_STRING);
    resourceAttributeValue.getContent().add(mediapackage.getIdentifier().toString());
    AttributeDesignatorType resourceDesignator = new AttributeDesignatorType();
    resourceDesignator.setAttributeId(XACMLUtils.RESOURCE_IDENTIFIER);
    resourceDesignator.setDataType(XACMLUtils.W3C_STRING);
    // now go back up the tree
    resourceMatch.setResourceAttributeDesignator(resourceDesignator);
    resourceMatch.setAttributeValue(resourceAttributeValue);
    resource.getResourceMatch().add(resourceMatch);
    resources.getResource().add(resource);
    policyTarget.setResources(resources);
    policy.setTarget(policyTarget);
    // Loop over roleActions and add a rule for each
    for (AccessControlEntry ace : accessControlList.getEntries()) {
        boolean allow = ace.isAllow();
        RuleType rule = new RuleType();
        rule.setRuleId(ace.getRole() + "_" + ace.getAction() + (allow ? "_Permit" : "_Deny"));
        if (allow) {
            rule.setEffect(EffectType.PERMIT);
        } else {
            rule.setEffect(EffectType.DENY);
        }
        TargetType target = new TargetType();
        ActionsType actions = new ActionsType();
        ActionType action = new ActionType();
        ActionMatchType actionMatch = new ActionMatchType();
        actionMatch.setMatchId(XACMLUtils.XACML_STRING_EQUAL);
        AttributeValueType attributeValue = new AttributeValueType();
        attributeValue.setDataType(XACMLUtils.W3C_STRING);
        attributeValue.getContent().add(ace.getAction());
        AttributeDesignatorType designator = new AttributeDesignatorType();
        designator.setAttributeId(XACMLUtils.ACTION_IDENTIFIER);
        designator.setDataType(XACMLUtils.W3C_STRING);
        // now go back up the tree
        actionMatch.setActionAttributeDesignator(designator);
        actionMatch.setAttributeValue(attributeValue);
        action.getActionMatch().add(actionMatch);
        actions.getAction().add(action);
        target.setActions(actions);
        rule.setTarget(target);
        ConditionType condition = new ConditionType();
        ApplyType apply = new ApplyType();
        apply.setFunctionId(XACMLUtils.XACML_STRING_IS_IN);
        AttributeValueType conditionAttributeValue = new AttributeValueType();
        conditionAttributeValue.setDataType(XACMLUtils.W3C_STRING);
        conditionAttributeValue.getContent().add(ace.getRole());
        SubjectAttributeDesignatorType subjectDesignator = new SubjectAttributeDesignatorType();
        subjectDesignator.setDataType(XACMLUtils.W3C_STRING);
        subjectDesignator.setAttributeId(XACMLUtils.SUBJECT_ROLE_IDENTIFIER);
        apply.getExpression().add(jbossXacmlObjectFactory.createAttributeValue(conditionAttributeValue));
        apply.getExpression().add(jbossXacmlObjectFactory.createSubjectAttributeDesignator(subjectDesignator));
        condition.setExpression(jbossXacmlObjectFactory.createApply(apply));
        rule.setCondition(condition);
        policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule);
    }
    // Add the global deny rule: it has no target, so it matches every request and
    // denies anything not explicitly permitted by a rule above (deny by default;
    // the rule combining algorithm set on the policy decides how the rules interact)
    RuleType deny = new RuleType();
    deny.setEffect(EffectType.DENY);
    deny.setRuleId("DenyRule");
    policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(deny);
    // serialize to xml
    StringWriter writer = new StringWriter();
    XACMLUtils.jBossXacmlJaxbContext.createMarshaller().marshal(jbossXacmlObjectFactory.createPolicy(policy), writer);
    return writer.getBuffer().toString();
}
Also used : PolicyType(org.jboss.security.xacml.core.model.policy.PolicyType) ActionType(org.jboss.security.xacml.core.model.policy.ActionType) AttributeValueType(org.jboss.security.xacml.core.model.policy.AttributeValueType) AccessControlEntry(org.opencastproject.security.api.AccessControlEntry) ResourceType(org.jboss.security.xacml.core.model.policy.ResourceType) RuleType(org.jboss.security.xacml.core.model.policy.RuleType) SubjectAttributeDesignatorType(org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType) ActionsType(org.jboss.security.xacml.core.model.policy.ActionsType) ResourcesType(org.jboss.security.xacml.core.model.policy.ResourcesType) ApplyType(org.jboss.security.xacml.core.model.policy.ApplyType) ActionMatchType(org.jboss.security.xacml.core.model.policy.ActionMatchType) ObjectFactory(org.jboss.security.xacml.core.model.policy.ObjectFactory) AttributeDesignatorType(org.jboss.security.xacml.core.model.policy.AttributeDesignatorType) SubjectAttributeDesignatorType(org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType) StringWriter(java.io.StringWriter) ResourceMatchType(org.jboss.security.xacml.core.model.policy.ResourceMatchType) TargetType(org.jboss.security.xacml.core.model.policy.TargetType) ConditionType(org.jboss.security.xacml.core.model.policy.ConditionType)

Example 25 with AccessControlEntry

Use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

The class XACMLUtils, method parseXacml:

/**
 * Parses a XACML into an {@link AccessControlList}.
 * <p>
 * Only rules which follow the structure of those created by {@link #getXacml(MediaPackage, AccessControlList)} may be
 * successfully parsed. All other rules are ignored.
 *
 * @param xacml
 *          the XACML to parse
 * @return the ACL, never {@code null}
 * @throws XACMLParsingException
 *           if parsing fails
 */
public static AccessControlList parseXacml(InputStream xacml) throws XACMLParsingException {
    try {
        final AccessControlList acl = new AccessControlList();
        final List<AccessControlEntry> entries = acl.getEntries();
        @SuppressWarnings("unchecked")
        final PolicyType policy = ((JAXBElement<PolicyType>) XACMLUtils.jBossXacmlJaxbContext.createUnmarshaller()
                .unmarshal(xacml)).getValue();
        for (Object object : policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition()) {
            if (!(object instanceof RuleType)) {
                throw new XACMLParsingException("Object " + object + " of policy " + policy + " is not of type RuleType");
            }
            RuleType rule = (RuleType) object;
            if (rule.getTarget() == null) {
                if (rule.getRuleId().equals("DenyRule")) {
                    logger.trace("Skipping global deny rule");
                    continue;
                }
                throw new XACMLParsingException("Empty rule " + rule + " in policy " + policy);
            }
            String role = null;
            String actionForAce = null;
            try {
                ActionType action = rule.getTarget().getActions().getAction().get(0);
                actionForAce = (String) action.getActionMatch().get(0).getAttributeValue().getContent().get(0);
                @SuppressWarnings("unchecked") JAXBElement<ApplyType> apply = (JAXBElement<ApplyType>) rule.getCondition().getExpression();
                for (JAXBElement<?> element : apply.getValue().getExpression()) {
                    if (element.getValue() instanceof AttributeValueType) {
                        role = (String) ((AttributeValueType) element.getValue()).getContent().get(0);
                        break;
                    }
                }
            } catch (Exception e) {
                throw new XACMLParsingException("Rule " + rule + " of policy " + policy + " could not be parsed", e);
            }
            if (role == null) {
                throw new XACMLParsingException("Unable to find role in rule " + rule + " of policy " + policy);
            }
            AccessControlEntry ace = new AccessControlEntry(role, actionForAce, rule.getEffect().equals(EffectType.PERMIT));
            entries.add(ace);
        }
        return acl;
    } catch (Exception e) {
        if (e instanceof XACMLParsingException) {
            throw (XACMLParsingException) e;
        }
        throw new XACMLParsingException("XACML could not be parsed", e);
    }
}
Also used : AccessControlList(org.opencastproject.security.api.AccessControlList) PolicyType(org.jboss.security.xacml.core.model.policy.PolicyType) ActionType(org.jboss.security.xacml.core.model.policy.ActionType) AttributeValueType(org.jboss.security.xacml.core.model.policy.AttributeValueType) AccessControlEntry(org.opencastproject.security.api.AccessControlEntry) RuleType(org.jboss.security.xacml.core.model.policy.RuleType) JAXBElement(javax.xml.bind.JAXBElement) JAXBException(javax.xml.bind.JAXBException) ApplyType(org.jboss.security.xacml.core.model.policy.ApplyType)
