use of org.simbasecurity.api.service.thrift.PolicyDecision in project simba-os by cegeka.
the class AuthorizationServiceClient method isResourceRuleAllowed.
/**
 * Returns the policy decision for the given user, resource and operation, answering from
 * {@code resourceRuleCache} when it holds an entry that has not expired.
 *
 * <p>On a miss, or when {@link PolicyDecisionHelper#isExpired} reports the cached entry as
 * expired, the remote authorization service is asked and its answer replaces the cache entry.
 * Whatever the service returns is cached, allow and deny alike.
 *
 * <p>Security note: a cached "allowed" decision keeps being served until its own expiration
 * is reached. Unless the cache is invalidated elsewhere (not visible in this method), a
 * permission revoked on the server is only noticed after that expiry, so the lifetime the
 * server puts on decisions bounds how long a stale grant can survive.
 *
 * @param username     user the decision is requested for
 * @param resourcename name of the protected resource
 * @param operation    operation requested on the resource
 * @return the cached or freshly fetched decision
 * @throws TException if the call to the remote authorization service fails
 */
@Override
public PolicyDecision isResourceRuleAllowed(String username, String resourcename, String operation) throws TException {
    AuthorizationKey cacheKey = new AuthorizationKey(username, resourcename, operation);
    PolicyDecision cached = resourceRuleCache.get(cacheKey);

    // Fast path: a present, unexpired entry is authoritative for this call.
    if (cached != null && !PolicyDecisionHelper.isExpired(cached)) {
        return cached;
    }

    // Miss or expired: ask the service and overwrite the entry under the same key.
    // The get/put pair is not atomic here; concurrent callers may each query the service.
    PolicyDecision fresh = getAuthorizationServiceClient().isResourceRuleAllowed(username, resourcename, operation);
    resourceRuleCache.put(cacheKey, fresh);
    return fresh;
}
use of org.simbasecurity.api.service.thrift.PolicyDecision in project simba-os by cegeka.
the class SimbaAuthorizationCachingServiceTest method shouldNotCallAuthorizationServiceWhenResourceRuleCached.
/**
 * Verifies that a second identical lookup is answered from the cache: the mocked
 * authorization service must be called exactly once for two calls on the caching service.
 *
 * <p>NOTE(review): only an allowed decision with {@code VALID_TIMESTAMP} (presumably a
 * timestamp that is not yet expired; confirm against the constant) is exercised here.
 * The expired-entry and denied-decision paths need their own tests, if not covered elsewhere.
 */
@Test
public void shouldNotCallAuthorizationServiceWhenResourceRuleCached() throws Exception {
    PolicyDecision stubbedDecision = new PolicyDecision(true, VALID_TIMESTAMP);
    when(authorizationServiceMock.isResourceRuleAllowed(NOT_RELEVANT, NOT_RELEVANT, NOT_RELEVANT)).thenReturn(stubbedDecision);

    // First call reaches the mocked service and populates the cache.
    cachingService.isResourceRuleAllowed(NOT_RELEVANT, NOT_RELEVANT, NOT_RELEVANT);
    // Second call with the same arguments is expected to be served from the cache.
    PolicyDecision secondAnswer = cachingService.isResourceRuleAllowed(NOT_RELEVANT, NOT_RELEVANT, NOT_RELEVANT);

    assertTrue(secondAnswer.isAllowed());
    // Exactly one interaction with the backing service, and nothing else.
    verify(authorizationServiceMock).isResourceRuleAllowed(NOT_RELEVANT, NOT_RELEVANT, NOT_RELEVANT);
    verifyNoMoreInteractions(authorizationServiceMock);
}
use of org.simbasecurity.api.service.thrift.PolicyDecision in project simba-os by cegeka.
the class FeedingServlet method doPost.
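/**
 * Checks with the Simba authorization service whether the authenticated user may perform
 * {@code WRITE} on the {@code ANIMAL} resource, then either redirects to the feeding page
 * or answers with an error status.
 *
 * <p>The request is rejected before the authorization service is contacted when it carries
 * no user principal. Previously that case dereferenced {@code null} and surfaced as a
 * {@link ServletException} (a server error) instead of an authentication failure.
 *
 * <p>Any failure while talking to the service is rethrown as a {@link ServletException},
 * so the redirect is never issued without an explicit "allowed" decision (fail closed).
 *
 * @param request  the incoming request; its user principal supplies the username
 * @param response used for the error status or the redirect
 * @throws ServletException wrapping any exception raised inside the handler
 * @throws IOException declared by the servlet contract
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    THttpClient tHttpClient = null;
    try {
        // getUserPrincipal() is null for an unauthenticated request; refuse it explicitly
        // rather than letting a NullPointerException turn into a generic server error.
        java.security.Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // NOTE(review): whether this call is protected in transit depends on the scheme of
        // the configured service URL; confirm it is HTTPS outside of local development.
        tHttpClient = new THttpClient(SystemConfiguration.getSimbaServiceURL(getServletContext()) + "/authorizationService");
        TProtocol tProtocol = new TJSONProtocol(tHttpClient);
        AuthorizationService.Client authorizationClient = new AuthorizationService.Client(tProtocol);

        PolicyDecision decision = authorizationClient.isResourceRuleAllowed(principal.getName(), "ANIMAL", "WRITE");
        if (!decision.isAllowed()) {
            // NOTE(review): the user is authenticated but not permitted here, which is what
            // SC_FORBIDDEN (403) describes; 401 is kept because clients may rely on it.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.sendRedirect("jsp/feeding.jsp");
    } catch (Exception e) {
        throw new ServletException(e);
    } finally {
        // Always release the HTTP transport, including on the early-return paths.
        if (tHttpClient != null) {
            tHttpClient.close();
        }
    }
}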
use of org.simbasecurity.api.service.thrift.PolicyDecision in project simba-os by cegeka.
the class URLRuleCheckCommandTest method continueWhenAccessIsAllowed.
/**
 * Verifies the allowed path of the URL rule check: the command returns
 * {@code State.CONTINUE}, writes exactly one audit event with the expected category and
 * success message, and does not redirect to the access-denied page.
 */
@Test
public void continueWhenAccessIsAllowed() throws Exception {
    PolicyDecision allowedDecision = new PolicyDecision(true, Long.MAX_VALUE);
    when(authorizationServiceMock.isURLRuleAllowed(USERNAME, REQUEST_URL, REQUEST_METHOD)).thenReturn(allowedDecision);

    assertEquals(State.CONTINUE, command.execute(contextMock));

    // Capture the single audit event the command is expected to write.
    verify(auditMock).log(captor.capture());
    AuditLogEvent loggedEvent = captor.getValue();
    assertEquals(AuditLogEventCategory.AUTHOR, loggedEvent.getCategory());
    assertEquals(AuditMessages.SUCCESS + AuditMessages.CHECK_URL_RULE, loggedEvent.getMessage());

    // Coming after the verified log() call, this can only pass if already-verified
    // interactions are ignored, i.e. it acts as "no further audit calls" (it behaves like
    // verifyNoMoreInteractions in Mockito versions where the two are aliases).
    verifyZeroInteractions(auditMock);
    verify(contextMock, never()).redirectToAccessDenied();
}
use of org.simbasecurity.api.service.thrift.PolicyDecision in project simba-os by cegeka.
the class AuthorizationServiceImpl method isResourceRuleAllowed.
/**
 * Evaluates every resource rule found for the user and resource and folds the per-rule
 * results into one decision through {@code determineDecisionBasedOn}.
 *
 * <p>A rule counts as granting only when its policy applies to the request context and
 * the rule itself allows the operation type. When the repository returns no rules at all,
 * the result is {@code NEVER_ALLOWED}, so the absence of rules denies by default.
 *
 * <p>NOTE(review): {@code username} and {@code resourceName} go into the log line
 * unchanged. If these values can contain line breaks and
 * {@code logAuthorizationDecision} writes to a plain-text log, confirm that they are
 * neutralised there to prevent forged log entries.
 *
 * @param username      user the decision is computed for
 * @param resourceName  name of the protected resource
 * @param operationType operation requested on the resource
 * @return the combined decision, or {@code NEVER_ALLOWED} when no rule was found
 */
private PolicyDecision isResourceRuleAllowed(String username, String resourceName, ResourceOperationType operationType) {
    AuthorizationRequestContext requestContext = new AuthorizationRequestContext(username);

    PolicyDecision combined = null;
    for (ResourceRule rule : ruleRepository.findResourceRules(username, resourceName)) {
        // Short-circuit order matters: the rule is only consulted when its policy applies.
        boolean ruleGrants = rule.getPolicy().applies(requestContext) && rule.isAllowed(operationType);
        long ruleExpiry = rule.getPolicy().getExpirationTimestamp(requestContext);
        combined = determineDecisionBasedOn(combined, ruleGrants, ruleExpiry);
    }

    // No matching rule means no grant: fall back to the deny constant.
    PolicyDecision result = (combined != null) ? combined : NEVER_ALLOWED;

    logAuthorizationDecision(username, RESOURCE_LABEL + resourceName + LOG_DELIM + operationType.name() + LOG_DELIM + result);
    return result;
}