/**
 * Returns the secret bytes used to sign and verify JSON Web Tokens (JWT).
 *
 * <p>Delegates to {@code JWTUtils.getJWTSecret}, handing it the private key file reference and
 * the key passphrase stored in {@code this.state}, plus this object's authorization flag.
 * The returned array is signing key material: keep it out of logs, error messages and
 * serialized state.
 *
 * @return the secret produced by {@code JWTUtils.getJWTSecret}
 * @throws IOException propagated from {@code JWTUtils.getJWTSecret}; presumably raised when the
 *         key file cannot be read (confirm against JWTUtils)
 */
protected byte[] getJWTSecret() throws IOException {
    // NOTE(review): what the helper returns when authorization is disabled is decided inside
    // JWTUtils and is not visible here; confirm it never falls back to a predictable secret.
    return JWTUtils.getJWTSecret(
            this.state.privateKeyFileReference,
            this.state.privateKeyPassphrase,
            this.isAuthorizationEnabled());
}
if (this.host.isAuthorizationEnabled()) { AuthorizationContext ctx = op.getAuthorizationContext(); if (ctx == null) {
private DeferredResult<Void> validateUserAuthorization(RequestBrokerState state, Operation startOp) { if (!this.getHost().isAuthorizationEnabled()) { return DeferredResult.completed(null);
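/**
 * Resolves the self link of the user an operation is attributed to.
 *
 * <ul>
 *   <li>no authorization context on the operation: the guest user link;</li>
 *   <li>context marked as system user: the system user link;</li>
 *   <li>authorization enabled on the host: the subject claim of the context;</li>
 *   <li>otherwise: the guest user link.</li>
 * </ul>
 *
 * @param op the operation whose authorization context is inspected
 * @return the self link of the system user, the authenticated subject, or the guest user
 */
private String getSubject(Operation op) {
    if (op.getAuthorizationContext() == null) {
        // The original dereferenced the context unconditionally when authorization was
        // enabled and threw a NullPointerException for an operation without one. Such an
        // operation carries no identity, so attribute it to the least-privileged principal.
        return GuestUserService.SELF_LINK;
    }
    if (op.getAuthorizationContext().isSystemUser()) {
        return SystemUserService.SELF_LINK;
    }
    if (getHost().isAuthorizationEnabled()) {
        // NOTE(review): assumes getClaims() is non-null for any non-system context - confirm.
        return op.getAuthorizationContext().getClaims().getSubject();
    }
    // Authorization is disabled: claims are not consulted and the guest link is reported.
    return GuestUserService.SELF_LINK;
}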
if (host.isAuthorizationEnabled()) { AuthorizationContext ctx = op.getAuthorizationContext(); if (ctx == null) {
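/**
 * Returns the self link of the principal that {@code op} should be attributed to.
 *
 * <p>A system-user context maps to {@code SystemUserService.SELF_LINK}. With authorization
 * enabled, the subject claim of the operation's context is returned. In every other case,
 * including an operation that carries no authorization context at all, the result is
 * {@code GuestUserService.SELF_LINK}.
 *
 * @param op the operation to inspect
 * @return the subject's self link, never derived from a missing context
 */
private String getSubject(Operation op) {
    boolean hasContext = op.getAuthorizationContext() != null;
    if (hasContext && op.getAuthorizationContext().isSystemUser()) {
        return SystemUserService.SELF_LINK;
    }
    // Guard on hasContext: without it, an operation with no context on an
    // authorization-enabled host failed here with a NullPointerException instead of being
    // attributed to the guest user.
    if (hasContext && getHost().isAuthorizationEnabled()) {
        // NOTE(review): presumes the context always carries claims - verify.
        return op.getAuthorizationContext().getClaims().getSubject();
    }
    return GuestUserService.SELF_LINK;
}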
if (getHost().isAuthorizationEnabled() && state.userLink != null) { try { TaskUtils.assumeIdentity(this, op, state.userLink);
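/**
 * Tries to start {@code host} again, retrying until it starts or the deadline derived from
 * the host's operation timeout passes.
 *
 * <p>Every attempt is preceded by a two-second sleep. When authorization is enabled on the
 * host, a fresh {@code AuthorizationContextService} is installed as its authentication
 * service before {@code start()} is called, so the restarted host does not come up without
 * one. A failed attempt stops the host; only a {@code LockObtainFailedException} with
 * {@code failOnIndexDeletion == false} leads to another attempt.
 *
 * @param host the host to start
 * @param failOnIndexDeletion when {@code true}, a {@code LockObtainFailedException} is
 *        treated like any other failure and ends the retry loop
 * @return {@code true} if the host started; {@code false} on a non-retryable failure, on a
 *         failure to stop the host, or when the deadline passed
 * @throws Throwable declared by the signature; an interrupt during the sleep propagates
 */
public static boolean restartStatefulHost(ServiceHost host, boolean failOnIndexDeletion)
        throws Throwable {
    long exp = Utils.fromNowMicrosUtc(host.getOperationTimeoutMicros());
    do {
        Thread.sleep(2000);
        try {
            if (host.isAuthorizationEnabled()) {
                host.setAuthenticationService(new AuthorizationContextService());
            }
            host.start();
            return true;
        } catch (Throwable e) {
            Logger.getAnonymousLogger().warning(String
                    .format("exception on host restart: %s", e.getMessage()));
            try {
                host.stop();
            } catch (Throwable e1) {
                // Previously swallowed without a trace; record why the stop failed so a
                // half-started host is visible in the logs.
                Logger.getAnonymousLogger().warning(String
                        .format("exception stopping host after failed restart: %s", e1));
                return false;
            }
            if (e instanceof LockObtainFailedException && !failOnIndexDeletion) {
                Logger.getAnonymousLogger()
                        .warning("Lock held exception on host restart, retrying");
                continue;
            }
            return false;
        }
    } while (Utils.getSystemNowMicrosUtc() < exp);
    return false;
}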
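/**
 * Restarts a stateful host, retrying while the index lock is still held.
 *
 * <p>The loop sleeps two seconds, installs a new {@code AuthorizationContextService} as the
 * authentication service when the host has authorization enabled, and calls
 * {@code host.start()}. On failure the host is stopped. The attempt is repeated only for a
 * {@code LockObtainFailedException} when {@code failOnIndexDeletion} is {@code false}, and
 * only until the deadline computed from {@code host.getOperationTimeoutMicros()}.
 *
 * @param host the host to restart
 * @param failOnIndexDeletion {@code true} to give up on a {@code LockObtainFailedException}
 *        instead of retrying
 * @return {@code true} once the host has started, {@code false} otherwise
 * @throws Throwable declared by the signature; failures of {@code start()} and
 *         {@code stop()} are caught and reported through the return value
 */
public static boolean restartStatefulHost(ServiceHost host, boolean failOnIndexDeletion)
        throws Throwable {
    final long deadlineMicros = Utils.fromNowMicrosUtc(host.getOperationTimeoutMicros());
    do {
        Thread.sleep(2000);
        try {
            if (host.isAuthorizationEnabled()) {
                host.setAuthenticationService(new AuthorizationContextService());
            }
            host.start();
            return true;
        } catch (Throwable startFailure) {
            Logger.getAnonymousLogger().warning(String
                    .format("exception on host restart: %s", startFailure.getMessage()));

            try {
                host.stop();
            } catch (Throwable stopFailure) {
                // The original returned here silently. Log the cause: a host that failed
                // to stop may still hold resources that block the next restart.
                Logger.getAnonymousLogger().warning(String
                        .format("exception stopping host after failed restart: %s",
                                stopFailure));
                return false;
            }

            boolean retryable =
                    startFailure instanceof LockObtainFailedException && !failOnIndexDeletion;
            if (!retryable) {
                return false;
            }
            Logger.getAnonymousLogger()
                    .warning("Lock held exception on host restart, retrying");
        }
    } while (Utils.getSystemNowMicrosUtc() < deadlineMicros);
    return false;
}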
/**
 * Hands an inbound operation to its target service after the operation processing chain.
 *
 * <p>When no service was resolved by the caller, the target is looked up from the request
 * path; a missing path or an unknown service fails the operation as "service not found".
 * With authorization enabled, the request is not queued directly: queuing is registered as
 * a nested completion on the operation and {@code service.authorizeRequest} is invoked.
 *
 * @param service the already-resolved target, or {@code null} to resolve it from the URI path
 * @param inboundOp the inbound operation to dispatch
 */
private void handleRequestAfterOpProcessingChain(Service service, Operation inboundOp) {
    if (service == null) {
        String requestPath = inboundOp.getUri().getPath();
        if (requestPath == null) {
            Operation.failServiceNotFound(inboundOp);
            return;
        }

        // request service using either prefix or longest match
        service = findService(requestPath, false);
        if (service == null) {
            Operation.failServiceNotFound(inboundOp);
            return;
        }
    }

    traceOperation(inboundOp);

    if (!isAuthorizationEnabled()) {
        // No authorization step: the request goes straight to the service's queue.
        queueOrScheduleRequest(service, inboundOp);
        return;
    }

    // NOTE(review): presumably the single-argument nested completion runs only when
    // authorizeRequest completes the operation successfully - confirm in Operation, since
    // this is what keeps unauthorized requests away from the service.
    final Service authorizedTarget = service;
    inboundOp.nestCompletion((o) -> {
        queueOrScheduleRequest(authorizedTarget, inboundOp);
    });
    service.authorizeRequest(inboundOp);
}
if (!this.isAuthorizationEnabled()) { return true;
/**
 * Filter step that makes sure an operation carries a checked authorization context.
 *
 * <p>If authorization is disabled on the host, or the host has no authorization service,
 * the filter does nothing and processing continues without any authorization check.
 * Otherwise processing is suspended and a consumer is registered that either checks the
 * context already present on the operation or first populates one and then checks it.
 *
 * @param op the operation being filtered
 * @param context the processing context giving access to the host
 * @return {@code CONTINUE_PROCESSING} when no check applies, else {@code SUSPEND_PROCESSING}
 */
@Override
public FilterReturnCode processRequest(Operation op, OperationProcessingContext context) {
    boolean authorizationActive = context.getHost().isAuthorizationEnabled()
            && context.getHost().getAuthorizationService() != null;
    if (!authorizationActive) {
        // authorization is disabled or no authorization service
        return FilterReturnCode.CONTINUE_PROCESSING;
    }

    context.setSuspendConsumer(ignored -> {
        if (op.getAuthorizationContext() == null) {
            // No context yet: build one, then run the same check from the callback.
            populateAuthorizationContext(op, context, (authorizationContext) -> {
                checkAndPopulateAuthzContext(op, context);
            });
            return;
        }
        checkAndPopulateAuthzContext(op, context);
    });
    return FilterReturnCode.SUSPEND_PROCESSING;
}
.thenCompose((ignore) -> { if (!service.getHost().isAuthorizationEnabled()) { return DeferredResult.completed(null);
@Override public FilterReturnCode processRequest(Operation op, OperationProcessingContext context) { if (!context.getHost().isAuthorizationEnabled()) {
/**
 * Runs the authorization-artifact update stage before the transaction notification stage,
 * but only for a privileged service on a host with authorization enabled.
 *
 * <p>In every other case the transaction notification stage is entered directly. When the
 * update stage is used and it fails, pending work is processed if the operation is within
 * a transaction and the request is failed with the reported error.
 *
 * @param op the operation moving through its completion stages
 */
private void checkAndNestAuthupdateCompletionStage(Operation op) {
    boolean updatesAuthzArtifacts = this.getHost().isAuthorizationEnabled()
            && this.getHost().isPrivilegedService(this);
    if (!updatesAuthzArtifacts) {
        processCompletionStageTransactionNotification(op, null);
        return;
    }

    // Register the continuation first, then start the update stage that completes it.
    op.nestCompletion((o, failure) -> {
        if (failure == null) {
            processCompletionStageTransactionNotification(op, null);
            return;
        }
        if (op.isWithinTransaction()) {
            processPending(op);
        }
        failRequest(op, failure);
    });
    processCompletionStageUpdateAuthzArtifacts(op);
}
if (!getHost().isAuthorizationEnabled()) { return builder.build();
Operation op = Operation.createPost(this, state.factoryLink); if (getHost().isAuthorizationEnabled()) { if (state.userLink != null) { try {
/**
 * Authorizes an operation aimed at a {@code ClusterService}.
 *
 * <p>The check is skipped (the result completes successfully) when authorization is
 * disabled on the host or the service is not a {@code ClusterService}. Otherwise the
 * current user's security context decides: a cloud admin is always allowed, a project admin
 * of the project named in the request header is allowed to {@code GET}, and a request
 * accepted by {@code isCreatePKSClusterRequest} is allowed. Everything else fails with
 * {@code IllegalAccessError("forbidden")}.
 *
 * @param service the service receiving the operation
 * @param op the operation to authorize
 * @return a result that completes with {@code null} when allowed and fails when forbidden
 */
private static DeferredResult<Void> handleClusterServiceOp(Service service, Operation op) {
    // Nothing to enforce when authorization is disabled or for services other than
    // ClusterService.
    if (!service.getHost().isAuthorizationEnabled() || !(service instanceof ClusterService)) {
        return DeferredResult.completed(null);
    }

    // The project link comes from a request header, i.e. from the caller; it is only used
    // as the argument of checks evaluated against the user's own security context.
    String requestedProject = OperationUtil.extractProjectFromHeader(op);

    return SecurityContextUtil.getSecurityContextForCurrentUser(service)
            .thenCompose(sc -> {
                if (sc.isCloudAdmin()) {
                    return DeferredResult.completed(null);
                }
                if (op.getAction() == Action.GET && sc.isProjectAdmin(requestedProject)) {
                    return DeferredResult.completed(null);
                }
                if (isCreatePKSClusterRequest(op, sc, requestedProject)) {
                    return DeferredResult.completed(null);
                }
                // Default deny: no rule above matched.
                return DeferredResult.failed(new IllegalAccessError("forbidden"));
            })
            .thenAccept(ignore -> {
            });
}
if (this.isAuthorizationEnabled() && post.getAuthorizationContext() == null) { post.setAuthorizationContext(getGuestAuthorizationContext());