/**
 * Reports whether the current entitlement context may {@link Entitlements#SEE_CATALOG_ITEM see}
 * the item identified by {@link #getCatalogItemId}.
 *
 * @return {@code true} when the entitlement manager grants {@code SEE_CATALOG_ITEM} for {@code catalogItemId}
 */
private boolean isEntitledToSeeCatalogItem() {
    boolean allowed = Entitlements.isEntitled(
        mgmt.getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM, catalogItemId);
    return allowed;
}
/**
 * Accepts a registered type only when it is non-null and the current entitlement
 * context may {@link Entitlements#SEE_CATALOG_ITEM see} it (checked by id).
 *
 * @param item the catalog type under test; {@code null} is rejected rather than consulted
 * @return {@code true} if the item is visible to the current context
 */
@Override
public boolean apply(@Nullable RegisteredType item) {
    if (item == null) {
        return false;
    }
    return Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM, item.getId());
}
}
/**
 * Collects the ids of the given entities, silently omitting any the current
 * entitlement context may not {@link Entitlements#SEE_ENTITY see}.
 *
 * @param entities candidate entities, checked one by one against the entitlement manager
 * @return a new mutable list of ids, in iteration order, containing only visible entities
 */
private List<String> entitiesIdAsArray(Iterable<? extends Entity> entities) {
    List<String> visibleIds = Lists.newArrayList();
    for (Entity candidate : entities) {
        boolean visible = Entitlements.isEntitled(
            mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY, candidate);
        if (!visible) {
            continue;  // filtered out rather than rejected: the caller never learns it exists
        }
        visibleIds.add(candidate.getId());
    }
    return visibleIds;
}
/**
 * Builds {@code {id, name}} maps for the given entities, silently omitting any the
 * current entitlement context may not {@link Entitlements#SEE_ENTITY see}.
 *
 * @param entities candidate entities, checked one by one against the entitlement manager
 * @return a new mutable list of immutable two-entry maps, in iteration order
 */
private List<Map<String, String>> entitiesIdAndNameAsList(Collection<? extends Entity> entities) {
    List<Map<String, String>> summaries = Lists.newArrayList();
    for (Entity candidate : entities) {
        boolean visible = Entitlements.isEntitled(
            mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY, candidate);
        if (!visible) {
            continue;  // unentitled entities are dropped, not reported
        }
        Map<String, String> summary = ImmutableMap.of(
            "id", candidate.getId(),
            "name", candidate.getDisplayName());
        summaries.add(summary);
    }
    return summaries;
}
/**
 * Lists the applications the current entitlement context may
 * {@link Entitlements#SEE_ENTITY see}, optionally narrowed by an interface-name regex.
 *
 * @param typeRegex caller-supplied regex matched against application interfaces; blank means "any"
 * @return immutable list of summaries for the visible, matching applications
 */
@Override
public List<ApplicationSummary> list(String typeRegex) {
    // NOTE(review): typeRegex comes straight from the request and is used as a pattern
    // downstream; a pathological pattern could be expensive to evaluate — consider bounding it.
    String effectiveRegex = Strings.isBlank(typeRegex) ? ".*" : typeRegex;
    // Entitlement is filtered first so that unentitled applications never reach the type match.
    return FluentIterable.from(mgmt().getApplications())
        .filter(EntitlementPredicates.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY))
        .filter(EntityPredicates.hasInterfaceMatching(effectiveRegex))
        .transform(ApplicationTransformer.fromApplication(ui.getBaseUriBuilder()))
        .toList();
}
/**
 * Lists the children of an entity that the current entitlement context may
 * {@link Entitlements#SEE_ENTITY see}.
 *
 * @param application id or token of the owning application
 * @param entity id or token of the parent entity
 * @return immutable list of summaries for the visible children
 */
@Override
public List<EntitySummary> getChildren(final String application, final String entity) {
    Entity parent = brooklyn().getEntity(application, entity);
    // NOTE(review): the parent lookup runs before any entitlement filtering; confirm that
    // the lookup itself enforces SEE_ENTITY on the parent.
    return FluentIterable.from(parent.getChildren())
        .filter(EntitlementPredicates.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY))
        .transform(EntityTransformer.fromEntity(ui.getBaseUriBuilder()))
        .toList();
}
/** The "navigator" user may see entities but holds neither ROOT nor effector/sensor rights. */
@Test
public void testNavigatorHasListPermissionsOnly() {
    setup(configBag);
    String requestUri = URI.create("/X").toString();
    WebEntitlementContext navigator = new WebEntitlementContext("navigator", "127.0.0.1", requestUri, "X");
    Entitlements.setEntitlementContext(navigator);

    Assert.assertFalse(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.ROOT, null));
    Assert.assertTrue(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.SEE_ENTITY, app));
    Assert.assertFalse(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.INVOKE_EFFECTOR,
        EntityAndItem.of(app, StringAndArgument.of("any-eff", null))));
    Assert.assertFalse(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.SEE_SENSOR,
        EntityAndItem.of(app, "any-sensor")));

    // effector invocation must be refused for this context as well
    confirmEffectorEntitlement(false);
}
/**
 * Asserts that {@code user} is granted ROOT, SEE_ENTITY, INVOKE_EFFECTOR and SEE_SENSOR,
 * and can invoke effectors, under the entitlement configuration in {@code configBag}.
 *
 * @param user the user name placed into the web entitlement context
 */
public void checkUserHasAllPermissions(String user) {
    setup(configBag);
    String requestUri = URI.create("/X").toString();
    WebEntitlementContext context = new WebEntitlementContext(user, "127.0.0.1", requestUri, "A");
    Entitlements.setEntitlementContext(context);

    Assert.assertTrue(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.ROOT, null));
    Assert.assertTrue(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.SEE_ENTITY, app));
    Assert.assertTrue(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.INVOKE_EFFECTOR,
        EntityAndItem.of(app, StringAndArgument.of("any-eff", null))));
    Assert.assertTrue(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.SEE_SENSOR,
        EntityAndItem.of(app, "any-sensor")));

    // effector invocation must also succeed for this context
    confirmEffectorEntitlement(true);
}
/**
 * Destroys an application, provided the current entitlement context may invoke its
 * DELETE lifecycle effector.
 *
 * @param application id or token of the application to destroy
 * @return 202 Accepted carrying the summary of the asynchronous destroy task
 * @throws WebApplicationException (403) when the context is not entitled to delete
 */
@Override
public Response delete(String application) {
    Application app = brooklyn().getApplication(application);
    // NOTE(review): the lookup precedes the entitlement check; if lookups of unknown ids fail
    // differently from known ones, existence is observable to unentitled callers — confirm.
    boolean mayDelete = Entitlements.isEntitled(
        mgmt().getEntitlementManager(),
        Entitlements.INVOKE_EFFECTOR,
        Entitlements.EntityAndItem.of(app, StringAndArgument.of(Entitlements.LifecycleEffectors.DELETE, null)));
    if (!mayDelete) {
        throw WebResourceUtils.forbidden("User '%s' is not authorized to delete application %s",
            Entitlements.getEntitlementContext().user(), app);
    }
    Task<?> destroyTask = brooklyn().destroy(app);
    TaskSummary summary = TaskTransformer.fromTask(ui.getBaseUriBuilder()).apply(destroyTask);
    return status(ACCEPTED).entity(summary).build();
}
/** With no entitlement manager configured, the default grants everything to a null context. */
@Test
public void testDefaultRootAllows() {
    setup(ConfigBag.newInstance());

    // ROOT, then each of the fine-grained permissions, all with no user/login registered
    Assert.assertTrue(mgmt.getEntitlementManager().isEntitled(null, Entitlements.ROOT, null));
    Assert.assertTrue(mgmt.getEntitlementManager().isEntitled(null, Entitlements.SEE_ENTITY, app));
    Assert.assertTrue(mgmt.getEntitlementManager().isEntitled(null, Entitlements.INVOKE_EFFECTOR,
        EntityAndItem.of(app, StringAndArgument.of("any-eff", null))));
    Assert.assertTrue(mgmt.getEntitlementManager().isEntitled(null, Entitlements.SEE_SENSOR,
        EntityAndItem.of(app, "any-sensor")));
    Assert.assertTrue(mgmt.getEntitlementManager().isEntitled(null, Entitlements.SEE_CONFIG,
        EntityAndItem.of(app, "any-config")));

    // and the method-level checks agree
    confirmEffectorEntitlement(true);
    confirmSensorEntitlement(true);
}
/**
 * Asserts that {@code username} may see entities and sensors but is denied ROOT and
 * effector invocation, under the entitlement configuration in {@code configBag}.
 *
 * @param username the user name placed into the web entitlement context
 */
public void checkUserHasReadOnlyPermissions(String username) {
    setup(configBag);
    String requestUri = URI.create("/X").toString();
    WebEntitlementContext context = new WebEntitlementContext(username, "127.0.0.1", requestUri, "B");
    Entitlements.setEntitlementContext(context);

    Assert.assertFalse(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.ROOT, null));
    Assert.assertTrue(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.SEE_ENTITY, app));
    Assert.assertFalse(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.INVOKE_EFFECTOR,
        EntityAndItem.of(app, StringAndArgument.of("any-eff", null))));
    Assert.assertTrue(Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.SEE_SENSOR,
        EntityAndItem.of(app, "any-sensor")));

    // effector invocation must be refused for a read-only context
    confirmEffectorEntitlement(false);
}
/** The "minimal" entitlement manager denies every permission to a null context. (Currently disabled.) */
@Test(enabled=false)
public void testMinimalDisallows() {
    ConfigBag minimal = ConfigBag.newInstance()
        .configure(Entitlements.GLOBAL_ENTITLEMENT_MANAGER, "minimal");
    setup(minimal);

    Assert.assertFalse(mgmt.getEntitlementManager().isEntitled(null, Entitlements.ROOT, null));
    Assert.assertFalse(mgmt.getEntitlementManager().isEntitled(null, Entitlements.SEE_ENTITY, app));
    Assert.assertFalse(mgmt.getEntitlementManager().isEntitled(null, Entitlements.INVOKE_EFFECTOR,
        EntityAndItem.of(app, StringAndArgument.of("any-eff", null))));
    Assert.assertFalse(mgmt.getEntitlementManager().isEntitled(null, Entitlements.SEE_SENSOR,
        EntityAndItem.of(app, "any-sensor")));
    Assert.assertFalse(mgmt.getEntitlementManager().isEntitled(null, Entitlements.SEE_CONFIG,
        EntityAndItem.of(app, "any-config")));

    // method-level checks must be denied as well
    confirmEffectorEntitlement(false);
    confirmSensorEntitlement(false);
}
/**
 * Removes a sensor from an entity, provided the current entitlement context may
 * {@link Entitlements#MODIFY_ENTITY modify} that entity.
 *
 * @param application id or token of the owning application
 * @param entityToken id or token of the entity
 * @param sensorName name of the attribute sensor to remove
 * @throws WebApplicationException (403) when the context is not entitled to modify the entity
 */
@Override
public void delete(String application, String entityToken, String sensorName) {
    final Entity target = brooklyn().getEntity(application, entityToken);
    // NOTE(review): the entity lookup precedes the MODIFY_ENTITY check; confirm the lookup
    // itself does not reveal existence to callers lacking entitlement.
    boolean mayModify = Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY, target);
    if (!mayModify) {
        throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity '%s'",
            Entitlements.getEntitlementContext().user(), target);
    }
    AttributeSensor<?> sensor = findSensor(target, sensorName);
    // audit trail: record who (entitlement context) removed which sensor
    if (log.isDebugEnabled()) {
        log.debug("REST user "+Entitlements.getEntitlementContext()+" deleting sensor "+sensorName);
    }
    ((EntityInternal)target).sensors().remove(sensor);
}
@SuppressWarnings("deprecation") @Override public void setDeprecated(String itemId, boolean deprecated) { if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM, StringAndArgument.of(itemId, "deprecated"))) { throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog", Entitlements.getEntitlementContext().user()); } CatalogUtils.setDeprecated(mgmt(), itemId, deprecated); }
@SuppressWarnings("deprecation") @Override public void setDisabled(String itemId, boolean disabled) { if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM, StringAndArgument.of(itemId, "disabled"))) { throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog", Entitlements.getEntitlementContext().user()); } CatalogUtils.setDisabled(mgmt(), itemId, disabled); }
/**
 * Reports whether the server has finished starting and is running.
 *
 * @return {@code true} only when a management context exists, its startup is complete and it is running
 * @throws WebApplicationException (403) when the context lacks {@link Entitlements#SERVER_STATUS}
 */
@Override
public boolean isUp() {
    // status is gated like any other endpoint, so unauthenticated probes do not learn server state
    if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS, null)) {
        throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
            Entitlements.getEntitlementContext().user());
    }
    Maybe<ManagementContext> maybeContext = mgmtMaybe();
    if (maybeContext.isAbsent()) {
        return false;
    }
    ManagementContext context = maybeContext.get();
    return context.isStartupComplete() && context.isRunning();
}
/**
 * Serves the icon of a catalog item, provided the current entitlement context may
 * {@link Entitlements#SEE_CATALOG_ITEM see} it.
 *
 * @param itemId id of the catalog item
 * @param version requested version; blank selects the default via {@code processVersion}
 * @return the icon response for the resolved registered type
 * @throws WebApplicationException (403) when the context is not entitled to see the item
 */
@Override
public Response getIcon(String itemId, String version) {
    // The entitlement check sees the id as requested ("id" or "id:version"), i.e. before
    // version normalisation below.
    String requestedItem = Strings.isBlank(version) ? itemId : itemId + ":" + version;
    if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM, requestedItem)) {
        throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog entry",
            Entitlements.getEntitlementContext().user());
    }
    String resolvedVersion = processVersion(version);
    RegisteredType type = mgmt().getTypeRegistry().get(itemId, resolvedVersion);
    return getCatalogItemIcon(type);
}
/**
 * Reports whether the server completed startup but is no longer running, i.e. is shutting down.
 *
 * @return {@code true} only when a management context exists, its startup is complete and it is not running
 * @throws WebApplicationException (403) when the context lacks {@link Entitlements#SERVER_STATUS}
 */
@Override
public boolean isShuttingDown() {
    // status is gated like any other endpoint, so unauthenticated probes do not learn server state
    if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS, null)) {
        throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
            Entitlements.getEntitlementContext().user());
    }
    Maybe<ManagementContext> maybeContext = mgmtMaybe();
    if (maybeContext.isAbsent()) {
        return false;
    }
    ManagementContext context = maybeContext.get();
    return context.isStartupComplete() && !context.isRunning();
}
/**
 * Describes a catalog location, provided the current entitlement context may
 * {@link Entitlements#SEE_CATALOG_ITEM see} it.
 *
 * @param locationId id of the catalog location
 * @param version requested version; blank selects the default via {@code processVersion}
 * @return summary of the resolved location type
 * @throws WebApplicationException (403) when not entitled, (404) when the id/version is unknown
 */
@Override
public CatalogLocationSummary getLocation(String locationId, String version) throws Exception {
    // The entitlement check uses the id as requested ("id" or "id:version"); the
    // version is only normalised afterwards, and the 404 reports the normalised form.
    String requestedItem = Strings.isBlank(version) ? locationId : locationId + ":" + version;
    if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM, requestedItem)) {
        throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog entry",
            Entitlements.getEntitlementContext().user());
    }
    String resolvedVersion = processVersion(version);
    RegisteredType location = brooklyn().getTypeRegistry().get(locationId, resolvedVersion);
    if (location == null) {
        throw WebResourceUtils.notFound("Location with id '%s:%s' not found", locationId, resolvedVersion);
    }
    return CatalogTransformer.catalogLocationSummary(brooklyn(), location, ui.getBaseUriBuilder());
}
/**
 * Reads all config of an entity in one call, provided the current entitlement context may
 * {@link Entitlements#SEE_ENTITY see} it. The read runs as a task so it shows up in the
 * entity's activity view.
 *
 * @param application id or token of the owning application
 * @param entityToken id or token of the entity
 * @param raw whether to return raw (unresolved) config values; interpretation is up to {@code BatchConfigRead}
 * @return the config map produced by the read task
 * @throws WebApplicationException (403) when the context is not entitled to see the entity
 */
@Override
public Map<String, Object> batchConfigRead(String application, String entityToken, Boolean raw) {
    // TODO: add test
    Entity target = brooklyn().getEntity(application, entityToken);
    // NOTE(review): SEE_ENTITY gates the whole read; per-key SEE_CONFIG is not checked here — confirm
    // that BatchConfigRead (not visible in this block) applies it.
    boolean maySee = Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY, target);
    if (!maySee) {
        throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'",
            Entitlements.getEntitlementContext().user(), target);
    }
    Task<Map<String, Object>> readTask = Tasks.<Map<String,Object>>builder()
        .displayName("REST API batch config read")
        .body(new BatchConfigRead(mgmt(), this, target, raw))
        .build();
    return Entities.submit(target, readTask).getUnchecked();
}