/** * Creates a Map from policy identifier to AccessPolicy. * * @param policies the set of all access policies * @return the Map from policy identifier to AccessPolicy */ private Map<String, AccessPolicy> createPoliciesByIdMap(final Set<AccessPolicy> policies) { Map<String,AccessPolicy> policyMap = new HashMap<>(); for (AccessPolicy policy : policies) { policyMap.put(policy.getIdentifier(), policy); } return policyMap; }
@Override public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException { return policies.stream().filter(p -> p.getIdentifier().equals(identifier)).findFirst().get(); }
/** * Determines whether the specified access policy is configurable. Provides the opportunity for a ConfigurableAccessPolicyProvider to prevent * editing of a specific access policy. By default, all known access policies are configurable. * * @param accessPolicy the access policy * @return is configurable */ default boolean isConfigurable(AccessPolicy accessPolicy) { if (accessPolicy == null) { throw new IllegalArgumentException("Access policy cannot be null"); } return getAccessPolicy(accessPolicy.getIdentifier()) != null; }
private void writePolicy(final XMLStreamWriter writer, final AccessPolicy policy) throws XMLStreamException { // sort the users for the policy List<String> policyUsers = new ArrayList<>(policy.getUsers()); Collections.sort(policyUsers); // sort the groups for this policy List<String> policyGroups = new ArrayList<>(policy.getGroups()); Collections.sort(policyGroups); writer.writeStartElement(POLICY_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policy.getIdentifier()); writer.writeAttribute(RESOURCE_ATTR, policy.getResource()); writer.writeAttribute(ACTIONS_ATTR, policy.getAction().name()); for (String policyUser : policyUsers) { writer.writeStartElement(POLICY_USER_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyUser); writer.writeEndElement(); } for (String policyGroup : policyGroups) { writer.writeStartElement(POLICY_GROUP_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyGroup); writer.writeEndElement(); } writer.writeEndElement(); }
private void writePolicy(final XMLStreamWriter writer, final AccessPolicy policy) throws XMLStreamException { // sort the users for the policy List<String> policyUsers = new ArrayList<>(policy.getUsers()); Collections.sort(policyUsers); // sort the groups for this policy List<String> policyGroups = new ArrayList<>(policy.getGroups()); Collections.sort(policyGroups); writer.writeStartElement(POLICY_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policy.getIdentifier()); writer.writeAttribute(RESOURCE_ATTR, policy.getResource()); writer.writeAttribute(ACTIONS_ATTR, policy.getAction().name()); for (String policyUser : policyUsers) { writer.writeStartElement(POLICY_USER_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyUser); writer.writeEndElement(); } for (String policyGroup : policyGroups) { writer.writeStartElement(POLICY_GROUP_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyGroup); writer.writeEndElement(); } writer.writeEndElement(); }
/** * Initializes the builder with the state of the provided policy. When using this constructor * the identifier field of the builder can not be changed and will result in an IllegalStateException * if attempting to do so. * * @param other the existing access policy to initialize from */ public Builder(final AccessPolicy other) { if (other == null) { throw new IllegalArgumentException("Can not initialize builder with a null access policy"); } this.identifier = other.getIdentifier(); this.resource = other.getResource(); this.action = other.getAction(); this.users.clear(); this.users.addAll(other.getUsers()); this.groups.clear(); this.groups.addAll(other.getGroups()); this.fromPolicy = true; }
@Override public synchronized AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException { if (accessPolicy == null) { throw new IllegalArgumentException("AccessPolicy cannot be null"); } // create the new JAXB Policy final Policy policy = createJAXBPolicy(accessPolicy); // add the new Policy to the top-level list of policies final AuthorizationsHolder holder = authorizationsHolder.get(); final Authorizations authorizations = holder.getAuthorizations(); authorizations.getPolicies().getPolicy().add(policy); saveAndRefreshHolder(authorizations); return authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier()); }
private AccessPolicyEntity createAccessPolicyEntity(final AccessPolicy accessPolicy) { final RevisionDTO revision = dtoFactory.createRevisionDTO(revisionManager.getRevision(accessPolicy.getIdentifier())); final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicy.getIdentifier())); final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource()); return entityFactory.createAccessPolicyEntity( dtoFactory.createAccessPolicyDto(accessPolicy, accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()), accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()), componentReference), revision, permissions); }
/** * Checks if another policy exists with the same resource and action as the given policy. * * @param checkAccessPolicy an access policy being checked * @return true if another access policy exists with the same resource and action, false otherwise */ private static boolean policyExists(final AccessPolicyProvider accessPolicyProvider, final AccessPolicy checkAccessPolicy) { for (AccessPolicy accessPolicy : accessPolicyProvider.getAccessPolicies()) { if (!accessPolicy.getIdentifier().equals(checkAccessPolicy.getIdentifier()) && accessPolicy.getResource().equals(checkAccessPolicy.getResource()) && accessPolicy.getAction().equals(checkAccessPolicy.getAction())) { return true; } } return false; }
@Override public synchronized AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException { if (accessPolicy == null) { throw new IllegalArgumentException("AccessPolicy cannot be null"); } final AuthorizationsHolder holder = this.authorizationsHolder.get(); final Authorizations authorizations = holder.getAuthorizations(); // find the matching Policy and remove it boolean deletedPolicy = false; Iterator<Policy> policyIter = authorizations.getPolicies().getPolicy().iterator(); while (policyIter.hasNext()) { final Policy policy = policyIter.next(); if (policy.getIdentifier().equals(accessPolicy.getIdentifier())) { policyIter.remove(); deletedPolicy = true; break; } } // never found a matching Policy so return null if (!deletedPolicy) { return null; } saveAndRefreshHolder(authorizations); return accessPolicy; }
@Override public String toString() { return String.format("identifier[%s], resource[%s], users[%s], groups[%s], action[%s]", getIdentifier(), getResource(), getUsers(), getGroups(), getAction()); }
@Override public synchronized AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException { if (accessPolicy == null) { throw new IllegalArgumentException("AccessPolicy cannot be null"); } final AuthorizationsHolder holder = this.authorizationsHolder.get(); final Authorizations authorizations = holder.getAuthorizations(); // try to find an existing Authorization that matches the policy id Policy updatePolicy = null; for (Policy policy : authorizations.getPolicies().getPolicy()) { if (policy.getIdentifier().equals(accessPolicy.getIdentifier())) { updatePolicy = policy; break; } } // no matching Policy so return null if (updatePolicy == null) { return null; } // update the Policy, save, reload, and return transferUsersAndGroups(accessPolicy, updatePolicy); saveAndRefreshHolder(authorizations); return this.authorizationsHolder.get().getPoliciesById().get(accessPolicy.getIdentifier()); }
private AccessPolicySummaryEntity createAccessPolicySummaryEntity(final AccessPolicy ap) { final ComponentReferenceEntity componentReference = createComponentReferenceEntity(ap.getResource()); final AccessPolicySummaryDTO apSummary = dtoFactory.createAccessPolicySummaryDto(ap, componentReference); final PermissionsDTO apPermissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(ap.getIdentifier())); final RevisionDTO apRevision = dtoFactory.createRevisionDTO(revisionManager.getRevision(ap.getIdentifier())); return entityFactory.createAccessPolicySummaryEntity(apSummary, apRevision, apPermissions); }
/** * Clean up the policies for the specified component resource. * * @param componentResource the resource for the component */ private void cleanUpPolicies(final Resource componentResource) { // ensure the authorizer supports configuration if (accessPolicyDAO.supportsConfigurableAuthorizer()) { final List<Resource> resources = new ArrayList<>(); resources.add(componentResource); resources.add(ResourceFactory.getDataResource(componentResource)); resources.add(ResourceFactory.getProvenanceDataResource(componentResource)); resources.add(ResourceFactory.getDataTransferResource(componentResource)); resources.add(ResourceFactory.getPolicyResource(componentResource)); for (final Resource resource : resources) { for (final RequestAction action : RequestAction.values()) { try { // since the component is being deleted, also delete any relevant access policies final AccessPolicy readPolicy = accessPolicyDAO.getAccessPolicy(action, resource.getIdentifier()); if (readPolicy != null) { accessPolicyDAO.deleteAccessPolicy(readPolicy.getIdentifier()); } } catch (final Exception e) { logger.warn(String.format("Unable to remove access policy for %s %s after component removal.", action, resource.getIdentifier()), e); } } } } }
/** * Attempts to roll back all policies for the specified component. This includes the component resource, data resource * for the component, view provenance resource for the component, data transfer resource for the component, and policy resource for the component. * * @param componentResource component resource */ private void rollbackClonedPolicy(final Resource componentResource) { if (!accessPolicyDAO.supportsConfigurableAuthorizer()) { return; } final List<Resource> resources = new ArrayList<>(); resources.add(componentResource); resources.add(ResourceFactory.getDataResource(componentResource)); resources.add(ResourceFactory.getProvenanceDataResource(componentResource)); resources.add(ResourceFactory.getDataTransferResource(componentResource)); resources.add(ResourceFactory.getPolicyResource(componentResource)); for (final Resource resource : resources) { for (final RequestAction action : RequestAction.values()) { final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(action, resource.getIdentifier()); if (accessPolicy != null) { try { accessPolicyDAO.deleteAccessPolicy(accessPolicy.getIdentifier()); } catch (final Exception e) { logger.warn(String.format("Unable to clean up cloned access policy for %s %s after failed copy/paste action.", action, componentResource.getIdentifier()), e); } } } } }
@Override public AccessPolicy updateAccessPolicy(final AccessPolicyDTO accessPolicyDTO) { if (supportsConfigurableAuthorizer()) { final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider; final AccessPolicy currentAccessPolicy = getAccessPolicy(accessPolicyDTO.getId()); return configurableAccessPolicyProvider.updateAccessPolicy(buildAccessPolicy(currentAccessPolicy.getIdentifier(), currentAccessPolicy.getResource(), currentAccessPolicy.getAction(), accessPolicyDTO)); } else { throw new IllegalStateException(MSG_NON_CONFIGURABLE_POLICIES); } }
private Policy createJAXBPolicy(final AccessPolicy accessPolicy) { final Policy policy = new Policy(); policy.setIdentifier(accessPolicy.getIdentifier()); policy.setResource(accessPolicy.getResource()); switch (accessPolicy.getAction()) { case READ: policy.setAction(READ_CODE); break; case WRITE: policy.setAction(WRITE_CODE); break; default: break; } transferUsersAndGroups(accessPolicy, policy); return policy; }
public AccessPolicySummaryDTO createAccessPolicySummaryDto(final AccessPolicy accessPolicy, final ComponentReferenceEntity componentReference) { if (accessPolicy == null) { return null; } final AccessPolicySummaryDTO dto = new AccessPolicySummaryDTO(); dto.setId(accessPolicy.getIdentifier()); dto.setResource(accessPolicy.getResource()); dto.setAction(accessPolicy.getAction().toString()); dto.setConfigurable(AuthorizerCapabilityDetection.isAccessPolicyConfigurable(authorizer, accessPolicy)); dto.setComponentReference(componentReference); return dto; }
/** * Generates an audit record for the creation of a policy. * * @param policy policy * @param operation operation * @param actionDetails details * @return action */ public Action generateAuditRecord(AccessPolicy policy, Operation operation, ActionDetails actionDetails) { FlowChangeAction action = null; // get the current user NiFiUser user = NiFiUserUtils.getNiFiUser(); // ensure the user was found if (user != null) { // create the policy action for adding this policy action = new FlowChangeAction(); action.setUserIdentity(user.getIdentity()); action.setOperation(operation); action.setTimestamp(new Date()); action.setSourceId(policy.getIdentifier()); action.setSourceName(formatPolicyName(policy)); action.setSourceType(Component.AccessPolicy); if (actionDetails != null) { action.setActionDetails(actionDetails); } } return action; }
public AccessPolicyDTO createAccessPolicyDto(final AccessPolicy accessPolicy, final Set<TenantEntity> userGroups, final Set<TenantEntity> users, final ComponentReferenceEntity componentReference) { if (accessPolicy == null) { return null; } final AccessPolicyDTO dto = new AccessPolicyDTO(); dto.setUserGroups(userGroups); dto.setUsers(users); dto.setId(accessPolicy.getIdentifier()); dto.setResource(accessPolicy.getResource()); dto.setAction(accessPolicy.getAction().toString()); dto.setConfigurable(AuthorizerCapabilityDetection.isAccessPolicyConfigurable(authorizer, accessPolicy)); dto.setComponentReference(componentReference); return dto; }