private static boolean doCheckPermissions(StreamlineAuthorizer authorizer, Principal principal, String targetEntityNamespace, Long targetEntityId, EnumSet<Permission> permissions) { AuthenticationContext authenticationCtx = SecurityUtil.getAuthenticationContext(principal); return authorizer.hasPermissions(authenticationCtx, targetEntityNamespace, targetEntityId, permissions); }
private void validateAuthenticationContext(AuthenticationContext ctx) { if (ctx == null || ctx.getPrincipal() == null) { throw new AuthorizationException("No principal in AuthenticationContext"); } }
/** * Executes the supplied action. If {@link SecurityUtil#isKerberosAuthenticated(javax.ws.rs.core.SecurityContext)} * returns true, it wraps the action execution with Subject.doAs(subject, action), where subject is created * for every call by {@link SecurityUtil#getSubject} */ public static <T, E extends Exception> T execute(SupplierException<T, E> action, SecurityContext securityContext) throws E, PrivilegedActionException { return execute(action, securityContext, getSubject()); }
private boolean checkPermissions(AuthenticationContext ctx, String targetEntityNamespace, Long targetEntityId, EnumSet<Permission> permissions) { validateAuthenticationContext(ctx); String userName = SecurityUtil.getUserName(ctx); User user = catalogService.getUser(userName); if (user == null || user.getId() == null) { String msg = String.format("No such user '%s'", userName); LOG.warn(msg); throw new AuthorizationException(msg); } return userHasRole(user, Roles.ROLE_ADMIN) || catalogService.checkUserPermissions(targetEntityNamespace, targetEntityId, user.getId(), permissions); }
private boolean checkRole(AuthenticationContext ctx, String role) { validateAuthenticationContext(ctx); String userName = SecurityUtil.getUserName(ctx); User user = catalogService.getUser(userName); if (user == null) { String msg = String.format("No such user '%s'", userName); LOG.warn(msg); throw new AuthorizationException(msg); } return userHasRole(user, Roles.ROLE_ADMIN) || userHasRole(user, role); }
private boolean shouldAllowAclGet(AclEntry aclEntry, SecurityContext securityContext) { if (SecurityUtil.hasRole(authorizer, securityContext, ROLE_SECURITY_ADMIN)) { return true; } User currentUser = getCurrentUser(securityContext); Set<Role> currentUserRoles = catalogService.getAllUserRoles(currentUser); return matches(aclEntry, currentUser, currentUserRoles); }
public static void checkRoleOrPermissions(StreamlineAuthorizer authorizer, SecurityContext securityContext, String role, String targetEntityNamespace, Long targetEntityId, Permission first, Permission... rest) { if (!SecurityUtil.hasRole(authorizer, securityContext, role)) { SecurityUtil.checkPermissions(authorizer, securityContext, targetEntityNamespace, targetEntityId, first, rest); } else { LOG.debug("Allowing since user has role: '{}'", role); } }
/** * @return the map specified as argument only if Kerberos authentication is enabled and map !=null && !map.isEmpty() */ private Map<String, List<Principal>> getMapIfSecureIfNotEmpty(Map<String, List<Principal>> map) { return SecurityUtil.isKerberosAuthenticated(securityContext) && map != null && !map.isEmpty() ? map : null; }
public static String getUserName(AuthenticationContext context) { return context.getPrincipal() == null ? null : getUserName(context.getPrincipal().getName()); }
private <T, E extends Exception> T executeSecure(SupplierException<T, E> action) throws PrivilegedActionException, E { return SecurityUtil.execute(action, securityContext, subject); }
public static boolean hasRole(StreamlineAuthorizer authorizer, SecurityContext securityContext, String... roles) { Principal principal = securityContext.getUserPrincipal(); AuthenticationContext authenticationCtx = SecurityUtil.getAuthenticationContext(principal); for (String role : roles) { if (!authorizer.hasRole(authenticationCtx, role)) { LOG.debug("Principal: " + principal + " does not have role: " + role); return false; } } return true; }
private static AuthenticationContext getAuthenticationContext(Principal principal) { AuthenticationContext context = new AuthenticationContext(); context.setPrincipal(principal); return context; }
public static void addAcl(StreamlineAuthorizer authorizer, SecurityContext securityContext, String targetEntityNamespace, Long targetEntityId, EnumSet<Permission> permissions) { AuthenticationContext ctx = SecurityUtil.getAuthenticationContext(securityContext.getUserPrincipal()); authorizer.addAcl(ctx, targetEntityNamespace, targetEntityId, true, true, permissions); }
public static void removeAcl(StreamlineAuthorizer authorizer, SecurityContext securityContext, String targetEntityNamespace, Long targetEntityId) { AuthenticationContext ctx = SecurityUtil.getAuthenticationContext(securityContext.getUserPrincipal()); authorizer.removeAcl(ctx, targetEntityNamespace, targetEntityId); }
public static void checkPermissions(StreamlineAuthorizer authorizer, SecurityContext securityContext, String targetEntityNamespace, Long targetEntityId, Permission first, Permission... rest) { Principal principal = securityContext.getUserPrincipal(); EnumSet<Permission> permissions = EnumSet.of(first, rest); if (!doCheckPermissions(authorizer, principal, targetEntityNamespace, targetEntityId, permissions)) { throw new WebserviceAuthorizationException("Principal: " + principal + " does not have permissions: " + permissions + " on namespace: " + targetEntityNamespace + " id: " + targetEntityId); } }
private Map<String, String> getStringsMapIfSecureIfNotEmpty(Map<String, String> map) { return SecurityUtil.isKerberosAuthenticated(securityContext) && map != null && !map.isEmpty() ? map : null; }
private <T, E extends Exception> T executeSecure(SupplierException<T, E> action) throws PrivilegedActionException, E { return SecurityUtil.execute(action, securityContext, subject); }
public static void checkRole(StreamlineAuthorizer authorizer, SecurityContext securityContext, String... roles) { Principal principal = securityContext.getUserPrincipal(); AuthenticationContext authenticationCtx = SecurityUtil.getAuthenticationContext(principal); for (String role : roles) { if (!authorizer.hasRole(authenticationCtx, role)) { throw new WebserviceAuthorizationException("Principal: " + principal + " does not have role: " + role); } } }
public Authentication(SecurityContext securityContext) { if (SecurityUtil.isKerberosAuthenticated(securityContext)) { enabled = true; scheme = securityContext.getAuthenticationScheme(); } else { enabled = false; } }
public static <T, E extends Exception> T execute(SupplierException<T, E> action, SecurityContext securityContext, User user) throws E, PrivilegedActionException, IOException, InterruptedException { if (user != null && SecurityUtil.isKerberosAuthenticated(securityContext)) { LOG.debug("Executing action [{}] for user [{}] with security context [{}] using Kerberos authentication", action, securityContext, user); return user.runAs((PrivilegedExceptionAction<T>) action::get); } else { LOG.debug("Executing action [{}] for user [{}] with security context [{}] without Kerberos authentication", action, securityContext, user); return action.get(); } }