/**
 * Reports whether the caller holds either the project-admin or the project-member
 * role on {@code projectLink}, as answered by the given security context.
 *
 * @param projectLink document link of the project being checked
 * @param sc          security context of the current user
 * @return {@code true} if {@code sc} is admin or member of the project
 */
private static boolean isProjectAdminOrProjectMember(String projectLink, SecurityContext sc) {
    boolean admin = sc.isProjectAdmin(projectLink);
    // Short-circuit kept: the member lookup only runs when the admin lookup fails.
    return admin || sc.isProjectMember(projectLink);
}
}
/**
 * Builds a {@link SecurityContext} carrying the identity and role data of {@code roles}.
 * Every field is copied by reference; in particular {@code projects} and {@code roles}
 * stay shared with the given {@code PrincipalRoles} instance rather than being copied.
 *
 * @param roles principal roles to convert; must not be {@code null}
 * @return a freshly created security context populated from {@code roles}
 */
public static SecurityContext fromPrincipalRolesToSecurityContext(PrincipalRoles roles) {
    SecurityContext result = new SecurityContext();
    result.id = roles.id;
    result.email = roles.email;
    result.name = roles.name;
    result.roles = roles.roles;
    result.projects = roles.projects;
    return result;
}
/**
 * Reports whether this context grants {@link AuthRole#PROJECT_ADMIN} on {@code projectLink}.
 *
 * @param projectLink document link of the project
 * @return {@code true} if a project entry with the admin role matches the link
 */
public boolean isProjectAdmin(String projectLink) {
    AuthRole required = AuthRole.PROJECT_ADMIN;
    return checkProjectRoleInProjectEntries(required, projectLink);
}
/**
 * Authorizes {@code op} against the caller's security context when the target is a
 * {@link ClusterService}. Resolves normally when the request is permitted and fails
 * with {@link IllegalAccessError}("forbidden") otherwise.
 *
 * Permitted cases, in order of evaluation:
 * <ul>
 *   <li>authorization is disabled on the host (no check is performed at all);</li>
 *   <li>the service is not a {@link ClusterService};</li>
 *   <li>the caller is a cloud admin;</li>
 *   <li>the action is {@code GET} and the caller is admin of the project named in the
 *       request header;</li>
 *   <li>{@code isCreatePKSClusterRequest} accepts the request.</li>
 * </ul>
 *
 * @param service the service handling the operation
 * @param op      the operation to authorize
 * @return a deferred result completed when allowed, failed when forbidden
 */
private static DeferredResult<Void> handleClusterServiceOp(Service service, Operation op) {
    // With authn switched off there is no authorization check either.
    if (!service.getHost().isAuthorizationEnabled()) {
        return DeferredResult.completed(null);
    }
    // Only cluster services are guarded here; anything else passes through.
    if (!(service instanceof ClusterService)) {
        return DeferredResult.completed(null);
    }
    // NOTE(review): the project link is taken from a request header; whatever
    // extractProjectFromHeader returns for a missing header (possibly null) is
    // handed to isProjectAdmin unchanged — confirm a null link can never match.
    String projectLink = OperationUtil.extractProjectFromHeader(op);
    return SecurityContextUtil.getSecurityContextForCurrentUser(service)
            .thenCompose(sc -> {
                // Cloud admins may perform any action.
                if (sc.isCloudAdmin()) {
                    return DeferredResult.completed(null);
                }
                // Project admins may read the cluster of their own project.
                boolean readByProjectAdmin =
                        op.getAction() == Action.GET && sc.isProjectAdmin(projectLink);
                if (readByProjectAdmin) {
                    return DeferredResult.completed(null);
                }
                if (isCreatePKSClusterRequest(op, sc, projectLink)) {
                    return DeferredResult.completed(null);
                }
                return DeferredResult.failed(new IllegalAccessError("forbidden"));
            })
            .thenAccept(ignore -> { });
}
if (!sc.isCloudAdmin()) { String errorMessage = String.format( UNAUTHORIZED_ACCESS_FOR_ACTION_OF_RESOURCES_MESSAGE,
assertEquals(testProject.name, entry.name); assertEquals(testProject.documentSelfLink, entry.documentSelfLink); assertTrue(securityContext[0].isProjectViewer(testProject.documentSelfLink));
.thenCompose(sc -> { if (sc.isProjectAdmin(state.documentSelfLink) && !sc.isCloudAdmin()) { delete.fail(Operation.STATUS_CODE_FORBIDDEN); return DeferredResult
/**
 * Checks that {@code context} holds at least the project-member role on the project
 * {@code entry} refers to; project viewers, and users with no role on it, are rejected.
 *
 * @param entry   project entry whose {@code documentSelfLink} identifies the project
 * @param context security context of the requesting user
 * @return a completed result when authorized, otherwise a result failed with an
 *         {@link IllegalAccessError} stating that viewers cannot operate on resources
 */
private DeferredResult<Void> isUserAuthorized(ProjectEntry entry, SecurityContext context) {
    String projectLink = entry.documentSelfLink;
    boolean allowed = context.isProjectAdmin(projectLink)
            || context.isProjectMember(projectLink);
    if (!allowed) {
        return DeferredResult.failed(new IllegalAccessError(
                "Project Viewer cannot request " + "operations over resources."));
    }
    return DeferredResult.completed(null);
}
/**
 * Exercises the private {@code isUserAuthorized} hook of {@link RequestBrokerService}
 * via reflection: a context with no project entries must be refused, and one holding
 * a {@code PROJECT_ADMIN} entry for the same link must be accepted.
 */
@Test
public void testIsUserAuthorized() throws Throwable {
    RequestBrokerService broker = new RequestBrokerService();
    Method target = broker.getClass().getDeclaredMethod("isUserAuthorized",
            SecurityContext.ProjectEntry.class, SecurityContext.class);
    target.setAccessible(true);

    SecurityContext.ProjectEntry adminEntry = new SecurityContext.ProjectEntry();
    adminEntry.documentSelfLink = "link";
    adminEntry.roles = new HashSet<>();
    adminEntry.roles.add(AuthRole.PROJECT_ADMIN);

    SecurityContext context = new SecurityContext();
    context.projects = new ArrayList<>();

    // No project entries yet: the request must be refused.
    @SuppressWarnings("unchecked")
    DeferredResult<Void> refused = (DeferredResult<Void>) target.invoke(broker, adminEntry, context);
    assertNotNull(refused);
    assertTrue(refused.toCompletionStage().toCompletableFuture().isCompletedExceptionally());

    // Grant the admin entry: the same request must now complete normally.
    context.projects.add(adminEntry);
    @SuppressWarnings("unchecked")
    DeferredResult<Void> granted = (DeferredResult<Void>) target.invoke(broker, adminEntry, context);
    assertNotNull(granted);
    assertTrue(granted.toCompletionStage().toCompletableFuture().isDone());
    assertFalse(granted.toCompletionStage().toCompletableFuture().isCancelled());
    assertFalse(granted.toCompletionStage().toCompletableFuture().isCompletedExceptionally());
}
/**
 * Reports whether this context grants {@link AuthRole#PROJECT_MEMBER} on {@code projectLink}.
 *
 * @param projectLink document link of the project
 * @return {@code true} if a project entry with the member role matches the link
 */
public boolean isProjectMember(String projectLink) {
    AuthRole required = AuthRole.PROJECT_MEMBER;
    return checkProjectRoleInProjectEntries(required, projectLink);
}
&& dto.password.equals(EncryptionUtils.decrypt(password))) { SecurityContext sc = new SecurityContext(); sc.id = username; sc.roles = new HashSet<>(Arrays.asList(AuthRole.CLOUD_ADMIN));
/**
 * Reports whether this context grants {@link AuthRole#PROJECT_VIEWER} on {@code projectLink}.
 *
 * @param projectLink document link of the project
 * @return {@code true} if a project entry with the viewer role matches the link
 */
public boolean isProjectViewer(String projectLink) {
    AuthRole required = AuthRole.PROJECT_VIEWER;
    return checkProjectRoleInProjectEntries(required, projectLink);
}