@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { AuthorizationResult authorizationResult = context.authorize(operation); if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) { throw ControllerMessages.MESSAGES.unauthorized(operation.get(OP).asString(), PathAddress.pathAddress(operation.get(OP_ADDR)), authorizationResult.getExplanation()); } try { String name = persister.snapshot(); context.getResult().set(name); } catch (ConfigurationPersistenceException e) { throw new OperationFailedException(e); } context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER); }
/** * Utility method to throw a standard failure if {@link #getDecision()} is * {@link org.jboss.as.controller.access.AuthorizationResult.Decision#DENY}. * <p> * This variant extracts the target address from the {@code address} field in the {@code operation} param * and then calls the {@linkplain #failIfDenied(ModelNode, PathAddress) overloaded variant}. * </p> * * @param operation the operation the triggered this authorization result. Cannot be {@code null} * @throws OperationFailedException if {@link #getDecision()} is * {@link org.jboss.as.controller.access.AuthorizationResult.Decision#DENY} */ public void failIfDenied(ModelNode operation) throws OperationFailedException { failIfDenied(operation, PathAddress.pathAddress(operation.get(OP_ADDR))); }
private AuthorizationResult authorize(PermissionCollection userPermissions, PermissionCollection requiredPermissions) { final Enumeration<Permission> enumeration = requiredPermissions.elements(); while (enumeration.hasMoreElements()){ Permission requiredPermission = enumeration.nextElement(); if (!userPermissions.implies(requiredPermission)) { return new AuthorizationResult(AuthorizationResult.Decision.DENY, new ModelNode(ControllerLogger.ROOT_LOGGER.permissionDenied())); } } return AuthorizationResult.PERMITTED; }
private void doExecuteInternal(OperationContext context, ModelNode operation) throws OperationFailedException { ModelNode value = context.hasResult() ? context.getResult().clone() : new ModelNode(); AuthorizationResult authorizationResult = context.authorize(operation, operation.require(NAME).asString(), value); if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) { context.getResult().clear(); throw ControllerMessages.MESSAGES.unauthorized(operation.require(OP).asString(), PathAddress.pathAddress(operation.get(OP_ADDR)), authorizationResult.getExplanation()); } context.stepCompleted(); } }
private void doExecuteInternal(OperationContext context, ModelNode operation) throws OperationFailedException { ModelNode value = context.hasResult() ? context.getResult().clone() : new ModelNode(); AuthorizationResult authorizationResult = context.authorize(operation, operation.require(NAME).asString(), value); if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) { context.getResult().clear(); throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.require(OP).asString(), context.getCurrentAddress(), authorizationResult.getExplanation()); } } }
private void authorize(boolean allAttributes, Set<Action.ActionEffect> actionEffects) { AuthorizationResult accessResult = authorize(activeStep.operationId, activeStep.operation, false, ADDRESS); if (accessResult.getDecision() == AuthorizationResult.Decision.DENY) { if (activeStep.address.size() > 0) { throw ControllerMessages.MESSAGES.managementResourceNotFound(activeStep.address); } else { // WFLY-2037 -- the root resource isn't hidden; if we hit this it means the user isn't authorized throw ControllerMessages.MESSAGES.unauthorized(activeStep.operationId.name, activeStep.address, accessResult.getExplanation()); } } AuthorizationResult authResult = authorize(activeStep.operationId, activeStep.operation, allAttributes, actionEffects); if (authResult.getDecision() == AuthorizationResult.Decision.DENY) { throw ControllerMessages.MESSAGES.unauthorized(activeStep.operationId.name, activeStep.address, authResult.getExplanation()); } }
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { ModelNode op = operation.require(VALUE.getName()); PathAddress addr = PathAddress.pathAddress(op.get(OP_ADDR)); if (slave) { op = op.clone(); if (addr.size() > 0 && addr.getElement(0).getKey().equals(HOST)) { addr = addr.subAddress(1); op.get(OP_ADDR).set(addr.toModelNode()); for (PathElement element : addr) { proxyAddr = proxyAddr.append(element); ImmutableManagementResourceRegistration reg = context.getResourceRegistration().getSubModel(proxyAddr); if (reg != null && reg.isRemote()) { translator = element.getKey().equals(SERVER) ? ProxyOperationAddressTranslator.SERVER : ProxyOperationAddressTranslator.HOST; proxyReg = reg; final ModelNode result = new ModelNode(); context.addStep(result, proxyOp, proxyReg.getOperationHandler(PathAddress.EMPTY_ADDRESS, VALIDATE_OPERATION), Stage.MODEL, true); context.completeStep(new OperationContext.RollbackHandler() { } else { try { if (authorize(context, op, operation).getDecision() == Decision.DENY) { context.getFailureDescription().set(MESSAGES.managementResourceNotFoundMessage(addr)); } else { new OperationValidator(context.getResourceRegistration(), false, false).validateOperation(op);
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { final ModelNode address = operation.require(VALUE); final PathAddress pathAddr = PathAddress.pathAddress(address); final Resource resource = context.readResource(PathAddress.EMPTY_ADDRESS); Resource model = resource; final Iterator<PathElement> iterator = pathAddr.iterator(); PathAddress current = PathAddress.EMPTY_ADDRESS; out: while(iterator.hasNext()) { final PathElement next = iterator.next(); current = current.append(next); final ImmutableManagementResourceRegistration registration = context.getResourceRegistration().getSubModel(current); if(registration != null && registration.isRemote()) { final ModelNode newOperation = operation.clone(); newOperation.get(OP_ADDR).set(current.toModelNode()); final OperationStepHandler proxyHandler = registration.getOperationHandler(PathAddress.EMPTY_ADDRESS, OPERATION_NAME); if(proxyHandler != null) { context.addStep(newOperation, proxyHandler, OperationContext.Stage.MODEL, true); context.getResult().get(PROBLEM).set(ControllerMessages.MESSAGES.childResourceNotFound(next)); if (authorize(context, current, operation).getDecision() == Decision.DENY) { context.getResult().get(VALID).set(false); context.getResult().get(PROBLEM).set(ControllerMessages.MESSAGES.managementResourceNotFoundMessage(current));
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { throw new OperationFailedException(ControllerLogger.ROOT_LOGGER.unknownChildType(childType)); final boolean singletons = INCLUDE_SINGLETONS.resolveModelAttribute(context, operation).asBoolean(false); if (singletons && isSingletonResource(registry, childType)) { Set<PathElement> childTypes = registry.getChildAddresses(PathAddress.EMPTY_ADDRESS); for (PathElement child : childTypes) { if (childType.equals(child.getKey())) { ModelNode result = context.getResult(); result.setEmptyList(); PathAddress childAddress = address.append(PathElement.pathElement(childType)); ModelNode op = Util.createEmptyOperation(READ_RESOURCE_OPERATION, childAddress); op.get(OPERATION_HEADERS).set(operation.get(OPERATION_HEADERS)); ModelNode opAddr = op.get(OP_ADDR); ModelNode childProperty = opAddr.require(address.size()); Set<Action.ActionEffect> actionEffects = EnumSet.of(Action.ActionEffect.ADDRESS); FilteredData fd = null; for (String childName : childNames) { childProperty.set(childType, new ModelNode(childName)); if (context.authorize(op, actionEffects).getDecision() == AuthorizationResult.Decision.PERMIT) { result.add(childName); } else {
final String opName = operation.require(OP).asString(); final PathAddress address = PathAddress.pathAddress(operation.get(OP_ADDR)); context.addStep(assemblyHandler, queryRuntime ? OperationContext.Stage.VERIFY : OperationContext.Stage.MODEL, true); final ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); PathAddress absoluteChildAddr = address.append(childPE); PathAddress relativeAddr = PathAddress.pathAddress(childPE); ImmutableManagementResourceRegistration childReg = registry.getSubModel(relativeAddr); if (childReg == null) { throw new OperationFailedException(new ModelNode().set(MESSAGES.noChildRegistry(childType, child))); boolean proxy = childReg.isRemote(); boolean runtimeResource = childReg.isRuntimeOnly(); boolean getChild = !runtimeResource || (queryRuntime && !proxy) || (proxies && proxy); if (!aliases && childReg.isAlias()) { context.addStep(rrRsp, rrOp, rrHandler, OperationContext.Stage.MODEL, true); AuthorizationResult ar = context.authorize(rrOp, EnumSet.of(Action.ActionEffect.ADDRESS)); if (ar.getDecision() == AuthorizationResult.Decision.DENY) { localFilteredData.addAccessRestrictedResource(absoluteChildAddr); } else {
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { final PathAddress address = PathAddress.pathAddress(operation.get(OP_ADDR)); final String childType = CHILD_TYPE.resolveModelAttribute(context, operation).asString(); final Resource resource = context.readResource(PathAddress.EMPTY_ADDRESS, false); ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); Map<String, Set<String>> childAddresses = GlobalOperationHandlers.getChildAddresses(context, address, registry, resource, childType); Set<String> childNames = childAddresses.get(childType); if (childNames == null) { throw new OperationFailedException(new ModelNode().set(MESSAGES.unknownChildType(childType))); ModelNode result = context.getResult(); result.setEmptyList(); PathAddress childAddress = address.append(PathElement.pathElement(childType)); ModelNode op = Util.createEmptyOperation(READ_RESOURCE_OPERATION, childAddress); op.get(OPERATION_HEADERS).set(operation.get(OPERATION_HEADERS)); ModelNode opAddr = op.get(OP_ADDR); ModelNode childProperty = opAddr.require(address.size()); Set<Action.ActionEffect> actionEffects = EnumSet.of(Action.ActionEffect.ADDRESS); FilteredData fd = null; for (String childName : childNames) { childProperty.set(childType, new ModelNode(childName)); if (context.authorize(op, actionEffects).getDecision() == AuthorizationResult.Decision.PERMIT) { result.add(childName); } else {
NAME.validateOperation(operation); final ModelNode nameModel = GlobalOperationAttributes.NAME.resolveModelAttribute(context, operation); final PathAddress address = context.getCurrentAddress(); final ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); if (registry == null) { throw new OperationFailedException(ControllerLogger.ROOT_LOGGER.noSuchResourceType(address)); final AttributeAccess attributeAccess = registry.getAttributeAccess(PathAddress.EMPTY_ADDRESS, attributeName); if (attributeAccess == null) { throw new OperationFailedException(ControllerLogger.ROOT_LOGGER.unknownAttribute(attributeName)); ModelNode model = context.readResourceForUpdate(PathAddress.EMPTY_ADDRESS).getModel(); currentValue = model.has(attributeName) ? model.get(attributeName) : new ModelNode(); } else { AuthorizationResult authorizationResult = context.authorize(operation, attributeName, currentValue); if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) { throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.require(OP).asString(), address, authorizationResult.getExplanation()); && !registry.isRuntimeOnly()) {
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { AuthorizationResult authorizationResult = context.authorize(operation); if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) { throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.get(OP).asString(), context.getCurrentAddress(), authorizationResult.getExplanation()); } String name = null; if(operation.hasDefined(LOCATION.getName())) { name = LOCATION.resolveModelAttribute(context, operation).asString(); } try { context.getResult().set(persister.publish(name)); } catch (ConfigurationPersistenceException e) { throw new OperationFailedException(e); } context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER); }
final String opName = operation.require(OP).asString(); final PathAddress address = context.getCurrentAddress(); final boolean queryRuntime = operation.get(ModelDescriptionConstants.INCLUDE_RUNTIME).asBoolean(false); final boolean proxies = operation.get(ModelDescriptionConstants.PROXIES).asBoolean(false); final boolean aliases = operation.get(ModelDescriptionConstants.INCLUDE_ALIASES).asBoolean(false); context.addStep(assemblyHandler, queryRuntime ? OperationContext.Stage.VERIFY : OperationContext.Stage.MODEL, true); final ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); PathAddress absoluteChildAddr = address.append(childPE); PathAddress relativeAddr = PathAddress.pathAddress(childPE); ImmutableManagementResourceRegistration childReg = registry == null ? null : registry.getSubModel(relativeAddr); if (childReg != null) { boolean proxy = childReg.isRemote(); boolean runtimeResource = childReg.isRuntimeOnly(); getChild = !runtimeResource || (queryRuntime && !proxy) || (proxies && proxy); if (!aliases && childReg.isAlias()) { AuthorizationResult ar = context.authorize(rrOp, EnumSet.of(Action.ActionEffect.ADDRESS)); if (ar.getDecision() == AuthorizationResult.Decision.DENY) { localFilteredData.addAccessRestrictedResource(absoluteChildAddr); } else {
/** * Checks if the calling user may execute the operation. If he may then he can see it te full operation * parameters. * * @param context the operation context. * @param op the operation we are securing. * @return the secured operation. * @throws OperationFailedException */ private ModelNode secureOperationParameters(OperationContext context, ModelNode op) throws OperationFailedException { ModelNode operation = op.clone(); OperationEntry operationEntry = context.getRootResourceRegistration().getOperationEntry( PathAddress.pathAddress(operation.get(OP_ADDR)), operation.get(OP).asString()); Set<Action.ActionEffect> effects = getEffects(operationEntry); if (context.authorize(operation, effects).getDecision() == AuthorizationResult.Decision.PERMIT) { return operation; } else { ModelNode securedOperation = new ModelNode(); securedOperation.get(OP).set(operation.get(OP)); securedOperation.get(OP_ADDR).set(operation.get(OP_ADDR)); return securedOperation; } }
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { nameValidator.validate(operation); final String attributeName = operation.require(NAME.getName()).asString(); final PathAddress address = PathAddress.pathAddress(operation.get(OP_ADDR)); final ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); if (registry == null) { throw new OperationFailedException(ControllerMessages.MESSAGES.noSuchResourceType(PathAddress.pathAddress(operation.get(OP_ADDR)))); final AttributeAccess attributeAccess = registry.getAttributeAccess(PathAddress.EMPTY_ADDRESS, attributeName); if (attributeAccess == null) { throw new OperationFailedException(new ModelNode().set(MESSAGES.unknownAttribute(attributeName))); } else if (attributeAccess.getAccessType() != AttributeAccess.AccessType.READ_WRITE) { throw new OperationFailedException(new ModelNode().set(MESSAGES.attributeNotWritable(attributeName))); } else { ModelNode model = context.readResourceForUpdate(PathAddress.EMPTY_ADDRESS).getModel(); currentValue = model.has(attributeName) ? model.get(attributeName) : new ModelNode(); } else { currentValue = new ModelNode(); AuthorizationResult authorizationResult = context.authorize(operation, attributeName, currentValue); if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) { throw ControllerMessages.MESSAGES.unauthorized(operation.require(OP).asString(), PathAddress.pathAddress(operation.get(OP_ADDR)), authorizationResult.getExplanation()); && !registry.isRuntimeOnly()) {
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { final ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); if (registry == null) { throw new OperationFailedException(ControllerMessages.MESSAGES.noSuchResourceType(PathAddress.pathAddress(operation.get(OP_ADDR)))); final Map<String, OperationEntry> operations = registry.getOperationDescriptions(PathAddress.EMPTY_ADDRESS, true); final boolean accessControl = ACCESS_CONTROL.resolveModelAttribute(context, operation).asBoolean(); final ModelNode result = new ModelNode(); if (operations.size() > 0) { final PathAddress address = PathAddress.pathAddress(operation.require(OP_ADDR)); for (final Map.Entry<String, OperationEntry> entry : operations.entrySet()) { if (entry.getValue().getType() == OperationEntry.EntryType.PUBLIC) { if (context.getProcessType() != ProcessType.DOMAIN_SERVER || entry.getValue().getFlags().contains(OperationEntry.Flag.RUNTIME_ONLY)) { ModelNode operationToCheck = Util.createOperation(entry.getKey(), address); operationToCheck.get(OPERATION_HEADERS).set(operation.get(OPERATION_HEADERS)); AuthorizationResult authorizationResult = context.authorizeOperation(operationToCheck); add = authorizationResult.getDecision() == Decision.PERMIT;
/** * Secure the operation : - if the caller can address the resource we check if he can see the operation * parameters. - otherwise we return the operation without its address and parameters. * * @param context the operation context. * @param operation the operation we are securing. * @return the secured opreation aka trimmed of all sensitive data. * @throws OperationFailedException */ private ModelNode secureOperation(OperationContext context, ModelNode operation) throws OperationFailedException { PathAddress address = PathAddress.pathAddress(operation.get(OP_ADDR)); for (int i = 0; i < address.size(); i++) { if (!isAccessPermitted(context, address.subAddress(0, i).toModelNode())) { return accessDenied(operation); } } ModelNode fakeOperation = new ModelNode(); fakeOperation.get(OP).set(READ_RESOURCE_OPERATION); fakeOperation.get(OP_ADDR).set(address.toModelNode()); AuthorizationResult authResult = context.authorize(fakeOperation, ADDRESS_EFFECT); if (authResult.getDecision() == AuthorizationResult.Decision.PERMIT) { return secureOperationParameters(context, operation); } return accessDenied(operation); }
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { final ImmutableManagementResourceRegistration registry = context.getResourceRegistration(); if (registry == null) { throw new OperationFailedException(ControllerLogger.ROOT_LOGGER.noSuchResourceType(context.getCurrentAddress())); final Map<String, OperationEntry> operations = registry.getOperationDescriptions(PathAddress.EMPTY_ADDRESS, true); final boolean accessControl = ACCESS_CONTROL.resolveModelAttribute(context, operation).asBoolean(); final ModelNode result = new ModelNode(); if (operations.size() > 0) { final PathAddress address = context.getCurrentAddress(); for (final Map.Entry<String, OperationEntry> entry : operations.entrySet()) { if (isVisible(entry.getValue(), context)) { if (accessControl) { ModelNode operationToCheck = Util.createOperation(entry.getKey(), address); operationToCheck.get(OPERATION_HEADERS).set(operation.get(OPERATION_HEADERS)); AuthorizationResult authorizationResult = context.authorizeOperation(operationToCheck); add = authorizationResult.getDecision() == Decision.PERMIT;
@Override public void execute(OperationContext context, ModelNode operation) throws OperationFailedException { String operationName = NAME.resolveModelAttribute(context, operation).asString(); boolean accessControl = ACCESS_CONTROL.resolveModelAttribute(context, operation).asBoolean(); if (describedOp == null || (context.getProcessType() == ProcessType.DOMAIN_SERVER && !describedOp.flags.contains(OperationEntry.Flag.RUNTIME_ONLY))) { throw new OperationFailedException(new ModelNode().set(MESSAGES.operationNotRegistered(operationName, PathAddress.pathAddress(operation.require(OP_ADDR))))); } else { final ModelNode result = describedOp.description; final PathAddress address = PathAddress.pathAddress(operation.require(OP_ADDR)); ModelNode operationToCheck = Util.createOperation(operationName, address); operationToCheck.get(OPERATION_HEADERS).set(operation.get(OPERATION_HEADERS)); AuthorizationResult authorizationResult = context.authorizeOperation(operationToCheck); result.get(ACCESS_CONTROL.getName(), EXECUTE).set(authorizationResult.getDecision() == Decision.PERMIT); context.getResult().set(result); context.stepCompleted();