@Override public Set<AccessPolicy> getAccessPoliciesForUser(String userId) { return accessPolicyProvider.getAccessPolicies().stream() .filter(p -> { // policy contains the user if (p.getUsers().contains(userId)) { return true; } // policy contains a group with the user return !p.getGroups().stream().filter(g -> userGroupProvider.getGroup(g).getUsers().contains(userId)).collect(Collectors.toSet()).isEmpty(); }) .collect(Collectors.toSet()); }
/** * Extracts the values for the configured properties from the specified policy. */ private Map<String, String> extractConfiguredPropertyValues(AccessPolicy policy, AccessPolicyDTO policyDTO) { Map<String, String> values = new HashMap<>(); if (policyDTO.getUsers() != null) { // get each of the auto terminated relationship names final List<String> currentUsers = new ArrayList<>(policy.getUsers()); // sort them and include in the configuration Collections.sort(currentUsers, Collator.getInstance(Locale.US)); values.put(USERS, StringUtils.join(currentUsers, ", ")); } if (policyDTO.getUserGroups() != null) { // get each of the auto terminated relationship names final List<String> currentUserGroups = new ArrayList<>(policy.getGroups()); // sort them and include in the configuration Collections.sort(currentUserGroups, Collator.getInstance(Locale.US)); values.put(USER_GROUPS, StringUtils.join(currentUserGroups, ", ")); } return values; }
private void writePolicy(final XMLStreamWriter writer, final AccessPolicy policy) throws XMLStreamException { // sort the users for the policy List<String> policyUsers = new ArrayList<>(policy.getUsers()); Collections.sort(policyUsers); // sort the groups for this policy List<String> policyGroups = new ArrayList<>(policy.getGroups()); Collections.sort(policyGroups); writer.writeStartElement(POLICY_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policy.getIdentifier()); writer.writeAttribute(RESOURCE_ATTR, policy.getResource()); writer.writeAttribute(ACTIONS_ATTR, policy.getAction().name()); for (String policyUser : policyUsers) { writer.writeStartElement(POLICY_USER_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyUser); writer.writeEndElement(); } for (String policyGroup : policyGroups) { writer.writeStartElement(POLICY_GROUP_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyGroup); writer.writeEndElement(); } writer.writeEndElement(); }
private void writePolicy(final XMLStreamWriter writer, final AccessPolicy policy) throws XMLStreamException { // sort the users for the policy List<String> policyUsers = new ArrayList<>(policy.getUsers()); Collections.sort(policyUsers); // sort the groups for this policy List<String> policyGroups = new ArrayList<>(policy.getGroups()); Collections.sort(policyGroups); writer.writeStartElement(POLICY_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policy.getIdentifier()); writer.writeAttribute(RESOURCE_ATTR, policy.getResource()); writer.writeAttribute(ACTIONS_ATTR, policy.getAction().name()); for (String policyUser : policyUsers) { writer.writeStartElement(POLICY_USER_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyUser); writer.writeEndElement(); } for (String policyGroup : policyGroups) { writer.writeStartElement(POLICY_GROUP_ELEMENT); writer.writeAttribute(IDENTIFIER_ATTR, policyGroup); writer.writeEndElement(); } writer.writeEndElement(); }
/** * Initializes the builder with the state of the provided policy. When using this constructor * the identifier field of the builder can not be changed and will result in an IllegalStateException * if attempting to do so. * * @param other the existing access policy to initialize from */ public Builder(final AccessPolicy other) { if (other == null) { throw new IllegalArgumentException("Can not initialize builder with a null access policy"); } this.identifier = other.getIdentifier(); this.resource = other.getResource(); this.action = other.getAction(); this.users.clear(); this.users.addAll(other.getUsers()); this.groups.clear(); this.groups.addAll(other.getGroups()); this.fromPolicy = true; }
@Override public String toString() { return String.format("identifier[%s], resource[%s], users[%s], groups[%s], action[%s]", getIdentifier(), getResource(), getUsers(), getGroups(), getAction()); }
private AccessPolicyEntity createAccessPolicyEntity(final AccessPolicy accessPolicy) { final RevisionDTO revision = dtoFactory.createRevisionDTO(revisionManager.getRevision(accessPolicy.getIdentifier())); final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicy.getIdentifier())); final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource()); return entityFactory.createAccessPolicyEntity( dtoFactory.createAccessPolicyDto(accessPolicy, accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()), accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()), componentReference), revision, permissions); }
@Override public AccessPolicyEntity updateAccessPolicy(final Revision revision, final AccessPolicyDTO accessPolicyDTO) { final Authorizable authorizable = authorizableLookup.getAccessPolicyById(accessPolicyDTO.getId()); final RevisionUpdate<AccessPolicyDTO> snapshot = updateComponent(revision, authorizable, () -> accessPolicyDAO.updateAccessPolicy(accessPolicyDTO), accessPolicy -> { final Set<TenantEntity> users = accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()); final Set<TenantEntity> userGroups = accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()); final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource()); return dtoFactory.createAccessPolicyDto(accessPolicy, userGroups, users, componentReference); }); final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizable); return entityFactory.createAccessPolicyEntity(snapshot.getComponent(), dtoFactory.createRevisionDTO(snapshot.getLastModification()), permissions); }
@Override public AccessPolicyEntity deleteAccessPolicy(final Revision revision, final String accessPolicyId) { final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(accessPolicyId); final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource()); final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicyId)); final Set<TenantEntity> userGroups = accessPolicy != null ? accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()) : null; final Set<TenantEntity> users = accessPolicy != null ? accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()) : null; final AccessPolicyDTO snapshot = deleteComponent( revision, new Resource() { @Override public String getIdentifier() { return accessPolicy.getResource(); } @Override public String getName() { return accessPolicy.getResource(); } @Override public String getSafeDescription() { return "Policy " + accessPolicyId; } }, () -> accessPolicyDAO.deleteAccessPolicy(accessPolicyId), false, // no need to clean up any policies as it's already been removed above dtoFactory.createAccessPolicyDto(accessPolicy, userGroups, users, componentReference)); return entityFactory.createAccessPolicyEntity(snapshot, null, permissions); }
/** * Sets the given Policy to the state of the provided AccessPolicy. Users and Groups will be cleared and * set to match the AccessPolicy, the resource and action will be set to match the AccessPolicy. * * Does not set the identifier. * * @param accessPolicy the AccessPolicy to transfer state from * @param policy the Policy to transfer state to */ private void transferUsersAndGroups(AccessPolicy accessPolicy, Policy policy) { // add users to the policy policy.getUser().clear(); for (String userIdentifier : accessPolicy.getUsers()) { Policy.User policyUser = new Policy.User(); policyUser.setIdentifier(userIdentifier); policy.getUser().add(policyUser); } // add groups to the policy policy.getGroup().clear(); for (String groupIdentifier : accessPolicy.getGroups()) { Policy.Group policyGroup = new Policy.Group(); policyGroup.setIdentifier(groupIdentifier); policy.getGroup().add(policyGroup); } }
@Override public AccessPolicyEntity createAccessPolicy(final Revision revision, final AccessPolicyDTO accessPolicyDTO) { final Authorizable tenantAuthorizable = authorizableLookup.getTenant(); final String creator = NiFiUserUtils.getNiFiUserIdentity(); final AccessPolicy newAccessPolicy = accessPolicyDAO.createAccessPolicy(accessPolicyDTO); final ComponentReferenceEntity componentReference = createComponentReferenceEntity(newAccessPolicy.getResource()); final AccessPolicyDTO newAccessPolicyDto = dtoFactory.createAccessPolicyDto(newAccessPolicy, newAccessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()), newAccessPolicy.getUsers().stream().map(userId -> { final RevisionDTO userRevision = dtoFactory.createRevisionDTO(revisionManager.getRevision(userId)); return entityFactory.createTenantEntity(dtoFactory.createTenantDTO(userDAO.getUser(userId)), userRevision, dtoFactory.createPermissionsDto(tenantAuthorizable)); }).collect(Collectors.toSet()), componentReference); final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicyDTO.getId())); return entityFactory.createAccessPolicyEntity(newAccessPolicyDto, dtoFactory.createRevisionDTO(new FlowModification(revision, creator)), permissions); }
@Override public User deleteUser(final String userId) { if (userGroupProvider instanceof ConfigurableUserGroupProvider) { final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; final User user = getUser(userId); final User removedUser = configurableUserGroupProvider.deleteUser(user); // ensure the user was removed if (removedUser == null) { throw new ResourceNotFoundException(String.format("Unable to find user with id '%s'.", userId)); } // remove any references to the user being deleted from policies if possible if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) { for (AccessPolicy policy : accessPolicyProvider.getAccessPolicies()) { final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider; // ensure this policy contains a reference to the user and this policy is configurable (check proactively to prevent an exception) if (policy.getUsers().contains(removedUser.getIdentifier()) && configurableAccessPolicyProvider.isConfigurable(policy)) { final AccessPolicy.Builder builder = new AccessPolicy.Builder(policy).removeUser(removedUser.getIdentifier()); configurableAccessPolicyProvider.updateAccessPolicy(builder.build()); } } } return removedUser; } else { throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); } }
accessPolicy.getUsers().forEach(userId -> { final TenantEntity entity = new TenantEntity(); entity.setId(userId);
@Override public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException { final String resourceIdentifier = request.getResource().getIdentifier(); final AccessPolicy policy = accessPolicyProvider.getAccessPolicy(resourceIdentifier, request.getAction()); if (policy == null) { return AuthorizationResult.resourceNotFound(); } final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(request.getIdentity()); final User user = userAndGroups.getUser(); if (user == null) { return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity())); } final Set<Group> userGroups = userAndGroups.getGroups(); if (policy.getUsers().contains(user.getIdentifier()) || containsGroup(userGroups, policy)) { return AuthorizationResult.approved(); } return AuthorizationResult.denied(request.getExplanationSupplier().get()); }
@Override public final AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException { final UsersAndAccessPolicies usersAndAccessPolicies = getUsersAndAccessPolicies(); final String resourceIdentifier = request.getResource().getIdentifier(); final AccessPolicy policy = usersAndAccessPolicies.getAccessPolicy(resourceIdentifier, request.getAction()); if (policy == null) { return AuthorizationResult.resourceNotFound(); } final User user = usersAndAccessPolicies.getUser(request.getIdentity()); if (user == null) { return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity())); } final Set<Group> userGroups = usersAndAccessPolicies.getGroups(user.getIdentity()); if (policy.getUsers().contains(user.getIdentifier()) || containsGroup(userGroups, policy)) { return AuthorizationResult.approved(); } return AuthorizationResult.denied(request.getExplanationSupplier().get()); }