@Override
public void execute(OperationContext context, ModelNode operation)
throws OperationFailedException {
String operationName = NAME.resolveModelAttribute(context, operation).asString();
boolean accessControl = ACCESS_CONTROL.resolveModelAttribute(context, operation).asBoolean();
final DescribedOp describedOp =
getDescribedOp(context, operationName, operation, !accessControl);
if (describedOp == null
|| (context.getProcessType() == ProcessType.DOMAIN_SERVER
&& !describedOp.flags.contains(OperationEntry.Flag.RUNTIME_ONLY))) {
throw new OperationFailedException(
ControllerLogger.ROOT_LOGGER.operationNotRegistered(
operationName, context.getCurrentAddress()));
} else {
ModelNode result = describedOp.getDescription();
if (accessControl) {
final PathAddress address = context.getCurrentAddress();
ModelNode operationToCheck = Util.createOperation(operationName, address);
operationToCheck.get(OPERATION_HEADERS).set(operation.get(OPERATION_HEADERS));
AuthorizationResult authorizationResult = context.authorizeOperation(operationToCheck);
result
.get(ACCESS_CONTROL.getName(), EXECUTE)
.set(authorizationResult.getDecision() == Decision.PERMIT);
}
context.getResult().set(result);
}
}
@Test
public void testAuthorizerResourcePermit() {
Action action =
new Action(
null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource);
assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision());
}
@Test
public void testAuthorizerAttributeDeny() {
Action action =
new Action(
null,
null,
EnumSet.of(
Action.ActionEffect.ADDRESS,
Action.ActionEffect.READ_CONFIG,
Action.ActionEffect.WRITE_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
TargetAttribute targetAttribute =
new TargetAttribute("test", null, new ModelNode(), targetResource);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute);
assertEquals(AuthorizationResult.Decision.DENY, result.getDecision());
}
@Override
public void execute(OperationContext context, ModelNode operation)
throws OperationFailedException {
AuthorizationResult authorizationResult = context.authorize(operation);
if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) {
throw ControllerLogger.ROOT_LOGGER.unauthorized(
operation.get(OP).asString(),
context.getCurrentAddress(),
authorizationResult.getExplanation());
}
try {
SnapshotInfo info = persister.listSnapshots();
ModelNode result = context.getResult();
result.get(ModelDescriptionConstants.DIRECTORY).set(info.getSnapshotDirectory());
result.get(ModelDescriptionConstants.NAMES).setEmptyList();
for (String name : info.names()) {
result.get(ModelDescriptionConstants.NAMES).add(name);
}
} catch (Exception e) {
throw new OperationFailedException(e);
}
context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
@Override
public void execute(OperationContext context, ModelNode operation)
throws OperationFailedException {
NAME.validateOperation(operation);
final ModelNode nameModel =
GlobalOperationAttributes.NAME.resolveModelAttribute(context, operation);
final PathAddress address = context.getCurrentAddress();
final ImmutableManagementResourceRegistration registry = context.getResourceRegistration();
if (registry == null) {
throw new OperationFailedException(ControllerLogger.ROOT_LOGGER.noSuchResourceType(address));
}
final boolean useEnhancedSyntax = containsEnhancedSyntax(nameModel.asString(), registry);
final String attributeName;
final String attributeExpression;
if (useEnhancedSyntax) {
attributeExpression = nameModel.asString();
attributeName = extractAttributeName(nameModel.asString());
} else {
attributeName = nameModel.asString();
attributeExpression = attributeName;
}
final AttributeAccess attributeAccess =
registry.getAttributeAccess(PathAddress.EMPTY_ADDRESS, attributeName);
if (attributeAccess == null) {
throw new OperationFailedException(
ControllerLogger.ROOT_LOGGER.unknownAttribute(attributeName));
} else if (attributeAccess.getAccessType() != AttributeAccess.AccessType.READ_WRITE) {
throw new OperationFailedException(
ControllerLogger.ROOT_LOGGER.attributeNotWritable(attributeName));
} else {
// Authorize
ModelNode currentValue;
if (attributeAccess.getStorageType() == AttributeAccess.Storage.CONFIGURATION) {
ModelNode model = context.readResourceForUpdate(PathAddress.EMPTY_ADDRESS).getModel();
currentValue = model.has(attributeName) ? model.get(attributeName) : new ModelNode();
} else {
currentValue = new ModelNode();
}
AuthorizationResult authorizationResult =
context.authorize(operation, attributeName, currentValue);
if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) {
throw ControllerLogger.ROOT_LOGGER.unauthorized(
operation.require(OP).asString(), address, authorizationResult.getExplanation());
}
if (attributeAccess.getStorageType() == AttributeAccess.Storage.CONFIGURATION
&& !registry.isRuntimeOnly()) {
// if the attribute is stored in the configuration, we can read its
// old and new value from the resource's model before and after executing its write handler
final ModelNode oldValue = currentValue.clone();
doExecuteInternal(
context,
operation,
attributeAccess,
attributeName,
currentValue,
useEnhancedSyntax,
attributeExpression);
ModelNode model = context.readResource(PathAddress.EMPTY_ADDRESS).getModel();
ModelNode newValue = model.has(attributeName) ? model.get(attributeName) : new ModelNode();
emitAttributeValueWrittenNotification(context, address, attributeName, oldValue, newValue);
} else {
assert attributeAccess.getStorageType() == AttributeAccess.Storage.RUNTIME;
// if the attribute is a runtime attribute, its old and new values must
// be read using the attribute's read handler and the write operation
// must be sandwiched between the 2 calls to the read handler.
// Each call to the read handlers will have their own results while
// the call to the write handler will use this OSH context result.
OperationContext.Stage currentStage = context.getCurrentStage();
final ModelNode readAttributeOperation =
Util.createOperation(READ_ATTRIBUTE_OPERATION, address);
readAttributeOperation.get(NAME.getName()).set(attributeName);
ReadAttributeHandler readAttributeHandler = new ReadAttributeHandler(null, null, false);
// create 2 model nodes to store the result of the read-attribute operations
// before and after writing the value
final ModelNode oldValue = new ModelNode();
final ModelNode newValue = new ModelNode();
// We're going to add a bunch of steps, but we want them to execute right away
// so we use the 'addFirst=true' param to addStep. That means we add them
// in reverse order of how they will execute
// 4th OSH is to emit the notification
context.addStep(
new OperationStepHandler() {
@Override
public void execute(OperationContext context, ModelNode operation)
throws OperationFailedException {
// aggregate data from the 2 read-attribute operations
emitAttributeValueWrittenNotification(
context, address, attributeName, oldValue.get(RESULT), newValue.get(RESULT));
}
},
currentStage,
true);
// 3rd OSH is to read the new value
context.addStep(newValue, readAttributeOperation, readAttributeHandler, currentStage, true);
// 2nd OSH is to write the value
context.addStep(
new OperationStepHandler() {
@Override
public void execute(OperationContext context, ModelNode operation)
throws OperationFailedException {
doExecuteInternal(
context,
operation,
attributeAccess,
attributeName,
oldValue.get(RESULT),
useEnhancedSyntax,
attributeExpression);
}
},
currentStage,
true);
// 1st OSH is to read the old value
context.addStep(oldValue, readAttributeOperation, readAttributeHandler, currentStage, true);
}
}
}
