private static Boolean iamPermissionsAllow(
final AuthContextSupplier authContext,
final String[] requiredActions,
final String resourceType,
final String resourceId,
final long resourceAllocationSize) {
/* IAM checks: Is the user allowed within the account? */
// the Permissions.isAuthorized() handles the default deny for each action.
boolean iamAllow = true; // Evaluate each iam action required, all must be allowed
for (String action : requiredActions) {
// Any deny overrides an allow
// Note: explicitly set resourceOwnerAccount to null here, otherwise iam will reject even if
// the ACL checks
// were valid, let ACLs handle cross-account access.
iamAllow &=
Permissions.isAuthorized(
PolicySpec.VENDOR_S3, resourceType, resourceId, null, action, authContext)
&& Permissions.canAllocate(
PolicySpec.VENDOR_S3,
resourceType,
resourceId,
action,
authContext,
resourceAllocationSize);
}
return iamAllow;
}
private static void checkAuthorized() throws ReportingException {
final Context ctx = Contexts.lookup();
final User requestUser = ctx.getUser();
final AuthContextSupplier requestUserSupplier = ctx.getAuthContext();
if (!requestUser.isSystemUser()
|| !Permissions.isAuthorized(
VENDOR_REPORTING, "", "", null, getIamActionByMessageType(), requestUserSupplier)) {
throw new ReportingException(
HttpResponseStatus.UNAUTHORIZED, ReportingException.NOT_AUTHORIZED, "Not authorized");
}
}
private void checkActionPermission(final String actionType, final Context ctx)
throws EucalyptusCloudException {
if (!Permissions.isAuthorized(
PolicySpec.VENDOR_CLOUDWATCH,
actionType,
"",
ctx.getAccount(),
actionType,
ctx.getUser())) {
throw new EucalyptusCloudException("User does not have permission");
}
}
@Override
public boolean apply(final Allocation allocInfo) throws MetadataException {
final UserFullName ownerFullName = allocInfo.getOwnerFullName();
final String instanceProfileArn = allocInfo.getRequest().getIamInstanceProfileArn();
final String instanceProfileName = allocInfo.getRequest().getIamInstanceProfileName();
if (!Strings.isNullOrEmpty(instanceProfileArn)
|| !Strings.isNullOrEmpty(instanceProfileName)) {
final String profileAccount;
final String profileName;
if (!Strings.isNullOrEmpty(instanceProfileArn))
try {
final Ern name = Ern.parse(instanceProfileArn);
if (!(name instanceof EuareResourceName)) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile ARN: " + instanceProfileArn);
}
profileAccount = name.getAccount();
profileName = ((EuareResourceName) name).getName();
} catch (JSONException e) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile ARN: " + instanceProfileArn, e);
}
else {
profileAccount = ownerFullName.getAccountNumber();
profileName = instanceProfileName;
}
final InstanceProfile profile;
try {
profile = Accounts.lookupInstanceProfileByName(profileAccount, profileName);
} catch (AuthException e) {
throw new InvalidInstanceProfileMetadataException(
"Invalid IAM instance profile: " + profileAccount + "/" + profileName, e);
}
if (!Strings.isNullOrEmpty(instanceProfileName)
&& !instanceProfileName.equals(profile.getName())) {
throw new InvalidInstanceProfileMetadataException(
String.format(
"Invalid IAM instance profile name '%s' for ARN: %s",
profileName, instanceProfileArn));
}
try {
final AuthContextSupplier user = allocInfo.getAuthContext();
if (!Permissions.isAuthorized(
PolicySpec.VENDOR_IAM,
PolicySpec.IAM_RESOURCE_INSTANCE_PROFILE,
Accounts.getInstanceProfileFullName(profile),
AccountFullName.getInstance(profile.getAccountNumber()),
PolicySpec.IAM_LISTINSTANCEPROFILES,
user)) {
throw new IllegalMetadataAccessException(
String.format(
"Not authorized to access instance profile with ARN %s for %s",
profile.getInstanceProfileArn(), ownerFullName));
}
final Role role = profile.getRole();
if (role != null
&& !Permissions.isAuthorized(
PolicySpec.VENDOR_IAM,
PolicySpec.IAM_RESOURCE_ROLE,
Accounts.getRoleFullName(role),
AccountFullName.getInstance(role.getAccountNumber()),
PolicySpec.IAM_PASSROLE,
user)) {
throw new IllegalMetadataAccessException(
String.format(
"Not authorized to pass role with ARN %s for %s",
role.getRoleArn(), ownerFullName));
}
if (role != null) {
allocInfo.setInstanceProfileArn(profile.getInstanceProfileArn());
allocInfo.setIamInstanceProfileId(profile.getInstanceProfileId());
allocInfo.setIamRoleArn(role.getRoleArn());
} else {
throw new InvalidInstanceProfileMetadataException(
"Role not found for IAM instance profile ARN: " + profile.getInstanceProfileArn());
}
} catch (AuthException e) {
throw new MetadataException("IAM instance profile error", e);
}
}
return true;
}