/**
 * Creates ACEs for a freshly created resource from the configured auto-rules.
 *
 * <p>Each auto-rule whose {@code resourcePath} equals the parent path of the
 * created resource (exact string match, no wildcards) yields one ACE for the
 * new resource's URI, created in the security context of the originating
 * request. The created ACE states are collected as members of the returned
 * {@code "createdEntries"} state.
 *
 * @param createdResourceResponse the response describing the created resource
 * @return a {@code "createdEntries"} state holding every ACE created here (empty when no rule matched)
 */
public ResourceState autocreateAce(ResourceResponse createdResourceResponse) {
    ResourceState createdEntries = new DefaultResourceState("createdEntries");

    ResourcePath parentPath = createdResourceResponse.inReplyTo().resourcePath();
    String parentUri = parentPath.toString();
    // URI of the new resource: parent path plus its id
    String newResourceUri = parentUri + "/" + createdResourceResponse.resource().id();

    List<AutoRuleConfig> rules = this.policyConfig.get().getAutoRules();
    for (AutoRuleConfig rule : rules) {
        // Exact matching only (like "/storage/todos"); wildcards are not supported
        if (!rule.getResourcePath().equals(parentUri)) {
            continue;
        }
        ResourceState aceState = createACE(
                newResourceUri,
                createdResourceResponse.inReplyTo().requestContext().securityContext(),
                rule);
        createdEntries.addMember(aceState);
    }

    return createdEntries;
}
/**
 * Removes every ACE stored for the path of a deleted resource.
 *
 * <p>The ACL collection is queried by {@code ACE_RESOURCE_PATH} only, so all
 * entries for that exact path are removed. NOTE(review): no realm condition
 * is applied here, unlike the lookup in {@code isAuthorized}; confirm that
 * removing the path's ACEs across realms is intended.
 *
 * @param deletedResourceResponse the response describing the deleted resource
 * @return an empty {@code "deletedEntries"} state (the removed ACEs are not reported back)
 */
public ResourceState deleteAce(ResourceResponse deletedResourceResponse) {
    ResourceState deletedEntries = new DefaultResourceState("deletedEntries");

    ResourcePath deletedPath = deletedResourceResponse.inReplyTo().resourcePath();
    String pathKey = deletedPath.toString();

    // Remove all ACE entries for this exact path
    DBObject byPath = new BasicDBObject(ACE_RESOURCE_PATH, pathKey);
    this.aclCollection.remove(byPath);
    log.debugf("Deleted ACEs for path: %s", deletedPath);

    return deletedEntries;
}
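/**
 * Decides whether the request is authorized by the stored ACEs.
 *
 * <p>Looks up ACEs matching the request's realm, resource path and request
 * type, restricted to entries for either the subject's user id or one of its
 * roles ({@code $or}). Every matching entry contributes {@code ACCEPT} when its
 * {@code ACE_PERMITTED} flag is exactly {@code true} and {@code REJECT}
 * otherwise; the contributions are folded with
 * {@link AuthzDecision#mergeDecision} starting from {@code IGNORE}, so with no
 * matching entry the result is {@code IGNORE}. There are no rule priorities.
 *
 * <p>NOTE(review): when {@code securityContext.getSubject()} is {@code null},
 * the {@code $or} clause contains {@code {userId: null}}, which MongoDB also
 * matches against documents where the field is absent; confirm every stored
 * ACE carries a user id, or that this matching is intended for anonymous
 * subjects.
 *
 * @param req the request to authorize
 * @return the merged decision, {@code IGNORE} when no ACE matched
 */
public AuthzDecision isAuthorized(RequestContext req) {
    RequestType reqType = req.requestType();
    ResourcePath resourcePath = req.resourcePath();
    SecurityContext securityContext = req.securityContext();

    BasicDBObject query = new BasicDBObject();
    query.put(ACE_REALM, securityContext.getRealm());
    query.put(ACE_RESOURCE_PATH, resourcePath.toString());
    query.put(ACE_ACTIONS, reqType.toString());

    // Pass if we find rule for either "userId" or some of his roles
    List<DBObject> userRolesCondition = new LinkedList<>();
    userRolesCondition.add(new BasicDBObject(ACE_USER_ID, securityContext.getSubject()));
    if (securityContext.getRoles() != null) {
        for (String role : securityContext.getRoles()) {
            userRolesCondition.add(new BasicDBObject(ACE_ROLE_NAME, role));
        }
    }
    query.put("$or", userRolesCondition);

    if (log.isTraceEnabled()) {
        log.trace("Sending ACE query: " + query);
    }

    AuthzDecision decision = AuthzDecision.IGNORE;
    DBCursor results = this.aclCollection.find(query);
    try {
        for (DBObject result : results) {
            // Fail closed: only an explicit Boolean true permits. A missing or
            // non-boolean ACE_PERMITTED value previously threw (NPE/CCE) on the
            // unboxing cast; it now counts as a REJECT entry instead.
            boolean permitted = Boolean.TRUE.equals(result.get(ACE_PERMITTED));
            // For now, always merge. No rule priorities...
            AuthzDecision currentDecision = permitted ? AuthzDecision.ACCEPT : AuthzDecision.REJECT;
            decision = decision.mergeDecision(currentDecision);
            if (log.isTraceEnabled()) {
                log.trace("Found result: " + result);
            }
        }
    } finally {
        // The cursor holds a server-side resource; release it even if merging throws
        results.close();
    }

    return decision;
}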
/**
 * Builds a resource state for {@code endpoint} by splitting it into its last
 * segment and its parent path and delegating to the
 * {@code resource(String, String, Object[], ResourceState...)} overload.
 *
 * @param endpoint the full resource path of the resource to build
 * @param properties the property list forwarded unchanged to the overload
 * @param members member states forwarded unchanged to the overload
 * @return the state produced by the overload
 * @throws URISyntaxException if {@code endpoint} is not a valid resource path
 */
protected ResourceState resource(String endpoint, Object[] properties, ResourceState... members) throws URISyntaxException {
    ResourcePath fullPath = new ResourcePath(endpoint);
    String lastSegment = fullPath.tail().toString();
    String parentPath = fullPath.parent().toString();
    return resource(lastSegment, parentPath, properties, members);
}