@Override
  public void execute(OperationContext context, ModelNode operation)
      throws OperationFailedException {

    String operationName = NAME.resolveModelAttribute(context, operation).asString();
    boolean accessControl = ACCESS_CONTROL.resolveModelAttribute(context, operation).asBoolean();

    final DescribedOp describedOp =
        getDescribedOp(context, operationName, operation, !accessControl);
    if (describedOp == null
        || (context.getProcessType() == ProcessType.DOMAIN_SERVER
            && !describedOp.flags.contains(OperationEntry.Flag.RUNTIME_ONLY))) {
      throw new OperationFailedException(
          ControllerLogger.ROOT_LOGGER.operationNotRegistered(
              operationName, context.getCurrentAddress()));
    } else {
      ModelNode result = describedOp.getDescription();

      if (accessControl) {
        final PathAddress address = context.getCurrentAddress();
        ModelNode operationToCheck = Util.createOperation(operationName, address);
        operationToCheck.get(OPERATION_HEADERS).set(operation.get(OPERATION_HEADERS));
        AuthorizationResult authorizationResult = context.authorizeOperation(operationToCheck);
        result
            .get(ACCESS_CONTROL.getName(), EXECUTE)
            .set(authorizationResult.getDecision() == Decision.PERMIT);
      }

      context.getResult().set(result);
    }
  }
  @Test
  public void testAuthorizerResourcePermit() {
    Action action =
        new Action(
            null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
    AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource);

    assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision());
  }
  @Test
  public void testAuthorizerAttributeDeny() {
    Action action =
        new Action(
            null,
            null,
            EnumSet.of(
                Action.ActionEffect.ADDRESS,
                Action.ActionEffect.READ_CONFIG,
                Action.ActionEffect.WRITE_CONFIG));
    TargetResource targetResource =
        TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
    TargetAttribute targetAttribute =
        new TargetAttribute("test", null, new ModelNode(), targetResource);
    AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute);

    assertEquals(AuthorizationResult.Decision.DENY, result.getDecision());
  }
Exemplo n.º 4
0
  @Override
  public void execute(OperationContext context, ModelNode operation)
      throws OperationFailedException {
    AuthorizationResult authorizationResult = context.authorize(operation);
    if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) {
      throw ControllerLogger.ROOT_LOGGER.unauthorized(
          operation.get(OP).asString(),
          context.getCurrentAddress(),
          authorizationResult.getExplanation());
    }

    try {
      SnapshotInfo info = persister.listSnapshots();
      ModelNode result = context.getResult();
      result.get(ModelDescriptionConstants.DIRECTORY).set(info.getSnapshotDirectory());
      result.get(ModelDescriptionConstants.NAMES).setEmptyList();
      for (String name : info.names()) {
        result.get(ModelDescriptionConstants.NAMES).add(name);
      }
    } catch (Exception e) {
      throw new OperationFailedException(e);
    }
    context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
  }
  @Override
  public void execute(OperationContext context, ModelNode operation)
      throws OperationFailedException {
    NAME.validateOperation(operation);
    final ModelNode nameModel =
        GlobalOperationAttributes.NAME.resolveModelAttribute(context, operation);
    final PathAddress address = context.getCurrentAddress();
    final ImmutableManagementResourceRegistration registry = context.getResourceRegistration();
    if (registry == null) {
      throw new OperationFailedException(ControllerLogger.ROOT_LOGGER.noSuchResourceType(address));
    }
    final boolean useEnhancedSyntax = containsEnhancedSyntax(nameModel.asString(), registry);
    final String attributeName;
    final String attributeExpression;
    if (useEnhancedSyntax) {
      attributeExpression = nameModel.asString();
      attributeName = extractAttributeName(nameModel.asString());
    } else {
      attributeName = nameModel.asString();
      attributeExpression = attributeName;
    }

    final AttributeAccess attributeAccess =
        registry.getAttributeAccess(PathAddress.EMPTY_ADDRESS, attributeName);
    if (attributeAccess == null) {
      throw new OperationFailedException(
          ControllerLogger.ROOT_LOGGER.unknownAttribute(attributeName));
    } else if (attributeAccess.getAccessType() != AttributeAccess.AccessType.READ_WRITE) {
      throw new OperationFailedException(
          ControllerLogger.ROOT_LOGGER.attributeNotWritable(attributeName));
    } else {

      // Authorize
      ModelNode currentValue;
      if (attributeAccess.getStorageType() == AttributeAccess.Storage.CONFIGURATION) {
        ModelNode model = context.readResourceForUpdate(PathAddress.EMPTY_ADDRESS).getModel();
        currentValue = model.has(attributeName) ? model.get(attributeName) : new ModelNode();
      } else {
        currentValue = new ModelNode();
      }
      AuthorizationResult authorizationResult =
          context.authorize(operation, attributeName, currentValue);
      if (authorizationResult.getDecision() == AuthorizationResult.Decision.DENY) {
        throw ControllerLogger.ROOT_LOGGER.unauthorized(
            operation.require(OP).asString(), address, authorizationResult.getExplanation());
      }

      if (attributeAccess.getStorageType() == AttributeAccess.Storage.CONFIGURATION
          && !registry.isRuntimeOnly()) {
        // if the attribute is stored in the configuration, we can read its
        // old and new value from the resource's model before and after executing its write handler
        final ModelNode oldValue = currentValue.clone();
        doExecuteInternal(
            context,
            operation,
            attributeAccess,
            attributeName,
            currentValue,
            useEnhancedSyntax,
            attributeExpression);
        ModelNode model = context.readResource(PathAddress.EMPTY_ADDRESS).getModel();
        ModelNode newValue = model.has(attributeName) ? model.get(attributeName) : new ModelNode();
        emitAttributeValueWrittenNotification(context, address, attributeName, oldValue, newValue);

      } else {
        assert attributeAccess.getStorageType() == AttributeAccess.Storage.RUNTIME;

        // if the attribute is a runtime attribute, its old and new values must
        // be read using the attribute's read handler and the write operation
        // must be sandwiched between the 2 calls to the read handler.
        // Each call to the read handlers will have their own results while
        // the call to the write handler will use this OSH context result.

        OperationContext.Stage currentStage = context.getCurrentStage();

        final ModelNode readAttributeOperation =
            Util.createOperation(READ_ATTRIBUTE_OPERATION, address);
        readAttributeOperation.get(NAME.getName()).set(attributeName);
        ReadAttributeHandler readAttributeHandler = new ReadAttributeHandler(null, null, false);

        // create 2 model nodes to store the result of the read-attribute operations
        // before and after writing the value
        final ModelNode oldValue = new ModelNode();
        final ModelNode newValue = new ModelNode();

        // We're going to add a bunch of steps, but we want them to execute right away
        // so we use the 'addFirst=true' param to addStep. That means we add them
        // in reverse order of how they will execute

        // 4th OSH is to emit the notification
        context.addStep(
            new OperationStepHandler() {
              @Override
              public void execute(OperationContext context, ModelNode operation)
                  throws OperationFailedException {
                // aggregate data from the 2 read-attribute operations
                emitAttributeValueWrittenNotification(
                    context, address, attributeName, oldValue.get(RESULT), newValue.get(RESULT));
              }
            },
            currentStage,
            true);

        // 3rd OSH is to read the new value
        context.addStep(newValue, readAttributeOperation, readAttributeHandler, currentStage, true);

        // 2nd OSH is to write the value
        context.addStep(
            new OperationStepHandler() {
              @Override
              public void execute(OperationContext context, ModelNode operation)
                  throws OperationFailedException {
                doExecuteInternal(
                    context,
                    operation,
                    attributeAccess,
                    attributeName,
                    oldValue.get(RESULT),
                    useEnhancedSyntax,
                    attributeExpression);
              }
            },
            currentStage,
            true);

        // 1st OSH is to read the old value
        context.addStep(oldValue, readAttributeOperation, readAttributeHandler, currentStage, true);
      }
    }
  }