nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/security/authorization/StandardManagedAuthorizer.java - nifi - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.nifi.registry.security.authorization;

 import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
 import org.apache.nifi.registry.security.authorization.exception.UninheritableAuthorizationsException;
 import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
 import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
 import org.apache.nifi.registry.util.PropertyValue;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;

 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamWriter;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.StringWriter;
 import java.nio.charset.StandardCharsets;
 import java.util.Set;

 public class StandardManagedAuthorizer implements ManagedAuthorizer {

     private static final DocumentBuilderFactory DOCUMENT_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
     private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();

     private static final String USER_GROUP_PROVIDER_ELEMENT = "userGroupProvider";
     private static final String ACCESS_POLICY_PROVIDER_ELEMENT = "accessPolicyProvider";

     private AccessPolicyProviderLookup accessPolicyProviderLookup;
     private AccessPolicyProvider accessPolicyProvider;
     private UserGroupProvider userGroupProvider;

     public StandardManagedAuthorizer() {}

     // exposed for testing to inject mocks
     public StandardManagedAuthorizer(AccessPolicyProvider accessPolicyProvider, UserGroupProvider userGroupProvider) {
         this.accessPolicyProvider = accessPolicyProvider;
         this.userGroupProvider = userGroupProvider;
     }

     @Override
     public void initialize(AuthorizerInitializationContext initializationContext) throws SecurityProviderCreationException {
         accessPolicyProviderLookup = initializationContext.getAccessPolicyProviderLookup();
     }

     @Override
     public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
         final PropertyValue accessPolicyProviderKey = configurationContext.getProperty("Access Policy Provider");
         if (!accessPolicyProviderKey.isSet()) {
             throw new SecurityProviderCreationException("The Access Policy Provider must be set.");
         }

         accessPolicyProvider = accessPolicyProviderLookup.getAccessPolicyProvider(accessPolicyProviderKey.getValue());

         // ensure the desired access policy provider was found
         if (accessPolicyProvider == null) {
             throw new SecurityProviderCreationException(String.format("Unable to locate configured Access Policy Provider: %s", accessPolicyProviderKey));
         }

         userGroupProvider = accessPolicyProvider.getUserGroupProvider();

         // ensure the desired access policy provider has a user group provider
         if (userGroupProvider == null) {
             throw new SecurityProviderCreationException(String.format("Configured Access Policy Provider %s does not contain a User Group Provider", accessPolicyProviderKey));
         }
     }

     @Override
     public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
         final String resourceIdentifier = request.getResource().getIdentifier();
         final AccessPolicy policy = accessPolicyProvider.getAccessPolicy(resourceIdentifier, request.getAction());
         if (policy == null) {
             return AuthorizationResult.resourceNotFound();
         }

         final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(request.getIdentity());

         final User user = userAndGroups.getUser();
         if (user == null) {
             return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity()));
         }

         final Set<Group> userGroups = userAndGroups.getGroups();
         if (policy.getUsers().contains(user.getIdentifier()) || containsGroup(userGroups, policy)) {
             return AuthorizationResult.approved();
         }

         return AuthorizationResult.denied(request.getExplanationSupplier().get());
     }

     /**
      * Determines if the policy contains one of the user's groups.
      *
      * @param userGroups the set of the user's groups
      * @param policy the policy
      * @return true if one of the Groups in userGroups is contained in the policy
      */
     private boolean containsGroup(final Set<Group> userGroups, final AccessPolicy policy) {
         if (userGroups == null || userGroups.isEmpty() || policy.getGroups().isEmpty()) {
             return false;
         }

         for (Group userGroup : userGroups) {
             if (policy.getGroups().contains(userGroup.getIdentifier())) {
                 return true;
             }
         }

         return false;
     }

     @Override
     public String getFingerprint() throws AuthorizationAccessException {
         XMLStreamWriter writer = null;
         final StringWriter out = new StringWriter();
         try {
             writer = XML_OUTPUT_FACTORY.createXMLStreamWriter(out);
             writer.writeStartDocument();
             writer.writeStartElement("managedAuthorizations");

             writer.writeStartElement(ACCESS_POLICY_PROVIDER_ELEMENT);
             if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
                 writer.writeCharacters(((ConfigurableAccessPolicyProvider) accessPolicyProvider).getFingerprint());
             }
             writer.writeEndElement();

             writer.writeStartElement(USER_GROUP_PROVIDER_ELEMENT);
             if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
                 writer.writeCharacters(((ConfigurableUserGroupProvider) userGroupProvider).getFingerprint());
             }
             writer.writeEndElement();

             writer.writeEndElement();
             writer.writeEndDocument();
             writer.flush();
         } catch (XMLStreamException e) {
             throw new AuthorizationAccessException("Unable to generate fingerprint", e);
         } finally {
             if (writer != null) {
                 try {
                     writer.close();
                 } catch (XMLStreamException e) {
                     // nothing to do here
                 }
             }
         }

         return out.toString();
     }

     @Override
     public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
         if (StringUtils.isBlank(fingerprint)) {
             return;
         }

         final FingerprintHolder fingerprintHolder = parseFingerprint(fingerprint);

         if (StringUtils.isNotBlank(fingerprintHolder.getPolicyFingerprint()) && accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
             ((ConfigurableAccessPolicyProvider) accessPolicyProvider).inheritFingerprint(fingerprintHolder.getPolicyFingerprint());
         }

         if (StringUtils.isNotBlank(fingerprintHolder.getUserGroupFingerprint()) && userGroupProvider instanceof ConfigurableUserGroupProvider) {
             ((ConfigurableUserGroupProvider) userGroupProvider).inheritFingerprint(fingerprintHolder.getUserGroupFingerprint());
         }
     }

     @Override
     public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
         final FingerprintHolder fingerprintHolder = parseFingerprint(proposedFingerprint);

         if (StringUtils.isNotBlank(fingerprintHolder.getPolicyFingerprint())) {
             if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
                 ((ConfigurableAccessPolicyProvider) accessPolicyProvider).checkInheritability(fingerprintHolder.getPolicyFingerprint());
             } else {
                 throw new UninheritableAuthorizationsException("Policy fingerprint is not blank and the configured AccessPolicyProvider does not support fingerprinting.");
             }
         }

         if (StringUtils.isNotBlank(fingerprintHolder.getUserGroupFingerprint())) {
             if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
                 ((ConfigurableUserGroupProvider) userGroupProvider).checkInheritability(fingerprintHolder.getUserGroupFingerprint());
             } else {
                 throw new UninheritableAuthorizationsException("User/Group fingerprint is not blank and the configured UserGroupProvider does not support fingerprinting.");
             }
         }
     }

     private final FingerprintHolder parseFingerprint(final String fingerprint) throws AuthorizationAccessException {
         final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8);

         try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) {
             final DocumentBuilder docBuilder = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder();
             final Document document = docBuilder.parse(in);
             final Element rootElement = document.getDocumentElement();

             final NodeList accessPolicyProviderList = rootElement.getElementsByTagName(ACCESS_POLICY_PROVIDER_ELEMENT);
             if (accessPolicyProviderList.getLength() != 1) {
                 throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", ACCESS_POLICY_PROVIDER_ELEMENT, fingerprint));
             }

             final NodeList userGroupProviderList = rootElement.getElementsByTagName(USER_GROUP_PROVIDER_ELEMENT);
             if (userGroupProviderList.getLength() != 1) {
                 throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", USER_GROUP_PROVIDER_ELEMENT, fingerprint));
             }

             final Node accessPolicyProvider = accessPolicyProviderList.item(0);
             final Node userGroupProvider = userGroupProviderList.item(0);
             return new FingerprintHolder(accessPolicyProvider.getTextContent(), userGroupProvider.getTextContent());
         } catch (SAXException | ParserConfigurationException | IOException e) {
             throw new AuthorizationAccessException("Unable to parse fingerprint", e);
         }
     }

     @Override
     public AccessPolicyProvider getAccessPolicyProvider() {
         return accessPolicyProvider;
     }

     @Override
     public void preDestruction() throws SecurityProviderDestructionException {

     }

     private static class FingerprintHolder {
         private final String policyFingerprint;
         private final String userGroupFingerprint;

         public FingerprintHolder(String policyFingerprint, String userGroupFingerprint) {
             this.policyFingerprint = policyFingerprint;
             this.userGroupFingerprint = userGroupFingerprint;
         }

         public String getPolicyFingerprint() {
             return policyFingerprint;
         }

         public String getUserGroupFingerprint() {
             return userGroupFingerprint;
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.nifi.registry.security.authorization;

	import org.apache.commons.lang3.StringUtils;
	import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
	import org.apache.nifi.registry.security.authorization.exception.UninheritableAuthorizationsException;
	import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
	import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
	import org.apache.nifi.registry.util.PropertyValue;
	import org.w3c.dom.Document;
	import org.w3c.dom.Element;
	import org.w3c.dom.Node;
	import org.w3c.dom.NodeList;
	import org.xml.sax.SAXException;

	import javax.xml.parsers.DocumentBuilder;
	import javax.xml.parsers.DocumentBuilderFactory;
	import javax.xml.parsers.ParserConfigurationException;
	import javax.xml.stream.XMLOutputFactory;
	import javax.xml.stream.XMLStreamException;
	import javax.xml.stream.XMLStreamWriter;
	import java.io.ByteArrayInputStream;
	import java.io.IOException;
	import java.io.StringWriter;
	import java.nio.charset.StandardCharsets;
	import java.util.Set;

	public class StandardManagedAuthorizer implements ManagedAuthorizer {

	private static final DocumentBuilderFactory DOCUMENT_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
	private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();

	private static final String USER_GROUP_PROVIDER_ELEMENT = "userGroupProvider";
	private static final String ACCESS_POLICY_PROVIDER_ELEMENT = "accessPolicyProvider";

	private AccessPolicyProviderLookup accessPolicyProviderLookup;
	private AccessPolicyProvider accessPolicyProvider;
	private UserGroupProvider userGroupProvider;

	public StandardManagedAuthorizer() {}

	// exposed for testing to inject mocks
	public StandardManagedAuthorizer(AccessPolicyProvider accessPolicyProvider, UserGroupProvider userGroupProvider) {
	this.accessPolicyProvider = accessPolicyProvider;
	this.userGroupProvider = userGroupProvider;
	}

	@Override
	public void initialize(AuthorizerInitializationContext initializationContext) throws SecurityProviderCreationException {
	accessPolicyProviderLookup = initializationContext.getAccessPolicyProviderLookup();
	}

	@Override
	public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
	final PropertyValue accessPolicyProviderKey = configurationContext.getProperty("Access Policy Provider");
	if (!accessPolicyProviderKey.isSet()) {
	throw new SecurityProviderCreationException("The Access Policy Provider must be set.");
	}

	accessPolicyProvider = accessPolicyProviderLookup.getAccessPolicyProvider(accessPolicyProviderKey.getValue());

	// ensure the desired access policy provider was found
	if (accessPolicyProvider == null) {
	throw new SecurityProviderCreationException(String.format("Unable to locate configured Access Policy Provider: %s", accessPolicyProviderKey));
	}

	userGroupProvider = accessPolicyProvider.getUserGroupProvider();

	// ensure the desired access policy provider has a user group provider
	if (userGroupProvider == null) {
	throw new SecurityProviderCreationException(String.format("Configured Access Policy Provider %s does not contain a User Group Provider", accessPolicyProviderKey));
	}
	}

	@Override
	public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
	final String resourceIdentifier = request.getResource().getIdentifier();
	final AccessPolicy policy = accessPolicyProvider.getAccessPolicy(resourceIdentifier, request.getAction());
	if (policy == null) {
	return AuthorizationResult.resourceNotFound();
	}

	final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(request.getIdentity());

	final User user = userAndGroups.getUser();
	if (user == null) {
	return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity()));
	}

	final Set<Group> userGroups = userAndGroups.getGroups();
	if (policy.getUsers().contains(user.getIdentifier()) \|\| containsGroup(userGroups, policy)) {
	return AuthorizationResult.approved();
	}

	return AuthorizationResult.denied(request.getExplanationSupplier().get());
	}

	/**
	* Determines if the policy contains one of the user's groups.
	*
	* @param userGroups the set of the user's groups
	* @param policy the policy
	* @return true if one of the Groups in userGroups is contained in the policy
	*/
	private boolean containsGroup(final Set<Group> userGroups, final AccessPolicy policy) {
	if (userGroups == null \|\| userGroups.isEmpty() \|\| policy.getGroups().isEmpty()) {
	return false;
	}

	for (Group userGroup : userGroups) {
	if (policy.getGroups().contains(userGroup.getIdentifier())) {
	return true;
	}
	}

	return false;
	}

	@Override
	public String getFingerprint() throws AuthorizationAccessException {
	XMLStreamWriter writer = null;
	final StringWriter out = new StringWriter();
	try {
	writer = XML_OUTPUT_FACTORY.createXMLStreamWriter(out);
	writer.writeStartDocument();
	writer.writeStartElement("managedAuthorizations");

	writer.writeStartElement(ACCESS_POLICY_PROVIDER_ELEMENT);
	if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
	writer.writeCharacters(((ConfigurableAccessPolicyProvider) accessPolicyProvider).getFingerprint());
	}
	writer.writeEndElement();

	writer.writeStartElement(USER_GROUP_PROVIDER_ELEMENT);
	if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
	writer.writeCharacters(((ConfigurableUserGroupProvider) userGroupProvider).getFingerprint());
	}
	writer.writeEndElement();

	writer.writeEndElement();
	writer.writeEndDocument();
	writer.flush();
	} catch (XMLStreamException e) {
	throw new AuthorizationAccessException("Unable to generate fingerprint", e);
	} finally {
	if (writer != null) {
	try {
	writer.close();
	} catch (XMLStreamException e) {
	// nothing to do here
	}
	}
	}

	return out.toString();
	}

	@Override
	public void inheritFingerprint(String fingerprint) throws AuthorizationAccessException {
	if (StringUtils.isBlank(fingerprint)) {
	return;
	}

	final FingerprintHolder fingerprintHolder = parseFingerprint(fingerprint);

	if (StringUtils.isNotBlank(fingerprintHolder.getPolicyFingerprint()) && accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
	((ConfigurableAccessPolicyProvider) accessPolicyProvider).inheritFingerprint(fingerprintHolder.getPolicyFingerprint());
	}

	if (StringUtils.isNotBlank(fingerprintHolder.getUserGroupFingerprint()) && userGroupProvider instanceof ConfigurableUserGroupProvider) {
	((ConfigurableUserGroupProvider) userGroupProvider).inheritFingerprint(fingerprintHolder.getUserGroupFingerprint());
	}
	}

	@Override
	public void checkInheritability(String proposedFingerprint) throws AuthorizationAccessException, UninheritableAuthorizationsException {
	final FingerprintHolder fingerprintHolder = parseFingerprint(proposedFingerprint);

	if (StringUtils.isNotBlank(fingerprintHolder.getPolicyFingerprint())) {
	if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
	((ConfigurableAccessPolicyProvider) accessPolicyProvider).checkInheritability(fingerprintHolder.getPolicyFingerprint());
	} else {
	throw new UninheritableAuthorizationsException("Policy fingerprint is not blank and the configured AccessPolicyProvider does not support fingerprinting.");
	}
	}

	if (StringUtils.isNotBlank(fingerprintHolder.getUserGroupFingerprint())) {
	if (userGroupProvider instanceof ConfigurableUserGroupProvider) {
	((ConfigurableUserGroupProvider) userGroupProvider).checkInheritability(fingerprintHolder.getUserGroupFingerprint());
	} else {
	throw new UninheritableAuthorizationsException("User/Group fingerprint is not blank and the configured UserGroupProvider does not support fingerprinting.");
	}
	}
	}

	private final FingerprintHolder parseFingerprint(final String fingerprint) throws AuthorizationAccessException {
	final byte[] fingerprintBytes = fingerprint.getBytes(StandardCharsets.UTF_8);

	try (final ByteArrayInputStream in = new ByteArrayInputStream(fingerprintBytes)) {
	final DocumentBuilder docBuilder = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder();
	final Document document = docBuilder.parse(in);
	final Element rootElement = document.getDocumentElement();

	final NodeList accessPolicyProviderList = rootElement.getElementsByTagName(ACCESS_POLICY_PROVIDER_ELEMENT);
	if (accessPolicyProviderList.getLength() != 1) {
	throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", ACCESS_POLICY_PROVIDER_ELEMENT, fingerprint));
	}

	final NodeList userGroupProviderList = rootElement.getElementsByTagName(USER_GROUP_PROVIDER_ELEMENT);
	if (userGroupProviderList.getLength() != 1) {
	throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", USER_GROUP_PROVIDER_ELEMENT, fingerprint));
	}

	final Node accessPolicyProvider = accessPolicyProviderList.item(0);
	final Node userGroupProvider = userGroupProviderList.item(0);
	return new FingerprintHolder(accessPolicyProvider.getTextContent(), userGroupProvider.getTextContent());
	} catch (SAXException \| ParserConfigurationException \| IOException e) {
	throw new AuthorizationAccessException("Unable to parse fingerprint", e);
	}
	}

	@Override
	public AccessPolicyProvider getAccessPolicyProvider() {
	return accessPolicyProvider;
	}

	@Override
	public void preDestruction() throws SecurityProviderDestructionException {

	}

	private static class FingerprintHolder {
	private final String policyFingerprint;
	private final String userGroupFingerprint;

	public FingerprintHolder(String policyFingerprint, String userGroupFingerprint) {
	this.policyFingerprint = policyFingerprint;
	this.userGroupFingerprint = userGroupFingerprint;
	}

	public String getPolicyFingerprint() {
	return policyFingerprint;
	}

	public String getUserGroupFingerprint() {
	return userGroupFingerprint;
	}
	}
	}