PermissionsManager.java example

Explorer
hydra-master
/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.addthis.hydra.job.auth;

import javax.annotation.Nonnull;

import java.io.Closeable;
import java.io.IOException;

import com.google.common.io.Closer;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Wrapper class around authentication and authorization. Provides convenience methods
 * for authorization operations that must first be authenticated.
 */
public final class PermissionsManager implements Closeable {

    private static final Logger log = LoggerFactory.getLogger(PermissionsManager.class);

    @Nonnull
    private final AuthenticationManager authentication;

    @Nonnull
    private final AuthorizationManager authorization;

    @Nonnull
    private final Closer closer;

    private static PermissionsManager ALLOW_ALL = new PermissionsManager(
            new AuthenticationManagerAllowAll(), new AuthorizationManagerAllowAll());

    public static PermissionsManager createManagerAllowAll() {
        return ALLOW_ALL;
    }

    @JsonCreator
    public PermissionsManager(@JsonProperty(value = "authentication", required = true) AuthenticationManager authentication,
                              @JsonProperty(value = "authorization", required = true) AuthorizationManager authorization) {
        this.authentication = authentication;
        this.authorization = authorization;
        this.closer = Closer.create();
        closer.register(authentication);
        closer.register(authorization);
    }

    /**
     * Authorization checks that are common to all endpoints.
     * If the user is null then authorization fails. If the user's
     * sudo token matches the static sudo token returned by the
     * authentication manager then authorization succeeds.
     *
     * @param user
     * @param sudo
     * @return outcome of authorization or null to continue processing
     */
    private Boolean authorizationCommon(User user, String sudo) {
        if (user == null) {
            return Boolean.FALSE;
        } else if ((sudo != null) && sudo.equals(authentication.sudoToken(user.name()))) {
            return Boolean.TRUE;
        }
        return null;
    }

    public boolean isWritable(String username, String secret, String sudo, WritableAsset asset) {
        User user = authentication.authenticate(username, secret);
        Boolean result = authorizationCommon(user, sudo);
        if (result != null) return result;
        return authorization.isWritable(user, sudo, asset);
    }

    public boolean isExecutable(String username, String secret, String sudo, ExecutableAsset asset) {
        User user = authentication.authenticate(username, secret);
        Boolean result = authorizationCommon(user, sudo);
        if (result != null) return result;
        return authorization.isExecutable(user, sudo, asset);
    }

    public boolean canModifyPermissions(String username, String secret, String sudo, WritableAsset asset) {
        User user = authentication.authenticate(username, secret);
        Boolean result = authorizationCommon(user, sudo);
        if (result != null) return result;
        return authorization.canModifyPermissions(user, sudo, asset);
    }

    public boolean adminAction(String username, String secret, String sudo) {
        User user = authentication.authenticate(username, secret);
        Boolean result = authorizationCommon(user, sudo);
        if (result != null) return result;
        return authorization.adminAction(user, sudo);
    }

    public User authenticate(String username, String secret) {
        return authentication.authenticate(username, secret);
    }

    public String login(String username, String password, boolean ssl) {
        return authentication.login(username, password, ssl);
    }

    public String sudo(String username, String password, boolean ssl) {
        boolean success = authentication.verify(username, password, ssl);
        User user = success ? authentication.getUser(username) : null;
        if (user == null) {
            return null;
        } else {
            String staticToken = authentication.sudoToken(username);
            if (staticToken != null) {
                return staticToken;
            } else {
                return authorization.sudo(user, authentication.isAdmin(user));
            }
        }
    }

    public boolean evict(String username) {
        User user = authentication.getUser(username);
        if (user != null) {
            authentication.evict(username);
            authorization.logout(username);
            return true;
        } else {
            return false;
        }
    }

    public void logout(String username, String secret) {
        User user = authentication.authenticate(username, secret);
        if (user != null) {
            authentication.logout(username, secret);
            authorization.logout(username);
        }
    }

    @Override
    public void close() throws IOException {
        closer.close();
    }

}