package com.thinkbiganalytics.security.rest.controller;
/*-
* #%L
* thinkbig-security-controller
* %%
* Copyright (C) 2017 ThinkBig Analytics
* %%
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* #L%
*/
import com.thinkbiganalytics.metadata.api.MetadataAccess;
import com.thinkbiganalytics.rest.model.RestResponseStatus;
import com.thinkbiganalytics.security.AccessController;
import com.thinkbiganalytics.security.action.Action;
import com.thinkbiganalytics.security.action.AllowedActions;
import com.thinkbiganalytics.security.action.AllowedEntityActionsProvider;
import com.thinkbiganalytics.security.rest.model.ActionGroup;
import com.thinkbiganalytics.security.rest.model.PermissionsChange;
import com.thinkbiganalytics.security.rest.model.PermissionsChange.ChangeType;
import com.thinkbiganalytics.security.service.user.UsersGroupsAccessContol;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response.Status;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import io.swagger.annotations.SwaggerDefinition;
import io.swagger.annotations.Tag;
/**
* Obtain and manage access control information for users and groups.
*/
@Component
@Api(tags = "Security - Access Control", produces = "application/json")
@Path(AccessControlController.BASE)
@SwaggerDefinition(tags = @Tag(name = "Security - Access Control", description = "manage access controls"))
public class AccessControlController {
public static final String BASE = "/v1/security/actions";
@Inject
private MetadataAccess metadata;
@Inject
private AllowedEntityActionsProvider actionsProvider;
@Inject
@Named("actionsModelTransform")
private SecurityModelTransform actionsTransform;
@Inject
AccessController accessController;
@GET
@Path("entity-access-controlled")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation("Return true/false if entity access is enabled or not")
@ApiResponses({
@ApiResponse(code = 200, message = "Returns true/false.", response = Boolean.class)
})
public Boolean isEntityAccessControlled() {
return accessController.isEntityAccessControlled();
}
@GET
@Path("{name}/available")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation("Gets the list of available actions.")
@ApiResponses({
@ApiResponse(code = 200, message = "Returns the actions.", response = ActionGroup.class),
@ApiResponse(code = 404, message = "The given name was not found.", response = RestResponseStatus.class)
})
public ActionGroup getAvailableActions(@PathParam("name") String moduleName) {
return metadata.read(() -> {
return actionsProvider.getAvailableActions(moduleName)
.map(this.actionsTransform.toActionGroup(AllowedActions.SERVICES))
.orElseThrow(() -> new WebApplicationException("The available service actions were not found",
Status.NOT_FOUND));
});
}
@GET
@Path("{name}/allowed")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation("Gets the list of allowed actions for a principal.")
@ApiResponses({
@ApiResponse(code = 200, message = "Returns the actions.", response = ActionGroup.class),
@ApiResponse(code = 404, message = "The given name was not found.", response = RestResponseStatus.class)
})
public ActionGroup getAllowedActions(@PathParam("name") String moduleName,
@QueryParam("user") Set<String> userNames,
@QueryParam("group") Set<String> groupNames) {
Set<? extends Principal> users = Arrays.stream(this.actionsTransform.asUserPrincipals(userNames)).collect(Collectors.toSet());
Set<? extends Principal> groups = Arrays.stream(this.actionsTransform.asGroupPrincipals(groupNames)).collect(Collectors.toSet());
Principal[] principals = Stream.concat(users.stream(), groups.stream()).toArray(Principal[]::new);
// Retrieve the allowed actions by executing the query as the specified user/groups
return metadata.read(() -> {
return actionsProvider.getAllowedActions(moduleName)
.map(this.actionsTransform.toActionGroup(AllowedActions.SERVICES))
.orElseThrow(() -> new WebApplicationException("The available service actions were not found",
Status.NOT_FOUND));
}, principals);
}
@POST
@Path("{name}/allowed")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation("Modifies the permissions of a principal.")
@ApiResponses({
@ApiResponse(code = 200, message = "Returns the updated permissions.", response = ActionGroup.class),
@ApiResponse(code = 500, message = "The permissions could not be changed.", response = RestResponseStatus.class)
})
public ActionGroup postPermissionsChange(@PathParam("name") String moduleName,
PermissionsChange changes) {
// Check if changing permissions is permitted by this user
accessController.checkPermission(AccessController.SERVICES, UsersGroupsAccessContol.ADMIN_GROUPS);
Set<Action> actionSet = collectActions(changes);
Set<Principal> principals = collectPrincipals(changes);
final Consumer<Principal> permChange;
switch (changes.getChange()) {
case ADD:
permChange = (principal -> {
actionsProvider.getAllowedActions(moduleName).ifPresent(allowed -> allowed.enable(principal, actionSet));
});
break;
case REMOVE:
permChange = (principal -> {
actionsProvider.getAllowedActions(moduleName).ifPresent(allowed -> allowed.disable(principal, actionSet));
});
break;
default:
permChange = (principal -> {
actionsProvider.getAllowedActions(moduleName).ifPresent(allowed -> allowed.enableOnly(principal, actionSet));
});
}
// Currently the permission changes must be done using privileged credentials
metadata.commit(() -> {
principals.stream().forEach(permChange);
}, MetadataAccess.SERVICE);
return getAllowedActions(moduleName, changes.getUsers(), changes.getGroups());
}
@GET
@Path("{name}/change/allowed")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation("Gets the permissions that may be changed.")
@ApiResponses({
@ApiResponse(code = 200, message = "Returns the permissions.", response = PermissionsChange.class),
@ApiResponse(code = 400, message = "The type is not valid.", response = RestResponseStatus.class),
@ApiResponse(code = 404, message = "The given name was not found.", response = RestResponseStatus.class)
})
public PermissionsChange getAllowedPermissionsChange(@PathParam("name") String moduleName,
@QueryParam("type") String changeType,
@QueryParam("user") Set<String> users,
@QueryParam("group") Set<String> groups) {
accessController.checkPermission(AccessController.SERVICES, UsersGroupsAccessContol.ADMIN_GROUPS);
if (StringUtils.isBlank(changeType)) {
throw new WebApplicationException("The query parameter \"type\" is required", Status.BAD_REQUEST);
}
return metadata.read(() -> {
return actionsProvider.getAvailableActions(moduleName)
.map(this.actionsTransform.toPermissionsChange(ChangeType.valueOf(changeType.toUpperCase()), moduleName, users, groups))
.orElseThrow(() -> new WebApplicationException("The available service actions were not found",
Status.NOT_FOUND));
});
}
private Set<Principal> collectPrincipals(PermissionsChange changes) {
Set<Principal> set = new HashSet<>();
Collections.addAll(set, this.actionsTransform.asUserPrincipals(changes.getUsers()));
Collections.addAll(set, this.actionsTransform.asGroupPrincipals(changes.getGroups()));
return set;
}
/**
* Creates a set of domain actions from the REST model actions. The resulting set will
* contain only the leaf actions from the domain action hierarchy.
*/
private Set<Action> collectActions(PermissionsChange changes) {
Set<Action> set = new HashSet<>();
for (com.thinkbiganalytics.security.rest.model.Action modelAction : changes.getActionSet().getActions()) {
loadActionSet(modelAction, Action.create(modelAction.getSystemName(), modelAction.getTitle(), modelAction.getDescription()), set);
}
return set;
}
/**
* Adds an new domain action to the set if the REST model action represents a leaf of the action hierarchy.
* Otherwise, it loads the child actions recursively.
*/
private void loadActionSet(com.thinkbiganalytics.security.rest.model.Action modelAction, Action action, Set<Action> set) {
if (modelAction.getActions().isEmpty()) {
set.add(action);
} else {
for (com.thinkbiganalytics.security.rest.model.Action modelChild : modelAction.getActions()) {
loadActionSet(modelChild, action.subAction(modelChild.getSystemName(), modelChild.getTitle(), modelChild.getDescription()), set);
}
}
}
}