-
Notifications
You must be signed in to change notification settings - Fork 2.6k
/
AuthorizationRequest.java
245 lines (214 loc) · 8.01 KB
/
AuthorizationRequest.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.nifi.authorization;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Supplier;
/**
* Represents an authorization request for a given user/entity performing an action against a resource within some userContext.
*/
public class AuthorizationRequest {
public static final String DEFAULT_EXPLANATION = "Unable to perform the desired action.";
private final Resource resource;
private final Resource requestedResource;
private final String identity;
private final Set<String> groups;
private final RequestAction action;
private final boolean isAccessAttempt;
private final boolean isAnonymous;
private final Map<String, String> userContext;
private final Map<String, String> resourceContext;
private final Supplier<String> explanationSupplier;
private AuthorizationRequest(final Builder builder) {
Objects.requireNonNull(builder.resource, "The resource is required when creating an authorization request");
Objects.requireNonNull(builder.action, "The action is required when creating an authorization request");
Objects.requireNonNull(builder.isAccessAttempt, "Whether this request is an access attempt is request");
Objects.requireNonNull(builder.isAnonymous, "Whether this request is being performed by an anonymous user is required");
this.resource = builder.resource;
this.identity = builder.identity;
this.groups = builder.groups == null ? null : Collections.unmodifiableSet(builder.groups);
this.action = builder.action;
this.isAccessAttempt = builder.isAccessAttempt;
this.isAnonymous = builder.isAnonymous;
this.userContext = builder.userContext == null ? null : Collections.unmodifiableMap(builder.userContext);
this.resourceContext = builder.resourceContext == null ? null : Collections.unmodifiableMap(builder.resourceContext);
this.explanationSupplier = () -> {
final String explanation = builder.explanationSupplier.get();
// ensure the specified supplier returns non null
if (explanation == null) {
return DEFAULT_EXPLANATION;
} else {
return explanation;
}
};
if (builder.requestedResource == null) {
this.requestedResource = builder.resource;
} else {
this.requestedResource = builder.requestedResource;
}
}
/**
* The Resource being authorized. Not null.
*
* @return The resource
*/
public Resource getResource() {
return resource;
}
/**
* The original Resource being requested. In cases with inherited policies, this will be a ancestor resource of
* of the current resource. The initial request, and cases without inheritance, the requested resource will be
* the same as the current resource.
*
* @return The requested resource
*/
public Resource getRequestedResource() {
return requestedResource;
}
/**
* The identity accessing the Resource. May be null if the user could not authenticate.
*
* @return The identity
*/
public String getIdentity() {
return identity;
}
/**
* The groups the user making this request belongs to. May be null if this NiFi is not configured to load user
* groups or empty if the user has no groups
*
* @return The groups
*/
public Set<String> getGroups() {
return groups;
}
/**
* Whether this is a direct access attempt of the Resource if if it's being checked as part of another response.
*
* @return if this is a direct access attempt
*/
public boolean isAccessAttempt() {
return isAccessAttempt;
}
/**
* Whether the entity accessing is anonymous.
*
* @return whether the entity is anonymous
*/
public boolean isAnonymous() {
return isAnonymous;
}
/**
* The action being taken against the Resource. Not null.
*
* @return The action
*/
public RequestAction getAction() {
return action;
}
/**
* The userContext of the user request to make additional access decisions. May be null.
*
* @return The userContext of the user request
*/
public Map<String, String> getUserContext() {
return userContext;
}
/**
* The event attributes to make additional access decisions for provenance events. May be null.
*
* @return The event attributes
*/
public Map<String, String> getResourceContext() {
return resourceContext;
}
/**
* A supplier for the explanation if access is denied. Non null.
*
* @return The explanation supplier if access is denied
*/
public Supplier<String> getExplanationSupplier() {
return explanationSupplier;
}
/**
* AuthorizationRequest builder.
*/
public static final class Builder {
private Resource resource;
private Resource requestedResource;
private String identity;
private Set<String> groups;
private Boolean isAnonymous;
private Boolean isAccessAttempt;
private RequestAction action;
private Map<String, String> userContext;
private Map<String, String> resourceContext;
private Supplier<String> explanationSupplier = () -> DEFAULT_EXPLANATION;
public Builder resource(final Resource resource) {
this.resource = resource;
return this;
}
public Builder requestedResource(final Resource requestedResource) {
this.requestedResource = requestedResource;
return this;
}
public Builder identity(final String identity) {
this.identity = identity;
return this;
}
public Builder groups(final Set<String> groups) {
this.groups = groups;
return this;
}
public Builder anonymous(final Boolean isAnonymous) {
this.isAnonymous = isAnonymous;
return this;
}
public Builder accessAttempt(final Boolean isAccessAttempt) {
this.isAccessAttempt = isAccessAttempt;
return this;
}
public Builder action(final RequestAction action) {
this.action = action;
return this;
}
public Builder userContext(final Map<String, String> userContext) {
if (userContext != null) {
this.userContext = new HashMap<>(userContext);
}
return this;
}
public Builder resourceContext(final Map<String, String> resourceContext) {
if (resourceContext != null) {
this.resourceContext = new HashMap<>(resourceContext);
}
return this;
}
public Builder explanationSupplier(final Supplier<String> explanationSupplier) {
if (explanationSupplier != null) {
this.explanationSupplier = explanationSupplier;
}
return this;
}
public AuthorizationRequest build() {
return new AuthorizationRequest(this);
}
}
}