/**
* ContainerProxy
*
* Copyright (C) 2016-2024 Open Analytics
*
* ===========================================================================
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the Apache License as published by
* The Apache Software Foundation, either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* Apache License for more details.
*
* You should have received a copy of the Apache License
* along with this program. If not, see <http://www.apache.org/licenses/>
*/
package eu.openanalytics.containerproxy.service;
import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.model.spec.AccessControl;
import eu.openanalytics.containerproxy.model.spec.ProxySpec;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
import org.apache.commons.lang3.ArrayUtils;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
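@Service
public class AccessControlEvaluationService {

    private final IAuthenticationBackend authBackend;
    private final UserService userService;
    private final SpecExpressionResolver specExpressionResolver;

    /**
     * Creates the evaluation service.
     *
     * @param authBackend            backend consulted for whether authorization is enabled at all
     *                               (injected {@code @Lazy}, presumably to break a bean dependency cycle)
     * @param userService            answers group-membership questions for an authentication
     * @param specExpressionResolver evaluates a spec's access expression to a boolean
     */
    public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend, UserService userService, SpecExpressionResolver specExpressionResolver) {
        this.authBackend = authBackend;
        this.userService = userService;
        this.specExpressionResolver = specExpressionResolver;
    }

    /**
     * Decides whether {@code auth} may access {@code spec} under the given access control.
     * <p>
     * Evaluation order:
     * <ol>
     *   <li>an anonymous token is allowed only when the backend has no authorization at all;
     *       the access control is not consulted in that case;</li>
     *   <li>a {@code null} access control, or one without group, user and expression rules,
     *       is open to every non-anonymous caller (including a {@code null} authentication);</li>
     *   <li>otherwise the first matching rule grants access: groups, then users, then the
     *       expression. Rules that do not apply never grant access (fail closed).</li>
     * </ol>
     *
     * @param auth          the current authentication; {@code null} is accepted and can then only
     *                      be granted access by an unrestricted spec or by the expression rule
     * @param spec          the spec being accessed; exposed to the expression rule
     * @param accessControl the rules to evaluate; {@code null} means "no restrictions"
     * @param objects       extra objects exposed to the expression rule
     * @return {@code true} when access is granted
     */
    public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {
        if (auth instanceof AnonymousAuthenticationToken) {
            // anonymous -> only allowed when the backend performs no authorization at all
            return !authBackend.hasAuthorization();
        }
        if (hasAccessControl(accessControl)) {
            // no rules configured -> open to everyone who is not anonymous
            return true;
        }
        return allowedByGroups(auth, accessControl)
            || allowedByUsers(auth, accessControl)
            || allowedByExpression(auth, spec, accessControl, objects);
    }

    /**
     * Returns {@code true} when no access restrictions apply, i.e. {@code accessControl} is
     * {@code null} or defines neither groups, users nor an expression.
     * <p>
     * NOTE(review): the name reads inverted relative to the result — {@code true} means the spec
     * is <em>not</em> access controlled. The name is kept because it is part of the public API.
     *
     * @param accessControl the rules to inspect, may be {@code null}
     * @return {@code true} when there is nothing to enforce
     */
    public boolean hasAccessControl(AccessControl accessControl) {
        if (accessControl == null) {
            return true;
        }
        return !accessControl.hasGroupAccess()
            && !accessControl.hasUserAccess()
            && !accessControl.hasExpressionAccess();
    }

    /**
     * Group rule: grants access when {@code auth} is a member of at least one configured group.
     *
     * @param auth          the authentication to test; {@code null} never matches
     * @param accessControl the rules; {@code null} or no group rule means this rule does not apply
     * @return {@code true} only when a configured group contains the user
     */
    public boolean allowedByGroups(Authentication auth, AccessControl accessControl) {
        if (auth == null || accessControl == null || !accessControl.hasGroupAccess()) {
            // fail closed: no user or no group rule -> this rule grants nothing
            return false;
        }
        for (String group : accessControl.getGroups()) {
            if (userService.isMember(auth, group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * User rule: grants access when the authentication's name equals one of the configured
     * user names exactly (case-sensitive {@link String#equals}).
     *
     * @param auth          the authentication to test; {@code null}, or a {@code null} name, never matches
     * @param accessControl the rules; {@code null} or no user rule means this rule does not apply
     * @return {@code true} only when the name is listed
     */
    public boolean allowedByUsers(Authentication auth, AccessControl accessControl) {
        if (auth == null || accessControl == null || !accessControl.hasUserAccess()) {
            // fail closed: no user or no user rule -> this rule grants nothing
            return false;
        }
        String name = auth.getName();
        if (name == null) {
            return false;
        }
        for (String user : accessControl.getUsers()) {
            if (name.equals(user)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Expression rule: evaluates the access control's expression against a context built from
     * the authentication, its principal and credentials, the spec and any extra objects.
     * <p>
     * The expression originates from the spec configuration and can read the credentials
     * object placed in the context, so it has to be treated as trusted configuration, never
     * as input supplied by the requesting user.
     *
     * @param auth          the authentication; when {@code null} the context holds only the spec
     *                      and {@code objects} (no principal or credentials are available)
     * @param spec          the spec being accessed
     * @param accessControl the rules; {@code null} or no expression rule means this rule does not apply
     * @param objects       extra objects appended to the expression context
     * @return the boolean result of the expression, or {@code false} when the rule does not apply
     */
    public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {
        if (accessControl == null || !accessControl.hasExpressionAccess()) {
            // fail closed: no expression rule -> this rule grants nothing
            return false;
        }
        Object[] fixedArgs = auth == null
            ? new Object[]{spec}
            : new Object[]{auth, auth.getPrincipal(), auth.getCredentials(), spec};
        Object[] args = ArrayUtils.addAll(fixedArgs, objects);
        SpecExpressionContext context = SpecExpressionContext.create(args);
        return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), context);
    }
}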