Merge 29f99a6 into 3e167e0

server/src/main/java/keywhiz/service/permissions/AlwaysAllowDelegatingPermissionCheck.java

@@ -7,11 +7,12 @@
 
 public class AlwaysAllowDelegatingPermissionCheck implements PermissionCheck {
   private static final Logger logger = LoggerFactory.getLogger(AlwaysAllowDelegatingPermissionCheck.class);
-  private static final String successMetricName = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "success", "histogram");
-  private static final String failureMetricName = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "failure", "histogram");
 
-  private PermissionCheck delegate;
-  private MetricRegistry metricRegistry;
+  private static final String SUCCESS_METRIC_NAME = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "success", "histogram");
+  private static final String FAILURE_METRIC_NAME = MetricRegistry.name(AlwaysAllowDelegatingPermissionCheck.class, "failure", "histogram");
+
+  private final PermissionCheck delegate;
+  private final MetricRegistry metricRegistry;
 
   @Inject
   public AlwaysAllowDelegatingPermissionCheck(MetricRegistry metricRegistry, PermissionCheck delegate) {
@@ -47,9 +48,9 @@ public void checkAllowedOrThrow(Object source, String action, Object target) {
 
   private void emitHistogramMetrics(Boolean isPermitted) {
     int hasPermissionSuccessMetricInt = isPermitted ? 1 : 0;
-    metricRegistry.histogram(successMetricName).update(hasPermissionSuccessMetricInt);
+    metricRegistry.histogram(SUCCESS_METRIC_NAME).update(hasPermissionSuccessMetricInt);
 
     int hasPermissionFailureMetricInt = isPermitted ? 0 : 1;
-    metricRegistry.histogram(failureMetricName).update(hasPermissionFailureMetricInt);
+    metricRegistry.histogram(FAILURE_METRIC_NAME).update(hasPermissionFailureMetricInt);
   }
 }

server/src/main/java/keywhiz/service/permissions/AutomationClientPermissionCheck.java

@@ -7,12 +7,12 @@
 import org.slf4j.LoggerFactory;
 
 public class AutomationClientPermissionCheck implements PermissionCheck{
-  private static final Logger logger = LoggerFactory.getLogger(
-      AutomationClientPermissionCheck.class);
-  private static final String successMetricName = MetricRegistry.name(AutomationClientPermissionCheck.class, "success", "histogram");
-  private static final String failureMetricName = MetricRegistry.name(AutomationClientPermissionCheck.class, "failure", "histogram");
+  private static final Logger logger = LoggerFactory.getLogger(AutomationClientPermissionCheck.class);
 
-  private MetricRegistry metricRegistry;
+  private static final String SUCCESS_METRIC_NAME = MetricRegistry.name(AutomationClientPermissionCheck.class, "success", "histogram");
+  private static final String FAILURE_METRIC_NAME = MetricRegistry.name(AutomationClientPermissionCheck.class, "failure", "histogram");
+
+  private final MetricRegistry metricRegistry;
 
   @Inject
   public AutomationClientPermissionCheck(MetricRegistry metricRegistry) {
@@ -42,9 +42,9 @@ private boolean isAutomation(Object source) {
 
   private void emitHistogramMetrics(Boolean isPermitted) {
     int hasPermissionSuccessMetricInt = isPermitted ? 1 : 0;
-    metricRegistry.histogram(successMetricName).update(hasPermissionSuccessMetricInt);
+    metricRegistry.histogram(SUCCESS_METRIC_NAME).update(hasPermissionSuccessMetricInt);
 
     int hasPermissionFailureMetricInt = isPermitted ? 0 : 1;
-    metricRegistry.histogram(failureMetricName).update(hasPermissionFailureMetricInt);
+    metricRegistry.histogram(FAILURE_METRIC_NAME).update(hasPermissionFailureMetricInt);
   }
 }

server/src/main/java/keywhiz/service/permissions/OwnershipPermissionCheck.java

@@ -0,0 +1,67 @@
+package keywhiz.service.permissions;
+
+import com.codahale.metrics.MetricRegistry;
+import com.google.inject.Inject;
+import java.util.Set;
+import keywhiz.api.model.Client;
+import keywhiz.api.model.Group;
+import keywhiz.api.model.Secret;
+import keywhiz.service.daos.AclDAO;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class OwnershipPermissionCheck implements PermissionCheck{
+  private static final Logger logger = LoggerFactory.getLogger(OwnershipPermissionCheck.class);
+
+  private static final String SUCCESS_METRIC_NAME = MetricRegistry.name(OwnershipPermissionCheck.class, "success", "histogram");
+  private static final String FAILURE_METRIC_NAME = MetricRegistry.name(OwnershipPermissionCheck.class, "failure", "histogram");
+
+  private final MetricRegistry metricRegistry;
+  private final AclDAO aclDAO;
+
+  @Inject
+  public OwnershipPermissionCheck(MetricRegistry metricRegistry, AclDAO.AclDAOFactory aclDAOFactory) {
+    this.metricRegistry = metricRegistry;
+    this.aclDAO = aclDAOFactory.readwrite();
+  }
+
+  public boolean isAllowed(Object source, String action, Object target) {
+    boolean hasPermission = false;
+
+    if (isClient(source) && isSecret(target)) {
+      Set<Group> clientGroups = aclDAO.getGroupsFor((Client) source);
+      String secretOwner = ((Secret) target).getOwner();
+
+      for (Group group : clientGroups) {
+        if (group.getName().equals(secretOwner)) {
+          hasPermission = true;
+          break;
+        }
+      }
+    }
+
+    emitHistogramMetrics(hasPermission);
+
+    logger.info(
+        String.format("isAllowed Actor: %s, Action: %s, Target: %s, Result: %s", source, action, target,
+            hasPermission));
+
+    return hasPermission;
+  }
+
+  private boolean isClient(Object source) {
+    return source instanceof Client;
+  }
+
+  private boolean isSecret(Object target) {
+    return target instanceof Secret;
+  }
+
+  private void emitHistogramMetrics(Boolean isPermitted) {
+    int hasPermissionSuccessMetricInt = isPermitted ? 1 : 0;
+    metricRegistry.histogram(SUCCESS_METRIC_NAME).update(hasPermissionSuccessMetricInt);
+
+    int hasPermissionFailureMetricInt = isPermitted ? 0 : 1;
+    metricRegistry.histogram(FAILURE_METRIC_NAME).update(hasPermissionFailureMetricInt);
+  }
+}