Java Code Examples for org.jboss.as.controller.OperationContext#authorize()

The following examples show how to use org.jboss.as.controller.OperationContext#authorize().
Example 1
Source File: LegacyConfigurationChangeResourceDefinition.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Secures the operation: if the caller can address the resource, we check whether they can see the
 * operation parameters; otherwise we return the operation without its address and parameters.
 *
 * @param context the operation context.
 * @param operation the operation we are securing.
 * @return the secured operation, i.e. trimmed of all sensitive data.
 * @throws OperationFailedException
 */
private ModelNode secureOperation(OperationContext context, ModelNode operation) throws OperationFailedException {
    final PathAddress target = PathAddress.pathAddress(operation.get(OP_ADDR));
    // Check every proper prefix of the address (0 .. size-1 elements) with isAccessPermitted and
    // stop at the first one that is rejected. The full address is probed separately below.
    int depth = 0;
    while (depth < target.size()) {
        final ModelNode prefix = target.subAddress(0, depth).toModelNode();
        if (!isAccessPermitted(context, prefix)) {
            return accessDenied(operation);
        }
        depth++;
    }
    // The authorization check uses a synthetic read-resource operation on the full address,
    // not the operation being secured.
    final ModelNode probe = new ModelNode();
    probe.get(OP).set(READ_RESOURCE_OPERATION);
    probe.get(OP_ADDR).set(target.toModelNode());
    final AuthorizationResult.Decision decision = context.authorize(probe, ADDRESS_EFFECT).getDecision();
    // Only an explicit PERMIT exposes the (parameter-filtered) operation; every other
    // decision falls through to accessDenied.
    return decision == AuthorizationResult.Decision.PERMIT
            ? secureOperationParameters(context, operation)
            : accessDenied(operation);
}
 
Example 2
Source File: AbstractDeploymentUploadHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * {@inheritDoc}
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    if (contentRepository == null) {
        // No content repository: this is a slave domain controller and we should ignore this operation
        return;
    }

    // Authorization runs before the content stream is obtained or anything is stored.
    // NOTE(review): failIfDenied presumably throws for a denied caller — confirm in AuthorizationResult.
    context.authorize(operation, ACTION_EFFECT_SET).failIfDenied(operation, context.getCurrentAddress());

    try {
        final InputStream content = getContentInputStream(context, operation);
        try {
            // The value returned by addContent becomes the operation result.
            final byte[] contentHash = contentRepository.addContent(content);
            context.getResult().set(contentHash);
        } finally {
            // Close the stream whether or not the upload succeeded.
            safeClose(content);
        }
    } catch (IOException e) {
        throw ROOT_LOGGER.caughtIOExceptionUploadingContent(e);
    }
}
 
Example 3
Source File: ConfigurationPublishHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes the caller for {@code operation}, then asks the persister to publish the
 * configuration and stores the value it returns as the operation result.
 *
 * @param context the operation context used for authorization and for the result.
 * @param operation the incoming operation; may carry the optional LOCATION attribute.
 * @throws OperationFailedException if authorization is denied or the persister fails.
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {

    final AuthorizationResult authz = context.authorize(operation);
    // Rejects on an explicit DENY only; any other decision lets the handler continue.
    // NOTE(review): a fail-closed form would compare against PERMIT — confirm Decision has no third value.
    if (authz.getDecision() == AuthorizationResult.Decision.DENY) {
        throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.get(OP).asString(), context.getCurrentAddress(), authz.getExplanation());
    }

    // LOCATION is optional: the persister receives null when the request does not define it.
    // NOTE(review): the value is caller-supplied; confirm publish() validates or constrains it.
    final String location = operation.hasDefined(LOCATION.getName())
            ? LOCATION.resolveModelAttribute(context, operation).asString()
            : null;
    try {
        context.getResult().set(persister.publish(location));
    } catch (ConfigurationPersistenceException e) {
        throw new OperationFailedException(e);
    }
    context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
 
Example 4
Source File: SnapshotDeleteHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes the caller for {@code operation}, then asks the persister to delete the
 * snapshot named by the required NAME parameter.
 *
 * @param context the operation context used for authorization and step completion.
 * @param operation the incoming operation; must define NAME.
 * @throws OperationFailedException if authorization is denied or the deletion fails.
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {

    final AuthorizationResult authz = context.authorize(operation);
    // Rejects on an explicit DENY only; any other decision lets the handler continue.
    // NOTE(review): a fail-closed form would compare against PERMIT — confirm Decision has no third value.
    if (authz.getDecision() == AuthorizationResult.Decision.DENY) {
        throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.get(OP).asString(), context.getCurrentAddress(), authz.getExplanation());
    }

    // NOTE(review): the snapshot name comes straight from the request; confirm deleteSnapshot
    // restricts it to entries of the snapshot directory.
    final String snapshotName = operation.require(ModelDescriptionConstants.NAME).asString();
    try {
        persister.deleteSnapshot(snapshotName);
    } catch (Exception e) {
        // Every failure, checked or unchecked, is reported to the caller as an operation failure.
        throw new OperationFailedException(e);
    }
    context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
 
Example 5
Source File: GenericSubsystemDescribeHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes the caller with DESCRIBE_EFFECTS, then describes the resource at the current
 * address into the operation result.
 *
 * @param context the operation context.
 * @param operation the describe operation.
 * @throws OperationFailedException if the decision is anything other than PERMIT.
 */
@Override
public void execute(final OperationContext context, final ModelNode operation) throws OperationFailedException {
    final PathAddress pa = context.getCurrentAddress();

    // Fail closed: the handler proceeds only on an explicit PERMIT.
    final AuthorizationResult authz = context.authorize(operation, DESCRIBE_EFFECTS);
    if (authz.getDecision() != AuthorizationResult.Decision.PERMIT) {
        throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.require(OP).asString(), pa, authz.getExplanation());
    }

    // The describe address holds only the last element of the current address, or is an
    // empty list when the current address has no elements.
    final ModelNode address = pa.size() > 0
            ? new ModelNode().add(pa.getLastElement().getKey(), pa.getLastElement().getValue())
            : new ModelNode().setEmptyList();

    final Resource resource = context.readResource(PathAddress.EMPTY_ADDRESS);
    final ModelNode result = context.getResult();
    describe(context.getAttachment(OrderedChildTypesAttachment.KEY), resource,
            address, result, context.getResourceRegistration());
}
 
Example 6
Source File: SnapshotListHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes the caller for {@code operation}, then returns the snapshot directory and the
 * snapshot names reported by the persister.
 *
 * @param context the operation context used for authorization and for the result.
 * @param operation the incoming operation.
 * @throws OperationFailedException if authorization is denied or listing fails.
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    final AuthorizationResult authz = context.authorize(operation);
    // Rejects on an explicit DENY only; any other decision lets the handler continue.
    // NOTE(review): a fail-closed form would compare against PERMIT — confirm Decision has no third value.
    if (authz.getDecision() == AuthorizationResult.Decision.DENY) {
        throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.get(OP).asString(), context.getCurrentAddress(), authz.getExplanation());
    }

    try {
        final SnapshotInfo snapshots = persister.listSnapshots();
        final ModelNode result = context.getResult();
        // The result exposes the snapshot directory as reported by the persister.
        result.get(ModelDescriptionConstants.DIRECTORY).set(snapshots.getSnapshotDirectory());
        // NAMES is always a list, even when there are no snapshots.
        final ModelNode names = result.get(ModelDescriptionConstants.NAMES).setEmptyList();
        for (String snapshotName : snapshots.names()) {
            names.add(snapshotName);
        }
    } catch (Exception e) {
        // Every failure, checked or unchecked, is reported to the caller as an operation failure.
        throw new OperationFailedException(e);
    }
    context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
 
Example 7
Source File: SnapshotTakeHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes the caller for {@code operation}, then asks the persister to take a snapshot
 * and stores the name it returns as the operation result.
 *
 * @param context the operation context used for authorization and for the result.
 * @param operation the incoming operation; COMMENT and SNAPSHOT_NAME are resolved from it.
 * @throws OperationFailedException if authorization is denied or the snapshot fails.
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    final AuthorizationResult authz = context.authorize(operation);
    // Rejects on an explicit DENY only; any other decision lets the handler continue.
    // NOTE(review): a fail-closed form would compare against PERMIT — confirm Decision has no third value.
    if (authz.getDecision() == AuthorizationResult.Decision.DENY) {
        throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.get(OP).asString(), context.getCurrentAddress(), authz.getExplanation());
    }

    // Both attributes are read with asStringOrNull and handed to the persister unchanged.
    // NOTE(review): the snapshot name is caller-supplied; confirm snapshot() constrains it.
    final String comment = COMMENT.resolveModelAttribute(context, operation).asStringOrNull();
    final String snapshot = SNAPSHOT_NAME.resolveModelAttribute(context, operation).asStringOrNull();
    try {
        final String takenName = persister.snapshot(snapshot, comment);
        context.getResult().set(takenName);
    } catch (ConfigurationPersistenceException e) {
        throw new OperationFailedException(e);
    }
    context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
 
Example 8
Source File: AbstractDeploymentUploadHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * {@inheritDoc}
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    try {
        // Validate the operation first, then authorize; the content stream is only
        // obtained after both steps have passed.
        attribute.validateOperation(operation);
        // NOTE(review): failIfDenied presumably throws for a denied caller — confirm in AuthorizationResult.
        context.authorize(operation, ACTION_EFFECT_SET).failIfDenied(operation, context.getCurrentAddress());

        final InputStream content = getContentInputStream(context, operation);
        try {
            // The value returned by addContent becomes the operation result.
            final byte[] contentHash = contentRepository.addContent(content);
            context.getResult().set(contentHash);
        } finally {
            // Close the stream whether or not the upload succeeded.
            safeClose(content);
        }
    } catch (IOException e) {
        throw ServerLogger.ROOT_LOGGER.caughtIOExceptionUploadingContent(e);
    }
}
 
Example 9
Source File: ConfigurationChangeResourceDefinition.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Secures the operation: if the caller can address the resource, we check whether they can see the
 * operation parameters; otherwise we return the operation without its address and parameters.
 *
 * @param context the operation context.
 * @param operation the operation we are securing.
 * @return the secured operation, i.e. trimmed of all sensitive data.
 * @throws OperationFailedException
 */
private ModelNode secureOperation(OperationContext context, ModelNode operation) throws OperationFailedException {
    final PathAddress target = PathAddress.pathAddress(operation.get(OP_ADDR));
    // Check every proper prefix of the address (0 .. size-1 elements) with isAccessPermitted and
    // stop at the first one that is rejected. The full address is probed separately below.
    int depth = 0;
    while (depth < target.size()) {
        final ModelNode prefix = target.subAddress(0, depth).toModelNode();
        if (!isAccessPermitted(context, prefix)) {
            return accessDenied(operation);
        }
        depth++;
    }
    // The authorization check uses a synthetic read-resource operation on the full address,
    // not the operation being secured.
    final ModelNode probe = new ModelNode();
    probe.get(OP).set(READ_RESOURCE_OPERATION);
    probe.get(OP_ADDR).set(target.toModelNode());
    final AuthorizationResult.Decision decision = context.authorize(probe, ADDRESS_EFFECT).getDecision();
    // Only an explicit PERMIT exposes the (parameter-filtered) operation; every other
    // decision falls through to accessDenied.
    return decision == AuthorizationResult.Decision.PERMIT
            ? secureOperationParameters(context, operation)
            : accessDenied(operation);
}
 
Example 10
Source File: LegacyConfigurationChangeResourceDefinition.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Tells whether the caller is permitted to read the resource at {@code address}.
 *
 * @param context the operation context that performs the authorization.
 * @param address the address to test, as a model node.
 * @return {@code true} only when the decision is PERMIT.
 */
private boolean isAccessPermitted(OperationContext context, ModelNode address) {
    // Authorization is evaluated against a synthetic read-resource operation with READ_EFFECT.
    final ModelNode probe = new ModelNode();
    probe.get(OP).set(READ_RESOURCE_OPERATION);
    probe.get(OP_ADDR).set(address);
    // Fail closed: anything other than PERMIT counts as not permitted.
    return context.authorize(probe, READ_EFFECT).getDecision() == AuthorizationResult.Decision.PERMIT;
}
 
Example 11
Source File: ProfileDescribeHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes the caller with DESCRIBE_EFFECTS, records whether the operation is part of a
 * server launch, and then delegates to the superclass implementation.
 *
 * @param context the operation context.
 * @param operation the describe operation.
 * @throws OperationFailedException propagated from authorization, attribute resolution or the superclass.
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    // Authorization comes first, before any attachment is made or the superclass runs.
    // NOTE(review): failIfDenied presumably throws for a denied caller — confirm in AuthorizationResult.
    context.authorize(operation, DESCRIBE_EFFECTS).failIfDenied(operation, context.getCurrentAddress());

    // WFCORE-1353. If this op is being used as part of a server launch, pass that info
    // to any subsystem describe handlers.
    final boolean serverLaunch = SERVER_LAUNCH.resolveModelAttribute(context, operation).asBoolean();
    if (serverLaunch) {
        context.attach(GenericSubsystemDescribeHandler.SERVER_LAUNCH_KEY, Boolean.TRUE);
    }

    super.execute(context, operation);
}
 
Example 12
Source File: ReadAttributeHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes the read of the attribute named by the operation's NAME parameter against the
 * value currently held in the result.
 *
 * @param context the operation context holding the result.
 * @param operation the read-attribute operation; must define NAME and OP.
 * @throws OperationFailedException if the decision is DENY.
 */
private void doExecuteInternal(OperationContext context, ModelNode operation) throws OperationFailedException {
    // authorize() is given a clone of the current result (or an empty node), not the result itself.
    final ModelNode value;
    if (context.hasResult()) {
        value = context.getResult().clone();
    } else {
        value = new ModelNode();
    }
    final AuthorizationResult authz = context.authorize(operation, operation.require(NAME).asString(), value);
    if (authz.getDecision() == AuthorizationResult.Decision.DENY) {
        // The result is cleared before the failure is raised, presumably so that a denied read
        // does not carry the attribute value back to the caller.
        context.getResult().clear();
        throw ControllerLogger.ROOT_LOGGER.unauthorized(operation.require(OP).asString(), context.getCurrentAddress(), authz.getExplanation());
    }
}
 
Example 13
Source File: AuthorizedAddress.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Builds the form of the operation's address that the caller is allowed to see.
 * <p>
 * If the full address is permitted it is returned unchanged with the elided flag false.
 * Otherwise the address is probed one element at a time; the returned address stops at the
 * first denied element, whose value is replaced by HIDDEN, and the elided flag is true.
 *
 * @param context the operation context that performs the authorization.
 * @param operation the operation whose OP_ADDR is examined.
 * @return the authorized (possibly elided) address.
 */
public static AuthorizedAddress authorizeAddress(OperationContext context, ModelNode operation) {
    final ModelNode fullAddress = operation.get(ModelDescriptionConstants.OP_ADDR);
    // All checks use a synthetic read-resource operation with ADDRESS_EFFECT.
    final ModelNode probe = new ModelNode();
    probe.get(OP).set(READ_RESOURCE_OPERATION);
    probe.get(OP_ADDR).set(fullAddress);

    if (context.authorize(probe, ADDRESS_EFFECT).getDecision() == AuthorizationResult.Decision.PERMIT) {
        return new AuthorizedAddress(fullAddress, false);
    }

    // The full address was not permitted: grow a prefix element by element to find how much
    // of it may be shown.
    final ModelNode prefix = new ModelNode().setEmptyList();
    final ModelNode visible = new ModelNode().setEmptyList();
    for (Property element : fullAddress.asPropertyList()) {
        prefix.add(element);
        probe.get(OP_ADDR).set(prefix);
        final AuthorizationResult.Decision decision = context.authorize(probe, ADDRESS_EFFECT).getDecision();
        if (decision == AuthorizationResult.Decision.DENY) {
            // Keep the key of the first denied element but hide its value, and drop the rest.
            visible.add(element.getName(), HIDDEN);
            return new AuthorizedAddress(visible, true);
        }
        visible.add(element);
    }

    // Should not be reachable, but in case of a bug, be conservative and hide data
    final ModelNode fullyHidden = new ModelNode();
    fullyHidden.add(HIDDEN, HIDDEN);
    return new AuthorizedAddress(fullyHidden, true);
}
 
Example 14
Source File: ConfigurationChangeResourceDefinition.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Tells whether the caller is permitted to read the resource at {@code address}.
 *
 * @param context the operation context that performs the authorization.
 * @param address the address to test, as a model node.
 * @return {@code true} only when the decision is PERMIT.
 */
private boolean isAccessPermitted(OperationContext context, ModelNode address) {
    // Authorization is evaluated against a synthetic read-resource operation with READ_EFFECT.
    final ModelNode probe = new ModelNode();
    probe.get(OP).set(READ_RESOURCE_OPERATION);
    probe.get(OP_ADDR).set(address);
    // Fail closed: anything other than PERMIT counts as not permitted.
    return context.authorize(probe, READ_EFFECT).getDecision() == AuthorizationResult.Decision.PERMIT;
}
 
Example 15
Source File: ValidateOperationHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes {@code authOp} for the ADDRESS effect after copying the operation headers of
 * {@code opWithHeaders} onto it.
 *
 * @param context the operation context that performs the authorization.
 * @param authOp the operation to authorize; its OPERATION_HEADERS are overwritten in place.
 * @param opWithHeaders the operation whose headers are copied.
 * @return the authorization result for {@code authOp}.
 */
private AuthorizationResult authorize(OperationContext context, ModelNode authOp, ModelNode opWithHeaders) {
    // The headers are set on the node passed in, so the caller's authOp is modified.
    final ModelNode authHeaders = authOp.get(OPERATION_HEADERS);
    authHeaders.set(opWithHeaders.get(OPERATION_HEADERS));
    return context.authorize(authOp, Collections.singleton(ActionEffect.ADDRESS));
}
 
Example 16
Source File: ValidateAddressOperationHandler.java    From wildfly-core with GNU Lesser General Public License v2.1
/**
 * Authorizes a read-resource probe at {@code address} for the ADDRESS effect.
 *
 * @param context the operation context that performs the authorization.
 * @param address the address to probe.
 * @param operation the original operation; it is cloned, not modified.
 * @return the authorization result for the probe.
 */
private AuthorizationResult authorize(OperationContext context, PathAddress address, ModelNode operation) {
    // Work on a clone so the caller's operation is left untouched; everything except the
    // operation name and address is carried over from the original.
    final ModelNode probe = operation.clone();
    probe.get(OP).set(READ_RESOURCE_OPERATION);
    probe.get(OP_ADDR).set(address.toModelNode());
    final AuthorizationResult outcome = context.authorize(probe, Collections.singleton(ActionEffect.ADDRESS));
    return outcome;
}