http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/StandardRootGroupPort.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/StandardRootGroupPort.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/StandardRootGroupPort.java index 873cd33..ea79675 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/StandardRootGroupPort.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/main/java/org/apache/nifi/remote/StandardRootGroupPort.java @@ -16,24 +16,6 @@ */ package org.apache.nifi.remote; -import static java.util.Objects.requireNonNull; - -import java.io.IOException; -import java.net.SocketTimeoutException; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.HashSet; -import java.util.List; -import java.util.Set; -import java.util.concurrent.ArrayBlockingQueue; -import java.util.concurrent.BlockingQueue; -import java.util.concurrent.TimeUnit; -import java.util.concurrent.atomic.AtomicBoolean; -import java.util.concurrent.atomic.AtomicReference; -import java.util.concurrent.locks.Lock; -import java.util.concurrent.locks.ReentrantLock; - import org.apache.nifi.authorization.AuthorizationResult; import org.apache.nifi.authorization.AuthorizationResult.Result; import org.apache.nifi.authorization.Authorizer; 
@@ -41,9 +23,10 @@ import org.apache.nifi.authorization.RequestAction; import org.apache.nifi.authorization.resource.Authorizable; import org.apache.nifi.authorization.resource.DataTransferAuthorizable; import org.apache.nifi.authorization.user.NiFiUser; -import org.apache.nifi.authorization.user.StandardNiFiUser; +import org.apache.nifi.authorization.user.StandardNiFiUser.Builder; import org.apache.nifi.authorization.util.IdentityMapping; import org.apache.nifi.authorization.util.IdentityMappingUtil; +import org.apache.nifi.authorization.util.UserGroupUtil; import org.apache.nifi.components.ValidationResult; import org.apache.nifi.connectable.ConnectableType; import org.apache.nifi.controller.AbstractPort; @@ -73,6 +56,24 @@ import org.apache.nifi.util.NiFiProperties; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.io.IOException; +import java.net.SocketTimeoutException; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Set; +import java.util.concurrent.ArrayBlockingQueue; +import java.util.concurrent.BlockingQueue; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.atomic.AtomicBoolean; +import java.util.concurrent.atomic.AtomicReference; +import java.util.concurrent.locks.Lock; +import java.util.concurrent.locks.ReentrantLock; + +import static java.util.Objects.requireNonNull; + public class StandardRootGroupPort extends AbstractPort implements RootGroupPort { private static final String CATEGORY = "Site to Site"; 
@@ -362,8 +363,8 @@ public class StandardRootGroupPort extends AbstractPort implements RootGroupPort } final String identity = IdentityMappingUtil.mapIdentity(dn, identityMappings); - - return checkUserAuthorization(new StandardNiFiUser(identity)); + final Set<String> groups = UserGroupUtil.getUserGroups(authorizer, identity); + return checkUserAuthorization(new Builder().identity(identity).groups(groups).build()); } @Override
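Review bot: The port authorization decision now depends on `UserGroupUtil.getUserGroups(authorizer, identity)`, which is keyed on the identity string produced by `IdentityMappingUtil.mapIdentity`, and the hunk does not say what an identity unknown to the authorizer yields. The helper's body is not visible here, so it is worth confirming that it returns an empty set rather than null or an exception. A comment above the lookup would record this, such as `// groups are resolved from the mapped identity; an identity the authorizer does not know is expected to carry no groups`. Separately, importing the nested class as a bare `Builder` makes `new Builder()` hard to read in a security-sensitive path; importing `StandardNiFiUser` and writing `new StandardNiFiUser.Builder()` would be clearer. The enclosing method starts above this hunk.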
http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java index dbb2aaf..36a9524 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiServiceFacade.java @@ -2559,6 +2559,7 @@ public class StandardNiFiServiceFacade implements NiFiServiceFacade { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getDataTransferResource(port.getResource())) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(false) .action(RequestAction.WRITE) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiWebConfigurationContext.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiWebConfigurationContext.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiWebConfigurationContext.java index cbae778..1444040 100644 
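Review bot: The `.groups(user.getGroups())` line is added by hand to each `AuthorizationRequest.Builder` chain, so any chain this commit did not touch would still evaluate policies without group membership. The same line appears in the hunks for StandardNiFiWebConfigurationContext, ControllerResource, CountersResource, FlowResource (both hunks), ProvenanceResource, ResourceResource, SiteToSiteResource and SystemDiagnosticsResource. Such an omission would deny group-granted access rather than grant extra access, but it would make authorization results depend on which endpoint is called. A single shared helper that fills identity, groups and the anonymous flag from a `NiFiUser` would keep these call sites consistent. It is also worth confirming that `user.getGroups()` cannot be null for users built without groups, since the builder's handling of null is not visible in this diff.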
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiWebConfigurationContext.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/StandardNiFiWebConfigurationContext.java @@ -17,20 +17,6 @@ package org.apache.nifi.web; import com.sun.jersey.core.util.MultivaluedMapImpl; -import java.io.UnsupportedEncodingException; -import java.net.URI; -import java.net.URISyntaxException; -import java.net.URLEncoder; -import java.util.Collection; -import java.util.Date; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Objects; -import javax.ws.rs.HttpMethod; -import javax.ws.rs.core.MultivaluedMap; -import javax.ws.rs.core.Response; import org.apache.commons.lang3.StringUtils; import org.apache.nifi.action.Action; import org.apache.nifi.action.Component; @@ -79,6 +65,21 @@ import org.apache.nifi.web.util.ClientResponseUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.ws.rs.HttpMethod; +import javax.ws.rs.core.MultivaluedMap; +import javax.ws.rs.core.Response; +import java.io.UnsupportedEncodingException; +import java.net.URI; +import java.net.URISyntaxException; +import java.net.URLEncoder; +import java.util.Collection; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Objects; + /** * Implements the NiFiWebConfigurationContext interface to support a context in both standalone and clustered environments. */ 
@@ -110,6 +111,7 @@ public class StandardNiFiWebConfigurationContext implements NiFiWebConfiguration final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getFlowResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(RequestAction.READ) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java index 999c832..689ce7b 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/AccessPolicyResource.java @@ -23,8 +23,8 @@ import com.wordnik.swagger.annotations.ApiResponse; import com.wordnik.swagger.annotations.ApiResponses; import com.wordnik.swagger.annotations.Authorization; import org.apache.commons.lang3.StringUtils; -import org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer; import org.apache.nifi.authorization.Authorizer; +import org.apache.nifi.authorization.AuthorizerCapabilityDetection; import org.apache.nifi.authorization.RequestAction; import org.apache.nifi.authorization.resource.Authorizable; import org.apache.nifi.authorization.user.NiFiUserUtils; 
@@ -140,8 +140,8 @@ public class AccessPolicyResource extends ApplicationResource { ) @PathParam("resource") String rawResource) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER); } // parse the action and resource type @@ -203,8 +203,8 @@ public class AccessPolicyResource extends ApplicationResource { ) final AccessPolicyEntity requestAccessPolicyEntity) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_POLICIES); } if (requestAccessPolicyEntity == null || requestAccessPolicyEntity.getComponent() == null) { @@ -294,8 +294,8 @@ public class AccessPolicyResource extends ApplicationResource { @PathParam("id") final String id) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER); } if (isReplicateRequest()) { 
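Review bot: The unchanged comment `// ensure we're running with a configurable authorizer` no longer matches the guards beneath it. In these hunks the read endpoints test `isManagedAuthorizer` and the mutating endpoints test `isConfigurableAccessPolicyProvider`. The same stale comment sits above every guard in the remaining AccessPolicyResource hunks and in all the TenantsResource guard hunks. I would replace it per case with `// reads only require a managed authorizer` or `// writes require a configurable access policy provider` (`configurable user group provider` in TenantsResource). That documents the read/write split, which as far as this diff shows is the only thing rejecting write attempts against a non-configurable provider.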
@@ -356,8 +356,8 @@ public class AccessPolicyResource extends ApplicationResource { ) final AccessPolicyEntity requestAccessPolicyEntity) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_POLICIES); } if (requestAccessPolicyEntity == null || requestAccessPolicyEntity.getComponent() == null) { @@ -454,8 +454,8 @@ public class AccessPolicyResource extends ApplicationResource { @PathParam("id") final String id) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_POLICIES); } if (isReplicateRequest()) { http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java index cb87ca2..0a3b0e0 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ControllerResource.java @@ -110,6 +110,7 @@ public class ControllerResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getControllerResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(action) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/CountersResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/CountersResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/CountersResource.java index 3d6c3be..2a2c2b9 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/CountersResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/CountersResource.java @@ -94,6 +94,7 @@ public class CountersResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getCountersResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(action) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java index a380aa7..14f2108 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/FlowResource.java @@ -217,6 +217,7 @@ public class FlowResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getFlowResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(RequestAction.READ) @@ -2236,6 +2237,7 @@ public class FlowResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getControllerResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(RequestAction.READ) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProvenanceResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProvenanceResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProvenanceResource.java index 10663be..2aff9ca 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProvenanceResource.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ProvenanceResource.java @@ -114,6 +114,7 @@ public class ProvenanceResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getProvenanceResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(RequestAction.READ) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ResourceResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ResourceResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ResourceResource.java index cd41ed9..56c62bc 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ResourceResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ResourceResource.java @@ -74,6 +74,7 @@ public class ResourceResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getResourceResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(RequestAction.READ) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SiteToSiteResource.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SiteToSiteResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SiteToSiteResource.java index 744a9f4..ce5b327 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SiteToSiteResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SiteToSiteResource.java @@ -112,6 +112,7 @@ public class SiteToSiteResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getSiteToSiteResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(RequestAction.READ) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SystemDiagnosticsResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SystemDiagnosticsResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SystemDiagnosticsResource.java index 04e8683..b000060 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SystemDiagnosticsResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/SystemDiagnosticsResource.java 
@@ -77,6 +77,7 @@ public class SystemDiagnosticsResource extends ApplicationResource { final AuthorizationRequest request = new AuthorizationRequest.Builder() .resource(ResourceFactory.getSystemResource()) .identity(user.getIdentity()) + .groups(user.getGroups()) .anonymous(user.isAnonymous()) .accessAttempt(true) .action(RequestAction.READ) http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TenantsResource.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TenantsResource.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TenantsResource.java index ab82ace..d489009 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TenantsResource.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/TenantsResource.java @@ -23,8 +23,8 @@ import com.wordnik.swagger.annotations.ApiResponse; import com.wordnik.swagger.annotations.ApiResponses; import com.wordnik.swagger.annotations.Authorization; import org.apache.commons.lang3.StringUtils; -import org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer; import org.apache.nifi.authorization.Authorizer; +import org.apache.nifi.authorization.AuthorizerCapabilityDetection; import org.apache.nifi.authorization.RequestAction; import org.apache.nifi.authorization.resource.Authorizable; import org.apache.nifi.authorization.user.NiFiUserUtils; 
@@ -149,8 +149,8 @@ public class TenantsResource extends ApplicationResource { ) final UserEntity requestUserEntity) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_USERS); } if (requestUserEntity == null || requestUserEntity.getComponent() == null) { @@ -234,8 +234,8 @@ public class TenantsResource extends ApplicationResource { @PathParam("id") final String id) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER); } if (isReplicateRequest()) { @@ -284,8 +284,8 @@ public class TenantsResource extends ApplicationResource { public Response getUsers() { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER); } if (isReplicateRequest()) { 
@@ -352,8 +352,8 @@ public class TenantsResource extends ApplicationResource { ) final UserEntity requestUserEntity) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_USERS); } if (requestUserEntity == null || requestUserEntity.getComponent() == null) { @@ -448,8 +448,8 @@ public class TenantsResource extends ApplicationResource { @PathParam("id") final String id) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_USERS); } if (isReplicateRequest()) { @@ -538,8 +538,8 @@ public class TenantsResource extends ApplicationResource { ) final UserGroupEntity requestUserGroupEntity) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_USERS); } if (requestUserGroupEntity == null || requestUserGroupEntity.getComponent() == null) { 
@@ -623,8 +623,8 @@ public class TenantsResource extends ApplicationResource { @PathParam("id") final String id) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER); } if (isReplicateRequest()) { @@ -673,8 +673,8 @@ public class TenantsResource extends ApplicationResource { public Response getUserGroups() { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER); } if (isReplicateRequest()) { @@ -740,8 +740,8 @@ public class TenantsResource extends ApplicationResource { ) final UserGroupEntity requestUserGroupEntity) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_USERS); } if (requestUserGroupEntity == null || requestUserGroupEntity.getComponent() == null) { 
@@ -836,8 +836,8 @@ public class TenantsResource extends ApplicationResource { @PathParam("id") final String id) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_CONFIGURABLE_USERS); } if (isReplicateRequest()) { @@ -897,7 +897,7 @@ public class TenantsResource extends ApplicationResource { @ApiResponse(code = 409, message = "The request was valid but NiFi was not in the appropriate state to process it. Retrying the same request later may be successful.") } ) - public Response searchCluster( + public Response searchTenants( @ApiParam( value = "Identity to search for.", required = true @@ -905,8 +905,8 @@ public class TenantsResource extends ApplicationResource { @QueryParam("q") @DefaultValue(StringUtils.EMPTY) String value) { // ensure we're running with a configurable authorizer - if (!(authorizer instanceof AbstractPolicyBasedAuthorizer)) { - throw new IllegalStateException(AccessPolicyDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + if (!AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + throw new IllegalStateException(AccessPolicyDAO.MSG_NON_MANAGED_AUTHORIZER); } if (isReplicateRequest()) { http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/AccessDeniedExceptionMapper.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/AccessDeniedExceptionMapper.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/AccessDeniedExceptionMapper.java index 9c5ba4d..47b28d9 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/AccessDeniedExceptionMapper.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/config/AccessDeniedExceptionMapper.java @@ -55,7 +55,7 @@ public class AccessDeniedExceptionMapper implements ExceptionMapper<AccessDenied if (user == null) { identity = "<no user found>"; } else { - identity = user.getIdentity(); + identity = user.toString(); } logger.info(String.format("%s does not have permission to access the requested resource. %s Returning %s response.", identity, exception.getMessage(), status)); http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/dto/DtoFactory.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/dto/DtoFactory.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/dto/DtoFactory.java index 95b1ebc..4b59de9 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/dto/DtoFactory.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/dto/DtoFactory.java 
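Review bot: The access-denied log line now embeds `user.toString()` in a variable still named `identity`, so the logged content depends on a `toString()` implementation that is not visible in this diff. Anything that parses the message for the identity may see a different shape, presumably with group names included. If group names come from an external directory, they should be treated like the identity itself when written to logs. I would format the fields explicitly, for example `identity = user.getIdentity() + " groups=" + user.getGroups();`, or rename the variable and document the `toString()` format it relies on.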
@@ -38,9 +38,9 @@ import org.apache.nifi.annotation.behavior.Stateful; import org.apache.nifi.annotation.documentation.CapabilityDescription; import org.apache.nifi.annotation.documentation.DeprecationNotice; import org.apache.nifi.annotation.documentation.Tags; -import org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer; import org.apache.nifi.authorization.AccessPolicy; import org.apache.nifi.authorization.Authorizer; +import org.apache.nifi.authorization.AuthorizerCapabilityDetection; import org.apache.nifi.authorization.Group; import org.apache.nifi.authorization.RequestAction; import org.apache.nifi.authorization.Resource; @@ -220,7 +220,9 @@ public final class DtoFactory { // get the refresh interval final long refreshInterval = FormatUtils.getTimeDuration(autoRefreshInterval, TimeUnit.SECONDS); dto.setAutoRefreshIntervalSeconds(refreshInterval); - dto.setSupportsConfigurableAuthorizer(authorizer instanceof AbstractPolicyBasedAuthorizer); + dto.setSupportsManagedAuthorizer(AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)); + dto.setSupportsConfigurableUsersAndGroups(AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(authorizer)); + dto.setSupportsConfigurableAuthorizer(AuthorizerCapabilityDetection.isConfigurableAccessPolicyProvider(authorizer)); final Date now = new Date(); dto.setTimeOffset(TimeZone.getDefault().getOffset(now.getTime())); http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java index 1d48ee0..853ee41 100644 
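Review bot: `setSupportsConfigurableAuthorizer` keeps its name but changes meaning in the second hunk: it was true for any `AbstractPolicyBasedAuthorizer` and now reports only whether the access policy provider is configurable. A client that used this flag to decide whether users and groups are editable will now get the wrong answer whenever the two capabilities differ, and has to read the value set by `setSupportsConfigurableUsersAndGroups` instead. These values look like UI hints only, so the server-side guards in the resource and DAO classes remain the enforcement point. A comment above the three setters would make the split explicit, e.g. `// reported separately: managed authorizer, configurable users/groups, configurable policies (supportsConfigurableAuthorizer now covers policies only)`. The method continues outside the hunk.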
--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/AccessPolicyDAO.java @@ -23,7 +23,9 @@ import org.apache.nifi.web.api.dto.AccessPolicyDTO; public interface AccessPolicyDAO { - String MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER = "This NiFi is not configured to internally manage users, groups, and policies. Please contact your system administrator."; + String MSG_NON_MANAGED_AUTHORIZER = "This NiFi is not configured to internally manage users, groups, or policies. Please contact your system administrator."; + String MSG_NON_CONFIGURABLE_POLICIES = "This NiFi is not configured to allow configurable policies. Please contact your system administrator."; + String MSG_NON_CONFIGURABLE_USERS = "This NiFi is not configured to allow configurable users and groups. Please contact your system administrator."; /** * Whether or not NiFi supports a configurable authorizer. http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java index a47c051..9290470 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java 
+++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAO.java @@ -16,15 +16,21 @@ */ package org.apache.nifi.web.dao.impl; -import org.apache.nifi.authorization.AbstractPolicyBasedAuthorizer; import org.apache.nifi.authorization.AccessPolicy; +import org.apache.nifi.authorization.AccessPolicyProvider; +import org.apache.nifi.authorization.AccessPolicyProviderInitializationContext; import org.apache.nifi.authorization.Authorizer; +import org.apache.nifi.authorization.AuthorizerCapabilityDetection; import org.apache.nifi.authorization.AuthorizerConfigurationContext; -import org.apache.nifi.authorization.AuthorizerInitializationContext; import org.apache.nifi.authorization.Group; +import org.apache.nifi.authorization.ManagedAuthorizer; +import org.apache.nifi.authorization.ConfigurableAccessPolicyProvider; +import org.apache.nifi.authorization.ConfigurableUserGroupProvider; import org.apache.nifi.authorization.RequestAction; import org.apache.nifi.authorization.User; -import org.apache.nifi.authorization.UsersAndAccessPolicies; +import org.apache.nifi.authorization.UserAndGroups; +import org.apache.nifi.authorization.UserGroupProvider; +import org.apache.nifi.authorization.UserGroupProviderInitializationContext; import org.apache.nifi.authorization.exception.AuthorizationAccessException; import org.apache.nifi.authorization.exception.AuthorizerCreationException; import org.apache.nifi.authorization.exception.AuthorizerDestructionException; 
@@ -44,118 +50,101 @@ import java.util.stream.Collectors; public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGroupDAO, UserDAO { - private final AbstractPolicyBasedAuthorizer authorizer; - private final boolean supportsConfigurableAuthorizer; + private final AccessPolicyProvider accessPolicyProvider; + private final UserGroupProvider userGroupProvider; public StandardPolicyBasedAuthorizerDAO(final Authorizer authorizer) { - if (authorizer instanceof AbstractPolicyBasedAuthorizer) { - this.authorizer = (AbstractPolicyBasedAuthorizer) authorizer; - this.supportsConfigurableAuthorizer = true; + if (AuthorizerCapabilityDetection.isManagedAuthorizer(authorizer)) { + accessPolicyProvider = ((ManagedAuthorizer) authorizer).getAccessPolicyProvider(); } else { - this.authorizer = new AbstractPolicyBasedAuthorizer() { + accessPolicyProvider = new AccessPolicyProvider() { @Override - public Group doAddGroup(final Group group) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); } @Override - public Group getGroup(final String identifier) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); } @Override - public Group doUpdateGroup(final Group group) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); } @Override - public Group deleteGroup(final Group group) throws 
AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + public UserGroupProvider getUserGroupProvider() { + return new UserGroupProvider() { + @Override + public Set<User> getUsers() throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); + } - @Override - public Set<Group> getGroups() throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public User getUser(String identifier) throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); + } - @Override - public User doAddUser(final User user) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public User getUserByIdentity(String identity) throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); + } - @Override - public User getUser(final String identifier) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public Set<Group> getGroups() throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); + } - @Override - public User getUserByIdentity(final String identity) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public Group getGroup(String identifier) throws AuthorizationAccessException { + throw new IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); + } - @Override - public User doUpdateUser(final User user) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException { + throw new 
IllegalStateException(MSG_NON_MANAGED_AUTHORIZER); + } - @Override - public User deleteUser(final User user) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public void initialize(UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException { - @Override - public Set<User> getUsers() throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + } - @Override - public AccessPolicy doAddAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException { - @Override - public AccessPolicy getAccessPolicy(final String identifier) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + } - @Override - public AccessPolicy updateAccessPolicy(final AccessPolicy accessPolicy) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + @Override + public void preDestruction() throws AuthorizerDestructionException { - @Override - public AccessPolicy deleteAccessPolicy(final AccessPolicy policy) throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); + } + }; } @Override - public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException { - throw new IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); - } + public void initialize(AccessPolicyProviderInitializationContext initializationContext) throws AuthorizerCreationException { - @Override - public UsersAndAccessPolicies getUsersAndAccessPolicies() throws AuthorizationAccessException { - throw new 
IllegalStateException(MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER); } @Override - public void initialize(final AuthorizerInitializationContext initializationContext) throws AuthorizerCreationException { - } + public void onConfigured(AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException { - @Override - public void doOnConfigured(final AuthorizerConfigurationContext configurationContext) throws AuthorizerCreationException { } @Override public void preDestruction() throws AuthorizerDestructionException { + } }; - this.supportsConfigurableAuthorizer = false; } + + userGroupProvider = accessPolicyProvider.getUserGroupProvider(); } private AccessPolicy findAccessPolicy(final RequestAction requestAction, final String resource) { - return authorizer.getAccessPolicies().stream() + return accessPolicyProvider.getAccessPolicies().stream() .filter(policy -> policy.getAction().equals(requestAction) && policy.getResource().equals(resource)) .findFirst() .orElse(null); 
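Review bot: The constructor uses the results of `((ManagedAuthorizer) authorizer).getAccessPolicyProvider()` and `accessPolicyProvider.getUserGroupProvider()` without checking either for null. Whether a managed authorizer may return null from them is not visible here. If one can, the failure is a NullPointerException at construction or on the first read such as `hasUser`, rather than one of the `MSG_NON_*` messages. Since authorizers are pluggable, I would fail fast with a clear message: `userGroupProvider = java.util.Objects.requireNonNull(accessPolicyProvider.getUserGroupProvider(), "access policy provider returned no user group provider");`, with the same guard on the access policy provider. The empty `initialize`/`onConfigured`/`preDestruction` bodies in the two placeholder providers would also read better with a `// no-op: placeholder provider has no lifecycle` comment.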
@@ -163,23 +152,28 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr @Override public boolean supportsConfigurableAuthorizer() { - return supportsConfigurableAuthorizer; + return accessPolicyProvider instanceof ConfigurableAccessPolicyProvider; } @Override public boolean hasAccessPolicy(final String accessPolicyId) { - return authorizer.getAccessPolicy(accessPolicyId) != null; + return accessPolicyProvider.getAccessPolicy(accessPolicyId) != null; } @Override public AccessPolicy createAccessPolicy(final AccessPolicyDTO accessPolicyDTO) { - return authorizer.addAccessPolicy(buildAccessPolicy(accessPolicyDTO.getId(), - accessPolicyDTO.getResource(), RequestAction.valueOfValue(accessPolicyDTO.getAction()), accessPolicyDTO)); + if (supportsConfigurableAuthorizer()) { + final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider; + return configurableAccessPolicyProvider.addAccessPolicy(buildAccessPolicy(accessPolicyDTO.getId(), + accessPolicyDTO.getResource(), RequestAction.valueOfValue(accessPolicyDTO.getAction()), accessPolicyDTO)); + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_POLICIES); + } } @Override public AccessPolicy getAccessPolicy(final String accessPolicyId) { - final AccessPolicy accessPolicy = authorizer.getAccessPolicy(accessPolicyId); + final AccessPolicy accessPolicy = accessPolicyProvider.getAccessPolicy(accessPolicyId); if (accessPolicy == null) { throw new ResourceNotFoundException(String.format("Unable to find access policy with id '%s'.", accessPolicyId)); } 
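Review bot: `supportsConfigurableAuthorizer()` decides configurability with a direct `instanceof ConfigurableAccessPolicyProvider`, while the resource layer in this commit asks `AuthorizerCapabilityDetection` the same question. The user and group methods in the later hunks (`createUserGroup`, `updateUserGroup`, `deleteUserGroup`, `createUser`, `updateUser`, `deleteUser`) each repeat `userGroupProvider instanceof ConfigurableUserGroupProvider` inline. If the detection helper ever does more than an `instanceof`, the REST guard and the DAO guard would disagree about the same authorizer. I would centralise the DAO side in one place, e.g. `private boolean supportsConfigurableUserGroups() { return userGroupProvider instanceof ConfigurableUserGroupProvider; }`, and note in its Javadoc that it must stay consistent with `AuthorizerCapabilityDetection`.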
@@ -210,14 +204,25 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr @Override public AccessPolicy updateAccessPolicy(final AccessPolicyDTO accessPolicyDTO) { - final AccessPolicy currentAccessPolicy = getAccessPolicy(accessPolicyDTO.getId()); - return authorizer.updateAccessPolicy(buildAccessPolicy(currentAccessPolicy.getIdentifier(), - currentAccessPolicy.getResource(), currentAccessPolicy.getAction(), accessPolicyDTO)); + if (supportsConfigurableAuthorizer()) { + final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider; + + final AccessPolicy currentAccessPolicy = getAccessPolicy(accessPolicyDTO.getId()); + return configurableAccessPolicyProvider.updateAccessPolicy(buildAccessPolicy(currentAccessPolicy.getIdentifier(), + currentAccessPolicy.getResource(), currentAccessPolicy.getAction(), accessPolicyDTO)); + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_POLICIES); + } } @Override public AccessPolicy deleteAccessPolicy(final String accessPolicyId) { - return authorizer.deleteAccessPolicy(getAccessPolicy(accessPolicyId)); + if (supportsConfigurableAuthorizer()) { + final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider; + return configurableAccessPolicyProvider.deleteAccessPolicy(getAccessPolicy(accessPolicyId)); + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_POLICIES); + } } private AccessPolicy buildAccessPolicy(final String identifier, final String resource, final RequestAction action, final AccessPolicyDTO accessPolicyDTO) { 
@@ -238,17 +243,22 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr @Override public boolean hasUserGroup(final String userGroupId) { - return authorizer.getGroup(userGroupId) != null; + return userGroupProvider.getGroup(userGroupId) != null; } @Override public Group createUserGroup(final UserGroupDTO userGroupDTO) { - return authorizer.addGroup(buildUserGroup(userGroupDTO.getId(), userGroupDTO)); + if (userGroupProvider instanceof ConfigurableUserGroupProvider) { + final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; + return configurableUserGroupProvider.addGroup(buildUserGroup(userGroupDTO.getId(), userGroupDTO)); + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); + } } @Override public Group getUserGroup(final String userGroupId) { - final Group userGroup = authorizer.getGroup(userGroupId); + final Group userGroup = userGroupProvider.getGroup(userGroupId); if (userGroup == null) { throw new ResourceNotFoundException(String.format("Unable to find user group with id '%s'.", userGroupId)); } @@ -257,14 +267,14 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr @Override public Set<Group> getUserGroupsForUser(String userId) { - return authorizer.getGroups().stream() + return userGroupProvider.getGroups().stream() .filter(g -> g.getUsers().contains(userId)) .collect(Collectors.toSet()); } @Override public Set<AccessPolicy> getAccessPoliciesForUser(String userId) { - return authorizer.getAccessPolicies().stream() + return accessPolicyProvider.getAccessPolicies().stream() .filter(p -> { // policy contains the user if (p.getUsers().contains(userId)) { 
@@ -272,14 +282,14 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr } // policy contains a group with the user - return !p.getGroups().stream().filter(g -> authorizer.getGroup(g).getUsers().contains(userId)).collect(Collectors.toSet()).isEmpty(); + return !p.getGroups().stream().filter(g -> userGroupProvider.getGroup(g).getUsers().contains(userId)).collect(Collectors.toSet()).isEmpty(); }) .collect(Collectors.toSet()); } @Override public Set<AccessPolicy> getAccessPoliciesForUserGroup(String userGroupId) { - return authorizer.getAccessPolicies().stream() + return accessPolicyProvider.getAccessPolicies().stream() .filter(p -> { // policy contains the user group return p.getGroups().contains(userGroupId); 
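Review bot: In `getAccessPoliciesForUser`, `userGroupProvider.getGroup(g).getUsers()` dereferences the lookup result without a null check, although `getUserGroup` in this same file treats a null return from that call as "not found". Now that policies and groups can come from separate providers, a policy may name a group identifier the user group provider does not hold, and this filter would then throw a NullPointerException instead of returning the user's policies. `return p.getGroups().stream().map(userGroupProvider::getGroup).anyMatch(g -> g != null && g.getUsers().contains(userId));` tolerates the missing group and also drops the intermediate set. The method starts in the previous hunk.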
@@ -289,17 +299,46 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr @Override public Set<Group> getUserGroups() { - return authorizer.getGroups(); + return userGroupProvider.getGroups(); } @Override public Group updateUserGroup(final UserGroupDTO userGroupDTO) { - return authorizer.updateGroup(buildUserGroup(getUserGroup(userGroupDTO.getId()).getIdentifier(), userGroupDTO)); + if (userGroupProvider instanceof ConfigurableUserGroupProvider) { + final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; + return configurableUserGroupProvider.updateGroup(buildUserGroup(getUserGroup(userGroupDTO.getId()).getIdentifier(), userGroupDTO)); + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); + } } @Override public Group deleteUserGroup(final String userGroupId) { - return authorizer.deleteGroup(getUserGroup(userGroupId)); + if (userGroupProvider instanceof ConfigurableUserGroupProvider) { + final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; + + final Group group = getUserGroup(userGroupId); + final Group removedGroup = configurableUserGroupProvider.deleteGroup(group); + + // ensure the user was removed + if (removedGroup == null) { + throw new ResourceNotFoundException(String.format("Unable to find user group with id '%s'.", removedGroup)); + } + + // remove any references to the user group being deleted from policies if possible + if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) { + for (AccessPolicy policy : accessPolicyProvider.getAccessPolicies()) { + if (policy.getGroups().contains(removedGroup.getIdentifier())) { + final AccessPolicy.Builder builder = new AccessPolicy.Builder(policy).removeGroup(removedGroup.getIdentifier()); + ((ConfigurableAccessPolicyProvider) accessPolicyProvider).updateAccessPolicy(builder.build()); + } + } + } + + return removedGroup; + } 
else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); + } } private Group buildUserGroup(final String identifier, final UserGroupDTO userGroupDTO) { @@ -313,17 +352,22 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr @Override public boolean hasUser(final String userId) { - return authorizer.getUser(userId) != null; + return userGroupProvider.getUser(userId) != null; } @Override public User createUser(final UserDTO userDTO) { - return authorizer.addUser(buildUser(userDTO.getId(), userDTO)); + if (userGroupProvider instanceof ConfigurableUserGroupProvider) { + final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; + return configurableUserGroupProvider.addUser(buildUser(userDTO.getId(), userDTO)); + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); + } } @Override public User getUser(final String userId) { - final User user = authorizer.getUser(userId); + final User user = userGroupProvider.getUser(userId); if (user == null) { throw new ResourceNotFoundException(String.format("Unable to find user with id '%s'.", userId)); } 
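Review bot: The not-found branch in `deleteUserGroup` formats `removedGroup`, which is null on exactly that branch, so the message reports id 'null'. It should be `String.format("Unable to find user group with id '%s'.", userGroupId)`, and the comment above it should say "group" rather than "user". Separately, the policy cleanup that follows (and the matching loop in `deleteUser` in the `@@ -332` hunk) runs after the tenant has already been deleted and updates policies one at a time. An exception from `updateAccessPolicy` part-way through therefore leaves the deleted identifier in the remaining policies, and nothing is cleaned up at all when the policy provider is not configurable. If an identifier can later be reused, a stale entry would carry the old grants over to the new tenant. I would at least catch and log which policies could not be updated, and state the non-configurable case in a comment.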
@@ -332,18 +376,46 @@ public class StandardPolicyBasedAuthorizerDAO implements AccessPolicyDAO, UserGr @Override public Set<User> getUsers() { - return authorizer.getUsers(); + return userGroupProvider.getUsers(); } @Override public User updateUser(final UserDTO userDTO) { - return authorizer.updateUser(buildUser(getUser(userDTO.getId()).getIdentifier(), userDTO)); + if (userGroupProvider instanceof ConfigurableUserGroupProvider) { + final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; + return configurableUserGroupProvider.updateUser(buildUser(getUser(userDTO.getId()).getIdentifier(), userDTO)); + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); + } } @Override public User deleteUser(final String userId) { - final User user = getUser(userId); - return authorizer.deleteUser(user); + if (userGroupProvider instanceof ConfigurableUserGroupProvider) { + final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; + + final User user = getUser(userId); + final User removedUser = configurableUserGroupProvider.deleteUser(user); + + // ensure the user was removed + if (removedUser == null) { + throw new ResourceNotFoundException(String.format("Unable to find user with id '%s'.", userId)); + } + + // remove any references to the user being deleted from policies if possible + if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) { + for (AccessPolicy policy : accessPolicyProvider.getAccessPolicies()) { + if (policy.getUsers().contains(removedUser.getIdentifier())) { + final AccessPolicy.Builder builder = new AccessPolicy.Builder(policy).removeUser(removedUser.getIdentifier()); + ((ConfigurableAccessPolicyProvider) accessPolicyProvider).updateAccessPolicy(builder.build()); + } + } + } + + return removedUser; + } else { + throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); + } } private User buildUser(final 
String identifier, final UserDTO userDTO) { http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/StandardNiFiServiceFacadeSpec.groovy ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/StandardNiFiServiceFacadeSpec.groovy b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/StandardNiFiServiceFacadeSpec.groovy index 29ab83a..a830a87 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/StandardNiFiServiceFacadeSpec.groovy +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/StandardNiFiServiceFacadeSpec.groovy 
@@ -16,35 +16,51 @@ */ package org.apache.nifi.web -import org.apache.nifi.authorization.* +import org.apache.nifi.authorization.AccessDeniedException +import org.apache.nifi.authorization.AccessPolicy +import org.apache.nifi.authorization.AuthorizableLookup +import org.apache.nifi.authorization.AuthorizationResult +import org.apache.nifi.authorization.Authorizer +import org.apache.nifi.authorization.Group +import org.apache.nifi.authorization.RequestAction +import org.apache.nifi.authorization.Resource +import org.apache.nifi.authorization.User import org.apache.nifi.authorization.resource.Authorizable import org.apache.nifi.authorization.resource.ResourceFactory import org.apache.nifi.authorization.user.NiFiUser -import org.apache.nifi.authorization.user.StandardNiFiUser import org.apache.nifi.authorization.user.NiFiUserDetails +import org.apache.nifi.authorization.user.StandardNiFiUser import org.apache.nifi.controller.service.ControllerServiceProvider import org.apache.nifi.reporting.Bulletin import org.apache.nifi.reporting.BulletinRepository -import org.apache.nifi.reporting.ComponentType -import org.apache.nifi.web.api.dto.* +import org.apache.nifi.web.api.dto.AccessPolicyDTO +import org.apache.nifi.web.api.dto.BulletinDTO +import org.apache.nifi.web.api.dto.DtoFactory +import org.apache.nifi.web.api.dto.EntityFactory +import org.apache.nifi.web.api.dto.RevisionDTO +import org.apache.nifi.web.api.dto.UserDTO +import org.apache.nifi.web.api.dto.UserGroupDTO import org.apache.nifi.web.api.entity.BulletinEntity import org.apache.nifi.web.api.entity.UserEntity import org.apache.nifi.web.controller.ControllerFacade import org.apache.nifi.web.dao.AccessPolicyDAO import org.apache.nifi.web.dao.UserDAO import org.apache.nifi.web.dao.UserGroupDAO -import org.apache.nifi.web.revision.* +import org.apache.nifi.web.revision.DeleteRevisionTask +import org.apache.nifi.web.revision.ReadOnlyRevisionCallback +import org.apache.nifi.web.revision.RevisionClaim +import 
org.apache.nifi.web.revision.RevisionManager +import org.apache.nifi.web.revision.UpdateRevisionTask import org.apache.nifi.web.security.token.NiFiAuthenticationToken import org.springframework.security.core.context.SecurityContextHolder import spock.lang.Ignore import spock.lang.Specification import spock.lang.Unroll - class StandardNiFiServiceFacadeSpec extends Specification { def setup() { - final NiFiUser user = new StandardNiFiUser("nifi-user"); + final NiFiUser user = new StandardNiFiUser.Builder().identity("nifi-user").build(); final NiFiAuthenticationToken auth = new NiFiAuthenticationToken(new NiFiUserDetails(user)); SecurityContextHolder.getContext().setAuthentication(auth); } http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAOSpec.groovy ---------------------------------------------------------------------- diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAOSpec.groovy b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAOSpec.groovy index 340f6f9..5a4cc3b 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAOSpec.groovy +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/groovy/org/apache/nifi/web/dao/impl/StandardPolicyBasedAuthorizerDAOSpec.groovy 
@@ -27,6 +27,14 @@ import spock.lang.Unroll class StandardPolicyBasedAuthorizerDAOSpec extends Specification { + private AbstractPolicyBasedAuthorizer mockAuthorizer() { + def authorizer = Mock AbstractPolicyBasedAuthorizer + authorizer.getAccessPolicyProvider() >> { + callRealMethod(); + } + return authorizer; + } + @Unroll def "test non-policy-based authorizer #method throws IllegalStateException"() { when: 
@@ -34,31 +42,57 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { then: def e = thrown(IllegalStateException) - assert e.message.equalsIgnoreCase(StandardPolicyBasedAuthorizerDAO.MSG_NON_ABSTRACT_POLICY_BASED_AUTHORIZER) + assert e.message.equalsIgnoreCase(StandardPolicyBasedAuthorizerDAO.MSG_NON_MANAGED_AUTHORIZER) where: method | daoMethod - 'createAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).createAccessPolicy(new AccessPolicyDTO(id: '1', resource: '/1', action: "read")) } - 'createUser' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).createUser(new UserDTO(id: '1', identity: 'a')) } - 'createUserGroup' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).createUserGroup(new UserGroupDTO(id: '1', identity: 'a')) } - 'deleteAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).deleteAccessPolicy('1') } - 'deleteUser' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).deleteUser('1') } - 'deleteUserGroup' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).deleteUserGroup('1') } 'getAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).getAccessPolicy('1') } 'getUser' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).getUser('1') } 'getUserGroup' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).getUserGroup('1') } 'hasAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).hasAccessPolicy('1') } 'hasUser' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).hasUser('1') } 'hasUserGroup' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).hasUserGroup('1') } - 'updateAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).updateAccessPolicy(new AccessPolicyDTO(id: '1', resource: '/1', action: "read")) } + } + + @Unroll + def "test non-configurable user group provider #method throws IllegalStateException"() { + when: + daoMethod() + + then: + def e = thrown(IllegalStateException) + 
assert e.message.equalsIgnoreCase(StandardPolicyBasedAuthorizerDAO.MSG_NON_CONFIGURABLE_USERS) + + where: + method | daoMethod + 'createUser' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).createUser(new UserDTO(id: '1', identity: 'a')) } + 'createUserGroup' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).createUserGroup(new UserGroupDTO(id: '1', identity: 'a')) } + 'deleteUser' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).deleteUser('1') } + 'deleteUserGroup' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).deleteUserGroup('1') } 'updateUser' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).updateUser(new UserDTO(id: '1', identity: 'a')) } 'updateUserGroup' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).updateUserGroup(new UserGroupDTO(id: '1', identity: 'a')) } } @Unroll + def "test non-configurable access policy provider #method throws IllegalStateException"() { + when: + daoMethod() + + then: + def e = thrown(IllegalStateException) + assert e.message.equalsIgnoreCase(StandardPolicyBasedAuthorizerDAO.MSG_NON_CONFIGURABLE_POLICIES) + + where: + method | daoMethod + 'createAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).createAccessPolicy(new AccessPolicyDTO(id: '1', resource: '/1', action: "read")) } + 'deleteAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).deleteAccessPolicy('1') } + 'updateAccessPolicy' | { new StandardPolicyBasedAuthorizerDAO(Mock(Authorizer)).updateAccessPolicy(new AccessPolicyDTO(id: '1', resource: '/1', action: "read")) } + } + + @Unroll def "HasAccessPolicy: accessPolicy: #accessPolicy"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: 
@@ -79,7 +113,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "CreateAccessPolicy: accessPolicy=#accessPolicy"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new AccessPolicyDTO(id: 'policy-id-1', resource: '/fake/resource', action: "read", users: [new TenantEntity(id: 'user-id-1')] as Set, @@ -92,7 +126,6 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { noExceptionThrown() then: - 1 * authorizer.getAccessPolicies() >> accessPolicies 1 * authorizer.doAddAccessPolicy(accessPolicy) >> accessPolicy 0 * _ result?.equals accessPolicy @@ -106,7 +139,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetAccessPolicy: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -126,7 +159,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetAccessPolicy: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -141,7 +174,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "UpdateAccessPolicy: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new AccessPolicyDTO(id: 'policy-id-1', resource: '/fake/resource', action: "read", users: [new TenantEntity(id: 'user-id-1')] as Set, 
@@ -165,7 +198,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "UpdateAccessPolicy: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new AccessPolicyDTO(id: 'policy-id-1', resource: '/fake/resource', action: "read", users: [new TenantEntity(id: 'user-id-1')] as Set, @@ -183,7 +216,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "DeleteAccessPolicy: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -204,7 +237,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "DeleteAccessPolicy: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -219,7 +252,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "HasUserGroup: userGroup=#userGroup"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -239,7 +272,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "CreateUserGroup: userGroup=#userGroup"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new UserGroupDTO(id: 'user-group-id-1', identity: 'user group identity', users: [new TenantEntity(id: 'user-id-1')] as Set) 
@@ -250,8 +283,6 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { noExceptionThrown() then: - 1 * authorizer.getUsers() >> users - 1 * authorizer.getGroups() >> groups 1 * authorizer.doAddGroup(userGroup) >> userGroup 0 * _ result?.equals userGroup @@ -265,7 +296,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetUserGroup: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -284,7 +315,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetUserGroup: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -299,7 +330,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetUserGroups: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -318,7 +349,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "UpdateUserGroup: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new UserGroupDTO(id: 'user-group-id-1', identity: 'user group identity', users: [new TenantEntity(id: 'user-id-1')] as Set) @@ -327,8 +358,6 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { then: 1 * authorizer.getGroup(requestDTO.id) >> userGroup - 1 * authorizer.getUsers() >> users - 1 * authorizer.getGroups() >> groups 1 * authorizer.doUpdateGroup(userGroup) >> userGroup 0 * _ result?.equals(userGroup) 
@@ -342,7 +371,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "UpdateUserGroup: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new UserGroupDTO(id: 'user-group-id-1', identity: 'user group identity', users: [new TenantEntity(id: 'user-id-1')] as Set) @@ -358,7 +387,10 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "DeleteUserGroup: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() + authorizer.getAccessPolicyProvider().getAccessPolicies() >> { + callRealMethod(); + } def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -367,6 +399,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { then: 1 * authorizer.getGroup('user-group-id-1') >> userGroup 1 * authorizer.deleteGroup(userGroup) >> userGroup + 1 * authorizer.getAccessPolicies() >> [] 0 * _ assert result?.equals(userGroup) @@ -378,7 +411,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "DeleteUserGroup: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -393,7 +426,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "HasUser: user=#user"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: 
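Review bot: The `given:` stub added to "DeleteUserGroup: success", `authorizer.getAccessPolicyProvider().getAccessPolicies() >> { callRealMethod(); }`, targets the object returned by a call on the mock rather than the mock itself, while the `then:` block of the same feature separately pins `1 * authorizer.getAccessPolicies() >> []`. "DeleteUser: success" gains the same `then:` interaction without any such stub, so either the stub is unnecessary here or the wiring belongs in `mockAuthorizer()`, whose body is outside this hunk. If it has to stay, drop the trailing semicolon and state the reason, e.g. `// forward the provider's getAccessPolicies() to the authorizer so the interaction in then: is counted` (wording to be confirmed against `mockAuthorizer()`); otherwise remove the three lines.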
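Review bot: The added `1 * authorizer.getAccessPolicies() >> []` in the `then:` block of "DeleteUserGroup: success" only covers deleting a group that no policy references; the same line is added to "DeleteUser: success". What the DAO does with the returned policies is not visible in these hunks, but if it uses them to strip the deleted tenant from existing policies, returning an empty list means that cleanup never runs under test. A stale user or group id left behind in a policy is the regression worth catching. A second case that returns one policy containing `'user-group-id-1'` (and `'user-id-1'` in the user test), with an assertion on the resulting policy update, would pin it.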
@@ -412,7 +445,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "CreateUser: user=#user"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new UserDTO(id: 'user-id-1', identity: 'user identity', userGroups: [new TenantEntity(id: 'user-group-id-1')] as Set) @@ -423,8 +456,6 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { noExceptionThrown() then: - 1 * authorizer.getUsers() >> users - 1 * authorizer.getGroups() >> groups 1 * authorizer.doAddUser(user) >> user 0 * _ result?.equals user @@ -438,7 +469,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetUser: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -457,7 +488,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetUser: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -472,7 +503,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "GetUsers: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -491,7 +522,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "UpdateUser: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new UserDTO(id: 'user-id-1', identity: 'user identity', userGroups: [new TenantEntity(id: 'user-group-id-1')] as Set) 
@@ -500,8 +531,6 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { then: 1 * authorizer.getUser(requestDTO.id) >> user - 1 * authorizer.getUsers() >> users - 1 * authorizer.getGroups() >> groups 1 * authorizer.doUpdateUser(user) >> user 0 * _ result?.equals(user) @@ -515,7 +544,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "UpdateUser: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) def requestDTO = new UserDTO(id: 'user-id-1', identity: 'user identity', userGroups: [new TenantEntity(id: 'user-group-id-1')] as Set) @@ -531,7 +560,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "DeleteUser: success"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: @@ -540,6 +569,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { then: 1 * authorizer.getUser('user-id-1') >> user 1 * authorizer.deleteUser(user) >> user + 1 * authorizer.getAccessPolicies() >> [] 0 * _ result?.equals(user) @@ -551,7 +581,7 @@ class StandardPolicyBasedAuthorizerDAOSpec extends Specification { @Unroll def "DeleteUser: failure"() { given: - def authorizer = Mock AbstractPolicyBasedAuthorizer + def authorizer = mockAuthorizer() def dao = new StandardPolicyBasedAuthorizerDAO(authorizer) when: http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/audit/TestRemoteProcessGroupAuditor.java ---------------------------------------------------------------------- 
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/audit/TestRemoteProcessGroupAuditor.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/audit/TestRemoteProcessGroupAuditor.java index ea7fa7d..68be1cd 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/audit/TestRemoteProcessGroupAuditor.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/audit/TestRemoteProcessGroupAuditor.java @@ -25,7 +25,7 @@ import org.apache.nifi.action.details.ConfigureDetails; import org.apache.nifi.admin.service.AuditService; import org.apache.nifi.authorization.user.NiFiUser; import org.apache.nifi.authorization.user.NiFiUserDetails; -import org.apache.nifi.authorization.user.StandardNiFiUser; +import org.apache.nifi.authorization.user.StandardNiFiUser.Builder; import org.apache.nifi.groups.RemoteProcessGroup; import org.apache.nifi.remote.RemoteGroupPort; import org.apache.nifi.remote.protocol.SiteToSiteTransportProtocol; @@ -62,7 +62,7 @@ public class TestRemoteProcessGroupAuditor { final SecurityContext securityContext = SecurityContextHolder.getContext(); final Authentication authentication = mock(Authentication.class); securityContext.setAuthentication(authentication); - final NiFiUser user = new StandardNiFiUser("user-id"); + final NiFiUser user = new Builder().identity("user-id").build(); final NiFiUserDetails userDetail = new NiFiUserDetails(user); when(authentication.getPrincipal()).thenReturn(userDetail); http://git-wip-us.apache.org/repos/asf/nifi/blob/4ed7511b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/web/StandardNiFiServiceFacadeTest.java ---------------------------------------------------------------------- 
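Review bot: Importing the nested class as `import org.apache.nifi.authorization.user.StandardNiFiUser.Builder;` leaves `new Builder().identity("user-id").build()` at the call site with nothing to say what is being built, and `Builder` is a simple name that many classes share. Keeping `import org.apache.nifi.authorization.user.StandardNiFiUser;` and writing `new StandardNiFiUser.Builder().identity("user-id").build()` reads unambiguously and avoids a clash if another builder is imported into the test later. The same import and bare `new Builder()` recur in the StandardNiFiServiceFacadeTest hunks that follow.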
diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/web/StandardNiFiServiceFacadeTest.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/web/StandardNiFiServiceFacadeTest.java index 9933d4b..05e4451 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/web/StandardNiFiServiceFacadeTest.java +++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/web/StandardNiFiServiceFacadeTest.java @@ -31,7 +31,7 @@ import org.apache.nifi.authorization.resource.Authorizable; import org.apache.nifi.authorization.resource.ResourceFactory; import org.apache.nifi.authorization.resource.ResourceType; import org.apache.nifi.authorization.user.NiFiUserDetails; -import org.apache.nifi.authorization.user.StandardNiFiUser; +import org.apache.nifi.authorization.user.StandardNiFiUser.Builder; import org.apache.nifi.controller.FlowController; import org.apache.nifi.history.History; import org.apache.nifi.history.HistoryQuery; @@ -190,7 +190,7 @@ public class StandardNiFiServiceFacadeTest { @Test public void testGetActionApprovedThroughAction() throws Exception { // set the user - final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new StandardNiFiUser(USER_1))); + final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new Builder().identity(USER_1).build())); SecurityContextHolder.getContext().setAuthentication(authentication); // get the action 
@@ -218,7 +218,7 @@ public class StandardNiFiServiceFacadeTest { @Test(expected = AccessDeniedException.class) public void testGetActionDeniedDespiteControllerAccess() throws Exception { // set the user - final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new StandardNiFiUser(USER_2))); + final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new Builder().identity(USER_2).build())); SecurityContextHolder.getContext().setAuthentication(authentication); try { @@ -245,7 +245,7 @@ public class StandardNiFiServiceFacadeTest { @Test public void testGetActionApprovedThroughController() throws Exception { // set the user - final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new StandardNiFiUser(USER_2))); + final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new Builder().identity(USER_2).build())); SecurityContextHolder.getContext().setAuthentication(authentication); // get the action @@ -273,7 +273,7 @@ public class StandardNiFiServiceFacadeTest { @Test public void testGetActionsForUser1() throws Exception { // set the user - final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new StandardNiFiUser(USER_1))); + final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new Builder().identity(USER_1).build())); SecurityContextHolder.getContext().setAuthentication(authentication); final HistoryDTO dto = serviceFacade.getActions(new HistoryQueryDTO()); 
@@ -292,7 +292,7 @@ public class StandardNiFiServiceFacadeTest { @Test public void testGetActionsForUser2() throws Exception { // set the user - final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new StandardNiFiUser(USER_2))); + final Authentication authentication = new NiFiAuthenticationToken(new NiFiUserDetails(new Builder().identity(USER_2).build())); SecurityContextHolder.getContext().setAuthentication(authentication); final HistoryDTO dto = serviceFacade.getActions(new HistoryQueryDTO());
