[WFLY-490] Add access-control for resources to read-resource-description
kabir authored and bstansberry committed Aug 7, 2013
1 parent fb84038 commit 4b85b75
Showing 16 changed files with 1,764 additions and 80 deletions.
Expand Up @@ -26,6 +26,7 @@
import java.util.Set;

import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.AuthorizationResponse;
import org.jboss.as.controller.access.AuthorizationResult;
import org.jboss.as.controller.client.MessageSeverity;
import org.jboss.as.controller.registry.ImmutableManagementResourceRegistration;
Expand Down Expand Up @@ -666,10 +667,16 @@ public interface OperationContext extends ExpressionResolver {

AuthorizationResult authorize(ModelNode operation, Set<Action.ActionEffect> effects);

AuthorizationResponse authorizeResource(boolean attributes);

//TODO javadoc attributes
AuthorizationResult authorize(ModelNode operation, String attribute, ModelNode currentValue);

AuthorizationResult authorize(ModelNode operation, String attribute, ModelNode currentValue, Set<Action.ActionEffect> effects);

//TODO javadoc operations
AuthorizationResult authorizeOperation(ModelNode operation, boolean access);

/**
* The stage at which a step should apply.
*/
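Review bot: Neither of the two methods that appear to be new here is documented: `authorizeResource(boolean attributes)` has no comment at all and `authorizeOperation(ModelNode operation, boolean access)` sits under a bare `//TODO javadoc operations` marker, so nothing states what the boolean flags select. For an authorization API this matters, because a caller who guesses the meaning of `access` or `attributes` wrong may end up relying on a different check than the one intended. I would replace the TODO markers with Javadoc that says what `true` and `false` mean for each flag, which resource the check applies to, and whether the return value can be null. If each flag chooses between two kinds of check, an enum parameter or two named methods would be harder to misuse than a bare boolean. The interface body starts and continues outside this hunk.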

Large diffs are not rendered by default.

Expand Up @@ -29,6 +29,7 @@
import java.util.Set;

import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.AuthorizationResponse;
import org.jboss.as.controller.access.AuthorizationResult;
import org.jboss.as.controller.client.MessageSeverity;
import org.jboss.as.controller.persistence.ConfigurationPersistenceException;
Expand Down Expand Up @@ -377,4 +378,13 @@ public AuthorizationResult authorize(ModelNode operation, String attribute, Mode
return primaryContext.authorize(operation, attribute, currentValue, effects);
}

@Override
public AuthorizationResult authorizeOperation(ModelNode operation, boolean access) {
return primaryContext.authorizeOperation(operation, access);
}

@Override
public AuthorizationResponse authorizeResource(boolean attributes) {
return primaryContext.authorizeResource(attributes);
}
}
Expand Up @@ -22,7 +22,13 @@

package org.jboss.as.controller;

import static org.jboss.as.controller.ControllerMessages.MESSAGES;

import java.io.InputStream;
import java.util.Set;

import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.AuthorizationResponse;
import org.jboss.as.controller.access.AuthorizationResult;
import org.jboss.as.controller.client.MessageSeverity;
import org.jboss.as.controller.persistence.ConfigurationPersistenceException;
Expand All @@ -36,11 +42,6 @@
import org.jboss.msc.service.ServiceRegistry;
import org.jboss.msc.service.ServiceTarget;

import java.io.InputStream;
import java.util.Set;

import static org.jboss.as.controller.ControllerMessages.MESSAGES;

/**
* A read-only {@linkplain OperationContext}, allowing read-only access to the current write model from a different
* operation, preventing any writes from this context. Operations can acquire a controller lock to prevent other
Expand Down Expand Up @@ -307,4 +308,13 @@ IllegalStateException readOnlyContext() {
return ControllerMessages.MESSAGES.readOnlyContext();
}

@Override
public AuthorizationResult authorizeOperation(ModelNode operation, boolean access) {
return primaryContext.authorizeOperation(operation, access);
}

@Override
public AuthorizationResponse authorizeResource(boolean attributes) {
return primaryContext.authorizeResource(attributes);
}
}
@@ -0,0 +1,29 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2012, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.as.controller.access;


public interface AuthorizationResponse {
AuthorizationResult getResourceResult(Action.ActionEffect actionEffect);
AuthorizationResult getAttributeResult(String attribute, Action.ActionEffect actionEffect);
AuthorizationResult getOperationResult(String operationName, boolean access);
}
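Review bot: `AuthorizationResponse` is added as a public interface in the access-control package with no Javadoc on the type or on any of its three methods. The part of the contract callers need is missing: what `getAttributeResult` and `getOperationResult` return for a name that was never evaluated (null, or a deny result), and what the `access` flag on `getOperationResult` selects. I would add a type-level comment such as `/** Results of the authorization checks made for a resource, its attributes and its operations. */` plus `@param`/`@return` text on each method that states the behaviour for unknown names. A documented fail-closed result for those cases would be safer for callers than an undocumented null.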
Expand Up @@ -23,9 +23,9 @@
package org.jboss.as.controller.access.constraint;

import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.rbac.StandardRole;
import org.jboss.as.controller.access.TargetAttribute;
import org.jboss.as.controller.access.TargetResource;
import org.jboss.as.controller.access.rbac.StandardRole;

/**
* {@link Constraint} related to whether a resource, attribute or operation is
Expand Up @@ -23,9 +23,9 @@
package org.jboss.as.controller.access.constraint;

import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.rbac.StandardRole;
import org.jboss.as.controller.access.TargetAttribute;
import org.jboss.as.controller.access.TargetResource;
import org.jboss.as.controller.access.rbac.StandardRole;

/**
* A factory for constraints.
Expand Up @@ -34,6 +34,7 @@ public class ModelDescriptionConstants {

public static final String ACCESS_CONSTRAINT = "access-constraint";
public static final String ACCESS_CONSTRAINTS = "access-constraints";
public static final String ACCESS_CONTROL = "access-control";
/** The key for {@link org.jboss.as.controller.registry.AttributeAccess.AccessType} fields. */
public static final String ACCESS_TYPE = "access-type";
public static final String ADD = "add";
Expand Down Expand Up @@ -108,6 +109,7 @@ public class ModelDescriptionConstants {
public static final String DUMP_SERVICES = "dump-services";
public static final String ENABLE = "enable";
public static final String ENABLED = "enabled";
public static final String EXECUTE = "execute";
public static final String EXPRESSIONS_ALLOWED = "expressions-allowed";
public static final String EXTENSION = "extension";
public static final String FAILED = "failed";
Expand Down Expand Up @@ -339,6 +341,7 @@ public class ModelDescriptionConstants {
public static final String WILDCARD = "wildcard";
public static final String WRITE_ATTRIBUTE_OPERATION = "write-attribute";
public static final String XML_NAMESPACES = "xml-namespaces";
public static final String CHECK_RESOURCE_ACCESS = "check-resource-access";

private ModelDescriptionConstants() {
}
Expand Up @@ -92,6 +92,12 @@ public class GlobalOperationHandlers {
.setDefaultValue(new ModelNode(false))
.build();

static final SimpleAttributeDefinition ACCESS_CONTROL = new SimpleAttributeDefinitionBuilder(ModelDescriptionConstants.ACCESS_CONTROL, ModelType.BOOLEAN)
.setAllowNull(true)
.setDefaultValue(new ModelNode(false))
.build();


static final SimpleAttributeDefinition NAME = new SimpleAttributeDefinitionBuilder(ModelDescriptionConstants.NAME, ModelType.STRING)
.setValidator(new StringLengthValidator(1))
.setAllowNull(false)
Expand All @@ -111,7 +117,6 @@ public class GlobalOperationHandlers {
.setAllowNull(true)
.build();


public static void registerGlobalOperations(ManagementResourceRegistration root, ProcessType processType) {
root.registerOperationHandler(org.jboss.as.controller.operations.global.ReadResourceHandler.DEFINITION,
org.jboss.as.controller.operations.global.ReadResourceHandler.INSTANCE, true);
Expand All @@ -123,6 +128,14 @@ public static void registerGlobalOperations(ManagementResourceRegistration root,
root.registerOperationHandler(ReadChildrenResourcesHandler.DEFINITION, ReadChildrenResourcesHandler.INSTANCE, true);
root.registerOperationHandler(ReadOperationNamesHandler.DEFINITION, ReadOperationNamesHandler.INSTANCE, true);
root.registerOperationHandler(ReadOperationDescriptionHandler.DEFINITION, ReadOperationDescriptionHandler.INSTANCE, true);
root.registerOperationHandler(ReadResourceDescriptionHandler.CheckResourceAccessHandler.DEFINITION, new OperationStepHandler() {
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
//Just use an empty operation handler here, people who need
throw new OperationFailedException("This should never be called");
}
}, true);

if (processType != ProcessType.DOMAIN_SERVER) {
root.registerOperationHandler(org.jboss.as.controller.operations.global.WriteAttributeHandler.DEFINITION,
org.jboss.as.controller.operations.global.WriteAttributeHandler.INSTANCE, true);
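Review bot: The anonymous handler registered for `ReadResourceDescriptionHandler.CheckResourceAccessHandler.DEFINITION` carries a comment that stops mid-sentence (`//Just use an empty operation handler here, people who need`) and throws a hard-coded English string, where other code in this commit takes its messages from `ControllerMessages.MESSAGES`. The registration passes `true` as the last argument, like the other global operations, so the operation name presumably resolves at every address. The hunk does not show whether `DEFINITION` is marked as a private entry, so it is worth confirming that it stays out of operation listings and that a direct client call can only ever reach this throwing stub. I would finish the comment so it says who supplies the real step and why a direct call must fail, and move the message into the i18n bundle. The body of `registerGlobalOperations` continues outside the hunk.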