Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.nifi.audit; import org.apache.commons.lang3.StringUtils; import org.apache.nifi.action.Action; import org.apache.nifi.action.Component; import org.apache.nifi.action.FlowChangeAction; import org.apache.nifi.action.Operation; import org.apache.nifi.action.details.ActionDetails; import org.apache.nifi.action.details.FlowChangeConfigureDetails; import org.apache.nifi.authorization.AccessPolicy; import org.apache.nifi.authorization.user.NiFiUser; import org.apache.nifi.authorization.user.NiFiUserUtils; import org.apache.nifi.web.api.dto.AccessPolicyDTO; import org.apache.nifi.web.dao.AccessPolicyDAO; import org.aspectj.lang.ProceedingJoinPoint; import org.aspectj.lang.annotation.Around; import org.aspectj.lang.annotation.Aspect; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.text.Collator; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.Date; import java.util.HashMap; import java.util.List; import java.util.Locale; import java.util.Map; /** * Audits policy creation/removal and configuration changes. */ @Aspect public class AccessPolicyAuditor extends NiFiAuditor { private static final Logger logger = LoggerFactory.getLogger(AccessPolicyAuditor.class); private static final String USERS = "Users"; private static final String USER_GROUPS = "User Groups"; /** * Audits the creation of policies via createAccessPolicy(). * * This method only needs to be run 'after returning'. However, in Java 7 the order in which these methods are returned from Class.getDeclaredMethods (even though there is no order guaranteed) * seems to differ from Java 6. SpringAOP depends on this ordering to determine advice precedence. By normalizing all advice into Around advice we can alleviate this issue. * * @param proceedingJoinPoint join point * @return node * @throws Throwable ex */ @Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && " + "execution(org.apache.nifi.authorization.AccessPolicy createAccessPolicy(org.apache.nifi.web.api.dto.AccessPolicyDTO))") public AccessPolicy createAccessPolicyAdvice(ProceedingJoinPoint proceedingJoinPoint) throws Throwable { // create the access policy AccessPolicy policy = (AccessPolicy) proceedingJoinPoint.proceed(); // if no exceptions were thrown, add the policy action... final Action action = generateAuditRecord(policy, Operation.Add); // save the actions if (action != null) { saveAction(action, logger); } return policy; } /** * Audits the configuration of a single policy. * * @param proceedingJoinPoint join point * @param accessPolicyDTO dto * @param accessPolicyDAO dao * @return node * @throws Throwable ex */ @Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && " + "execution(org.apache.nifi.authorization.AccessPolicy updateAccessPolicy(org.apache.nifi.web.api.dto.AccessPolicyDTO)) && " + "args(accessPolicyDTO) && " + "target(accessPolicyDAO)") public AccessPolicy updateAccessPolicyAdvice(ProceedingJoinPoint proceedingJoinPoint, AccessPolicyDTO accessPolicyDTO, AccessPolicyDAO accessPolicyDAO) throws Throwable { // determine the initial values for each property/setting that's changing AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(accessPolicyDTO.getId()); final Map<String, String> values = extractConfiguredPropertyValues(accessPolicy, accessPolicyDTO); // update the policy state final AccessPolicy updatedAccessPolicy = (AccessPolicy) proceedingJoinPoint.proceed(); // if no exceptions were thrown, add the policy action... accessPolicy = accessPolicyDAO.getAccessPolicy(updatedAccessPolicy.getIdentifier()); // get the current user NiFiUser user = NiFiUserUtils.getNiFiUser(); // ensure the user was found if (user != null) { // determine the updated values Map<String, String> updatedValues = extractConfiguredPropertyValues(accessPolicy, accessPolicyDTO); // create a policy action Date actionTimestamp = new Date(); Collection<Action> actions = new ArrayList<>(); // go through each updated value for (String property : updatedValues.keySet()) { String newValue = updatedValues.get(property); String oldValue = values.get(property); Operation operation = null; // determine the type of operation if (oldValue == null || newValue == null || !newValue.equals(oldValue)) { operation = Operation.Configure; } // create a configuration action accordingly if (operation != null) { final FlowChangeConfigureDetails actionDetails = new FlowChangeConfigureDetails(); actionDetails.setName(property); actionDetails.setValue(newValue); actionDetails.setPreviousValue(oldValue); // create a configuration action FlowChangeAction configurationAction = new FlowChangeAction(); configurationAction.setUserIdentity(user.getIdentity()); configurationAction.setOperation(operation); configurationAction.setTimestamp(actionTimestamp); configurationAction.setSourceId(accessPolicy.getIdentifier()); configurationAction.setSourceName(formatPolicyName(accessPolicy)); configurationAction.setSourceType(Component.AccessPolicy); configurationAction.setActionDetails(actionDetails); actions.add(configurationAction); } } // ensure there are actions to record if (!actions.isEmpty()) { // save the actions saveActions(actions, logger); } } return updatedAccessPolicy; } /** * Audits the removal of a policy via deleteAccessPolicy(). * * @param proceedingJoinPoint join point * @param policyId policy id * @param accessPolicyDAO dao * @throws Throwable ex */ @Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && " + "execution(org.apache.nifi.authorization.AccessPolicy deleteAccessPolicy(java.lang.String)) && " + "args(policyId) && " + "target(accessPolicyDAO)") public AccessPolicy removePolicyAdvice(ProceedingJoinPoint proceedingJoinPoint, String policyId, AccessPolicyDAO accessPolicyDAO) throws Throwable { // get the policy before removing it AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(policyId); // remove the policy final AccessPolicy removedAccessPolicy = (AccessPolicy) proceedingJoinPoint.proceed(); // if no exceptions were thrown, add removal actions... // audit the policy removal final Action action = generateAuditRecord(accessPolicy, Operation.Remove); // save the actions if (action != null) { saveAction(action, logger); } return removedAccessPolicy; } /** * Generates an audit record for the creation of a policy. * * @param policy policy * @param operation operation * @return action */ public Action generateAuditRecord(AccessPolicy policy, Operation operation) { return generateAuditRecord(policy, operation, null); } /** * Generates an audit record for the creation of a policy. * * @param policy policy * @param operation operation * @param actionDetails details * @return action */ public Action generateAuditRecord(AccessPolicy policy, Operation operation, ActionDetails actionDetails) { FlowChangeAction action = null; // get the current user NiFiUser user = NiFiUserUtils.getNiFiUser(); // ensure the user was found if (user != null) { // create the policy action for adding this policy action = new FlowChangeAction(); action.setUserIdentity(user.getIdentity()); action.setOperation(operation); action.setTimestamp(new Date()); action.setSourceId(policy.getIdentifier()); action.setSourceName(formatPolicyName(policy)); action.setSourceType(Component.AccessPolicy); if (actionDetails != null) { action.setActionDetails(actionDetails); } } return action; } /** * Formats the name of the specified policy. * * @param policy policy * @return formatted name */ private String formatPolicyName(final AccessPolicy policy) { return policy.getAction().toString() + " " + policy.getResource(); } /** * Extracts the values for the configured properties from the specified policy. */ private Map<String, String> extractConfiguredPropertyValues(AccessPolicy policy, AccessPolicyDTO policyDTO) { Map<String, String> values = new HashMap<>(); if (policyDTO.getUsers() != null) { // get each of the auto terminated relationship names final List<String> currentUsers = new ArrayList<>(policy.getUsers()); // sort them and include in the configuration Collections.sort(currentUsers, Collator.getInstance(Locale.US)); values.put(USERS, StringUtils.join(currentUsers, ", ")); } if (policyDTO.getUserGroups() != null) { // get each of the auto terminated relationship names final List<String> currentUserGroups = new ArrayList<>(policy.getGroups()); // sort them and include in the configuration Collections.sort(currentUserGroups, Collator.getInstance(Locale.US)); values.put(USER_GROUPS, StringUtils.join(currentUserGroups, ", ")); } return values; } }