org.apache.nifi.audit.AccessPolicyAuditor.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.nifi.audit.AccessPolicyAuditor.java

Source

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.nifi.audit;

import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.action.Action;
import org.apache.nifi.action.Component;
import org.apache.nifi.action.FlowChangeAction;
import org.apache.nifi.action.Operation;
import org.apache.nifi.action.details.ActionDetails;
import org.apache.nifi.action.details.FlowChangeConfigureDetails;
import org.apache.nifi.authorization.AccessPolicy;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.web.api.dto.AccessPolicyDTO;
import org.apache.nifi.web.dao.AccessPolicyDAO;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.text.Collator;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/**
 * Audits policy creation/removal and configuration changes.
 */
@Aspect
public class AccessPolicyAuditor extends NiFiAuditor {

    private static final Logger logger = LoggerFactory.getLogger(AccessPolicyAuditor.class);

    private static final String USERS = "Users";
    private static final String USER_GROUPS = "User Groups";

    /**
     * Audits the creation of policies via createAccessPolicy().
     *
     * This method only needs to be run 'after returning'. However, in Java 7 the order in which these methods are returned from Class.getDeclaredMethods (even though there is no order guaranteed)
     * seems to differ from Java 6. SpringAOP depends on this ordering to determine advice precedence. By normalizing all advice into Around advice we can alleviate this issue.
     *
     * @param proceedingJoinPoint join point
     * @return node
     * @throws Throwable ex
     */
    @Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && "
            + "execution(org.apache.nifi.authorization.AccessPolicy createAccessPolicy(org.apache.nifi.web.api.dto.AccessPolicyDTO))")
    public AccessPolicy createAccessPolicyAdvice(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        // create the access policy
        AccessPolicy policy = (AccessPolicy) proceedingJoinPoint.proceed();

        // if no exceptions were thrown, add the policy action...
        final Action action = generateAuditRecord(policy, Operation.Add);

        // save the actions
        if (action != null) {
            saveAction(action, logger);
        }

        return policy;
    }

    /**
     * Audits the configuration of a single policy.
     *
     * @param proceedingJoinPoint join point
     * @param accessPolicyDTO dto
     * @param accessPolicyDAO dao
     * @return node
     * @throws Throwable ex
     */
    @Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && "
            + "execution(org.apache.nifi.authorization.AccessPolicy updateAccessPolicy(org.apache.nifi.web.api.dto.AccessPolicyDTO)) && "
            + "args(accessPolicyDTO) && " + "target(accessPolicyDAO)")
    public AccessPolicy updateAccessPolicyAdvice(ProceedingJoinPoint proceedingJoinPoint,
            AccessPolicyDTO accessPolicyDTO, AccessPolicyDAO accessPolicyDAO) throws Throwable {
        // determine the initial values for each property/setting that's changing
        AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(accessPolicyDTO.getId());
        final Map<String, String> values = extractConfiguredPropertyValues(accessPolicy, accessPolicyDTO);

        // update the policy state
        final AccessPolicy updatedAccessPolicy = (AccessPolicy) proceedingJoinPoint.proceed();

        // if no exceptions were thrown, add the policy action...
        accessPolicy = accessPolicyDAO.getAccessPolicy(updatedAccessPolicy.getIdentifier());

        // get the current user
        NiFiUser user = NiFiUserUtils.getNiFiUser();

        // ensure the user was found
        if (user != null) {
            // determine the updated values
            Map<String, String> updatedValues = extractConfiguredPropertyValues(accessPolicy, accessPolicyDTO);

            // create a policy action
            Date actionTimestamp = new Date();
            Collection<Action> actions = new ArrayList<>();

            // go through each updated value
            for (String property : updatedValues.keySet()) {
                String newValue = updatedValues.get(property);
                String oldValue = values.get(property);
                Operation operation = null;

                // determine the type of operation
                if (oldValue == null || newValue == null || !newValue.equals(oldValue)) {
                    operation = Operation.Configure;
                }

                // create a configuration action accordingly
                if (operation != null) {
                    final FlowChangeConfigureDetails actionDetails = new FlowChangeConfigureDetails();
                    actionDetails.setName(property);
                    actionDetails.setValue(newValue);
                    actionDetails.setPreviousValue(oldValue);

                    // create a configuration action
                    FlowChangeAction configurationAction = new FlowChangeAction();
                    configurationAction.setUserIdentity(user.getIdentity());
                    configurationAction.setOperation(operation);
                    configurationAction.setTimestamp(actionTimestamp);
                    configurationAction.setSourceId(accessPolicy.getIdentifier());
                    configurationAction.setSourceName(formatPolicyName(accessPolicy));
                    configurationAction.setSourceType(Component.AccessPolicy);
                    configurationAction.setActionDetails(actionDetails);
                    actions.add(configurationAction);
                }
            }

            // ensure there are actions to record
            if (!actions.isEmpty()) {
                // save the actions
                saveActions(actions, logger);
            }
        }

        return updatedAccessPolicy;
    }

    /**
     * Audits the removal of a policy via deleteAccessPolicy().
     *
     * @param proceedingJoinPoint join point
     * @param policyId policy id
     * @param accessPolicyDAO dao
     * @throws Throwable ex
     */
    @Around("within(org.apache.nifi.web.dao.AccessPolicyDAO+) && "
            + "execution(org.apache.nifi.authorization.AccessPolicy deleteAccessPolicy(java.lang.String)) && "
            + "args(policyId) && " + "target(accessPolicyDAO)")
    public AccessPolicy removePolicyAdvice(ProceedingJoinPoint proceedingJoinPoint, String policyId,
            AccessPolicyDAO accessPolicyDAO) throws Throwable {
        // get the policy before removing it
        AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(policyId);

        // remove the policy
        final AccessPolicy removedAccessPolicy = (AccessPolicy) proceedingJoinPoint.proceed();

        // if no exceptions were thrown, add removal actions...
        // audit the policy removal
        final Action action = generateAuditRecord(accessPolicy, Operation.Remove);

        // save the actions
        if (action != null) {
            saveAction(action, logger);
        }

        return removedAccessPolicy;
    }

    /**
     * Generates an audit record for the creation of a policy.
     *
     * @param policy policy
     * @param operation operation
     * @return action
     */
    public Action generateAuditRecord(AccessPolicy policy, Operation operation) {
        return generateAuditRecord(policy, operation, null);
    }

    /**
     * Generates an audit record for the creation of a policy.
     *
     * @param policy policy
     * @param operation operation
     * @param actionDetails details
     * @return action
     */
    public Action generateAuditRecord(AccessPolicy policy, Operation operation, ActionDetails actionDetails) {
        FlowChangeAction action = null;

        // get the current user
        NiFiUser user = NiFiUserUtils.getNiFiUser();

        // ensure the user was found
        if (user != null) {
            // create the policy action for adding this policy
            action = new FlowChangeAction();
            action.setUserIdentity(user.getIdentity());
            action.setOperation(operation);
            action.setTimestamp(new Date());
            action.setSourceId(policy.getIdentifier());
            action.setSourceName(formatPolicyName(policy));
            action.setSourceType(Component.AccessPolicy);

            if (actionDetails != null) {
                action.setActionDetails(actionDetails);
            }
        }

        return action;
    }

    /**
     * Formats the name of the specified policy.
     *
     * @param policy policy
     * @return formatted name
     */
    private String formatPolicyName(final AccessPolicy policy) {
        return policy.getAction().toString() + " " + policy.getResource();
    }

    /**
     * Extracts the values for the configured properties from the specified policy.
     */
    private Map<String, String> extractConfiguredPropertyValues(AccessPolicy policy, AccessPolicyDTO policyDTO) {
        Map<String, String> values = new HashMap<>();

        if (policyDTO.getUsers() != null) {
            // get each of the auto terminated relationship names
            final List<String> currentUsers = new ArrayList<>(policy.getUsers());

            // sort them and include in the configuration
            Collections.sort(currentUsers, Collator.getInstance(Locale.US));
            values.put(USERS, StringUtils.join(currentUsers, ", "));
        }
        if (policyDTO.getUserGroups() != null) {
            // get each of the auto terminated relationship names
            final List<String> currentUserGroups = new ArrayList<>(policy.getGroups());

            // sort them and include in the configuration
            Collections.sort(currentUserGroups, Collator.getInstance(Locale.US));
            values.put(USER_GROUPS, StringUtils.join(currentUserGroups, ", "));
        }

        return values;
    }

}