com.yahoo.bard.webservice.web.security

Class RoleDimensionApiFilterRequestMapper

java.lang.Object

com.yahoo.bard.webservice.web.RequestMapper<T>

com.yahoo.bard.webservice.web.security.ChainingRequestMapper<DataApiRequest>

com.yahoo.bard.webservice.web.security.RoleDimensionApiFilterRequestMapper

public class RoleDimensionApiFilterRequestMapper
extends ChainingRequestMapper<DataApiRequest>

A request mapper that ensures that a user has at least one relevant role on a dimension and applies access filters based on roles for that user. This mapper is intended to route based on user-category style roles such as routing super-user access to a different mapping chain.

Field Summary

Fields

Modifier and Type	Field and Description
static String	DEFAULT_SECURITY_MESSAGE
static String	SECURITY_SIGNUP_MESSAGE_KEY

Constructor Summary

Constructors

Constructor and Description
RoleDimensionApiFilterRequestMapper(ResourceDictionaries resourceDictionaries, Dimension dimension, Map<String,Set<ApiFilter>> roleApiFilters, RequestMapper<DataApiRequest> next) Constructor.

Method Summary

Modifier and Type	Method and Description
protected Set<ApiFilter>	buildSecurityFilters(javax.ws.rs.core.SecurityContext securityContext) Collect all the whitelist filters generated by roles in this security context.
protected DataApiRequest	internalApply(DataApiRequest request, javax.ws.rs.container.ContainerRequestContext context) Rewrite and Validate the ApiRequest(e.g.
protected ApiFilters	mergeSecurityFilters(Map<Dimension,Set<ApiFilter>> requestFilters, Set<ApiFilter> securityFilters) Merge the request filters with the dimension filters for this request.
protected static Set<ApiFilter>	unionMergeFilterValues(Stream<ApiFilter> filterStream) For a set of ApiFilters collect by dimension, field and operation, and union their value sets.
protected void	validateSecurityFilters(Principal userPrincipal, Set<ApiFilter> mergedSecurityFilters) Verify that, given this user, that at least some of the whitelisted filters have been collected.

Methods inherited from class com.yahoo.bard.webservice.web.security.ChainingRequestMapper

apply

Methods inherited from class com.yahoo.bard.webservice.web.RequestMapper

getResourceDictionaries

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SECURITY_SIGNUP_MESSAGE_KEY

public static final String SECURITY_SIGNUP_MESSAGE_KEY

See Also:

Constant Field Values

DEFAULT_SECURITY_MESSAGE

public static final String DEFAULT_SECURITY_MESSAGE

See Also:

Constant Field Values

Constructor Detail

RoleDimensionApiFilterRequestMapper

public RoleDimensionApiFilterRequestMapper(ResourceDictionaries resourceDictionaries,
                                           Dimension dimension,
                                           Map<String,Set<ApiFilter>> roleApiFilters,
                                           RequestMapper<DataApiRequest> next)

Constructor.

Parameters:

resourceDictionaries - The dictionaries to use for request mapping.

dimension - The dimension whose roles are being matched

roleApiFilters - ApiFilters by role for a given dimension

next - The next request mapper to process this ApiRequest

Method Detail

internalApply

protected DataApiRequest internalApply(DataApiRequest request,
                                       javax.ws.rs.container.ContainerRequestContext context)
                                throws RequestValidationException

Description copied from class: ChainingRequestMapper

Rewrite and Validate the ApiRequest(e.g. Security check, permission check).

This should throw an exception if the given/converted request is not valid.

Specified by:

internalApply in class ChainingRequestMapper<DataApiRequest>

Parameters:

request - the apiRequest to rewrite

context - the ContainerRequestContext containing user and request information

Returns:

a reference to an apiRequest, either the original one or a rewritten one

Throws:

RequestValidationException - with the HTTP status and user-facing error msg to abort with if the request is not valid

mergeSecurityFilters

protected ApiFilters mergeSecurityFilters(Map<Dimension,Set<ApiFilter>> requestFilters,
                                          Set<ApiFilter> securityFilters)

Merge the request filters with the dimension filters for this request.

Parameters:

requestFilters - The set of all ApiFilters from a request

securityFilters - The filters produced by merging role-based filters

Returns:

A set of request filters supplemented with filters from this request.

validateSecurityFilters

protected void validateSecurityFilters(Principal userPrincipal,
                                       Set<ApiFilter> mergedSecurityFilters)
                                throws RequestValidationException

Verify that, given this user, that at least some of the whitelisted filters have been collected. Failure to have any whitelisted filters indicate a user has not been authorized for values with this dimension.

Parameters:

userPrincipal - The userPrincipal being validated

mergedSecurityFilters - The combined security filters for this request

Throws:

RequestValidationException - An http request exception documenting the lack of privileges

buildSecurityFilters

protected Set<ApiFilter> buildSecurityFilters(javax.ws.rs.core.SecurityContext securityContext)

Collect all the whitelist filters generated by roles in this security context.

Parameters:

securityContext - The security context of the request.

Returns:

A set of filters whitelisting access to this dimension.

unionMergeFilterValues

protected static Set<ApiFilter> unionMergeFilterValues(Stream<ApiFilter> filterStream)

For a set of ApiFilters collect by dimension, field and operation, and union their value sets.

Parameters:

filterStream - Stream of ApiFilters whose values are to be unioned

Returns:

A set of filters with the same operations but values unioned