mocana avatar mocana committed 60e5fac

Updated test for public bucket when mounting.


Files changed (2)

dm-webservice/src/main/java/org/genomespace/datamanager/S3ServiceCall.java

 	}
 
 	private AWSCredentials getAWSCredentials() {
+		if(awsAccessId == null && awsSecretKey == null)return null;
 		return new AWSCredentials(awsAccessId, awsSecretKey);
 	}
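Review bot: The new guard in getAWSCredentials returns null only when both awsAccessId and awsSecretKey are null, so a configuration with exactly one of them set still constructs AWSCredentials with a null component and the failure surfaces later inside the request rather than at the point of misconfiguration. If null is meant to signal an anonymous call, reject the half-configured case explicitly, e.g. `if (awsAccessId == null && awsSecretKey == null) return null; // anonymous (public bucket) access` followed by `if (awsAccessId == null || awsSecretKey == null) throw new IllegalStateException("access id and secret key must both be set");`. A short Javadoc stating that a null return means the S3 call is made without credentials would also help callers such as the new isBucketPubliclyReadable understand the contract.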
 

dm-webservice/src/main/java/org/genomespace/datamanager/StorageSpecManagerImpl.java

 
 import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.BasicAWSCredentials;
+import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient;
+import com.amazonaws.services.identitymanagement.model.GetUserResult;
 import com.amazonaws.services.s3.AmazonS3Client;
 import com.amazonaws.services.s3.model.BucketTaggingConfiguration;
 import com.googlecode.ehcache.annotations.Cacheable;
 			if(!spec.equals(findDefaultS3StorageSpec()) && spec.getFilePermissions().contains(Permission.WRITE)){
 				throw new ForbiddenException("Only read-only buckets are supported at this time");
 			}
-			if(!isBucketReadable(bucketName)){
+			if(!isBucketPubliclyReadable(bucketName)){
 				throw new ForbiddenException("Bucket is not readable. Please update access rules on bucket before attempting to mount again");
 			}else{
 				if(isGenomespaceAccountHolderBucketOwner(bucketName) && !isBucketPublic(bucketName)){
 		return (theBucket != null &&theBucket.getOwner().getId().equals(genomespaceAccountHolderId));
 
 	}
+	public boolean isGenomespaceAccountHolderControlFile(final String bucketName,final String filePathString){
+
+		AccessControlList theBucket = null;
+		try{
+		theBucket = (new S3ServiceCall<AccessControlList>(accessId, secretKey) {
+			public AccessControlList execute(RestS3Service s3Service) throws S3ServiceException {
+				return s3Service.getObjectAcl(bucketName, filePathString);
+			}
+		}).doIt();
+		}catch(ServerErrorException e){
+			log.info("Could not get to the file "+filePathString+" in bucket "+filePathString,e);
+			return false;
+		}
+		if (theBucket == null) {
+			String msg = "Could not retrieve bucket with name:" + bucketName;
+			log.error("getBucketAcl:" + msg);
+			throw new NotFoundException(msg);
+		}
+		GrantAndPermission[] grantsAndPermissions = theBucket.getGrantAndPermissions();
+		Set<org.jets3t.service.acl.Permission> assignedPermissions = new LinkedHashSet<org.jets3t.service.acl.Permission>();
+		//if(grantsAndPermissions == null)return assignedPermissions;
+		String[] awsIdentifiers = {genomespaceAccountHolderId};
+		Set<String> awsIdentifiersCollection = new HashSet<String>(Arrays.asList(awsIdentifiers));
+		for(GrantAndPermission gAndP : grantsAndPermissions){
+			if(awsIdentifiersCollection.contains(gAndP.getGrantee().getIdentifier())){
+				assignedPermissions.add(gAndP.getPermission());
+			}
+		}
+		org.jets3t.service.acl.Permission[] requiredPermissions = {org.jets3t.service.acl.Permission.PERMISSION_READ,org.jets3t.service.acl.Permission.PERMISSION_READ_ACP,org.jets3t.service.acl.Permission.PERMISSION_WRITE_ACP};
+		return assignedPermissions.contains(org.jets3t.service.acl.Permission.PERMISSION_FULL_CONTROL) 
+				|| assignedPermissions.containsAll(Arrays.asList(requiredPermissions));
+
+	
+	}
 	@SuppressWarnings("unused")
-	private boolean isGenomespaceAccountHolderPermitted(String s3BucketName) {		
+	public boolean isGenomespaceAccountHolderPermitted(String s3BucketName) {		
 		Set<org.jets3t.service.acl.Permission> genomespaceAccountHolderPermisions = findPermissionsForBucket(s3BucketName,genomespaceAccountHolderId);
 		return genomespaceAccountHolderPermisions.contains(org.jets3t.service.acl.Permission.PERMISSION_FULL_CONTROL) || genomespaceAccountHolderPermisions.contains(org.jets3t.service.acl.Permission.PERMISSION_READ);
 		/*
 		return (accountHolderPermissions.contains(Permission.PERMISSION_FULL_CONTROL)) || accountHolderPermissions.contains(org.jets3t.service.acl.Permission.PERMISSION_READ)));
 		*/
 	}
+	public boolean isBucketReadable(final String bucketName,final String accessId,String accessKey) {
+		try {
+			S3ObjectsChunk chunk = (new S3ServiceCall<S3ObjectsChunk>(accessId,accessKey) {
+				public S3ObjectsChunk execute(RestS3Service s3Service) throws S3ServiceException {
+					S3ObjectsChunk chunk = s3Service.listObjectsChunked(bucketName, null, "/", 10l, null);
+					int i = 0;
+					if (chunk.getObjects().length == 0 && chunk.getCommonPrefixes().length == 0)
+						return null;
+					for (S3Object theObject : chunk.getObjects()) {
+						chunk.getObjects()[i] = s3Service.getObject(bucketName, theObject.getKey());
+						S3Object objDetails = s3Service.getObjectDetails(bucketName, theObject.getKey());
+						chunk.getObjects()[i] = objDetails;
+					}
+					return chunk;
+				}
+			}).doIt();
+			
+			if(chunk == null){
+				log.info("Bucket with name" + bucketName + " was empty. Could not test that it was readable");
+				return false;
+			}
+			for(final String prefix : chunk.getCommonPrefixes()){
+				try{
+				(new S3ServiceCall<S3Object>(accessId, accessKey) {
+					public S3Object execute(RestS3Service s3Service) throws S3ServiceException {
+							return s3Service.getObjectDetails(bucketName, prefix);
+					}
+				}).doIt();
+				}catch(NotFoundException e){
+					;//this is OK
+				}
+			}
+		} catch (ServerErrorException e) {
+			log.info("Bucket with name" + bucketName + "was not readable", e);
+			return false;
+		}
+		return true;
+
+	}
+	
 	/**
-	 * We will determine if a bucket is readable by actually trying to read the bucket.
-	 * APIs to access metadata for a bucket not owned by the caller might not be sufficient in many cases.
+	 * We will determine if a bucket is readable by actually trying to read the bucket without any credentials
 	 * @param bucketName
-	 * @return
+	 * @return whether our testing completed succesfully or not
 	 */
-	private boolean isBucketReadable(final String bucketName) {
+	public boolean isBucketPubliclyReadable(final String bucketName) {
 		try {
-			S3ObjectsChunk chunk = (new S3ServiceCall<S3ObjectsChunk>(accessId, secretKey) {
+			S3ObjectsChunk chunk = (new S3ServiceCall<S3ObjectsChunk>(null,null) {
 				public S3ObjectsChunk execute(RestS3Service s3Service) throws S3ServiceException {
 					S3ObjectsChunk chunk = s3Service.listObjectsChunked(bucketName, null, "/", 10l, null);
 					int i = 0;
 		}
 		return true;
 
+	
+		
 	}
 
 	private boolean isBucketPublic(String s3BucketName){
 			BucketTaggingConfiguration tagConfig = client.getBucketTaggingConfiguration(bucketName);
 			return tagConfig.getTagSet().getAllTags();
 	}
+	public String getAWSCredentialsUser(String accessId, String secretKey){
+		AWSCredentials credentials = new BasicAWSCredentials(accessId, secretKey);
+		AmazonIdentityManagementClient client = new AmazonIdentityManagementClient(credentials);
+		GetUserResult theUser = client.getUser();
+		return theUser.getUser().getUserName();
+	}
+	public String getAWSCredentialsUser(){
+		AWSCredentials credentials = new BasicAWSCredentials(this.accessId, this.secretKey);
+		AmazonIdentityManagementClient client = new AmazonIdentityManagementClient(credentials);
+		GetUserResult theUser = client.getUser();
+		return theUser.getUser().getUserName();
+	}
 	
 
 	private AccessControlList getBucketAcl(final String bucketName) {
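Review bot: In isBucketReadable the loop over chunk.getObjects() never increments i, so every iteration writes chunk.getObjects()[0], and the s3Service.getObject(...) result assigned on the previous line is immediately overwritten by getObjectDetails, meaning the full object body is fetched and then discarded (with jets3t that S3Object likely carries an open data stream that is never closed, so this is a probable connection leak as well as wasted transfer). Since the method only needs to prove the bucket is readable, drop the getObject call and the array write entirely, e.g. `for (S3Object theObject : chunk.getObjects()) { s3Service.getObjectDetails(bucketName, theObject.getKey()); }`. The same loop appears in isBucketPubliclyReadable, whose body runs past the hunk. Separately, the log message in isGenomespaceAccountHolderControlFile prints filePathString twice where the second should be bucketName, and the commented-out null guard on grantsAndPermissions should be restored before the for-each loop so a missing grant list does not end in a NullPointerException.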