#140 - Added ACL checks to Findings, Metrics, and Policy Violation re…
…sources
stevespringett committed Aug 2, 2021
1 parent e026a5f commit 17e08aa
Showing 3 changed files with 82 additions and 30 deletions.
Expand Up @@ -63,6 +63,7 @@ public class FindingResource extends AlpineResource {
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.VULNERABILITY_ANALYSIS)
Expand All @@ -72,9 +73,13 @@ public Response getFindingsByProject(@PathParam("uuid") String uuid,
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Project project = qm.getObjectByUuid(Project.class, uuid);
if (project != null) {
//final long totalCount = qm.getVulnerabilityCount(project, suppressed);
final List<Finding> findings = qm.getFindings(project, suppressed);
return Response.ok(findings).header(TOTAL_COUNT_HEADER, findings.size()).build();
if (qm.hasAccess(super.getPrincipal(), project)) {
//final long totalCount = qm.getVulnerabilityCount(project, suppressed);
final List<Finding> findings = qm.getFindings(project, suppressed);
return Response.ok(findings).header(TOTAL_COUNT_HEADER, findings.size()).build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified project is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The project could not be found.").build();
}
Expand All @@ -89,18 +94,23 @@ public Response getFindingsByProject(@PathParam("uuid") String uuid,
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.VULNERABILITY_ANALYSIS)
public Response exportFindingsByProject(@PathParam("uuid") String uuid) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Project project = qm.getObjectByUuid(Project.class, uuid);
if (project != null) {
final List<Finding> findings = qm.getFindings(project);
final FindingPackagingFormat fpf = new FindingPackagingFormat(UUID.fromString(uuid), findings);
final Response.ResponseBuilder rb = Response.ok(fpf.getDocument().toString(), "application/json");
rb.header("Content-Disposition", "inline; filename=findings-" + uuid + ".fpf");
return rb.build();
if (qm.hasAccess(super.getPrincipal(), project)) {
final List<Finding> findings = qm.getFindings(project);
final FindingPackagingFormat fpf = new FindingPackagingFormat(UUID.fromString(uuid), findings);
final Response.ResponseBuilder rb = Response.ok(fpf.getDocument().toString(), "application/json");
rb.header("Content-Disposition", "inline; filename=findings-" + uuid + ".fpf");
return rb.build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified project is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The project could not be found.").build();
}
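Review bot: In getFindingsByProject and exportFindingsByProject the new hasAccess branch is reached only after the project lookup succeeded, so a caller without access can still tell a valid project UUID from an unknown one by the status code alone (403 versus 404). If project existence is itself considered sensitive in the deployment model this ACL targets, the forbidden branch could return the same response as the not-found branch, `return Response.status(Response.Status.NOT_FOUND).entity("The project could not be found.").build();`, otherwise the distinction should be a deliberate, documented choice, since the @ApiResponse annotations now advertise it; the same pattern appears in every ACL hunk of MetricsResource and PolicyViolationResource below. A smaller inconsistency is that the 403 entity string has no trailing period while the 404 string does (`"Access to the specified project is forbidden"` versus `"The project could not be found."`). The signature of getFindingsByProject precedes its hunk and each method's try block continues past it, so the remainder of both bodies is not visible here.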
68 changes: 50 additions & 18 deletions src/main/java/org/dependencytrack/resources/v1/MetricsResource.java
Expand Up @@ -169,17 +169,22 @@ public Response RefreshPortfolioMetrics() {
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO)
public Response getProjectCurrentMetrics(
@ApiParam(value = "The UUID of the project to retrieve metrics for", required = true)
@PathParam("uuid") String uuid) {
try (QueryManager qm = new QueryManager()) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Project project = qm.getObjectByUuid(Project.class, uuid);
if (project != null) {
final ProjectMetrics metrics = qm.getMostRecentProjectMetrics(project);
return Response.ok(metrics).build();
if (qm.hasAccess(super.getPrincipal(), project)) {
final ProjectMetrics metrics = qm.getMostRecentProjectMetrics(project);
return Response.ok(metrics).build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified project is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The project could not be found.").build();
}
Expand All @@ -197,6 +202,7 @@ public Response getProjectCurrentMetrics(
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO)
Expand All @@ -220,6 +226,7 @@ public Response getProjectMetricsSince(
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO)
Expand All @@ -241,17 +248,22 @@ public Response getProjectMetricsXDays(
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT)
public Response RefreshProjectMetrics(
@ApiParam(value = "The UUID of the project to refresh metrics on", required = true)
@PathParam("uuid") String uuid) {
try (QueryManager qm = new QueryManager()) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Project project = qm.getObjectByUuid(Project.class, uuid);
if (project != null) {
Event.dispatch(new MetricsUpdateEvent(project));
return Response.ok().build();
if (qm.hasAccess(super.getPrincipal(), project)) {
Event.dispatch(new MetricsUpdateEvent(project));
return Response.ok().build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified project is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The project could not be found.").build();
}
Expand All @@ -267,17 +279,22 @@ public Response RefreshProjectMetrics(
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified component is forbidden"),
@ApiResponse(code = 404, message = "The component could not be found")
})
@PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO)
public Response getComponentCurrentMetrics(
@ApiParam(value = "The UUID of the component to retrieve metrics for", required = true)
@PathParam("uuid") String uuid) {
try (QueryManager qm = new QueryManager()) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Component component = qm.getObjectByUuid(Component.class, uuid);
if (component != null) {
final DependencyMetrics metrics = qm.getMostRecentDependencyMetrics(component);
return Response.ok(metrics).build();
if (qm.hasAccess(super.getPrincipal(), component.getProject())) {
final DependencyMetrics metrics = qm.getMostRecentDependencyMetrics(component);
return Response.ok(metrics).build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified component is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The component could not be found.").build();
}
Expand All @@ -295,6 +312,7 @@ public Response getComponentCurrentMetrics(
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified component is forbidden"),
@ApiResponse(code = 404, message = "The component could not be found")
})
@PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO)
Expand All @@ -321,6 +339,7 @@ public Response getComponentMetricsSince(
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified component is forbidden"),
@ApiResponse(code = 404, message = "The component could not be found")
})
@PermissionRequired(Permissions.Constants.VIEW_PORTFOLIO)
Expand All @@ -342,17 +361,22 @@ public Response getComponentMetricsXDays(
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified component is forbidden"),
@ApiResponse(code = 404, message = "The component could not be found")
})
@PermissionRequired(Permissions.Constants.PORTFOLIO_MANAGEMENT)
public Response RefreshComponentMetrics(
@ApiParam(value = "The UUID of the component to refresh metrics on", required = true)
@PathParam("uuid") String uuid) {
try (QueryManager qm = new QueryManager()) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Component component = qm.getObjectByUuid(Component.class, uuid);
if (component != null) {
Event.dispatch(new MetricsUpdateEvent(component));
return Response.ok().build();
if (qm.hasAccess(super.getPrincipal(), component.getProject())) {
Event.dispatch(new MetricsUpdateEvent(component));
return Response.ok().build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified component is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The component could not be found.").build();
}
Expand All @@ -367,11 +391,15 @@ public Response RefreshComponentMetrics(
* @return a Response object
*/
private Response getProjectMetrics(String uuid, Date since) {
try (QueryManager qm = new QueryManager()) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Project project = qm.getObjectByUuid(Project.class, uuid);
if (project != null) {
final List<ProjectMetrics> metrics = qm.getProjectMetricsSince(project, since);
return Response.ok(metrics).build();
if (qm.hasAccess(super.getPrincipal(), project)) {
final List<ProjectMetrics> metrics = qm.getProjectMetricsSince(project, since);
return Response.ok(metrics).build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified project is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The project could not be found.").build();
}
Expand All @@ -386,11 +414,15 @@ private Response getProjectMetrics(String uuid, Date since) {
* @return a Response object
*/
private Response getComponentMetrics(String uuid, Date since) {
try (QueryManager qm = new QueryManager()) {
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Component component = qm.getObjectByUuid(Component.class, uuid);
if (component != null) {
final List<DependencyMetrics> metrics = qm.getDependencyMetricsSince(component, since);
return Response.ok(metrics).build();
if (qm.hasAccess(super.getPrincipal(), component.getProject())) {
final List<DependencyMetrics> metrics = qm.getDependencyMetricsSince(component, since);
return Response.ok(metrics).build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified component is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The component could not be found.").build();
}
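Review bot: The load-then-hasAccess-then-403 block is repeated verbatim in six methods of this file (getProjectCurrentMetrics, RefreshProjectMetrics, getComponentCurrentMetrics, RefreshComponentMetrics, getProjectMetrics, getComponentMetrics), differing only in the "project"/"component" noun of the message, which makes it easy for a future endpoint to be added without the check. Centralising the access decision in one private helper keeps the authorization logic in a single place that can be reviewed and tested, and each call site shrinks to a guard; the refresh endpoints correctly perform the check before `Event.dispatch`, and the helper keeps that ordering. The `super.` qualifier on `super.getPrincipal()` appears unnecessary unless this resource overrides getPrincipal, which the diff does not show. getProjectMetricsSince, getProjectMetricsXDays, getComponentMetricsSince and getComponentMetricsXDays only gain the 403 annotation here; whether they route through the private getProjectMetrics/getComponentMetrics is not visible in this diff and should be confirmed, otherwise their annotation would advertise a check they do not perform.
```java
    /**
     * Returns an empty Optional when the current principal may access {@code project},
     * otherwise a ready-built 403 response naming {@code subject} ("project" or "component").
     */
    private Optional<Response> checkAccess(final QueryManager qm, final Project project, final String subject) {
        if (qm.hasAccess(getPrincipal(), project)) {
            return Optional.empty();
        }
        return Optional.of(Response.status(Response.Status.FORBIDDEN)
                .entity("Access to the specified " + subject + " is forbidden").build());
    }

    // … call site in getProjectCurrentMetrics, replacing the nested if/else …
            if (project != null) {
                final Optional<Response> denied = checkAccess(qm, project, "project");
                if (denied.isPresent()) {
                    return denied.get();
                }
                final ProjectMetrics metrics = qm.getMostRecentProjectMetrics(project);
                return Response.ok(metrics).build();
            } else {
                // … unchanged: 404 branch …
            }
```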
Expand Up @@ -82,6 +82,7 @@ public Response getViolations(@ApiParam(value = "Optionally includes suppressed
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified project is forbidden"),
@ApiResponse(code = 404, message = "The project could not be found")
})
@PermissionRequired(Permissions.Constants.POLICY_VIOLATION_ANALYSIS)
Expand All @@ -91,8 +92,12 @@ public Response getViolationsByProject(@PathParam("uuid") String uuid,
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Project project = qm.getObjectByUuid(Project.class, uuid);
if (project != null) {
final PaginatedResult result = qm.getPolicyViolations(project, suppressed);
return Response.ok(result.getObjects()).header(TOTAL_COUNT_HEADER, result.getTotal()).build();
if (qm.hasAccess(super.getPrincipal(), project)) {
final PaginatedResult result = qm.getPolicyViolations(project, suppressed);
return Response.ok(result.getObjects()).header(TOTAL_COUNT_HEADER, result.getTotal()).build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified project is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The project could not be found.").build();
}
Expand All @@ -110,6 +115,7 @@ public Response getViolationsByProject(@PathParam("uuid") String uuid,
)
@ApiResponses(value = {
@ApiResponse(code = 401, message = "Unauthorized"),
@ApiResponse(code = 403, message = "Access to the specified component is forbidden"),
@ApiResponse(code = 404, message = "The component could not be found")
})
@PermissionRequired(Permissions.Constants.POLICY_VIOLATION_ANALYSIS)
Expand All @@ -119,8 +125,12 @@ public Response getViolationsByComponent(@PathParam("uuid") String uuid,
try (QueryManager qm = new QueryManager(getAlpineRequest())) {
final Component component = qm.getObjectByUuid(Component.class, uuid);
if (component != null) {
final PaginatedResult result = qm.getPolicyViolations(component, suppressed);
return Response.ok(result.getObjects()).header(TOTAL_COUNT_HEADER, result.getTotal()).build();
if (qm.hasAccess(super.getPrincipal(), component.getProject())) {
final PaginatedResult result = qm.getPolicyViolations(component, suppressed);
return Response.ok(result.getObjects()).header(TOTAL_COUNT_HEADER, result.getTotal()).build();
} else {
return Response.status(Response.Status.FORBIDDEN).entity("Access to the specified component is forbidden").build();
}
} else {
return Response.status(Response.Status.NOT_FOUND).entity("The component could not be found.").build();
}
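Review bot: The per-project and per-component endpoints now gate on hasAccess, but the portfolio-wide getViolations, visible only in the first hunk header of this file, receives no change in this commit; if that endpoint returns violations across all projects without an equivalent scope check, the new per-resource checks would be incomplete as an access control, because the same data remains reachable through the unfiltered listing. The QueryManager is built from `getAlpineRequest()`, which may already scope its queries to the principal, so this may be handled at the query layer, but that is not visible here and is worth confirming in the same change. In getViolationsByComponent the check is made against `component.getProject()`; if a component can exist without a project, the behaviour of `qm.hasAccess` for a null project should be confirmed so the branch fails closed. Both method signatures are shown only in the hunk headers, so the surrounding try blocks are partly outside this view.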
