in gateway-provider-security-authz-path-acls/src/main/java/org/apache/knox/gateway/filter/PathAclsAuthorizationFilter.java [202:258]
/**
 * Evaluates the parsed path ACL against the current Subject and the
 * request's remote address, then combines the three verdicts (user, group,
 * IP) according to {@code aclProcessingMode} ("OR" or "AND").
 *
 * <p>Returns {@code true} straight away when the ACL names no users, no
 * groups and no IP addresses: an ACL with nothing to match against is
 * treated as unrestricted. NOTE(review): that is a fail-open default for an
 * empty or all-wildcard ACL — confirm this is the intended deployment
 * behaviour rather than denying by default.
 *
 * <p>In OR mode a wildcard ("*") component is counted as "not granted";
 * otherwise a single "*" would satisfy the disjunction and admit everyone
 * regardless of the other two components. An unrecognised processing mode
 * (anything other than "OR"/"AND", including null) denies access.
 *
 * @param aclParser the parsed users/groups/IP ACL for the matched path
 * @param request   the incoming request; cast to HttpServletRequest to read
 *                  the peer address
 * @return {@code true} if the request is authorised by the ACL
 */
private boolean checkACLs(final AclParser aclParser,
    final ServletRequest request) {
  final boolean nothingToMatch = aclParser.users.isEmpty()
      && aclParser.groups.isEmpty()
      && aclParser.ipv.getIPAddresses().isEmpty();
  if (nothingToMatch) {
    return true;
  }

  // --- user verdict -------------------------------------------------------
  // NOTE(review): assumes a Subject is present on the access-control context;
  // a null Subject would NPE at getPrincipals() below — confirm
  // getCurrentSubject() never returns null at this point in the chain.
  final Subject subject = SubjectUtils.getCurrentSubject();
  // "effective" presumably accounts for impersonation/proxy-user — verify
  // against SubjectUtils.
  final String principal = SubjectUtils.getEffectivePrincipalName(subject);
  log.effectivePrincipal(principal);
  final boolean userAllowed = checkUserAcls(principal, aclParser);
  log.effectivePrincipalHasAccess(userAllowed);

  // --- group verdict ------------------------------------------------------
  final boolean groupAllowed;
  final Object[] groupPrincipals =
      subject.getPrincipals(GroupPrincipal.class).toArray();
  if (groupPrincipals.length == 0) {
    // No group principals to match. In AND mode an ACL such as
    // "*;*;127.0.0.*" must still be satisfiable, so a wildcard group
    // component counts as a match; in OR mode wildcards are discarded
    // below, so nothing is gained (or lost) by granting here.
    groupAllowed = aclParser.anyGroup && "AND".equals(aclProcessingMode);
  } else {
    groupAllowed = checkGroupAcls(groupPrincipals, aclParser);
    log.groupPrincipalHasAccess(groupAllowed);
  }

  // --- IP verdict ---------------------------------------------------------
  // Uses the socket-level peer address only; no forwarded-for header is
  // consulted. NOTE(review): behind a reverse proxy or load balancer this is
  // the proxy's address, not the end client's, so IP ACLs are only as
  // meaningful as the network path in front of the gateway.
  final String remoteAddr = ((HttpServletRequest) request).getRemoteAddr();
  log.remoteIPAddress(remoteAddr);
  final boolean ipAllowed = checkRemoteIpAcls(remoteAddr, aclParser);
  log.remoteIPAddressHasAccess(ipAllowed);

  // --- combine ------------------------------------------------------------
  if ("AND".equals(aclProcessingMode)) {
    return userAllowed && groupAllowed && ipAllowed;
  }
  if ("OR".equals(aclProcessingMode)) {
    // A wildcard component would otherwise short-circuit the disjunction
    // and admit everyone; treat it as "not granted" so that only explicitly
    // listed users, groups or addresses can satisfy the ACL.
    final boolean userVote = userAllowed && !aclParser.anyUser;
    final boolean groupVote = groupAllowed && !aclParser.anyGroup;
    final boolean ipVote = ipAllowed && !aclParser.ipv.allowsAnyIP();
    return userVote || groupVote || ipVote;
  }
  // Unknown processing mode: fail closed.
  return false;
}