
Example 1 with AuthorizationException

Use of com.evolveum.midpoint.util.exception.AuthorizationException in project midpoint by Evolveum.

Class WebModelServiceUtils, method loadObject.

@Nullable
public static <T extends ObjectType> PrismObject<T> loadObject(Class<T> type, String oid, Collection<SelectorOptions<GetOperationOptions>> options, boolean allowNotFound, PageBase page, Task task, OperationResult result) {
    LOGGER.debug("Loading {} with oid {}, options {}", type.getSimpleName(), oid, options);
    OperationResult subResult;
    if (result != null) {
        subResult = result.createMinorSubresult(OPERATION_LOAD_OBJECT);
    } else {
        subResult = new OperationResult(OPERATION_LOAD_OBJECT);
    }
    PrismObject<T> object = null;
    try {
        if (options == null) {
            options = SelectorOptions.createCollection(GetOperationOptions.createResolveNames());
        } else {
            GetOperationOptions getOpts = SelectorOptions.findRootOptions(options);
            if (getOpts == null) {
                options.add(new SelectorOptions<>(GetOperationOptions.createResolveNames()));
            } else {
                getOpts.setResolveNames(Boolean.TRUE);
            }
        }
        object = page.getModelService().getObject(type, oid, options, task, subResult);
    } catch (AuthorizationException e) {
        // Not authorized to access the object. This is probably caused by a reference that
        // points to an object that the current user cannot read. This is no big deal.
        // Just do not display that object.
        subResult.recordHandledError(e);
        LOGGER.debug("User {} is not authorized to read {} {}", task.getOwner() != null ? task.getOwner().getName() : null, type.getSimpleName(), oid);
        return null;
    } catch (ObjectNotFoundException e) {
        if (allowNotFound) {
            // Object does not exist. It was deleted in the meanwhile, or not created yet. This could happen quite often.
            subResult.recordHandledError(e);
            LOGGER.debug("{} {} does not exist", type.getSimpleName(), oid, e);
            return null;
        } else {
            subResult.recordFatalError("WebModelUtils.couldntLoadObject", e);
            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't load object", e);
        }
    } catch (Exception ex) {
        subResult.recordFatalError("WebModelUtils.couldntLoadObject", ex);
        LoggingUtils.logUnexpectedException(LOGGER, "Couldn't load object", ex);
    } finally {
        subResult.computeStatus();
    }
    // TODO reconsider this part: until recently, the condition was always 'false'
    if (WebComponentUtil.showResultInPage(subResult)) {
        page.showResult(subResult);
    }
    LOGGER.debug("Loaded {} with result {}", object, subResult);
    return object;
}

Example 2 with AuthorizationException

Use of com.evolveum.midpoint.util.exception.AuthorizationException in project midpoint by Evolveum.

Class SecurityEnforcerImpl, method failAuthorization.

@Override
public <O extends ObjectType, T extends ObjectType> void failAuthorization(String operationUrl, AuthorizationPhaseType phase, PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OperationResult result) throws SecurityViolationException {
    MidPointPrincipal principal = getPrincipal();
    String username = getQuotedUsername(principal);
    String message;
    if (target == null && object == null) {
        message = "User '" + username + "' not authorized for operation " + operationUrl;
    } else if (target == null) {
        message = "User '" + username + "' not authorized for operation " + operationUrl + " on " + object;
    } else {
        message = "User '" + username + "' not authorized for operation " + operationUrl + " on " + object + " with target " + target;
    }
    LOGGER.error("{}", message);
    AuthorizationException e = new AuthorizationException(message);
    result.recordFatalError(e.getMessage(), e);
    throw e;
}

Example 3 with AuthorizationException

Use of com.evolveum.midpoint.util.exception.AuthorizationException in project midpoint by Evolveum.

Class PageAdminObjectDetails, method loadParentOrgs.

private void loadParentOrgs(ObjectWrapper<O> wrapper, Task task, OperationResult result) {
    OperationResult subResult = result.createMinorSubresult(OPERATION_LOAD_PARENT_ORGS);
    PrismObject<O> focus = wrapper.getObject();
    // to better handle (ignore) errors.
    for (ObjectReferenceType parentOrgRef : focus.asObjectable().getParentOrgRef()) {
        PrismObject<OrgType> parentOrg = null;
        try {
            parentOrg = getModelService().getObject(OrgType.class, parentOrgRef.getOid(), null, task, subResult);
            LOGGER.trace("Loaded parent org with result {}", new Object[] { subResult.getLastSubresult() });
        } catch (AuthorizationException e) {
            // This can happen if the user has permission to read parentOrgRef but does not have
            // permission to read the target org.
            // It is OK to just ignore it.
            subResult.muteLastSubresultError();
            LOGGER.debug("User {} does not have permission to read parent org unit {} (ignoring error)", task.getOwner().getName(), parentOrgRef.getOid());
        } catch (Exception ex) {
            subResult.recordWarning("Cannot load parent org " + parentOrgRef.getOid(), ex);
            LOGGER.warn("Cannot load parent org {}: {}", parentOrgRef.getOid(), ex.getMessage(), ex);
        }
        if (parentOrg != null) {
            wrapper.getParentOrgs().add(parentOrg);
        }
    }
    subResult.computeStatus();
}

Example 4 with AuthorizationException

Use of com.evolveum.midpoint.util.exception.AuthorizationException in project midpoint by Evolveum.

Class Clockwork, method authorizeElementContext.

private <F extends ObjectType, O extends ObjectType> ObjectSecurityConstraints authorizeElementContext(LensContext<F> context, LensElementContext<O> elementContext, OwnerResolver ownerResolver, boolean isFocus, Task task, OperationResult result) throws SecurityViolationException, SchemaException {
    ObjectDelta<O> primaryDelta = elementContext.getPrimaryDelta();
    // If there is no delta then there is no request to authorize
    if (primaryDelta != null) {
        primaryDelta = primaryDelta.clone();
        PrismObject<O> object = elementContext.getObjectCurrent();
        if (object == null) {
            // This may happen when object is being added. 
            // But also in cases such as assignment of account and modification of 
            // the same account in one operation
            object = elementContext.getObjectNew();
        }
        String operationUrl = ModelUtils.getOperationUrlFromDelta(primaryDelta);
        ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(object, ownerResolver);
        if (securityConstraints == null) {
            throw new AuthorizationException("Access denied");
        }
        if (isFocus) {
            // Process assignments first. If the assignments are allowed then we
            // have to ignore the assignment item in subsequent security checks
            ContainerDelta<Containerable> assignmentDelta = primaryDelta.findContainerDelta(FocusType.F_ASSIGNMENT);
            if (assignmentDelta != null) {
                AuthorizationDecisionType assignmentItemDecision = securityConstraints.findItemDecision(new ItemPath(FocusType.F_ASSIGNMENT), operationUrl, getRequestAuthorizationPhase(context));
                if (assignmentItemDecision == AuthorizationDecisionType.ALLOW) {
                // Nothing to do, operation is allowed for all values
                } else if (assignmentItemDecision == AuthorizationDecisionType.DENY) {
                    throw new AuthorizationException("Access denied");
                } else {
                    AuthorizationDecisionType actionDecision = securityConstraints.getActionDecision(operationUrl, getRequestAuthorizationPhase(context));
                    if (actionDecision == AuthorizationDecisionType.ALLOW) {
                    // Nothing to do, operation is allowed for all values
                    } else if (actionDecision == AuthorizationDecisionType.DENY) {
                        throw new AuthorizationException("Access denied");
                    } else {
                        // No explicit decision for assignment modification yet
                        // process each assignment individually
                        DeltaSetTriple<EvaluatedAssignmentImpl<?>> evaluatedAssignmentTriple = context.getEvaluatedAssignmentTriple();
                        authorizeAssignmentRequest(context, ModelAuthorizationAction.ASSIGN.getUrl(), object, ownerResolver, evaluatedAssignmentTriple.getPlusSet(), true, result);
                        // We want to allow unassignment even if there are policies. Otherwise we would not be able to get
                        // rid of that assignment
                        authorizeAssignmentRequest(context, ModelAuthorizationAction.UNASSIGN.getUrl(), object, ownerResolver, evaluatedAssignmentTriple.getMinusSet(), false, result);
                    }
                }
                // authorization
                if (primaryDelta.isAdd()) {
                    PrismObject<O> objectToAdd = primaryDelta.getObjectToAdd();
                    objectToAdd.removeContainer(FocusType.F_ASSIGNMENT);
                } else if (primaryDelta.isModify()) {
                    primaryDelta.removeContainerModification(FocusType.F_ASSIGNMENT);
                }
            }
        }
        if (!primaryDelta.isDelete()) {
            if (primaryDelta.isAdd()) {
                PrismObject<O> objectToAdd = primaryDelta.getObjectToAdd();
                PrismContainer<CredentialsType> credentialsContainer = objectToAdd.findContainer(UserType.F_CREDENTIALS);
                if (credentialsContainer != null) {
                    for (Item<?, ?> item : credentialsContainer.getValue().getItems()) {
                        ContainerDelta<?> cdelta = new ContainerDelta(item.getPath(), (PrismContainerDefinition) item.getDefinition(), prismContext);
                        cdelta.addValuesToAdd(((PrismContainer) item).getValue().clone());
                        AuthorizationDecisionType cdecision = evaluateCredentialDecision(context, securityConstraints, cdelta);
                        LOGGER.trace("AUTZ: credential add {} decision: {}", item.getPath(), cdecision);
                        if (cdecision == AuthorizationDecisionType.ALLOW) {
                            // Remove it from primary delta, so it will not be evaluated later
                            objectToAdd.removeContainer(item.getPath());
                        } else if (cdecision == AuthorizationDecisionType.DENY) {
                            throw new AuthorizationException("Access denied");
                        } else {
                        // Do nothing. The access will be evaluated later in a normal way
                        }
                    }
                }
            } else {
                // modify
                Collection<? extends ItemDelta<?, ?>> credentialChanges = primaryDelta.findItemDeltasSubPath(new ItemPath(UserType.F_CREDENTIALS));
                for (ItemDelta credentialChange : credentialChanges) {
                    AuthorizationDecisionType cdecision = evaluateCredentialDecision(context, securityConstraints, credentialChange);
                    LOGGER.trace("AUTZ: credential delta {} decision: {}", credentialChange.getPath(), cdecision);
                    if (cdecision == AuthorizationDecisionType.ALLOW) {
                        // Remove it from primary delta, so it will not be evaluated later
                        primaryDelta.removeModification(credentialChange);
                    } else if (cdecision == AuthorizationDecisionType.DENY) {
                        throw new AuthorizationException("Access denied");
                    } else {
                    // Do nothing. The access will be evaluated later in a normal way
                    }
                }
            }
        }
        if (primaryDelta != null && !primaryDelta.isEmpty()) {
            // TODO: optimize, avoid evaluating the constraints twice
            securityEnforcer.authorize(operationUrl, getRequestAuthorizationPhase(context), object, primaryDelta, null, ownerResolver, result);
        }
        return securityConstraints;
    } else {
        return null;
    }
}

Example 5 with AuthorizationException

Use of com.evolveum.midpoint.util.exception.AuthorizationException in project midpoint by Evolveum.

Class SchemaTransformer, method applySchemasAndSecurityPhase.

private <O extends ObjectType> void applySchemasAndSecurityPhase(PrismObject<O> object, ObjectSecurityConstraints securityConstraints, PrismObjectDefinition<O> objectDefinition, GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
    Validate.notNull(phase);
    try {
        AuthorizationDecisionType globalReadDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.READ.getUrl(), phase);
        if (globalReadDecision == AuthorizationDecisionType.DENY) {
            // shortcut
            SecurityUtil.logSecurityDeny(object, "because the authorization denies access");
            throw new AuthorizationException("Access denied");
        }
        AuthorizationDecisionType globalAddDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.ADD.getUrl(), phase);
        AuthorizationDecisionType globalModifyDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase);
        applySecurityConstraints((List) object.getValue().getItems(), securityConstraints, globalReadDecision, globalAddDecision, globalModifyDecision, phase);
        if (object.isEmpty()) {
            // let's make it explicit
            SecurityUtil.logSecurityDeny(object, "because the subject has not access to any item");
            throw new AuthorizationException("Access denied");
        }
        applySecurityConstraintsItemDef(objectDefinition, ItemPath.EMPTY_PATH, securityConstraints, globalReadDecision, globalAddDecision, globalModifyDecision, phase);
    } catch (SecurityViolationException | RuntimeException e) {
        result.recordFatalError(e);
        throw e;
    }
}
