
Example 1 with IdmAuthorizationPolicyDto

use of eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto in project CzechIdMng by bcvsolutions.

From the class AuthorizationPolicyDeletePermissionsChangeProcessor, method process:

@Override
public EventResult<IdmAuthorizationPolicyDto> process(EntityEvent<IdmAuthorizationPolicyDto> event) {
    IdmAuthorizationPolicyDto entity = event.getContent();
    // authorities the role grants right now versus the authorities already persisted for it
    Set<GrantedAuthority> currentRolePermissions = service.getEnabledRoleAuthorities(null, entity.getRole());
    Set<GrantedAuthority> persistedRolePermissions = service.getEnabledPersistedRoleAuthorities(null, entity.getRole());
    // deleting the policy changed the effective authorities of the role, so record the change for identities holding it
    if (!currentRolePermissions.equals(persistedRolePermissions)) {
        updateIdentitiesAuthChangeInRole(entity.getRole());
    }
    // hand the (unchanged) event on to the next processor
    return new DefaultEventResult<>(event, this);
}
Also used : GrantedAuthority(org.springframework.security.core.GrantedAuthority) DefaultEventResult(eu.bcvsolutions.idm.core.api.event.DefaultEventResult) IdmAuthorizationPolicyDto(eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto)

Example 2 with IdmAuthorizationPolicyDto

use of eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto in project CzechIdMng by bcvsolutions.

From the class AuthorizationPolicySaveProcessor, method process:

@Override
public EventResult<IdmAuthorizationPolicyDto> process(EntityEvent<IdmAuthorizationPolicyDto> event) {
    IdmAuthorizationPolicyDto dto = event.getContent();
    // persist the policy and put the saved DTO (with generated id etc.) back into the event
    dto = service.saveInternal(dto);
    event.setContent(dto);
    // hand the event on to the next processor
    return new DefaultEventResult<>(event, this);
}
Also used : DefaultEventResult(eu.bcvsolutions.idm.core.api.event.DefaultEventResult) IdmAuthorizationPolicyDto(eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto)

Example 3 with IdmAuthorizationPolicyDto

use of eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto in project CzechIdMng by bcvsolutions.

From the class DefaultIdmAuthorizationPolicyService, method getGrantedAuthorities:

@Override
@Transactional(readOnly = true)
public Set<GrantedAuthority> getGrantedAuthorities(UUID identityId, List<IdmAuthorizationPolicyDto> policies) {
    final Set<GrantedAuthority> authorities = new HashSet<>();
    // find all active policies and return their authority by authorizable type
    for (IdmAuthorizationPolicyDto policy : policies) {
        // evaluate policy permissions - authorities are evaluated on null entity
        String groupPermission = policy.getGroupPermission();
        Set<String> baseAuthorities = getAuthorizationManager().getAuthorities(identityId, policy);
        // APP group, or ADMIN without a group, is the application-wide admin: nothing else needs to be evaluated
        if (IdmGroupPermission.APP.getName().equals(groupPermission) || (StringUtils.isEmpty(groupPermission) && baseAuthorities.contains(IdmBasePermission.ADMIN.getName()))) {
            // admin
            return Sets.newHashSet(new DefaultGrantedAuthority(IdmGroupPermission.APP.getName(), IdmBasePermission.ADMIN.getName()));
        }
        if (StringUtils.isEmpty(groupPermission)) {
            if (baseAuthorities.contains(IdmBasePermission.ADMIN.getName())) {
                // all groups => synonym to APP_ADMIN
                authorities.add(new DefaultGrantedAuthority(IdmGroupPermission.APP.getName(), IdmBasePermission.ADMIN.getName()));
            } else {
                // some base permission only - expand it to every available group except the APP wildcard
                moduleService.getAvailablePermissions().forEach(availableGroupPermission -> {
                    if (IdmGroupPermission.APP != availableGroupPermission) {
                        // app is wildcard only - skipping
                        for (String permission : baseAuthorities) {
                            authorities.add(new DefaultGrantedAuthority(availableGroupPermission.getName(), permission));
                        }
                    }
                });
            }
        } else if (baseAuthorities.contains(IdmBasePermission.ADMIN.getName())) {
            // ADMIN within one group
            authorities.add(new DefaultGrantedAuthority(groupPermission, IdmBasePermission.ADMIN.getName()));
        } else {
            // individual base permissions within one group
            for (String permission : baseAuthorities) {
                authorities.add(new DefaultGrantedAuthority(groupPermission, permission));
            }
        }
    }
    // union of authorities granted by all evaluated policies
    return authorities;
}
Also used : DefaultGrantedAuthority(eu.bcvsolutions.idm.core.security.api.domain.DefaultGrantedAuthority) GrantedAuthority(org.springframework.security.core.GrantedAuthority) IdmAuthorizationPolicyDto(eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto) DefaultGrantedAuthority(eu.bcvsolutions.idm.core.security.api.domain.DefaultGrantedAuthority) HashSet(java.util.HashSet) Transactional(org.springframework.transaction.annotation.Transactional)

Example 4 with IdmAuthorizationPolicyDto

use of eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto in project CzechIdMng by bcvsolutions.

From the class DefaultIdmAuthorizationPolicyService, method getDefaultPolicies:

@Override
@Transactional(readOnly = true)
public List<IdmAuthorizationPolicyDto> getDefaultPolicies(Class<? extends Identifiable> entityType) {
    IdmRoleDto defaultRole = roleService.getDefaultRole();
    if (defaultRole == null) {
        LOG.debug("Default role not found, no default authorization policies will be added.  Change configuration [{}].", IdmRoleService.PROPERTY_DEFAULT_ROLE);
        return Collections.<IdmAuthorizationPolicyDto>emptyList();
    }
    if (defaultRole.isDisabled()) {
        LOG.debug("Default role [{}] is disabled, no default authorization policies will be added.", defaultRole.getName());
        return Collections.<IdmAuthorizationPolicyDto>emptyList();
    }
    // only enabled policies of the default role count as default policies
    IdmAuthorizationPolicyFilter filter = new IdmAuthorizationPolicyFilter();
    filter.setRoleId(defaultRole.getId());
    filter.setDisabled(Boolean.FALSE);
    if (entityType != null) {
        // optional - restrict to policies for the given entity type
        filter.setAuthorizableType(entityType.getCanonicalName());
    }
    List<IdmAuthorizationPolicyDto> defaultPolicies = find(filter, null).getContent();
    // unpaged lookup (null pageable) - all matching policies are returned
    LOG.debug("Found [{}] default policies", defaultPolicies.size());
    return defaultPolicies;
}
Also used : IdmRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleDto) IdmAuthorizationPolicyDto(eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto) IdmAuthorizationPolicyFilter(eu.bcvsolutions.idm.core.api.dto.filter.IdmAuthorizationPolicyFilter) Transactional(org.springframework.transaction.annotation.Transactional)

Example 5 with IdmAuthorizationPolicyDto

use of eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto in project CzechIdMng by bcvsolutions.

From the class DefaultAuthorizationManager, method evaluate:

@Override
public <E extends Identifiable> boolean evaluate(E entity, BasePermission... permission) {
    Assert.notNull(entity);
    Assert.notNull(permission);
    // check super admin
    if (securityService.isAdmin()) {
        LOG.debug("Logged as admin [{}], authorization granted", securityService.getCurrentUsername());
        return true;
    }
    // enabled policies of the current identity for this entity type; the first policy whose evaluator grants the permission wins
    for (IdmAuthorizationPolicyDto policy : service.getEnabledPolicies(securityService.getCurrentId(), entity.getClass())) {
        if (!supportsEntityType(policy, entity.getClass())) {
            // TODO: compatibility issues - agendas without authorization support
            continue;
        }
        AuthorizationEvaluator<E> evaluator = getEvaluator(policy);
        if (evaluator != null && evaluator.supports(entity.getClass()) && evaluator.evaluate(entity, policy, permission)) {
            return true;
        }
    }
    // no policy granted the permission - deny by default
    return false;
}
Also used : IdmAuthorizationPolicyDto(eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto)

Aggregations

IdmAuthorizationPolicyDto (eu.bcvsolutions.idm.core.api.dto.IdmAuthorizationPolicyDto)41 Test (org.junit.Test)25 IdmRoleDto (eu.bcvsolutions.idm.core.api.dto.IdmRoleDto)23 IdmIdentityDto (eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto)22 AbstractIntegrationTest (eu.bcvsolutions.idm.test.api.AbstractIntegrationTest)18 IdmRole (eu.bcvsolutions.idm.core.model.entity.IdmRole)16 LoginDto (eu.bcvsolutions.idm.core.security.api.dto.LoginDto)14 GuardedString (eu.bcvsolutions.idm.core.security.api.domain.GuardedString)11 AbstractUnitTest (eu.bcvsolutions.idm.test.api.AbstractUnitTest)7 AccAccount (eu.bcvsolutions.idm.acc.entity.AccAccount)6 AccAccountDto (eu.bcvsolutions.idm.acc.dto.AccAccountDto)5 SysSystemDto (eu.bcvsolutions.idm.acc.dto.SysSystemDto)5 UUID (java.util.UUID)5 Transactional (org.springframework.transaction.annotation.Transactional)5 IdmIdentityContractDto (eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto)4 IdmConfiguration (eu.bcvsolutions.idm.core.model.entity.IdmConfiguration)4 IdmIdentity (eu.bcvsolutions.idm.core.model.entity.IdmIdentity)4 IcConnectorObject (eu.bcvsolutions.idm.ic.api.IcConnectorObject)4 LocalDateTime (org.joda.time.LocalDateTime)4 AccIdentityAccountDto (eu.bcvsolutions.idm.acc.dto.AccIdentityAccountDto)3