use of com.evolveum.midpoint.schema.AccessDecision in project midpoint by Evolveum.
the class SecurityEnforcerImpl method determineContainerDeltaDecision.
/**
 * Decides whether a container delta is permitted by evaluating each value it adds, deletes
 * or replaces and folding the per-value results together with {@link AccessDecision#combine}.
 *
 * @param cdelta the container delta under authorization
 * @param currentObject the object as it currently exists; consulted for id-only deletes and
 *        for the values that a replace implicitly removes
 * @param itemDecitionFunction the per-item rule applied to every sub-item of a container value
 * @return the combined decision, or {@code null} when no value yielded a decision
 */
private <C extends Containerable, O extends ObjectType> AccessDecision determineContainerDeltaDecision(ContainerDelta<C> cdelta, PrismObject<O> currentObject, ItemDecisionFunction itemDecitionFunction) {
    ItemPath path = cdelta.getPath();
    AccessDecision combined = null;

    // Added values carry all of their sub-items, so they are evaluated directly.
    Collection<PrismContainerValue<C>> added = cdelta.getValuesToAdd();
    if (added != null) {
        for (PrismContainerValue<C> addedValue : added) {
            combined = AccessDecision.combine(combined,
                    determineContainerDecision(addedValue, itemDecitionFunction, false, "delta add"));
        }
    }

    // Deleted values may be id-only (no sub-items at all). For those the value with the same
    // id is taken from currentObject so the authorization sees the data actually being removed.
    // An id-only delete with no matching current value contributes no decision.
    Collection<PrismContainerValue<C>> deleted = cdelta.getValuesToDelete();
    if (deleted != null) {
        for (PrismContainerValue<C> deletedValue : deleted) {
            AccessDecision valueDecision;
            if (!deletedValue.isIdOnly()) {
                valueDecision = determineContainerDecision(deletedValue, itemDecitionFunction, true, "delta delete");
            } else {
                PrismContainerValue<C> current = determineContainerValueFromCurrentObject(path, deletedValue.getId(), currentObject);
                valueDecision = current == null
                        ? null
                        : determineContainerDecision(current, itemDecitionFunction, true, "delta delete (current value)");
            }
            if (valueDecision != null) {
                combined = AccessDecision.combine(combined, valueDecision);
            }
        }
    }

    // Replacement values are checked like additions. Every value currently present at the
    // path is additionally checked like a deletion, because a replace removes all of them.
    Collection<PrismContainerValue<C>> replacement = cdelta.getValuesToReplace();
    if (replacement != null) {
        for (PrismContainerValue<C> newValue : replacement) {
            combined = AccessDecision.combine(combined,
                    determineContainerDecision(newValue, itemDecitionFunction, false, "delta replace"));
        }
        Collection<PrismContainerValue<C>> currentValues = determineContainerValuesFromCurrentObject(path, currentObject);
        if (currentValues != null) {
            for (PrismContainerValue<C> removedValue : currentValues) {
                combined = AccessDecision.combine(combined,
                        determineContainerDecision(removedValue, itemDecitionFunction, true, "delta replace (removed current value)"));
            }
        }
    }
    return combined;
}
use of com.evolveum.midpoint.schema.AccessDecision in project midpoint by Evolveum.
the class SecurityEnforcerImpl method subitemDecide.
/**
 * Decides access for one sub-item of a container value against the object's security
 * constraints.
 *
 * The item is exempt (result {@code null}, i.e. no decision) in three cases: it is one of
 * {@code OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE} while the whole container value is
 * being removed; it is one of {@code EXECUTION_ITEMS_ALLOWED_BY_DEFAULT} during the
 * {@code EXECUTION} phase; or it lies outside {@code subitemRootPath}. Otherwise the item
 * decision recorded in {@code securityConstraints} is translated to an {@link AccessDecision}.
 *
 * @param nameOnlyItemPath path of the sub-item, without container ids
 * @param removingContainer whether the enclosing container value is being deleted
 * @param securityConstraints compiled constraints for the object being authorized
 * @param operationUrl the operation being authorized
 * @param phase authorization phase, may be {@code null}
 * @param subitemRootPath root under which items are considered, or {@code null} for all items
 * @return the translated decision, or {@code null} when the item is exempt
 */
private AccessDecision subitemDecide(ItemPath nameOnlyItemPath, boolean removingContainer, ObjectSecurityConstraints securityConstraints, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath) {
    boolean deleteExempt = removingContainer
            && isInList(nameOnlyItemPath, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE);
    if (deleteExempt) {
        return null;
    }
    boolean executionExempt = AuthorizationPhaseType.EXECUTION.equals(phase)
            && isInList(nameOnlyItemPath, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT);
    if (executionExempt) {
        return null;
    }
    boolean outsideRoot = subitemRootPath != null && !subitemRootPath.isSubPathOrEquivalent(nameOnlyItemPath);
    if (outsideRoot) {
        return null;
    }
    AuthorizationDecisionType itemDecision = securityConstraints.findItemDecision(nameOnlyItemPath, operationUrl, phase);
    return AccessDecision.translate(itemDecision);
}
use of com.evolveum.midpoint.schema.AccessDecision in project midpoint by Evolveum.
the class SecurityEnforcerImpl method determineSubitemDecision.
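/**
 * Decides access for all sub-items of a container value in a single operation phase.
 *
 * The per-item rule is the one implemented by {@code subitemDecide}; this method only derives
 * the "removing container" flag from {@code plusMinusZero} and delegates, so that the exemption
 * logic for operational and execution-phase items lives in exactly one place and cannot drift
 * between the two code paths.
 *
 * @param securityConstraints compiled constraints for the object being authorized
 * @param containerValue the container value whose sub-items are checked
 * @param operationUrl the operation being authorized
 * @param phase authorization phase, may be {@code null}
 * @param subitemRootPath root under which items are considered, or {@code null} for all items
 * @param plusMinusZero whether the value is being added, removed or left in place
 * @param decisionContextDesc free-text description used for diagnostics
 * @return the combined decision for the container value
 */
@Override
public <C extends Containerable> AccessDecision determineSubitemDecision(ObjectSecurityConstraints securityConstraints, PrismContainerValue<C> containerValue, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath, PlusMinusZero plusMinusZero, String decisionContextDesc) {
    // MINUS means the whole container value is going away, which is what relaxes the check
    // for operational items inside subitemDecide.
    boolean removingContainer = plusMinusZero == PlusMinusZero.MINUS;
    return determineContainerDecision(containerValue,
            (nameOnlyItemPath, lRemovingContainer) -> subitemDecide(nameOnlyItemPath, lRemovingContainer,
                    securityConstraints, operationUrl, phase, subitemRootPath),
            removingContainer, decisionContextDesc);
}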
use of com.evolveum.midpoint.schema.AccessDecision in project midpoint by Evolveum.
the class SecurityEnforcerImpl method createDonorPrincipal.
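/**
 * Creates the principal that an attorney acts under when assuming the identity of {@code donor}.
 *
 * The attorney must be authorized for {@code attorneyAuthorizationAction} on the donor; the
 * limitations collected during that check are passed on so the donor principal carries only
 * the authorizations the attorney is allowed to exercise. The attorney principal is recorded on
 * the result so the power of attorney can later be dropped again.
 *
 * @param attorneyPrincipal the principal requesting to act on behalf of the donor
 * @param attorneyAuthorizationAction authorization action checked against the attorney
 * @param donor the focus object whose identity is assumed
 * @param task the task in whose context the check runs
 * @param result operation result for the authorization check and principal lookup
 * @return the donor principal, with attorney and previous principal set
 * @throws UnsupportedOperationException if the attorney is itself acting under a power of attorney
 * @throws SecurityViolationException if the attorney is not authorized for the action on the donor
 */
@Override
public <F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal attorneyPrincipal, String attorneyAuthorizationAction, PrismObject<F> donor, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
    if (attorneyPrincipal.getAttorney() != null) {
        throw new UnsupportedOperationException("Transitive attorney is not supported yet");
    }
    AuthorizationLimitationsCollector limitationsCollector = new AuthorizationLimitationsCollector();
    AuthorizationParameters<F, ObjectType> autzParams = AuthorizationParameters.Builder.buildObject(donor);
    AccessDecision decision = isAuthorizedInternal(attorneyPrincipal, attorneyAuthorizationAction, null, autzParams, null, limitationsCollector, task, result);
    // Fail closed: anything other than an explicit ALLOW (including a null decision) is a
    // refusal. The reference comparison avoids a NullPointerException on a null decision.
    if (decision != AccessDecision.ALLOW) {
        failAuthorization(attorneyAuthorizationAction, null, autzParams, result);
    }
    MidPointPrincipal donorPrincipal = securityContextManager.getUserProfileService().getPrincipal(donor, limitationsCollector, result);
    donorPrincipal.setAttorney(attorneyPrincipal.getFocus());
    // chain principals so we can easily drop the power of attorney and return back to original identity
    donorPrincipal.setPreviousPrincipal(attorneyPrincipal);
    return donorPrincipal;
}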
use of com.evolveum.midpoint.schema.AccessDecision in project midpoint by Evolveum.
the class SandboxTypeCheckingExtension method decideClass.
/**
 * Decides whether sandboxed script code may use {@code className.methodName}.
 *
 * Groovy built-ins are decided first via {@code GroovyScriptEvaluator}; only a {@code DEFAULT}
 * answer falls through to the script expression profile taken from the current context. When
 * the context carries no script expression profile the access is {@code ALLOW}ed, i.e. no
 * class restrictions are applied in that configuration.
 *
 * @param className fully qualified name of the class being accessed
 * @param methodName name of the method being accessed
 * @return the access decision for the class/method pair
 */
private AccessDecision decideClass(String className, String methodName) {
    AccessDecision builtinDecision = GroovyScriptEvaluator.decideGroovyBuiltin(className, methodName);
    LOGGER.trace("decideClass: builtin [{},{}] : {}", className, methodName, builtinDecision);
    if (builtinDecision == AccessDecision.DEFAULT) {
        ScriptExpressionProfile profile = getContext().getScriptExpressionProfile();
        if (profile == null) {
            // No profile configured for this expression: class access is not restricted here.
            LOGGER.trace("decideClass: profile==null [{},{}] : ALLOW", className, methodName);
            return AccessDecision.ALLOW;
        }
        AccessDecision profileDecision = profile.decideClassAccess(className, methodName);
        LOGGER.trace("decideClass: profile({}) [{},{}] : {}", getContext().getExpressionProfile().getIdentifier(), className, methodName, profileDecision);
        return profileDecision;
    }
    return builtinDecision;
}