use of com.evolveum.midpoint.security.api.Authorization in project midpoint by Evolveum.
the class AssignmentEvaluator method evaluateSegmentTarget.
/**
 * Evaluates one assignment-path segment whose target has already been resolved to
 * {@code targetType}: records the target on the evaluated assignment, collects
 * membership, recurses into the target's inducements and assignments and, for an
 * abstract role at matching order, harvests its authorizations, admin GUI
 * configuration and legacy policy constraints.
 *
 * Security-relevant gate: a role's authorizations (and GUI configuration / policy
 * constraints) are only added when {@code isNonNegative(relativeMode)} holds and the
 * segment is at matching order. The role condition evaluated below can narrow
 * {@code relativeMode} or abort the evaluation entirely, so a role whose condition is
 * false never contributes authorizations or membership. The same non-negative gate
 * applies to membership collection.
 *
 * @param segment      the segment being evaluated; must be the last one in {@code ctx.assignmentPath}
 * @param relativeMode plus/minus/zero mode of this segment; may be combined with the
 *                     mode derived from the role condition
 * @param isValid      validity flag passed down by the caller and recorded on the evaluated
 *                     target (presumably validity of the assignment path so far — confirm in the
 *                     callers); the target's own activation validity is checked separately below
 * @param targetType   the resolved target object (user, role, org, ...)
 * @param relation     relation of the assignment to the target
 * @param ctx          evaluation context carrying the assignment path and the evaluated assignment
 */
private void evaluateSegmentTarget(AssignmentPathSegmentImpl segment, PlusMinusZero relativeMode, boolean isValid, FocusType targetType, QName relation, EvaluationContext ctx) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, PolicyViolationException {
    assertSourceNotNull(segment.source, ctx.evalAssignment);
    // The segment must be the tail of the path: the recursion below clones ctx.assignmentPath.
    assert ctx.assignmentPath.last() == segment;
    segment.setTarget(targetType);
    // probably not needed
    segment.setRelation(relation);
    if (LOGGER.isTraceEnabled()) {
        LOGGER.trace("Evaluating segment TARGET:\n{}", segment.debugDump(1));
    }
    checkRelationWithTarget(segment, targetType, relation);
    // Targets that are not valid at 'now' (per activation computer) contribute nothing at all:
    // no membership, no recursion, no authorizations.
    if (!LensUtil.isFocusValid(targetType, now, activationComputer)) {
        LOGGER.trace("Skipping evaluation of {} because it is not valid", targetType);
        return;
    }
    if (targetType instanceof AbstractRoleType) {
        MappingType roleCondition = ((AbstractRoleType) targetType).getCondition();
        if (roleCondition != null) {
            AssignmentPathVariables assignmentPathVariables = LensUtil.computeAssignmentPathVariables(ctx.assignmentPath);
            // The condition is evaluated as a delta-set triple so that an old->new transition of the
            // condition result can be turned into a plus/minus/zero mode of its own.
            PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> conditionTriple = evaluateCondition(roleCondition, null, segment.source, assignmentPathVariables, ctx);
            boolean condOld = ExpressionUtil.computeConditionResult(conditionTriple.getNonPositiveValues());
            boolean condNew = ExpressionUtil.computeConditionResult(conditionTriple.getNonNegativeValues());
            PlusMinusZero modeFromCondition = ExpressionUtil.computeConditionResultMode(condOld, condNew);
            if (modeFromCondition == null) {
                // removed "|| (condMode == PlusMinusZero.ZERO && !condNew)" because it's always false
                // Condition false both before and after: the role is skipped entirely.
                LOGGER.trace("Skipping evaluation of {} because of condition result ({} -> {}: null)", targetType, condOld, condNew);
                return;
            }
            PlusMinusZero origMode = relativeMode;
            // Combine the segment's mode with the condition-derived mode; the result drives
            // every gate below (membership, authorizations, recursion).
            relativeMode = PlusMinusZero.compute(relativeMode, modeFromCondition);
            LOGGER.trace("Evaluated condition in {}: {} -> {}: {} + {} = {}", targetType, condOld, condNew, origMode, modeFromCondition, relativeMode);
        }
    }
    EvaluatedAssignmentTargetImpl evalAssignmentTarget = new EvaluatedAssignmentTargetImpl(targetType.asPrismObject(), // evaluateConstructions: exact meaning of this is to be revised
            segment.isMatchingOrder(), ctx.assignmentPath.clone(), segment.getAssignment(), isValid);
    ctx.evalAssignment.addRole(evalAssignmentTarget, relativeMode);
    // Membership is only recorded for non-negative modes and when the segment asks for it.
    if ((isNonNegative(relativeMode)) && segment.isProcessMembership()) {
        collectMembership(targetType, relation, ctx);
    }
    // Recurse: inducements only exist on abstract roles, assignments on any focus.
    // The (possibly narrowed) relativeMode is inherited by everything reached from here.
    if (targetType instanceof AbstractRoleType) {
        for (AssignmentType roleInducement : ((AbstractRoleType) targetType).getInducement()) {
            evaluateInducement(segment, relativeMode, isValid, ctx, targetType, roleInducement);
        }
    }
    for (AssignmentType roleAssignment : targetType.getAssignment()) {
        evaluateAssignment(segment, relativeMode, isValid, ctx, targetType, relation, roleAssignment);
    }
    //boolean matchesOrder = AssignmentPathSegmentImpl.computeMatchingOrder(segment.getEvaluationOrder(), 1, Collections.emptyList());
    // This is the point where a role's privileges reach the evaluated assignment. All three
    // conditions must hold: matching evaluation order, an abstract role, and a non-negative mode.
    if (segment.isMatchingOrder() && targetType instanceof AbstractRoleType && isNonNegative(relativeMode)) {
        for (AuthorizationType authorizationType : ((AbstractRoleType) targetType).getAuthorization()) {
            // The source description (target.toString()) is attached for diagnostics only.
            Authorization authorization = createAuthorization(authorizationType, targetType.toString());
            // NOTE(review): de-duplication relies on Authorization#equals — confirm it compares the
            // underlying AuthorizationType; otherwise the same authorization is added once per path.
            if (!ctx.evalAssignment.getAuthorizations().contains(authorization)) {
                ctx.evalAssignment.addAuthorization(authorization);
            }
        }
        AdminGuiConfigurationType adminGuiConfiguration = ((AbstractRoleType) targetType).getAdminGuiConfiguration();
        if (adminGuiConfiguration != null && !ctx.evalAssignment.getAdminGuiConfigurations().contains(adminGuiConfiguration)) {
            ctx.evalAssignment.addAdminGuiConfiguration(adminGuiConfiguration);
        }
        PolicyConstraintsType policyConstraints = ((AbstractRoleType) targetType).getPolicyConstraints();
        if (policyConstraints != null) {
            // A copy of the path is stored so that the constraint can later be reported with its origin.
            ctx.evalAssignment.addLegacyPolicyConstraints(policyConstraints, ctx.assignmentPath.clone(), targetType);
        }
    }
    LOGGER.trace("Evaluating segment target DONE for {}", segment);
}
use of com.evolveum.midpoint.security.api.Authorization in project midpoint by Evolveum.
the class AssignmentEvaluator method createAuthorization.
/**
 * Wraps a declared {@code AuthorizationType} into a runtime {@code Authorization} and
 * tags it with a human-readable origin.
 *
 * @param authorizationType the authorization as declared on the role
 * @param sourceDesc        description of where it came from (the caller passes the
 *                          target's {@code toString()}); used for diagnostics
 * @return the wrapped authorization with its source description set
 */
private Authorization createAuthorization(AuthorizationType authorizationType, String sourceDesc) {
    final Authorization wrapped = new Authorization(authorizationType);
    wrapped.setSourceDescription(sourceDesc);
    return wrapped;
}
use of com.evolveum.midpoint.security.api.Authorization in project midpoint by Evolveum.
the class InitialDataImport method init.
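/**
 * Imports the initial objects shipped with midPoint into the repository (presumably
 * only those not present yet — the per-object decision is made by {@code importObject}).
 *
 * Because the repository may still be empty there is no real administrator to run this
 * under, so a fabricated "initAdmin" principal carrying the {@code AUTZ_ALL_URL}
 * authorization is installed into the Spring security context for the duration of the
 * import. That context is all-powerful; it is therefore removed again in a
 * {@code finally} block. (Previously it was cleared only after a normal completion, so
 * anything escaping the per-file {@code catch (Exception)} — for example an
 * {@link Error} — left the superuser authentication on the calling thread.)
 *
 * Per-file parse or import failures are logged and recorded as fatal errors in the
 * operation result; they do not abort the remaining files.
 *
 * @throws SchemaException propagated from the prism/import calls that declare it
 */
public void init() throws SchemaException {
    LOGGER.info("Starting initial object import (if necessary).");
    OperationResult mainResult = new OperationResult(OPERATION_INITIAL_OBJECTS_IMPORT);
    Task task = taskManager.createTaskInstance(OPERATION_INITIAL_OBJECTS_IMPORT);
    task.setChannel(SchemaConstants.CHANNEL_GUI_INIT_URI);
    int count = 0;
    int errors = 0;
    File[] files = getInitialImportObjects();
    LOGGER.debug("Files to be imported: {}.", Arrays.toString(files));

    // We need to provide a fake Spring security context here.
    // We have to fake it because we do not have anything in the repository yet. And to get
    // something to the repository we need a context. Chicken and egg. So we fake the egg.
    SecurityContext securityContext = SecurityContextHolder.getContext();
    securityContext.setAuthentication(createInitAdminAuthentication());
    try {
        for (File file : files) {
            try {
                LOGGER.debug("Considering initial import of file {}.", file.getName());
                PrismObject object = prismContext.parseObject(file);
                if (ReportType.class.equals(object.getCompileTimeClass())) {
                    // Reports get their definition applied before import.
                    ReportTypeUtil.applyDefinition(object, prismContext);
                }
                // null = not counted either way, true = imported, false = failed
                Boolean importObject = importObject(object, file, task, mainResult);
                if (importObject == null) {
                    continue;
                }
                if (importObject) {
                    count++;
                } else {
                    errors++;
                }
            } catch (Exception ex) {
                // Boundary catch: one broken file must not stop the import of the others.
                LoggingUtils.logUnexpectedException(LOGGER, "Couldn't import file {}", ex, file.getName());
                mainResult.recordFatalError("Couldn't import file '" + file.getName() + "'", ex);
            }
        }
    } finally {
        // Always drop the superuser context, whatever happened above. Leaving it on the
        // thread would silently grant AUTZ_ALL to whatever runs on this thread next.
        securityContext.setAuthentication(null);
    }
    mainResult.recomputeStatus("Couldn't import objects.");
    LOGGER.info("Initial object import finished ({} objects imported, {} errors)", count, errors);
    if (LOGGER.isTraceEnabled()) {
        LOGGER.trace("Initialization status:\n" + mainResult.debugDump());
    }
}

/**
 * Builds the throw-away superuser authentication used while importing the initial
 * objects: an in-memory {@code UserType} named "initAdmin" (never persisted) whose
 * principal carries a single authorization with the {@code AUTZ_ALL_URL} action.
 *
 * @return a pre-authenticated token for that principal, without credentials
 * @throws SchemaException propagated from {@code prismContext.adopt}
 */
private Authentication createInitAdminAuthentication() throws SchemaException {
    UserType userAdministrator = new UserType();
    prismContext.adopt(userAdministrator);
    userAdministrator.setName(new PolyStringType(new PolyString("initAdmin", "initAdmin")));
    MidPointPrincipal principal = new MidPointPrincipal(userAdministrator);
    AuthorizationType superAutzType = new AuthorizationType();
    prismContext.adopt(superAutzType, RoleType.class, new ItemPath(RoleType.F_AUTHORIZATION));
    superAutzType.getAction().add(AuthorizationConstants.AUTZ_ALL_URL);
    Authorization superAutz = new Authorization(superAutzType);
    Collection<Authorization> authorities = principal.getAuthorities();
    authorities.add(superAutz);
    return new PreAuthenticatedAuthenticationToken(principal, null);
}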
use of com.evolveum.midpoint.security.api.Authorization in project midpoint by Evolveum.
the class UserProfileServiceMock method initializePrincipalFromAssignments.
/**
 * Test-double version of principal initialization: sets the applicable security policy
 * and (if a system configuration is given) its admin GUI configuration, then grants a
 * single placeholder authorization with the action {@code "FAKE"} instead of deriving
 * real authorizations from assignments. Finally the user's effective activation is
 * computed in place when an activation is present.
 *
 * @param principal           the principal to initialize; mutated in place
 * @param systemConfiguration system configuration, or {@code null}
 */
private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration) {
    final OperationResult opResult = new OperationResult(UserProfileServiceMock.class.getName() + ".addAuthorizations");
    principal.setApplicableSecurityPolicy(locateSecurityPolicy(principal, systemConfiguration, opResult));
    if (systemConfiguration != null) {
        principal.setAdminGuiConfiguration(systemConfiguration.asObjectable().getAdminGuiConfiguration());
    }
    // Mock only: one placeholder action stands in for role-derived authorizations.
    final AuthorizationType fakeAutzType = new AuthorizationType();
    fakeAutzType.getAction().add("FAKE");
    final Authorization fakeAutz = new Authorization(fakeAutzType);
    principal.getAuthorities().add(fakeAutz);
    final ActivationType activation = principal.getUser().getActivation();
    if (activation == null) {
        return;
    }
    activationComputer.computeEffective(principal.getUser().getLifecycleState(), activation);
}
use of com.evolveum.midpoint.security.api.Authorization in project midpoint by Evolveum.
the class PageResetPasswordConfirmation method init.
/**
 * Initializes the password-reset confirmation page from the confirmation link.
 *
 * The link carries two request parameters, {@code USER_ID} and {@code TOKEN}. The
 * token is a single-purpose credential: it is handed to {@code authenticateUser}, which
 * returns a {@code UsernamePasswordAuthenticationToken} on success or {@code null}
 * otherwise (presumably recording the failure in {@code result}). The token value is
 * never logged here — keep it that way.
 *
 * On success the principal's authorizations are deliberately reduced before the
 * authentication is placed into the {@code SecurityContextHolder}: every action whose
 * URI contains {@code NS_AUTHORIZATION_UI} is removed and only
 * {@code AUTZ_UI_SELF_CREDENTIALS_URL} is added back, so the token-authenticated
 * session can reach the self-service credentials UI and no other GUI page. Non-UI
 * authorizations are left untouched. The page then redirects to {@code PageResetPassword}.
 *
 * @param pageParameters explicit parameters, or {@code null} to use the page's own
 */
private void init(final PageParameters pageParameters) {
    PageParameters params = pageParameters;
    if (params == null) {
        params = getPageParameters();
    }
    OperationResult result = new OperationResult(OPERATION_FINISH_REGISTRATION);
    if (params == null) {
        // No parameters at all: render the page with an "invalid link" error instead of proceeding.
        LOGGER.error("Confirmation link is not valid. No credentials provided in it");
        String msg = createStringResource("PageSelfRegistration.invalid.registration.link").getString();
        getSession().error(createStringResource(msg));
        result.recordFatalError(msg);
        initLayout(result);
        return;
    }
    // NOTE(review): a link that has parameters but a missing/empty USER_ID or TOKEN does not take
    // the friendly path above — Validate.notEmpty throws, so such a link presumably ends in a
    // generic error page rather than the "invalid link" message. Confirm whether that is intended.
    StringValue userNameValue = params.get(SchemaConstants.USER_ID);
    Validate.notEmpty(userNameValue.toString());
    StringValue tokenValue = params.get(SchemaConstants.TOKEN);
    Validate.notEmpty(tokenValue.toString());
    // Verifies the token for the user; null means the link was rejected.
    UsernamePasswordAuthenticationToken token = authenticateUser(userNameValue.toString(), tokenValue.toString(), result);
    if (token == null) {
        initLayout(result);
        return;
    } else {
        // SecurityContextHolder.getContext().setAuthentication(token);
        MidPointPrincipal principal = (MidPointPrincipal) token.getPrincipal();
        Collection<Authorization> authz = principal.getAuthorities();
        if (authz != null) {
            // Strip every GUI authorization the user would normally hold (substring match on the
            // UI authorization namespace) so that this token-authenticated session cannot be used
            // to browse the rest of the GUI. The Authorization objects are mutated in place.
            Iterator<Authorization> authzIterator = authz.iterator();
            while (authzIterator.hasNext()) {
                Authorization authzI = authzIterator.next();
                Iterator<String> actionIterator = authzI.getAction().iterator();
                while (actionIterator.hasNext()) {
                    String action = actionIterator.next();
                    if (action.contains(AuthorizationConstants.NS_AUTHORIZATION_UI)) {
                        actionIterator.remove();
                    }
                }
            }
        }
        // Grant exactly the one UI action needed for the password-reset page.
        AuthorizationType authorizationType = new AuthorizationType();
        authorizationType.getAction().add(AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL);
        Authorization selfServiceCredentialsAuthz = new Authorization(authorizationType);
        // NOTE(review): authz is null-checked above but dereferenced unconditionally here; if
        // getAuthorities() can really return null this is an NPE. Confirm its contract.
        authz.add(selfServiceCredentialsAuthz);
        // Only now, with the reduced authorization set, does the session become authenticated.
        SecurityContextHolder.getContext().setAuthentication(token);
        setResponsePage(PageResetPassword.class);
    }
    initLayout(result);
}