
Example 1 with DelegatorWithOtherPrivilegesLimitations

Use of com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations in the midpoint project by Evolveum, taken from the class QueryUtils, method getPotentialAssigneesForUser.

/**
 * Computes the assignee references that may be attached to the given principal:
 * the principal's own user reference, followed by one reference per delegator
 * whose "other privileges" limitations permit {@code limitationItemName}.
 *
 * A delegator is included only when {@code DeputyUtils.limitationsAllow} accepts its
 * limitations for the requested item, so a deputy is never treated as a potential
 * assignee for a delegator outside the delegated scope.
 *
 * @param principal the logged-in principal; its OID and delegator collection are read
 * @param limitationItemName the limitation item that must be allowed for a delegator to count
 * @return a mutable list: the principal's reference first, then allowed delegators in collection order
 * @throws SchemaException declared by the signature (its origin is not visible in this snippet)
 */
private static List<PrismReferenceValue> getPotentialAssigneesForUser(MidPointPrincipal principal, QName limitationItemName) throws SchemaException {
    List<PrismReferenceValue> assignees = new ArrayList<>();
    // The principal itself is always a potential assignee.
    assignees.add(new PrismReferenceValue(principal.getOid(), UserType.COMPLEX_TYPE));
    for (DelegatorWithOtherPrivilegesLimitations entry : principal.getDelegatorWithOtherPrivilegesLimitationsCollection()) {
        boolean allowed = DeputyUtils.limitationsAllow(entry.getLimitations(), limitationItemName);
        if (!allowed) {
            // Delegation does not cover this item; skip the delegator.
            continue;
        }
        assignees.add(ObjectTypeUtil.createObjectRef(entry.getDelegator()).asReferenceValue());
    }
    return assignees;
}

Example 2 with DelegatorWithOtherPrivilegesLimitations

Use of com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations in the midpoint project by Evolveum, taken from the class GuiProfileCompiler, method collect.

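/**
 * Collects profile data for {@code principal} from its evaluated assignments: authorizations and
 * admin GUI configurations from valid assignments, and a {@link DelegatorWithOtherPrivilegesLimitations}
 * record for every user reached over a delegation path. The user's own admin GUI configuration
 * is appended last so that it is applied last.
 *
 * Only assignments reported as valid contribute authorizations and GUI configuration. Delegator
 * records are derived from the non-negative role targets of every assignment, gated per target by
 * {@code target.isValid()} and by the delegation-path check.
 *
 * @param adminGuiConfigurations output list, appended to in application order
 * @param principal the principal being compiled; receives the delegator records
 * @param authorizationTransformer passed through to {@code addAuthorizations}
 * @param task task used for assignment evaluation
 * @param result operation result used for assignment evaluation
 * @throws SchemaException propagated from the assignment collector
 */
private void collect(List<AdminGuiConfigurationType> adminGuiConfigurations, GuiProfiledPrincipal principal, AuthorizationTransformer authorizationTransformer, Task task, OperationResult result) throws SchemaException {
    FocusType focusType = principal.getFocus();
    Collection<? extends EvaluatedAssignment<? extends FocusType>> evaluatedAssignments = assignmentCollector.collect(focusType.asPrismObject(), true, task, result);
    // Authorizations are accumulated directly into the principal's live collection.
    Collection<Authorization> authorizations = principal.getAuthorities();
    for (EvaluatedAssignment<? extends FocusType> assignment : evaluatedAssignments) {
        if (assignment.isValid()) {
            addAuthorizations(authorizations, assignment.getAuthorizations(), authorizationTransformer);
            adminGuiConfigurations.addAll(assignment.getAdminGuiConfigurations());
        }
        // Delegation targets are inspected regardless of the assignment's validity (as before).
        registerDelegatorsFrom(principal, assignment);
    }
    if (focusType instanceof UserType && ((UserType) focusType).getAdminGuiConfiguration() != null) {
        // config from the user object should go last (to be applied as the last one)
        adminGuiConfigurations.add(((UserType) focusType).getAdminGuiConfiguration());
    }
}

/**
 * Adds a delegator record to {@code principal} for each non-negative target of {@code assignment}
 * that is a valid user reached through a delegation path (MID-6403).
 *
 * A target whose object is not resolved ({@code target.getTarget() == null}) is skipped rather than
 * dereferenced; the older UserProfileServiceImpl variant of this loop performed the same null check.
 *
 * @param principal the principal that receives the delegator record
 * @param assignment the evaluated assignment whose role targets are inspected
 */
private void registerDelegatorsFrom(GuiProfiledPrincipal principal, EvaluatedAssignment<? extends FocusType> assignment) {
    for (EvaluatedAssignmentTarget target : assignment.getRoles().getNonNegativeValues()) {
        // MID-6403
        if (!target.isValid() || target.getTarget() == null) {
            continue;
        }
        if (!(target.getTarget().asObjectable() instanceof UserType)) {
            continue;
        }
        if (!DeputyUtils.isDelegationPath(target.getAssignmentPath(), relationRegistry)) {
            continue;
        }
        List<OtherPrivilegesLimitationType> limitations = DeputyUtils.extractLimitations(target.getAssignmentPath());
        UserType delegator = (UserType) target.getTarget().asObjectable();
        principal.addDelegatorWithOtherPrivilegesLimitations(new DelegatorWithOtherPrivilegesLimitations(delegator, limitations));
    }
}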

Example 3 with DelegatorWithOtherPrivilegesLimitations

Use of com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations in the midpoint project by Evolveum, taken from the class QueryUtils, method getPotentialAssigneesForUser.

/**
 * Computes the assignee references that may be attached to the given principal:
 * the principal's own user reference, followed by one reference per delegator whose
 * "other privileges" limitations permit {@code limitationItemName}. All references carry
 * the registry's default relation.
 *
 * A delegator is included only when {@code SchemaDeputyUtil.limitationsAllow} accepts its
 * limitations for the requested item, so a deputy is never treated as a potential assignee
 * for a delegator outside the delegated scope.
 *
 * @param principal the logged-in principal; its OID and delegator collection are read
 * @param limitationItemName the limitation item that must be allowed for a delegator to count
 * @param relationRegistry supplies the default relation used on every reference
 * @return a mutable list: the principal's reference first, then allowed delegators in collection order
 */
private static List<PrismReferenceValue> getPotentialAssigneesForUser(MidPointPrincipal principal, QName limitationItemName, RelationRegistry relationRegistry) {
    // As for relations, WorkItem.assigneeRef should contain only the default ones.
    QName relation = relationRegistry.getDefaultRelation();
    List<PrismReferenceValue> assignees = new ArrayList<>();
    PrismReferenceValue self = ObjectTypeUtil.createObjectRef(principal.getOid(), ObjectTypes.USER).relation(relation).asReferenceValue();
    assignees.add(self);
    for (DelegatorWithOtherPrivilegesLimitations entry : principal.getDelegatorWithOtherPrivilegesLimitationsCollection()) {
        if (!SchemaDeputyUtil.limitationsAllow(entry.getLimitations(), limitationItemName)) {
            // Delegation does not cover this item; skip the delegator.
            continue;
        }
        assignees.add(ObjectTypeUtil.createObjectRef(entry.getDelegator(), relation).asReferenceValue());
    }
    return assignees;
}

Example 4 with DelegatorWithOtherPrivilegesLimitations

Use of com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations in the midpoint project by Evolveum, taken from the class UserProfileServiceImpl, method initializePrincipalFromAssignments.

/**
 * Initializes the security-relevant state of {@code principal} from its user's assignments:
 * the applicable security policy, the authorizations, delegator records with "other privileges"
 * limitations, and the compiled admin GUI configuration.
 *
 * Every assignment is evaluated in login mode inside a single {@code RepositoryCache} scope.
 * An assignment whose evaluation throws one of the four handled exceptions is logged (with the
 * throwable attached) and skipped; the remaining assignments are still evaluated, so an evaluation
 * failure yields a principal with fewer privileges rather than a failed initialization.
 *
 * @param principal the principal to initialize; its user is read via {@code getUser()}
 * @param systemConfiguration system configuration used for the security policy lookup and the GUI config compilation
 * @throws SchemaException declared by the signature; presumably from the calls outside the per-assignment
 *         try block (security policy lookup, GUI config compilation), since the evaluator's SchemaException is caught
 */
private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration) throws SchemaException {
    UserType userType = principal.getUser();
    // Authorizations are accumulated directly into the principal's live collection.
    Collection<Authorization> authorizations = principal.getAuthorities();
    List<AdminGuiConfigurationType> adminGuiConfigurations = new ArrayList<>();
    Task task = taskManager.createTaskInstance(UserProfileServiceImpl.class.getName() + ".initializePrincipalFromAssignments");
    OperationResult result = task.getResult();
    principal.setApplicableSecurityPolicy(securityHelper.locateSecurityPolicy(userType.asPrismObject(), systemConfiguration, task, result));
    if (!userType.getAssignment().isEmpty()) {
        LensContext<UserType> lensContext = new LensContextPlaceholder<>(userType.asPrismObject(), prismContext);
        // The focus ODO is built with a null delta (old and new are the same user object) and the
        // evaluator runs in login mode; channel is left null.
        AssignmentEvaluator.Builder<UserType> builder = new AssignmentEvaluator.Builder<UserType>().repository(repositoryService).focusOdo(new ObjectDeltaObject<>(userType.asPrismObject(), null, userType.asPrismObject())).channel(null).objectResolver(objectResolver).systemObjectCache(systemObjectCache).prismContext(prismContext).mappingFactory(mappingFactory).mappingEvaluator(mappingEvaluator).activationComputer(activationComputer).now(clock.currentTimeXMLGregorianCalendar()).loginMode(true).lensContext(lensContext);
        AssignmentEvaluator<UserType> assignmentEvaluator = builder.build();
        try {
            // One cache scope for the whole loop; exit() is guaranteed by the finally block.
            RepositoryCache.enter();
            for (AssignmentType assignmentType : userType.getAssignment()) {
                try {
                    // Wrap the assignment as an item-delta-item whose "old" side is a clone of the
                    // assignment, then evaluate it in ZERO (unchanged) mode.
                    ItemDeltaItem<PrismContainerValue<AssignmentType>, PrismContainerDefinition<AssignmentType>> assignmentIdi = new ItemDeltaItem<>();
                    assignmentIdi.setItemOld(LensUtil.createAssignmentSingleValueContainerClone(assignmentType));
                    assignmentIdi.recompute();
                    EvaluatedAssignment<UserType> assignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userType, userType.toString(), task, result);
                    // Only a valid assignment grants authorizations and GUI configuration.
                    if (assignment.isValid()) {
                        authorizations.addAll(assignment.getAuthorizations());
                        adminGuiConfigurations.addAll(assignment.getAdminGuiConfigurations());
                    }
                    // Delegator records are taken from every non-negative role target that resolves
                    // to a user over a delegation path, independently of assignment.isValid().
                    for (EvaluatedAssignmentTarget target : assignment.getRoles().getNonNegativeValues()) {
                        if (target.getTarget() != null && target.getTarget().asObjectable() instanceof UserType && DeputyUtils.isDelegationPath(target.getAssignmentPath())) {
                            List<OtherPrivilegesLimitationType> limitations = DeputyUtils.extractLimitations(target.getAssignmentPath());
                            principal.addDelegatorWithOtherPrivilegesLimitations(new DelegatorWithOtherPrivilegesLimitations((UserType) target.getTarget().asObjectable(), limitations));
                        }
                    }
                } catch (SchemaException e) {
                    // Per-assignment failures are logged and the assignment is skipped; see class comment above.
                    LOGGER.error("Schema violation while processing assignment of {}: {}; assignment: {}", userType, e.getMessage(), assignmentType, e);
                } catch (ObjectNotFoundException e) {
                    LOGGER.error("Object not found while processing assignment of {}: {}; assignment: {}", userType, e.getMessage(), assignmentType, e);
                } catch (ExpressionEvaluationException e) {
                    LOGGER.error("Evaluation error while processing assignment of {}: {}; assignment: {}", userType, e.getMessage(), assignmentType, e);
                } catch (PolicyViolationException e) {
                    LOGGER.error("Policy violation while processing assignment of {}: {}; assignment: {}", userType, e.getMessage(), assignmentType, e);
                }
            }
        } finally {
            RepositoryCache.exit();
        }
    }
    if (userType.getAdminGuiConfiguration() != null) {
        // config from the user object should go last (to be applied as the last one)
        adminGuiConfigurations.add(userType.getAdminGuiConfiguration());
    }
    principal.setAdminGuiConfiguration(AdminGuiConfigTypeUtil.compileAdminGuiConfiguration(adminGuiConfigurations, systemConfiguration));
}

Example 5 with DelegatorWithOtherPrivilegesLimitations

Use of com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations in the midpoint project by Evolveum, taken from the test class TestGuiProfiledPrincipalManager, method executeDeputyLimitationsTest.

/**
 * Logs in as a freshly built deputy of USER_JACK and checks the delegator records the
 * resulting principal carries.
 *
 * @param expectedLimitations the limitations expected on the single delegator record, or
 *        {@code null} when no delegator record at all is expected
 * @param assignmentModifier optional hook that adjusts the deputy assignment before login
 * @throws CommonException propagated from login
 */
private void executeDeputyLimitationsTest(List<OtherPrivilegesLimitationType> expectedLimitations, Consumer<AssignmentType> assignmentModifier) throws CommonException {
    // GIVEN
    AssignmentType deputyAssignment = new AssignmentType().targetRef(USER_JACK_OID, UserType.COMPLEX_TYPE, SchemaConstants.ORG_DEPUTY);
    if (assignmentModifier != null) {
        assignmentModifier.accept(deputyAssignment);
    }
    UserType deputy = prismContext.createObjectable(UserType.class).name("deputy").oid("deputy").assignment(deputyAssignment);
    // WHEN
    when();
    AbstractIntegrationTest.display("Logging in as", deputy);
    login(deputy.asPrismObject());
    // THEN
    then();
    MidPointPrincipal principal = securityContextManager.getPrincipal();
    Collection<DelegatorWithOtherPrivilegesLimitations> delegators = principal.getDelegatorWithOtherPrivilegesLimitationsCollection();
    AbstractIntegrationTest.display("delegators with other privileges limitations", delegators);
    // A null expectation means "no delegator record"; otherwise exactly one is expected.
    int expectedCount = expectedLimitations == null ? 0 : 1;
    AssertJUnit.assertEquals("Wrong # of delegator records: " + DebugUtil.debugDump(delegators), expectedCount, delegators.size());
    if (expectedLimitations == null) {
        return;
    }
    DelegatorWithOtherPrivilegesLimitations record = delegators.iterator().next();
    // Order of limitations is irrelevant, hence the set comparison.
    AssertJUnit.assertEquals("Unexpected limitations: " + DebugUtil.debugDump(delegators), new HashSet<>(expectedLimitations), new HashSet<>(record.getLimitations()));
}
