
Example 6 with ObjectSecurityConstraints

use of com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints in project midpoint by Evolveum.

The class SchemaTransformer, method applySchemasAndSecurity.

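/**
 * Validates the object, applies security constraints to its definition, removes any item the
 * caller is not allowed to see, applies object template definitions and, if requested, trims
 * the definition tree. This is called for every object returned from the Model Service, so it
 * is the read-side enforcement point: whatever passes through here unfiltered reaches the caller.
 * <p>
 * Processing order: the get options themselves are authorized first (so that options which
 * weaken filtering, such as raw or execution-phase-only reads, cannot be used by an arbitrary
 * caller), then the object is validated, security constraints are compiled, the definition is
 * replaced by a transformable copy and the authorization phase(s) are applied to it.
 *
 * @param object       object to process in place
 * @param rootOptions  root-level get options; {@code raw} suppresses object template processing
 *                     and {@code executionPhase} suppresses the REQUEST authorization phase
 * @param options      per-path get options; only {@code definitionProcessing} is consumed here
 * @param phase        authorization phase to apply, or {@code null} to apply REQUEST (unless
 *                     {@code executionPhase} is set) followed by EXECUTION
 * @param task         task on whose behalf the operation runs
 * @param parentResult parent operation result; a minor subresult is created under it and is
 *                     always closed, either successfully or with the failure recorded
 * @throws SecurityViolationException    when the options are not authorized for this object
 *                                       or a phase rejects the object
 * @throws UnsupportedOperationException for {@code NONE} definition processing, or for
 *                                       {@code ONLY_IF_EXISTS} on anything but the root path
 */
<O extends ObjectType> void applySchemasAndSecurity(PrismObject<O> object, GetOperationOptions rootOptions, Collection<SelectorOptions<GetOperationOptions>> options, AuthorizationPhaseType phase, Task task, OperationResult parentResult) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
    LOGGER.trace("applySchemasAndSecurity({}) starting", object);
    OperationResult result = parentResult.createMinorSubresult(OP_APPLY_SCHEMAS_AND_SECURITY);
    try {
        // Options are authorized before the object is touched: raw and execution-phase reads
        // bypass part of the filtering below, so granting them is itself a security decision.
        authorizeOptions(rootOptions, object, null, phase, task, result);
        validateObject(object, rootOptions, result);
        ObjectSecurityConstraints securityConstraints = compileSecurityConstraints(object, task, result);
        // The definition must be transformable before item visibility can be applied to it.
        transform(object, new DefinitionsToTransformable());
        PrismObjectDefinition<O> objectDefinition = object.getDefinition();
        applyAuthorizationPhases(object, securityConstraints, objectDefinition, rootOptions, phase, task, result);
        // Object template definitions are applied only for non-raw reads. Template lookup is
        // always done for the REQUEST phase, regardless of the phase being enforced.
        if (!GetOperationOptions.isRaw(rootOptions)) {
            ObjectTemplateType objectTemplateType = determineObjectTemplate(object, AuthorizationPhaseType.REQUEST, result);
            applyObjectTemplateToObject(object, objectTemplateType, result);
        }
        applyDefinitionProcessing(object, options);
        result.computeStatus();
        result.recordSuccessIfUnknown();
    } catch (Throwable t) {
        // Originally only template-lookup failures were recorded; every other exception left the
        // subresult open with UNKNOWN status. Record all of them so the result tree is complete.
        result.recordFatalError(t);
        throw t;
    }
    LOGGER.trace("applySchemasAndSecurity finishing");
}

/**
 * Applies the security constraints for the requested authorization phase(s) to the object.
 *
 * @param phase {@code null} means both phases; REQUEST is skipped when the caller set the
 *              execution-phase option, which by definition asks for request-phase authorization
 *              to be skipped - the option is only meaningful for callers that already passed
 *              {@code authorizeOptions}
 */
private <O extends ObjectType> void applyAuthorizationPhases(PrismObject<O> object, ObjectSecurityConstraints securityConstraints, PrismObjectDefinition<O> objectDefinition, GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
    boolean skipRequestPhase = GetOperationOptions.isExecutionPhase(rootOptions);
    if (phase == null) {
        if (!skipRequestPhase) {
            applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions, AuthorizationPhaseType.REQUEST, task, result);
        }
        applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions, AuthorizationPhaseType.EXECUTION, task, result);
    } else if (phase != AuthorizationPhaseType.REQUEST || !skipRequestPhase) {
        // The only combination that applies nothing is REQUEST + execution-phase option:
        // the caller explicitly asked for request authorization not to be evaluated.
        applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions, phase, task, result);
    }
}

/**
 * Honours the {@code definitionProcessing} get option: {@code NONE} is rejected, {@code ONLY_IF_EXISTS}
 * is accepted on the root path only, and then the definition tree is trimmed except for the paths
 * marked {@code FULL}.
 *
 * @throws UnsupportedOperationException for unsupported option combinations (see above)
 */
private void applyDefinitionProcessing(PrismObject<?> object, Collection<SelectorOptions<GetOperationOptions>> options) {
    if (CollectionUtils.isEmpty(options)) {
        return;
    }
    Map<DefinitionProcessingOption, Collection<UniformItemPath>> definitionProcessing = SelectorOptions.extractOptionValues(options, GetOperationOptions::getDefinitionProcessing, prismContext);
    if (CollectionUtils.isNotEmpty(definitionProcessing.get(DefinitionProcessingOption.NONE))) {
        throw new UnsupportedOperationException("'NONE' definition processing is not supported now");
    }
    Collection<UniformItemPath> onlyIfExists = definitionProcessing.get(DefinitionProcessingOption.ONLY_IF_EXISTS);
    if (CollectionUtils.isEmpty(onlyIfExists)) {
        return;
    }
    if (onlyIfExists.size() != 1 || !ItemPath.isEmpty(onlyIfExists.iterator().next())) {
        throw new UnsupportedOperationException("'ONLY_IF_EXISTS' definition processing is currently supported on root level only; not on " + onlyIfExists);
    }
    object.trimDefinitionTree(definitionProcessing.get(DefinitionProcessingOption.FULL));
}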

Example 7 with ObjectSecurityConstraints

use of com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints in project midpoint by Evolveum.

The class SchemaTransformer, method applySchemasAndSecurityFocus.

/**
 * Applies schemas and security to the focus of a lens context and then hides the evaluated
 * assignments unless the principal is explicitly allowed to read the focus's {@code assignment}
 * item. The check is fail-closed: only an {@code ALLOW} decision keeps the evaluated assignment
 * triple; a missing decision is treated exactly like {@code DENY}.
 *
 * @param context the lens context; a context without a focus is left untouched
 * @param phase   authorization phase the item decision is looked up for
 * @param task    task on whose behalf the operation runs
 * @param result  operation result; receives a warning when the assignments are stripped
 */
private <O extends ObjectType> void applySchemasAndSecurityFocus(LensContext<O> context, AuthorizationPhaseType phase, Task task, OperationResult result) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
    LensFocusContext<O> focus = context.getFocusContext();
    if (focus == null) {
        return;
    }
    ObjectSecurityConstraints constraints = applySchemasAndSecurityElementContext(context, focus, phase, task, result);
    AuthorizationDecisionType decision = constraints.findItemDecision(SchemaConstants.PATH_ASSIGNMENT, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, phase);
    if (AuthorizationDecisionType.ALLOW.equals(decision)) {
        return;
    }
    // No explicit ALLOW (DENY or no decision at all): the evaluated assignments must not leak.
    PrismObject<O> focusObject = focus.getObjectAny();
    LOGGER.trace("Logged in user isn't authorized to read (or get) assignment item of the object: {}", focusObject);
    result.recordWarning("Logged in user isn't authorized to read (or get) assignment item of the object: " + focusObject);
    context.setEvaluatedAssignmentTriple(null);
}
