Use of com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints in project midpoint by Evolveum.
Class SchemaTransformer, method applySchemasAndSecurity.
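/**
 * Validates the object, applies security to its definition, removes any items the current
 * principal is not allowed to see, applies object template definitions and (optionally) trims
 * the definition tree according to the {@code definitionProcessing} selector options.
 * <p>
 * This method is called for every object that is returned from the Model Service, so it is the
 * place where item-level read authorizations are enforced on outgoing data.
 * <p>
 * Phase handling: with {@code phase == null} both REQUEST and EXECUTION constraints are applied,
 * unless the execution-phase option is set, in which case only EXECUTION is applied. With an
 * explicit REQUEST phase and the execution-phase option set, no item-level security is applied
 * at all: the caller has explicitly opted out of request-phase authorization, so that option
 * must only ever be set by trusted (internal) code paths.
 *
 * @param object       object to validate and post-process; modified in place
 * @param rootOptions  root-level get options (raw, execution phase, ...)
 * @param options      full selector options; only {@code definitionProcessing} is consulted here
 * @param phase        authorization phase to apply, or {@code null} for "both"
 * @param task         task used for security constraint compilation and template resolution
 * @param parentResult parent operation result; a minor subresult is created under it and it
 *                     records a fatal error for any failure, not only template resolution
 * @throws SecurityViolationException if the requested options are not authorized for the object
 * @throws UnsupportedOperationException for definition-processing options not implemented yet
 */
<O extends ObjectType> void applySchemasAndSecurity(PrismObject<O> object, GetOperationOptions rootOptions,
        Collection<SelectorOptions<GetOperationOptions>> options, AuthorizationPhaseType phase, Task task,
        OperationResult parentResult)
        throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException,
        ExpressionEvaluationException, CommunicationException {
    LOGGER.trace("applySchemasAndSecurity({}) starting", object);
    OperationResult result = parentResult.createMinorSubresult(OP_APPLY_SCHEMAS_AND_SECURITY);
    try {
        // Reject unauthorized options (e.g. raw) before anything else is done with the object.
        authorizeOptions(rootOptions, object, null, phase, task, result);
        validateObject(object, rootOptions, result);
        ObjectSecurityConstraints securityConstraints = compileSecurityConstraints(object, task, result);
        // Definitions are about to be mutated per principal; make them transformable first.
        transform(object, new DefinitionsToTransformable());
        PrismObjectDefinition<O> objectDefinition = object.getDefinition();

        applySecurityPhases(object, securityConstraints, objectDefinition, rootOptions, phase, task, result);

        // Object template is not applied in raw mode: raw data is returned as stored.
        if (!GetOperationOptions.isRaw(rootOptions)) {
            applyObjectTemplate(object, result);
        }

        applyDefinitionProcessing(object, options);

        result.computeStatus();
        result.recordSuccessIfUnknown();
    } catch (Exception e) {
        // Previously only template-resolution failures were recorded; any failure here (including
        // a SecurityViolationException or an unsupported option) must leave the subresult FATAL,
        // otherwise the operation result tree shows an UNKNOWN subresult for a rejected request.
        result.recordFatalError(e);
        throw e;
    }
    LOGGER.trace("applySchemasAndSecurity finishing");
}

/**
 * Applies item-level security constraints for the phase(s) selected by {@code phase} and the
 * execution-phase option (see {@link #applySchemasAndSecurity} for the exact rules).
 */
private <O extends ObjectType> void applySecurityPhases(PrismObject<O> object,
        ObjectSecurityConstraints securityConstraints, PrismObjectDefinition<O> objectDefinition,
        GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult result)
        throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException,
        ExpressionEvaluationException, CommunicationException {
    boolean executionPhaseOnly = GetOperationOptions.isExecutionPhase(rootOptions);
    if (phase == null) {
        if (!executionPhaseOnly) {
            applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions,
                    AuthorizationPhaseType.REQUEST, task, result);
        }
        applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions,
                AuthorizationPhaseType.EXECUTION, task, result);
    } else if (phase == AuthorizationPhaseType.REQUEST && executionPhaseOnly) {
        // The caller asked to skip request-phase authorization: nothing is filtered here.
        // This is the one path where the object leaves this method untouched by security.
        LOGGER.trace("Skipping request-phase security constraints for {} (execution phase requested)", object);
    } else {
        applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions, phase, task, result);
    }
}

/** Resolves the object template (always in REQUEST phase) and applies its definitions to the object. */
private <O extends ObjectType> void applyObjectTemplate(PrismObject<O> object, OperationResult result)
        throws SchemaException, ConfigurationException, ObjectNotFoundException, SecurityViolationException,
        ExpressionEvaluationException, CommunicationException {
    ObjectTemplateType objectTemplateType = determineObjectTemplate(object, AuthorizationPhaseType.REQUEST, result);
    applyObjectTemplateToObject(object, objectTemplateType, result);
}

/**
 * Trims the object's definition tree according to the {@code definitionProcessing} selector
 * options. Only root-level {@code ONLY_IF_EXISTS} (optionally combined with {@code FULL} paths)
 * is supported; {@code NONE} and non-root {@code ONLY_IF_EXISTS} are rejected.
 *
 * @throws UnsupportedOperationException for the unsupported combinations described above
 */
private void applyDefinitionProcessing(PrismObject<?> object, Collection<SelectorOptions<GetOperationOptions>> options) {
    if (CollectionUtils.isEmpty(options)) {
        return;
    }
    Map<DefinitionProcessingOption, Collection<UniformItemPath>> definitionProcessing =
            SelectorOptions.extractOptionValues(options, GetOperationOptions::getDefinitionProcessing, prismContext);
    if (CollectionUtils.isNotEmpty(definitionProcessing.get(DefinitionProcessingOption.NONE))) {
        throw new UnsupportedOperationException("'NONE' definition processing is not supported now");
    }
    Collection<UniformItemPath> onlyIfExists = definitionProcessing.get(DefinitionProcessingOption.ONLY_IF_EXISTS);
    if (CollectionUtils.isEmpty(onlyIfExists)) {
        return;
    }
    boolean rootLevelOnly = onlyIfExists.size() == 1 && ItemPath.isEmpty(onlyIfExists.iterator().next());
    if (!rootLevelOnly) {
        throw new UnsupportedOperationException("'ONLY_IF_EXISTS' definition processing is currently supported on root level only; not on " + onlyIfExists);
    }
    Collection<UniformItemPath> full = definitionProcessing.get(DefinitionProcessingOption.FULL);
    object.trimDefinitionTree(full);
}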
Use of com.evolveum.midpoint.security.enforcer.api.ObjectSecurityConstraints in project midpoint by Evolveum.
Class SchemaTransformer, method applySchemasAndSecurityFocus.
/**
 * Applies schemas and security to the focus of the lens context and, when the logged-in user is
 * not allowed to read the focus' {@code assignment} item, drops the evaluated assignment triple
 * from the context so that assignment data does not leak through it.
 * <p>
 * The decision is default-deny: anything other than an explicit ALLOW (including a missing
 * decision) clears the triple and records a warning on {@code result}.
 *
 * @param context lens context whose focus is processed; untouched when it has no focus context
 * @param phase   authorization phase the item decision is looked up for
 * @param task    task passed through to the element-context processing
 * @param result  operation result that receives the warning when the assignment item is not readable
 */
private <O extends ObjectType> void applySchemasAndSecurityFocus(LensContext<O> context, AuthorizationPhaseType phase,
        Task task, OperationResult result)
        throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException,
        ExpressionEvaluationException, CommunicationException {
    LensFocusContext<O> focus = context.getFocusContext();
    if (focus == null) {
        // Nothing to protect: the context carries no focus object.
        return;
    }
    ObjectSecurityConstraints constraints = applySchemasAndSecurityElementContext(context, focus, phase, task, result);
    AuthorizationDecisionType assignmentDecision = constraints.findItemDecision(
            SchemaConstants.PATH_ASSIGNMENT, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, phase);
    boolean assignmentReadable = AuthorizationDecisionType.ALLOW.equals(assignmentDecision);
    if (assignmentReadable) {
        return;
    }
    PrismObject<O> focusObject = focus.getObjectAny();
    LOGGER.trace("Logged in user isn't authorized to read (or get) assignment item of the object: {}", focusObject);
    result.recordWarning("Logged in user isn't authorized to read (or get) assignment item of the object: " + focusObject);
    // Hide assignment-derived data from a principal that may not read assignments.
    context.setEvaluatedAssignmentTriple(null);
}