
Example 1 with AuthorizationDecisionType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType in project midpoint by Evolveum.

Class SchemaTransformer, method applySecurityConstraintsPhase.

/**
 * Applies object-level security constraints to an item definition for one authorization phase.
 *
 * The object-level decisions for READ, ADD and MODIFY are resolved first and handed to
 * applySecurityConstraintsItemDef as the defaults that item-level constraints refine
 * (presumably descending into sub-definitions — see that method).
 *
 * @param itemDefinition definition the constraints are applied to
 * @param securityConstraints object-level constraints already resolved for the current principal
 * @param phase authorization phase; must not be null (rejected by Validate.notNull)
 */
private <D extends ItemDefinition> void applySecurityConstraintsPhase(D itemDefinition, ObjectSecurityConstraints securityConstraints, AuthorizationPhaseType phase) {
    Validate.notNull(phase);
    String readUrl = ModelAuthorizationAction.READ.getUrl();
    String addUrl = ModelAuthorizationAction.ADD.getUrl();
    String modifyUrl = ModelAuthorizationAction.MODIFY.getUrl();
    // Object-level decisions become the fallback for every item that has no constraint of its own.
    AuthorizationDecisionType readDefault = securityConstraints.getActionDecision(readUrl, phase);
    AuthorizationDecisionType addDefault = securityConstraints.getActionDecision(addUrl, phase);
    AuthorizationDecisionType modifyDefault = securityConstraints.getActionDecision(modifyUrl, phase);
    LOGGER.trace("applySecurityConstraints(itemDefs): def={}, phase={}, defaults R={}, A={}, M={}", itemDefinition, phase, readDefault, addDefault, modifyDefault);
    applySecurityConstraintsItemDef(itemDefinition, ItemPath.EMPTY_PATH, securityConstraints, readDefault, addDefault, modifyDefault, phase);
}

Example 2 with AuthorizationDecisionType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType in project midpoint by Evolveum.

Class AbstractModelIntegrationTest, method assertAllowRequestItems.

/**
 * Asserts the per-item request decisions computed for a user assigning a role.
 *
 * Verifies that the default decision matches, that exactly
 * {@code expectedAllowedItemQNames.length} item decisions were produced, that each of them is
 * ALLOW, and that every decided path ends in one of the expected QNames (compared with
 * QNameUtil.match).
 *
 * @param userOid OID of the requesting user
 * @param targetRoleOid OID of the role being assigned
 * @param expectedDefaultDecision expected value of {@code decisions.getDefaultDecision()}
 * @param expectedAllowedItemQNames last-segment names of the items expected to be allowed
 */
protected void assertAllowRequestItems(String userOid, String targetRoleOid, AuthorizationDecisionType expectedDefaultDecision, QName... expectedAllowedItemQNames) throws SchemaException, SecurityViolationException, CommunicationException, ObjectNotFoundException, ConfigurationException, ExpressionEvaluationException {
    PrismObject<UserType> requester = getUser(userOid);
    PrismObject<RoleType> role = getRole(targetRoleOid);
    ItemSecurityDecisions decisions = modelInteractionService.getAllowedRequestAssignmentItems(requester, role);
    display("Request decisions for " + role, decisions);
    assertEquals("Wrong assign default decision", expectedDefaultDecision, decisions.getDefaultDecision());
    // Size check first: an extra or missing item is reported before the per-path checks run.
    assertEquals("Unexpected number of allowed items", expectedAllowedItemQNames.length, decisions.getItemDecisionMap().size());
    decisions.getItemDecisionMap().forEach((path, decision) -> {
        assertEquals("wrong item " + path + " decision", AuthorizationDecisionType.ALLOW, decision);
        QName lastName = path.lastNamed().getName();
        // Only the last path segment is compared, so any container prefix is accepted.
        if (Arrays.stream(expectedAllowedItemQNames).noneMatch(expected -> QNameUtil.match(expected, lastName))) {
            AssertJUnit.fail("Unexpected path " + path);
        }
    });
}

Example 3 with AuthorizationDecisionType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType in project midpoint by Evolveum.

Class SecurityEnforcerImpl, method isAuthorizedPhase.

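/**
 * Evaluates whether {@code operationUrl} is authorized for the principal in the given phase.
 *
 * Every {@link Authorization} held by the principal is filtered by action, phase, relation,
 * order constraints, object and target. The applicable ones are combined with deny-overrides
 * semantics:
 * <ul>
 *   <li>a DENY whose item specification matches the object/delta ends evaluation at once with DENY;</li>
 *   <li>an ALLOW (a null decision counts as ALLOW) records ALLOW but evaluation continues, because a
 *       later DENY still wins;</li>
 *   <li>the item paths of all ALLOW authorizations are accumulated in {@code allowedItems}; after the
 *       loop, unless all items are allowed, every item of the object or delta must be covered, otherwise
 *       the result degrades to DEFAULT (not DENY);</li>
 *   <li>with no applicable authorization the result stays DEFAULT — the caller decides how to treat it.</li>
 * </ul>
 * The "no access" URL is denied unconditionally, before any authority is consulted.
 *
 * @param midPointPrincipal principal whose authorities are evaluated
 * @param operationUrl action URL being authorized
 * @param phase authorization phase; must not be null
 * @param params object, delta, target, relation and order constraints of the operation
 * @param ownerResolver passed through to the object and target applicability checks
 * @param applicableAutzConsumer optional callback invoked with each authorization found applicable,
 *        before its decision is applied; may be null
 * @param task task handed to the object and target applicability checks
 * @param result operation result handed to the same checks
 * @return ALLOW, DENY or DEFAULT; never null
 * @throws IllegalArgumentException if {@code phase} is null
 */
private <O extends ObjectType, T extends ObjectType> AccessDecision isAuthorizedPhase(MidPointPrincipal midPointPrincipal, String operationUrl, AuthorizationPhaseType phase, AuthorizationParameters<O, T> params, OwnerResolver ownerResolver, Consumer<Authorization> applicableAutzConsumer, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
    // Hard deny: this URL can never be granted, regardless of the principal's authorizations.
    if (AuthorizationConstants.AUTZ_NO_ACCESS_URL.equals(operationUrl)) {
        return AccessDecision.DENY;
    }
    if (phase == null) {
        throw new IllegalArgumentException("No phase");
    }
    // DEFAULT means "nothing decided"; only an applicable authorization moves it to ALLOW or DENY.
    AccessDecision decision = AccessDecision.DEFAULT;
    if (LOGGER.isTraceEnabled()) {
        LOGGER.trace("AUTZ: evaluating authorization principal={}, op={}, phase={}, {}", getUsername(midPointPrincipal), operationUrl, phase, params.shortDump());
    }
    // Union of the item paths granted by every applicable ALLOW authorization; checked after the loop.
    final AutzItemPaths allowedItems = new AutzItemPaths();
    Collection<Authorization> authorities = getAuthorities(midPointPrincipal);
    if (authorities != null) {
        for (GrantedAuthority authority : authorities) {
            if (authority instanceof Authorization) {
                Authorization autz = (Authorization) authority;
                String autzHumanReadableDesc = autz.getHumanReadableDesc();
                LOGGER.trace("  Evaluating {}", autzHumanReadableDesc);
                // action: the authorization must name this operation or the "all" URL
                if (!autz.getAction().contains(operationUrl) && !autz.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) {
                    LOGGER.trace("    {} not applicable for operation {}", autzHumanReadableDesc, operationUrl);
                    continue;
                }
                // phase: a null phase on the authorization matches every phase
                if (autz.getPhase() == null) {
                    LOGGER.trace("    {} is applicable for all phases (continuing evaluation)", autzHumanReadableDesc);
                } else {
                    if (autz.getPhase() != phase) {
                        LOGGER.trace("    {} is not applicable for phases {} (breaking evaluation)", autzHumanReadableDesc, phase);
                        continue;
                    } else {
                        LOGGER.trace("    {} is applicable for phases {} (continuing evaluation)", autzHumanReadableDesc, phase);
                    }
                }
                // relation
                if (!isApplicableRelation(autz, params.getRelation())) {
                    LOGGER.trace("    {} not applicable for relation {}", autzHumanReadableDesc, params.getRelation());
                    continue;
                }
                // orderConstraints
                if (!isApplicableOrderConstraints(autz, params.getOrderConstraints())) {
                    if (LOGGER.isTraceEnabled()) {
                        LOGGER.trace("    {} not applicable for orderConstraints {}", autzHumanReadableDesc, SchemaDebugUtil.shortDumpOrderConstraintsList(params.getOrderConstraints()));
                    }
                    continue;
                }
                // object
                if (isApplicableObject(autz, params.getOdo(), midPointPrincipal, ownerResolver, autzHumanReadableDesc, task, result)) {
                    LOGGER.trace("    {} applicable for object {} (continuing evaluation)", autzHumanReadableDesc, params.getAnyObject());
                } else {
                    LOGGER.trace("    {} not applicable for object {}, none of the object specifications match (breaking evaluation)", autzHumanReadableDesc, params.getAnyObject());
                    continue;
                }
                // target: the value logged is the target that was matched, not the object
                if (isApplicable(autz.getTarget(), params.getTarget(), midPointPrincipal, ownerResolver, "target", autzHumanReadableDesc, task, result)) {
                    LOGGER.trace("    {} applicable for target {} (continuing evaluation)", autzHumanReadableDesc, params.getTarget());
                } else {
                    LOGGER.trace("    {} not applicable for target {}, none of the target specifications match (breaking evaluation)", autzHumanReadableDesc, params.getTarget());
                    continue;
                }
                // The consumer sees every applicable authorization, ALLOW or DENY, before the decision is applied.
                if (applicableAutzConsumer != null) {
                    applicableAutzConsumer.accept(autz);
                }
                // authority is applicable to this situation. now we can process the decision.
                AuthorizationDecisionType autzDecision = autz.getDecision();
                // A missing decision is treated as ALLOW.
                if (autzDecision == null || autzDecision.equals(AuthorizationDecisionType.ALLOW)) {
                    allowedItems.collectItems(autz);
                    LOGGER.trace("    {}: ALLOW operation {} (but continue evaluation)", autzHumanReadableDesc, operationUrl);
                    decision = AccessDecision.ALLOW;
                // Do NOT break here. Other authorization statements may still deny the operation
                } else {
                    // item: a DENY only applies when its item specification matches the object/delta
                    if (isApplicableItem(autz, params.getOldObject(), params.getDelta())) {
                        LOGGER.trace("    {}: Deny authorization applicable for items (continuing evaluation)", autzHumanReadableDesc);
                    } else {
                        LOGGER.trace("    {} not applicable for items (breaking evaluation)", autzHumanReadableDesc);
                        continue;
                    }
                    LOGGER.trace("    {}: DENY operation {}", autzHumanReadableDesc, operationUrl);
                    decision = AccessDecision.DENY;
                    // Break right here. Deny cannot be overridden by allow. This decision cannot be changed.
                    break;
                }
            } else {
                LOGGER.warn("Unknown authority type {} in user {}", authority.getClass(), getUsername(midPointPrincipal));
            }
        }
    }
    if (decision == AccessDecision.ALLOW) {
        // Still check allowedItems. We may still deny the operation.
        if (allowedItems.isAllItems()) {
            // This means all items are allowed. No need to check anything
            LOGGER.trace("  Empty list of allowed items, operation allowed");
        } else {
            // all items in the object and delta must be allowed
            LOGGER.trace("  Checking for allowed items: {}", allowedItems);
            ItemDecisionFunction itemDecisionFunction = (itemPath, removingContainer) -> decideAllowedItems(itemPath, allowedItems, phase, removingContainer);
            AccessDecision itemsDecision = null;
            if (params.hasDelta()) {
                // Behave as if this is execution phase for delete delta authorizations. We do not want to avoid deleting objects just because there
                // are automatic/operational items that were generated by midPoint. Otherwise we won't be really able to delete any object.
                ItemDecisionFunction itemDecisionFunctionDelete = (itemPath, removingContainer) -> decideAllowedItems(itemPath, allowedItems, AuthorizationPhaseType.EXECUTION, removingContainer);
                itemsDecision = determineDeltaDecision(params.getDelta(), params.getOldObject(), itemDecisionFunction, itemDecisionFunctionDelete);
            } else if (params.hasObject()) {
                itemsDecision = determineObjectDecision(params.getAnyObject(), itemDecisionFunction);
            }
            // Uncovered items do not produce DENY: the decision falls back to DEFAULT (nothing decided).
            if (itemsDecision != AccessDecision.ALLOW) {
                LOGGER.trace("    NOT ALLOWED operation because the item decision is {}", itemsDecision);
                decision = AccessDecision.DEFAULT;
            }
        }
    }
    if (LOGGER.isTraceEnabled()) {
        LOGGER.trace("AUTZ result: principal={}, operation={}: {}", getUsername(midPointPrincipal), prettyActionUrl(operationUrl), decision);
    }
    return decision;
}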

Example 4 with AuthorizationDecisionType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType in project midpoint by Evolveum.

Class ObjectSecurityConstraintsImpl, method findItemDecision.

/**
 * Resolves the decision for an action on a single item from the item-level constraints.
 *
 * Every constraint entry whose path is a sub-path of, or equivalent to, {@code itemPath} is
 * consulted for both the concrete action URL and the "all actions" URL. Deny overrides: the
 * first DENY found is returned immediately; otherwise ALLOW is returned if at least one entry
 * allowed, and null if no entry decided anything.
 *
 * @param itemPath path of the item being accessed
 * @param actionUrl action URL being decided
 * @param phase authorization phase
 * @return DENY, ALLOW, or null when no matching constraint decides
 */
public AuthorizationDecisionType findItemDecision(ItemPath itemPath, String actionUrl, AuthorizationPhaseType phase) {
    boolean anyAllow = false;
    for (Map.Entry<ItemPath, ItemSecurityConstraintsImpl> entry : itemConstraintMap.entrySet()) {
        ItemSecurityConstraintsImpl constraints = entry.getValue();
        if (!entry.getKey().isSubPathOrEquivalent(itemPath) || constraints == null) {
            continue;
        }
        AuthorizationDecisionType forAction = getSimpleActionDecision(constraints.getActionDecisionMap(), actionUrl, phase);
        AuthorizationDecisionType forAll = getSimpleActionDecision(constraints.getActionDecisionMap(), AuthorizationConstants.AUTZ_ALL_URL, phase);
        // A single DENY anywhere on the path settles the answer.
        if (forAction == AuthorizationDecisionType.DENY || forAll == AuthorizationDecisionType.DENY) {
            return AuthorizationDecisionType.DENY;
        }
        anyAllow |= forAction == AuthorizationDecisionType.ALLOW || forAll == AuthorizationDecisionType.ALLOW;
    }
    return anyAllow ? AuthorizationDecisionType.ALLOW : null;
}

Example 5 with AuthorizationDecisionType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType in project midpoint by Evolveum.

Class ObjectSecurityConstraintsImpl, method getActionDecision.

/**
 * Resolves the object-level decision for an action in the given phase.
 *
 * The decision recorded for the concrete action URL and the one recorded for the "all actions"
 * URL are combined with deny-overrides semantics: any DENY wins; otherwise the action-specific
 * decision takes precedence over the wildcard one; null when neither is present.
 *
 * @param actionUrl action URL being decided
 * @param phase authorization phase
 * @return DENY, ALLOW, or null when nothing is recorded for the action or the wildcard
 */
@Override
public AuthorizationDecisionType getActionDecision(String actionUrl, AuthorizationPhaseType phase) {
    AuthorizationDecisionType specific = getSimpleActionDecision(actionDecisionMap, actionUrl, phase);
    AuthorizationDecisionType wildcard = getSimpleActionDecision(actionDecisionMap, AuthorizationConstants.AUTZ_ALL_URL, phase);
    boolean anyDeny = specific == AuthorizationDecisionType.DENY || wildcard == AuthorizationDecisionType.DENY;
    if (anyDeny) {
        return AuthorizationDecisionType.DENY;
    }
    // Action-specific entry wins over the wildcard; both absent yields null.
    return specific != null ? specific : wildcard;
}
