
Example 6 with AuthorizationDecisionType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType in project midpoint by Evolveum.

the class SchemaTransformer method applySecurityConstraints.

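/**
 * Applies security constraints to a list of prism items, mutating the list in place.
 * <p>
 * For each item the READ, ADD and MODIFY decisions are obtained from
 * {@code computeItemDecision}; any decision other than {@code ALLOW} clears the
 * corresponding {@code canRead}/{@code canAdd}/{@code canModify} flag on the item's
 * definition (if it has one). Items that may not be read are removed from the list:
 * containers are removed outright on an explicit {@code DENY}, otherwise they are
 * descended into recursively and container values (or the whole container) that
 * became empty solely because of that filtering are dropped as well.
 * <p>
 * Each action is evaluated against its own default, consistent with
 * {@code applySecurityConstraintsItemDef}. Previously the ADD and MODIFY decisions
 * were computed with {@code defaultReadDecision}, so {@code defaultAddDecision} and
 * {@code defaultModifyDecision} were ignored and an item with no explicit ADD/MODIFY
 * decision inherited the read default instead of the (possibly stricter) add/modify one.
 *
 * @param items items to filter; mutated in place, {@code null} is a no-op
 * @param securityConstraints constraints the per-item decisions are derived from
 * @param defaultReadDecision fallback passed to {@code computeItemDecision} for READ
 * @param defaultAddDecision fallback passed to {@code computeItemDecision} for ADD
 * @param defaultModifyDecision fallback passed to {@code computeItemDecision} for MODIFY
 * @param phase authorization phase the decisions are computed for
 */
public void applySecurityConstraints(List<Item<?, ?>> items, ObjectSecurityConstraints securityConstraints, AuthorizationDecisionType defaultReadDecision, AuthorizationDecisionType defaultAddDecision, AuthorizationDecisionType defaultModifyDecision, AuthorizationPhaseType phase) {
    LOGGER.trace("applySecurityConstraints(items): items={}, phase={}, defaults R={}, A={}, M={}", items, phase, defaultReadDecision, defaultAddDecision, defaultModifyDecision);
    if (items == null) {
        return;
    }
    Iterator<Item<?, ?>> iterator = items.iterator();
    while (iterator.hasNext()) {
        Item<?, ?> item = iterator.next();
        ItemPath itemPath = item.getPath();
        AuthorizationDecisionType itemReadDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.READ.getUrl(), defaultReadDecision, phase);
        // ADD and MODIFY fall back to their own defaults, not to the READ default.
        AuthorizationDecisionType itemAddDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.ADD.getUrl(), defaultAddDecision, phase);
        AuthorizationDecisionType itemModifyDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.MODIFY.getUrl(), defaultModifyDecision, phase);
        LOGGER.trace("applySecurityConstraints(item): {}: decisions R={}, A={}, M={}", itemPath, itemReadDecision, itemAddDecision, itemModifyDecision);
        ItemDefinition<?> itemDef = item.getDefinition();
        if (itemDef != null) {
            // Anything short of an explicit ALLOW (DENY or no decision at all) clears the flag;
            // the flags are never set back to true here.
            if (itemReadDecision != AuthorizationDecisionType.ALLOW) {
                ((ItemDefinitionImpl) itemDef).setCanRead(false);
            }
            if (itemAddDecision != AuthorizationDecisionType.ALLOW) {
                ((ItemDefinitionImpl) itemDef).setCanAdd(false);
            }
            if (itemModifyDecision != AuthorizationDecisionType.ALLOW) {
                ((ItemDefinitionImpl) itemDef).setCanModify(false);
            }
        }
        if (item instanceof PrismContainer<?>) {
            if (itemReadDecision == AuthorizationDecisionType.DENY) {
                // Explicitly denied access to the entire container: drop it with all of its sub-items.
                iterator.remove();
            } else {
                // No final decision yet. Even ALLOW is not final at this level, as something may be
                // explicitly denied deeper inside; it only becomes the default for the sub-items.
                AuthorizationDecisionType subDefaultReadDecision = defaultReadDecision;
                if (itemReadDecision == AuthorizationDecisionType.ALLOW) {
                    subDefaultReadDecision = AuthorizationDecisionType.ALLOW;
                }
                // Remember the initial state so that an originally empty container is not removed.
                boolean itemWasEmpty = item.isEmpty();
                List<? extends PrismContainerValue<?>> values = ((PrismContainer<?>) item).getValues();
                Iterator<? extends PrismContainerValue<?>> vi = values.iterator();
                while (vi.hasNext()) {
                    PrismContainerValue<?> cval = vi.next();
                    List<Item<?, ?>> subitems = cval.getItems();
                    // Skip originally empty values so they are not removed below.
                    if (subitems != null && !subitems.isEmpty()) {
                        // The item's own ADD/MODIFY decisions become the defaults for its sub-items.
                        applySecurityConstraints(subitems, securityConstraints, subDefaultReadDecision, itemAddDecision, itemModifyDecision, phase);
                        if (subitems.isEmpty()) {
                            // Every sub-item was filtered out: the value carries nothing readable.
                            vi.remove();
                        }
                    }
                }
                if (!itemWasEmpty && item.isEmpty()) {
                    // The container became empty only because of the filtering above.
                    iterator.remove();
                }
            }
        } else {
            // Non-container item: removed on explicit DENY, or when there is neither an
            // explicit decision nor a default to fall back to.
            if (itemReadDecision == AuthorizationDecisionType.DENY || (itemReadDecision == null && defaultReadDecision == null)) {
                iterator.remove();
            }
        }
    }
}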

Example 7 with AuthorizationDecisionType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType in project midpoint by Evolveum.

the class SchemaTransformer method applySecurityConstraintsItemDef.

/**
 * Applies security constraints to an item definition (and, for containers, to the
 * definitions of its sub-items, recursively).
 * <p>
 * The READ, ADD and MODIFY decisions for {@code itemPath} are computed via
 * {@code computeItemDecision}. A decision other than {@code ALLOW} clears the matching
 * {@code canRead}/{@code canAdd}/{@code canModify} flag on the definition; however, if
 * any sub-definition keeps a flag set after its own processing, that flag is re-enabled
 * on this definition so the container stays reachable for that operation. The
 * {@code ShadowType.F_ATTRIBUTES} sub-definition is not descended into (it has special
 * handling elsewhere), but its current flags still participate in the re-enable step.
 *
 * @param itemDefinition definition to restrict; mutated in place
 * @param itemPath path of the item this definition describes
 * @param securityConstraints constraints the decisions are derived from
 * @param defaultReadDecision fallback passed to {@code computeItemDecision} for READ
 * @param defaultAddDecision fallback passed to {@code computeItemDecision} for ADD
 * @param defaultModifyDecision fallback passed to {@code computeItemDecision} for MODIFY
 * @param phase authorization phase the decisions are computed for
 */
private <D extends ItemDefinition> void applySecurityConstraintsItemDef(D itemDefinition, ItemPath itemPath, ObjectSecurityConstraints securityConstraints, AuthorizationDecisionType defaultReadDecision, AuthorizationDecisionType defaultAddDecision, AuthorizationDecisionType defaultModifyDecision, AuthorizationPhaseType phase) {
    AuthorizationDecisionType readDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.READ.getUrl(), defaultReadDecision, phase);
    AuthorizationDecisionType addDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.ADD.getUrl(), defaultAddDecision, phase);
    AuthorizationDecisionType modifyDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.MODIFY.getUrl(), defaultModifyDecision, phase);
    boolean subReadable = false;
    boolean subAddable = false;
    boolean subModifiable = false;
    if (itemDefinition instanceof PrismContainerDefinition<?>) {
        List<? extends ItemDefinition> subDefinitions = ((PrismContainerDefinition<?>) itemDefinition).getDefinitions();
        for (ItemDefinition subDef : subDefinitions) {
            // Shadow attributes have special handling and are not processed here;
            // this definition's decisions become the defaults for every other sub-definition.
            if (!subDef.getName().equals(ShadowType.F_ATTRIBUTES)) {
                applySecurityConstraintsItemDef(subDef, new ItemPath(itemPath, subDef.getName()), securityConstraints, readDecision, addDecision, modifyDecision, phase);
            }
            // Collected for all sub-definitions, including the attributes one.
            subReadable |= subDef.canRead();
            subAddable |= subDef.canAdd();
            subModifiable |= subDef.canModify();
        }
    }
    LOGGER.trace("applySecurityConstraints(itemDef): {}: decisions R={}, A={}, M={}; subelements R={}, A={}, M={}", itemPath, readDecision, addDecision, modifyDecision, subReadable, subAddable, subModifiable);
    // First restrict according to this definition's own decisions ...
    if (readDecision != AuthorizationDecisionType.ALLOW) {
        ((ItemDefinitionImpl) itemDefinition).setCanRead(false);
    }
    if (addDecision != AuthorizationDecisionType.ALLOW) {
        ((ItemDefinitionImpl) itemDefinition).setCanAdd(false);
    }
    if (modifyDecision != AuthorizationDecisionType.ALLOW) {
        ((ItemDefinitionImpl) itemDefinition).setCanModify(false);
    }
    // ... then re-enable whatever at least one sub-definition still permits.
    if (subReadable) {
        ((ItemDefinitionImpl) itemDefinition).setCanRead(true);
    }
    if (subAddable) {
        ((ItemDefinitionImpl) itemDefinition).setCanAdd(true);
    }
    if (subModifiable) {
        ((ItemDefinitionImpl) itemDefinition).setCanModify(true);
    }
}
