Use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.
The class SchemaTransformer, method applySecurityConstraintsPhase.
/**
 * Applies the security constraints of a single authorization phase to an item definition.
 * <p>
 * The object-level defaults for the read, add and modify actions are resolved from
 * {@code securityConstraints} for the given phase and handed to
 * {@link #applySecurityConstraintsItemDef} together with the empty (root) item path.
 *
 * @param itemDefinition      the definition to restrict
 * @param securityConstraints source of the object-level action decisions
 * @param phase               authorization phase being applied; must not be null
 */
private <D extends ItemDefinition> void applySecurityConstraintsPhase(D itemDefinition, ObjectSecurityConstraints securityConstraints, AuthorizationPhaseType phase) {
    Validate.notNull(phase);
    // Object-level defaults for this phase, passed down as the starting decisions for the definition tree.
    AuthorizationDecisionType readDefault = securityConstraints.getActionDecision(ModelAuthorizationAction.READ.getUrl(), phase);
    AuthorizationDecisionType addDefault = securityConstraints.getActionDecision(ModelAuthorizationAction.ADD.getUrl(), phase);
    AuthorizationDecisionType modifyDefault = securityConstraints.getActionDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase);
    Object[] traceArgs = new Object[] { itemDefinition, phase, readDefault, addDefault, modifyDefault };
    LOGGER.trace("applySecurityConstraints(itemDefs): def={}, phase={}, defaults R={}, A={}, M={}", traceArgs);
    applySecurityConstraintsItemDef(itemDefinition, ItemPath.EMPTY_PATH, securityConstraints, readDefault, addDefault, modifyDefault, phase);
}
Use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.
The class ObjectSecurityConstraintsImpl, method findItemDecision.
/**
 * Resolves the decision for {@code actionUrl} on {@code itemPath} in the given phase from the
 * item-level constraints.
 * <p>
 * Every registered constraint whose path is a sub-path of, or equivalent to, {@code itemPath}
 * is consulted for both the specific action URL and the "all actions" URL
 * ({@code AuthorizationConstants.AUTZ_ALL_URL}). A DENY from any of them is returned
 * immediately, so a deny can never be overridden by a later allow. Otherwise ALLOW is
 * returned if at least one applicable constraint allowed the action, and {@code null}
 * (no applicable decision) if none did.
 *
 * @param itemPath  path of the item being accessed
 * @param actionUrl authorization action URL
 * @param phase     authorization phase
 * @return DENY, ALLOW, or {@code null} when no item constraint yields a decision
 */
public AuthorizationDecisionType findItemDecision(ItemPath itemPath, String actionUrl, AuthorizationPhaseType phase) {
    boolean anyAllow = false;
    for (Map.Entry<ItemPath, ItemSecurityConstraintsImpl> constraintEntry : itemConstraintMap.entrySet()) {
        ItemSecurityConstraintsImpl constraints = constraintEntry.getValue();
        if (!constraintEntry.getKey().isSubPathOrEquivalent(itemPath) || constraints == null) {
            continue;
        }
        AuthorizationDecisionType specific = getSimpleActionDecision(constraints.getActionDecisionMap(), actionUrl, phase);
        AuthorizationDecisionType wildcard = getSimpleActionDecision(constraints.getActionDecisionMap(), AuthorizationConstants.AUTZ_ALL_URL, phase);
        // Deny is final: stop scanning, nothing below can reverse it.
        if (specific == AuthorizationDecisionType.DENY || wildcard == AuthorizationDecisionType.DENY) {
            return AuthorizationDecisionType.DENY;
        }
        anyAllow |= (specific == AuthorizationDecisionType.ALLOW || wildcard == AuthorizationDecisionType.ALLOW);
    }
    return anyAllow ? AuthorizationDecisionType.ALLOW : null;
}
Use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.
The class ObjectSecurityConstraintsImpl, method getActionDecision.
/**
 * Returns the object-level decision for {@code actionUrl} in the given phase.
 * <p>
 * Both the specific action URL and the "all actions" URL
 * ({@code AuthorizationConstants.AUTZ_ALL_URL}) are looked up. A DENY on either side wins
 * unconditionally; otherwise the specific decision is preferred over the wildcard one, and
 * {@code null} is returned when neither yields a decision.
 *
 * @param actionUrl authorization action URL
 * @param phase     authorization phase
 * @return DENY if either lookup denies, else the specific decision, else the wildcard decision
 *         (possibly {@code null})
 */
@Override
public AuthorizationDecisionType getActionDecision(String actionUrl, AuthorizationPhaseType phase) {
    AuthorizationDecisionType specific = getSimpleActionDecision(actionDecisionMap, actionUrl, phase);
    AuthorizationDecisionType wildcard = getSimpleActionDecision(actionDecisionMap, AuthorizationConstants.AUTZ_ALL_URL, phase);
    // Deny wins over any allow, regardless of which URL it was attached to.
    if (specific == AuthorizationDecisionType.DENY || wildcard == AuthorizationDecisionType.DENY) {
        return AuthorizationDecisionType.DENY;
    }
    // Specific beats wildcard; when both are absent this yields null.
    return specific != null ? specific : wildcard;
}
Use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.
The class SchemaTransformer, method determineObjectTemplate.
/**
 * Looks up the object template configured for {@code object} via the object policy
 * configuration held in the system configuration.
 * <p>
 * Returns {@code null} when there is no system configuration, when no object policy
 * configuration matches the object, or when the matching policy carries no
 * {@code objectTemplateRef}. The {@code phase} parameter is not consulted by this method.
 *
 * @param object the object whose template is sought
 * @param phase  authorization phase (not used here)
 * @param result operation result passed to the cache and repository lookups
 * @return the resolved template, or {@code null} if none is configured
 * @throws SchemaException         propagated from the lookups
 * @throws ConfigurationException  propagated from the lookups
 * @throws ObjectNotFoundException propagated from the lookups
 */
public <O extends ObjectType> ObjectTemplateType determineObjectTemplate(PrismObject<O> object, AuthorizationPhaseType phase, OperationResult result) throws SchemaException, ConfigurationException, ObjectNotFoundException {
    PrismObject<SystemConfigurationType> sysConfig = systemObjectCache.getSystemConfiguration(result);
    if (sysConfig == null) {
        return null;
    }
    ObjectPolicyConfigurationType policy = ModelUtils.determineObjectPolicyConfiguration(object, sysConfig.asObjectable());
    ObjectReferenceType templateRef = policy == null ? null : policy.getObjectTemplateRef();
    if (templateRef == null) {
        return null;
    }
    PrismObject<ObjectTemplateType> templateObject = cacheRepositoryService.getObject(ObjectTemplateType.class, templateRef.getOid(), null, result);
    return templateObject.asObjectable();
}
Use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.
The class SchemaTransformer, method applySchemasAndSecurityPhase.
/**
 * Applies the security constraints of one authorization phase to an object and its definition.
 * <p>
 * The check fails closed: if the object-level READ decision for the phase is DENY, or if
 * applying the item-level constraints leaves the object with no items at all, the denial is
 * logged through {@link SecurityUtil#logSecurityDeny} and an {@link AuthorizationException}
 * is thrown. Otherwise the constraints are applied to the object's items and then to
 * {@code objectDefinition}. Security violations and runtime exceptions are recorded as a fatal
 * error on {@code result} before being rethrown.
 *
 * @param object              object whose items are filtered in place
 * @param securityConstraints compiled authorization decisions for the object
 * @param objectDefinition    definition to restrict alongside the object
 * @param rootOptions         not used by this method
 * @param phase               authorization phase; must not be null
 * @param task                not used by this method
 * @param result              operation result that receives fatal errors
 * @throws SecurityViolationException when access to the object (or to all of its items) is denied
 * @throws SchemaException            propagated from the constraint application
 * @throws ConfigurationException     propagated from the constraint application
 * @throws ObjectNotFoundException    propagated from the constraint application
 */
private <O extends ObjectType> void applySchemasAndSecurityPhase(PrismObject<O> object, ObjectSecurityConstraints securityConstraints, PrismObjectDefinition<O> objectDefinition, GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
    Validate.notNull(phase);
    try {
        AuthorizationDecisionType readDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.READ.getUrl(), phase);
        if (readDecision == AuthorizationDecisionType.DENY) {
            // Object-level deny: no item-level evaluation is needed.
            SecurityUtil.logSecurityDeny(object, "because the authorization denies access");
            throw new AuthorizationException("Access denied");
        }
        AuthorizationDecisionType addDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.ADD.getUrl(), phase);
        AuthorizationDecisionType modifyDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase);
        List items = (List) object.getValue().getItems();
        applySecurityConstraints(items, securityConstraints, readDecision, addDecision, modifyDecision, phase);
        if (object.isEmpty()) {
            // Nothing visible survived the item constraints; report that as a denial rather than an empty object.
            SecurityUtil.logSecurityDeny(object, "because the subject has not access to any item");
            throw new AuthorizationException("Access denied");
        }
        applySecurityConstraintsItemDef(objectDefinition, ItemPath.EMPTY_PATH, securityConstraints, readDecision, addDecision, modifyDecision, phase);
    } catch (SecurityViolationException | RuntimeException e) {
        // NOTE(review): the checked SchemaException/ConfigurationException/ObjectNotFoundException this
        // method declares are not recorded on `result` here; confirm a caller records them.
        result.recordFatalError(e);
        throw e;
    }
}