
Example 1 with AuthorizationPhaseType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.

Class SchemaTransformer, method applySecurityConstraintsPhase.

/**
 * Reads the object-level default READ/ADD/MODIFY decisions for one authorization
 * phase and hands them to applySecurityConstraintsItemDef, starting at the empty
 * item path of the given definition.
 *
 * @param itemDefinition      definition whose items are to be restricted
 * @param securityConstraints compiled constraints the default decisions are read from
 * @param phase               authorization phase to evaluate; must not be null
 */
private <D extends ItemDefinition> void applySecurityConstraintsPhase(D itemDefinition, ObjectSecurityConstraints securityConstraints, AuthorizationPhaseType phase) {
    Validate.notNull(phase);
    String readUrl = ModelAuthorizationAction.READ.getUrl();
    String addUrl = ModelAuthorizationAction.ADD.getUrl();
    String modifyUrl = ModelAuthorizationAction.MODIFY.getUrl();
    // A null decision here means "no object-level decision"; the item-level walk decides what that implies.
    AuthorizationDecisionType readDefault = securityConstraints.getActionDecision(readUrl, phase);
    AuthorizationDecisionType addDefault = securityConstraints.getActionDecision(addUrl, phase);
    AuthorizationDecisionType modifyDefault = securityConstraints.getActionDecision(modifyUrl, phase);
    LOGGER.trace("applySecurityConstraints(itemDefs): def={}, phase={}, defaults R={}, A={}, M={}", itemDefinition, phase, readDefault, addDefault, modifyDefault);
    applySecurityConstraintsItemDef(itemDefinition, ItemPath.EMPTY_PATH, securityConstraints, readDefault, addDefault, modifyDefault, phase);
}

Example 2 with AuthorizationPhaseType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.

Class ObjectSecurityConstraintsImpl, method findItemDecision.

/**
 * Resolves the decision for one action on one item path, deny-overrides style.
 *
 * Every constraint entry whose path is a sub-path of (or equivalent to) {@code itemPath}
 * is consulted, for both the specific action URL and the "all actions" URL
 * ({@code AUTZ_ALL_URL}). The first DENY found wins immediately. If no DENY is found,
 * ALLOW is returned when at least one matching entry allowed; otherwise {@code null},
 * meaning no applicable decision exists (the caller has to supply its own default).
 *
 * @param itemPath  path of the item being accessed
 * @param actionUrl action URL being decided
 * @param phase     authorization phase to evaluate
 * @return DENY, ALLOW, or null when nothing applies
 */
public AuthorizationDecisionType findItemDecision(ItemPath itemPath, String actionUrl, AuthorizationPhaseType phase) {
    boolean allowSeen = false;
    for (Map.Entry<ItemPath, ItemSecurityConstraintsImpl> entry : itemConstraintMap.entrySet()) {
        ItemSecurityConstraintsImpl constraints = entry.getValue();
        // Skip entries that do not cover this path, and entries without constraints.
        if (!entry.getKey().isSubPathOrEquivalent(itemPath) || constraints == null) {
            continue;
        }
        AuthorizationDecisionType specific = getSimpleActionDecision(constraints.getActionDecisionMap(), actionUrl, phase);
        AuthorizationDecisionType wildcard = getSimpleActionDecision(constraints.getActionDecisionMap(), AuthorizationConstants.AUTZ_ALL_URL, phase);
        // DENY on either the action or the wildcard short-circuits everything else.
        if (specific == AuthorizationDecisionType.DENY || wildcard == AuthorizationDecisionType.DENY) {
            return AuthorizationDecisionType.DENY;
        }
        allowSeen |= (specific == AuthorizationDecisionType.ALLOW || wildcard == AuthorizationDecisionType.ALLOW);
    }
    return allowSeen ? AuthorizationDecisionType.ALLOW : null;
}

Example 3 with AuthorizationPhaseType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.

Class ObjectSecurityConstraintsImpl, method getActionDecision.

/**
 * Object-level decision for an action in a phase, deny-overrides style.
 *
 * Both the specific action URL and the "all actions" URL ({@code AUTZ_ALL_URL}) are
 * looked up in {@code actionDecisionMap}. A DENY on either wins. Otherwise the specific
 * decision is preferred over the wildcard one, and {@code null} is returned when neither
 * exists (no applicable decision; callers must supply their own default).
 *
 * @param actionUrl action URL being decided
 * @param phase     authorization phase to evaluate
 * @return DENY, ALLOW, or null when nothing applies
 */
@Override
public AuthorizationDecisionType getActionDecision(String actionUrl, AuthorizationPhaseType phase) {
    AuthorizationDecisionType specific = getSimpleActionDecision(actionDecisionMap, actionUrl, phase);
    AuthorizationDecisionType wildcard = getSimpleActionDecision(actionDecisionMap, AuthorizationConstants.AUTZ_ALL_URL, phase);
    // Any DENY takes precedence over any ALLOW.
    if (specific == AuthorizationDecisionType.DENY || wildcard == AuthorizationDecisionType.DENY) {
        return AuthorizationDecisionType.DENY;
    }
    // Specific beats wildcard; both null yields null.
    return specific != null ? specific : wildcard;
}

Example 4 with AuthorizationPhaseType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.

Class SchemaTransformer, method determineObjectTemplate.

/**
 * Looks up the object template that the system configuration's object policy
 * assigns to the given object.
 *
 * Returns {@code null} when there is no system configuration, no object policy
 * configuration for this object, or the policy carries no objectTemplateRef.
 * Otherwise the referenced template is fetched from {@code cacheRepositoryService}.
 *
 * @param object object whose policy configuration is consulted
 * @param phase  accepted for signature symmetry with the other phase methods; not used here
 * @param result operation result passed down to the cache and repository calls
 * @return the resolved template, or null when none is configured
 * @throws ObjectNotFoundException if the referenced template does not exist (propagated from the repository)
 */
public <O extends ObjectType> ObjectTemplateType determineObjectTemplate(PrismObject<O> object, AuthorizationPhaseType phase, OperationResult result) throws SchemaException, ConfigurationException, ObjectNotFoundException {
    PrismObject<SystemConfigurationType> sysConfig = systemObjectCache.getSystemConfiguration(result);
    ObjectPolicyConfigurationType policy = sysConfig == null
            ? null
            : ModelUtils.determineObjectPolicyConfiguration(object, sysConfig.asObjectable());
    ObjectReferenceType templateRef = policy == null ? null : policy.getObjectTemplateRef();
    if (templateRef == null) {
        return null;
    }
    PrismObject<ObjectTemplateType> template = cacheRepositoryService.getObject(ObjectTemplateType.class, templateRef.getOid(), null, result);
    return template.asObjectable();
}

Example 5 with AuthorizationPhaseType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType in project midpoint by Evolveum.

Class SchemaTransformer, method applySchemasAndSecurityPhase.

/**
 * Applies the security constraints of one authorization phase to an object and
 * to its object definition.
 *
 * Order of evaluation:
 * <ol>
 *   <li>Object-level READ decision of DENY: the subject may not see the object at all,
 *       so access is denied right away.</li>
 *   <li>The item-level constraints are applied to the object's items with the
 *       object-level READ/ADD/MODIFY decisions as defaults.</li>
 *   <li>If that stripped every item, the result is turned into an explicit denial rather
 *       than an empty object being returned.</li>
 *   <li>The same constraints are applied to the object definition.</li>
 * </ol>
 * SecurityViolationException (which includes the AuthorizationException thrown here)
 * and RuntimeException are recorded as fatal on {@code result} before being rethrown.
 * Note that the other checked exceptions declared by this method are not caught and
 * so pass through without being recorded.
 *
 * @param object              object to restrict in place
 * @param securityConstraints compiled constraints for the current subject
 * @param objectDefinition    definition to restrict in place
 * @param rootOptions         not referenced by this method
 * @param phase               authorization phase to evaluate; must not be null
 * @param task                not referenced by this method
 * @param result              operation result that receives fatal errors
 * @throws SecurityViolationException when access to the object is denied
 */
private <O extends ObjectType> void applySchemasAndSecurityPhase(PrismObject<O> object, ObjectSecurityConstraints securityConstraints, PrismObjectDefinition<O> objectDefinition, GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
    Validate.notNull(phase);
    try {
        AuthorizationDecisionType readDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.READ.getUrl(), phase);
        if (readDecision == AuthorizationDecisionType.DENY) {
            // Object-level DENY on READ: nothing below needs to be evaluated.
            denyAccess(object, "because the authorization denies access");
        }
        AuthorizationDecisionType addDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.ADD.getUrl(), phase);
        AuthorizationDecisionType modifyDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase);
        applySecurityConstraints((List) object.getValue().getItems(), securityConstraints, readDecision, addDecision, modifyDecision, phase);
        if (object.isEmpty()) {
            // Nothing readable remained; make the denial explicit instead of handing back an empty object.
            denyAccess(object, "because the subject has not access to any item");
        }
        applySecurityConstraintsItemDef(objectDefinition, ItemPath.EMPTY_PATH, securityConstraints, readDecision, addDecision, modifyDecision, phase);
    } catch (SecurityViolationException | RuntimeException e) {
        result.recordFatalError(e);
        throw e;
    }
}

/**
 * Logs the denial for the object with the given reason and throws the
 * AuthorizationException that callers of the phase method receive.
 */
private static <O extends ObjectType> void denyAccess(PrismObject<O> object, String reason) throws AuthorizationException {
    SecurityUtil.logSecurityDeny(object, reason);
    throw new AuthorizationException("Access denied");
}
