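/**
 * Validate the object, apply security to the object definition, remove any non-visible properties (security),
 * apply object template definitions and so on. This method is called for
 * any object that is returned from the Model Service.
 * <p>
 * The security constraints are compiled by the security enforcer first. A missing (null) constraint set is
 * treated as "default deny": the denial is logged and an {@link AuthorizationException} is thrown. When
 * {@code phase} is null the schema/security processing is applied for the REQUEST phase and then for the
 * EXECUTION phase; otherwise only for the given phase. The object template is always resolved for the
 * REQUEST phase, regardless of the {@code phase} argument.
 * <p>
 * The minor subresult created here is closed on every path: success is recorded at the end, and any
 * exception escaping from validation, security processing or template application is recorded as a
 * fatal error before being rethrown.
 *
 * @param object object to validate and trim; modified in place (its definition is deep-cloned first)
 * @param rootOptions GET options passed to validation and to the per-phase processing
 * @param phase authorization phase to apply, or null to apply both REQUEST and EXECUTION
 * @param task task in whose context the per-phase processing runs
 * @param parentResult parent operation result; a minor subresult is created under it
 * @throws SecurityViolationException on access denial (including the default-deny case above)
 * @throws SchemaException on schema problems during validation or security processing
 * @throws ConfigurationException on misconfiguration detected while determining the object template
 * @throws ObjectNotFoundException when a referenced object (e.g. the template) cannot be found
 */
public <O extends ObjectType> void applySchemasAndSecurity(PrismObject<O> object, GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult parentResult) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
    OperationResult result = parentResult.createMinorSubresult(SchemaTransformer.class.getName() + ".applySchemasAndSecurity");
    try {
        validateObject(object, rootOptions, result);
        // Deep clone of the definition (presumably so that trimming it does not affect the shared schema; confirm).
        PrismObjectDefinition<O> objectDefinition = object.deepCloneDefinition(true);
        ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(object, null);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Security constrains for {}:\n{}", object, securityConstraints == null ? "null" : securityConstraints.debugDump());
        }
        if (securityConstraints == null) {
            // Default deny: no constraints at all means no access.
            SecurityUtil.logSecurityDeny(object, "because no security constraints are defined (default deny)");
            throw new AuthorizationException("Access denied");
        }
        if (phase == null) {
            applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions, AuthorizationPhaseType.REQUEST, task, result);
            applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions, AuthorizationPhaseType.EXECUTION, task, result);
        } else {
            applySchemasAndSecurityPhase(object, securityConstraints, objectDefinition, rootOptions, phase, task, result);
        }
        // The template is resolved for the REQUEST phase irrespective of the phase being applied.
        ObjectTemplateType objectTemplateType = determineObjectTemplate(object, AuthorizationPhaseType.REQUEST, result);
        applyObjectTemplateToObject(object, objectTemplateType, result);
        // Derive the status from the subresults and close the result if nothing set it explicitly.
        result.computeStatus();
        result.recordSuccessIfUnknown();
    } catch (SchemaException | SecurityViolationException | ConfigurationException | ObjectNotFoundException | RuntimeException e) {
        // Record the failure on every escape path (not only the constraint compilation) so the subresult never stays open.
        result.recordFatalError(e);
        throw e;
    }
}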
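/**
 * Applies security constraints to a list of items (recursively descending into container values).
 * For every item the READ, ADD and MODIFY decisions are obtained from {@code computeItemDecision},
 * each with its own default decision, and the operations that are not ALLOWed are switched off on the
 * item definition. Items are removed from the list as follows:
 * <ul>
 *   <li>a container whose read decision is DENY is removed as a whole;</li>
 *   <li>otherwise the container values are processed recursively; values that became empty are removed,
 *       and the container itself is removed when the trimming made it empty (originally empty items and
 *       values are kept);</li>
 *   <li>a non-container item is removed when its read decision is DENY, or when there is neither an item
 *       decision nor a default read decision.</li>
 * </ul>
 * Inside a container the sub-items inherit the container's ADD and MODIFY decisions as their defaults; the
 * READ default becomes ALLOW when the container itself is readable, otherwise it is inherited unchanged.
 *
 * @param items items to trim; modified in place. A null list is a no-op.
 * @param securityConstraints compiled constraints of the enclosing object
 * @param defaultReadDecision default passed to the READ decision computation
 * @param defaultAddDecision default passed to the ADD decision computation
 * @param defaultModifyDecision default passed to the MODIFY decision computation
 * @param phase authorization phase the decisions are computed for
 */
public void applySecurityConstraints(List<Item<?, ?>> items, ObjectSecurityConstraints securityConstraints, AuthorizationDecisionType defaultReadDecision, AuthorizationDecisionType defaultAddDecision, AuthorizationDecisionType defaultModifyDecision, AuthorizationPhaseType phase) {
    LOGGER.trace("applySecurityConstraints(items): items={}, phase={}, defaults R={}, A={}, M={}", items, phase, defaultReadDecision, defaultAddDecision, defaultModifyDecision);
    if (items == null) {
        return;
    }
    Iterator<Item<?, ?>> iterator = items.iterator();
    while (iterator.hasNext()) {
        Item<?, ?> item = iterator.next();
        ItemPath itemPath = item.getPath();
        // Each operation gets its own default; ADD and MODIFY must not be computed from the READ default
        // (same as in applySecurityConstraintsItemDef), otherwise a read-only default could leave add/modify enabled.
        AuthorizationDecisionType itemReadDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.READ.getUrl(), defaultReadDecision, phase);
        AuthorizationDecisionType itemAddDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.ADD.getUrl(), defaultAddDecision, phase);
        AuthorizationDecisionType itemModifyDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.MODIFY.getUrl(), defaultModifyDecision, phase);
        LOGGER.trace("applySecurityConstraints(item): {}: decisions R={}, A={}, M={}", itemPath, itemReadDecision, itemAddDecision, itemModifyDecision);
        ItemDefinition<?> itemDef = item.getDefinition();
        if (itemDef != null) {
            // Anything that is not explicitly ALLOWed is switched off on the definition.
            if (itemReadDecision != AuthorizationDecisionType.ALLOW) {
                ((ItemDefinitionImpl) itemDef).setCanRead(false);
            }
            if (itemAddDecision != AuthorizationDecisionType.ALLOW) {
                ((ItemDefinitionImpl) itemDef).setCanAdd(false);
            }
            if (itemModifyDecision != AuthorizationDecisionType.ALLOW) {
                ((ItemDefinitionImpl) itemDef).setCanModify(false);
            }
        }
        if (item instanceof PrismContainer<?>) {
            if (itemReadDecision == AuthorizationDecisionType.DENY) {
                // Explicitly denied access to the entire container
                iterator.remove();
            } else {
                // No explicit decision (even ALLOW is not final here as something may be denied deeper inside)
                AuthorizationDecisionType subDefaultReadDecision = defaultReadDecision;
                if (itemReadDecision == AuthorizationDecisionType.ALLOW) {
                    // This means allow to all subitems unless otherwise denied.
                    subDefaultReadDecision = AuthorizationDecisionType.ALLOW;
                }
                // to prevent removal of originally empty items
                boolean itemWasEmpty = item.isEmpty();
                List<? extends PrismContainerValue<?>> values = ((PrismContainer<?>) item).getValues();
                Iterator<? extends PrismContainerValue<?>> vi = values.iterator();
                while (vi.hasNext()) {
                    PrismContainerValue<?> cval = vi.next();
                    List<Item<?, ?>> subitems = cval.getItems();
                    if (subitems != null && !subitems.isEmpty()) {
                        // second condition is to prevent removal of originally empty values
                        applySecurityConstraints(subitems, securityConstraints, subDefaultReadDecision, itemAddDecision, itemModifyDecision, phase);
                        if (subitems.isEmpty()) {
                            vi.remove();
                        }
                    }
                }
                if (!itemWasEmpty && item.isEmpty()) {
                    iterator.remove();
                }
            }
        } else {
            // Non-container: drop when explicitly denied, or when no decision exists at all (neither item nor default).
            if (itemReadDecision == AuthorizationDecisionType.DENY || (itemReadDecision == null && defaultReadDecision == null)) {
                iterator.remove();
            }
        }
    }
}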
/**
 * Looks up the object template that the object policy configuration (taken from the system configuration)
 * assigns to objects of the given class.
 *
 * @param objectClass class of objects the template is looked up for
 * @param phase authorization phase; not consulted by this method at the moment
 * @param result operation result used for the system configuration and repository lookups
 * @return the template, or null when there is no system configuration, no object policy configuration for
 *         the class, or the policy configuration carries no template reference
 * @throws ObjectNotFoundException presumably propagated from the repository when the referenced template does not exist
 */
public <O extends ObjectType> ObjectTemplateType determineObjectTemplate(Class<O> objectClass, AuthorizationPhaseType phase, OperationResult result) throws SchemaException, ConfigurationException, ObjectNotFoundException {
    PrismObject<SystemConfigurationType> sysConfig = systemObjectCache.getSystemConfiguration(result);
    if (sysConfig == null) {
        return null;
    }
    ObjectPolicyConfigurationType policy = ModelUtils.determineObjectPolicyConfiguration(objectClass, null, sysConfig.asObjectable());
    // A missing policy and a policy without a template reference are both "no template".
    ObjectReferenceType templateRef = (policy == null) ? null : policy.getObjectTemplateRef();
    if (templateRef == null) {
        return null;
    }
    PrismObject<ObjectTemplateType> templateObject = cacheRepositoryService.getObject(ObjectTemplateType.class, templateRef.getOid(), null, result);
    return templateObject.asObjectable();
}
/**
 * Applies security constraints to one item definition and, for container definitions, recursively to its
 * sub-definitions (shadow attributes are skipped here as they are handled elsewhere). The READ/ADD/MODIFY
 * decisions are obtained from {@code computeItemDecision} with the given defaults; sub-definitions receive
 * this definition's decisions as their defaults. An operation that is not ALLOWed is switched off on the
 * definition, but it is switched back on whenever at least one sub-definition still permits it, so that
 * permitted sub-items stay reachable through their parent.
 *
 * @param itemDefinition definition to restrict; modified in place (must be an {@code ItemDefinitionImpl} to be mutated)
 * @param itemPath path of the item the definition belongs to
 * @param securityConstraints compiled constraints of the enclosing object
 * @param defaultReadDecision default passed to the READ decision computation
 * @param defaultAddDecision default passed to the ADD decision computation
 * @param defaultModifyDecision default passed to the MODIFY decision computation
 * @param phase authorization phase the decisions are computed for
 */
private <D extends ItemDefinition> void applySecurityConstraintsItemDef(D itemDefinition, ItemPath itemPath, ObjectSecurityConstraints securityConstraints, AuthorizationDecisionType defaultReadDecision, AuthorizationDecisionType defaultAddDecision, AuthorizationDecisionType defaultModifyDecision, AuthorizationPhaseType phase) {
    AuthorizationDecisionType readDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.READ.getUrl(), defaultReadDecision, phase);
    AuthorizationDecisionType addDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.ADD.getUrl(), defaultAddDecision, phase);
    AuthorizationDecisionType modifyDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.MODIFY.getUrl(), defaultModifyDecision, phase);
    boolean subRead = false;
    boolean subAdd = false;
    boolean subModify = false;
    if (itemDefinition instanceof PrismContainerDefinition<?>) {
        List<? extends ItemDefinition> subDefinitions = ((PrismContainerDefinition<?>) itemDefinition).getDefinitions();
        for (ItemDefinition subDef : subDefinitions) {
            // Shadow attributes have special handling elsewhere; they are not descended into here
            // but still count towards the "any sub-element permitted" flags below.
            if (!subDef.getName().equals(ShadowType.F_ATTRIBUTES)) {
                applySecurityConstraintsItemDef(subDef, new ItemPath(itemPath, subDef.getName()), securityConstraints, readDecision, addDecision, modifyDecision, phase);
            }
            subRead |= subDef.canRead();
            subAdd |= subDef.canAdd();
            subModify |= subDef.canModify();
        }
    }
    LOGGER.trace("applySecurityConstraints(itemDef): {}: decisions R={}, A={}, M={}; subelements R={}, A={}, M={}", itemPath, readDecision, addDecision, modifyDecision, subRead, subAdd, subModify);
    // First restrict according to this definition's own decisions ...
    if (readDecision != AuthorizationDecisionType.ALLOW) {
        ((ItemDefinitionImpl) itemDefinition).setCanRead(false);
    }
    if (addDecision != AuthorizationDecisionType.ALLOW) {
        ((ItemDefinitionImpl) itemDefinition).setCanAdd(false);
    }
    if (modifyDecision != AuthorizationDecisionType.ALLOW) {
        ((ItemDefinitionImpl) itemDefinition).setCanModify(false);
    }
    // ... then re-enable whatever some sub-definition still permits.
    if (subRead) {
        ((ItemDefinitionImpl) itemDefinition).setCanRead(true);
    }
    if (subAdd) {
        ((ItemDefinitionImpl) itemDefinition).setCanAdd(true);
    }
    if (subModify) {
        ((ItemDefinitionImpl) itemDefinition).setCanModify(true);
    }
}