Example 6 with KeyValueCollectionPermission
use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class FilterPlugin method processPreCreate.
@Override
public CreateRequest processPreCreate(CreateRequest input) throws StopProcessingException {
KeyValueCollectionPermission securityPermission = new KeyValueCollectionPermission(CollectionPermission.CREATE_ACTION);
List<Metacard> metacards = input.getMetacards();
Subject subject = getSubject(input);
Subject systemSubject = getSystemSubject();
List<String> userNotPermittedTitles = new ArrayList<>();
List<String> systemNotPermittedTitles = new ArrayList<>();
for (Metacard metacard : metacards) {
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.CREATE_ACTION)) {
userNotPermittedTitles.add(metacard.getTitle());
}
if (!checkPermissions(attr, securityPermission, systemSubject, CollectionPermission.CREATE_ACTION)) {
systemNotPermittedTitles.add(metacard.getTitle());
}
}
if (!userNotPermittedTitles.isEmpty()) {
throw new StopProcessingException("Metacard creation not permitted for " + SubjectUtils.getName(subject) + ": [ " + listToString(userNotPermittedTitles) + " ]");
}
if (!systemNotPermittedTitles.isEmpty()) {
throw new StopProcessingException("Metacard creation not permitted for this system: [ " + listToString(systemNotPermittedTitles) + " ]");
}
return input;
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
Metacard(ddf.catalog.data.Metacard)
Attribute(ddf.catalog.data.Attribute)
ArrayList(java.util.ArrayList)
StopProcessingException(ddf.catalog.plugin.StopProcessingException)
Subject(org.apache.shiro.subject.Subject)
Example 7 with KeyValueCollectionPermission
use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class FilterPlugin method processPostQuery.
@Override
public QueryResponse processPostQuery(QueryResponse input) throws StopProcessingException {
if (input.getRequest() == null || input.getRequest().getProperties() == null) {
throw new StopProcessingException("Unable to filter contents of current message, no user Subject available.");
}
Subject subject = getSubject(input);
List<Result> results = input.getResults();
List<Result> newResults = new ArrayList<>(results.size());
Metacard metacard;
KeyValueCollectionPermission securityPermission = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
int filteredMetacards = 0;
for (Result result : results) {
metacard = result.getMetacard();
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
for (FilterStrategy filterStrategy : filterStrategies.values()) {
FilterResult filterResult = filterStrategy.process(input, metacard);
if (filterResult.processed()) {
if (filterResult.metacard() != null) {
newResults.add(new ResultImpl(filterResult.metacard()));
}
break;
//returned responses are ignored for queries
}
}
filteredMetacards++;
} else {
newResults.add(result);
}
}
if (filteredMetacards > 0) {
SecurityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
}
input.getResults().clear();
input.getResults().addAll(newResults);
newResults.clear();
return input;
}
Also used :
Metacard(ddf.catalog.data.Metacard)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
Attribute(ddf.catalog.data.Attribute)
ArrayList(java.util.ArrayList)
FilterStrategy(ddf.catalog.security.FilterStrategy)
ResultImpl(ddf.catalog.data.impl.ResultImpl)
StopProcessingException(ddf.catalog.plugin.StopProcessingException)
FilterResult(ddf.catalog.security.FilterResult)
Subject(org.apache.shiro.subject.Subject)
FilterResult(ddf.catalog.security.FilterResult)
Result(ddf.catalog.data.Result)
Example 8 with KeyValueCollectionPermission
use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class FilterPlugin method processPostDelete.
@Override
public DeleteResponse processPostDelete(DeleteResponse input) throws StopProcessingException {
if (input.getRequest() == null || input.getRequest().getProperties() == null) {
throw new StopProcessingException("Unable to filter contents of current message, no user Subject available.");
}
Subject subject = getSubject(input);
List<Metacard> results = input.getDeletedMetacards();
List<Metacard> newResults = new ArrayList<>(results.size());
KeyValueCollectionPermission securityPermission = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
int filteredMetacards = 0;
for (Metacard metacard : results) {
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
for (FilterStrategy filterStrategy : filterStrategies.values()) {
FilterResult filterResult = filterStrategy.process(input, metacard);
if (filterResult.processed()) {
if (filterResult.metacard() != null) {
newResults.add(filterResult.metacard());
}
break;
//returned responses are ignored for deletes
}
}
filteredMetacards++;
} else {
newResults.add(metacard);
}
}
if (filteredMetacards > 0) {
SecurityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
}
input.getDeletedMetacards().clear();
input.getDeletedMetacards().addAll(newResults);
newResults.clear();
return input;
}
Also used :
Metacard(ddf.catalog.data.Metacard)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
Attribute(ddf.catalog.data.Attribute)
ArrayList(java.util.ArrayList)
FilterStrategy(ddf.catalog.security.FilterStrategy)
StopProcessingException(ddf.catalog.plugin.StopProcessingException)
FilterResult(ddf.catalog.security.FilterResult)
Subject(org.apache.shiro.subject.Subject)
Example 9 with KeyValueCollectionPermission
use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class FilterPlugin method processPreUpdate.
@Override
public UpdateRequest processPreUpdate(UpdateRequest input, Map<String, Metacard> metacards) throws StopProcessingException {
KeyValueCollectionPermission securityPermission = new KeyValueCollectionPermission(CollectionPermission.UPDATE_ACTION);
List<Map.Entry<Serializable, Metacard>> updates = input.getUpdates();
Subject subject = getSubject(input);
Subject systemSubject = getSystemSubject();
List<String> unknownIds = new ArrayList<>();
List<String> userNotPermittedIds = new ArrayList<>();
List<String> systemNotPermittedIds = new ArrayList<>();
for (Map.Entry<Serializable, Metacard> entry : updates) {
Metacard newMetacard = entry.getValue();
Attribute attr = newMetacard.getAttribute(Metacard.SECURITY);
String id = null;
if (entry.getKey() != null && !entry.getKey().equals("null")) {
id = (String) entry.getKey();
} else if (newMetacard.getId() != null && !newMetacard.getId().equals("null")) {
id = newMetacard.getId();
}
Metacard oldMetacard = metacards.get(id);
if (oldMetacard == null) {
unknownIds.add(id);
} else {
Attribute oldAttr = oldMetacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.UPDATE_ACTION) || !checkPermissions(oldAttr, securityPermission, subject, CollectionPermission.UPDATE_ACTION)) {
userNotPermittedIds.add(newMetacard.getId());
}
if (!checkPermissions(attr, securityPermission, systemSubject, CollectionPermission.UPDATE_ACTION)) {
systemNotPermittedIds.add(newMetacard.getId());
}
}
}
if (!unknownIds.isEmpty() || !userNotPermittedIds.isEmpty()) {
throw new StopProcessingException("Update operation not permitted with bad data. Unknown metacards: [ " + listToString(unknownIds) + " ]. Not Permitted metacards: [ " + listToString(userNotPermittedIds) + " ]");
}
if (!systemNotPermittedIds.isEmpty()) {
throw new StopProcessingException("Update operation not permitted for this system metacards: [ " + listToString(systemNotPermittedIds) + " ]");
}
return input;
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
Serializable(java.io.Serializable)
Attribute(ddf.catalog.data.Attribute)
ArrayList(java.util.ArrayList)
StopProcessingException(ddf.catalog.plugin.StopProcessingException)
Subject(org.apache.shiro.subject.Subject)
Metacard(ddf.catalog.data.Metacard)
Map(java.util.Map)
TreeMap(java.util.TreeMap)
Example 10 with KeyValueCollectionPermission
use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class OperationPlugin method checkOperation.
/**
* checkOperation will throw a StopProcessingException if the operation is not permitted
* based on the the subjects attributes and the operations property "operation.security"
*
* @param operation The operation to check
* @throws StopProcessingException
*/
private void checkOperation(Operation operation) throws StopProcessingException {
if (!operation.hasProperties() || !operation.containsPropertyName(PolicyPlugin.OPERATION_SECURITY)) {
return;
}
Object securityAssertion = operation.getPropertyValue(SecurityConstants.SECURITY_SUBJECT);
Subject subject;
if (securityAssertion instanceof Subject) {
subject = (Subject) securityAssertion;
} else {
throw new StopProcessingException("Unable to filter contents of current message, no user Subject available.");
}
Map<String, Set<String>> perms = (Map<String, Set<String>>) operation.getPropertyValue(PolicyPlugin.OPERATION_SECURITY);
KeyValueCollectionPermission securityPermission = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION, perms);
if (!subject.isPermitted(securityPermission)) {
throw new StopProcessingException("User " + SubjectUtils.getName(subject, "UNKNOWN") + " does not have the required attributes " + perms);
}
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
Set(java.util.Set)
StopProcessingException(ddf.catalog.plugin.StopProcessingException)
Map(java.util.Map)
Subject(ddf.security.Subject)
Aggregations
KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)38
ArrayList (java.util.ArrayList)19
Test (org.junit.Test)18
KeyValuePermission (ddf.security.permission.KeyValuePermission)15
List (java.util.List)10
RequestType (oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType)9
CollectionPermission (ddf.security.permission.CollectionPermission)8
HashMap (java.util.HashMap)7
Permission (org.apache.shiro.authz.Permission)7
StopProcessingException (ddf.catalog.plugin.StopProcessingException)6
Attribute (ddf.catalog.data.Attribute)5
Subject (org.apache.shiro.subject.Subject)5
Metacard (ddf.catalog.data.Metacard)4
PolicyExtension (ddf.security.policy.extension.PolicyExtension)4
FilterResult (ddf.catalog.security.FilterResult)3
FilterStrategy (ddf.catalog.security.FilterStrategy)3
Subject (ddf.security.Subject)3
UpdateRequest (ddf.catalog.operation.UpdateRequest)2
PdpException (ddf.security.pdp.realm.xacml.processor.PdpException)2
HashSet (java.util.HashSet)2
