Example 6 with KeyValuePermission
use of ddf.security.permission.KeyValuePermission in project ddf by codice.
the class AuthzRealm method isPermitted.
/**
* Checks if the corresponding Subject/user contained within the AuthorizationInfo object
* implies the given Permission.
*
* @param permission the permission being checked.
* @param authorizationInfo the application-specific subject/user identifier.
* @return true if the user is permitted
*/
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
Collection<Permission> perms = getPermissions(authorizationInfo);
String curUser = "<user>";
if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
curUser = subjectPrincipal.getPrimaryPrincipal().toString();
}
if (!CollectionUtils.isEmpty(perms)) {
if (permission instanceof KeyValuePermission) {
permission = new KeyValueCollectionPermission(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
}
if (permission != null && permission instanceof KeyValueCollectionPermission) {
KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
for (KeyValuePermission keyValuePermission : keyValuePermissions) {
String metacardKey = keyValuePermission.getKey();
// user specified this key in the match all list - remap key
if (matchAllMap.containsKey(metacardKey)) {
KeyValuePermission kvp = new KeyValuePermission(matchAllMap.get(metacardKey), keyValuePermission.getValues());
matchAllPermissions.add(kvp);
// user specified this key in the match one list - remap key
} else if (matchOneMap.containsKey(metacardKey)) {
KeyValuePermission kvp = new KeyValuePermission(matchOneMap.get(metacardKey), keyValuePermission.getValues());
matchOnePermissions.add(kvp);
// this key was not specified in either - default to match all with the
// same key value
} else {
//creating a KeyValuePermission list to try to quick match all of these permissions
//if that fails, then XACML will try to match them
//this covers the case where attributes on the user match up perfectly with the permissions being implied
//this also allows the xacml permissions to run through the policy extensions
matchAllPreXacmlPermissions.add(keyValuePermission);
}
}
CollectionPermission subjectAllCollection = new CollectionPermission(CollectionPermission.UNKNOWN_ACTION, perms);
KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPermissions);
KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchOnePermissions);
matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection);
matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection);
matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection);
MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
boolean matchAll = subjectAllCollection.implies(matchAllCollection);
boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
boolean matchOne = subjectOneCollection.implies(matchOneCollection);
if (!matchAll || !matchOne) {
SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
}
//if we weren't able to automatically imply these permissions, call out to XACML
if (!matchAllXacml) {
KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
if (!matchAllXacml) {
SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
}
}
return matchAll && matchOne && matchAllXacml;
}
for (Permission perm : perms) {
if (permission != null && perm.implies(permission)) {
return true;
}
}
}
SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
return false;
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission)
CollectionPermission(ddf.security.permission.CollectionPermission)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Permission(org.apache.shiro.authz.Permission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
ArrayList(java.util.ArrayList)
MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission)
CollectionPermission(ddf.security.permission.CollectionPermission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Example 7 with KeyValuePermission
use of ddf.security.permission.KeyValuePermission in project ddf by codice.
the class XacmlPdp method createXACMLRequest.
protected RequestType createXACMLRequest(String subject, AuthorizationInfo info, CollectionPermission permission) {
LOGGER.debug("Creating XACML request for subject: {} and metacard permissions {}", subject, permission);
RequestType xacmlRequestType = new RequestType();
xacmlRequestType.setCombinedDecision(false);
xacmlRequestType.setReturnPolicyIdList(false);
// Adding filter action
AttributesType actionAttributes = new AttributesType();
actionAttributes.setCategory(XACMLConstants.ACTION_CATEGORY);
AttributeType actionAttribute = new AttributeType();
actionAttribute.setAttributeId(XACMLConstants.ACTION_ID);
actionAttribute.setIncludeInResult(false);
AttributeValueType actionValue = new AttributeValueType();
actionValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
LOGGER.trace("Adding action: {} for subject: {}", XACMLConstants.FILTER_ACTION, subject);
actionValue.getContent().add(permission.getAction());
actionAttribute.getAttributeValue().add(actionValue);
actionAttributes.getAttribute().add(actionAttribute);
xacmlRequestType.getAttributes().add(actionAttributes);
// Adding permissions for the calling subject
AttributesType subjectAttributes = createSubjectAttributes(subject, info);
xacmlRequestType.getAttributes().add(subjectAttributes);
// Adding permissions for the resource
AttributesType metadataAttributes = new AttributesType();
metadataAttributes.setCategory(XACMLConstants.RESOURCE_CATEGORY);
AttributesType environmentAttributesType = new AttributesType();
environmentAttributesType.setCategory(XACMLConstants.ENVIRONMENT_CATEGORY);
if (!CollectionUtils.isEmpty(environmentAttributes)) {
for (String envAttr : environmentAttributes) {
String[] attr = envAttr.split("=");
if (attr.length == 2) {
AttributeType attributeType = new AttributeType();
attributeType.setAttributeId(attr[0].trim());
String[] attrVals = attr[1].split(",");
for (String attrVal : attrVals) {
AttributeValueType attributeValueType = new AttributeValueType();
attributeValueType.setDataType(XACMLConstants.STRING_DATA_TYPE);
attributeValueType.getContent().add(attrVal.trim());
attributeType.getAttributeValue().add(attributeValueType);
}
environmentAttributesType.getAttribute().add(attributeType);
}
}
}
if (permission instanceof KeyValueCollectionPermission) {
List<KeyValuePermission> tmpList = ((KeyValueCollectionPermission) permission).getKeyValuePermissionList();
for (KeyValuePermission curPermission : tmpList) {
AttributeType resourceAttribute = new AttributeType();
resourceAttribute.setAttributeId(curPermission.getKey());
resourceAttribute.setIncludeInResult(false);
if (curPermission.getValues().size() > 0) {
for (String curPermValue : curPermission.getValues()) {
AttributeValueType resourceAttributeValue = new AttributeValueType();
resourceAttributeValue.setDataType(getXacmlDataType(curPermValue));
LOGGER.trace("Adding permission: {}:{} for incoming resource", new Object[] { curPermission.getKey(), curPermValue });
resourceAttributeValue.getContent().add(curPermValue);
resourceAttribute.getAttributeValue().add(resourceAttributeValue);
}
metadataAttributes.getAttribute().add(resourceAttribute);
}
}
xacmlRequestType.getAttributes().add(metadataAttributes);
if (!CollectionUtils.isEmpty(environmentAttributes)) {
xacmlRequestType.getAttributes().add(environmentAttributesType);
}
} else {
LOGGER.warn("Permission on the resource need to be of type KeyValueCollectionPermission, cannot process this resource.");
}
return xacmlRequestType;
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
AttributeValueType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType)
AttributeType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeType)
AttributesType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributesType)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
RequestType(oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType)
Example 8 with KeyValuePermission
use of ddf.security.permission.KeyValuePermission in project ddf by codice.
the class XacmlPdp method createSubjectAttributes.
private AttributesType createSubjectAttributes(String subject, AuthorizationInfo info) {
AttributesType subjectAttributes = new AttributesType();
subjectAttributes.setCategory(XACMLConstants.ACCESS_SUBJECT_CATEGORY);
AttributeType subjectAttribute = new AttributeType();
subjectAttribute.setAttributeId(XACMLConstants.SUBJECT_ID);
subjectAttribute.setIncludeInResult(false);
AttributeValueType subjectValue = new AttributeValueType();
subjectValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
LOGGER.debug("Adding subject: {}", subject);
subjectValue.getContent().add(subject);
subjectAttribute.getAttributeValue().add(subjectValue);
subjectAttributes.getAttribute().add(subjectAttribute);
AttributeType roleAttribute = new AttributeType();
roleAttribute.setAttributeId(XACMLConstants.ROLE_CLAIM);
roleAttribute.setIncludeInResult(false);
if (info.getRoles().size() > 0) {
for (String curRole : info.getRoles()) {
AttributeValueType roleValue = new AttributeValueType();
roleValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
LOGGER.trace("Adding role: {} for subject: {}", curRole, subject);
roleValue.getContent().add(curRole);
roleAttribute.getAttributeValue().add(roleValue);
}
subjectAttributes.getAttribute().add(roleAttribute);
}
for (Permission curPermission : info.getObjectPermissions()) {
if (curPermission instanceof KeyValuePermission) {
AttributeType subjAttr = new AttributeType();
subjAttr.setAttributeId(((KeyValuePermission) curPermission).getKey());
subjAttr.setIncludeInResult(false);
if (((KeyValuePermission) curPermission).getValues().size() > 0) {
for (String curPermValue : ((KeyValuePermission) curPermission).getValues()) {
AttributeValueType subjAttrValue = new AttributeValueType();
subjAttrValue.setDataType(getXacmlDataType(curPermValue));
LOGGER.trace("Adding permission: {}:{} for subject: {}", ((KeyValuePermission) curPermission).getKey(), curPermValue, subject);
subjAttrValue.getContent().add(curPermValue);
subjAttr.getAttributeValue().add(subjAttrValue);
}
subjectAttributes.getAttribute().add(subjAttr);
}
} else {
LOGGER.warn("Permissions for subject were not of type KeyValuePermission, cannot add any subject permissions to the request.");
}
}
return subjectAttributes;
}
Also used :
AttributeValueType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType)
AttributeType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeType)
AttributesType(oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributesType)
CollectionPermission(ddf.security.permission.CollectionPermission)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Permission(org.apache.shiro.authz.Permission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Example 9 with KeyValuePermission
use of ddf.security.permission.KeyValuePermission in project ddf by codice.
the class AbstractAuthorizingRealm method doGetAuthorizationInfo.
/**
* Takes the security attributes about the subject of the incoming security token and builds
* sets of permissions and roles for use in further checking.
*
* @param principalCollection holds the security assertions for the primary principal of this request
* @return a new collection of permissions and roles corresponding to the security assertions
* @throws AuthorizationException if there are no security assertions associated with this principal collection or
* if the token cannot be processed successfully.
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
LOGGER.debug("Retrieving authorization info for {}", principalCollection.getPrimaryPrincipal());
SecurityAssertion assertion = principalCollection.oneByType(SecurityAssertion.class);
if (assertion == null) {
String msg = "No assertion found, cannot retrieve authorization info.";
throw new AuthorizationException(msg);
}
List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
Set<Permission> permissions = new HashSet<>();
Set<String> roles = new HashSet<>();
Map<String, Set<String>> permissionsMap = new HashMap<>();
Collection<Expansion> expansionServices = getUserExpansionServices();
for (AttributeStatement curStatement : attributeStatements) {
addAttributesToMap(curStatement.getAttributes(), permissionsMap, expansionServices);
}
for (Map.Entry<String, Set<String>> entry : permissionsMap.entrySet()) {
permissions.add(new KeyValuePermission(entry.getKey(), entry.getValue()));
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Adding permission: {} : {}", entry.getKey(), StringUtils.join(entry.getValue(), ","));
}
}
if (permissionsMap.containsKey(SAML_ROLE)) {
roles.addAll(permissionsMap.get(SAML_ROLE));
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Adding roles to authorization info: {}", StringUtils.join(roles, ","));
}
}
info.setObjectPermissions(permissions);
info.setRoles(roles);
return info;
}
Also used :
SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo)
HashSet(java.util.HashSet)
Set(java.util.Set)
AuthorizationException(org.apache.shiro.authz.AuthorizationException)
HashMap(java.util.HashMap)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
XSString(org.opensaml.core.xml.schema.XSString)
SecurityAssertion(ddf.security.assertion.SecurityAssertion)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Permission(org.apache.shiro.authz.Permission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
Expansion(ddf.security.expansion.Expansion)
HashMap(java.util.HashMap)
Map(java.util.Map)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
HashSet(java.util.HashSet)
Example 10 with KeyValuePermission
use of ddf.security.permission.KeyValuePermission in project ddf by codice.
the class AbstractAuthorizingRealm method expandPermissions.
protected List<Permission> expandPermissions(List<Permission> permissions) {
Collection<Expansion> expansionServices = getMetacardExpansionServices();
if (CollectionUtils.isEmpty(expansionServices)) {
return permissions;
}
List<Permission> expandedPermissions = new ArrayList<>(permissions.size());
for (Permission permission : permissions) {
if (permission instanceof KeyValuePermission) {
for (Expansion expansionService : expansionServices) {
Set<String> expandedSet = expansionService.expand(((KeyValuePermission) permission).getKey(), new HashSet<>(((KeyValuePermission) permission).getValues()));
expandedPermissions.add(new KeyValuePermission(((KeyValuePermission) permission).getKey(), expandedSet));
}
} else if (permission instanceof KeyValueCollectionPermission) {
List<Permission> keyValuePermissionList = ((KeyValueCollectionPermission) permission).getKeyValuePermissionList();
List<Permission> expandedCollection = expandPermissions(keyValuePermissionList);
//we know that everything in a key value collection is a key value permission so just do the unchecked cast
List<KeyValuePermission> castedList = castToKeyValueList(expandedCollection);
expandedPermissions.add(new KeyValueCollectionPermission(((KeyValueCollectionPermission) permission).getAction(), castedList));
} else {
expandedPermissions.add(permission);
}
}
return expandedPermissions;
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
ArrayList(java.util.ArrayList)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Permission(org.apache.shiro.authz.Permission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
ArrayList(java.util.ArrayList)
List(java.util.List)
XSString(org.opensaml.core.xml.schema.XSString)
Expansion(ddf.security.expansion.Expansion)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Aggregations
KeyValuePermission (ddf.security.permission.KeyValuePermission)22
KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)18
ArrayList (java.util.ArrayList)10
Test (org.junit.Test)10
CollectionPermission (ddf.security.permission.CollectionPermission)8
Permission (org.apache.shiro.authz.Permission)8
SimpleAuthorizationInfo (org.apache.shiro.authz.SimpleAuthorizationInfo)4
HashSet (java.util.HashSet)3
List (java.util.List)3
Expansion (ddf.security.expansion.Expansion)2
AuthzRealm (ddf.security.pdp.realm.AuthzRealm)2
HashMap (java.util.HashMap)2
AttributeType (oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeType)2
AttributeValueType (oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType)2
AttributesType (oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributesType)2
WildcardPermission (org.apache.shiro.authz.permission.WildcardPermission)2
PrincipalCollection (org.apache.shiro.subject.PrincipalCollection)2
XmlParser (org.codice.ddf.parser.xml.XmlParser)2
Before (org.junit.Before)2
XSString (org.opensaml.core.xml.schema.XSString)2
