Search in sources :

Example 1 with MatchOneCollectionPermission

use of ddf.security.permission.MatchOneCollectionPermission in project ddf by codice.

the class AuthzRealm method isPermitted.

/**
     * Checks if the corresponding Subject/user contained within the AuthorizationInfo object
     * implies the given Permission.
     *
     * @param permission        the permission being checked.
     * @param authorizationInfo the application-specific subject/user identifier.
     * @return true if the user is permitted
     */
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
    Collection<Permission> perms = getPermissions(authorizationInfo);
    String curUser = "<user>";
    if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
        curUser = subjectPrincipal.getPrimaryPrincipal().toString();
    }
    if (!CollectionUtils.isEmpty(perms)) {
        if (permission instanceof KeyValuePermission) {
            permission = new KeyValueCollectionPermission(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
            LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
        }
        if (permission != null && permission instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
            List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
            List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
            for (KeyValuePermission keyValuePermission : keyValuePermissions) {
                String metacardKey = keyValuePermission.getKey();
                // user specified this key in the match all list - remap key
                if (matchAllMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermission(matchAllMap.get(metacardKey), keyValuePermission.getValues());
                    matchAllPermissions.add(kvp);
                // user specified this key in the match one list - remap key
                } else if (matchOneMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermission(matchOneMap.get(metacardKey), keyValuePermission.getValues());
                    matchOnePermissions.add(kvp);
                // this key was not specified in either - default to match all with the
                // same key value
                } else {
                    //creating a KeyValuePermission list to try to quick match all of these permissions
                    //if that fails, then XACML will try to match them
                    //this covers the case where attributes on the user match up perfectly with the permissions being implied
                    //this also allows the xacml permissions to run through the policy extensions
                    matchAllPreXacmlPermissions.add(keyValuePermission);
                }
            }
            CollectionPermission subjectAllCollection = new CollectionPermission(CollectionPermission.UNKNOWN_ACTION, perms);
            KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPermissions);
            KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
            KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchOnePermissions);
            matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection);
            matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection);
            matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection);
            MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
            boolean matchAll = subjectAllCollection.implies(matchAllCollection);
            boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
            boolean matchOne = subjectOneCollection.implies(matchOneCollection);
            if (!matchAll || !matchOne) {
                SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
            }
            //if we weren't able to automatically imply these permissions, call out to XACML
            if (!matchAllXacml) {
                KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
                matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
                if (!matchAllXacml) {
                    SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
                }
            }
            return matchAll && matchOne && matchAllXacml;
        }
        for (Permission perm : perms) {
            if (permission != null && perm.implies(permission)) {
                return true;
            }
        }
    }
    SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
    return false;
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) ArrayList(java.util.ArrayList) MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission)

Aggregations

CollectionPermission (ddf.security.permission.CollectionPermission)1 KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)1 KeyValuePermission (ddf.security.permission.KeyValuePermission)1 MatchOneCollectionPermission (ddf.security.permission.MatchOneCollectionPermission)1 ArrayList (java.util.ArrayList)1 Permission (org.apache.shiro.authz.Permission)1