Example 1 with MatchOneCollectionPermission
use of ddf.security.permission.MatchOneCollectionPermission in project ddf by codice.
the class AuthzRealm method isPermitted.
/**
* Checks if the corresponding Subject/user contained within the AuthorizationInfo object
* implies the given Permission.
*
* @param permission the permission being checked.
* @param authorizationInfo the application-specific subject/user identifier.
* @return true if the user is permitted
*/
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
Collection<Permission> perms = getPermissions(authorizationInfo);
String curUser = "<user>";
if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
curUser = subjectPrincipal.getPrimaryPrincipal().toString();
}
if (!CollectionUtils.isEmpty(perms)) {
if (permission instanceof KeyValuePermission) {
permission = new KeyValueCollectionPermission(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
}
if (permission != null && permission instanceof KeyValueCollectionPermission) {
KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
for (KeyValuePermission keyValuePermission : keyValuePermissions) {
String metacardKey = keyValuePermission.getKey();
// user specified this key in the match all list - remap key
if (matchAllMap.containsKey(metacardKey)) {
KeyValuePermission kvp = new KeyValuePermission(matchAllMap.get(metacardKey), keyValuePermission.getValues());
matchAllPermissions.add(kvp);
// user specified this key in the match one list - remap key
} else if (matchOneMap.containsKey(metacardKey)) {
KeyValuePermission kvp = new KeyValuePermission(matchOneMap.get(metacardKey), keyValuePermission.getValues());
matchOnePermissions.add(kvp);
// this key was not specified in either - default to match all with the
// same key value
} else {
//creating a KeyValuePermission list to try to quick match all of these permissions
//if that fails, then XACML will try to match them
//this covers the case where attributes on the user match up perfectly with the permissions being implied
//this also allows the xacml permissions to run through the policy extensions
matchAllPreXacmlPermissions.add(keyValuePermission);
}
}
CollectionPermission subjectAllCollection = new CollectionPermission(CollectionPermission.UNKNOWN_ACTION, perms);
KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPermissions);
KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchOnePermissions);
matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection);
matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection);
matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection);
MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
boolean matchAll = subjectAllCollection.implies(matchAllCollection);
boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
boolean matchOne = subjectOneCollection.implies(matchOneCollection);
if (!matchAll || !matchOne) {
SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
}
//if we weren't able to automatically imply these permissions, call out to XACML
if (!matchAllXacml) {
KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
if (!matchAllXacml) {
SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
}
}
return matchAll && matchOne && matchAllXacml;
}
for (Permission perm : perms) {
if (permission != null && perm.implies(permission)) {
return true;
}
}
}
SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
return false;
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission)
CollectionPermission(ddf.security.permission.CollectionPermission)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Permission(org.apache.shiro.authz.Permission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
ArrayList(java.util.ArrayList)
MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission)
CollectionPermission(ddf.security.permission.CollectionPermission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
MatchOneCollectionPermission(ddf.security.permission.MatchOneCollectionPermission)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Aggregations
CollectionPermission (ddf.security.permission.CollectionPermission)1
KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)1
KeyValuePermission (ddf.security.permission.KeyValuePermission)1
MatchOneCollectionPermission (ddf.security.permission.MatchOneCollectionPermission)1
ArrayList (java.util.ArrayList)1
Permission (org.apache.shiro.authz.Permission)1
