use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.
the class AuthzRealm method isPermitted.
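/**
 * Checks if the corresponding Subject/user contained within the AuthorizationInfo object implies
 * the given Permission.
 *
 * <p>The decision is fail-closed: the method only returns {@code true} when the subject's own
 * permissions positively imply the request (and, for key/value collections, when the XACML PDP
 * agrees); every other path writes an audit entry through {@code securityLogger} and returns
 * {@code false}.
 *
 * @param subjectPrincipal principals of the subject being checked; only the primary principal's
 *     string form is used (for audit entries and the XACML request), defaulting to
 *     {@code "<user>"} when absent
 * @param permission the permission being checked.
 * @param authorizationInfo the application-specific subject/user identifier.
 * @return true if the user is permitted
 */
private boolean isPermitted(
    PrincipalCollection subjectPrincipal,
    Permission permission,
    AuthorizationInfo authorizationInfo) {
  Collection<Permission> perms = getPermissions(authorizationInfo);
  String curUser = "<user>";
  if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
    curUser = subjectPrincipal.getPrimaryPrincipal().toString();
  }
  // Evaluate (and audit) a local copy so the parameter itself is never reassigned.
  Permission requested = permission;
  if (!CollectionUtils.isEmpty(perms)) {
    if (requested instanceof KeyValuePermission) {
      // A bare KeyValuePermission carries no action; wrap it so it goes through the same
      // collection evaluation as a proper KeyValueCollectionPermission.
      requested =
          new KeyValueCollectionPermissionImpl(
              CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) requested);
      LOGGER.debug(
          "Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
    }
    // instanceof is false for null, so no separate null check is needed here.
    if (requested instanceof KeyValueCollectionPermission) {
      return isKeyValueCollectionPermitted(
          (KeyValueCollectionPermission) requested, perms, curUser, authorizationInfo);
    }
    // Any other Permission type: implied as soon as one of the subject's permissions implies it.
    if (requested != null) {
      for (Permission perm : perms) {
        if (perm.implies(requested)) {
          return true;
        }
      }
    }
  }
  securityLogger.audit(
      PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + requested + "] is not implied.");
  return false;
}

/**
 * Evaluates a key/value collection permission against the subject's own permissions.
 *
 * <p>Each requested key is routed by the configured remapping tables: keys present in
 * {@code matchAllMap} are remapped and evaluated as a match-all collection, keys present in
 * {@code matchOneMap} are remapped and evaluated through {@code MatchOneCollectionPermission},
 * and unmapped keys are first tried as a plain match-all and, failing that, handed to the XACML
 * PDP. The extension hooks ({@code isPermittedByExtensionAll} / {@code isPermittedByExtensionOne})
 * return the collection that is actually evaluated, so they may alter what has to be implied.
 *
 * @param kvcp the requested collection; already wrapped if it arrived as a bare
 *     {@code KeyValuePermission}
 * @param perms the subject's permissions; the caller guarantees this is non-empty
 * @param curUser subject name used in audit entries and the XACML request
 * @param authorizationInfo forwarded unchanged to the XACML PDP
 * @return true only if the match-all, match-one and XACML evaluations all succeed
 */
private boolean isKeyValueCollectionPermitted(
    KeyValueCollectionPermission kvcp,
    Collection<Permission> perms,
    String curUser,
    AuthorizationInfo authorizationInfo) {
  List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
  List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
  List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
  for (KeyValuePermission keyValuePermission : kvcp.getKeyValuePermissionList()) {
    String metacardKey = keyValuePermission.getKey();
    if (matchAllMap.containsKey(metacardKey)) {
      // user specified this key in the match all list - remap key
      matchAllPermissions.add(
          new KeyValuePermissionImpl(matchAllMap.get(metacardKey), keyValuePermission.getValues()));
    } else if (matchOneMap.containsKey(metacardKey)) {
      // user specified this key in the match one list - remap key
      matchOnePermissions.add(
          new KeyValuePermissionImpl(matchOneMap.get(metacardKey), keyValuePermission.getValues()));
    } else {
      // this key was not specified in either - default to match all with the same key value.
      // Kept in their own list so a quick local match-all can succeed first; if that fails,
      // XACML tries to match them, which also routes them through the policy extensions.
      matchAllPreXacmlPermissions.add(keyValuePermission);
    }
  }

  CollectionPermission subjectAllCollection =
      new CollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, perms);
  KeyValueCollectionPermission matchAllCollection =
      isPermittedByExtensionAll(
          subjectAllCollection,
          new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPermissions),
          kvcp);
  KeyValueCollectionPermission matchAllPreXacmlCollection =
      isPermittedByExtensionAll(
          subjectAllCollection,
          new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions),
          kvcp);
  KeyValueCollectionPermission matchOneCollection =
      isPermittedByExtensionOne(
          subjectAllCollection,
          new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchOnePermissions),
          kvcp);
  MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);

  boolean matchAll = subjectAllCollection.implies(matchAllCollection);
  boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
  boolean matchOne = subjectOneCollection.implies(matchOneCollection);
  if (!matchAll || !matchOne) {
    securityLogger.audit(
        PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + kvcp + "] is not implied.");
  }
  // if we weren't able to automatically imply these permissions, call out to XACML.
  // NOTE: the PDP is consulted even when matchAll/matchOne already failed; the final conjunction
  // still denies in that case, but the PDP round-trip and its audit entry happen regardless.
  if (!matchAllXacml) {
    KeyValueCollectionPermission xacmlPermissions =
        new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
    configureXacmlPdp();
    matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
    if (!matchAllXacml) {
      securityLogger.audit(
          PERMISSION_FINISH_1_MSG
              + curUser
              + PERMISSION_FINISH_2_MSG
              + kvcp
              + "] is not implied via XACML.");
    }
  }
  return matchAll && matchOne && matchAllXacml;
}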
use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.
the class CollectionPermissionTest method testCollectionToString.
/**
 * Tests that the string output of the collection has correct permissions.
 */
@Test
public void testCollectionToString() {
  ArrayList<KeyValuePermission> entries = new ArrayList<>();
  entries.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
  entries.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
  String rendered = new CollectionPermissionImpl("", entries).toString();
  // Every permission that was added must appear in the rendering.
  assertTrue(rendered.contains("key2"));
  // Nothing that was never added may appear.
  assertFalse(rendered.contains("key3"));
}
use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.
the class CollectionPermissionTest method testAddAllCollection.
/**
 * Tests that all of the items were added when calling addAll().
 */
@Test
public void testAddAllCollection() {
  CollectionPermission collection = new CollectionPermissionImpl();
  // A freshly constructed collection holds nothing.
  assertTrue(collection.getPermissionList().isEmpty());

  ArrayList<KeyValuePermission> toAdd = new ArrayList<>();
  toAdd.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
  toAdd.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
  collection.addAll(toAdd);

  // Every element, and only those elements, ends up in the collection.
  int expectedSize = toAdd.size();
  assertFalse(collection.getPermissionList().isEmpty());
  assertEquals(expectedSize, collection.getPermissionList().size());
}
use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.
the class CollectionPermissionTest method testCollectionImplies.
/**
 * Tests the collection implying permissions and other collections.
 */
@Test
public void testCollectionImplies() {
  // Permissions held by the user.
  ArrayList<KeyValuePermission> held = new ArrayList<>();
  held.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
  held.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
  held.add(new KeyValuePermissionImpl("key3", Arrays.asList("val3")));
  CollectionPermission userPermission = new CollectionPermissionImpl("", held);

  // A key/value pair the user holds is implied.
  KeyValuePermission heldPair = new KeyValuePermissionImpl("key1", Arrays.asList("val1"));
  assertTrue(userPermission.implies(heldPair));
  // A held key paired with a value the user lacks is not implied.
  KeyValuePermission wrongValue = new KeyValuePermissionImpl("key2", Arrays.asList("somevalue"));
  assertFalse(userPermission.implies(wrongValue));

  // A collection consisting only of held pairs is implied as a whole.
  CollectionPermission task1Permission =
      new CollectionPermissionImpl(
          "",
          new KeyValuePermissionImpl("key1", Arrays.asList("val1")),
          new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
  assertTrue(userPermission.implies(task1Permission));
  // A single unknown key is enough to deny the whole collection.
  CollectionPermission task2Permission =
      new CollectionPermissionImpl(
          "",
          new KeyValuePermissionImpl("key1", Arrays.asList("val1")),
          new KeyValuePermissionImpl("somekey", Arrays.asList("somevalue")));
  assertFalse(userPermission.implies(task2Permission));

  // An empty collection implies nothing (fail-closed), not even a populated one.
  CollectionPermission empty = new CollectionPermissionImpl();
  assertFalse(empty.implies(userPermission));
}
use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.
the class CollectionPermissionTest method testClearCollection.
/**
 * Tests that the collection was properly cleared out after calling clear.
 */
@Test
public void testClearCollection() {
  ArrayList<KeyValuePermission> seed = new ArrayList<>();
  seed.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
  seed.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
  CollectionPermission collection = new CollectionPermissionImpl("", seed);

  collection.clear();

  // Nothing may survive clear().
  boolean emptied = collection.getPermissionList().isEmpty();
  assertTrue(emptied);
}