Search in sources :

Example 1 with CollectionPermissionImpl

use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.

the class AuthzRealm method isPermitted.

/**
 * Checks if the corresponding Subject/user contained within the AuthorizationInfo object implies
 * the given Permission.
 *
 * @param permission the permission being checked.
 * @param authorizationInfo the application-specific subject/user identifier.
 * @return true if the user is permitted
 */
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
    Collection<Permission> perms = getPermissions(authorizationInfo);
    String curUser = "<user>";
    if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
        curUser = subjectPrincipal.getPrimaryPrincipal().toString();
    }
    if (!CollectionUtils.isEmpty(perms)) {
        if (permission instanceof KeyValuePermission) {
            permission = new KeyValueCollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
            LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
        }
        if (permission != null && permission instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
            List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
            List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
            for (KeyValuePermission keyValuePermission : keyValuePermissions) {
                String metacardKey = keyValuePermission.getKey();
                // user specified this key in the match all list - remap key
                if (matchAllMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchAllMap.get(metacardKey), keyValuePermission.getValues());
                    matchAllPermissions.add(kvp);
                // user specified this key in the match one list - remap key
                } else if (matchOneMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchOneMap.get(metacardKey), keyValuePermission.getValues());
                    matchOnePermissions.add(kvp);
                // this key was not specified in either - default to match all with the
                // same key value
                } else {
                    // creating a KeyValuePermission list to try to quick match all of these permissions
                    // if that fails, then XACML will try to match them
                    // this covers the case where attributes on the user match up perfectly with the
                    // permissions being implied
                    // this also allows the xacml permissions to run through the policy extensions
                    matchAllPreXacmlPermissions.add(keyValuePermission);
                }
            }
            CollectionPermission subjectAllCollection = new CollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, perms);
            KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPermissions);
            KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
            KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchOnePermissions);
            matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection, kvcp);
            matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection, kvcp);
            matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection, kvcp);
            MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
            boolean matchAll = subjectAllCollection.implies(matchAllCollection);
            boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
            boolean matchOne = subjectOneCollection.implies(matchOneCollection);
            if (!matchAll || !matchOne) {
                securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
            }
            // if we weren't able to automatically imply these permissions, call out to XACML
            if (!matchAllXacml) {
                KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
                configureXacmlPdp();
                matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
                if (!matchAllXacml) {
                    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
                }
            }
            return matchAll && matchOne && matchAllXacml;
        }
        for (Permission perm : perms) {
            if (permission != null && perm.implies(permission)) {
                return true;
            }
        }
    }
    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
    return false;
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) ArrayList(java.util.ArrayList) KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) CollectionPermission(ddf.security.permission.CollectionPermission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl)

Example 2 with CollectionPermissionImpl

use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.

the class CollectionPermissionTest method testCollectionToString.

/**
 * Tests that the string output of the collection has correct permissions.
 */
@Test
public void testCollectionToString() {
    ArrayList<KeyValuePermission> permissionList = new ArrayList<KeyValuePermission>();
    permissionList.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
    permissionList.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
    CollectionPermission collection = new CollectionPermissionImpl("", permissionList);
    // String outputs the correct collection permissions.
    assertTrue(collection.toString().indexOf("key2") != -1);
    // String does not output extra permissions
    assertFalse(collection.toString().indexOf("key3") != -1);
}
Also used : KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) ArrayList(java.util.ArrayList) CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl) Test(org.junit.Test)

Example 3 with CollectionPermissionImpl

use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.

the class CollectionPermissionTest method testAddAllCollection.

/**
 * Tests that all of the items were added when calling addAll().
 */
@Test
public void testAddAllCollection() {
    CollectionPermission collection = new CollectionPermissionImpl();
    assertTrue(collection.getPermissionList().isEmpty());
    ArrayList<KeyValuePermission> permissionList = new ArrayList<KeyValuePermission>();
    permissionList.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
    permissionList.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
    collection.addAll(permissionList);
    assertFalse(collection.getPermissionList().isEmpty());
    assertEquals(permissionList.size(), collection.getPermissionList().size());
}
Also used : KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) ArrayList(java.util.ArrayList) CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl) Test(org.junit.Test)

Example 4 with CollectionPermissionImpl

use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.

the class CollectionPermissionTest method testCollectionImplies.

/**
 * Tests the collection implying permissions and other collections.
 */
@Test
public void testCollectionImplies() {
    // Permissions of the user
    ArrayList<KeyValuePermission> permissionList = new ArrayList<KeyValuePermission>();
    permissionList.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
    permissionList.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
    permissionList.add(new KeyValuePermissionImpl("key3", Arrays.asList("val3")));
    CollectionPermission userPermission = new CollectionPermissionImpl("", permissionList);
    // user can create
    assertTrue(userPermission.implies(new KeyValuePermissionImpl("key1", Arrays.asList("val1"))));
    // user cannot delete
    assertFalse(userPermission.implies(new KeyValuePermissionImpl("key2", Arrays.asList("somevalue"))));
    // user can create and query
    CollectionPermission task1Permission = new CollectionPermissionImpl("", new KeyValuePermissionImpl("key1", Arrays.asList("val1")), new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
    assertTrue(userPermission.implies(task1Permission));
    // user cannot create AND delete
    CollectionPermission task2Permission = new CollectionPermissionImpl("", new KeyValuePermissionImpl("key1", Arrays.asList("val1")), new KeyValuePermissionImpl("somekey", Arrays.asList("somevalue")));
    assertFalse(userPermission.implies(task2Permission));
    // test empty collection (should always return false)
    assertFalse(new CollectionPermissionImpl().implies(userPermission));
}
Also used : KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) ArrayList(java.util.ArrayList) CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl) Test(org.junit.Test)

Example 5 with CollectionPermissionImpl

use of ddf.security.permission.impl.CollectionPermissionImpl in project ddf by codice.

the class CollectionPermissionTest method testClearCollection.

/**
 * Tests that the collection was properly cleared out after calling clear.
 */
@Test
public void testClearCollection() {
    ArrayList<KeyValuePermission> permissionList = new ArrayList<KeyValuePermission>();
    permissionList.add(new KeyValuePermissionImpl("key1", Arrays.asList("val1")));
    permissionList.add(new KeyValuePermissionImpl("key2", Arrays.asList("val2")));
    CollectionPermission collection = new CollectionPermissionImpl("", permissionList);
    collection.clear();
    assertTrue(collection.getPermissionList().isEmpty());
}
Also used : KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) ArrayList(java.util.ArrayList) CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl) Test(org.junit.Test)

Aggregations

CollectionPermissionImpl (ddf.security.permission.impl.CollectionPermissionImpl)8 KeyValuePermissionImpl (ddf.security.permission.impl.KeyValuePermissionImpl)8 ArrayList (java.util.ArrayList)7 Test (org.junit.Test)6 CollectionPermission (ddf.security.permission.CollectionPermission)1 KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)1 KeyValuePermission (ddf.security.permission.KeyValuePermission)1 KeyValueCollectionPermissionImpl (ddf.security.permission.impl.KeyValueCollectionPermissionImpl)1 MatchOneCollectionPermission (ddf.security.permission.impl.MatchOneCollectionPermission)1 Permission (org.apache.shiro.authz.Permission)1 ContextPolicy (org.codice.ddf.security.policy.context.ContextPolicy)1