
Example 6 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in the project ddf by codice.

The class XacmlPdpTest, method testResourceIsNotPermitted.

/**
 * Expects the PDP to deny a READ request that carries resource access types A, B and C for the
 * test user and country; the decision is asserted to be {@code false}.
 */
@Test
public void testResourceIsNotPermitted() {
    List<String> requiredAccess = Arrays.asList(ACCESS_TYPE_A, ACCESS_TYPE_B, ACCESS_TYPE_C);
    HashMap<String, List<String>> security = new HashMap<>();
    security.put(RESOURCE_ACCESS, requiredAccess);
    KeyValueCollectionPermission required =
            new KeyValueCollectionPermissionImpl(CollectionPermission.READ_ACTION, security);
    RequestType request =
            testRealm.createXACMLRequest(USER_NAME, generateSubjectInfo(TEST_COUNTRY), required);
    // A permit here would mean the resource policy is more permissive than the test expects.
    assertThat(testRealm.isPermitted(request), equalTo(false));
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) HashMap(java.util.HashMap) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) ArrayList(java.util.ArrayList) List(java.util.List) RequestType(oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType) Test(org.junit.Test)

Example 7 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in the project ddf by codice.

The class XacmlPdpTest, method testActionBadAction.

/**
 * Expects the PDP to deny a request whose permission carries the unrecognised action
 * {@code "bad"}; the decision is asserted to be {@code false}.
 */
@Test
public void testActionBadAction() {
    KeyValueCollectionPermission badAction = new KeyValueCollectionPermissionImpl("bad");
    RequestType request =
            testRealm.createXACMLRequest(USER_NAME, generateSubjectInfo(TEST_COUNTRY), badAction);
    // An unknown action must never evaluate to a permit.
    assertThat(testRealm.isPermitted(request), equalTo(false));
}
Also used : KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) RequestType(oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType) Test(org.junit.Test)

Example 8 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in the project ddf by codice.

The class AuthzRealm, method isPermitted.

/**
 * Checks if the corresponding Subject/user contained within the AuthorizationInfo object implies
 * the given Permission.
 *
 * <p>Evaluation, in the order written below: when the subject holds no permissions the request
 * is audited and denied. A bare {@link KeyValuePermission} is first wrapped in a
 * {@link KeyValueCollectionPermissionImpl} with {@link CollectionPermission#UNKNOWN_ACTION}.
 * A {@link KeyValueCollectionPermission} is then split by key into three groups using
 * {@code matchAllMap} and {@code matchOneMap} (match-all, match-one, and "match-all-pre-XACML"
 * for keys in neither map), each group is run through the policy extensions, and the result is
 * the conjunction of the three checks; the XACML PDP is consulted only when the pre-XACML group
 * is not implied locally. Any other permission type is checked directly against each of the
 * subject's permissions. Every denial is audited through {@code securityLogger}, and the method
 * fails closed: anything not positively implied returns {@code false}.
 *
 * @param subjectPrincipal the subject's principals; only the primary principal is read, and only
 *     to name the user in audit messages (the literal {@code "<user>"} is used when absent)
 * @param permission the permission being checked; {@code null} is never implied
 * @param authorizationInfo the application-specific subject/user identifier.
 * @return true if the user is permitted
 */
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
    Collection<Permission> perms = getPermissions(authorizationInfo);
    // Name used in audit entries; never part of the decision itself.
    String curUser = "<user>";
    if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
        curUser = subjectPrincipal.getPrimaryPrincipal().toString();
    }
    // A subject with no permissions at all falls through to the audited denial at the end.
    if (!CollectionUtils.isEmpty(perms)) {
        if (permission instanceof KeyValuePermission) {
            permission = new KeyValueCollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
            LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
        }
        // NOTE(review): the null check is redundant, instanceof is already false for null.
        if (permission != null && permission instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
            List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
            List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
            for (KeyValuePermission keyValuePermission : keyValuePermissions) {
                String metacardKey = keyValuePermission.getKey();
                // user specified this key in the match all list - remap key
                if (matchAllMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchAllMap.get(metacardKey), keyValuePermission.getValues());
                    matchAllPermissions.add(kvp);
                // user specified this key in the match one list - remap key
                } else if (matchOneMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchOneMap.get(metacardKey), keyValuePermission.getValues());
                    matchOnePermissions.add(kvp);
                // this key was not specified in either - default to match all with the
                // same key value
                } else {
                    // creating a KeyValuePermission list to try to quick match all of these permissions
                    // if that fails, then XACML will try to match them
                    // this covers the case where attributes on the user match up perfectly with the
                    // permissions being implied
                    // this also allows the xacml permissions to run through the policy extensions
                    matchAllPreXacmlPermissions.add(keyValuePermission);
                }
            }
            // The subject's own permissions, viewed as one collection that must imply each group.
            CollectionPermission subjectAllCollection = new CollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, perms);
            KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPermissions);
            KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
            KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchOnePermissions);
            // Policy extensions get a chance to rewrite each group before the local implies() checks.
            matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection, kvcp);
            matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection, kvcp);
            matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection, kvcp);
            MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
            boolean matchAll = subjectAllCollection.implies(matchAllCollection);
            boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
            boolean matchOne = subjectOneCollection.implies(matchOneCollection);
            // Local match-all / match-one failures are audited here; the pre-XACML group is
            // audited separately below, only after the XACML PDP has also declined it.
            if (!matchAll || !matchOne) {
                securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
            }
            // if we weren't able to automatically imply these permissions, call out to XACML
            if (!matchAllXacml) {
                // Note: the PDP receives the pre-XACML group as originally built, not the
                // extension-rewritten matchAllPreXacmlCollection.
                KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
                configureXacmlPdp();
                matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
                if (!matchAllXacml) {
                    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
                }
            }
            // All three groups must be implied; a single failing group denies the request.
            return matchAll && matchOne && matchAllXacml;
        }
        // Non key/value permissions: implied if any single subject permission implies it.
        for (Permission perm : perms) {
            if (permission != null && perm.implies(permission)) {
                return true;
            }
        }
    }
    // Fail closed: nothing above produced a positive result.
    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
    return false;
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) ArrayList(java.util.ArrayList) KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) CollectionPermission(ddf.security.permission.CollectionPermission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl)

Example 9 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in the project ddf by codice.

The class AuthzRealm, method isPermittedByExtensionOne.

/**
 * Runs the match-one permission group through every registered {@link PolicyExtension}.
 *
 * <p>Each extension's {@code isPermittedMatchOne} receives the collection produced by the
 * previous extension and returns the collection handed to the next one. An extension that
 * throws is audited and logged, and the collection it was given is carried forward unchanged.
 * With no extensions registered the input collection is returned as is.
 *
 * @param subjectAllCollection the subject's own permissions as a single collection
 * @param matchOneCollection the match-one group to be evaluated; its permissions and action are
 *     copied into a new collection before the extensions run
 * @param allPermissionsCollection the full permission collection originally requested
 * @return the collection left after the last extension, or {@code matchOneCollection} when
 *     there are no extensions
 */
private KeyValueCollectionPermission isPermittedByExtensionOne(CollectionPermission subjectAllCollection, KeyValueCollectionPermission matchOneCollection, KeyValueCollectionPermission allPermissionsCollection) {
    if (CollectionUtils.isEmpty(policyExtensions)) {
        return matchOneCollection;
    }
    // Start from a fresh collection holding the same permissions and action as the input.
    KeyValueCollectionPermission remaining = new KeyValueCollectionPermissionImpl();
    remaining.addAll(matchOneCollection.getPermissionList());
    remaining.setAction(matchOneCollection.getAction());
    for (PolicyExtension extension : policyExtensions) {
        try {
            remaining = extension.isPermittedMatchOne(subjectAllCollection, remaining, allPermissionsCollection);
        } catch (Exception e) {
            // A failing extension must not abort the whole evaluation: record it in both the
            // security audit and the application log, then continue with the next extension.
            securityLogger.auditWarn(POLICY_EXTENSION_WARNING_MSG, e);
            LOGGER.warn(POLICY_EXTENSION_WARNING_MSG, e);
        }
    }
    return remaining;
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) PolicyExtension(ddf.security.policy.extension.PolicyExtension) PdpException(ddf.security.pdp.realm.xacml.processor.PdpException) AuthenticationException(org.apache.shiro.authc.AuthenticationException)

Example 10 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in the project ddf by codice.

The class FilterPluginTest, method makeDecision.

/**
 * Builds a Mockito {@link Answer} that decides permission checks on behalf of a fixed test user.
 *
 * <p>The test user holds the single attribute {@code Roles = [A, B]} under
 * {@link CollectionPermission#READ_ACTION}. The answer reads the second argument of the mocked
 * invocation as the incoming {@link Permission} and reports whether the test user's permission
 * implies it.
 *
 * @return an answer delegating to {@code KeyValueCollectionPermission#implies}
 */
public Answer<Boolean> makeDecision() {
    List<String> roles = new ArrayList<>();
    roles.add("A");
    roles.add("B");
    Map<String, List<String>> roleMap = new HashMap<>();
    roleMap.put("Roles", roles);
    final KeyValueCollectionPermission testUser =
            new KeyValueCollectionPermissionImpl(CollectionPermission.READ_ACTION, roleMap);
    // args[1] is the permission under test in the mocked call.
    return invocation -> testUser.implies((Permission) invocation.getArguments()[1]);
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Answer(org.mockito.stubbing.Answer) InvocationOnMock(org.mockito.invocation.InvocationOnMock) CollectionPermission(ddf.security.permission.CollectionPermission) Permission(org.apache.shiro.authz.Permission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) List(java.util.List) ArrayList(java.util.ArrayList)
