Example 16 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.

Class XacmlPdpTest, method testActionGoodSiteName.

@Test
public void testActionGoodSiteName() {
    // Blank authorization info: no roles and no object permissions, so the
    // permit decision rests on the XACML policy evaluated by testRealm.
    SimpleAuthorizationInfo blankUserInfo = new SimpleAuthorizationInfo(new HashSet<String>());
    blankUserInfo.setObjectPermissions(new HashSet<Permission>());
    // Build the XACML request for the site-name action and expect a permit.
    RequestType request = testRealm.createXACMLRequest(USER_NAME, blankUserInfo, new KeyValueCollectionPermissionImpl(SITE_NAME_ACTION));
    assertThat(testRealm.isPermitted(request), equalTo(true));
}
Also used: SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) RequestType(oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType) Test(org.junit.Test)

Example 17 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.

Class PEPAuthorizingInterceptor, method handleMessage.

/**
 * Intercepts a message. Interceptors should NOT invoke handleMessage or handleFault on the next
 * interceptor - the interceptor chain will take care of this.
 *
 * @param message
 */
@Override
public void handleMessage(Message message) throws Fault {
    if (message != null) {
        // grab the SAML assertion associated with this Message from the
        // token store
        SecurityAssertion assertion = assertionRetriever.apply(message);
        boolean isPermitted = false;
        if ((assertion != null) && (assertion.getToken() != null)) {
            Subject user = null;
            CollectionPermission action = null;
            String actionURI = getActionUri(message);
            try {
                user = securityManager.getSubject(assertion.getToken());
                if (user == null) {
                    throw new AccessDeniedException(UNAUTH);
                }
                LOGGER.debug("Is user authenticated: {}", user.isAuthenticated());
                LOGGER.debug("Checking for permission");
                securityLogger.audit("Is Subject authenticated? " + user.isAuthenticated(), user);
                if (StringUtils.isEmpty(actionURI)) {
                    securityLogger.audit("Denying access to Subject for unknown action.", user);
                    throw new AccessDeniedException(UNAUTH);
                }
                action = new KeyValueCollectionPermissionImpl(actionURI);
                LOGGER.debug("Permission: {}", action);
                isPermitted = user.isPermitted(action);
                LOGGER.debug("Result of permission: {}", isPermitted);
                securityLogger.audit("Is Subject  permitted? " + isPermitted, user);
                // store the subject so the DDF framework can use it later
                ThreadContext.bind(user);
                message.put(SecurityConstants.SECURITY_TOKEN_KEY, user);
                LOGGER.debug("Added assertion information to message at key {}", SecurityConstants.SECURITY_TOKEN_KEY);
            } catch (SecurityServiceException e) {
                securityLogger.audit("Denying access : Caught exception when trying to authenticate user for service [" + actionURI + "]", e);
                throw new AccessDeniedException(UNAUTH);
            }
            if (!isPermitted) {
                securityLogger.audit("Denying access to Subject for service: " + action.getAction(), user);
                throw new AccessDeniedException(UNAUTH);
            }
        } else {
            securityLogger.audit("Unable to retrieve the security assertion associated with the web service call.");
            throw new AccessDeniedException(UNAUTH);
        }
    } else {
        securityLogger.audit("Unable to retrieve the current message associated with the web service call.");
        throw new AccessDeniedException(UNAUTH);
    }
}
Also used: AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) SecurityServiceException(ddf.security.service.SecurityServiceException) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) CollectionPermission(ddf.security.permission.CollectionPermission) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject)

Example 18 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.

Class Policy, method getAllowedAttributePermissions.

@Override
public CollectionPermission getAllowedAttributePermissions() {
    // Gather the attribute permission required by each context attribute mapping...
    List<KeyValuePermission> perms = new ArrayList<>();
    for (ContextAttributeMapping mapping : attributeMappings) {
        perms.add(mapping.getAttributePermission());
    }
    // ...and wrap them in one collection permission whose action is this policy's context path.
    KeyValueCollectionPermission permissions = new KeyValueCollectionPermissionImpl(getContextPath());
    permissions.addAll(perms);
    return permissions;
}
Also used: KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) ArrayList(java.util.ArrayList) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) KeyValuePermission(ddf.security.permission.KeyValuePermission) ContextAttributeMapping(org.codice.ddf.security.policy.context.attributes.ContextAttributeMapping)

Example 19 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.

Class AuthzRealmTest, method testIsNotPermitted.

@Test
public void testIsNotPermitted() {
    // Required key/value pairs for the "action" permission. Alongside country and
    // rule, this map demands country2 and rule2, which the test subject does not carry.
    HashMap<String, List<String>> security = new HashMap<String, List<String>>();
    security.put("country", Arrays.asList("AUS", "CAN", "GBR"));
    security.put("country2", Arrays.asList("CAN", "GBR"));
    security.put("rule", Arrays.asList("A", "B"));
    security.put("rule2", Arrays.asList("A", "B", "C"));
    KeyValueCollectionPermission kvcp = new KeyValueCollectionPermissionImpl("action", security);
    permissionList.clear();
    permissionList.add(kvcp);
    // The realm returns one boolean per requested permission; every entry must be a deny.
    boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
    for (boolean permitted : permittedArray) {
        Assert.assertEquals(false, permitted);
    }
}
Also used: KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) HashMap(java.util.HashMap) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) ArrayList(java.util.ArrayList) List(java.util.List) Test(org.junit.Test)

Example 20 with KeyValueCollectionPermissionImpl

Use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.

Class AuthzRealmTest, method testIsPermitted.

@Test
public void testIsPermitted() {
    permissionList.clear();
    // Same "action" permission, but built from the test class's own security
    // fixture (the key/value pairs the mock subject satisfies).
    KeyValueCollectionPermission kvcp = new KeyValueCollectionPermissionImpl("action", security);
    permissionList.add(kvcp);
    // Every entry in the result array must be a permit.
    boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
    for (boolean permitted : permittedArray) {
        Assert.assertEquals(true, permitted);
    }
}
Also used: KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) Test(org.junit.Test)
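The two AuthzRealmTest examples above show the outcome of a key/value collection check (a permit when only the fixture's keys are required, a deny once country2 and rule2 are added) but not the rule that produces it. The following self-contained Java program is an added illustration, not code from DDF or Codice and using no DDF classes: it models an "action plus key/value requirements" permission and evaluates it fail-closed against a constructed set of subject attributes. The matching rule it implements (the subject must hold every required value under every required key; a missing key, a missing value or an empty action denies) is an assumption of this model, not taken from the page. The subject attributes and requirement maps in main are constructed to mirror the shapes of Examples 19 and 20.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical model of an "action + key/value requirements" permission check.
 * Not DDF's KeyValueCollectionPermissionImpl; the matching rule is an assumption.
 */
public class KeyValueMatchDemo {

    /** An action plus the attribute values a subject must hold, keyed by attribute name. */
    static final class ActionRequirement {
        final String action;
        final Map<String, Set<String>> required = new HashMap<>();

        ActionRequirement(String action, Map<String, List<String>> keyValues) {
            this.action = action;
            for (Map.Entry<String, List<String>> e : keyValues.entrySet()) {
                required.put(e.getKey(), new HashSet<>(e.getValue()));
            }
        }
    }

    /**
     * Fail-closed evaluation: permit only when the action is known and the subject
     * holds every required value under every required key. A missing key, a value
     * the subject lacks, or an empty action all deny.
     */
    static boolean isPermitted(Map<String, Set<String>> subjectAttributes, ActionRequirement req) {
        if (req.action == null || req.action.isEmpty()) {
            // Unknown action: deny, as the empty-actionURI branch in Example 17 does.
            return false;
        }
        for (Map.Entry<String, Set<String>> e : req.required.entrySet()) {
            Set<String> held = subjectAttributes.get(e.getKey());
            if (held == null || !held.containsAll(e.getValue())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed subject attributes (not from the page): country and rule only,
        // no country2 and no rule2.
        Map<String, Set<String>> subject = new HashMap<>();
        subject.put("country", new HashSet<>(Arrays.asList("AUS", "CAN", "GBR")));
        subject.put("rule", new HashSet<>(Arrays.asList("A", "B")));

        // Requirement in the shape of Example 20: only keys the subject holds.
        Map<String, List<String>> permittedMap = new HashMap<>();
        permittedMap.put("country", Arrays.asList("AUS", "CAN", "GBR"));
        permittedMap.put("rule", Arrays.asList("A", "B"));

        // Requirement in the shape of Example 19: extra keys the subject lacks.
        Map<String, List<String>> deniedMap = new HashMap<>(permittedMap);
        deniedMap.put("country2", Arrays.asList("CAN", "GBR"));
        deniedMap.put("rule2", Arrays.asList("A", "B", "C"));

        // Partial coverage: the subject holds rule A and B, but C is also required.
        Map<String, List<String>> partialMap = new HashMap<>();
        partialMap.put("rule", Arrays.asList("A", "B", "C"));

        System.out.println("all required keys held: "
                + isPermitted(subject, new ActionRequirement("action", permittedMap)));
        System.out.println("required keys missing:  "
                + isPermitted(subject, new ActionRequirement("action", deniedMap)));
        System.out.println("required value missing: "
                + isPermitted(subject, new ActionRequirement("action", partialMap)));
        System.out.println("empty action:           "
                + isPermitted(subject, new ActionRequirement("", permittedMap)));
    }
}
```

Save as KeyValueMatchDemo.java, then `javac KeyValueMatchDemo.java && java KeyValueMatchDemo`. The point of the model is the direction of the check: every requirement the permission carries must be covered by what the subject holds, and any gap, including a key the subject never had, ends in a deny rather than a partial permit.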

Aggregations

KeyValueCollectionPermissionImpl (ddf.security.permission.impl.KeyValueCollectionPermissionImpl) 22
KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission) 16
Test (org.junit.Test) 13
ArrayList (java.util.ArrayList) 12
RequestType (oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType) 8
KeyValuePermission (ddf.security.permission.KeyValuePermission) 7
List (java.util.List) 7
KeyValuePermissionImpl (ddf.security.permission.impl.KeyValuePermissionImpl) 6
HashMap (java.util.HashMap) 5
CollectionPermission (ddf.security.permission.CollectionPermission) 4
Permission (org.apache.shiro.authz.Permission) 4
PermissionsImpl (ddf.security.permission.impl.PermissionsImpl) 3
PdpException (ddf.security.pdp.realm.xacml.processor.PdpException) 2
PolicyExtension (ddf.security.policy.extension.PolicyExtension) 2
AuthenticationException (org.apache.shiro.authc.AuthenticationException) 2
Subject (ddf.security.Subject) 1
SecurityAssertion (ddf.security.assertion.SecurityAssertion) 1
Expansion (ddf.security.expansion.Expansion) 1
CollectionPermissionImpl (ddf.security.permission.impl.CollectionPermissionImpl) 1
MatchOneCollectionPermission (ddf.security.permission.impl.MatchOneCollectionPermission) 1