Examples with KeyValuePermissionImpl ddf.security.permission.impl.KeyValuePermissionImpl used on opensource projects

Example 1 with KeyValuePermissionImpl

use of ddf.security.permission.impl.KeyValuePermissionImpl in project ddf by codice.

the class AdminConfigPolicyTest method testRemoveSomePermissions.

@Test
public void testRemoveSomePermissions() {
    AdminConfigPolicy adminConfigPolicy = new AdminConfigPolicy();
    adminConfigPolicy.setPermissions(new PermissionsImpl());
    List<String> featurePolicyPermissions = getValidPolicyPermissions();
    List<String> servicePolicyPermissions = getValidPolicyPermissions();
    featurePolicyPermissions.add(TEST_PERMISSION_VALUE + UNAUTHORIZED + "=\"" + TEST_ATTRIBUTE_NAME + UNAUTHORIZED + "=" + TEST_ATTRIBUTE_VALUE + UNAUTHORIZED + "\"");
    servicePolicyPermissions.add(TEST_PERMISSION_VALUE + UNAUTHORIZED + "=\"" + TEST_ATTRIBUTE_NAME + UNAUTHORIZED + "=" + TEST_ATTRIBUTE_VALUE + UNAUTHORIZED + "\"");
    adminConfigPolicy.setFeaturePolicies(featurePolicyPermissions);
    adminConfigPolicy.setServicePolicies(servicePolicyPermissions);
    List<KeyValuePermission> matchOneFeaturePermissions = getMatchOnePermissions(AdminConfigPolicy.FEATURE_NAME);
    matchOneFeaturePermissions.add(new KeyValuePermissionImpl(AdminConfigPolicy.FEATURE_NAME, Sets.newHashSet(TEST_PERMISSION_VALUE + UNAUTHORIZED)));
    List<KeyValuePermission> matchOneServicePermissions = getMatchOnePermissions(AdminConfigPolicy.SERVICE_PID);
    matchOneServicePermissions.add(new KeyValuePermissionImpl(AdminConfigPolicy.SERVICE_PID, Sets.newHashSet(TEST_PERMISSION_VALUE + UNAUTHORIZED)));
    List<KeyValuePermission> matchOneInvalidActionPermission = new ArrayList<>();
    matchOneInvalidActionPermission.add(new KeyValuePermissionImpl("UNKNOWN_ACTION", Sets.newHashSet(TEST_PERMISSION_VALUE)));
    KeyValueCollectionPermission requestedFeaturePermissions = new KeyValueCollectionPermissionImpl(AdminConfigPolicy.VIEW_FEATURE_ACTION, matchOneFeaturePermissions.stream().toArray(KeyValuePermissionImpl[]::new));
    KeyValueCollectionPermission requestedServicePermissions = new KeyValueCollectionPermissionImpl(AdminConfigPolicy.VIEW_SERVICE_ACTION, matchOneServicePermissions.stream().toArray(KeyValuePermissionImpl[]::new));
    KeyValueCollectionPermission requestedInvalidActionPermissions = new KeyValueCollectionPermissionImpl("UNKNOWN_ACTION", matchOneInvalidActionPermission.stream().toArray(KeyValuePermissionImpl[]::new));
    assertEquals(1, adminConfigPolicy.isPermittedMatchOne(getSubjectPermissions(), requestedFeaturePermissions, requestedFeaturePermissions).getPermissionList().size());
    assertEquals(1, adminConfigPolicy.isPermittedMatchOne(getSubjectPermissions(), requestedServicePermissions, requestedServicePermissions).getPermissionList().size());
    assertEquals(1, adminConfigPolicy.isPermittedMatchOne(getSubjectPermissions(), requestedServicePermissions, requestedServicePermissions).getPermissionList().size());
    assertEquals(1, adminConfigPolicy.isPermittedMatchOne(getSubjectPermissions(), requestedInvalidActionPermissions, requestedInvalidActionPermissions).getPermissionList().size());
}

Example 2 with KeyValuePermissionImpl

use of ddf.security.permission.impl.KeyValuePermissionImpl in project ddf by codice.

the class AbstractAuthorizingRealm method expandPermissions.

protected List<Permission> expandPermissions(List<Permission> permissions) {
    Collection<Expansion> expansionServices = getMetacardExpansionServices();
    if (CollectionUtils.isEmpty(expansionServices)) {
        return permissions;
    }
    List<Permission> expandedPermissions = new ArrayList<>(permissions.size());
    for (Permission permission : permissions) {
        if (permission instanceof KeyValuePermission) {
            for (Expansion expansionService : expansionServices) {
                Set<String> expandedSet = expansionService.expand(((KeyValuePermission) permission).getKey(), new HashSet<>(((KeyValuePermission) permission).getValues()));
                expandedPermissions.add(new KeyValuePermissionImpl(((KeyValuePermission) permission).getKey(), expandedSet));
            }
        } else if (permission instanceof KeyValueCollectionPermission) {
            List<Permission> keyValuePermissionList = ((KeyValueCollectionPermission) permission).getKeyValuePermissionList();
            List<Permission> expandedCollection = expandPermissions(keyValuePermissionList);
            // we know that everything in a key value collection is a key value permission so just do
            // the unchecked cast
            List<KeyValuePermission> castedList = castToKeyValueList(expandedCollection);
            expandedPermissions.add(new KeyValueCollectionPermissionImpl(((KeyValueCollectionPermission) permission).getAction(), castedList));
        } else {
            expandedPermissions.add(permission);
        }
    }
    return expandedPermissions;
}

Example 3 with KeyValuePermissionImpl

use of ddf.security.permission.impl.KeyValuePermissionImpl in project ddf by codice.

the class AbstractAuthorizingRealm method doGetAuthorizationInfo.

/**
 * Takes the security attributes about the subject of the incoming security token and builds sets
 * of permissions and roles for use in further checking.
 *
 * @param principalCollection holds the security assertions for the primary principal of this
 *     request
 * @return a new collection of permissions and roles corresponding to the security assertions
 * @throws AuthorizationException if there are no security assertions associated with this
 *     principal collection or if the token cannot be processed successfully.
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    LOGGER.debug("Retrieving authorization info for {}", principalCollection.getPrimaryPrincipal());
    Collection<SecurityAssertion> assertions = principalCollection.byType(SecurityAssertion.class);
    if (assertions.isEmpty()) {
        String msg = "No assertion found, cannot retrieve authorization info.";
        throw new AuthorizationException(msg);
    }
    List<AttributeStatement> attributeStatements = assertions.stream().map(SecurityAssertion::getAttributeStatements).flatMap(List::stream).collect(Collectors.toList());
    Set<Permission> permissions = new HashSet<>();
    Set<String> roles = new HashSet<>();
    Map<String, Set<String>> permissionsMap = new HashMap<>();
    Collection<Expansion> expansionServices = getUserExpansionServices();
    for (AttributeStatement curStatement : attributeStatements) {
        addAttributesToMap(curStatement.getAttributes(), permissionsMap, expansionServices);
    }
    for (Map.Entry<String, Set<String>> entry : permissionsMap.entrySet()) {
        permissions.add(new KeyValuePermissionImpl(entry.getKey(), entry.getValue()));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding permission: {} : {}", entry.getKey(), StringUtils.join(entry.getValue(), ","));
        }
    }
    if (permissionsMap.containsKey(SAML_ROLE)) {
        roles.addAll(permissionsMap.get(SAML_ROLE));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding roles to authorization info: {}", StringUtils.join(roles, ","));
        }
    }
    info.setObjectPermissions(permissions);
    info.setRoles(roles);
    return info;
}

Example 4 with KeyValuePermissionImpl

use of ddf.security.permission.impl.KeyValuePermissionImpl in project ddf by codice.

the class AuthzRealmTest method setup.

@Before
public void setup() throws PdpException {
    String ruleClaim = "FineAccessControls";
    String countryClaim = "CountryOfAffiliation";
    // setup the subject permissions
    List<Permission> permissions = new ArrayList<>();
    KeyValuePermission rulePermission = new KeyValuePermissionImpl(ruleClaim);
    rulePermission.addValue("A");
    rulePermission.addValue("B");
    permissions.add(rulePermission);
    KeyValuePermission countryPermission = new KeyValuePermissionImpl(countryClaim);
    countryPermission.addValue("AUS");
    permissions.add(countryPermission);
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.addObjectPermission(rulePermission);
    authorizationInfo.addObjectPermission(countryPermission);
    authorizationInfo.addObjectPermission(new KeyValuePermissionImpl("role", Arrays.asList("admin")));
    authorizationInfo.addRole("admin");
    authorizationInfo.addStringPermission("wild");
    testRealm = new AuthzRealm("src/test/resources/policies", new XmlParser()) {

        @Override
        public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
            return authorizationInfo;
        }
    };
    testRealm.setSecurityLogger(mock(SecurityLogger.class));
    mockSubjectPrincipal = mock(PrincipalCollection.class);
    when(mockSubjectPrincipal.getPrimaryPrincipal()).thenReturn("user");
    // setup the resource permissions
    permissionList = new ArrayList<>();
    security = new HashMap<>();
    security.put("country", Arrays.asList("AUS", "CAN", "GBR"));
    security.put("rule", Arrays.asList("A", "B"));
    testRealm.setMatchOneMappings(Arrays.asList("CountryOfAffiliation=country"));
    testRealm.setMatchAllMappings(Arrays.asList("FineAccessControls=rule"));
    testRealm.setRolePermissionResolver(roleString -> Arrays.asList(new KeyValuePermissionImpl("role", Arrays.asList(roleString))));
}

Example 5 with KeyValuePermissionImpl

use of ddf.security.permission.impl.KeyValuePermissionImpl in project ddf by codice.

the class AuthzRealm method isPermitted.

/**
 * Checks if the corresponding Subject/user contained within the AuthorizationInfo object implies
 * the given Permission.
 *
 * @param permission the permission being checked.
 * @param authorizationInfo the application-specific subject/user identifier.
 * @return true if the user is permitted
 */
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
    Collection<Permission> perms = getPermissions(authorizationInfo);
    String curUser = "<user>";
    if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
        curUser = subjectPrincipal.getPrimaryPrincipal().toString();
    }
    if (!CollectionUtils.isEmpty(perms)) {
        if (permission instanceof KeyValuePermission) {
            permission = new KeyValueCollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
            LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
        }
        if (permission != null && permission instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
            List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
            List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
            for (KeyValuePermission keyValuePermission : keyValuePermissions) {
                String metacardKey = keyValuePermission.getKey();
                // user specified this key in the match all list - remap key
                if (matchAllMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchAllMap.get(metacardKey), keyValuePermission.getValues());
                    matchAllPermissions.add(kvp);
                // user specified this key in the match one list - remap key
                } else if (matchOneMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchOneMap.get(metacardKey), keyValuePermission.getValues());
                    matchOnePermissions.add(kvp);
                // this key was not specified in either - default to match all with the
                // same key value
                } else {
                    // creating a KeyValuePermission list to try to quick match all of these permissions
                    // if that fails, then XACML will try to match them
                    // this covers the case where attributes on the user match up perfectly with the
                    // permissions being implied
                    // this also allows the xacml permissions to run through the policy extensions
                    matchAllPreXacmlPermissions.add(keyValuePermission);
                }
            }
            CollectionPermission subjectAllCollection = new CollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, perms);
            KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPermissions);
            KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
            KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchOnePermissions);
            matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection, kvcp);
            matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection, kvcp);
            matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection, kvcp);
            MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
            boolean matchAll = subjectAllCollection.implies(matchAllCollection);
            boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
            boolean matchOne = subjectOneCollection.implies(matchOneCollection);
            if (!matchAll || !matchOne) {
                securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
            }
            // if we weren't able to automatically imply these permissions, call out to XACML
            if (!matchAllXacml) {
                KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
                configureXacmlPdp();
                matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
                if (!matchAllXacml) {
                    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
                }
            }
            return matchAll && matchOne && matchAllXacml;
        }
        for (Permission perm : perms) {
            if (permission != null && perm.implies(permission)) {
                return true;
            }
        }
    }
    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
    return false;
}