Examples with MatchOneCollectionPermission ddf.security.permission.impl.MatchOneCollectionPermission used on opensource projects

Search in sources :

Example 1 with MatchOneCollectionPermission

use of ddf.security.permission.impl.MatchOneCollectionPermission in project ddf by codice.

the class AuthzRealm method isPermitted.

/**
 * Checks if the corresponding Subject/user contained within the AuthorizationInfo object implies
 * the given Permission.
 *
 * @param permission the permission being checked.
 * @param authorizationInfo the application-specific subject/user identifier.
 * @return true if the user is permitted
 */
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
    Collection<Permission> perms = getPermissions(authorizationInfo);
    String curUser = "<user>";
    if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
        curUser = subjectPrincipal.getPrimaryPrincipal().toString();
    }
    if (!CollectionUtils.isEmpty(perms)) {
        if (permission instanceof KeyValuePermission) {
            permission = new KeyValueCollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
            LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
        }
        if (permission != null && permission instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
            List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
            List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
            for (KeyValuePermission keyValuePermission : keyValuePermissions) {
                String metacardKey = keyValuePermission.getKey();
                // user specified this key in the match all list - remap key
                if (matchAllMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchAllMap.get(metacardKey), keyValuePermission.getValues());
                    matchAllPermissions.add(kvp);
                // user specified this key in the match one list - remap key
                } else if (matchOneMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermissionImpl(matchOneMap.get(metacardKey), keyValuePermission.getValues());
                    matchOnePermissions.add(kvp);
                // this key was not specified in either - default to match all with the
                // same key value
                } else {
                    // creating a KeyValuePermission list to try to quick match all of these permissions
                    // if that fails, then XACML will try to match them
                    // this covers the case where attributes on the user match up perfectly with the
                    // permissions being implied
                    // this also allows the xacml permissions to run through the policy extensions
                    matchAllPreXacmlPermissions.add(keyValuePermission);
                }
            }
            CollectionPermission subjectAllCollection = new CollectionPermissionImpl(CollectionPermission.UNKNOWN_ACTION, perms);
            KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPermissions);
            KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
            KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchOnePermissions);
            matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection, kvcp);
            matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection, kvcp);
            matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection, kvcp);
            MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
            boolean matchAll = subjectAllCollection.implies(matchAllCollection);
            boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
            boolean matchOne = subjectOneCollection.implies(matchOneCollection);
            if (!matchAll || !matchOne) {
                securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
            }
            // if we weren't able to automatically imply these permissions, call out to XACML
            if (!matchAllXacml) {
                KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermissionImpl(kvcp.getAction(), matchAllPreXacmlPermissions);
                configureXacmlPdp();
                matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
                if (!matchAllXacml) {
                    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
                }
            }
            return matchAll && matchOne && matchAllXacml;
        }
        for (Permission perm : perms) {
            if (permission != null && perm.implies(permission)) {
                return true;
            }
        }
    }
    securityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
    return false;
}
Also used : KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) ArrayList(java.util.ArrayList) KeyValuePermissionImpl(ddf.security.permission.impl.KeyValuePermissionImpl) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) CollectionPermission(ddf.security.permission.CollectionPermission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) MatchOneCollectionPermission(ddf.security.permission.impl.MatchOneCollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl) CollectionPermissionImpl(ddf.security.permission.impl.CollectionPermissionImpl)

Aggregations

CollectionPermission (ddf.security.permission.CollectionPermission)1 KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)1 KeyValuePermission (ddf.security.permission.KeyValuePermission)1 CollectionPermissionImpl (ddf.security.permission.impl.CollectionPermissionImpl)1 KeyValueCollectionPermissionImpl (ddf.security.permission.impl.KeyValueCollectionPermissionImpl)1 KeyValuePermissionImpl (ddf.security.permission.impl.KeyValuePermissionImpl)1 MatchOneCollectionPermission (ddf.security.permission.impl.MatchOneCollectionPermission)1 ArrayList (java.util.ArrayList)1 Permission (org.apache.shiro.authz.Permission)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial