
Example 16 with ForbiddenEntityException

use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.

the class DefaultIdentityProjectionManager method saveIdentityRoles.

/**
 * Assigns the identity roles carried by a newly created identity projection.
 * <p>
 * Runs only when the event has no original source, i.e. the projection is being created;
 * an update of an existing projection is not handled here. Every requested role becomes an
 * ADD concept of one role request, which is then started with
 * {@code IdmIdentityRoleService.SKIP_CHECK_AUTHORITIES} set to {@code true}.
 * <p>
 * NOTE(review): the {@code permission} varargs is not read anywhere in this method and the
 * request is started with authority checks skipped, so the permission to assign the requested
 * roles is presumably enforced before this point (e.g. on the projection save) — confirm.
 *
 * @param event create / update event of the identity projection; its content carries the
 *              identity, the prime contract and the requested identity roles
 * @param permission permissions of the caller, not used in this method
 * @throws ForbiddenEntityException when a requested role names no contract and the projection
 *         has no prime contract to fall back to
 */
protected void saveIdentityRoles(EntityEvent<IdmIdentityProjectionDto> event, BasePermission... permission) {
    IdmIdentityProjectionDto projection = event.getContent();
    IdmIdentityProjectionDto previousProjection = event.getOriginalSource();
    IdmIdentityContractDto primeContract = projection.getContract();
    IdmIdentityDto owner = projection.getIdentity();
    if (previousProjection != null) {
        // roles are assigned on create only
        return;
    }
    List<IdmIdentityRoleDto> requestedRoles = projection.getIdentityRoles();
    List<IdmConceptRoleRequestDto> concepts = new ArrayList<>(requestedRoles.size());
    for (IdmIdentityRoleDto requestedRole : requestedRoles) {
        concepts.add(toAddConcept(requestedRole, primeContract));
    }
    if (concepts.isEmpty()) {
        return;
    }
    IdmRoleRequestDto roleRequest = new IdmRoleRequestDto();
    roleRequest.setState(RoleRequestState.CONCEPT);
    roleRequest.setExecuteImmediately(false);
    roleRequest.setApplicant(owner.getId());
    roleRequest.setRequestedByType(RoleRequestedByType.MANUALLY);
    roleRequest = roleRequestService.save(roleRequest);
    for (IdmConceptRoleRequestDto concept : concepts) {
        concept.setRoleRequest(roleRequest.getId());
        conceptRoleRequestService.save(concept);
    }
    // start the request with authority checks skipped (see the class note above)
    RoleRequestEvent requestEvent = new RoleRequestEvent(RoleRequestEventType.EXCECUTE, roleRequest);
    requestEvent.getProperties().put(IdmIdentityRoleService.SKIP_CHECK_AUTHORITIES, Boolean.TRUE);
    // priority and parent are inherited from the projection event (frontend)
    requestEvent.setPriority(event.getPriority());
    requestEvent.setParentId(event.getId());
    // prevents the asynchronous request from starting before the previous update event of the identity completes
    requestEvent.setSuperOwnerId(owner.getId());
    roleRequestService.startRequestInternal(requestEvent);
}

/**
 * Builds an ADD concept for one requested role.
 * <p>
 * The contract of the concept is the one named by the requested role; when the role names
 * none, the prime contract of the projection is used.
 *
 * @param requestedRole identity role requested by the projection
 * @param primeContract prime contract of the projection, may be {@code null}
 * @return concept with operation ADD, validity and eavs copied from the requested role
 * @throws ForbiddenEntityException when no contract can be resolved for the concept
 */
private static IdmConceptRoleRequestDto toAddConcept(IdmIdentityRoleDto requestedRole, IdmIdentityContractDto primeContract) {
    IdmConceptRoleRequestDto concept = new IdmConceptRoleRequestDto();
    if (requestedRole.getIdentityContract() != null) {
        concept.setIdentityContract(requestedRole.getIdentityContract());
    } else if (primeContract != null) {
        concept.setIdentityContract(primeContract.getId());
    } else {
        throw new ForbiddenEntityException("contract", IdmBasePermission.READ);
    }
    concept.setRole(requestedRole.getRole());
    concept.setOperation(ConceptRoleRequestOperation.ADD);
    concept.setValidFrom(requestedRole.getValidFrom());
    concept.setValidTill(requestedRole.getValidTill());
    concept.setEavs(requestedRole.getEavs());
    return concept;
}

Example 17 with ForbiddenEntityException

use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.

the class DefaultIdentityProjectionManagerIntegrationTest method testSaveProjectionEavSecuredException.

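/**
 * Verifies that form (EAV) values of an identity projection are filtered by the
 * {@link IdentityFormValueEvaluator} authorization policy on read, and that an update of a
 * value the caller is not allowed to edit ends with {@link ForbiddenEntityException}.
 * <p>
 * Scenario: a new form definition with two attributes is created; identityOne gets READ on
 * itself, identityTwo gets UPDATE on itself, both also get the same permissions on
 * identityOther and AUTOCOMPLETE/READ on the definition. Without a form value policy neither
 * identity sees any value; after a self-only READ policy on attribute one, identityOne sees
 * exactly that value and an UPDATE of it is refused.
 */
@Test
@Transactional
public void testSaveProjectionEavSecuredException() {
    // 
    // create definition with two attributes
    IdmFormAttributeDto formAttributeOne = new IdmFormAttributeDto(getHelper().createName());
    IdmFormAttributeDto formAttributeTwo = new IdmFormAttributeDto(getHelper().createName());
    IdmFormDefinitionDto formDefinition = formService.createDefinition(IdmIdentityDto.class, getHelper().createName(), Lists.newArrayList(formAttributeOne, formAttributeTwo));
    formAttributeOne = formDefinition.getMappedAttributeByCode(formAttributeOne.getCode());
    formAttributeTwo = formDefinition.getMappedAttributeByCode(formAttributeTwo.getCode());
    // 
    // password is needed
    IdmIdentityDto identityOne = getHelper().createIdentity();
    // password is needed
    IdmIdentityDto identityTwo = getHelper().createIdentity();
    IdmIdentityDto identityOther = getHelper().createIdentity((GuardedString) null);
    // 
    // assign self identity authorization policy - READ - to identityOne
    IdmRoleDto roleReadIdentity = getHelper().createRole();
    getHelper().createAuthorizationPolicy(roleReadIdentity.getId(), CoreGroupPermission.IDENTITY, IdmIdentity.class, SelfIdentityEvaluator.class, IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ);
    // and other
    getHelper().createUuidPolicy(roleReadIdentity.getId(), identityOther.getId(), IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ);
    getHelper().createIdentityRole(identityOne, roleReadIdentity);
    // 
    // assign self identity authorization policy - UPDATE - to identityTwo
    IdmRoleDto roleUpdateIdentity = getHelper().createRole();
    getHelper().createAuthorizationPolicy(roleUpdateIdentity.getId(), CoreGroupPermission.IDENTITY, IdmIdentity.class, SelfIdentityEvaluator.class, IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ, IdmBasePermission.UPDATE);
    // and other
    getHelper().createUuidPolicy(roleUpdateIdentity.getId(), identityOther.getId(), IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ, IdmBasePermission.UPDATE);
    getHelper().createIdentityRole(identityTwo, roleUpdateIdentity);
    // 
    // assign autocomplete to form definition
    getHelper().createUuidPolicy(roleReadIdentity.getId(), formDefinition.getId(), IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ);
    // and other
    getHelper().createUuidPolicy(roleUpdateIdentity.getId(), formDefinition.getId(), IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ);
    // 
    // save some values as admin to identity one
    IdmFormValueDto formValueOne = new IdmFormValueDto(formAttributeOne);
    formValueOne.setValue(getHelper().createName());
    IdmFormValueDto formValueTwo = new IdmFormValueDto(formAttributeTwo);
    formValueTwo.setValue(getHelper().createName());
    List<IdmFormValueDto> formValues = Lists.newArrayList(formValueOne, formValueTwo);
    identityOne.setEavs(Lists.newArrayList(new IdmFormInstanceDto(identityOne, formDefinition, formValues)));
    manager.publish(new IdentityProjectionEvent(IdentityProjectionEventType.UPDATE, new IdmIdentityProjectionDto(identityOne)));
    // 
    // values cannot be read as identity one - no form value policy exists yet
    getHelper().login(identityOne);
    try {
        IdmIdentityProjectionDto projection = manager.get(identityOne.getId(), IdmBasePermission.READ);
        IdmFormInstanceDto formInstance = findFormInstance(projection, formDefinition);
        Assert.assertTrue(formInstance.getValues().isEmpty());
        Assert.assertEquals(0, formInstance.getFormDefinition().getFormAttributes().size());
    } finally {
        logout();
    }
    // identity two cannot read the values of identity other either
    getHelper().login(identityTwo);
    try {
        IdmIdentityProjectionDto projection = manager.get(identityOther.getId(), IdmBasePermission.READ);
        IdmFormInstanceDto formInstance = findFormInstance(projection, formDefinition);
        Assert.assertTrue(formInstance.getValues().isEmpty());
        Assert.assertEquals(0, formInstance.getFormDefinition().getFormAttributes().size());
    } finally {
        logout();
    }
    // 
    // configure authorization policy to read attribute one - for self
    ConfigurationMap properties = new ConfigurationMap();
    properties.put(IdentityFormValueEvaluator.PARAMETER_FORM_DEFINITION, formDefinition.getId());
    properties.put(IdentityFormValueEvaluator.PARAMETER_FORM_ATTRIBUTES, formAttributeOne.getCode());
    properties.put(IdentityFormValueEvaluator.PARAMETER_SELF_ONLY, true);
    getHelper().createAuthorizationPolicy(roleReadIdentity.getId(), CoreGroupPermission.FORMVALUE, IdmIdentityFormValue.class, IdentityFormValueEvaluator.class, properties, IdmBasePermission.READ);
    // 
    // read self attribute one - only the value and attribute covered by the policy are visible
    getHelper().login(identityOne);
    try {
        IdmIdentityProjectionDto projection = manager.get(identityOne.getId(), IdmBasePermission.READ);
        IdmFormInstanceDto formInstance = findFormInstance(projection, formDefinition);
        // 
        Assert.assertEquals(1, formInstance.getValues().size());
        Assert.assertEquals(formValueOne.getShortTextValue(), formInstance.getValues().get(0).getShortTextValue());
        Assert.assertEquals(1, formInstance.getFormDefinition().getFormAttributes().size());
        Assert.assertEquals(formAttributeOne.getCode(), formInstance.getFormDefinition().getFormAttributes().get(0).getCode());
    } finally {
        logout();
    }
    // 
    // update is forbidden - the policy grants READ only
    getHelper().login(identityOne);
    try {
        identityOne.setEavs(Lists.newArrayList(new IdmFormInstanceDto(identityOne, formDefinition, Lists.newArrayList(formValueOne))));
        manager.publish(new IdentityProjectionEvent(IdentityProjectionEventType.UPDATE, new IdmIdentityProjectionDto(identityOne)), IdmBasePermission.UPDATE).getContent();
        // reaching this line means the update was accepted without the UPDATE permission
        Assert.fail("Update of attribute one as identity one has to be forbidden.");
    } catch (ForbiddenEntityException ex) {
        // expected
    } finally {
        logout();
    }
    // NOTE(review): logged in as identityOne while publishing identityTwo with a form instance
    // bound to identityOne - looks like an attempt to edit a foreign identity; confirm the intended actor.
    getHelper().login(identityOne);
    try {
        identityTwo.setEavs(Lists.newArrayList(new IdmFormInstanceDto(identityOne, formDefinition, Lists.newArrayList(formValueOne))));
        manager.publish(new IdentityProjectionEvent(IdentityProjectionEventType.UPDATE, new IdmIdentityProjectionDto(identityTwo)), IdmBasePermission.UPDATE).getContent();
        // reaching this line means the update was accepted without the UPDATE permission
        Assert.fail("Update of identity two as identity one has to be forbidden.");
    } catch (ForbiddenEntityException ex) {
        // expected
    } finally {
        logout();
    }
    // 
    // add policy to edit attribute two for identity one
    properties = new ConfigurationMap();
    properties.put(IdentityFormValueEvaluator.PARAMETER_FORM_DEFINITION, formDefinition.getId());
    properties.put(IdentityFormValueEvaluator.PARAMETER_FORM_ATTRIBUTES, formAttributeTwo.getCode());
    properties.put(IdentityFormValueEvaluator.PARAMETER_SELF_ONLY, true);
    getHelper().createAuthorizationPolicy(roleReadIdentity.getId(), CoreGroupPermission.FORMVALUE, IdmIdentityFormValue.class, IdentityFormValueEvaluator.class, properties, IdmBasePermission.READ, IdmBasePermission.UPDATE);
    // 
    // TODO(review): updatedValue is set on formValueTwo but never published or asserted -
    // the "edit attribute two" step appears unfinished; confirm and complete the scenario.
    String updatedValue = getHelper().createName();
    formValueTwo.setValue(updatedValue);
}

/**
 * Finds the form instance of the given definition among the eavs of the projected identity.
 *
 * @param projection identity projection read by the logged identity
 * @param formDefinition definition whose instance is looked up
 * @return form instance of the definition
 * @throws AssertionError when the projection carries no instance of the definition
 */
private static IdmFormInstanceDto findFormInstance(IdmIdentityProjectionDto projection, IdmFormDefinitionDto formDefinition) {
    return projection
            .getIdentity()
            .getEavs()
            .stream()
            .filter(i -> i.getFormDefinition().getId().equals(formDefinition.getId()))
            .findFirst()
            .orElseThrow(() -> new AssertionError("Form instance of definition [" + formDefinition.getId() + "] not found in projection."));
}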

Example 18 with ForbiddenEntityException

use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.

the class IdentityAddContractGuaranteeBulkAction method processDto.

/**
 * Adds the selected guarantees to every contract of the given identity.
 * <p>
 * Guarantees already present on a contract are skipped. A guarantee the caller is not
 * authorized to create ({@link ForbiddenEntityException}) and a creation failing with
 * {@link ResultCodeException} are logged per item and do not stop the processing of the
 * remaining guarantees and contracts; the overall result is EXECUTED in every case.
 *
 * @param identity identity whose contracts receive the new guarantees
 * @return EXECUTED operation result
 */
@Override
protected OperationResult processDto(IdmIdentityDto identity) {
    Set<UUID> requestedGuarantees = getSelectedGuaranteeUuids(PROPERTY_NEW_GUARANTEE);
    Map<UUID, List<IdmContractGuaranteeDto>> guaranteesByContract = getIdentityGuaranteesOrderedByContract(identity.getId());
    guaranteesByContract.forEach((contractId, assigned) -> {
        Set<UUID> alreadyAssigned = assigned
                .stream()
                .map(IdmContractGuaranteeDto::getGuarantee)
                .collect(Collectors.toSet());
        // only the guarantees missing on this contract are created
        for (UUID guaranteeId : Sets.difference(requestedGuarantees, alreadyAssigned)) {
            addContractGuarantee(contractId, guaranteeId);
        }
    });
    return new OperationResult.Builder(OperationState.EXECUTED).build();
}

/**
 * Creates one contract guarantee under the CREATE permission check and logs the outcome per item.
 * <p>
 * The contract is loaded only on failure, because the error log entries need its dto.
 *
 * @param contractId contract the guarantee is added to
 * @param guaranteeId identity becoming the guarantee
 */
private void addContractGuarantee(UUID contractId, UUID guaranteeId) {
    try {
        IdmContractGuaranteeDto created = createContractGuarantee(guaranteeId, contractId, IdmBasePermission.CREATE);
        logItemProcessed(created, new OperationResult.Builder(OperationState.EXECUTED).build());
    } catch (ForbiddenEntityException ex) {
        LOG.warn("Not authorized to set contract guarantee [{}] of contract [{}].", guaranteeId, contractId, ex);
        IdmIdentityContractDto contract = identityContractService.get(contractId);
        logContractGuaranteePermissionError(contract, guaranteeId, contractId, IdmBasePermission.CREATE, ex);
    } catch (ResultCodeException ex) {
        IdmIdentityContractDto contract = identityContractService.get(contractId);
        logResultCodeException(contract, ex);
    }
}

Example 19 with ForbiddenEntityException

use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.

the class IdmTreeTypeController method getConfigurations.

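/**
 * Returns all configuration properties of the given tree type.
 * <p>
 * The {@code @PreAuthorize} expression only requires the TREETYPE_AUTOCOMPLETE or TREETYPE_READ
 * authority; access to the concrete tree type is then evaluated against the caller's
 * permissions on that entity. Note that the NOT_FOUND result is produced before this
 * entity-level check, i.e. it is guarded by the authority alone.
 *
 * @param backendId tree type identifier - uuid or code
 * @return configuration properties of the tree type, as returned by the service
 * @throws ResultCodeException {@code NOT_FOUND} when no tree type matches {@code backendId}
 * @throws ForbiddenEntityException when the caller has neither AUTOCOMPLETE nor READ permission
 *         on the resolved tree type
 */
@ResponseBody
@RequestMapping(value = "/{backendId}/configurations", method = RequestMethod.GET)
@PreAuthorize("hasAuthority('" + CoreGroupPermission.TREETYPE_AUTOCOMPLETE + "')" + " or hasAuthority('" + CoreGroupPermission.TREETYPE_READ + "')")
@ApiOperation(value = "Get tree type configuration items", nickname = "getTreeTypeConfigurations", tags = { IdmTreeTypeController.TAG }, authorizations = { @Authorization(value = SwaggerConfig.AUTHENTICATION_BASIC, scopes = { @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_AUTOCOMPLETE, description = ""), @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_READ, description = "") }), @Authorization(value = SwaggerConfig.AUTHENTICATION_CIDMST, scopes = { @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_AUTOCOMPLETE, description = ""), @AuthorizationScope(scope = CoreGroupPermission.TREETYPE_READ, description = "") }) })
public List<IdmConfigurationDto> getConfigurations(@ApiParam(value = "Type's uuid identifier or code.", required = true) @PathVariable String backendId) {
    IdmTreeType treeType = (IdmTreeType) getLookupService().lookupEntity(IdmTreeType.class, backendId);
    if (treeType == null) {
        throw new ResultCodeException(CoreResultCode.NOT_FOUND, ImmutableMap.of("entity", backendId));
    }
    // entity-level authorization: the authority check above is not enough to read a concrete type
    Set<String> permissions = service.getPermissions(treeType.getId());
    if (!PermissionUtils.hasAnyPermission(permissions, IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ)) {
        throw new ForbiddenEntityException(treeType.getId(), IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ);
    }
    return service.getConfigurations(treeType.getId());
}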

Example 20 with ForbiddenEntityException

use of eu.bcvsolutions.idm.core.api.exception.ForbiddenEntityException in project CzechIdMng by bcvsolutions.

the class IdmTreeNodeController method getDefaultTreeNode.

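/**
 * Returns the default tree node detail.
 * <p>
 * The {@code @PreAuthorize} expression only requires the TREENODE_AUTOCOMPLETE or TREENODE_READ
 * authority; the caller additionally needs AUTOCOMPLETE or READ permission on the default node
 * itself, which is checked against the node after it has been resolved.
 *
 * @return the default tree node resource with HTTP 200; no {@code null} body is ever returned
 * @throws ResultCodeException {@code NOT_FOUND} when no default tree node is defined
 * @throws ForbiddenEntityException when the caller has neither AUTOCOMPLETE nor READ permission
 *         on the default tree node
 */
@ResponseBody
@RequestMapping(value = "/search/default", method = RequestMethod.GET)
@PreAuthorize("hasAuthority('" + CoreGroupPermission.TREENODE_AUTOCOMPLETE + "')" + " or hasAuthority('" + CoreGroupPermission.TREENODE_READ + "')")
@ApiOperation(value = "Get default tree node detail", nickname = "getDefaultTreeNode", response = IdmTreeNodeDto.class, tags = { IdmTreeNodeController.TAG }, authorizations = { @Authorization(value = SwaggerConfig.AUTHENTICATION_BASIC, scopes = { @AuthorizationScope(scope = CoreGroupPermission.TREENODE_AUTOCOMPLETE, description = ""), @AuthorizationScope(scope = CoreGroupPermission.TREENODE_READ, description = "") }), @Authorization(value = SwaggerConfig.AUTHENTICATION_CIDMST, scopes = { @AuthorizationScope(scope = CoreGroupPermission.TREENODE_AUTOCOMPLETE, description = ""), @AuthorizationScope(scope = CoreGroupPermission.TREENODE_READ, description = "") }) })
public ResponseEntity<?> getDefaultTreeNode() {
    IdmTreeNodeDto defaultTreeNode = treeNodeService.getDefaultTreeNode();
    if (defaultTreeNode == null) {
        throw new ResultCodeException(CoreResultCode.NOT_FOUND, ImmutableMap.of("entity", "default tree type"));
    }
    // entity-level authorization: the authority check above is not enough to read the concrete node
    Set<String> permissions = getService().getPermissions(defaultTreeNode.getId());
    if (!PermissionUtils.hasAnyPermission(permissions, IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ)) {
        throw new ForbiddenEntityException(defaultTreeNode.getId(), IdmBasePermission.AUTOCOMPLETE, IdmBasePermission.READ);
    }
    return new ResponseEntity<>(toResource(defaultTreeNode), HttpStatus.OK);
}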
