
Example 11 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class AuthzRealmTest method setup.

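/**
 * Builds the realm under test together with a fixed subject.
 * <p>
 * The subject carries two claim-backed permissions ({@code FineAccessControls} with values
 * A and B, {@code CountryOfAffiliation} with value AUS), a {@code role=admin} permission,
 * the {@code admin} role and the string permission {@code wild}. The realm's
 * {@code getAuthorizationInfo} is overridden to return that fixed info so no principal
 * lookup is needed, and the claim/resource-attribute mappings are configured on the realm.
 *
 * @throws PdpException declared for the checked exception of the realm setup calls
 */
@Before
public void setup() throws PdpException {
    String ruleClaim = "FineAccessControls";
    String countryClaim = "CountryOfAffiliation";

    // Subject-side permissions: the attributes the mocked user carries.
    KeyValuePermission rulePermission = new KeyValuePermission(ruleClaim);
    rulePermission.addValue("A");
    rulePermission.addValue("B");
    KeyValuePermission countryPermission = new KeyValuePermission(countryClaim);
    countryPermission.addValue("AUS");

    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.addObjectPermission(rulePermission);
    authorizationInfo.addObjectPermission(countryPermission);
    authorizationInfo.addObjectPermission(new KeyValuePermission("role", Arrays.asList("admin")));
    authorizationInfo.addRole("admin");
    authorizationInfo.addStringPermission("wild");

    // Short-circuit principal resolution: every lookup yields the fixed info built above.
    testRealm = new AuthzRealm("src/test/resources/policies", new XmlParser()) {

        @Override
        public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
            return authorizationInfo;
        }
    };
    mockSubjectPrincipal = Mockito.mock(PrincipalCollection.class);
    when(mockSubjectPrincipal.getPrimaryPrincipal()).thenReturn("user");

    // Resource-side permissions and the mappings between subject claims and resource keys.
    permissionList = new ArrayList<>();
    security = new HashMap<>();
    security.put("country", Arrays.asList("AUS", "CAN", "GBR"));
    security.put("rule", Arrays.asList("A", "B"));
    testRealm.setMatchOneMappings(Arrays.asList("CountryOfAffiliation=country"));
    testRealm.setMatchAllMappings(Arrays.asList("FineAccessControls=rule"));
    // Every role name is resolved to a single "role=<name>" key/value permission.
    testRealm.setRolePermissionResolver(
            roleString -> Arrays.asList(new KeyValuePermission("role", Arrays.asList(roleString))));
}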

Example 12 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class AuthzRealm method isPermitted.

/**
 * Checks if the corresponding Subject/user contained within the AuthorizationInfo object
 * implies the given Permission.
 * <p>
 * A {@link KeyValueCollectionPermission} (a bare {@link KeyValuePermission} is wrapped into
 * one first) is split into three parts by the key of each requested key/value pair:
 * keys present in {@code matchAllMap} are remapped and must all be implied by the subject's
 * permissions; keys present in {@code matchOneMap} are remapped and evaluated with a
 * {@link MatchOneCollectionPermission}; keys in neither map are first checked as-is against
 * the subject's permissions and, only if that fails, handed to the XACML PDP. All three parts
 * must pass. Any other permission type is granted as soon as one subject permission implies
 * it. Every denial is written to the security audit log, and the method fails closed
 * (returns {@code false}) when nothing grants the permission.
 *
 * @param subjectPrincipal  principals of the subject being checked; only the primary
 *                          principal's string form is used, for audit messages and the
 *                          XACML request
 * @param permission        the permission being checked.
 * @param authorizationInfo the subject's authorization info whose permissions are checked
 *                          against {@code permission}
 * @return true if the user is permitted
 */
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
    Collection<Permission> perms = getPermissions(authorizationInfo);
    // Placeholder used in audit messages and the XACML request when no primary principal is available.
    String curUser = "<user>";
    if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
        curUser = subjectPrincipal.getPrimaryPrincipal().toString();
    }
    if (!CollectionUtils.isEmpty(perms)) {
        // A bare KeyValuePermission carries no action; wrap it so it takes the collection path
        // below. Callers should build a KeyValueCollectionPermission with an explicit action.
        if (permission instanceof KeyValuePermission) {
            permission = new KeyValueCollectionPermission(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
            LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
        }
        if (permission != null && permission instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
            List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
            List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
            // Partition the requested key/value pairs by how their key is configured to be matched.
            for (KeyValuePermission keyValuePermission : keyValuePermissions) {
                String metacardKey = keyValuePermission.getKey();
                // user specified this key in the match all list - remap key
                if (matchAllMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermission(matchAllMap.get(metacardKey), keyValuePermission.getValues());
                    matchAllPermissions.add(kvp);
                // user specified this key in the match one list - remap key
                } else if (matchOneMap.containsKey(metacardKey)) {
                    KeyValuePermission kvp = new KeyValuePermission(matchOneMap.get(metacardKey), keyValuePermission.getValues());
                    matchOnePermissions.add(kvp);
                // this key was not specified in either - default to match all with the
                // same key value
                } else {
                    // Keep the original key so a quick "match all" against the subject's own
                    // attributes can succeed first; if that fails, the same pairs are sent to
                    // XACML, which also lets policy extensions run over them.
                    matchAllPreXacmlPermissions.add(keyValuePermission);
                }
            }
            // The subject's complete permission set, viewed as one "all must match" collection.
            CollectionPermission subjectAllCollection = new CollectionPermission(CollectionPermission.UNKNOWN_ACTION, perms);
            KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPermissions);
            KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
            KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchOnePermissions);
            // Policy extensions get to rewrite each requested collection against the subject's
            // permissions before the implies() checks. NOTE(review): what they add or remove is
            // defined in isPermittedByExtensionAll/One, not here — confirm before relying on it.
            matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection);
            matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection);
            matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection);
            MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
            boolean matchAll = subjectAllCollection.implies(matchAllCollection);
            boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
            boolean matchOne = subjectOneCollection.implies(matchOneCollection);
            // A failed match-all or match-one part is a definite denial (see the final return);
            // it is audited here even though the XACML lookup below still runs.
            if (!matchAll || !matchOne) {
                SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
            }
            //if we weren't able to automatically imply these permissions, call out to XACML
            if (!matchAllXacml) {
                // The PDP sees the un-remapped pairs (before any extension rewrite) plus the
                // subject's authorization info.
                KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
                matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
                if (!matchAllXacml) {
                    SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
                }
            }
            // Grant only when every part passed.
            return matchAll && matchOne && matchAllXacml;
        }
        // Any other permission type: the first subject permission that implies it grants access.
        for (Permission perm : perms) {
            if (permission != null && perm.implies(permission)) {
                return true;
            }
        }
    }
    // Fail closed: no permissions, a null permission, or nothing implied it.
    SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
    return false;
}

Example 13 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class AuthzRealm method resolveRolePermissions.

/**
 * Expands the given role names into the {@link Permission}s each role grants, using the
 * realm's configured {@code RolePermissionResolver}.
 * <p>
 * Without a resolver, or with no role names, an immutable empty set is returned; otherwise
 * a mutable set holding the union of every role's resolved permissions (roles that resolve
 * to nothing are skipped).
 *
 * @param roleNames user roles.
 * @return collection of Permissions
 */
private Collection<Permission> resolveRolePermissions(Collection<String> roleNames) {
    RolePermissionResolver resolver = getRolePermissionResolver();
    if (resolver == null || CollectionUtils.isEmpty(roleNames)) {
        return Collections.emptySet();
    }
    Collection<Permission> rolePerms = new HashSet<>(roleNames.size());
    for (String role : roleNames) {
        Collection<Permission> grantedByRole = resolver.resolvePermissionsInRole(role);
        if (CollectionUtils.isEmpty(grantedByRole)) {
            continue;
        }
        rolePerms.addAll(grantedByRole);
    }
    return rolePerms;
}

Example 14 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class AuthzRealm method resolvePermissions.

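/**
 * Returns a collection of {@link Permission} objects that are built from the associated
 * collection of Strings.
 * <p>
 * Uses the realm's configured {@code PermissionResolver}. When no resolver is set or
 * {@code stringPerms} is empty, an immutable empty set is returned; otherwise a mutable set
 * with one resolved permission per input string.
 *
 * @param stringPerms collection of Strings that represent permissions.
 * @return collection of Permissions
 */
private Collection<Permission> resolvePermissions(Collection<String> stringPerms) {
    PermissionResolver resolver = getPermissionResolver();
    if (resolver == null || CollectionUtils.isEmpty(stringPerms)) {
        return Collections.emptySet();
    }
    Collection<Permission> perms = new HashSet<>(stringPerms.size());
    for (String strPermission : stringPerms) {
        // Resolve with the resolver fetched above (not a fresh getPermissionResolver() call per
        // element) so a single invocation always uses one resolver, matching resolveRolePermissions.
        perms.add(resolver.resolvePermission(strPermission));
    }
    return perms;
}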

Example 15 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class XacmlPdp method createSubjectAttributes.

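/**
 * Builds the XACML access-subject attribute category of a request: the subject id, one
 * multi-valued role attribute (only if the subject has roles) and one attribute per
 * {@link KeyValuePermission} the subject holds, keyed by the permission's key.
 * <p>
 * Permissions of any other type are logged and skipped, and a key-value permission with no
 * values contributes no attribute. Null role or permission collections are treated as empty.
 *
 * @param subject identifier of the requesting subject, sent as the subject-id attribute
 * @param info    the subject's roles and object permissions
 * @return the populated subject attributes
 */
private AttributesType createSubjectAttributes(String subject, AuthorizationInfo info) {
    AttributesType subjectAttributes = new AttributesType();
    subjectAttributes.setCategory(XACMLConstants.ACCESS_SUBJECT_CATEGORY);

    LOGGER.debug("Adding subject: {}", subject);
    AttributeType subjectAttribute = newAttribute(XACMLConstants.SUBJECT_ID);
    subjectAttribute.getAttributeValue().add(newAttributeValue(XACMLConstants.STRING_DATA_TYPE, subject));
    subjectAttributes.getAttribute().add(subjectAttribute);

    // AuthorizationInfo implementations may hand back null for collections that were never
    // populated; treat that like "no roles" instead of failing the whole request.
    if (info.getRoles() != null && !info.getRoles().isEmpty()) {
        AttributeType roleAttribute = newAttribute(XACMLConstants.ROLE_CLAIM);
        for (String curRole : info.getRoles()) {
            LOGGER.trace("Adding role: {} for subject: {}", curRole, subject);
            roleAttribute.getAttributeValue().add(newAttributeValue(XACMLConstants.STRING_DATA_TYPE, curRole));
        }
        subjectAttributes.getAttribute().add(roleAttribute);
    }

    if (info.getObjectPermissions() != null) {
        for (Permission curPermission : info.getObjectPermissions()) {
            if (curPermission instanceof KeyValuePermission) {
                addPermissionAttribute(subjectAttributes, (KeyValuePermission) curPermission, subject);
            } else {
                LOGGER.warn("Permissions for subject were not of type KeyValuePermission, cannot add any subject permissions to the request.");
            }
        }
    }
    return subjectAttributes;
}

/**
 * Adds one attribute for the given key-value permission, with one value per permission
 * value, each typed via {@link #getXacmlDataType}. A permission without values adds nothing.
 *
 * @param subjectAttributes the category the attribute is appended to
 * @param permission        the subject's key-value permission
 * @param subject           subject identifier, used only for trace logging
 */
private void addPermissionAttribute(AttributesType subjectAttributes, KeyValuePermission permission, String subject) {
    if (permission.getValues().isEmpty()) {
        return;
    }
    AttributeType permissionAttribute = newAttribute(permission.getKey());
    for (String curPermValue : permission.getValues()) {
        LOGGER.trace("Adding permission: {}:{} for subject: {}", permission.getKey(), curPermValue, subject);
        permissionAttribute.getAttributeValue().add(newAttributeValue(getXacmlDataType(curPermValue), curPermValue));
    }
    subjectAttributes.getAttribute().add(permissionAttribute);
}

/**
 * Creates an empty attribute with the given id that is excluded from the decision result.
 *
 * @param attributeId XACML attribute id
 * @return the new attribute, with no values yet
 */
private static AttributeType newAttribute(String attributeId) {
    AttributeType attribute = new AttributeType();
    attribute.setAttributeId(attributeId);
    attribute.setIncludeInResult(false);
    return attribute;
}

/**
 * Creates a single attribute value.
 *
 * @param dataType XACML data type of the value
 * @param content  the value itself
 * @return the new attribute value holding {@code content}
 */
private static AttributeValueType newAttributeValue(String dataType, String content) {
    AttributeValueType value = new AttributeValueType();
    value.setDataType(dataType);
    value.getContent().add(content);
    return value;
}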
