
Example 16 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

Class AbstractAuthorizingRealm, method doGetAuthorizationInfo.

/**
 * Builds the permission and role sets for the subject described by the given principal collection.
 *
 * <p>The {@link SecurityAssertion} attached to the principal collection supplies the attribute
 * statements. Every attribute is folded into a key-to-values map by {@code addAttributesToMap}
 * (which is also handed the user expansion services), each map entry becomes one
 * {@link KeyValuePermission}, and the values stored under {@code SAML_ROLE} are reported as roles.
 *
 * @param principalCollection holds the security assertions for the primary principal of this request
 * @return a new collection of permissions and roles corresponding to the security assertions
 * @throws AuthorizationException if there are no security assertions associated with this principal collection or
 *                                if the token cannot be processed successfully.
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    LOGGER.debug("Retrieving authorization info for {}", principalCollection.getPrimaryPrincipal());

    SecurityAssertion securityAssertion = principalCollection.oneByType(SecurityAssertion.class);
    if (securityAssertion == null) {
        // Nothing to derive permissions from, so fail closed rather than return an empty grant.
        throw new AuthorizationException("No assertion found, cannot retrieve authorization info.");
    }

    // Fold every attribute of every statement into key -> values.
    Map<String, Set<String>> attributeValues = new HashMap<>();
    Collection<Expansion> userExpansions = getUserExpansionServices();
    for (AttributeStatement statement : securityAssertion.getAttributeStatements()) {
        addAttributesToMap(statement.getAttributes(), attributeValues, userExpansions);
    }

    // One KeyValuePermission per attribute key.
    Set<Permission> grantedPermissions = new HashSet<>();
    attributeValues.forEach((key, values) -> {
        grantedPermissions.add(new KeyValuePermission(key, values));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding permission: {} : {}", key, StringUtils.join(values, ","));
        }
    });

    // Role membership is carried by the SAML role attribute, when present.
    Set<String> grantedRoles = new HashSet<>();
    if (attributeValues.containsKey(SAML_ROLE)) {
        grantedRoles.addAll(attributeValues.get(SAML_ROLE));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding roles to authorization info: {}", StringUtils.join(grantedRoles, ","));
        }
    }

    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.setObjectPermissions(grantedPermissions);
    authorizationInfo.setRoles(grantedRoles);
    return authorizationInfo;
}

Example 17 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

Class AbstractAuthorizingRealm, method expandPermissions.

/**
 * Runs the metacard expansion services over a list of permissions.
 *
 * <p>A {@link KeyValuePermission} yields one expanded permission per expansion service; a
 * {@link KeyValueCollectionPermission} is expanded recursively and re-wrapped with its original
 * action; any other permission type is passed through untouched.
 *
 * @param permissions the permissions to expand
 * @return the expanded permissions, or {@code permissions} itself (same instance) when no
 *         metacard expansion service is configured
 */
protected List<Permission> expandPermissions(List<Permission> permissions) {
    Collection<Expansion> expansions = getMetacardExpansionServices();
    if (CollectionUtils.isEmpty(expansions)) {
        // Nothing to expand with: hand back the caller's list untouched.
        return permissions;
    }

    List<Permission> result = new ArrayList<>(permissions.size());
    for (Permission original : permissions) {
        if (original instanceof KeyValuePermission) {
            KeyValuePermission keyValue = (KeyValuePermission) original;
            String key = keyValue.getKey();
            // Each service gets its own mutable copy of the values and produces its own permission.
            for (Expansion expansion : expansions) {
                Set<String> expandedValues = expansion.expand(key, new HashSet<>(keyValue.getValues()));
                result.add(new KeyValuePermission(key, expandedValues));
            }
        } else if (original instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission collection = (KeyValueCollectionPermission) original;
            List<Permission> expandedMembers = expandPermissions(collection.getKeyValuePermissionList());
            // Everything inside a key/value collection is a KeyValuePermission, so the unchecked
            // cast back to List<KeyValuePermission> is safe.
            List<KeyValuePermission> members = castToKeyValueList(expandedMembers);
            result.add(new KeyValueCollectionPermission(collection.getAction(), members));
        } else {
            result.add(original);
        }
    }
    return result;
}

Example 18 with Permission

use of org.apache.shiro.authz.Permission in project airpal by airbnb.

Class ExampleLDAPRealm, method doGetAuthorizationInfo.

/**
 * Grants every {@link AllowAllUser} principal the {@code user} role plus the permissions of the
 * first configured {@link UserGroup} whose group strings match the user's.
 *
 * @param principals the principals established at login; must contain at least one AllowAllUser
 * @return role and object permissions for the subject
 * @throws AuthorizationException if no AllowAllUser principal is present
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    Collection<AllowAllUser> users = principals.byType(AllowAllUser.class);
    if (users.isEmpty()) {
        throw new AuthorizationException("No principals!");
    }

    Set<Permission> granted = Sets.newHashSet();
    for (AllowAllUser user : users) {
        granted.addAll(permissionsOfFirstMatchingGroup(user));
    }

    // The "user" role is granted unconditionally; only object permissions depend on group membership.
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(Sets.newHashSet("user"));
    authorizationInfo.setObjectPermissions(granted);
    return authorizationInfo;
}

/**
 * Returns the permissions of the first configured group that represents the user's group strings,
 * or an empty set when no group matches.
 */
private Collection<? extends Permission> permissionsOfFirstMatchingGroup(AllowAllUser user) {
    for (UserGroup group : groups) {
        if (group.representedByGroupStrings(user.getGroups())) {
            return group.getPermissions();
        }
    }
    return Sets.newHashSet();
}

Example 19 with Permission

use of org.apache.shiro.authz.Permission in project graylog2-server by Graylog2.

Class RootAccountRealm, method addRootAccount.

/**
 * Registers a root account in this realm, carrying the {@code root} role and an {@link AllPermission}.
 *
 * @param username account name; written to the debug log
 * @param password credential stored on the account; deliberately kept out of the log line
 */
private void addRootAccount(String username, String password) {
    LOG.debug("Adding root account named {}, having all permissions", username);
    // Single role "root" plus a single AllPermission object permission.
    AllPermission everything = new AllPermission();
    SimpleAccount rootAccount = new SimpleAccount(username, password, getName(),
            CollectionUtils.asSet("root"), CollectionUtils.<Permission>asSet(everything));
    add(rootAccount);
}

Example 20 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

Class OperationPluginTest, method makeDecision.

/**
 * Builds a Mockito {@link Answer} that decides access by checking whether a fixed test-user
 * permission (roles {@code A} and {@code B} under key {@code Roles}, read action) implies the
 * {@link Permission} passed as the second argument of the stubbed call.
 *
 * @return an answer yielding {@code true} when the test-user permission implies the incoming one
 */
private Answer<Boolean> makeDecision() {
    List<String> userRoles = new ArrayList<>();
    userRoles.add("A");
    userRoles.add("B");
    Map<String, List<String>> userAttributes = new HashMap<>();
    userAttributes.put("Roles", userRoles);
    final KeyValueCollectionPermission userPermission =
            new KeyValueCollectionPermission(CollectionPermission.READ_ACTION, userAttributes);

    // NOTE(review): assumes the stubbed method takes the Permission as its second parameter — confirm against the mock setup.
    return invocation -> {
        Permission requested = (Permission) invocation.getArguments()[1];
        return userPermission.implies(requested);
    };
}
