Use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.
From class PolicyManager, method setPolicyStore.
/**
 * Rebuilds the context policy store from the three per-context configuration maps.
 *
 * <p>The root context {@code "/"} is first filled in with defaults in every map so it always
 * resolves. Then every context path mentioned in any of the maps gets a {@link Policy} whose
 * realm, authentication types and required attributes are resolved by the {@code getContext*}
 * helpers. The completed map replaces {@code policyStore} in a single assignment.
 *
 * @param allContextsToRealms context path to realm; updated in place with the "/" default
 * @param allContextsToAuths context path to authentication types; updated in place with the "/" default
 * @param allContextsToAttrs context path to required attribute mappings; updated in place with the "/" default
 */
private void setPolicyStore(
    Map<String, String> allContextsToRealms,
    Map<String, List<String>> allContextsToAuths,
    Map<String, List<ContextAttributeMapping>> allContextsToAttrs) {
  final String root = "/";

  // Make sure the root context exists in every map (the caller's maps are modified in place).
  if (allContextsToRealms.get(root) == null) {
    allContextsToRealms.put(root, DEFAULT_REALM_CONTEXT_VALUE);
  }
  if (allContextsToAuths.get(root) == null) {
    allContextsToAuths.put(root, new ArrayList<String>());
  }
  if (allContextsToAttrs.get(root) == null) {
    allContextsToAttrs.put(root, new ArrayList<ContextAttributeMapping>());
  }

  // Every path named in any of the maps receives a policy.
  Set<String> paths = new HashSet<>(allContextsToRealms.keySet());
  paths.addAll(allContextsToAuths.keySet());
  paths.addAll(allContextsToAttrs.keySet());

  Map<String, ContextPolicy> rebuilt = new HashMap<>();
  // Seed with the default policy. Because "/" was added to every map above it is also in
  // 'paths', so the loop below replaces this seed with a resolved Policy for "/".
  rebuilt.put(root, defaultPolicy);
  for (String contextPath : paths) {
    rebuilt.put(
        contextPath,
        new Policy(
            contextPath,
            getContextRealm(contextPath, allContextsToRealms),
            getContextAuthTypes(contextPath, allContextsToAuths),
            getContextReqAttrs(contextPath, allContextsToAttrs)));
  }

  // Publish the finished map in one step rather than mutating the live store.
  policyStore = rebuilt;
}
Use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.
From class PolicyManagerTest, method testSimpleAttributeMappings.
/**
 * Each path in {@code simpleAttributeMap} must resolve to a policy whose allowed-attribute
 * permissions imply the permission of that path's first configured attribute mapping.
 */
@Test
public void testSimpleAttributeMappings() {
  for (String contextPath : simpleAttributeMap.keySet()) {
    ContextAttributeMapping firstMapping = simpleAttributeMap.get(contextPath).get(0);
    CollectionPermission allowed =
        manager.getContextPolicy(contextPath).getAllowedAttributePermissions();
    assertThat(allowed.implies(firstMapping.getAttributePermission()), is(true));
  }
}
Use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.
From class AuthorizationFilter, method doFilter.
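/**
 * Authorizes the current subject against the {@link ContextPolicy} for the request URI.
 *
 * <p>Requests carrying the {@link ContextPolicy#NO_AUTH_POLICY} attribute bypass authorization.
 * Otherwise the decision is fail-closed: access is granted only when a policy exists for the
 * path, a subject could be obtained, and either the policy has no attribute permissions or the
 * subject is permitted by them. Any other outcome (no policy, no subject, permission check
 * failed) is audited and answered with {@code returnNotAuthorized}.
 *
 * @param request the incoming request; cast to {@link HttpServletRequest}
 * @param response the outgoing response; cast to {@link HttpServletResponse}
 * @param chain filter chain invoked when the request is allowed through
 * @throws IOException propagated from the chain
 * @throws ServletException propagated from the chain
 */
@SuppressWarnings("PackageAccessibility")
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  HttpServletResponse httpResponse = (HttpServletResponse) response;

  if (request.getAttribute(ContextPolicy.NO_AUTH_POLICY) != null) {
    LOGGER.debug("NO_AUTH_POLICY header was found, skipping authorization filter.");
    chain.doFilter(request, response);
    return;
  }

  Subject subject = null;
  try {
    subject = SecurityUtils.getSubject();
  } catch (Exception e) {
    // Broad catch retained: a missing subject is treated as "not permitted" below.
    LOGGER.debug("Unable to retrieve user from request.", e);
  }

  final String path = httpRequest.getRequestURI();
  ContextPolicy policy = contextPolicyManager.getContextPolicy(path);

  // Fail closed: only an explicit successful check below flips this to true.
  boolean permitted = false;
  if (policy == null) {
    LOGGER.warn(
        "Unable to determine policy for path {}. User is not permitted to continue. Check policy configuration!",
        path);
  } else if (subject == null) {
    // Distinguished from the missing-policy case so operators do not chase a configuration
    // problem when the failure was obtaining the subject.
    LOGGER.warn("Unable to determine subject for path {}. User is not permitted to continue.", path);
  } else {
    CollectionPermission permissions = policy.getAllowedAttributePermissions();
    if (permissions.isEmpty()) {
      // A policy with no attribute permissions places no restriction on the subject.
      permitted = true;
    } else {
      permitted = subject.isPermitted(permissions);
      if (permitted) {
        SecurityLogger.audit("Subject is authorized to view resource {}", path);
      }
    }
  }

  if (!permitted) {
    SecurityLogger.audit("Subject not authorized to view resource {}", path);
    LOGGER.debug("Subject not authorized.");
    returnNotAuthorized(httpResponse);
    return;
  }

  LOGGER.debug("Subject is authorized!");
  chain.doFilter(request, response);
}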
Use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.
From class AbstractStsRealm, method createClaimsElement.
/**
 * Create the claims element with the claims provided in the STS client configuration in the
 * admin console.
 *
 * <p>The configured claims are combined with every attribute name allowed by any
 * {@link ContextPolicy} known to {@code contextPolicyManager} (when one is set). Each claim is
 * written as an {@code ic:ClaimType} with {@code Optional="true"} inside a {@code wst:Claims}
 * element. When there are no claims, or the XML cannot be written, {@code null} is returned.
 *
 * @return the {@code wst:Claims} element, or {@code null}
 */
protected Element createClaimsElement() {
  final String identityNs = "http://schemas.xmlsoap.org/ws/2005/05/identity";

  // Configured claims first, then attribute names required by any context policy.
  List<String> claims = new ArrayList<>(getClaims());
  if (contextPolicyManager != null) {
    Set<String> policyAttributes = new LinkedHashSet<>();
    Collection<ContextPolicy> policies = contextPolicyManager.getAllContextPolicies();
    if (policies != null) {
      for (ContextPolicy contextPolicy : policies) {
        policyAttributes.addAll(contextPolicy.getAllowedAttributeNames());
      }
    }
    claims.addAll(policyAttributes);
  }

  if (claims.isEmpty()) {
    LOGGER.debug("There are no claims to process.");
    return null;
  }

  Element claimsElement = null;
  W3CDOMStreamWriter writer = null;
  try {
    writer = new W3CDOMStreamWriter();
    writer.writeStartElement("wst", "Claims", STSUtils.WST_NS_05_12);
    writer.writeNamespace("wst", STSUtils.WST_NS_05_12);
    writer.writeNamespace("ic", identityNs);
    writer.writeAttribute("Dialect", identityNs);
    for (String claim : claims) {
      LOGGER.trace("Claim: {}", claim);
      writer.writeStartElement("ic", "ClaimType", identityNs);
      writer.writeAttribute("Uri", claim);
      writer.writeAttribute("Optional", "true");
      writer.writeEndElement();
    }
    writer.writeEndElement();
    claimsElement = writer.getDocument().getDocumentElement();
  } catch (XMLStreamException e) {
    // Leave claimsElement null: the subject simply gets no attributes.
    LOGGER.warn(
        "Unable to create claims. Subjects will not have any attributes. Check STS Client configuration.",
        e);
  } finally {
    if (writer != null) {
      try {
        writer.close();
      } catch (XMLStreamException ignore) {
        // nothing useful can be done about a failed close here
      }
    }
  }

  if (claimsElement != null && LOGGER.isDebugEnabled()) {
    LOGGER.debug("Claims: {}", getFormattedXml(claimsElement));
  }
  return claimsElement;
}
Use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.
From class AuthenticationEndpointTest, method testSingleRealm.
/**
 * A secure request whose path resolves to a policy with a single realm should log in without
 * throwing.
 */
@Test
public void testSingleRealm() throws SecurityServiceException {
  ContextPolicy singleRealmPolicy = mock(ContextPolicy.class);
  when(singleRealmPolicy.getRealm()).thenReturn(REALM);
  when(policyManager.getContextPolicy(PATH)).thenReturn(singleRealmPolicy);

  HttpServletRequest secureRequest = mock(HttpServletRequest.class);
  when(secureRequest.isSecure()).thenReturn(true);

  authEndpoint.login(secureRequest, USER_NAME, PASSWORD, PATH);
}