
Example 1 with PrincipalRoleMapper

Use of org.infinispan.security.PrincipalRoleMapper in the infinispan project (by infinispan).

From class Parser, method parseGlobalAuthorization.

/**
 * Parses the global {@code <authorization>} element into the holder's global security configuration.
 * <p>
 * Attributes: only {@code audit-logger} is accepted; any other attribute is a parse error. Child
 * elements select at most one principal-to-role mapper and at most one role-to-permission mapper,
 * plus the global role definitions. The selected mappers are committed to the builder only when
 * the closing {@code </authorization>} tag is reached.
 * <p>
 * Security note: the audit logger is instantiated by class name taken from the configuration
 * (and the custom mappers parsed by {@code parseCustomRoleMapper} / {@code parseCustomPermissionMapper}
 * presumably are as well -- their bodies are not visible here). The configuration file is therefore
 * trusted input: whoever can edit it can load arbitrary classes into this process.
 * <p>
 * Throws the unchecked parse errors produced by {@code ParseUtils} on an unexpected attribute, an
 * unexpected element, or a second mapper of the same kind.
 *
 * @param reader the configuration reader, positioned inside the {@code authorization} element
 * @param holder provides the global configuration builder and the class loader used for
 *               name-based instantiation
 */
private void parseGlobalAuthorization(ConfigurationReader reader, ConfigurationBuilderHolder holder) {
    // Merely encountering the element enables authorization on the global builder.
    GlobalAuthorizationConfigurationBuilder builder = holder.getGlobalConfigurationBuilder().security().authorization().enable();
    for (int i = 0; i < reader.getAttributeCount(); i++) {
        String value = reader.getAttributeValue(i);
        Attribute attribute = Attribute.forName(reader.getAttributeName(i));
        switch(attribute) {
            case AUDIT_LOGGER:
                {
                    // Name-based instantiation of the audit logger via the holder's class loader.
                    builder.auditLogger(Util.getInstance(value, holder.getClassLoader()));
                    break;
                }
            default:
                {
                    // Unknown attributes are rejected rather than silently ignored.
                    throw ParseUtils.unexpectedAttribute(reader, i);
                }
        }
    }
    // At most one mapper of each kind; both stay null until a child element selects one.
    PrincipalRoleMapper roleMapper = null;
    RolePermissionMapper permissionMapper = null;
    while (reader.hasNext()) {
        reader.nextElement();
        Element element = Element.forName(reader.getLocalName());
        switch(element) {
            case AUTHORIZATION:
                {
                    // Only the closing </authorization> tag is legal here; a nested opening tag fails this check.
                    // (The opening tag is presumably consumed by the caller -- not visible here.)
                    reader.require(ConfigurationReader.ElementType.END_ELEMENT);
                    // Mappers that were never specified are left untouched, so whatever default the
                    // builder carries applies (that default is not visible here).
                    if (permissionMapper != null) {
                        builder.rolePermissionMapper(permissionMapper);
                    }
                    if (roleMapper != null) {
                        builder.principalRoleMapper(roleMapper);
                    }
                    return;
                }
            case CLUSTER_PERMISSION_MAPPER:
                // A second permission mapper of any kind is a parse error.
                if (permissionMapper != null) {
                    throw ParseUtils.unexpectedElement(reader);
                }
                // Built-in mappers are empty elements: no attributes, no body.
                ParseUtils.requireNoAttributes(reader);
                ParseUtils.requireNoContent(reader);
                permissionMapper = new ClusterPermissionMapper();
                break;
            case CUSTOM_PERMISSION_MAPPER:
                if (permissionMapper != null) {
                    throw ParseUtils.unexpectedElement(reader);
                }
                // Custom mapper: attributes/content are handled by the helper (not visible here).
                permissionMapper = parseCustomPermissionMapper(reader, holder);
                break;
            case IDENTITY_ROLE_MAPPER:
                // A second role mapper of any kind is a parse error.
                if (roleMapper != null) {
                    throw ParseUtils.unexpectedElement(reader);
                }
                ParseUtils.requireNoAttributes(reader);
                ParseUtils.requireNoContent(reader);
                roleMapper = new IdentityRoleMapper();
                break;
            case COMMON_NAME_ROLE_MAPPER:
                if (roleMapper != null) {
                    throw ParseUtils.unexpectedElement(reader);
                }
                ParseUtils.requireNoAttributes(reader);
                ParseUtils.requireNoContent(reader);
                roleMapper = new CommonNameRoleMapper();
                break;
            case CLUSTER_ROLE_MAPPER:
                if (roleMapper != null) {
                    throw ParseUtils.unexpectedElement(reader);
                }
                ParseUtils.requireNoAttributes(reader);
                ParseUtils.requireNoContent(reader);
                roleMapper = new ClusterRoleMapper();
                break;
            case CUSTOM_ROLE_MAPPER:
                if (roleMapper != null) {
                    throw ParseUtils.unexpectedElement(reader);
                }
                // Custom mapper: attributes/content are handled by the helper (not visible here).
                roleMapper = parseCustomRoleMapper(reader, holder);
                break;
            case ROLES:
                {
                    // <roles> is a map element: each item is keyed by its name attribute and
                    // parsed as one global role.
                    while (reader.inTag()) {
                        Map.Entry<String, String> item = reader.getMapItem(Attribute.NAME);
                        parseGlobalRole(reader, builder, item.getKey());
                        reader.endMapItem();
                    }
                    break;
                }
            case ROLE:
                {
                    // A bare <role> element; passing null presumably lets parseGlobalRole read the
                    // name from the element itself (not visible here).
                    parseGlobalRole(reader, builder, null);
                    break;
                }
            default:
                {
                    // Unknown child elements are rejected rather than silently ignored.
                    throw ParseUtils.unexpectedElement(reader);
                }
        }
    }
}

Example 2 with PrincipalRoleMapper

Use of org.infinispan.security.PrincipalRoleMapper in the infinispan project (by infinispan).

From class Authorizer, method computeSubjectACL.

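/**
 * Computes the access-control summary for {@code subject} against the resource described by
 * {@code configuration}.
 * <p>
 * Every principal of the subject is mapped to role names through the global principal-role
 * mapper; the union of those names becomes the subject's role set. The permission mask is then
 * the OR of the masks of the global roles that apply to the resource:
 * <ul>
 *   <li>{@code configuration == null}: every mapped global role applies;</li>
 *   <li>the resource declares no roles ("implicit"): only mapped global roles flagged
 *       inheritable apply;</li>
 *   <li>otherwise: only mapped roles that the resource explicitly lists apply.</li>
 * </ul>
 * A role name the mapper produces but the global configuration does not define contributes
 * nothing to the mask (it still appears in the returned role set).
 * <p>
 * Fix: the trace line used to render the {@link Subject} itself. {@code Subject.toString()}
 * enumerates principals and public <em>and private</em> credentials, so at trace level this
 * could write secrets (tokens, passwords held as private credentials) into the log. The
 * principal set is logged instead; the message format is unchanged.
 *
 * @param subject       the authenticated subject; its principals are read, nothing is modified
 * @param configuration the resource's authorization configuration, or {@code null} when the
 *                      check is not scoped to a resource
 * @return the subject's role names and the combined permission mask
 */
private SubjectACL computeSubjectACL(Subject subject, AuthorizationConfiguration configuration) {
    GlobalAuthorizationConfiguration authorization = globalConfiguration.authorization();
    PrincipalRoleMapper roleMapper = authorization.principalRoleMapper();
    Set<Principal> principals = subject.getPrincipals();
    Set<String> allRoles = new HashSet<>(principals.size());
    // Map all the Subject's principals to roles using the role mapper. There may be more than one
    // role per principal, and a mapper may answer null for "no roles".
    // NOTE(review): roleMapper is dereferenced without a null check. If the global configuration can
    // leave it unset (the serializer does guard against null), this throws NPE -- loud and
    // fail-closed rather than granting anything, but confirm that a default mapper is always present.
    for (Principal principal : principals) {
        Set<String> roleNames = roleMapper.principalToRoles(principal);
        if (roleNames != null) {
            allRoles.addAll(roleNames);
        }
    }
    // Create a bitmask of the permissions this Subject has for the resource identified by the configuration.
    int subjectMask = 0;
    // If this resource has not declared any roles, all the inheritable global roles will be checked.
    boolean implicit = configuration != null && configuration.roles().isEmpty();
    for (String role : allRoles) {
        if (configuration == null || implicit || configuration.roles().contains(role)) {
            Role globalRole = authorization.getRole(role);
            // In the implicit case a global role only counts if it is marked inheritable.
            if (globalRole != null && (!implicit || globalRole.isInheritable())) {
                subjectMask |= globalRole.getMask();
            }
        }
    }
    if (log.isTraceEnabled()) {
        // Log the principals, not the Subject: Subject.toString() also renders its credentials.
        log.tracef("Subject '%s' has roles '%s' and permission mask %d", principals, allRoles, subjectMask);
    }
    return new SubjectACL(allRoles, subjectMask);
}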

Example 3 with PrincipalRoleMapper

Use of org.infinispan.security.PrincipalRoleMapper in the infinispan project (by infinispan).

From class CoreConfigurationSerializer, method writeSecurity.

/**
 * Serialises the global {@code <security><authorization>} section.
 * <p>
 * Nothing is written unless the authorization attributes were explicitly modified and
 * authorization is enabled. Inside the element the audit-logger attribute comes first, then the
 * principal-to-role mapper (if any), then the role definitions when they differ from the defaults.
 * <p>
 * NOTE(review): the parser for this element also accepts a role-to-permission mapper
 * ({@code cluster-permission-mapper} / {@code custom-permission-mapper}), but this writer emits
 * none, so a configured permission mapper does not survive a write/parse round-trip. Whether the
 * configuration object exposes that mapper is not visible here; confirm before relying on
 * serialised configuration for security settings.
 *
 * @param writer        the destination writer
 * @param configuration the global configuration whose security section is written
 */
private void writeSecurity(ConfigurationWriter writer, GlobalConfiguration configuration) {
    GlobalAuthorizationConfiguration authorization = configuration.security().authorization();
    AttributeSet attributes = authorization.attributes();
    if (!attributes.isModified() || !authorization.enabled()) {
        return;
    }
    writer.writeStartElement(Element.SECURITY);
    writer.writeStartElement(Element.AUTHORIZATION);
    attributes.write(writer, GlobalAuthorizationConfiguration.AUDIT_LOGGER, Attribute.AUDIT_LOGGER);
    writePrincipalRoleMapperElement(writer, authorization.principalRoleMapper());
    if (!authorization.isDefaultRoles()) {
        writeGlobalRoleDefinitions(writer, authorization);
    }
    writer.writeEndElement();
    writer.writeEndElement();
}

/**
 * Writes the element describing the configured principal-to-role mapper; a {@code null} mapper
 * writes nothing.
 * <p>
 * Built-in mappers are written as empty elements. Anything else is written as a custom mapper
 * identified by its fully-qualified class name; the parser re-instantiates that class by name, so
 * the serialised configuration has to be treated as trusted input.
 * NOTE(review): the {@code instanceof} order matters -- a custom subclass of one of the built-in
 * mappers is written as the built-in element and its concrete class is lost.
 */
private void writePrincipalRoleMapperElement(ConfigurationWriter writer, PrincipalRoleMapper mapper) {
    if (mapper == null) {
        return;
    }
    Element builtIn = builtInRoleMapperElement(mapper);
    if (builtIn != null) {
        writer.writeEmptyElement(builtIn);
        return;
    }
    writer.writeStartElement(Element.CUSTOM_ROLE_MAPPER);
    writer.writeAttribute(Attribute.CLASS, mapper.getClass().getName());
    writer.writeEndElement();
}

/** Maps a built-in mapper to its empty element, or {@code null} for any other implementation. */
private static Element builtInRoleMapperElement(PrincipalRoleMapper mapper) {
    if (mapper instanceof IdentityRoleMapper) {
        return Element.IDENTITY_ROLE_MAPPER;
    }
    if (mapper instanceof CommonNameRoleMapper) {
        return Element.COMMON_NAME_ROLE_MAPPER;
    }
    if (mapper instanceof ClusterRoleMapper) {
        return Element.CLUSTER_ROLE_MAPPER;
    }
    return null;
}

/** Writes the {@code <roles>} map: one item per global role, carrying its name and permissions. */
private void writeGlobalRoleDefinitions(ConfigurationWriter writer, GlobalAuthorizationConfiguration authorization) {
    writer.writeStartMap(Element.ROLES);
    for (Role definedRole : authorization.roles().values()) {
        writer.writeMapItem(Element.ROLE, Attribute.NAME, definedRole.getName());
        writeCollectionAsAttribute(writer, Attribute.PERMISSIONS, definedRole.getPermissions());
        writer.writeEndMapItem();
    }
    writer.writeEndMap();
}
