public Authorization clone() { AuthorizationType authorizationTypeClone = authorizationType.clone(); Authorization clone = new Authorization(authorizationTypeClone); clone.sourceDescription = this.sourceDescription; return clone; }
private boolean allActionsAlloved(Authorization autz) { for (String autzAction: autz.getAction()) { if (!limitActions.contains(autzAction)) { return false; } } return true; }
public boolean hasItemSpecification() { return !getItem().isEmpty() || !getExceptItem().isEmpty(); }
private Authorization createAuthorization(AuthorizationType authorizationType, String sourceDesc) { Authorization authorization = new Authorization(authorizationType); authorization.setSourceDescription(sourceDesc); return authorization; }
/** * Deciding whether authorization is acceptable * (based on a value parsed before) */ @Override public Collection<Authorization> transform(Authorization autz) { if (unlimited || allActionsAlloved(autz)) { return Arrays.asList(autz); } Authorization limitedAutz = autz.clone(); Iterator<String> actionIterator = limitedAutz.getAction().iterator(); while (actionIterator.hasNext()) { String autzAction = actionIterator.next(); if (!limitActions.contains(autzAction)) { actionIterator.remove(); } } if (limitedAutz.getAction().isEmpty()) { return Collections.EMPTY_LIST; } return Arrays.asList(limitedAutz); }
if (authority instanceof Authorization) { Authorization autz = (Authorization)authority; String autzHumanReadableDesc = autz.getHumanReadableDesc(); LOGGER.trace(" Evaluating {}", autzHumanReadableDesc); if (!autz.getAction().contains(operationUrl) && !autz.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) { LOGGER.trace(" {} not applicable for operation {}", autzHumanReadableDesc, operationUrl); continue; if (autz.getPhase() == null) { LOGGER.trace(" {} is applicable for all phases (continuing evaluation)", autzHumanReadableDesc); } else { if (autz.getPhase() != phase) { LOGGER.trace(" {} is not applicable for phases {} (breaking evaluation)", autzHumanReadableDesc, phase); continue; if (isApplicable(autz.getTarget(), params.getTarget(), midPointPrincipal, ownerResolver, "target", autzHumanReadableDesc, task, result)) { LOGGER.trace(" {} applicable for target {} (continuing evaluation)", autzHumanReadableDesc, params.getAnyObject()); } else { AuthorizationDecisionType autzDecision = autz.getDecision(); if (autzDecision == null || autzDecision.equals(AuthorizationDecisionType.ALLOW)) { allowedItems.collectItems(autz);
String autzHumanReadableDesc = autz.getHumanReadableDesc(); LOGGER.trace(" Evaluating {}", autzHumanReadableDesc); if (!autz.getAction().contains(operationUrl) && !autz.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) { LOGGER.trace(" {} not applicable for operation {}", autzHumanReadableDesc, operationUrl); continue; if (autz.getPhase() != null && autz.getPhase() != AuthorizationPhaseType.REQUEST) { LOGGER.trace(" {} is not applicable for phase {} (breaking evaluation)", autzHumanReadableDesc, AuthorizationPhaseType.REQUEST); continue; if (isApplicable(autz.getObject(), object, midPointPrincipal, ownerResolver, "object", autzHumanReadableDesc, task, result)) { LOGGER.trace(" {} applicable for object {} (continuing evaluation)", autzHumanReadableDesc, object); } else { if (isApplicable(autz.getTarget(), target, midPointPrincipal, ownerResolver, "target", autzHumanReadableDesc, task, result)) { LOGGER.trace(" {} applicable for target {} (continuing evaluation)", autzHumanReadableDesc, object); } else {
public void applyAuthorization(Authorization autz) { List<String> actions = autz.getAction(); AuthorizationPhaseType phase = autz.getPhase(); AuthorizationDecisionType decision = autz.getDecision(); if (decision == null) { decision = AuthorizationDecisionType.ALLOW; } for (String action: actions) { if (phase == null) { getOrCreateItemConstraints(action, AuthorizationPhaseType.REQUEST).collectItems(autz); getOrCreateItemConstraints(action, AuthorizationPhaseType.EXECUTION).collectItems(autz); } else { getOrCreateItemConstraints(action, phase).collectItems(autz); } } }
if (authority instanceof Authorization) { Authorization autz = (Authorization)authority; String autzHumanReadableDesc = autz.getHumanReadableDesc(); LOGGER.trace(" Evaluating {}", autzHumanReadableDesc); if (autz.getPhase() == phase || (includeNullPhase && autz.getPhase() == null)) { LOGGER.trace(" Authorization is applicable for phases {} (continuing evaluation)", phase); } else { objectSpecTypes = autz.getObject(); objectTargetSpec = "object"; } else { objectSpecTypes = autz.getTarget(); objectTargetSpec = "target"; if (isApplicable(autz.getObject(), object, principal, null, "object", autzHumanReadableDesc, task, result)) { LOGGER.trace(" Authorization is applicable for object {}", object); } else { ObjectFilter objSpecRoleRelationFilter = processRoleRelationFilter(principal, autz, specRoleRelation, queryItemsSpec, origFilter); if (objSpecRoleRelationFilter == null) { if (autz.maySkipOnSearch()) { LOGGER.trace(" not applying roleRelation filter {} because it is not efficient and maySkipOnSearch is set", objSpecRoleRelationFilter); applicable = false; ObjectFilter objSpecTenantFilter = processTenantFilter(principal, autz, specTenant, queryItemsSpec, origFilter); if (objSpecTenantFilter == null) { if (autz.maySkipOnSearch()) {
protected void assertHasAuthotizationAllow(Authorization authorization, String... action) { assertNotNull("Null authorization", authorization); assertEquals("Wrong decision in "+authorization, AuthorizationDecisionType.ALLOW, authorization.getDecision()); TestUtil.assertSetEquals("Wrong action in "+authorization, authorization.getAction(), action); }
private boolean isApplicableOrderConstraints(Authorization autz, List<OrderConstraintsType> paramOrderConstraints) { if (autz.getAction().contains(AuthorizationConstants.AUTZ_ALL_URL)) { // #all is always applicable // Compatibility note: in fact, this not really correct. We should not make // any special case for #all action - except for the fact that it applies to // all actions. Even for #all, the object and target specification should // still be processed. But orderConstraint is a bit different. For all other // authorization clauses holds that empty clause means that everything is // applicable. But it is different for orderConstraints. Due to compatibility // with midPoint 3.8 empty orderConstraints means min=0,max=0, i.e. it applies // only to assignment (not inducements). Therefore we need this exception for // #all, otherwise #all won't be applicable to inducements. return true; } OrderConstraintsType autzOrderConstraints = autz.getOrderConstraints(); if (paramOrderConstraints == null || paramOrderConstraints.isEmpty()) { if (autzOrderConstraints == null) { return true; } else { return false; } } for (OrderConstraintsType paramOrderConstraint : paramOrderConstraints) { if (!isSubset(paramOrderConstraint, autzOrderConstraints)) { return false; } } return true; }
@NotNull public List<ItemPath> getItems() { List<ItemPathType> itemPaths = getItem(); // TODO: maybe we can cache the itemPaths here? List<ItemPath> items = new ArrayList<>(itemPaths.size()); for (ItemPathType itemPathType: itemPaths) { items.add(itemPathType.getItemPath()); } return items; }
@NotNull public List<ItemPath> getExceptItems() { List<ItemPathType> itemPaths = getExceptItem(); // TODO: maybe we can cache the itemPaths here? List<ItemPath> items = new ArrayList<>(itemPaths.size()); for (ItemPathType itemPathType: itemPaths) { items.add(itemPathType.getItemPath()); } return items; }
public void collectItems(Authorization autz) { AuthorizationDecisionType decision = autz.getDecision(); if (decision == null || decision == AuthorizationDecisionType.ALLOW) { allowedItems.collectItems(autz); } else { deniedItems.collectItems(autz); } }
private Authorization createPrivilegedAuthorization() { AuthorizationType authorizationType = new AuthorizationType(); authorizationType.getAction().add(AuthorizationConstants.AUTZ_ALL_URL); return new Authorization(authorizationType); }
private boolean isApplicableForActions(Authorization autz, String[] requiredActions) { List<String> autzActions = autz.getAction(); if (autzActions.contains(AuthorizationConstants.AUTZ_ALL_URL)) { return true; } for (String requiredAction : requiredActions) { if (autzActions.contains(requiredAction)) { return true; } } return false; }
private <O extends ObjectType> boolean isApplicableItem(Authorization autz, PrismObject<O> object, ObjectDelta<O> delta) throws SchemaException { List<ItemPathType> itemPaths = autz.getItem(); if (itemPaths == null || itemPaths.isEmpty()) { List<ItemPathType> exceptItems = autz.getExceptItem(); if (exceptItems.isEmpty()) { // No item constraints. Applicable for all items. LOGGER.trace(" items empty"); return true; } else { return isApplicableItem(autz, object, delta, exceptItems, false); } } else { return isApplicableItem(autz, object, delta, itemPaths, true); } }
protected void loginSuperUser(MidPointPrincipal principal) throws SchemaException { AuthorizationType superAutzType = new AuthorizationType(); prismContext.adopt(superAutzType, RoleType.class, RoleType.F_AUTHORIZATION); superAutzType.getAction().add(AuthorizationConstants.AUTZ_ALL_URL); Authorization superAutz = new Authorization(superAutzType); Collection<Authorization> authorities = principal.getAuthorities(); authorities.add(superAutz); SecurityContext securityContext = SecurityContextHolder.getContext(); Authentication authentication = new UsernamePasswordAuthenticationToken(principal, null); securityContext.setAuthentication(authentication); }
private boolean hasAnyAuthorization(MidPointPrincipal principal) { Collection<Authorization> authorizations = principal.getAuthorities(); if (authorizations == null || authorizations.isEmpty()){ return false; } for (Authorization auth : authorizations){ if (auth.getAction() != null && !auth.getAction().isEmpty()){ return true; } } return false; }
private void addFakeAuthorization(MidPointPrincipal principal) { if (principal == null) { return; } if (principal.getAuthorities().isEmpty()) { AuthorizationType authorizationType = new AuthorizationType(); authorizationType.getAction().add("FAKE"); principal.getAuthorities().add(new Authorization(authorizationType)); } }