private void recordAuthenticationSuccess(@NotNull MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv) { securityHelper.auditLoginSuccess(principal.getUser(), connEnv); }
protected void assertNoAuthorizations(MidPointPrincipal principal) { if (principal.getAuthorities() != null && !principal.getAuthorities().isEmpty()) { AssertJUnit.fail("Unexpected authorizations in "+principal+": "+principal.getAuthorities()); } }
/** * Semi-shallow clone. */ public MidPointPrincipal clone() { MidPointPrincipal clone = new MidPointPrincipal(this.user); copyValues(clone); return clone; }
protected void recordAuthenticationFailure(@NotNull MidPointPrincipal principal, ConnectionEnvironment connEnv, String reason) { securityHelper.auditLoginFailure(principal.getUsername(), principal.getUser(), connEnv, reason); }
@Test public void test052GetUserGuybrush() throws Exception { final String TEST_NAME = "test052GetUserGuybrush"; displayTestTitle(TEST_NAME); resetAuthentication(); // WHEN MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME); // THEN display("Principal guybrush", principal); assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername()); assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid()); assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty()); display("User in principal guybrush", principal.getUser().asPrismObject()); principal.getUser().asPrismObject().checkConsistence(true, true); assertNotAuthorized(principal, AUTZ_LOOT_URL); assertNotAuthorized(principal, AUTZ_COMMAND_URL); }
protected void assertJack(MidPointPrincipal principal) { display("Principal jack", principal); assertEquals("wrong username", USER_JACK_USERNAME, principal.getUsername()); assertEquals("wrong oid", USER_JACK_OID, principal.getOid()); assertJack(principal.getUser()); }
private void setInitiatorAndAttorneyFromPrincipal(AuditEventRecord record) { try { MidPointPrincipal principal = securityContextManager.getPrincipal(); record.setInitiator(principal.getUser().asPrismObject()); if (principal.getAttorney() != null) { record.setAttorney(principal.getAttorney().asPrismObject()); } } catch (SecurityViolationException e) { record.setInitiator(null); LOGGER.warn("No initiator known for auditing work item event: " + e.getMessage(), e); } } }
private void assertPrincipalJack(MidPointPrincipal principal) { display("principal", principal); assertEquals("Bad principal name", USER_JACK_USERNAME, principal.getName().getOrig()); assertEquals("Bad principal name", USER_JACK_USERNAME, principal.getUsername()); UserType user = principal.getUser(); assertNotNull("No user in principal",user); assertEquals("Bad name in user in principal", USER_JACK_USERNAME, user.getName().getOrig()); }
@Override public MidPointPrincipal createDonorPrincipal(MidPointPrincipal attorneyPrincipal, String attorneyAuthorizationAction, PrismObject<UserType> donor, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException { if (attorneyPrincipal.getAttorney() != null) { throw new UnsupportedOperationException("Transitive attorney is not supported yet"); } AuthorizationLimitationsCollector limitationsCollector = new AuthorizationLimitationsCollector(); AuthorizationParameters<UserType, ObjectType> autzParams = AuthorizationParameters.Builder.buildObject(donor); AccessDecision decision = isAuthorizedInternal(attorneyPrincipal, attorneyAuthorizationAction, null, autzParams, null, limitationsCollector, task, result); if (!decision.equals(AccessDecision.ALLOW)) { failAuthorization(attorneyAuthorizationAction, null, autzParams, result); } MidPointPrincipal donorPrincipal = securityContextManager.getUserProfileService().getPrincipal(donor, limitationsCollector, result); donorPrincipal.setAttorney(attorneyPrincipal.getUser()); // chain principals so we can easily drop the power of attorney and return back to original identity donorPrincipal.setPreviousPrincipal(attorneyPrincipal); return donorPrincipal; }
private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration) { OperationResult result = new OperationResult(MidPointPrincipalManagerMock.class.getName() + ".addAuthorizations"); principal.setApplicableSecurityPolicy(locateSecurityPolicy(principal, systemConfiguration, result)); // if (systemConfiguration != null) { // principal.setAdminGuiConfiguration(systemConfiguration.asObjectable().getAdminGuiConfiguration()); // } AuthorizationType authorizationType = new AuthorizationType(); authorizationType.getAction().add("FAKE"); principal.getAuthorities().add(new Authorization(authorizationType)); ActivationType activation = principal.getUser().getActivation(); if (activation != null) { activationComputer.computeEffective(principal.getUser().getLifecycleState(), activation, null); } }
private void evaluateAssignments(Collection<AssignmentType> assignments, boolean virtual, AssignmentEvaluator<UserType> assignmentEvaluator, MidPointPrincipal principal, AuthorizationTransformer authorizationTransformer, Collection<AdminGuiConfigurationType> adminGuiConfigurations, Task task, OperationResult result) { UserType userType = principal.getUser(); Collection<Authorization> authorizations = principal.getAuthorities(); && DeputyUtils.isDelegationPath(target.getAssignmentPath(), relationRegistry)) { List<OtherPrivilegesLimitationType> limitations = DeputyUtils.extractLimitations(target.getAssignmentPath()); principal.addDelegatorWithOtherPrivilegesLimitations(new DelegatorWithOtherPrivilegesLimitations( (UserType) target.getTarget().asObjectable(), limitations));
@Override public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment connEnv, T authnCtx) throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException, LockedException, CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException, UsernameNotFoundException { checkEnteredCredentials(connEnv, authnCtx); MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx.getUsername(), true); UserType userType = principal.getUser(); CredentialsType credentials = userType.getCredentials(); CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx); if (checkCredentials(principal, authnCtx, connEnv)) { recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), credentialsPolicy); UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities()); return token; } else { recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "password mismatch"); throw new BadCredentialsException("web.security.provider.invalid"); } }
protected String getSecurityContextUserOid() { return ((MidPointPrincipal) (SecurityContextHolder.getContext().getAuthentication().getPrincipal())).getOid(); }
private String getQuotedUsername(MidPointPrincipal principal) { if (principal == null) { return "(none)"; } return "'"+ principal.getUsername()+"'"; }
@Override public void updateUser(MidPointPrincipal principal) { OperationResult result = new OperationResult(OPERATION_UPDATE_USER); try { save(principal, result); } catch (Exception ex) { LOGGER.warn("Couldn't save user '{}, ({})', reason: {}.", principal.getFullName(), principal.getOid(), ex.getMessage(), ex); } }
UserType userType = principal.getUser(); CredentialsType credentials = userType.getCredentials(); if (credentials == null) { SecurityPolicyType securityPolicy = principal.getApplicableSecurityPolicy(); PasswordCredentialsPolicyType passwordCredentialsPolicy = SecurityUtil.getEffectivePasswordCredentialsPolicy(securityPolicy);
private void setSecurityContext(UserType user) { SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken( new MidPointPrincipal(user), null)); }
private static List<PrismReferenceValue> getPotentialAssigneesForUser(MidPointPrincipal principal, QName limitationItemName, RelationRegistry relationRegistry) { // As for relations, WorkItem.assigneeRef should contain only the default ones. QName defaultRelation = relationRegistry.getDefaultRelation(); List<PrismReferenceValue> rv = new ArrayList<>(); rv.add(ObjectTypeUtil.createObjectRef(principal.getOid(), ObjectTypes.USER).relation(defaultRelation).asReferenceValue()); for (DelegatorWithOtherPrivilegesLimitations delegator : principal.getDelegatorWithOtherPrivilegesLimitationsCollection()) { if (DeputyUtils.limitationsAllow(delegator.getLimitations(), limitationItemName)) { rv.add(ObjectTypeUtil.createObjectRef(delegator.getDelegator(), defaultRelation).asReferenceValue()); } } return rv; }
if (origPrincipal != null) { if (origPrincipal instanceof MidPointPrincipal) { MidPointPrincipal newMidPointPrincipal = ((MidPointPrincipal)origPrincipal).clone(); newMidPointPrincipal.getAuthorities().add(privilegedAuthorization); newPrincipal = newMidPointPrincipal;