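/**
 * Applies the security constraints of a single authorization phase to an object and its definition.
 *
 * <p>First the "all items" decisions for get, add and modify are looked up for {@code phase}; an
 * explicit global read deny short-circuits everything. Otherwise the item-level constraints are
 * applied to the items of {@code object} (via {@code applySecurityConstraints}) and then to the
 * item definitions in {@code objectDefinition} (via {@code applySecurityConstraintsItemDef}). An
 * object that is empty after item filtering is treated as a denial, not as a legitimately empty
 * result. Every denial is logged through {@link SecurityUtil#logSecurityDeny} with the reason, while
 * the exception surfaced to the caller carries only the generic "Access denied" text.
 *
 * @param object object whose items are filtered in place
 * @param securityConstraints compiled constraints for the current subject and {@code object}
 * @param objectDefinition definition whose item access flags are updated in place
 * @param rootOptions not used by this method; kept for signature compatibility
 * @param phase authorization phase to evaluate; must not be {@code null}
 * @param task not used by this method; kept for signature compatibility
 * @param result receives a fatal-error record for any exception leaving this method
 * @throws AuthorizationException when read access is denied globally or no item remains readable
 * @throws SchemaException, ConfigurationException, ObjectNotFoundException propagated from the
 *         constraint-application helpers
 */
private <O extends ObjectType> void applySchemasAndSecurityPhase(PrismObject<O> object,
        ObjectSecurityConstraints securityConstraints, PrismObjectDefinition<O> objectDefinition,
        GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult result)
        throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
    Validate.notNull(phase);
    try {
        AuthorizationDecisionType globalReadDecision = securityConstraints.findAllItemsDecision(
                ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, phase);
        if (globalReadDecision == AuthorizationDecisionType.DENY) {
            // Shortcut: an explicit global read deny makes item-level evaluation pointless.
            SecurityUtil.logSecurityDeny(object, "because the authorization denies access");
            throw new AuthorizationException("Access denied");
        }
        AuthorizationDecisionType globalAddDecision = securityConstraints.findAllItemsDecision(
                ModelAuthorizationAction.ADD.getUrl(), phase);
        AuthorizationDecisionType globalModifyDecision = securityConstraints.findAllItemsDecision(
                ModelAuthorizationAction.MODIFY.getUrl(), phase);
        applySecurityConstraints(object.getValue().getItems(), securityConstraints,
                globalReadDecision, globalAddDecision, globalModifyDecision, phase);
        if (object.isEmpty()) {
            // Nothing readable survived item-level filtering: deny explicitly instead of
            // handing back an empty object that could be mistaken for a valid read.
            SecurityUtil.logSecurityDeny(object, "because the subject has not access to any item");
            throw new AuthorizationException("Access denied");
        }
        applySecurityConstraintsItemDef(objectDefinition, new IdentityHashMap<>(), ItemPath.EMPTY_PATH,
                securityConstraints, globalReadDecision, globalAddDecision, globalModifyDecision, phase);
    } catch (Throwable e) {
        // Record every failure, not only security/runtime ones: SchemaException and friends thrown
        // by the helpers above previously escaped without being recorded in the operation result,
        // unlike the sibling compileSecurityConstraints. Precise rethrow keeps the declared types.
        result.recordFatalError(e);
        throw e;
    }
}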
/**
 * Reports a denied authorization: builds a message naming the subject, the operation and
 * (when present) the object and target, logs it at ERROR, records it as a fatal error in
 * {@code result} and throws it as an {@link AuthorizationException}.
 *
 * <p>The subject name comes from {@code securityContextManager.getPrincipal()} rendered by
 * {@code getQuotedUsername}. Note that the object and target are rendered with their
 * {@code toString()} and that this rendering is part of the exception message the caller receives.
 *
 * @param operationUrl URL of the denied action
 * @param phase authorization phase; not used in the message
 * @param params object/target the subject attempted to act on (either may be absent)
 * @param result operation result that receives the fatal-error record
 * @throws AuthorizationException always
 */
@Override
public <O extends ObjectType, T extends ObjectType> void failAuthorization(String operationUrl,
        AuthorizationPhaseType phase, AuthorizationParameters<O,T> params, OperationResult result)
        throws SecurityViolationException {
    MidPointPrincipal principal = securityContextManager.getPrincipal();
    String username = getQuotedUsername(principal);
    StringBuilder text = new StringBuilder("User '")
            .append(username)
            .append("' not authorized for operation ")
            .append(operationUrl);
    // Only mention what was actually supplied: target implies an object part as well.
    if (params.getTarget() != null) {
        text.append(" on ").append(params.getAnyObject())
            .append(" with target ").append(params.getTarget());
    } else if (params.getAnyObject() != null) {
        text.append(" on ").append(params.getAnyObject());
    }
    String message = text.toString();
    LOGGER.error("{}", message);
    AuthorizationException denied = new AuthorizationException(message);
    result.recordFatalError(denied.getMessage(), denied);
    throw denied;
}
/**
 * Compiles the security constraints of the current subject for {@code object} through
 * {@code securityEnforcer}, dumping them at TRACE level when enabled.
 *
 * <p>A {@code null} result from the enforcer is treated as "default deny": the denial is logged
 * via {@link SecurityUtil#logSecurityDeny} and a generic {@link AuthorizationException} is thrown.
 * Any throwable leaving this method is first recorded as a fatal error in {@code result}.
 *
 * @param object object the constraints are compiled for
 * @param task task passed through to the enforcer
 * @param result operation result passed to the enforcer and used for error recording
 * @return the compiled constraints, never {@code null}
 * @throws AuthorizationException when the enforcer yields no constraints
 */
private <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object,
        Task task, OperationResult result)
        throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException,
        ExpressionEvaluationException, CommunicationException {
    try {
        ObjectSecurityConstraints constraints =
                securityEnforcer.compileSecurityConstraints(object, null, task, result);
        if (LOGGER.isTraceEnabled()) {
            String dump = (constraints != null) ? constraints.debugDump() : "null";
            LOGGER.trace("Security constraints for {}:\n{}", object, dump);
        }
        if (constraints != null) {
            return constraints;
        }
        // No constraints at all means nothing grants access: fail closed.
        SecurityUtil.logSecurityDeny(object, "because no security constraints are defined (default deny)");
        throw new AuthorizationException("Access denied");
    } catch (Throwable e) {
        result.recordFatalError(e);
        throw e;
    }
}
throw new AuthorizationException("Access denied");
LOGGER.trace("Denied request for element context {}: access to {} container/properties is explicitly denied", elementContext.getHumanReadableName(), assignmentElementQName.getLocalPart()); throw new AuthorizationException("Access denied"); } else { AuthorizationDecisionType allItemsDecision = securityConstraints.findAllItemsDecision(deltaOperationUrl, getRequestAuthorizationPhase(context)); LOGGER.trace("Denied request for element context {}: access to {} items is explicitly denied", elementContext.getHumanReadableName(), assignmentElementQName.getLocalPart()); throw new AuthorizationException("Access denied"); } else {
LOGGER.trace("Denied request for element context {}: null security constraints", elementContext.getHumanReadableName()); throw new AuthorizationException("Access denied"); LOGGER.trace("Denied request for element context {}: explicit credentials deny", elementContext.getHumanReadableName()); throw new AuthorizationException("Access denied"); } else { LOGGER.trace("Denied request for element context {}: explicit credentials deny", elementContext.getHumanReadableName()); throw new AuthorizationException("Access denied"); } else {