@Override protected boolean securityChecks(final Set<String> effectiveRealms, final String realm, final String key) { boolean authorized = effectiveRealms.stream().anyMatch(ownedRealm -> realm.startsWith(ownedRealm) || ownedRealm.equals(RealmUtils.getGroupOwnerRealm(realm, key))); if (!authorized) { authorized = groupDAO.findDynRealms(key).stream(). anyMatch(dynRealm -> effectiveRealms.contains(dynRealm)); } if (!authorized) { throw new DelegatedAdministrationException(realm, AnyTypeKind.GROUP.name(), key); } return effectiveRealms.stream().anyMatch(new RealmUtils.DynRealmsPredicate()); }
public static Set<String> getEffective(final Set<String> allowedRealms, final String requestedRealm) { Set<String> allowed = RealmUtils.normalize(allowedRealms); Set<String> requested = new HashSet<>(); requested.add(requestedRealm); Set<String> effective = new HashSet<>(); effective.addAll(requested.stream().filter(new StartsWithPredicate(allowed)).collect(Collectors.toSet())); effective.addAll(allowed.stream().filter(new StartsWithPredicate(requested)).collect(Collectors.toSet())); // includes dynamic realms if (allowedRealms != null) { effective.addAll(allowedRealms.stream().filter(new DynRealmsPredicate()).collect(Collectors.toSet())); } return effective; }
public boolean addRealm(final String newRealm) { return RealmUtils.normalizingAddTo(realms, newRealm); }
realms.add(RealmUtils.getGroupOwnerRealm(group.getRealm().getFullPath(), group.getKey())); authority.addRealms(RealmUtils.normalize(entry.getValue())); return authority; }).forEachOrdered(authority -> authorities.add(authority));
@PreAuthorize("hasRole('" + StandardEntitlement.GROUP_SEARCH + "')") @Transactional(readOnly = true) @Override public Pair<Integer, List<GroupTO>> search( final SearchCond searchCond, final int page, final int size, final List<OrderByClause> orderBy, final String realm, final boolean details) { int count = searchDAO.count( RealmUtils.getEffective(SyncopeConstants.FULL_ADMIN_REALMS, realm), searchCond == null ? groupDAO.getAllMatchingCond() : searchCond, AnyTypeKind.GROUP); List<Group> matching = searchDAO.search( RealmUtils.getEffective(SyncopeConstants.FULL_ADMIN_REALMS, realm), searchCond == null ? groupDAO.getAllMatchingCond() : searchCond, page, size, orderBy, AnyTypeKind.GROUP); List<GroupTO> result = matching.stream(). map(group -> binder.getGroupTO(group, details)).collect(Collectors.toList()); return Pair.of(count, result); }
realms.add(RealmUtils.getGroupOwnerRealm(group.getRealm().getFullPath(), group.getKey())); authority.addRealms(RealmUtils.normalize(entry.getValue())); return authority; }).forEachOrdered(authority -> authorities.add(authority));
@PreAuthorize("hasRole('" + StandardEntitlement.USER_SEARCH + "')") @Transactional(readOnly = true) @Override public Pair<Integer, List<UserTO>> search( final SearchCond searchCond, final int page, final int size, final List<OrderByClause> orderBy, final String realm, final boolean details) { int count = searchDAO.count(RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(StandardEntitlement.USER_SEARCH), realm), searchCond == null ? userDAO.getAllMatchingCond() : searchCond, AnyTypeKind.USER); List<User> matching = searchDAO.search(RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(StandardEntitlement.USER_SEARCH), realm), searchCond == null ? userDAO.getAllMatchingCond() : searchCond, page, size, orderBy, AnyTypeKind.USER); List<UserTO> result = matching.stream(). map(user -> binder.returnUserTO(binder.getUserTO(user, details))). collect(Collectors.toList()); return Pair.of(count, result); }
@Transactional(readOnly = true) @Override public Pair<Integer, List<AnyObjectTO>> search( final SearchCond searchCond, final int page, final int size, final List<OrderByClause> orderBy, final String realm, final boolean details) { if (searchCond.hasAnyTypeCond() == null) { throw new UnsupportedOperationException("Need to specify " + AnyType.class.getSimpleName()); } Set<String> effectiveRealms = RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(AnyEntitlement.SEARCH.getFor(searchCond.hasAnyTypeCond())), realm); int count = searchDAO.count(effectiveRealms, searchCond, AnyTypeKind.ANY_OBJECT); List<AnyObject> matching = searchDAO.search( effectiveRealms, searchCond, page, size, orderBy, AnyTypeKind.ANY_OBJECT); List<AnyObjectTO> result = matching.stream(). map(anyObject -> binder.getAnyObjectTO(anyObject, details)).collect(Collectors.toList()); return Pair.of(count, result); }
public static Set<String> getEffective(final Set<String> allowedRealms, final String requestedRealm) { Set<String> allowed = RealmUtils.normalize(allowedRealms); Set<String> requested = new HashSet<>(); requested.add(requestedRealm); Set<String> effective = new HashSet<>(); effective.addAll(requested.stream().filter(new StartsWithPredicate(allowed)).collect(Collectors.toSet())); effective.addAll(allowed.stream().filter(new StartsWithPredicate(requested)).collect(Collectors.toSet())); // includes dynamic realms if (allowedRealms != null) { effective.addAll(allowedRealms.stream().filter(new DynRealmsPredicate()).collect(Collectors.toSet())); } return effective; }
@Override protected void securityChecks(final Group group) { Map<String, Set<String>> authorizations = AuthContextUtils.getAuthorizations(); Set<String> authRealms = authorizations.containsKey(StandardEntitlement.GROUP_READ) ? authorizations.get(StandardEntitlement.GROUP_READ) : Collections.emptySet(); boolean authorized = authRealms.stream().anyMatch(realm -> group.getRealm().getFullPath().startsWith(realm) || realm.equals(RealmUtils.getGroupOwnerRealm(group.getRealm().getFullPath(), group.getKey()))); if (!authorized) { authorized = findDynRealms(group.getKey()).stream(). filter(dynRealm -> authRealms.contains(dynRealm)). count() > 0; } if (authRealms.isEmpty() || !authorized) { throw new DelegatedAdministrationException( group.getRealm().getFullPath(), AnyTypeKind.GROUP.name(), group.getKey()); } }
public boolean addRealm(final String newRealm) { return RealmUtils.normalizingAddTo(realms, newRealm); }
@PreAuthorize("hasRole('" + StandardEntitlement.GROUP_CREATE + "')") public ProvisioningResult<GroupTO> create(final GroupTO groupTO, final boolean nullPriorityAsync) { Pair<GroupTO, List<LogicActions>> before = beforeCreate(groupTO); if (before.getLeft().getRealm() == null) { throw SyncopeClientException.build(ClientExceptionType.InvalidRealm); } Set<String> effectiveRealms = RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(StandardEntitlement.GROUP_CREATE), before.getLeft().getRealm()); securityChecks(effectiveRealms, before.getLeft().getRealm(), null); Pair<String, List<PropagationStatus>> created = provisioningManager.create(before.getLeft(), nullPriorityAsync); return afterCreate(binder.getGroupTO(created.getKey()), created.getRight(), before.getRight()); }
RealmUtils.normalize(adminRealms).forEach(realmPath -> { if (realmPath.startsWith("/")) { Realm realm = realmDAO.findByFullPath(realmPath);
public static Set<String> normalize(final Collection<String> realms) { Set<String> normalized = new HashSet<>(); if (realms != null) { realms.forEach(realm -> normalizingAddTo(normalized, realm)); } return normalized; }
public ProvisioningResult<AnyObjectTO> create(final AnyObjectTO anyObjectTO, final boolean nullPriorityAsync) { Pair<AnyObjectTO, List<LogicActions>> before = beforeCreate(anyObjectTO); if (before.getLeft().getRealm() == null) { throw SyncopeClientException.build(ClientExceptionType.InvalidRealm); } if (before.getLeft().getType() == null) { throw SyncopeClientException.build(ClientExceptionType.InvalidAnyType); } Set<String> effectiveRealms = RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(AnyEntitlement.CREATE.getFor(before.getLeft().getType())), before.getLeft().getRealm()); securityChecks(effectiveRealms, before.getLeft().getRealm(), null); Pair<String, List<PropagationStatus>> created = provisioningManager.create(before.getLeft(), nullPriorityAsync); return afterCreate(binder.getAnyObjectTO(created.getKey()), created.getRight(), before.getRight()); }
public static Set<String> normalize(final Collection<String> realms) { Set<String> normalized = new HashSet<>(); if (realms != null) { realms.forEach(realm -> normalizingAddTo(normalized, realm)); } return normalized; }
@Override public ProvisioningResult<AnyObjectTO> delete(final String key, final boolean nullPriorityAsync) { AnyObjectTO anyObject = binder.getAnyObjectTO(key); Pair<AnyObjectTO, List<LogicActions>> before = beforeDelete(anyObject); Set<String> effectiveRealms = RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(AnyEntitlement.DELETE.getFor(before.getLeft().getType())), before.getLeft().getRealm()); securityChecks(effectiveRealms, before.getLeft().getRealm(), before.getLeft().getKey()); List<PropagationStatus> statuses = provisioningManager.delete(before.getLeft().getKey(), nullPriorityAsync); AnyObjectTO anyObjectTO = new AnyObjectTO(); anyObjectTO.setKey(before.getLeft().getKey()); return afterDelete(anyObjectTO, statuses, before.getRight()); }
protected ProvisioningResult<UserTO> doCreate( final UserTO userTO, final boolean storePassword, final boolean self, final boolean nullPriorityAsync) { Pair<UserTO, List<LogicActions>> before = beforeCreate(userTO); if (before.getLeft().getRealm() == null) { throw SyncopeClientException.build(ClientExceptionType.InvalidRealm); } if (!self) { Set<String> effectiveRealms = RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(StandardEntitlement.USER_CREATE), before.getLeft().getRealm()); securityChecks(effectiveRealms, before.getLeft().getRealm(), null); } Pair<String, List<PropagationStatus>> created = provisioningManager.create(before.getLeft(), storePassword, nullPriorityAsync); return afterCreate( binder.returnUserTO(binder.getUserTO(created.getKey())), created.getRight(), before.getRight()); }
@PreAuthorize("hasRole('" + StandardEntitlement.GROUP_DELETE + "')") @Override public ProvisioningResult<GroupTO> delete(final String key, final boolean nullPriorityAsync) { GroupTO group = binder.getGroupTO(key); Pair<GroupTO, List<LogicActions>> before = beforeDelete(group); Set<String> effectiveRealms = RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(StandardEntitlement.GROUP_DELETE), before.getLeft().getRealm()); securityChecks(effectiveRealms, before.getLeft().getRealm(), before.getLeft().getKey()); List<Group> ownedGroups = groupDAO.findOwnedByGroup(before.getLeft().getKey()); if (!ownedGroups.isEmpty()) { SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.GroupOwnership); sce.getElements().addAll(ownedGroups.stream(). map(g -> g.getKey() + " " + g.getName()).collect(Collectors.toList())); throw sce; } List<PropagationStatus> statuses = provisioningManager.delete(before.getLeft().getKey(), nullPriorityAsync); GroupTO groupTO = new GroupTO(); groupTO.setKey(before.getLeft().getKey()); return afterDelete(groupTO, statuses, before.getRight()); }
@PreAuthorize("hasRole('" + StandardEntitlement.USER_UPDATE + "')") @Override public ProvisioningResult<UserTO> unassign( final String key, final Collection<String> resources, final boolean nullPriorityAsync) { // security checks UserTO user = binder.getUserTO(key); Set<String> effectiveRealms = RealmUtils.getEffective( AuthContextUtils.getAuthorizations().get(StandardEntitlement.USER_UPDATE), user.getRealm()); securityChecks(effectiveRealms, user.getRealm(), user.getKey()); UserPatch patch = new UserPatch(); patch.setKey(key); patch.getResources().addAll(resources.stream().map(resource -> new StringPatchItem.Builder().operation(PatchOperation.DELETE).value(resource).build()). collect(Collectors.toList())); return update(patch, nullPriorityAsync); }