/**
 * Asserts that the principal carries no authorizations at all.
 *
 * <p>A {@code null} authority collection is treated the same as an empty one; only a
 * non-empty collection fails the test, and the offending authorizations are printed
 * in the failure message.
 *
 * @param principal principal under test
 */
protected void assertNoAuthorizations(MidPointPrincipal principal) {
    if (principal.getAuthorities() == null) {
        return;
    }
    if (principal.getAuthorities().isEmpty()) {
        return;
    }
    AssertJUnit.fail("Unexpected authorizations in "+principal+": "+principal.getAuthorities());
}
/**
 * Installs the given principal into the current Spring Security context.
 *
 * <p>The token is built with the three-argument constructor (principal, credentials,
 * authorities), which is the variant that yields an authenticated token; the
 * credentials slot is left {@code null} because no credential is verified here. This is
 * a test helper: it grants whatever authorities the principal already holds, nothing is
 * checked.
 *
 * @param principal principal to become the current authentication
 */
protected void login(MidPointPrincipal principal) {
    Authentication authentication =
            new UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(authentication);
}
/**
 * Resolves the authorizations that apply to the given principal.
 *
 * <p>For a concrete principal its own authorities are returned as-is. For a {@code null}
 * principal (anonymous access, possibly with elevated privileges) the granted authorities
 * of the authentication currently in the security context are used, keeping only those
 * that are {@link Authorization} instances. With no authentication in the context the
 * result is an empty list, never {@code null}.
 *
 * @param principal principal to resolve, or {@code null} for the current security context
 * @return applicable authorizations; a fresh list in the anonymous case
 */
private Collection<Authorization> getAuthorities(MidPointPrincipal principal) {
    if (principal != null) {
        return principal.getAuthorities();
    }
    // Anonymous access, possibly with elevated privileges
    Collection<Authorization> fromContext = new ArrayList<>();
    Authentication current = SecurityContextHolder.getContext().getAuthentication();
    if (current == null) {
        return fromContext;
    }
    current.getAuthorities().stream()
            .filter(Authorization.class::isInstance)
            .map(Authorization.class::cast)
            .forEach(fromContext::add);
    return fromContext;
}
/**
 * Returns the authorizations of the principal currently held in the security context.
 *
 * @return the principal's authorities, or {@code null} when no principal is present
 */
protected Collection<Authorization> getSecurityContextAuthorizations() {
    MidPointPrincipal current = getSecurityContextPrincipal();
    return current != null ? current.getAuthorities() : null;
}
/**
 * Asserts that the union of all action URLs across the principal's authorizations equals
 * the expected set.
 *
 * <p>Actions are flattened across authorizations before comparison, so the grouping of
 * actions into individual {@link Authorization} objects is not part of the assertion.
 *
 * @param principal principal under test
 * @param expectedAuthorizations expected action URLs (set semantics)
 */
protected void assertAuthorizations(MidPointPrincipal principal, String... expectedAuthorizations) {
    List<String> actions = new ArrayList<>();
    principal.getAuthorities().forEach(authorization -> actions.addAll(authorization.getAction()));
    PrismAsserts.assertSets("Wrong authorizations in "+principal, actions, expectedAuthorizations);
}
/**
 * Tells whether the principal holds at least one authorization with a non-empty action list.
 *
 * <p>A {@code null} or empty authority collection, and authorizations whose action list is
 * {@code null} or empty, all count as "no authorization".
 *
 * @param principal principal to inspect
 * @return {@code true} if some authorization carries at least one action
 */
private boolean hasAnyAuthorization(MidPointPrincipal principal) {
    Collection<Authorization> authorizations = principal.getAuthorities();
    if (authorizations == null) {
        return false;
    }
    return authorizations.stream()
            .anyMatch(auth -> auth.getAction() != null && !auth.getAction().isEmpty());
}
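/**
 * Logs in the given principal with superuser rights for the remainder of the test.
 *
 * <p>Builds an {@link Authorization} granting {@link AuthorizationConstants#AUTZ_ALL_URL},
 * appends it to the principal's own authority collection (the principal object is mutated,
 * not copied) and installs the principal as the current authentication.
 *
 * <p>The token must be created with the three-argument constructor: the two-argument
 * {@code UsernamePasswordAuthenticationToken(principal, credentials)} form yields a token
 * that is not marked authenticated and carries no granted authorities, so the superuser
 * authorization would never be visible through the security context.
 *
 * @param principal principal to elevate and log in
 * @throws SchemaException if the authorization cannot be adopted into the prism context
 */
protected void loginSuperUser(MidPointPrincipal principal) throws SchemaException {
    AuthorizationType superAutzType = new AuthorizationType();
    prismContext.adopt(superAutzType, RoleType.class, RoleType.F_AUTHORIZATION);
    superAutzType.getAction().add(AuthorizationConstants.AUTZ_ALL_URL);
    Authorization superAutz = new Authorization(superAutzType);
    Collection<Authorization> authorities = principal.getAuthorities();
    authorities.add(superAutz);
    SecurityContext securityContext = SecurityContextHolder.getContext();
    // Constructor with authorities: the two-argument form produces an unauthenticated token.
    Authentication authentication =
            new UsernamePasswordAuthenticationToken(principal, null, authorities);
    securityContext.setAuthentication(authentication);
}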
/**
 * Wraps the principal in a pre-authenticated token and delegates to the
 * {@link Authentication}-based overload.
 *
 * @param principal principal to install into the security context
 */
@Override
public void setupPreAuthenticatedSecurityContext(MidPointPrincipal principal) {
    // Make sure that constructor with authorities is used. Otherwise the context will not be authenticated.
    setupPreAuthenticatedSecurityContext(
            new PreAuthenticatedAuthenticationToken(principal, null, principal.getAuthorities()));
}
/**
 * Gives a principal that has no authorizations a single placeholder authorization whose
 * only action is {@code "FAKE"}.
 *
 * <p>Principals that already hold at least one authorization are left untouched; a
 * {@code null} principal is ignored.
 *
 * @param principal principal to amend, may be {@code null}
 */
private void addFakeAuthorization(MidPointPrincipal principal) {
    if (principal == null || !principal.getAuthorities().isEmpty()) {
        return;
    }
    AuthorizationType placeholder = new AuthorizationType();
    placeholder.getAction().add("FAKE");
    principal.getAuthorities().add(new Authorization(placeholder));
}
/**
 * Completes a pre-authenticated login for the given username.
 *
 * <p>Identity is taken as already established; this method only resolves and checks the
 * principal and then requires that it hold at least one authorization with an action. A
 * principal without any authorization is refused: the failure is recorded with the reason
 * {@code "no authorizations"} and an {@link AccessDeniedException} with a fixed message is
 * thrown, so the caller is not told which check failed.
 *
 * @param connEnv connection environment used for audit records
 * @param enteredUsername username asserted by the pre-authentication mechanism
 * @return authenticated token carrying the principal and its authorities
 */
@Override
public PreAuthenticatedAuthenticationToken authenticateUserPreAuthenticated(ConnectionEnvironment connEnv, String enteredUsername) {
    MidPointPrincipal principal = getAndCheckPrincipal(connEnv, enteredUsername, true);
    // Authorizations
    if (hasAnyAuthorization(principal)) {
        recordAuthenticationSuccess(principal, connEnv);
        return new PreAuthenticatedAuthenticationToken(principal, null, principal.getAuthorities());
    }
    recordAuthenticationFailure(principal, connEnv, "no authorizations");
    throw new AccessDeniedException("web.security.provider.access.denied");
}
/**
 * Resolving the administrator principal with no authenticated caller yields exactly one
 * authorization, the allow-all URL, and both the loot and command actions are authorized.
 */
@Test
public void test010GetUserAdministrator() throws Exception {
    final String testName = "test010GetUserAdministrator";
    displayTestTitle(testName);
    resetAuthentication();

    // WHEN: principal lookup happens without any authentication in the context
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_ADMINISTRATOR_USERNAME);

    // THEN
    display("Administrator principal", principal);
    assertEquals("Wrong number of authorizations", 1, principal.getAuthorities().size());
    assertHasAuthotizationAllow(principal.getAuthorities().iterator().next(), AuthorizationConstants.AUTZ_ALL_URL);
    assertAuthorized(principal, AUTZ_LOOT_URL);
    assertAuthorized(principal, AUTZ_COMMAND_URL);
}
/**
 * Authenticates a username/password-style login.
 *
 * <p>Steps: validate the entered credentials syntactically, resolve and check the principal,
 * look up the stored credentials and the applicable credential policy, then verify the
 * credential. On mismatch the failure is recorded against the principal and a
 * {@link BadCredentialsException} with a fixed message is thrown. On success the success is
 * recorded and a token is returned; note that the entered credential is retained in the
 * token's credentials slot.
 *
 * @param connEnv connection environment used for audit records
 * @param authnCtx authentication context holding the username and entered credential
 * @return authenticated token carrying the principal, the entered credential and the
 *         principal's authorities
 */
@Override
public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment connEnv, T authnCtx)
        throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException,
        LockedException, CredentialsExpiredException, AuthenticationServiceException,
        AccessDeniedException, UsernameNotFoundException {
    checkEnteredCredentials(connEnv, authnCtx);
    MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx.getUsername(), true);
    CredentialsType credentials = principal.getUser().getCredentials();
    CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);
    if (!checkCredentials(principal, authnCtx, connEnv)) {
        recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "password mismatch");
        throw new BadCredentialsException("web.security.provider.invalid");
    }
    recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), credentialsPolicy);
    return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
}
/**
 * Mock initialisation of a principal.
 *
 * <p>Sets the applicable security policy, then — instead of deriving authorizations from
 * assignments — grants a single placeholder authorization with the action {@code "FAKE"}.
 * Finally the user's effective activation is computed when an activation is present.
 *
 * @param principal principal to initialise (mutated in place)
 * @param systemConfiguration system configuration used to locate the security policy
 */
private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration) {
    OperationResult result = new OperationResult(MidPointPrincipalManagerMock.class.getName() + ".addAuthorizations");
    principal.setApplicableSecurityPolicy(locateSecurityPolicy(principal, systemConfiguration, result));

    // Placeholder authorization: this mock does not evaluate assignments.
    AuthorizationType fakeAuthorizationType = new AuthorizationType();
    fakeAuthorizationType.getAction().add("FAKE");
    principal.getAuthorities().add(new Authorization(fakeAuthorizationType));

    ActivationType activation = principal.getUser().getActivation();
    if (activation == null) {
        return;
    }
    activationComputer.computeEffective(principal.getUser().getLifecycleState(), activation, null);
}
/**
 * Resolving jack with no authenticated caller yields a principal with no authorizations;
 * neither the loot nor the command action is authorized, and the security context stays
 * unauthenticated throughout (checked before, between and after the assertions).
 */
@Test
public void test050GetUserJack() throws Exception {
    final String testName = "test050GetUserJack";
    displayTestTitle(testName);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_JACK_USERNAME);

    // THEN: the lookup itself must not have authenticated anything
    assertNoAuthentication();
    assertJack(principal);
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    assertNoAuthentication();
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
    assertNoAuthentication();
}
/**
 * After the captain role is assigned to guybrush (as administrator), his principal carries
 * three authorizations: the command action is authorized, the loot action is still not.
 */
@Test
public void test111GuybrushRoleCaptain() throws Exception {
    final String testName = "test111GuybrushRoleCaptain";
    displayTestTitle(testName);

    // GIVEN: role assignment is done as administrator, then the context is cleared
    login(USER_ADMINISTRATOR_USERNAME);
    Task task = createTask(testName);
    OperationResult result = task.getResult();
    assignRole(USER_GUYBRUSH_OID, ROLE_CAPTAIN_OID, task, result);
    resetAuthentication();

    // WHEN
    displayWhen(testName);
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    displayThen(testName);
    display("Principal guybrush", principal);
    assertEquals("Wrong number of authorizations", 3, principal.getAuthorities().size());
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertAuthorized(principal, AUTZ_COMMAND_URL);
}
/**
 * After the pirate and captain roles are unassigned, the principal has no authorizations and
 * neither the loot nor the command action is authorized.
 *
 * <p>NOTE(review): despite the method name, this test unassigns from and resolves
 * {@code USER_JACK_OID} / {@code USER_JACK_USERNAME}, not guybrush — confirm intent.
 */
@Test
public void test119GuybrushUnassignRoles() throws Exception {
    final String testName = "test119GuybrushUnassignRoles";
    displayTestTitle(testName);

    // GIVEN: unassignment is done as administrator, then the context is cleared
    login(USER_ADMINISTRATOR_USERNAME);
    Task task = createTask(testName);
    OperationResult result = task.getResult();
    unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);
    unassignRole(USER_JACK_OID, ROLE_CAPTAIN_OID, task, result);
    resetAuthentication();

    // WHEN
    displayWhen(testName);
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_JACK_USERNAME);

    // THEN
    displayThen(testName);
    assertEquals("Wrong number of authorizations", 0, principal.getAuthorities().size());
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}
/**
 * After the nice-pirate role is assigned to guybrush (as administrator), his principal
 * carries two authorizations, yet neither the loot nor the command action is authorized.
 */
@Test
public void test110GuybrushRoleNicePirate() throws Exception {
    final String testName = "test110GuybrushRoleNicePirate";
    displayTestTitle(testName);

    // GIVEN: role assignment is done as administrator, then the context is cleared
    login(USER_ADMINISTRATOR_USERNAME);
    Task task = createTask(testName);
    OperationResult result = task.getResult();
    assignRole(USER_GUYBRUSH_OID, ROLE_NICE_PIRATE_OID, task, result);
    resetAuthentication();

    // WHEN
    displayWhen(testName);
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    displayThen(testName);
    display("Principal guybrush", principal);
    assertEquals("Wrong number of authorizations", 2, principal.getAuthorities().size());
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}
/**
 * Resolving guybrush with no authenticated caller yields a consistent principal with the
 * expected username and OID, no authorizations, and neither the loot nor the command action
 * authorized.
 */
@Test
public void test052GetUserGuybrush() throws Exception {
    final String testName = "test052GetUserGuybrush";
    displayTestTitle(testName);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    // Full consistency check of the embedded user object
    principal.getUser().asPrismObject().checkConsistence(true, true);
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}
/**
 * Resolving barbossa with no authenticated caller yields a non-null, consistent principal
 * with the expected username and OID, no authorizations, and neither the loot nor the
 * command action authorized.
 */
@Test
public void test051GetUserBarbossa() throws Exception {
    final String testName = "test051GetUserBarbossa";
    displayTestTitle(testName);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_BARBOSSA_USERNAME);

    // THEN
    display("Principal barbossa", principal);
    assertNotNull("No principal for username "+USER_BARBOSSA_USERNAME, principal);
    assertEquals("wrong username", USER_BARBOSSA_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_BARBOSSA_OID, principal.getOid());
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    display("User in principal barbossa", principal.getUser().asPrismObject());
    // Full consistency check of the embedded user object
    principal.getUser().asPrismObject().checkConsistence(true, true);
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}
/**
 * After the conditional role is unassigned from guybrush (as administrator), his principal
 * is consistent, has the expected username and OID, holds no authorizations, and neither
 * the loot nor the command action is authorized.
 */
@Test
public void test062GuybrushConditionalRoleUnassign() throws Exception {
    final String testName = "test062GuybrushConditionalRoleUnassign";
    displayTestTitle(testName);

    // GIVEN: unassignment is done as administrator, then the context is cleared
    login(USER_ADMINISTRATOR_USERNAME);
    unassignRole(USER_GUYBRUSH_OID, ROLE_CONDITIONAL_OID);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    // Full consistency check of the embedded user object
    principal.getUser().asPrismObject().checkConsistence(true, true);
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}