private boolean authorizeUser(String authorization, UserType user, PrismObject<UserType> proxyUser, String enteredUsername, ConnectionEnvironment connEnv, ContainerRequestContext requestCtx) { Task task = taskManager.createTaskInstance(MidpointRestAuthenticator.class.getName() + ".authorizeUser"); try { // authorize for proxy securityEnforcer.authorize(authorization, null, AuthorizationParameters.Builder.buildObject(proxyUser), null, task, task.getResult()); } catch (SecurityViolationException e){ securityHelper.auditLoginFailure(enteredUsername, user, connEnv, "Not authorized"); requestCtx.abortWith(Response.status(Status.FORBIDDEN).build()); return false; } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | CommunicationException | ConfigurationException e) { securityHelper.auditLoginFailure(enteredUsername, user, connEnv, "Internal error: "+e.getMessage()); requestCtx.abortWith(Response.status(Status.BAD_REQUEST).build()); return false; } return true; }
@Override public AccessCertificationCampaignType createCampaign(String definitionOid, Task task, OperationResult parentResult) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ObjectAlreadyExistsException, ExpressionEvaluationException, CommunicationException, ConfigurationException { Validate.notNull(definitionOid, "definitionOid"); Validate.notNull(task, "task"); Validate.notNull(parentResult, "parentResult"); OperationResult result = parentResult.createSubresult(OPERATION_CREATE_CAMPAIGN); try { PrismObject<AccessCertificationDefinitionType> definition = repositoryService.getObject(AccessCertificationDefinitionType.class, definitionOid, null, result); securityEnforcer.authorize(ModelAuthorizationAction.CREATE_CERTIFICATION_CAMPAIGN.getUrl(), null, AuthorizationParameters.Builder.buildObject(definition), null, task, result); return openerHelper.createCampaign(definition, result, task); } catch (RuntimeException e) { result.recordFatalError("Couldn't create certification campaign: unexpected exception: " + e.getMessage(), e); throw e; } finally { result.computeStatusIfUnknown(); } }
private void authorizeNodeCollectionOperation(ModelAuthorizationAction action, Collection<String> identifiers, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException { if (securityEnforcer.isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, AuthorizationParameters.EMPTY, null, task, parentResult)) { return; } for (String identifier : identifiers) { PrismObject<NodeType> existingObject; ObjectQuery q = ObjectQueryUtil.createNameQuery(NodeType.class, prismContext, identifier); List<PrismObject<NodeType>> nodes = cacheRepositoryService.searchObjects(NodeType.class, q, null, parentResult); if (nodes.isEmpty()) { throw new ObjectNotFoundException("Node with identifier '" + identifier + "' couldn't be found."); } else if (nodes.size() > 1) { throw new SystemException("Multiple nodes with identifier '" + identifier + "'"); } existingObject = nodes.get(0); securityEnforcer.authorize(action.getUrl(), null, AuthorizationParameters.Builder.buildObject(existingObject), null, task, parentResult); } }
AuthorizationParameters.Builder.buildObject(testRoleObject), null); AuthorizationParameters.Builder.buildObject(testRoleObject), null);
LOGGER.trace("Denied request for object {}: {} of non-target {} not allowed", object, operationDesc, assignmentElementQName.getLocalPart()); securityEnforcer.failAuthorization(operationDesc, getRequestAuthorizationPhase(context), AuthorizationParameters.Builder.buildObject(object), result);
AuthorizationParameters.Builder.buildObject(campaign.asPrismObject()), null, task, result);
AuthorizationParameters.Builder.buildObject(campaign.asPrismObject()), null, task, result);
AuthorizationParameters.Builder.buildObject(campaign.asPrismObject()), null, task, result);
public void closeCampaign(String campaignOid, boolean noBackgroundTask, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, SecurityViolationException, ObjectAlreadyExistsException, ExpressionEvaluationException, CommunicationException, ConfigurationException { Validate.notNull(campaignOid, "campaignOid"); Validate.notNull(task, "task"); Validate.notNull(parentResult, "parentResult"); OperationResult result = parentResult.createSubresult(OPERATION_CLOSE_CAMPAIGN); try { AccessCertificationCampaignType campaign = generalHelper.getCampaign(campaignOid, null, task, result); securityEnforcer.authorize(ModelAuthorizationAction.CLOSE_CERTIFICATION_CAMPAIGN.getUrl(), null, AuthorizationParameters.Builder.buildObject(campaign.asPrismObject()), null, task, result); closerHelper.closeCampaign(campaign, task, result); if (!noBackgroundTask) { closingTaskHandler.launch(campaign, result); } } catch (RuntimeException e) { result.recordFatalError("Couldn't close certification campaign: unexpected exception: " + e.getMessage(), e); throw e; } finally { result.computeStatusIfUnknown(); } }
@Override public void reiterateCampaign(String campaignOid, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, SecurityViolationException, ObjectAlreadyExistsException, ExpressionEvaluationException, CommunicationException, ConfigurationException { OperationResult result = parentResult.createSubresult(OPERATION_REITERATE_CAMPAIGN); try { AccessCertificationCampaignType campaign = generalHelper.getCampaign(campaignOid, null, task, result); securityEnforcer.authorize(ModelAuthorizationAction.REITERATE_CERTIFICATION_CAMPAIGN.getUrl(), null, AuthorizationParameters.Builder.buildObject(campaign.asPrismObject()), null, task, result); openerHelper.reiterateCampaign(campaign, task, result); } catch (RuntimeException e) { result.recordFatalError("Couldn't reiterate certification campaign: unexpected exception: " + e.getMessage(), e); throw e; } finally { result.computeStatusIfUnknown(); } }
@Override public MidPointPrincipal createDonorPrincipal(MidPointPrincipal attorneyPrincipal, String attorneyAuthorizationAction, PrismObject<UserType> donor, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException { if (attorneyPrincipal.getAttorney() != null) { throw new UnsupportedOperationException("Transitive attorney is not supported yet"); } AuthorizationLimitationsCollector limitationsCollector = new AuthorizationLimitationsCollector(); AuthorizationParameters<UserType, ObjectType> autzParams = AuthorizationParameters.Builder.buildObject(donor); AccessDecision decision = isAuthorizedInternal(attorneyPrincipal, attorneyAuthorizationAction, null, autzParams, null, limitationsCollector, task, result); if (!decision.equals(AccessDecision.ALLOW)) { failAuthorization(attorneyAuthorizationAction, null, autzParams, result); } MidPointPrincipal donorPrincipal = securityContextManager.getUserProfileService().getPrincipal(donor, limitationsCollector, result); donorPrincipal.setAttorney(attorneyPrincipal.getUser()); // chain principals so we can easily drop the power of attorney and return back to original identity donorPrincipal.setPreviousPrincipal(attorneyPrincipal); return donorPrincipal; }
@Override public void stopProcessInstance(String instanceId, String username, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException { if (!securityEnforcer.isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, AuthorizationParameters.EMPTY, null, task, parentResult)) { ObjectQuery query = prismContext.queryFor(TaskType.class) .item(TaskType.F_WORKFLOW_CONTEXT, WfContextType.F_PROCESS_INSTANCE_ID).eq(instanceId) .build(); List<PrismObject<TaskType>> tasks = cacheRepositoryService.searchObjects(TaskType.class, query, GetOperationOptions.createRawCollection(), parentResult); if (tasks.size() > 1) { throw new IllegalStateException("More than one task for process instance ID " + instanceId); } else if (tasks.size() == 0) { throw new ObjectNotFoundException("No task for process instance ID " + instanceId, instanceId); } securityEnforcer.authorize(ModelAuthorizationAction.STOP_APPROVAL_PROCESS_INSTANCE.getUrl(), null, AuthorizationParameters.Builder.buildObject(tasks.get(0)), null, task, parentResult); } getWorkflowManagerChecked().stopProcessInstance(instanceId, username, parentResult); }
private void authorizeTaskCollectionOperation(ModelAuthorizationAction action, Collection<String> oids, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException { if (securityEnforcer.isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, AuthorizationParameters.EMPTY, null, task, parentResult)) { return; } for (String oid : oids) { PrismObject<TaskType> existingObject = cacheRepositoryService.getObject(TaskType.class, oid, null, parentResult); securityEnforcer.authorize(action.getUrl(), null, AuthorizationParameters.Builder.buildObject(existingObject), null, task, parentResult); } }
private void authorizePartialExecution(LensContext<? extends ObjectType> context, ModelExecuteOptions options, Task task, OperationResult result) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException { PartialProcessingOptionsType partialProcessing = ModelExecuteOptions.getPartialProcessing(options); if (partialProcessing != null) { PrismObject<? extends ObjectType> object = context.getFocusContext().getObjectAny(); securityEnforcer.authorize(ModelAuthorizationAction.PARTIAL_EXECUTION.getUrl(), null, AuthorizationParameters.Builder.buildObject(object), null, task, result); } }