/**
 * Builds the search filter used when looking up donors for the attorney (act-on-behalf) feature.
 *
 * <p>The work is delegated to {@code securityEnforcer.preProcessObjectFilter}, called with the
 * attorney action URLs, no authorization phase, no object, the caller's filter and the
 * caller's target authorization action.
 *
 * <p>NOTE(review): {@code origFilter} and {@code targetAuthorizationAction} are passed through
 * without any check in this method. How they are combined with the authorization-derived
 * filter is decided by the enforcer; confirm there that a caller cannot widen the result.
 *
 * @param searchResultType type of the objects the filter will be applied to
 * @param origFilter filter supplied by the caller; handed to the enforcer unchanged
 * @param targetAuthorizationAction action URL handed to the enforcer unchanged
 * @param task task handed to the enforcer
 * @param parentResult operation result handed to the enforcer
 * @return the filter returned by the security enforcer
 */
@Override
public <T extends ObjectType> ObjectFilter getDonorFilter(
        Class<T> searchResultType,
        ObjectFilter origFilter,
        String targetAuthorizationAction,
        Task task,
        OperationResult parentResult)
        throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
        CommunicationException, ConfigurationException, SecurityViolationException {
    // No phase and no object are supplied: only the attorney action URLs, the result type and
    // the caller's filter/target action drive the enforcer's decision.
    ObjectFilter donorFilter = securityEnforcer.preProcessObjectFilter(
            ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ATTORNEY,
            null,
            searchResultType,
            null,
            origFilter,
            targetAuthorizationAction,
            null,
            task,
            parentResult);
    return donorFilter;
}
/**
 * Applies search authorizations to a query before it is executed.
 *
 * <p>The filter of {@code origQuery} (or {@code null} when there is no query) is passed to
 * {@code securityEnforcer.preProcessObjectFilter} together with the search action URLs, and
 * the filter that comes back is handed to {@code updateObjectQuery}.
 *
 * @param objectType type of the objects being searched
 * @param origQuery query supplied by the caller; may be {@code null}
 * @param rootOptions options checked for the execution-phase flag
 * @param task task handed to the enforcer
 * @param result operation result handed to the enforcer
 * @return whatever {@code updateObjectQuery} returns for the original query and the
 *         security-processed filter
 */
private <O extends ObjectType> ObjectQuery preProcessQuerySecurity(
        Class<O> objectType,
        ObjectQuery origQuery,
        GetOperationOptions rootOptions,
        Task task,
        OperationResult result)
        throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
        CommunicationException, ConfigurationException, SecurityViolationException {
    ObjectFilter requestedFilter = origQuery == null ? null : origQuery.getFilter();

    // The phase is pinned to EXECUTION only when the options ask for it; otherwise it stays null.
    // NOTE(review): how the enforcer interprets a null phase is not visible here. Confirm it is
    // the stricter reading, since the flag comes from the request options.
    AuthorizationPhaseType phase = GetOperationOptions.isExecutionPhase(rootOptions)
            ? AuthorizationPhaseType.EXECUTION
            : null;

    ObjectFilter securedFilter = securityEnforcer.preProcessObjectFilter(
            ModelAuthorizationAction.AUTZ_ACTIONS_URLS_SEARCH,
            phase,
            objectType,
            null,
            requestedFilter,
            null,
            null,
            task,
            result);

    return updateObjectQuery(origQuery, securedFilter);
}
/**
 * Applies authorizations to a container (sub-object) search.
 *
 * <p>A security filter for the parent object type is requested from the enforcer using the
 * GET action URLs. Depending on that filter the query is returned untouched, replaced by a
 * "none" filter, or restricted by an "exists on parent" clause that is AND-ed with the
 * caller's own filter when one is present.
 *
 * @param containerType type of the containers being searched
 * @param objectType type of the parent object the GET authorization is evaluated for
 * @param origQuery query supplied by the caller; may be {@code null}
 * @param task task handed to the enforcer
 * @param result operation result handed to the enforcer
 * @return {@code origQuery} itself when the parent filter is {@code null} or an
 *         {@code AllFilter}; otherwise the result of {@code updateObjectQuery}
 */
private <C extends Containerable, O extends ObjectType> ObjectQuery preProcessSubobjectQuerySecurity(
        Class<C> containerType,
        Class<O> objectType,
        ObjectQuery origQuery,
        Task task,
        OperationResult result)
        throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
        CommunicationException, ConfigurationException, SecurityViolationException {
    // Searching containers operates on a single parent object, so GET authorizations are
    // required even though the operation is expressed as a search filter.
    ObjectFilter parentSecurityFilter = securityEnforcer.preProcessObjectFilter(
            ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET,
            null,
            objectType,
            null,
            null,
            null,
            null,
            task,
            result);

    // NOTE(review): a null filter is handled exactly like AllFilter, i.e. as "no restriction".
    // Confirm the enforcer never returns null to signal anything other than allow-all;
    // otherwise this branch fails open.
    if (parentSecurityFilter == null || parentSecurityFilter instanceof AllFilter) {
        return origQuery; // nothing to restrict, the query stays as it is
    }

    // Nothing on the parent is readable: the caller's filter is dropped in favour of "none".
    if (parentSecurityFilter instanceof NoneFilter) {
        return updateObjectQuery(origQuery, FilterCreationUtil.createNone(prismContext));
    }

    ObjectFilter requestedChildFilter = origQuery == null ? null : origQuery.getFilter();

    // The container is visible only if its parent satisfies the parent security filter.
    ObjectFilter parentRestriction = prismContext.queryFactory().createExists(
            ItemName.fromQName(PrismConstants.T_PARENT), // fixme
            containerType,
            prismContext,
            parentSecurityFilter);

    ObjectFilter securedChildFilter = requestedChildFilter == null
            ? parentRestriction
            : prismContext.queryFactory().createAnd(requestedChildFilter, parentRestriction);

    return updateObjectQuery(origQuery, securedChildFilter);
}
orderConstraintsList.add(orderConstraints); try { ObjectFilter filter = securityEnforcer.preProcessObjectFilter(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ASSIGN, AuthorizationPhaseType.REQUEST, targetType, focus, FilterCreationUtil.createAll(prismContext), null, orderConstraintsList, task, result); LOGGER.trace("assignableRoleSpec filter: {}", filter);