/**
 * Resolves the authorization decision for a single item.
 * <p>
 * An explicit item-level decision found in {@code securityConstraints} always wins.
 * Only when none is defined does the caller-supplied {@code defaultDecision} apply
 * (callers in this code base pass the "all items" decision for the same actions and phase,
 * so the fallback is still a constraint-derived value, not an implicit ALLOW).
 *
 * @param securityConstraints compiled constraints of the object being processed; must not be null
 * @param nameOnlyItemPath    item path stripped of container ids (name segments only)
 * @param actionUrls          authorization action URLs the decision is looked up for
 * @param defaultDecision     decision returned when no explicit item decision exists; may be null
 * @param phase               authorization phase the lookup is made for
 * @return the explicit item decision, or {@code defaultDecision} if there is none
 */
public AuthorizationDecisionType computeItemDecision(ObjectSecurityConstraints securityConstraints, ItemPath nameOnlyItemPath, String[] actionUrls, AuthorizationDecisionType defaultDecision, AuthorizationPhaseType phase) {
    AuthorizationDecisionType itemDecision = securityConstraints.findItemDecision(nameOnlyItemPath, actionUrls, phase);
    // null means "no item-specific rule", so fall back to whatever the caller derived for the whole object
    return itemDecision != null ? itemDecision : defaultDecision;
}
LOGGER.trace("Security constrains for getAssignableRoleSpecification on {}:\n{}", focus, securityConstraints==null?null:securityConstraints.debugDump(1)); assignmentPath = SchemaConstants.PATH_INDUCEMENT; AuthorizationDecisionType decision = securityConstraints.findItemDecision(assignmentPath, ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST); LOGGER.trace("getAssignableRoleSpecification decision for {}:{}", assignmentPath, decision); return spec; decision = securityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), AuthorizationPhaseType.REQUEST); if (decision == AuthorizationDecisionType.ALLOW) { getAllRoleTypesSpec(spec, result);
AuthorizationDecisionType globalReadDecision = securityConstraints.findAllItemsDecision(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, phase); if (globalReadDecision == AuthorizationDecisionType.DENY) { AuthorizationDecisionType globalAddDecision = securityConstraints.findAllItemsDecision(ModelAuthorizationAction.ADD.getUrl(), phase); AuthorizationDecisionType globalModifyDecision = securityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase); globalAddDecision, globalModifyDecision, phase)); AuthorizationDecisionType assignmentDecision = securityConstraints.findItemDecision(SchemaConstants.PATH_ASSIGNMENT, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, phase); if (!AuthorizationDecisionType.ALLOW.equals(assignmentDecision)) { if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Security constrains for {}:\n{}", shadow, securityConstraints==null?"null":securityConstraints.debugDump()); securityConstraints.findAllItemsDecision(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, phase), phase); AuthorizationDecisionType attributesAddDecision = schemaTransformer.computeItemDecision(securityConstraints, attributesPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_ADD, securityConstraints.findAllItemsDecision(ModelAuthorizationAction.ADD.getUrl(), phase), phase); AuthorizationDecisionType attributesModifyDecision = schemaTransformer.computeItemDecision(securityConstraints, attributesPath, ModelAuthorizationAction.AUTZ_ACTIONS_URLS_MODIFY, securityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase), phase); LOGGER.trace("Attributes container access read:{}, add:{}, modify:{}", attributesReadDecision, attributesAddDecision, attributesModifyDecision);
/**
 * Compiles the security constraints that apply to {@code object} for the current principal.
 * <p>
 * Default deny: if the enforcer yields no constraints at all, the denial is logged through
 * {@link SecurityUtil#logSecurityDeny} and an {@link AuthorizationException} is thrown, so
 * callers never receive a null constraints object they could mistake for "no restrictions".
 * Any exception escaping this method (including the deliberate denial) is first recorded as a
 * fatal error in {@code result}.
 *
 * @param object the object whose access is being evaluated
 * @param task   current task
 * @param result operation result that records any failure before it is rethrown
 * @return compiled constraints, never null
 * @throws AuthorizationException     when the enforcer returns no constraints
 * @throws SecurityViolationException propagated from the enforcer
 * @throws SchemaException            propagated from the enforcer
 * @throws ConfigurationException     propagated from the enforcer
 * @throws ObjectNotFoundException    propagated from the enforcer
 * @throws ExpressionEvaluationException propagated from the enforcer
 * @throws CommunicationException     propagated from the enforcer
 */
private <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object, Task task, OperationResult result) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
    try {
        ObjectSecurityConstraints compiled = securityEnforcer.compileSecurityConstraints(object, null, task, result);
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Security constraints for {}:\n{}", object, compiled == null ? "null" : compiled.debugDump());
        }
        if (compiled != null) {
            return compiled;
        }
        // No constraints at all is treated as "no access", never as "unrestricted".
        SecurityUtil.logSecurityDeny(object, "because no security constraints are defined (default deny)");
        throw new AuthorizationException("Access denied");
    } catch (Throwable e) {
        // Deliberately broad: even an Error should leave a trace in the operation result.
        // Precise rethrow keeps the declared exception types intact.
        result.recordFatalError(e);
        throw e;
    }
}
/**
 * Applies the authorization constraints of one phase to an object and to its definition.
 * <p>
 * Processing order, which callers rely on:
 * <ol>
 *   <li>an all-items read DENY short-circuits with "Access denied" before any item is inspected;</li>
 *   <li>{@code applySecurityConstraints} is run over the object's items with the global
 *       read/add/modify decisions as fallbacks;</li>
 *   <li>an object left with no items is also rejected explicitly rather than returned empty;</li>
 *   <li>the same decisions are then applied to {@code objectDefinition}.</li>
 * </ol>
 * {@code SecurityViolationException}s and runtime exceptions are recorded as fatal errors in
 * {@code result} before being rethrown; other declared checked exceptions pass through unrecorded.
 * {@code rootOptions} and {@code task} are not used by this method body.
 *
 * @param object              object to restrict in place
 * @param securityConstraints compiled constraints for {@code object}; must not be null
 * @param objectDefinition    definition to restrict in place, in step with the object
 * @param rootOptions         unused here
 * @param phase               authorization phase; must not be null
 * @param task                unused here
 * @param result              operation result receiving fatal errors
 * @throws AuthorizationException when read is denied globally or nothing remains accessible
 * @throws SecurityViolationException propagated from constraint application
 * @throws SchemaException        propagated from constraint application
 * @throws ConfigurationException propagated from constraint application
 * @throws ObjectNotFoundException propagated from constraint application
 */
private <O extends ObjectType> void applySchemasAndSecurityPhase(PrismObject<O> object, ObjectSecurityConstraints securityConstraints, PrismObjectDefinition<O> objectDefinition, GetOperationOptions rootOptions, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException {
    Validate.notNull(phase);
    try {
        AuthorizationDecisionType readAll = securityConstraints.findAllItemsDecision(ModelAuthorizationAction.AUTZ_ACTIONS_URLS_GET, phase);
        if (readAll == AuthorizationDecisionType.DENY) {
            // Nothing can be read at all; do not bother walking the items.
            SecurityUtil.logSecurityDeny(object, "because the authorization denies access");
            throw new AuthorizationException("Access denied");
        }
        AuthorizationDecisionType addAll = securityConstraints.findAllItemsDecision(ModelAuthorizationAction.ADD.getUrl(), phase);
        AuthorizationDecisionType modifyAll = securityConstraints.findAllItemsDecision(ModelAuthorizationAction.MODIFY.getUrl(), phase);

        applySecurityConstraints(object.getValue().getItems(), securityConstraints, readAll, addAll, modifyAll, phase);
        if (object.isEmpty()) {
            // Every item was stripped: report a denial instead of handing back an empty shell.
            SecurityUtil.logSecurityDeny(object, "because the subject has not access to any item");
            throw new AuthorizationException("Access denied");
        }

        applySecurityConstraintsItemDef(objectDefinition, new IdentityHashMap<>(), ItemPath.EMPTY_PATH, securityConstraints, readAll, addAll, modifyAll, phase);
    } catch (SecurityViolationException | RuntimeException e) {
        result.recordFatalError(e);
        throw e;
    }
}
LOGGER.trace("Security constrains for {}:\n{}", object, securityConstraints==null?"null":securityConstraints.debugDump());
AuthorizationDecisionType allItemsDecision = securityConstraints.findAllItemsDecision(deltaOperationUrl, getRequestAuthorizationPhase(context)); if (allItemsDecision == AuthorizationDecisionType.ALLOW) {
/**
 * Looks up the authorization decision for a credential change under the
 * {@code CHANGE_CREDENTIALS} action in the request phase of {@code context}.
 * <p>
 * The delta path is reduced to its named segments first, so container value ids carried
 * by the delta cannot influence which item rule matches.
 *
 * @param context             lens context whose request phase is used
 * @param securityConstraints compiled constraints for the focus object; must not be null
 * @param credentialChange    delta describing the credential change
 * @return the item decision, or null when the constraints define none for that path
 */
private <F extends ObjectType> AuthorizationDecisionType evaluateCredentialDecision(LensContext<F> context, ObjectSecurityConstraints securityConstraints, ItemDelta credentialChange) {
    String changeCredentialsUrl = ModelAuthorizationAction.CHANGE_CREDENTIALS.getUrl();
    return securityConstraints.findItemDecision(
            credentialChange.getPath().namedSegmentsOnly(),
            changeCredentialsUrl,
            getRequestAuthorizationPhase(context));
}
LOGGER.trace("Authorized request for element context {}, constraints:\n{}", elementContext.getHumanReadableName(), securityConstraints.debugDump(1));
/**
 * Decides access to one sub-item of a container value.
 * <p>
 * Returns null (meaning "no decision, does not count") in three cases, checked in this order:
 * the container is being removed and the item is one of the operational items allowed for
 * container delete; the phase is EXECUTION and the item is allowed by default in that phase;
 * or a {@code subitemRootPath} is given and the item is not under it. Otherwise the item
 * decision from {@code securityConstraints} is translated to an {@link AccessDecision}.
 *
 * @param nameOnlyItemPath    item path without container ids
 * @param removingContainer   true when the enclosing container value is being deleted
 * @param securityConstraints compiled constraints; must not be null
 * @param operationUrl        authorization action URL being checked
 * @param phase               authorization phase; may be null (then never treated as EXECUTION)
 * @param subitemRootPath     optional root restricting which items are considered
 * @return the translated decision, or null when the item is exempt or out of scope
 */
private AccessDecision subitemDecide(ItemPath nameOnlyItemPath, boolean removingContainer, ObjectSecurityConstraints securityConstraints, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath) {
    // Short-circuit order matters: each exemption is only evaluated if the previous one did not apply.
    if ((removingContainer && isInList(nameOnlyItemPath, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE))
            || (AuthorizationPhaseType.EXECUTION.equals(phase) && isInList(nameOnlyItemPath, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT))
            || (subitemRootPath != null && !subitemRootPath.isSubPathOrEquivalent(nameOnlyItemPath))) {
        return null;
    }
    AuthorizationDecisionType itemDecision = securityConstraints.findItemDecision(nameOnlyItemPath, operationUrl, phase);
    return AccessDecision.translate(itemDecision);
}
/**
 * Decides sub-item access for a container value by delegating to
 * {@code determineContainerDecision} with a per-item callback.
 * <p>
 * The callback applies the same rules as {@code subitemDecide} in this class: items exempt on
 * container delete, items allowed by default in the EXECUTION phase, and items outside
 * {@code subitemRootPath} yield null; everything else is the translated constraint decision.
 * A {@code MINUS} {@code plusMinusZero} marks the container value as being removed.
 */
@Override
public <C extends Containerable> AccessDecision determineSubitemDecision(
        ObjectSecurityConstraints securityConstraints, PrismContainerValue<C> containerValue, String operationUrl,
        AuthorizationPhaseType phase, ItemPath subitemRootPath, PlusMinusZero plusMinusZero, String decisionContextDesc) {
    boolean containerBeingRemoved = plusMinusZero == PlusMinusZero.MINUS;
    return determineContainerDecision(containerValue, (nameOnlyItemPath, removing) -> {
        // Exemptions are tested in this order; each is skipped once an earlier one applies.
        if ((removing && isInList(nameOnlyItemPath, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE))
                || (AuthorizationPhaseType.EXECUTION.equals(phase) && isInList(nameOnlyItemPath, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT))
                || (subitemRootPath != null && !subitemRootPath.isSubPathOrEquivalent(nameOnlyItemPath))) {
            return null;
        }
        AuthorizationDecisionType itemDecision = securityConstraints.findItemDecision(nameOnlyItemPath, operationUrl, phase);
        return AccessDecision.translate(itemDecision);
    }, containerBeingRemoved, decisionContextDesc);
}
}