private static boolean isPathInSelected(ItemPath path, ItemPath selected) { if (selected == null || path == null) { return false; } else { return selected.isSubPathOrEquivalent(path); } }
public static boolean isAmongHiddenPaths(ItemPath path, List<ItemPath> hiddenPaths) { if (hiddenPaths == null) { return false; } for (ItemPath hiddenPath : hiddenPaths) { if (hiddenPath.isSubPathOrEquivalent(path)) { return true; } } return false; }
private boolean isInList(ItemPath itemPath, Collection<ItemPath> allowedItems) { boolean itemAllowed = false; for (ItemPath allowedPath: allowedItems) { if (allowedPath.isSubPathOrEquivalent(itemPath)) { itemAllowed = true; break; } } return itemAllowed; }
public boolean matchesStartOf(ItemPath itemPath) { return this.itemPath.isSubPathOrEquivalent(itemPath); }
/** * Returns true if the collection contains a subpath of or equivalent path to the given path. * I.e. having collection = { A/B, A/C } * then the method for this collection and 'path' returns: * - path = A/B -> true * - path = A -> false * - path = A/B/C -> true * - path = X -> false */ public static boolean containsSubpathOrEquivalent(Collection<? extends ItemPath> paths, ItemPath pathToBeFound) { for (ItemPath path : paths) { if (path.isSubPathOrEquivalent(pathToBeFound)) { return true; } } return false; }
public boolean isApplicable(ItemPath nameOnlyItemPath) { if (allItems) { return true; } for (ItemPath includedItem: includedItems) { if (includedItem.isSubPathOrEquivalent(nameOnlyItemPath)) { return true; } } if (excludedItems.isEmpty()) { return false; } for (ItemPath excludedItem: excludedItems) { CompareResult result = excludedItem.compareComplex(nameOnlyItemPath); // This is tricky. We really want to exclude all related paths: // subpaths, superpaths and (obviously) the item itself // Exclusion of subpaths are quite obtious. // But we also need to exclude superpaths. If we don't to this // then we efficiently grant access to the superpath element which // will also apply to this element - and that would include it. if (result != CompareResult.NO_RELATION) { return false; } } return true; }
public static void onShadowModifyOperation(Collection<? extends ItemDelta> deltas) { // here we must be very cautious; we do not know which attributes are naming ones! // so in case of any attribute change, let's clear the cache // (actually, currently only naming attributes are stored in repo) Cache cache = Cache.getCache(); if (cache == null) { return; } ItemPath attributesPath = ShadowType.F_ATTRIBUTES; for (ItemDelta itemDelta : deltas) { if (attributesPath.isSubPathOrEquivalent(itemDelta.getParentPath())) { log("Clearing cache on shadow attribute modify operation"); cache.conflictFreeSituations.clear(); return; } } }
public static boolean pathMatches(@NotNull Collection<? extends ItemDelta<?, ?>> deltas, @NotNull ItemPath path, int segmentsToSkip, boolean exactMatch) { for (ItemDelta<?, ?> delta : deltas) { ItemPath modifiedPath = delta.getPath().rest(segmentsToSkip).removeIds(); // because of extension/cities[2]/name (in delta) vs. extension/cities/name (in spec) if (exactMatch) { if (path.equivalent(modifiedPath)) { return true; } } else { if (path.isSubPathOrEquivalent(modifiedPath)) { return true; } } } return false; }
/** * Checks if we do not try to modify assignment.targetRef or assignment.construction.kind or intent. * * @param context * @param <F> * @throws SchemaException */ private <F extends AssignmentHolderType> void checkAssignmentDeltaSanity(LensContext<F> context) throws SchemaException { ObjectDelta<F> focusDelta = context.getFocusContext().getDelta(); if (focusDelta == null || !focusDelta.isModify() || focusDelta.getModifications() == null) { return; } for (@SuppressWarnings("rawtypes") ItemDelta itemDelta : focusDelta.getModifications()) { ItemPath itemPath = itemDelta.getPath().namedSegmentsOnly(); if (SchemaConstants.PATH_ASSIGNMENT_TARGET_REF.isSubPathOrEquivalent(itemPath)) { throw new SchemaException("It is not allowed to change targetRef in an assignment. Offending path: " + itemPath); } if (SchemaConstants.PATH_ASSIGNMENT_CONSTRUCTION_KIND.isSubPathOrEquivalent(itemPath)) { throw new SchemaException("It is not allowed to change construction.kind in an assignment. Offending path: " + itemPath); } if (SchemaConstants.PATH_ASSIGNMENT_CONSTRUCTION_INTENT.isSubPathOrEquivalent(itemPath)) { throw new SchemaException("It is not allowed to change construction.intent in an assignment. Offending path: " + itemPath); } // TODO some mechanism to detect changing kind/intent by add/delete/replace whole ConstructionType (should be implemented in the caller) } }
private AccessDecision subitemDecide(ItemPath nameOnlyItemPath, boolean removingContainer, ObjectSecurityConstraints securityConstraints, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath) { if (removingContainer && isInList(nameOnlyItemPath, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE)) { return null; } if (AuthorizationPhaseType.EXECUTION.equals(phase) && isInList(nameOnlyItemPath, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT)) { return null; } if (subitemRootPath != null && !subitemRootPath.isSubPathOrEquivalent(nameOnlyItemPath)) { // LOGGER.trace("subitem decision: {} <=> {} (not under root) : {}", subitemRootPath, nameOnlyItemPath, null); return null; } AuthorizationDecisionType authorizationDecisionType = securityConstraints.findItemDecision(nameOnlyItemPath, operationUrl, phase); AccessDecision decision = AccessDecision.translate(authorizationDecisionType); // LOGGER.trace("subitem decision: {} <=> {} : {}", subitemRootPath, nameOnlyItemPath, decision); return decision; }
@Override public <C extends Containerable> AccessDecision determineSubitemDecision( ObjectSecurityConstraints securityConstraints, PrismContainerValue<C> containerValue, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath, PlusMinusZero plusMinusZero, String decisionContextDesc) { boolean removingContainer = false; if (plusMinusZero == PlusMinusZero.MINUS) { removingContainer = true; } return determineContainerDecision(containerValue, (nameOnlyItemPath, lRemovingContainer) -> { if (lRemovingContainer && isInList(nameOnlyItemPath, AuthorizationConstants.OPERATIONAL_ITEMS_ALLOWED_FOR_CONTAINER_DELETE)) { return null; } if (AuthorizationPhaseType.EXECUTION.equals(phase) && isInList(nameOnlyItemPath, AuthorizationConstants.EXECUTION_ITEMS_ALLOWED_BY_DEFAULT)) { return null; } if (subitemRootPath != null && !subitemRootPath.isSubPathOrEquivalent(nameOnlyItemPath)) { // LOGGER.trace("subitem decision: {} <=> {} (not under root) : {}", subitemRootPath, nameOnlyItemPath, null); return null; } AuthorizationDecisionType authorizationDecisionType = securityConstraints.findItemDecision(nameOnlyItemPath, operationUrl, phase); AccessDecision decision = AccessDecision.translate(authorizationDecisionType); // LOGGER.trace("subitem decision: {} <=> {} : {}", subitemRootPath, nameOnlyItemPath, decision); return decision; }, removingContainer, decisionContextDesc); } }
private boolean containsItem(ItemDelta itemDelta, ItemPath itemPath) { ItemPath namesOnlyPathTested = itemPath.namedSegmentsOnly(); ItemPath namesOnlyPathInDelta = itemDelta.getPath().namedSegmentsOnly(); if (namesOnlyPathTested.isSubPathOrEquivalent(namesOnlyPathInDelta)) { return true; } // however, we can add/delete whole container (containing part of the path) // e.g. we can test for activation/administrativeStatus, and the delta is: // ADD activation VALUE (administrativeStatus=ENABLED) if (!namesOnlyPathInDelta.isSubPath(namesOnlyPathTested)) { return false; } // for ADD values we know // for REPLACE values we know - for values being added, but NOT for values being left behind // for DELETE we have a problem if we are deleting "by ID" - we just don't know if the value being deleted contains the path in question or not ItemPath remainder = namesOnlyPathTested.remainder(namesOnlyPathInDelta); return containsItemInValues(itemDelta.getValuesToAdd(), remainder) || containsItemInValues(itemDelta.getValuesToReplace(), remainder) || containsItemInValues(itemDelta.getValuesToDelete(), remainder); }
assertFalse(pathFoo.isSubPath(empty)); assertTrue(pathFoo123Bar.isSubPathOrEquivalent(pathFoo123BarBaz)); assertFalse(pathFoo123Bar.isSubPathOrEquivalent(pathZoo)); assertFalse(pathFoo123Bar.isSubPathOrEquivalent(pathFoo123BazBaz)); assertFalse(pathFooBar.isSubPathOrEquivalent(pathFoo123BarBaz)); assertFalse(pathFooBar.isSubPathOrEquivalent(pathZoo)); assertFalse(pathFooBar.isSubPathOrEquivalent(pathFoo123BazBaz)); assertTrue(pathFooBar.isSubPathOrEquivalent(pathFoo123BarBaz.namedSegmentsOnly())); assertTrue(pathFooBar.isSubPathOrEquivalent(pathFooBar)); assertFalse(pathFooBar.isSubPathOrEquivalent(pathZoo)); assertFalse(pathFooBar.isSubPathOrEquivalent(pathFooBazBaz));