/**
 * Returns the OID of the user bound to the current Spring security context.
 *
 * NOTE(review): there is no null guard here — an unauthenticated context (null
 * Authentication) or a principal that is not a MidPointPrincipal surfaces as an
 * NPE / ClassCastException. Callers must only use this once authentication is
 * established.
 */
protected String getSecurityContextUserOid() {
    Object contextPrincipal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    MidPointPrincipal midPointPrincipal = (MidPointPrincipal) contextPrincipal;
    return midPointPrincipal.getOid();
}
/**
 * Decides whether {@code principal} may act for the user identified by
 * {@code eligibleUserOid}: either it is that very user, or its user object holds a
 * delegation (deputy relation) from that user.
 *
 * @param principal         the acting principal (must have an OID)
 * @param eligibleUserOid   OID of the user whose rights are being exercised
 * @param relationRegistry  used by DeputyUtils to recognise delegation relations
 * @return true when the principal is the user or one of its deputies
 */
public boolean isEqualOrDeputyOf(MidPointPrincipal principal, String eligibleUserOid, RelationRegistry relationRegistry) {
    if (principal.getOid().equals(eligibleUserOid)) {
        return true;
    }
    // Not the same user: fall back to the delegation (deputy) relationship.
    return DeputyUtils.isDelegationPresent(principal.getUser(), eligibleUserOid, relationRegistry);
}
/**
 * Tells whether the currently logged-in user may claim the given Activiti task.
 *
 * The decision is delegated to the task's candidate users/groups; any failure to
 * obtain a usable principal is treated as "not authorized" rather than an error.
 *
 * @param taskId Activiti task id of the work item
 * @return true only when a principal with an OID is among the task candidates
 */
public boolean isAuthorizedToClaim(String taskId) {
    MidPointPrincipal currentPrincipal;
    try {
        currentPrincipal = securityContextManager.getPrincipal();
    } catch (SecurityViolationException e) {
        // No usable principal in the security context: deny, do not propagate.
        return false;
    }
    if (currentPrincipal.getOid() == null) {
        // A principal without a persistent user OID can never match a candidate.
        return false;
    }
    return isAmongCandidates(currentPrincipal, taskId);
}
/**
 * Persists the (possibly modified) user carried by the principal.
 *
 * Failures are logged with their stack trace and otherwise swallowed: this is a
 * best-effort write-back and must not break the caller.
 *
 * @param principal principal whose user object is written to the repository
 */
@Override
public void updateUser(MidPointPrincipal principal) {
    OperationResult opResult = new OperationResult(OPERATION_UPDATE_USER);
    try {
        save(principal, opResult);
    } catch (Exception ex) {
        logSaveFailure(principal, ex);
    }
}

/** Logs a failed principal save, including the stack trace, without propagating it. */
private void logSaveFailure(MidPointPrincipal principal, Exception ex) {
    LOGGER.warn("Couldn't save user '{}, ({})', reason: {}.",
            principal.getFullName(), principal.getOid(), ex.getMessage(), ex);
}
/**
 * Builds the list of user references that the given principal may act as when
 * looking for work items: the user itself plus every delegator whose delegation
 * limitations allow the item named by {@code limitationItemName}.
 *
 * @param principal          the logged-in principal
 * @param limitationItemName item checked against each delegator's limitations
 * @param relationRegistry   source of the default relation used on the references
 * @return references (self first, then permitted delegators), all with the default relation
 */
private static List<PrismReferenceValue> getPotentialAssigneesForUser(MidPointPrincipal principal, QName limitationItemName, RelationRegistry relationRegistry) {
    // WorkItem.assigneeRef is expected to carry only the default relation, so every
    // reference produced here uses it.
    QName defaultRelation = relationRegistry.getDefaultRelation();
    List<PrismReferenceValue> assignees = new ArrayList<>();

    // The user himself is always a potential assignee.
    PrismReferenceValue selfRef = ObjectTypeUtil.createObjectRef(principal.getOid(), ObjectTypes.USER)
            .relation(defaultRelation)
            .asReferenceValue();
    assignees.add(selfRef);

    // Delegators are added only when their limitations permit this particular item.
    for (DelegatorWithOtherPrivilegesLimitations delegation : principal.getDelegatorWithOtherPrivilegesLimitationsCollection()) {
        if (!DeputyUtils.limitationsAllow(delegation.getLimitations(), limitationItemName)) {
            continue;
        }
        assignees.add(ObjectTypeUtil.createObjectRef(delegation.getDelegator(), defaultRelation).asReferenceValue());
    }
    return assignees;
}
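/**
 * Persists the (possibly modified) user carried by the principal.
 *
 * Failures are logged and otherwise swallowed: this is a best-effort write-back
 * and must not break the caller.
 *
 * @param principal principal whose user object is written to the repository
 */
@Override
public void updateUser(MidPointPrincipal principal) {
    OperationResult result = new OperationResult(OPERATION_UPDATE_USER);
    try {
        save(principal, result);
    } catch (Exception ex) {
        // Pass the exception itself as the trailing argument so the stack trace is
        // logged; the previous Object[] form only recorded the message and lost the
        // cause, which made repository failures here practically undiagnosable.
        LOGGER.warn("Couldn't save user '{}, ({})', reason: {}.",
                principal.getFullName(), principal.getOid(), ex.getMessage(), ex);
    }
}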
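/**
 * Test helper: records a certification decision for the single current work item
 * of {@code aCase} belonging to the reviewer.
 *
 * When {@code reviewerOid} is given, the helper temporarily logs in as that user
 * and restores the previous Spring authentication afterwards — now also when the
 * assertion or the manager call throws, so a failing test no longer leaks the
 * impersonated reviewer into the security context of subsequent tests.
 * When {@code reviewerOid} is null, the currently logged-in principal is used.
 *
 * @param campaignOid  certification campaign OID
 * @param aCase        case whose current-stage/iteration work item is decided
 * @param response     decision to record
 * @param comment      reviewer comment
 * @param reviewerOid  reviewer to impersonate, or null for the current principal
 * @param task         task used for the manager call
 * @param result       operation result for the manager call
 * @throws AssertionError when the reviewer does not have exactly one current work item on the case
 */
protected void recordDecision(String campaignOid, AccessCertificationCaseType aCase, AccessCertificationResponseType response, String comment, String reviewerOid, Task task, OperationResult result) throws CommunicationException, ObjectNotFoundException, ObjectAlreadyExistsException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
    boolean impersonate = reviewerOid != null;
    // Capture the caller's authentication before anything can replace it.
    Authentication originalAuthentication = impersonate
            ? SecurityContextHolder.getContext().getAuthentication()
            : null;
    try {
        String realReviewerOid;
        if (impersonate) {
            login(getUser(reviewerOid));
            realReviewerOid = reviewerOid;
        } else {
            realReviewerOid = securityContextManager.getPrincipal().getOid();
        }
        // Only work items of the current stage and iteration assigned to the reviewer count.
        List<AccessCertificationWorkItemType> workItems = aCase.getWorkItem().stream()
                .filter(wi -> ObjectTypeUtil.containsOid(wi.getAssigneeRef(), realReviewerOid))
                .filter(wi -> wi.getStageNumber() == aCase.getStageNumber())
                .filter(wi -> norm(wi.getIteration()) == norm(aCase.getIteration()))
                .collect(Collectors.toList());
        assertEquals("Wrong # of current work items for " + realReviewerOid + " in " + aCase, 1, workItems.size());
        long id = aCase.asPrismContainerValue().getId();
        certificationManager.recordDecision(campaignOid, id, workItems.get(0).getId(), response, comment, task, result);
    } finally {
        // Always undo the impersonation, even on assertion failure or exception.
        if (impersonate) {
            SecurityContextHolder.getContext().setAuthentication(originalAuthentication);
        }
    }
}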
String desc = MiscDataUtil.stringToRef(task.getAssignee()).getOid().equals(principal.getOid()) ? "the current" : "another"; throw new SystemException("The work item is already assigned to "+desc+" user"); throw new SecurityViolationException("You are not authorized to claim the selected work item."); taskService.claim(workItemId, principal.getOid()); task = taskService.createTaskQuery().taskId(workItemId).singleResult(); if (task == null) { throw new ObjectNotFoundException("The work item does not exist"); setNewAssignees(task, Collections.singletonList(ObjectTypeUtil.createObjectRef(principal.getOid(), ObjectTypes.USER)), taskService); } catch (ObjectNotFoundException|SecurityViolationException|RuntimeException e) { result.recordFatalError("Couldn't claim the work item " + workItemId + ": " + e.getMessage(), e);
/**
 * Writes the principal's in-memory user back to the repository as a delta against
 * the stored version.
 *
 * @param person principal whose user object is persisted
 * @param result operation result used for the repository read
 * @return the same principal, unchanged
 * @throws ObjectNotFoundException      when the stored user does not exist
 * @throws SchemaException              on schema problems in the read or the delta
 * @throws ObjectAlreadyExistsException propagated from the repository modification
 */
private MidPointPrincipal save(MidPointPrincipal person, OperationResult result) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
    // Diff the stored user against the in-memory one and push only the difference.
    PrismObject<UserType> storedUser = getUserByOid(person.getOid(), result).asPrismObject();
    PrismObject<UserType> currentUser = person.getUser().asPrismObject();
    ObjectDelta<UserType> delta = storedUser.diff(currentUser);
    if (LOGGER.isTraceEnabled()) {
        // debugDump() is costly, hence the explicit level guard.
        LOGGER.trace("Updating user {} with delta:\n{}", currentUser, delta.debugDump());
    }
    // NOTE(review): the modification is recorded into a fresh OperationResult rather
    // than the caller-supplied one, so callers do not see its outcome in their result.
    OperationResult modifyResult = new OperationResult(OPERATION_UPDATE_USER);
    repositoryService.modifyObject(UserType.class, delta.getOid(), delta.getModifications(), modifyResult);
    return person;
}
/**
 * Checks whether the principal is a candidate for the Activiti task: either listed
 * directly as a candidate user (by OID) or a member of one of its candidate groups.
 *
 * @param principal principal being checked (its OID is compared with candidate user ids)
 * @param taskId    Activiti task id
 * @return true when the principal matches a candidate user or group; false when the
 *         task does not exist
 * @throws SystemException when Activiti fails to return the task or its identity links
 */
private boolean isAmongCandidates(MidPointPrincipal principal, String taskId) {
    String userOid = principal.getOid();
    List<IdentityLink> links;
    try {
        TaskService taskService = activitiEngine.getTaskService();
        // Activiti NPEs on identity links of a missing task (MID-3799.6), so verify
        // the task exists before asking for them.
        org.activiti.engine.task.Task activitiTask = taskService.createTaskQuery()
                .taskId(taskId)
                .singleResult();
        if (activitiTask == null) {
            return false;
        }
        links = taskService.getIdentityLinksForTask(taskId);
    } catch (ActivitiException e) {
        throw new SystemException("Couldn't determine user authorization, because the task candidate users and groups couldn't be retrieved: " + e.getMessage(), e);
    }
    for (IdentityLink link : links) {
        String candidateUserId = link.getUserId();
        if (candidateUserId != null && candidateUserId.equals(userOid)) {
            return true;
        }
        String candidateGroupId = link.getGroupId();
        if (candidateGroupId != null && isMemberOfActivitiGroup(principal.getUser(), candidateGroupId)) {
            return true;
        }
    }
    return false;
}
/**
 * Test assertion: the principal must represent user "jack" (username and OID), and
 * its embedded user object must pass the UserType variant of this check.
 *
 * @param principal principal to verify
 */
protected void assertJack(MidPointPrincipal principal) {
    display("Principal jack", principal);
    String actualUsername = principal.getUsername();
    String actualOid = principal.getOid();
    assertEquals("wrong username", USER_JACK_USERNAME, actualUsername);
    assertEquals("wrong oid", USER_JACK_OID, actualOid);
    // The user-object checks live in the UserType overload.
    assertJack(principal.getUser());
}
/**
 * Authorization check for an operation on a work item.
 *
 * Order of evaluation: (1) a principal with an OID is required; (2) the "all"
 * action authorizes unconditionally; (3) if the operation defines an "own" action
 * the principal must hold it, otherwise access is denied; (4) finally the principal
 * must be an assignee of the work item (or a deputy of one), or an Activiti
 * candidate for its task.
 *
 * @param workItem  work item being accessed
 * @param operation requested operation (carries the "all" and optional "own" action URLs)
 * @param task      task used for the security enforcer calls
 * @param result    operation result for the security enforcer calls
 * @return true when the operation is permitted
 * @throws SystemException wrapping a SchemaException from the security enforcer
 */
public boolean isAuthorized(WorkItemType workItem, RequestedOperation operation, Task task, OperationResult result) throws ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
    MidPointPrincipal principal;
    try {
        principal = securityContextManager.getPrincipal();
    } catch (SecurityViolationException e) {
        return false;
    }
    if (principal.getOid() == null) {
        return false;
    }
    try {
        boolean allowedForAll = securityEnforcer.isAuthorized(operation.actionAll.getUrl(), null, AuthorizationParameters.EMPTY, null, task, result);
        if (allowedForAll) {
            return true;
        }
        boolean ownActionDefined = operation.actionOwn != null;
        if (ownActionDefined && !securityEnforcer.isAuthorized(operation.actionOwn.getUrl(), null, AuthorizationParameters.EMPTY, null, task, result)) {
            return false;
        }
    } catch (SchemaException e) {
        throw new SystemException(e.getMessage(), e);
    }
    // Per-item relationship: direct assignee or deputy of one ...
    boolean assigneeOrDeputy = workItem.getAssigneeRef().stream()
            .anyMatch(assignee -> isEqualOrDeputyOf(principal, assignee.getOid(), relationRegistry));
    if (assigneeOrDeputy) {
        return true;
    }
    // ... otherwise a candidate of the underlying Activiti task.
    return isAmongCandidates(principal, workItem.getExternalId());
}
throw new SystemException("The work item is not assigned to a user"); if (!MiscDataUtil.stringToRef(task.getAssignee()).getOid().equals(principal.getOid())) { throw new SystemException("The work item is not assigned to the current user");
/**
 * Writes the principal's in-memory user back to the repository as a delta against
 * the stored version.
 *
 * @param person principal whose user object is persisted
 * @param result operation result used for the repository read
 * @return the same principal, unchanged
 * @throws ObjectNotFoundException      when the stored user does not exist
 * @throws SchemaException              on schema problems in the read or the delta
 * @throws ObjectAlreadyExistsException propagated from the repository modification
 */
private MidPointPrincipal save(MidPointPrincipal person, OperationResult result) throws ObjectNotFoundException, SchemaException, ObjectAlreadyExistsException {
    // Diff the stored user against the in-memory one and push only the difference.
    PrismObject<UserType> storedUser = getUserByOid(person.getOid(), result).asPrismObject();
    PrismObject<UserType> currentUser = person.getUser().asPrismObject();
    ObjectDelta<UserType> delta = storedUser.diff(currentUser);
    // NOTE(review): the modification is recorded into a fresh OperationResult rather
    // than the caller-supplied one, so callers do not see its outcome in their result.
    OperationResult modifyResult = new OperationResult(OPERATION_UPDATE_USER);
    repositoryService.modifyObject(UserType.class, delta.getOid(), delta.getModifications(), modifyResult);
    return person;
}
/**
 * Guybrush has no roles: his principal must carry no authorities and must be
 * denied both the "loot" and the "command" actions.
 */
@Test
public void test052GetUserGuybrush() throws Exception {
    final String TEST_NAME = "test052GetUserGuybrush";
    displayTestTitle(TEST_NAME);
    // Make sure no authentication from an earlier test influences principal creation.
    resetAuthentication();

    // WHEN
    MidPointPrincipal guybrush = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", guybrush);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, guybrush.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, guybrush.getOid());
    assertTrue("Unexpected authorizations", guybrush.getAuthorities().isEmpty());

    PrismObject<UserType> guybrushUser = guybrush.getUser().asPrismObject();
    display("User in principal guybrush", guybrushUser);
    guybrushUser.checkConsistence(true, true);

    assertNotAuthorized(guybrush, AUTZ_LOOT_URL);
    assertNotAuthorized(guybrush, AUTZ_COMMAND_URL);
}
/**
 * Barbossa has no roles: his principal must exist, carry no authorities, and be
 * denied both the "loot" and the "command" actions.
 */
@Test
public void test051GetUserBarbossa() throws Exception {
    final String TEST_NAME = "test051GetUserBarbossa";
    displayTestTitle(TEST_NAME);
    // Make sure no authentication from an earlier test influences principal creation.
    resetAuthentication();

    // WHEN
    MidPointPrincipal barbossa = userProfileService.getPrincipal(USER_BARBOSSA_USERNAME);

    // THEN
    display("Principal barbossa", barbossa);
    assertNotNull("No principal for username "+USER_BARBOSSA_USERNAME, barbossa);
    assertEquals("wrong username", USER_BARBOSSA_USERNAME, barbossa.getUsername());
    assertEquals("wrong oid", USER_BARBOSSA_OID, barbossa.getOid());
    assertTrue("Unexpected authorizations", barbossa.getAuthorities().isEmpty());

    PrismObject<UserType> barbossaUser = barbossa.getUser().asPrismObject();
    display("User in principal barbossa", barbossaUser);
    barbossaUser.checkConsistence(true, true);

    assertNotAuthorized(barbossa, AUTZ_LOOT_URL);
    assertNotAuthorized(barbossa, AUTZ_COMMAND_URL);
}
/**
 * After the conditional role is unassigned from guybrush, his principal must again
 * carry no authorities and be denied "loot" and "command".
 */
@Test
public void test062GuybrushConditionalRoleUnassign() throws Exception {
    final String TEST_NAME = "test062GuybrushConditionalRoleUnassign";
    displayTestTitle(TEST_NAME);

    // Setup runs as administrator; the principal under test is computed unauthenticated.
    login(USER_ADMINISTRATOR_USERNAME);
    unassignRole(USER_GUYBRUSH_OID, ROLE_CONDITIONAL_OID);
    resetAuthentication();

    // WHEN
    MidPointPrincipal guybrush = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", guybrush);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, guybrush.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, guybrush.getOid());
    assertTrue("Unexpected authorizations", guybrush.getAuthorities().isEmpty());

    PrismObject<UserType> guybrushUser = guybrush.getUser().asPrismObject();
    display("User in principal guybrush", guybrushUser);
    guybrushUser.checkConsistence(true, true);

    assertNotAuthorized(guybrush, AUTZ_LOOT_URL);
    assertNotAuthorized(guybrush, AUTZ_COMMAND_URL);
}
/**
 * Guybrush gets the conditional role, but its condition does not hold yet: the
 * principal must carry no authorities and be denied every checked action,
 * including the "superspecial" one the role would otherwise grant.
 */
@Test
public void test060GuybrushConditionalRoleFalse() throws Exception {
    final String TEST_NAME = "test060GuybrushConditionalRoleFalse";
    displayTestTitle(TEST_NAME);

    // Setup runs as administrator; the principal under test is computed unauthenticated.
    login(USER_ADMINISTRATOR_USERNAME);
    assignRole(USER_GUYBRUSH_OID, ROLE_CONDITIONAL_OID);
    resetAuthentication();

    // WHEN
    MidPointPrincipal guybrush = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", guybrush);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, guybrush.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, guybrush.getOid());
    assertTrue("Unexpected authorizations", guybrush.getAuthorities().isEmpty());

    PrismObject<UserType> guybrushUser = guybrush.getUser().asPrismObject();
    display("User in principal guybrush", guybrushUser);
    guybrushUser.checkConsistence(true, true);

    assertNotAuthorized(guybrush, AUTZ_LOOT_URL);
    assertNotAuthorized(guybrush, AUTZ_COMMAND_URL);
    assertNotAuthorized(guybrush, AUTZ_SUPERSPECIAL_URL);
    assertNotAuthorized(guybrush, AUTZ_NONSENSE_URL);
}
/**
 * Setting guybrush's subtype to "special" satisfies the conditional role: the
 * principal must now be authorized for "superspecial" and nothing else that is checked.
 */
@Test
public void test061GuybrushConditionalRoleTrue() throws Exception {
    final String TEST_NAME = "test061GuybrushConditionalRoleTrue";
    displayTestTitle(TEST_NAME);

    // Setup runs as administrator; the principal under test is computed unauthenticated.
    login(USER_ADMINISTRATOR_USERNAME);
    Task setupTask = createTask(TEST_NAME);
    OperationResult setupResult = setupTask.getResult();
    modifyUserReplace(USER_GUYBRUSH_OID, UserType.F_SUBTYPE, setupTask, setupResult, "special");
    resetAuthentication();

    // WHEN
    TestUtil.displayWhen(TEST_NAME);
    MidPointPrincipal guybrush = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    TestUtil.displayThen(TEST_NAME);
    display("Principal guybrush", guybrush);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, guybrush.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, guybrush.getOid());

    PrismObject<UserType> guybrushUser = guybrush.getUser().asPrismObject();
    display("User in principal guybrush", guybrushUser);
    guybrushUser.checkConsistence(true, true);

    assertAuthorized(guybrush, AUTZ_SUPERSPECIAL_URL);
    assertNotAuthorized(guybrush, AUTZ_LOOT_URL);
    assertNotAuthorized(guybrush, AUTZ_COMMAND_URL);
    assertNotAuthorized(guybrush, AUTZ_CAPSIZE_URL);
    assertNotAuthorized(guybrush, AUTZ_NONSENSE_URL);
}