Interface SecurityEnforcer
public interface SecurityEnforcer
Author: Radovan Semancik
Method Summary
Modifier and Type, Method, Description

default void authorize(String operationUrl, Task task, OperationResult result)
    Convenience variant of authorize(String, AuthorizationPhaseType, AuthorizationParameters, OwnerResolver, Task, OperationResult) that is to be used when there is no object, target, nor other parameters.
<O extends ObjectType,T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase, AuthorizationParameters<O,T> params, OwnerResolver ownerResolver, Task task, OperationResult result)
    Evaluates authorization: simply returns if the currently logged-in user is authorized for a specified action.
default void authorizeAll(Task task, OperationResult result)
<T extends ObjectType,O extends ObjectType> boolean canSearch(String[] operationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, PrismObject<O> object, boolean includeSpecial, ObjectFilter filter, Task task, OperationResult result)
    Question: does object make any sense here? E.g.
<O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object, boolean fullInformationAvailable, OwnerResolver ownerResolver, Task task, OperationResult result)
<T extends ObjectType,O extends ObjectType,F> F computeSecurityFilter(MidPointPrincipal principal, String[] operationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, PrismObject<O> object, ObjectFilter origFilter, String limitAuthorizationAction, List<OrderConstraintsType> paramOrderConstraints, FilterGizmo<F> gizmo, Task task, OperationResult result)
<F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal attorneyPrincipal, String attorneyAuthorizationAction, PrismObject<F> donor, Task task, OperationResult result)
<O extends ObjectType,T extends ObjectType> AccessDecision decideAccess(MidPointPrincipal principal, Collection<String> requiredActions, AuthorizationParameters<O,T> params, Task task, OperationResult result)
    Simple access control decision similar to that used by Spring Security.
AccessDecision decideAccess(MidPointPrincipal principal, Collection<String> requiredActions, Task task, OperationResult result)
    Simple access control decision similar to that used by Spring Security.
<O extends ObjectType> AccessDecision determineSubitemDecision(ObjectSecurityConstraints securityConstraints, ObjectDelta<O> delta, PrismObject<O> currentObject, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath)
<C extends Containerable> AccessDecision determineSubitemDecision(ObjectSecurityConstraints securityConstraints, PrismContainerValue<C> containerValue, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath, PlusMinusZero plusMinusZero, String decisionContextDesc)
<O extends ObjectType,T extends ObjectType> void failAuthorization(String operationUrl, AuthorizationPhaseType phase, AuthorizationParameters<O,T> params, OperationResult result)
    Produces authorization error with proper message and logs it using proper logger.
<O extends ObjectType,R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String operationUrl, PrismObject<O> object, PrismObject<R> target, OwnerResolver ownerResolver, Task task, OperationResult result)
    Returns decisions for individual items for "assign" authorization.
MidPointPrincipal getMidPointPrincipal()
default boolean hasAnyAllowAuthorization(@NotNull List<String> actions, @Nullable AuthorizationPhaseType phase)
    Checks if the currently logged-in user is authorized for any of the specified actions.
<O extends ObjectType,T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase, AuthorizationParameters<O,T> params, OwnerResolver ownerResolver, Task task, OperationResult result)
    Returns true if the currently logged-in user is authorized for specified action, returns false otherwise.
<T extends ObjectType,O extends ObjectType> ObjectFilter preProcessObjectFilter(String[] operationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, PrismObject<O> object, ObjectFilter origFilter, String limitAuthorizationAction, List<OrderConstraintsType> paramOrderConstraints, Task task, OperationResult result)
    Returns a filter that applies to all the objects/targets for which the principal is authorized.
Method Detail
-
decideAccess
AccessDecision decideAccess(MidPointPrincipal principal, Collection<String> requiredActions, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Simple access control decision similar to that used by Spring Security. It is practically applicable only for simple (non-parametric) cases such as access to GUI pages. However, it supports authorization hierarchies. Therefore the ordering of elements in required actions is important.
-
hasAnyAllowAuthorization
default boolean hasAnyAllowAuthorization(@NotNull List<String> actions, @Nullable AuthorizationPhaseType phase)
Checks if the currently logged-in user is authorized for any of the specified actions. BEWARE: Only for preliminary/coarse-grained decisions! Use only when followed by more precise authorization checks. For example, it ignores any object or target qualification, DENY authorizations, and so on.
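The warning above in practice, as an added example that is not part of the midPoint code base: hasAnyAllowAuthorization only decides whether a control is worth rendering, and authorize with concrete parameters gates the actual change. The class name, the modifyActionUrl value and the Runnable callback are hypothetical; midPoint imports are left out because this page does not list the packages of the types it names.

```java
// midPoint imports omitted: the page names these types but not their packages.
import java.util.List;

/** Added illustration: coarse pre-check for rendering, precise check before acting. */
public class GuardedUserAction {

    private final SecurityEnforcer securityEnforcer;

    public GuardedUserAction(SecurityEnforcer securityEnforcer) {
        this.securityEnforcer = securityEnforcer;
    }

    /**
     * Coarse decision: is it worth rendering the "edit" control at all?
     * This check ignores object/target qualification and DENY authorizations,
     * so a true result must never be treated as permission to modify anything.
     */
    public boolean mayShowEditControl(String modifyActionUrl) {
        // phase is declared @Nullable on this method; null is passed to avoid narrowing by phase.
        return securityEnforcer.hasAnyAllowAuthorization(List.of(modifyActionUrl), null);
    }

    /** Precise decision, evaluated against the concrete object right before the change. */
    public <O extends ObjectType, T extends ObjectType> void applyChange(
            String modifyActionUrl,
            AuthorizationParameters<O, T> params, // built by the caller for the object being modified
            OwnerResolver ownerResolver,
            Runnable change,                      // hypothetical: the actual modification
            Task task, OperationResult result)
            throws SecurityViolationException, SchemaException, ObjectNotFoundException,
                   ExpressionEvaluationException, CommunicationException, ConfigurationException {
        // null phase: all phases are checked. When the user is not authorized this throws
        // SecurityViolationException and records the error in result, so change never runs.
        securityEnforcer.authorize(modifyActionUrl, null, params, ownerResolver, task, result);
        change.run();
    }
}
```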
-
decideAccess
<O extends ObjectType,T extends ObjectType> AccessDecision decideAccess(MidPointPrincipal principal, Collection<String> requiredActions, AuthorizationParameters<O,T> params, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Simple access control decision similar to that used by Spring Security. It is practically applicable for REST authorization with user from 'switch-to-principal' in parameters. However, it supports authorization hierarchies. Therefore the ordering of elements in required actions is important.
-
failAuthorization
<O extends ObjectType,T extends ObjectType> void failAuthorization(String operationUrl, AuthorizationPhaseType phase, AuthorizationParameters<O,T> params, OperationResult result) throws SecurityViolationException
Produces authorization error with proper message and logs it using proper logger.
Throws:
SecurityViolationException
-
isAuthorized
<O extends ObjectType,T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase, AuthorizationParameters<O,T> params, OwnerResolver ownerResolver, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Returns true if the currently logged-in user is authorized for specified action, returns false otherwise. Does not throw SecurityViolationException.
Parameters:
phase - check authorization for a specific phase. If null then all phases are checked.
Throws:
SchemaException
ObjectNotFoundException
ExpressionEvaluationException
CommunicationException
ConfigurationException
SecurityViolationException
-
authorize
<O extends ObjectType,T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase, AuthorizationParameters<O,T> params, OwnerResolver ownerResolver, Task task, OperationResult result) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException
Evaluates authorization: simply returns if the currently logged-in user is authorized for a specified action. If the user is not authorized then a SecurityViolationException is thrown and the error is recorded in the result.
Parameters:
phase - check authorization for a specific phase. If null then all phases are checked.
Throws:
SecurityViolationException
SchemaException
ObjectNotFoundException
ExpressionEvaluationException
CommunicationException
ConfigurationException
-
authorize
default void authorize(String operationUrl, Task task, OperationResult result) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException
Convenience variant of authorize(String, AuthorizationPhaseType, AuthorizationParameters, OwnerResolver, Task, OperationResult) that is to be used when there is no object, target, nor other parameters.
-
authorizeAll
@Experimental default void authorizeAll(Task task, OperationResult result) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException
-
getMidPointPrincipal
MidPointPrincipal getMidPointPrincipal()
-
compileSecurityConstraints
<O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object, boolean fullInformationAvailable, OwnerResolver ownerResolver, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
-
preProcessObjectFilter
<T extends ObjectType,O extends ObjectType> ObjectFilter preProcessObjectFilter(String[] operationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, PrismObject<O> object, ObjectFilter origFilter, String limitAuthorizationAction, List<OrderConstraintsType> paramOrderConstraints, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Returns a filter that applies to all the objects/targets for which the principal is authorized. E.g. it can return a filter of all assignable roles for a principal. In that case #assign authorization is used, and object is the user which should hold the assignment.
If it returns NoneFilter then no search should be done: the principal is not authorized for this operation at all. It may return null in case that the original filter was also null.
If object is null then the method will return a filter that is applicable to look for an object. If object is present then the method will return a filter that is applicable to look for a target.
The objectType parameter defines the class of the object for which the returned filter should be applicable.
Parameters:
limitAuthorizationAction - only consider authorizations that are not limited with respect to this action. If null then all authorizations are considered.
Throws:
SchemaException
ObjectNotFoundException
ExpressionEvaluationException
CommunicationException
ConfigurationException
SecurityViolationException
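One way a caller can honor the three documented outcomes of preProcessObjectFilter (NoneFilter, null, or a narrowed filter), shown as an added example rather than midPoint's own code. The class name and the searcher callback are hypothetical, passing null for phase and paramOrderConstraints is an assumption, and midPoint imports are left out because this page does not list the packages of the types it names.

```java
// midPoint imports omitted: the page names these types but not their packages.
import java.util.Collections;
import java.util.List;
import java.util.function.Function;

/** Added illustration: apply the security filter before any search is issued. */
public class AuthorizedSearch {

    private final SecurityEnforcer securityEnforcer;

    public AuthorizedSearch(SecurityEnforcer securityEnforcer) {
        this.securityEnforcer = securityEnforcer;
    }

    public <T extends ObjectType> List<PrismObject<T>> search(
            String[] operationUrls, Class<T> type, ObjectFilter origFilter,
            Function<ObjectFilter, List<PrismObject<T>>> searcher, // hypothetical search back end
            Task task, OperationResult result)
            throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
                   CommunicationException, ConfigurationException, SecurityViolationException {

        // object == null: the returned filter is for looking up objects, not targets.
        // limitAuthorizationAction == null: all authorizations are considered.
        // phase == null and paramOrderConstraints == null are assumptions of this example.
        ObjectFilter secFilter = securityEnforcer.preProcessObjectFilter(
                operationUrls, null, type, null, origFilter, null, null, task, result);

        if (secFilter instanceof NoneFilter) {
            // The principal is not authorized for this operation at all: do not search.
            return Collections.emptyList();
        }
        if (secFilter == null && origFilter != null) {
            // The page allows a null result only when the original filter was null.
            // Anything else is treated as an error here instead of searching unfiltered.
            throw new SecurityViolationException("Security filter missing for a filtered search");
        }
        // Always hand the processed filter to the back end, never origFilter.
        return searcher.apply(secFilter);
    }
}
```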
-
canSearch
<T extends ObjectType,O extends ObjectType> boolean canSearch(String[] operationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, PrismObject<O> object, boolean includeSpecial, ObjectFilter filter, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Question: does object make any sense here? E.g. when searching role members, the role OID should be determined from the query.
Parameters:
includeSpecial - include special authorizations such as "self"
Throws:
SchemaException
ObjectNotFoundException
ExpressionEvaluationException
CommunicationException
ConfigurationException
SecurityViolationException
-
computeSecurityFilter
<T extends ObjectType,O extends ObjectType,F> F computeSecurityFilter(MidPointPrincipal principal, String[] operationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, PrismObject<O> object, ObjectFilter origFilter, String limitAuthorizationAction, List<OrderConstraintsType> paramOrderConstraints, FilterGizmo<F> gizmo, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
-
getAllowedRequestAssignmentItems
<O extends ObjectType,R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String operationUrl, PrismObject<O> object, PrismObject<R> target, OwnerResolver ownerResolver, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Returns decisions for individual items for "assign" authorization. This is usually applicable to assignment parameters.
-
createDonorPrincipal
<F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal attorneyPrincipal, String attorneyAuthorizationAction, PrismObject<F> donor, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
-
determineSubitemDecision
<O extends ObjectType> AccessDecision determineSubitemDecision(ObjectSecurityConstraints securityConstraints, ObjectDelta<O> delta, PrismObject<O> currentObject, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath)
-
determineSubitemDecision
<C extends Containerable> AccessDecision determineSubitemDecision(ObjectSecurityConstraints securityConstraints, PrismContainerValue<C> containerValue, String operationUrl, AuthorizationPhaseType phase, ItemPath subitemRootPath, PlusMinusZero plusMinusZero, String decisionContextDesc)