Interface SecurityEnforcer
public interface SecurityEnforcer
Answers questions about authorizations, for example whether a user is authorized to do something.
Author: Radovan Semancik

Nested Class Summary
- static interface: A sink for authorization/selector evaluation messages.
- static final record
Method Summary
- default void authorize(@NotNull String operationUrl, @NotNull Task task, @NotNull OperationResult result)
  Convenience variant of authorize(String, AuthorizationPhaseType, AbstractAuthorizationParameters, Task, OperationResult) that is to be used when there is no object, target, nor other parameters.
- default void authorize(@NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result)
  Evaluates authorization: simply returns if the currently logged-in user is authorized for the specified action.
- default void authorize(@NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull Task task, @NotNull OperationResult result)
  Convenience variant of authorize(String, AuthorizationPhaseType, AbstractAuthorizationParameters, Options, Task, OperationResult) with the default options.
- default void authorizeAll(Task task, OperationResult result)
- PrismEntityOpConstraints.ForValueContent compileOperationConstraints(@Nullable MidPointPrincipal principal, @NotNull PrismObjectValue<?> value, @Nullable AuthorizationPhaseType phase, @NotNull String[] actionUrls, @NotNull SecurityEnforcer.Options enforcerOptions, @NotNull CompileConstraintsOptions compileConstraintsOptions, @NotNull Task task, @NotNull OperationResult result)
  Compiles the security constraints related to the given `actionUrls` and `phase` for a given principal against the `object`.
- <O extends ObjectType> @NotNull ObjectSecurityConstraints compileSecurityConstraints(@NotNull PrismObject<O> object, boolean fullInformationAvailable, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result)
  Compiles the relevant security constraints (ObjectSecurityConstraints) for the current principal against the given `object`.
- <T extends ObjectType, O extends ObjectType, F> F computeTargetSecurityFilter(MidPointPrincipal principal, String[] operationUrls, @NotNull String[] searchByOperationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, @NotNull PrismObject<O> object, ObjectFilter origFilter, String limitAuthorizationAction, List<OrderConstraintsType> paramOrderConstraints, FilterGizmo<F> gizmo, Task task, OperationResult result)
  Similar to preProcessObjectFilter(MidPointPrincipal, String[], String[], AuthorizationPhaseType, Class, ObjectFilter, String, List, Options, Task, OperationResult) but deals with the target-related authorization statements, not object-related ones.
- <F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal attorneyPrincipal, String attorneyAuthorizationAction, PrismObject<F> donor, Task task, OperationResult result)
  TODO describe
- @NotNull AccessDecision decideAccess(@Nullable MidPointPrincipal principal, @NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result)
  General access-decision method.
- default <O extends ObjectType, T extends ObjectType> @NotNull AccessDecision decideAccess(@Nullable MidPointPrincipal principal, @NotNull Collection<String> operationUrls, @NotNull AuthorizationParameters<O, T> params, @NotNull Task task, @NotNull OperationResult result)
  Simple access control decision similar to that used by Spring Security.
- default @NotNull AccessDecision decideAccess(@Nullable MidPointPrincipal principal, @NotNull Collection<String> operationUrls, @NotNull Task task, @NotNull OperationResult result)
  Simplified version of decideAccess(MidPointPrincipal, Collection, AuthorizationParameters, Task, OperationResult).
- <O extends ObjectType> AccessDecision determineItemDecision(@NotNull ObjectSecurityConstraints securityConstraints, @NotNull ObjectDelta<O> delta, PrismObject<O> currentObject, @NotNull String operationUrl, @NotNull AuthorizationPhaseType phase, @NotNull ItemPath itemPath)
  Determines the access to the given item (e.g. `assignment`) of the given object.
- <C extends Containerable> AccessDecision determineItemValueDecision(@NotNull ObjectSecurityConstraints securityConstraints, @NotNull PrismContainerValue<C> containerValue, @NotNull String operationUrl, @NotNull AuthorizationPhaseType phase, boolean consideringCreation, @NotNull String decisionContextDesc)
  Determines the access to the given value (`containerValue`) carrying e.g. an assignment.
- void failAuthorization(String operationUrl, AuthorizationPhaseType phase, AbstractAuthorizationParameters params, OperationResult result)
  Produces an authorization error with a proper message and logs it using the proper logger.
- <O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String operationUrl, PrismObject<O> object, PrismObject<R> target, Task task, OperationResult result)
  Returns decisions for individual items for the "assign" authorization.
- @Nullable MidPointPrincipal getMidPointPrincipal()
  Obtains the currently logged-in principal, if it is of MidPointPrincipal type.
- default boolean hasAnyAllowAuthorization(@NotNull List<String> actions, @Nullable AuthorizationPhaseType phase)
  Checks if the currently logged-in user is authorized for any of the specified actions.
- default boolean isAuthorized(@NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result)
  Returns `true` if the currently logged-in user is authorized for the specified action (represented by `operationUrl`), `false` otherwise.
- default boolean isAuthorizedAll(@NotNull Task task, @NotNull OperationResult result)
- <T> @Nullable ObjectFilter preProcessObjectFilter(@Nullable MidPointPrincipal principal, @NotNull String[] operationUrls, @NotNull String[] searchByOperationUrls, @Nullable AuthorizationPhaseType phase, @NotNull Class<T> filterType, @Nullable ObjectFilter origFilter, @Nullable String limitAuthorizationAction, @NotNull List<OrderConstraintsType> paramOrderConstraints, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result)
  Returns a filter that covers all the objects for which the principal is authorized to apply `operationUrls`.

Method Details

decideAccess
@NotNull AccessDecision decideAccess(@Nullable MidPointPrincipal principal, @NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
General access-decision method. Determines whether the given `operationUrl` (in the specified `phase`, with `params`) is allowed for the given `principal`.

isAuthorized
default boolean isAuthorized(@NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Returns `true` if the currently logged-in user is authorized for the specified action (represented by `operationUrl`), `false` otherwise. Does not throw SecurityViolationException when the user is not authorized. (It may still throw that exception, e.g. if the authority cannot be determined because of some deeper security error.)
Parameters:
- phase - check authorization for a specific phase. If null, all phases are checked.
Throws:
- SchemaException
- ObjectNotFoundException
- ExpressionEvaluationException
- CommunicationException
- ConfigurationException
- SecurityViolationException

isAuthorizedAll
default boolean isAuthorizedAll(@NotNull Task task, @NotNull OperationResult result) throws SchemaException, ExpressionEvaluationException, CommunicationException, SecurityViolationException, ConfigurationException, ObjectNotFoundException

hasAnyAllowAuthorization
default boolean hasAnyAllowAuthorization(@NotNull List<String> actions, @Nullable AuthorizationPhaseType phase)
Checks if the currently logged-in user is authorized for any of the specified actions. BEWARE: only for preliminary/coarse-grained decisions! Use only when followed by more precise authorization checks. For example, it ignores any object or target qualification, DENY authorizations, and so on.

decideAccess
default <O extends ObjectType, T extends ObjectType> @NotNull AccessDecision decideAccess(@Nullable MidPointPrincipal principal, @NotNull Collection<String> operationUrls, @NotNull AuthorizationParameters<O, T> params, @NotNull Task task, @NotNull OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Simple access control decision similar to that used by Spring Security. It is usable for parametric cases, for example REST login using a proxy user ("switch-to-principal"). Checks multiple actions (operation URLs):
- If any of the operations fails the authorization (its decision is AccessDecision.DENY), the overall outcome is also AccessDecision.DENY.
- If any of the operations results in AccessDecision.ALLOW, the result is AccessDecision.ALLOW.
- Otherwise (i.e., if all operations are AccessDecision.DEFAULT), the result is AccessDecision.DEFAULT.
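Added example, not midPoint code: a plain-Python model of the three-rule combination documented for the Collection<String> variant of decideAccess, with the coarse hasAnyAllowAuthorization check beside it to show why the Javadoc insists it be followed by a precise check. The authorization list, the operation URLs and the object type names are constructed placeholders.

```python
"""Model of the SecurityEnforcer.decideAccess combination rule (added example,
not midPoint code). Per-action decisions are DENY-overrides; across several
operation URLs: any DENY -> DENY, else any ALLOW -> ALLOW, else DEFAULT."""
from enum import Enum


class AccessDecision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    DEFAULT = "default"


# Constructed placeholder operation URLs (not real midPoint authorization URLs).
READ = "http://example.org/autz#read"
MODIFY = "http://example.org/autz#modify"
DELETE = "http://example.org/autz#delete"

# Constructed sample authorizations: (decision, action URL, object type the
# authorization is limited to, or None for "any object").
SAMPLE_AUTHORIZATIONS = [
    (AccessDecision.ALLOW, READ, None),
    (AccessDecision.ALLOW, MODIFY, "UserType"),
    (AccessDecision.DENY, MODIFY, "RoleType"),
]


def decide_single(operation_url, object_type, authorizations=SAMPLE_AUTHORIZATIONS):
    """Precise decision for one action against one object type: an applicable
    DENY overrides any ALLOW; no applicable authorization at all is DEFAULT."""
    decision = AccessDecision.DEFAULT
    for d, url, limited_to in authorizations:
        if url != operation_url or (limited_to is not None and limited_to != object_type):
            continue  # authorization does not apply to this action/object
        if d is AccessDecision.DENY:
            return AccessDecision.DENY
        decision = AccessDecision.ALLOW
    return decision


def decide_access(operation_urls, object_type, authorizations=SAMPLE_AUTHORIZATIONS):
    """The documented multi-action rule: DENY wins, then ALLOW, else DEFAULT."""
    decisions = [decide_single(u, object_type, authorizations) for u in operation_urls]
    if AccessDecision.DENY in decisions:
        return AccessDecision.DENY
    if AccessDecision.ALLOW in decisions:
        return AccessDecision.ALLOW
    return AccessDecision.DEFAULT


def has_any_allow_authorization(actions, authorizations=SAMPLE_AUTHORIZATIONS):
    """Coarse check as documented: looks only for an ALLOW on one of the
    actions, ignoring object qualification and DENY authorizations entirely."""
    return any(d is AccessDecision.ALLOW and url in actions for d, url, _ in authorizations)
```

The coarse check reports True for MODIFY while the precise decision for a RoleType is DENY, which is exactly the gap the BEWARE note above warns about.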
decideAccess
default @NotNull AccessDecision decideAccess(@Nullable MidPointPrincipal principal, @NotNull Collection<String> operationUrls, @NotNull Task task, @NotNull OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Simplified version of decideAccess(MidPointPrincipal, Collection, AuthorizationParameters, Task, OperationResult). It is practically applicable only for simple (non-parametric) cases such as access to GUI pages.

authorize
default void authorize(@NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException
Evaluates authorization: simply returns if the currently logged-in user is authorized for the specified action. If the user is not authorized, a SecurityViolationException is thrown and the error is recorded in the result.
Parameters:
- phase - check authorization for a specific phase. If null, all phases are checked.
Throws:
- SecurityViolationException
- SchemaException
- ObjectNotFoundException
- ExpressionEvaluationException
- CommunicationException
- ConfigurationException

authorize
default void authorize(@NotNull String operationUrl, @Nullable AuthorizationPhaseType phase, @NotNull AbstractAuthorizationParameters params, @NotNull Task task, @NotNull OperationResult result) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException
Convenience variant of authorize(String, AuthorizationPhaseType, AbstractAuthorizationParameters, Options, Task, OperationResult) with the default options.

authorize
default void authorize(@NotNull String operationUrl, @NotNull Task task, @NotNull OperationResult result) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException
Convenience variant of authorize(String, AuthorizationPhaseType, AbstractAuthorizationParameters, Task, OperationResult) that is to be used when there is no object, target, nor other parameters.

authorizeAll
default void authorizeAll(Task task, OperationResult result) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException

failAuthorization
@Contract("_, _, _, _ -> fail") void failAuthorization(String operationUrl, AuthorizationPhaseType phase, AbstractAuthorizationParameters params, OperationResult result) throws SecurityViolationException
Produces an authorization error with a proper message and logs it using the proper logger.
Throws:
- SecurityViolationException

getMidPointPrincipal
@Nullable MidPointPrincipal getMidPointPrincipal()
Obtains the currently logged-in principal, if it is of MidPointPrincipal type.
See Also:
- SecurityContext.getAuthentication()

compileSecurityConstraints
<O extends ObjectType> @NotNull ObjectSecurityConstraints compileSecurityConstraints(@NotNull PrismObject<O> object, boolean fullInformationAvailable, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Compiles the relevant security constraints (ObjectSecurityConstraints) for the current principal against the given `object`. Returns a map-like object (indexed by operation and phase) covering all operations defined for the object.

compileOperationConstraints
PrismEntityOpConstraints.ForValueContent compileOperationConstraints(@Nullable MidPointPrincipal principal, @NotNull PrismObjectValue<?> value, @Nullable AuthorizationPhaseType phase, @NotNull String[] actionUrls, @NotNull SecurityEnforcer.Options enforcerOptions, @NotNull CompileConstraintsOptions compileConstraintsOptions, @NotNull Task task, @NotNull OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Compiles the security constraints related to the given `actionUrls` and `phase` for a given principal against the `object`. So, unlike compileSecurityConstraints(PrismObject, boolean, Options, Task, OperationResult), it is focused on a given operation, usually `#get`, `#search`, or `#read`. Note that the `value` is currently always a PrismObjectValue. In the future we may lift this restriction and allow arbitrary PrismValue instances here, but the current restriction keeps the application of authorizations to these values simpler.

preProcessObjectFilter
<T> @Nullable ObjectFilter preProcessObjectFilter(@Nullable MidPointPrincipal principal, @NotNull String[] operationUrls, @NotNull String[] searchByOperationUrls, @Nullable AuthorizationPhaseType phase, @NotNull Class<T> filterType, @Nullable ObjectFilter origFilter, @Nullable String limitAuthorizationAction, @NotNull List<OrderConstraintsType> paramOrderConstraints, @NotNull SecurityEnforcer.Options options, @NotNull Task task, @NotNull OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Returns a filter that covers all the objects for which the principal is authorized to apply `operationUrls`. The `filterType` parameter defines the class of objects to which the returned filter should be applicable. When used for a search: if this method returns NoneFilter, no search should be done, because the principal is not authorized for that operation at all. It may return null if the original filter was also null.
Parameters:
- limitAuthorizationAction - only consider authorizations that are not limited with respect to this action. If `null`, all authorizations are considered.
Throws:
- SchemaException
- ObjectNotFoundException
- ExpressionEvaluationException
- CommunicationException
- ConfigurationException
- SecurityViolationException

computeTargetSecurityFilter
<T extends ObjectType, O extends ObjectType, F> F computeTargetSecurityFilter(MidPointPrincipal principal, String[] operationUrls, @NotNull String[] searchByOperationUrls, AuthorizationPhaseType phase, Class<T> searchResultType, @NotNull PrismObject<O> object, ObjectFilter origFilter, String limitAuthorizationAction, List<OrderConstraintsType> paramOrderConstraints, FilterGizmo<F> gizmo, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Similar to preProcessObjectFilter(MidPointPrincipal, String[], String[], AuthorizationPhaseType, Class, ObjectFilter, String, List, Options, Task, OperationResult) but deals with the target-related authorization statements, not object-related ones. The `object` is the object we are looking for targets for. Typical use: it can return a filter of all roles assignable by a principal. In that case the `#assign` authorization is used, and the object is the user which should hold the assignment.

getAllowedRequestAssignmentItems
<O extends ObjectType, R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(MidPointPrincipal midPointPrincipal, String operationUrl, PrismObject<O> object, PrismObject<R> target, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
Returns decisions for individual items for the "assign" authorization. This is usually applicable to assignment parameters.

createDonorPrincipal
<F extends FocusType> MidPointPrincipal createDonorPrincipal(MidPointPrincipal attorneyPrincipal, String attorneyAuthorizationAction, PrismObject<F> donor, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException
TODO describe

determineItemDecision
<O extends ObjectType> AccessDecision determineItemDecision(@NotNull ObjectSecurityConstraints securityConstraints, @NotNull ObjectDelta<O> delta, PrismObject<O> currentObject, @NotNull String operationUrl, @NotNull AuthorizationPhaseType phase, @NotNull ItemPath itemPath)
Determines the access to the given item (e.g. `assignment`) of the given object. Uses pre-computed security constraints. The `phase` is marked as not null because this is how it is currently used; this keeps the code simpler. It can be made nullable in the future, if needed. TODO what is the role of `currentObject` w.r.t. `securityConstraints`?

determineItemValueDecision
<C extends Containerable> AccessDecision determineItemValueDecision(@NotNull ObjectSecurityConstraints securityConstraints, @NotNull PrismContainerValue<C> containerValue, @NotNull String operationUrl, @NotNull AuthorizationPhaseType phase, boolean consideringCreation, @NotNull String decisionContextDesc)
Determines the access to the given value (`containerValue`) carrying e.g. an assignment. It is assumed that the value is part of the object, so it has its own "item path". Operation URL and phase are used to determine the access from `securityConstraints`.