From 236591ea919063321d6f58274105801f33ab4684 Mon Sep 17 00:00:00 2001 From: Radovan Semancik Date: Mon, 13 Mar 2017 19:34:16 +0100 Subject: [PATCH 1/4] Fixing orgRelation autohorization in case of multiple relations to multiple orgs.
---
 .../midpoint/model/intest/TestSecurity.java | 104 ++++++++++++++++++ .../security/impl/SecurityEnforcerImpl.java | 2 +- 2 files changed, 105 insertions(+), 1 deletion(-)
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
index ed0fbe613fe..7b35bbe050c 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -1559,6 +1559,108 @@ public void test242AutzJackManagerFullControlManagerMinistryOfRum() throws Excep
 assertGlobalStateUntouched();
 }
+ @Test
+ public void test246AutzJackManagerFullControlManagerMinistryOfRumAndDefense() throws Exception {
+ final String TEST_NAME = "test246AutzJackManagerFullControlManagerMinistryOfRumAndDefense";
+ TestUtil.displayTestTile(this, TEST_NAME);
+ // GIVEN
+ cleanupAutzTest(USER_JACK_OID);
+
+ assignRole(USER_JACK_OID, ROLE_MANAGER_FULL_CONTROL_OID);
+ assignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, SchemaConstants.ORG_MANAGER);
+ assignOrg(USER_JACK_OID, ORG_MINISTRY_OF_DEFENSE_OID, SchemaConstants.ORG_MANAGER);
+ assignAccount(USER_JACK_OID, RESOURCE_DUMMY_OID, null);
+
+ // precondition
+ PrismObject elaineShadow = getObject(ShadowType.class, ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
+ assertNotNull(elaineShadow);
+ display("Elaine's shadow", elaineShadow);
+
+ login(USER_JACK_USERNAME);
+
+ // WHEN
+ TestUtil.displayWhen(TEST_NAME);
+
+ assertGetAllow(UserType.class, USER_JACK_OID);
+ assertGetAllow(UserType.class, USER_JACK_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
+ assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
+ assertGetDeny(UserType.class, USER_GUYBRUSH_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
+
+ assertSearch(UserType.class, null, 4);
+ assertSearch(UserType.class, createNameQuery(USER_JACK_USERNAME), 1);
+ assertSearch(UserType.class, createNameQuery(USER_JACK_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 1);
+ assertSearch(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), 0);
+ assertSearch(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 0);
+
+ assertAddDeny();
+
+ assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
+ assertModifyAllowOptions(UserType.class, USER_JACK_OID, 
UserType.F_HONORIFIC_SUFFIX, ModelExecuteOptions.createRaw(), PrismTestUtil.createPolyString("CSc"));
+ assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
+
+ assertDeleteDeny();
+
+ assertGetAllow(UserType.class, userRumRogersOid);
+ assertModifyAllow(UserType.class, userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
+ assertGetAllow(UserType.class, userCobbOid); // Cobb is in Scumm Bar, transitive descendant of Ministry of Rum
+ assertAddAllow(USER_MANCOMB_FILE);
+
+ PrismObject user = getUser(USER_JACK_OID);
+ String accountOid = getSingleLinkOid(user);
+ assertGetAllow(ShadowType.class, accountOid);
+ PrismObject shadow = getObject(ShadowType.class, accountOid);
+ display("Jack's shadow", shadow);
+
+ assertGetDeny(ShadowType.class, ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
+
+ assertVisibleUsers(5);
+
+ assertGetAllow(OrgType.class, ORG_MINISTRY_OF_RUM_OID);
+ assertSearch(OrgType.class, null, 3);
+
+ assertModifyDeny(OrgType.class, ORG_MINISTRY_OF_RUM_OID, OrgType.F_DESCRIPTION, "blababla");
+ assertModifyAllow(OrgType.class, ORG_SCUMM_BAR_OID, OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
+
+ assignAccount(USER_ESTEVAN_OID, RESOURCE_DUMMY_OID, null);
+
+ PrismObject userEstevan = getUser(USER_ESTEVAN_OID);
+ String accountEstevanOid = getSingleLinkOid(userEstevan);
+ assertGetAllow(ShadowType.class, accountEstevanOid);
+ PrismObject shadowEstevan = getObject(ShadowType.class, accountEstevanOid);
+ display("Estevan shadow", shadowEstevan);
+
+ // MID-2822
+
+ Task task = taskManager.createTaskInstance(TestSecurity.class.getName() + "." 
+ TEST_NAME);
+ OperationResult result = task.getResult();
+
+ ObjectQuery query = ObjectQuery.createObjectQuery(
+ ObjectQueryUtil.createResourceAndObjectClassFilter(RESOURCE_DUMMY_OID,
+ new QName(RESOURCE_DUMMY_NAMESPACE, "AccountObjectClass"), prismContext));
+
+ // When finally fixed is should be like this:
+// assertSearch(ShadowType.class, query, 2);
+
+ try {
+
+ modelService.searchObjects(ShadowType.class, query, null, task, result);
+
+ AssertJUnit.fail("unexpected success");
+
+ } catch (SchemaException e) {
+ // This is expected. The authorizations will mix on-resource and off-resource search.
+ display("Expected exception", e);
+ }
+ result.computeStatus();
+ TestUtil.assertFailure(result);
+
+
+ assertDeleteAllow(UserType.class, USER_ESTEVAN_OID);
+
+ assertVisibleUsers(4);
+
+ assertGlobalStateUntouched();
+ }
 @Test public void test250AutzJackSelfAccountsRead() throws Exception {
@@ -3234,6 +3336,8 @@ private void cleanupAutzTest(String userOid) throws ObjectNotFoundException, Sch
 unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, SchemaConstants.ORG_MANAGER, task, result);
 unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result);
+ unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_DEFENSE_OID, SchemaConstants.ORG_MANAGER, task, result);
+ unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_DEFENSE_OID, null, task, result);
 }
 private void cleanupAdd(File userLargoFile, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException, IOException {
diff --git a/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java b/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
index 52d58bea722..5f81896e7f7 100644
--- a/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
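Review bot: The only evidence in test246 that the Ministry of Defense subtree is now in scope is count-based — `assertSearch(UserType.class, null, 4)`, `assertVisibleUsers(5)` and `assertSearch(OrgType.class, null, 3)` — while every by-OID allow in the hunk (`userRumRogersOid`, `userCobbOid`, `ORG_SCUMM_BAR_OID`) still targets the Ministry of Rum subtree, so a filter that ORed in the wrong org but happened to return the same number of objects would pass. Add a by-OID read and modify allow for a user and an org under Ministry of Defense next to the Rum ones (the class presumably has fixtures for that org as it does for Rum), and keep the `USER_GUYBRUSH_OID` deny as the out-of-scope control. The `catch (SchemaException e)` block makes the MID-2822 failure the test oracle, with only the commented-out `assertSearch(ShadowType.class, query, 2)` recording the intended assertion; a comment above `try {` such as `// TODO MID-2822: replace the expected SchemaException with assertSearch(ShadowType.class, query, 2) once mixed on/off-resource authorization search is supported` would stop it reading as desired behaviour. `AssertJUnit.fail(...)` inside the `try` throws an AssertionError that the SchemaException catch does not swallow, which is correct.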
+++ b/repo/security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
@@ -965,7 +965,7 @@ private ObjectFilter preProcessObje
 if (BooleanUtils.isTrue(specOrgRelation.isIncludeReferenceOrg())) {
 q2 = q2.or().id(subjectParentOrgRef.getOid());
 }
- objSpecOrgRelationFilter = ObjectQueryUtil.filterAnd(objSpecOrgRelationFilter, q2.buildFilter());
+ objSpecOrgRelationFilter = ObjectQueryUtil.filterOr(objSpecOrgRelationFilter, q2.buildFilter());
 }
 }
 if (objSpecOrgRelationFilter == null) {
From ec343a2081b019c08dcac90a97f472b74579b63c Mon Sep 17 00:00:00 2001 From: Radovan Semancik Date: Mon, 13 Mar 2017 19:37:40 +0100 Subject: [PATCH 2/4] Permission to read workflow status of tasks
---
 .../resources/initial-objects/040-role-enduser.xml | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml b/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
index 74751a64b26..7eebc299b9a 100644
--- a/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
+++ b/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
@@ -160,5 +160,19 @@ ServiceType + + assignment-target-read-task + + Authorization that allows to read workflow status of tasks. This is used to display requests + to the end users, especially in the "My Requests" box in user dashboard. + This authorization is a temporary solution. It will be replaced by a finer-grained + permissions in the future. + + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + + TaskType + + workflowContext + system
\ No newline at end of file
From 95bb45451b28331c64c40a9db6659885fdb74ae0 Mon Sep 17 00:00:00 2001 From: Radovan Semancik Date: Mon, 13 Mar 2017 19:38:14 +0100 Subject: [PATCH 3/4] Improved Evolveum sample
---
 samples/evolveum/org-users.xml | 3 +++ 1 file changed, 3 insertions(+)
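Review bot: Changing the accumulator on the `+` line from `filterAnd` to `filterOr` widens the selector to objects under any of the subject's matching parent orgs, which is what the accompanying test relies on, but it is a fail-open change with no comment; I would add `// A subject may have several parent orgs with the matching relation; the object is in scope if it is under ANY of them, hence OR (AND required it to be under all of them).` above the assignment. With OR, the check that decides which `subjectParentOrgRef` enters this loop becomes load-bearing — a ref admitted by mistake (a plain membership rather than the spec's relation, say) now adds scope instead of removing it — so please confirm that check, which sits outside the hunk, compares the ref's relation against the spec's subject relation. Worth a look too that `ObjectQueryUtil.filterOr(null, f)` yields `f` as `filterAnd(null, f)` presumably did, since the accumulator starts as null and a null-handling difference would make the first iteration match nothing or everything. The enclosing method `preProcessObje…` starts and ends outside the hunk.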
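Review bot: The new `assignment-target-read-task` authorization grants holders of the End user role `#read` on the `workflowContext` item of `TaskType` with no object filter visible in the hunk (the XML tags are stripped in this view, so a selector may be hidden), which would let any end user read the workflow state — requester, approvers, decisions — of every user's requests, not only those shown in their own "My Requests" box. If the object selector supports an owner- or requester-based clause for tasks, scope the authorization to tasks the subject created; if it does not, the description should state the exposure plainly rather than only that it is temporary, e.g. `This grants read access to the workflow context of ALL tasks in the system, including other users' requests; tighten or remove it once finer-grained authorizations exist.` The description's wording also needs a touch: `allows to read` → `allows reading`, and `by a finer-grained permissions` → `by finer-grained permissions`.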
diff --git a/samples/evolveum/org-users.xml b/samples/evolveum/org-users.xml index 309fd236bf5..76193d03e01 100644 --- a/samples/evolveum/org-users.xml +++ b/samples/evolveum/org-users.xml @@ -24,6 +24,9 @@ Manager Role for organizational unit managers. Allows delegated administration. + + + gui-access http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll From 7a3594c0472ba06a3fa254e8f6042e2824a8255f Mon Sep 17 00:00:00 2001 From: Radovan Semancik Date: Mon, 13 Mar 2017 20:03:10 +0100 Subject: [PATCH 4/4] making samples schema-compliant --- samples/evolveum/role-catalog.xml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/samples/evolveum/role-catalog.xml b/samples/evolveum/role-catalog.xml index 6b2536f9e26..f864c3f2ca0 100644 --- a/samples/evolveum/role-catalog.xml +++ b/samples/evolveum/role-catalog.xml @@ -144,8 +144,8 @@ - true + application @@ -198,8 +198,8 @@ - true + application @@ -213,8 +213,8 @@ - true + application @@ -224,8 +224,8 @@ - true + application @@ -255,8 +255,8 @@ - true + application @@ -266,8 +266,8 @@ - true + application @@ -287,8 +287,8 @@ - true + application @@ -298,8 +298,8 @@ - true + application @@ -319,8 +319,8 @@ - true + application