Commit
Improve authorization for filter items
In order to evaluate a filter, one has to be authorized to access items (and their values) used for filter evaluation. The support for this feature was present but a bit incomplete. "Deny" authorizations were not taken into account, and authorizations for unrelated types (required e.g. by the referencedBy filter) were ignored. This commit partially fixes that: "deny" authorizations are now supported in the same way as "allow" ones, and some filter items are checked, at least at a rudimentary level. To be improved later. (Also adding forgotten TestExpressionProfiles to test suite.) Related to MID-9638 and MID-9670.
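The item-level rule the commit message describes (a principal may run a filter only if it may read every item the filter touches, deny authorizations count, and a `referencedBy` clause drags in items of another object type) as an added, stand-alone Python model. This is example code written for this page, not midPoint's own Java implementation: the `Authorization` dataclass, the dictionary shape of the filters and the prefix semantics of item paths are assumptions chosen to illustrate the behaviour, and the principal's authorizations are constructed to match the deny role added in this commit.

```python
"""Added example: a small model of item-level authorization for search filters.
Not midPoint code; the data structures below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class Authorization:
    """Mirrors the fields used in the role XML: decision, action, object type, items."""
    decision: str                          # "allow" or "deny"
    action: str                            # e.g. "read"
    object_type: str                       # e.g. "UserType"
    items: frozenset = frozenset()         # empty means every item of the object


def covers(auth: Authorization, item: str) -> bool:
    """An item list covers an item path and every sub-path of it
    (denying "assignment" also denies "assignment/targetRef")."""
    if not auth.items:
        return True
    return any(item == p or item.startswith(p + "/") for p in auth.items)


def item_readable(auths, action: str, object_type: str, item: str) -> bool:
    """True only if some allow covers the item and no deny covers it.
    Deny wins regardless of the order in which authorizations are listed."""
    allowed = False
    for a in auths:
        if a.action != action or a.object_type != object_type or not covers(a, item):
            continue
        if a.decision == "deny":
            return False
        allowed = True
    return allowed


def filter_items(clause: dict, object_type: str) -> Iterator[tuple]:
    """Yield (object type, item path) pairs the filter reads. Logical clauses
    recurse; a referencedBy clause switches to the referencing object type,
    which is why authorizations on "unrelated" types matter."""
    kind = clause["kind"]
    if kind in ("and", "or"):
        for sub in clause["clauses"]:
            yield from filter_items(sub, object_type)
    elif kind == "not":
        yield from filter_items(clause["clause"], object_type)
    elif kind in ("equal", "ref"):
        yield object_type, clause["item"]
    elif kind == "referencedBy":
        yield clause["type"], clause["path"]
        yield from filter_items(clause["filter"], clause["type"])
    else:
        raise ValueError(f"unsupported filter clause: {kind!r}")


def denied_filter_items(auths, action, object_type, clause):
    """Items the filter needs that the principal may not read; empty list = filter may run."""
    return sorted({(t, i) for t, i in filter_items(clause, object_type)
                   if not item_readable(auths, action, t, i)})


# Constructed principal: full read on users, minus the two items denied by the
# role-deny-read-assignment-and-roleMembershipRef role shown in this commit.
PRINCIPAL_AUTHS = [
    Authorization("allow", "read", "UserType"),
    Authorization("deny", "read", "UserType", frozenset({"roleMembershipRef", "assignment"})),
]

# Constructed filters (the dict shape is this example's own, not midPoint's query language).
USERS_BY_NAME = {"kind": "equal", "item": "name"}
USERS_BY_MEMBERSHIP = {"kind": "and", "clauses": [
    {"kind": "equal", "item": "name"},
    {"kind": "ref", "item": "roleMembershipRef"},
]}
# Roles referenced by some user's assignment: evaluated on RoleType, but it
# reads UserType/assignment/targetRef, which the deny above covers.
ROLES_REFERENCED_BY_USERS = {"kind": "referencedBy", "type": "UserType",
                             "path": "assignment/targetRef",
                             "filter": {"kind": "equal", "item": "name"}}

if __name__ == "__main__":
    for name, otype, f in [("USERS_BY_NAME", "UserType", USERS_BY_NAME),
                           ("USERS_BY_MEMBERSHIP", "UserType", USERS_BY_MEMBERSHIP),
                           ("ROLES_REFERENCED_BY_USERS", "RoleType", ROLES_REFERENCED_BY_USERS)]:
        print(name, "denied items:", denied_filter_items(PRINCIPAL_AUTHS, "read", otype, f))
```

Two details carry the point of the commit: `item_readable` returns `False` as soon as a matching deny is seen, so listing the allow before or after the deny gives the same answer, and `filter_items` reports the `referencedBy` clause's items under the referencing type (`UserType`) even though the filter itself is evaluated on `RoleType`, so a deny on `UserType` items blocks a role search that would otherwise leak which users hold which assignments.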
Showing 15 changed files with 394 additions and 137 deletions.
...el-intest/src/test/resources/security/role-deny-read-assignment-and-roleMembershipRef.xml (21 additions & 0 deletions)
@@ -0,0 +1,21 @@ | ||
<!-- | ||
~ Copyright (C) 2010-2024 Evolveum and contributors | ||
~ | ||
~ This work is dual-licensed under the Apache License 2.0 | ||
~ and European Union Public License. See LICENSE file for details. | ||
--> | ||
|
||
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" | ||
oid="2c328dbc-a40d-43a8-a9e1-266c96cad22d"> | ||
<name>role-deny-read-assignment-and-roleMembershipRef</name> | ||
<authorization> | ||
<name>deny-read-assignment-and-roleMembershipRef</name> | ||
<decision>deny</decision> | ||
<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action> | ||
<object> | ||
<type>UserType</type> | ||
</object> | ||
<item>roleMembershipRef</item> | ||
<item>assignment</item> | ||
</authorization> | ||
</role> |
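Review bot: this resource is missing the `<?xml version="1.0" encoding="UTF-8"?>` declaration that the other two test resources added in this commit (user-alex.xml, user-betty.xml) start with; add it for consistency. Also worth a comment in the file: the role carries only a `deny` authorization and no `<filter>` under `<object>`, so on its own it denies reading `roleMembershipRef` and `assignment` on every `UserType` and grants nothing, which means it only has an observable effect when combined with a separate allow role; naming that companion role in a comment would make the test resource self-explanatory.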
model/model-intest/src/test/resources/security/user-alex.xml (14 additions & 0 deletions)
@@ -0,0 +1,14 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!-- | ||
~ Copyright (c) 2010-2018 Evolveum and contributors | ||
~ | ||
~ This work is dual-licensed under the Apache License 2.0 | ||
~ and European Union Public License. See LICENSE file for details. | ||
--> | ||
<user oid="90b46002-15df-4de5-b73b-2103860fb2b1" | ||
xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'> | ||
<name>alex</name> | ||
<assignment> | ||
<targetRef oid="00000000-0000-0000-0000-00000000aad1" type="RoleType"/> | ||
</assignment> | ||
</user> |
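Review bot: the copyright header reads 2010-2018 on a file created in this 2024 commit, while the role resource in the same commit says 2010-2024; update it. The assigned role `00000000-0000-0000-0000-00000000aad1` is not defined in any file shown here, so confirm the test initialization imports that role before alex, and add a comment naming it next to the `targetRef`, since the OID alone does not tell the reader which authorizations alex is expected to end up with.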
model/model-intest/src/test/resources/security/user-betty.xml (14 additions & 0 deletions)
@@ -0,0 +1,14 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!-- | ||
~ Copyright (c) 2010-2018 Evolveum and contributors | ||
~ | ||
~ This work is dual-licensed under the Apache License 2.0 | ||
~ and European Union Public License. See LICENSE file for details. | ||
--> | ||
<user oid="64b3462b-a221-4a6f-9ad3-4bc4b622ccc5" | ||
xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'> | ||
<name>betty</name> | ||
<assignment> | ||
<targetRef oid="3a17b131-82c2-4669-a491-791081be9c04" type="RoleType"/> | ||
</assignment> | ||
</user> |
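Review bot: same stale 2010-2018 copyright header as user-alex.xml. Note also that betty's `targetRef` points at `3a17b131-82c2-4669-a491-791081be9c04` and alex's at a different OID again, so neither new user as shown in this commit is assigned the new deny role `2c328dbc-a40d-43a8-a9e1-266c96cad22d`; if the test assigns it at runtime, a comment here saying so (and naming the role behind `3a17b131-...`) would spare the next reader a search through the test class.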