Check authorizations after Projector starts

This resolves MID-9459.
Evolveum · Feb 8, 2024 · 4fa9a65 · 4fa9a65
1 parent ff99d05
commit 4fa9a65
Show file tree

Hide file tree

Showing 20 changed files with 295 additions and 101 deletions.
diff --git a/...dpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.java b/...dpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.java
@@ -317,9 +317,9 @@ public <O extends ObjectType, T extends ObjectType> AccessDecision decideAccess(
     }
 
     @Override
-    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object, OwnerResolver ownerResolver, Task task, OperationResult result)
+    public <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object, boolean fullInformationAvailable, OwnerResolver ownerResolver, Task task, OperationResult result)
             throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
-        return securityEnforcer.compileSecurityConstraints(object, ownerResolver, task, result);
+        return securityEnforcer.compileSecurityConstraints(object, fullInformationAvailable, ownerResolver, task, result);
     }
 
     @Override

diff --git a/...model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java b/...model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
@@ -382,6 +382,9 @@ private void authorizePartialExecution(LensContext<? extends ObjectType> context
         PartialProcessingOptionsType partialProcessing = ModelExecuteOptions.getPartialProcessing(options);
         if (partialProcessing != null) {
             PrismObject<? extends ObjectType> object = context.getFocusContext().getObjectAny();
+            // FIXME the information about the object may be incomplete (orgs, tenants, roles) but we treat it as complete here.
+            //  See also MID-9454.
+            // TODO audit the request failure if this check fails
             securityEnforcer.authorize(ModelAuthorizationAction.PARTIAL_EXECUTION.getUrl(),
                     null, AuthorizationParameters.Builder.buildObject(object), null, task, result);
         }

diff --git a/...rc/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java b/...rc/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
@@ -269,7 +269,7 @@ public <O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(
             PrismObject<O> fullObject = getFullObjectReadWrite(object, result);
 
             // TODO: maybe we need to expose owner resolver in the interface?
-            ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(fullObject, null, task, result);
+            ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(fullObject, true, null, task, result);
             LOGGER.trace("Security constrains for {}:\n{}", object, DebugUtil.debugDumpLazily(securityConstraints));
             if (securityConstraints == null) {
                 // Nothing allowed => everything denied
@@ -387,7 +387,7 @@ public ResourceObjectDefinition getEditObjectClassDefinition(
 
         // TODO: maybe we need to expose owner resolver in the interface?
         ObjectSecurityConstraints securityConstraints =
-                securityEnforcer.compileSecurityConstraints(shadow, null, task, result);
+                securityEnforcer.compileSecurityConstraints(shadow, true, null, task, result);
         LOGGER.trace("Security constrains for {}:\n{}", shadow, DebugUtil.debugDumpLazily(securityConstraints));
         if (securityConstraints == null) {
             return null;
@@ -522,7 +522,7 @@ public <H extends AssignmentHolderType, R extends AbstractRoleType> RoleSelectio
 
         ObjectSecurityConstraints securityConstraints;
         try {
-            securityConstraints = securityEnforcer.compileSecurityConstraints(focus, null, task, result);
+            securityConstraints = securityEnforcer.compileSecurityConstraints(focus, true, null, task, result);
         } catch (ExpressionEvaluationException | ObjectNotFoundException | SchemaException | CommunicationException |
                 SecurityViolationException e) {
             result.recordFatalError(e);

diff --git a/...el-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/RawChangesExecutor.java b/...el-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/RawChangesExecutor.java
@@ -331,7 +331,7 @@ private <T extends ObjectType> T executeModifyDeltaRaw(ObjectDelta<T> delta,
             if (!preAuthorized) {
                 //noinspection unchecked
                 AuthorizationParameters<T, ObjectType> autzParams =
-                        AuthorizationParameters.Builder.buildObjectDelta((PrismObject<T>) existingObject.asPrismObject(), delta);
+                        AuthorizationParameters.Builder.buildObjectDelta((PrismObject<T>) existingObject.asPrismObject(), delta, true);
                 securityEnforcer.authorize(ModelAuthorizationAction.RAW_OPERATION.getUrl(), null, autzParams, null, task, result);
                 securityEnforcer.authorize(ModelAuthorizationAction.MODIFY.getUrl(), null, autzParams, null, task, result);
             }

diff --git a/...del-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java b/...del-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java
@@ -181,10 +181,10 @@ private <T extends ObjectType> void applySchemaAndSecurityToObject(PrismObject<T
         }
     }
 
-    private <O extends ObjectType> void authorizeOptions(GetOperationOptions rootOptions, PrismObject<O> object, ObjectDelta<O> delta, AuthorizationPhaseType phase, Task task, OperationResult result)
+    private <O extends ObjectType> void authorizeOptions(GetOperationOptions rootOptions, PrismObject<O> object, AuthorizationPhaseType phase, Task task, OperationResult result)
             throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
         if (GetOperationOptions.isRaw(rootOptions)) {
-            securityEnforcer.authorize(ModelAuthorizationAction.RAW_OPERATION.getUrl(), phase, AuthorizationParameters.Builder.buildObjectDelta(object, delta), null, task, result);
+            securityEnforcer.authorize(ModelAuthorizationAction.RAW_OPERATION.getUrl(), phase, AuthorizationParameters.Builder.buildObject(object), null, task, result);
         }
     }
 
@@ -199,7 +199,7 @@ <O extends ObjectType> void applySchemasAndSecurity(PrismObject<O> object, GetOp
                     throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
         LOGGER.trace("applySchemasAndSecurity({}) starting", object);
         OperationResult result = parentResult.createMinorSubresult(OP_APPLY_SCHEMAS_AND_SECURITY);
-        authorizeOptions(rootOptions, object, null, phase, task, result);
+        authorizeOptions(rootOptions, object, phase, task, result);
         validateObject(object, rootOptions, result);
 
         ObjectSecurityConstraints securityConstraints = compileSecurityConstraints(object, task, result);
@@ -318,7 +318,7 @@ private <F extends ObjectType, O extends ObjectType> ObjectSecurityConstraints a
             }
         }
         GetOperationOptions getOptions = ModelExecuteOptions.toGetOperationOptions(context.getOptions());
-        authorizeOptions(getOptions, object, null, phase, task, result);
+        authorizeOptions(getOptions, object, phase, task, result);
 
         ObjectSecurityConstraints securityConstraints = compileSecurityConstraints(object, task, result);
 
@@ -375,7 +375,7 @@ private <O extends ObjectType> void applySchemasAndSecurityPhase(PrismObject<O>
 
     private <O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object, Task task, OperationResult result) throws SecurityViolationException, SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException {
         try {
-            ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(object, null, task, result);
+            ObjectSecurityConstraints securityConstraints = securityEnforcer.compileSecurityConstraints(object, true, null, task, result);
             if (LOGGER.isTraceEnabled()) {
                 LOGGER.trace("Security constraints for {}:\n{}", object, securityConstraints==null?"null":securityConstraints.debugDump());
             }

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java
@@ -58,8 +58,11 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 
 /**
- * @author semancik
+ * The "clockwork" that drives the change processing. The main entry is {@link #run(LensContext, Task, OperationResult)} method.
+ *
+ * As a special responsibility, this class ensures the conflict resolution with the help of {@link ClockworkConflictResolver}.
  *
+ * @author semancik
  */
 @Component
 public class Clockwork {