Introducing AuthorizationException. Minor web service fixes.

infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd

@@ -8915,6 +8915,62 @@
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000008">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ROLE_END_USER"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000009">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT_AUDIT"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000100">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT_RECONCILIATION"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000107">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT_USER_ACCOUNTS"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000108">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT_USER_ORGS"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000109">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT_USER_ROLES"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000110">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT_USERS"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-000000000111">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT_SHADOW_OWNER"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
         </xsd:restriction>
     </xsd:simpleType>
 

infra/util/src/main/java/com/evolveum/midpoint/util/exception/AuthorizationException.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2015 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.util.exception;
+
+/**
+ * Exception indicating violation of authorization policies.
+ * 
+ * @author Radovan Semancik
+ *
+ */
+public class AuthorizationException extends SecurityViolationException {
+
+	public AuthorizationException() {
+	}
+
+	public AuthorizationException(String message) {
+		super(message);
+	}
+
+	public AuthorizationException(Throwable cause) {
+		super(cause);
+	}
+
+	public AuthorizationException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+	@Override
+	public String getOperationResultMessage() {
+		return "Not authorized";
+	}
+
+}

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebService.java

@@ -41,6 +41,7 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.exception.AuthorizationException;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
@@ -80,6 +81,8 @@
 import com.evolveum.prism.xml.ns._public.types_3.RawType;
 
 import org.apache.commons.lang.StringUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -130,7 +133,7 @@ public void getObject(QName objectType, String oid, SelectorQualifiedGetOptionsT
 			return;
 		} catch (Exception ex) {
 			LoggingUtils.logException(LOGGER, "# MODEL getObject() failed", ex);
-			throw createSystemFault(ex, operationResult);
+			throwFault(ex, operationResult);
 		} finally {
 			auditLogout(task);
 		}
@@ -157,7 +160,7 @@ public void searchObjects(QName objectType, QueryType query, SelectorQualifiedGe
 			objectListHolder.value = listType;
 		} catch (Exception ex) {
 			LoggingUtils.logException(LOGGER, "# MODEL searchObjects() failed", ex);
-			throw createSystemFault(ex, operationResult);
+			throwFault(ex, operationResult);
 		} finally {
 			auditLogout(task);
 		}
@@ -187,7 +190,9 @@ public ObjectDeltaOperationListType executeChanges(ObjectDeltaListType deltaList
             return retval;
 		} catch (Exception ex) {
 			LoggingUtils.logException(LOGGER, "# MODEL executeChanges() failed", ex);
-			throw createSystemFault(ex, operationResult);
+			throwFault(ex, operationResult);
+			// notreached
+			return null;
 		} finally {
 			auditLogout(task);
 		}
@@ -210,7 +215,7 @@ public void findShadowOwner(String accountOid, Holder<UserType> userHolder, Hold
 			return;
 		} catch (Exception ex) {
 			LoggingUtils.logException(LOGGER, "# MODEL findShadowOwner() failed", ex);
-			throw createSystemFault(ex, operationResult);
+			throwFault(ex, operationResult);
 		} finally {
 			auditLogout(task);
 		}
@@ -227,7 +232,9 @@ public OperationResultType testResource(String resourceOid) throws FaultMessage
 			return handleOperationResult(testResult);
 		} catch (Exception ex) {
 			LoggingUtils.logException(LOGGER, "# MODEL testResource() failed", ex);
-			throw createSystemFault(ex, null);
+			throwFault(ex, null);
+			// notreached
+			return null;
 		} finally {
 			auditLogout(task);
 		}
@@ -243,7 +250,9 @@ public ExecuteScriptsResponseType executeScripts(ExecuteScriptsType parameters)
             return doExecuteScripts(scriptsToExecute, parameters.getOptions(), task, result);
         } catch (Exception ex) {
             LoggingUtils.logException(LOGGER, "# MODEL executeScripts() failed", ex);
-            throw createSystemFault(ex, null);
+            throwFault(ex, null);
+            // notreached
+         	return null;
 		} finally {
 			auditLogout(task);
         }
@@ -359,7 +368,7 @@ public FaultMessage createIllegalArgumentFault(String message) {
 		return new FaultMessage(message, faultType);
 	}
 
-    public FaultMessage createSystemFault(Exception ex, OperationResult result) {
+    public void throwFault(Exception ex, OperationResult result) throws FaultMessage {
 		if (result != null) {
 			result.recordFatalError(ex.getMessage(), ex);
 		}
@@ -371,6 +380,12 @@ public FaultMessage createSystemFault(Exception ex, OperationResult result) {
 			faultType = new IllegalArgumentFaultType();
 		} else if (ex instanceof ObjectAlreadyExistsException){
 			faultType = new ObjectAlreadyExistsFaultType();
+		} else if (ex instanceof AuthorizationException) {
+			throw new Fault(new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION),
+					WSSecurityException.ErrorCode.FAILED_AUTHENTICATION.getQName());
+		} else if (ex instanceof SecurityViolationException) {
+			throw new Fault(new WSSecurityException(WSSecurityException.ErrorCode.FAILURE),
+					WSSecurityException.ErrorCode.FAILURE.getQName());
 		} else{
 			faultType = new SystemFaultType();
 		}
@@ -379,7 +394,7 @@ public FaultMessage createSystemFault(Exception ex, OperationResult result) {
 			faultType.setOperationResult(result.createOperationResultType());
 		}
 
-		return new FaultMessage(ex.getMessage(), faultType, ex);
+		throw new FaultMessage(ex.getMessage(), faultType, ex);
 	}
 
 	@Override
@@ -399,7 +414,9 @@ public TaskType importFromResource(String resourceOid, QName objectClass)
 		} catch (Exception ex) {
 			LoggingUtils.logException(LOGGER, "# MODEL importFromResource() failed", ex);
 			auditLogout(task);
-			throw createSystemFault(ex, operationResult);
+			throwFault(ex, operationResult);
+			// notreached
+			return null;
 		}
 	}
 
@@ -418,31 +435,31 @@ public TaskType notifyChange(ResourceObjectShadowChangeDescriptionType changeDes
 			} catch (ObjectNotFoundException ex) {
 				LoggingUtils.logException(LOGGER, "# MODEL notifyChange() failed", ex);
 				auditLogout(task);
-				throw createSystemFault(ex, parentResult);
+				throwFault(ex, parentResult);
 			} catch (SchemaException ex) {
 				 LoggingUtils.logException(LOGGER, "# MODEL notifyChange() failed", ex);
 				auditLogout(task);
-				throw createSystemFault(ex, parentResult);
+				throwFault(ex, parentResult);
 			} catch (CommunicationException ex) {
 				LoggingUtils.logException(LOGGER, "# MODEL notifyChange() failed", ex);
 				auditLogout(task);
-				throw createSystemFault(ex, parentResult);
+				throwFault(ex, parentResult);
 			} catch (ConfigurationException ex) {
 				LoggingUtils.logException(LOGGER, "# MODEL notifyChange() failed", ex);
 				auditLogout(task);
-				throw createSystemFault(ex, parentResult);
+				throwFault(ex, parentResult);
 			} catch (SecurityViolationException ex) {
 				LoggingUtils.logException(LOGGER, "# MODEL notifyChange() failed", ex);
 				auditLogout(task);
-				throw createSystemFault(ex, parentResult);
+				throwFault(ex, parentResult);
 			} catch (RuntimeException ex){
 				LoggingUtils.logException(LOGGER, "# MODEL notifyChange() failed", ex);
 				auditLogout(task);
-				throw createSystemFault(ex, parentResult);
+				throwFault(ex, parentResult);
 			} catch (ObjectAlreadyExistsException ex){
 				LoggingUtils.logException(LOGGER, "# MODEL notifyChange() failed", ex);
 				auditLogout(task);
-				throw createSystemFault(ex, parentResult);
+				throwFault(ex, parentResult);
 			}
 
 

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelWebServiceRaw.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2015 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -189,7 +189,9 @@ public DOMSource invokeAllowingFaults(DOMSource request) throws FaultMessage {
                 throw ws.createIllegalArgumentFault("Unsupported request type: " + requestObject);
             }
         } catch (SchemaException e) {
-            throw createSystemFault(e, operationResultTypeHolder.value);
+        	throwFault(e, operationResultTypeHolder.value);
+        	// not reached
+        	return null;
         }
 
         // brutal hack for MID-2001 (serializing and parsing eliminates the problem!)
@@ -221,11 +223,11 @@ private String getStackTraceAsString(FaultMessage faultMessage) {
         return sw.toString();
     }
 
-    private FaultMessage createSystemFault(Exception ex, OperationResultType resultType) {
+    private void throwFault(Exception ex, OperationResultType resultType) throws FaultMessage {
 		if (resultType != null) {
-            return ws.createSystemFault(ex, OperationResult.createOperationResult(resultType));
+            ws.throwFault(ex, OperationResult.createOperationResult(resultType));
 		} else {
-            return ws.createSystemFault(ex, null);
+            ws.throwFault(ex, null);
         }
 	}
 }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java

@@ -138,6 +138,7 @@
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.DisplayableValue;
+import com.evolveum.midpoint.util.exception.AuthorizationException;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -1920,20 +1921,20 @@ private <T extends ObjectType> void postProcessObject(PrismObject<T> object, Get
 				LOGGER.trace("Security constrains for {}:\n{}", object, securityConstraints==null?"null":securityConstraints.debugDump());
 			}
 			if (securityConstraints == null) {
-				throw new SecurityViolationException("Access denied");
+				throw new AuthorizationException("Access denied");
 			}
 			AuthorizationDecisionType globalDecision = securityConstraints.getActionDecision(ModelAuthorizationAction.READ.getUrl(), null);
 			if (globalDecision == AuthorizationDecisionType.DENY) {
 				// shortcut
-				throw new SecurityViolationException("Access denied");
+				throw new AuthorizationException("Access denied");
 			}
 			if (globalDecision == AuthorizationDecisionType.ALLOW && securityConstraints.hasNoItemDecisions()) {
 				// shortcut, nothing to do
 			} else {
 				removeDeniedItems((List)object.getValue().getItems(), securityConstraints, globalDecision);
 				if (object.isEmpty()) {
 					// let's make it explicit
-					throw new SecurityViolationException("Access denied");
+					throw new AuthorizationException("Access denied");
 				}
 			}
 

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java

@@ -70,6 +70,7 @@
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.util.exception.AuthorizationException;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -916,13 +917,13 @@ private <F extends ObjectType, O extends ObjectType> ObjectSecurityConstraints a
 					if (assignmentItemDecision == AuthorizationDecisionType.ALLOW) {
 						// Nothing to do, operation is allowed for all values
 					} else if (assignmentItemDecision == AuthorizationDecisionType.DENY) {
-						throw new SecurityViolationException("Access denied");
+						throw new AuthorizationException("Access denied");
 					} else {
 						AuthorizationDecisionType actionDecision = securityConstraints.getActionDecision(operationUrl, AuthorizationPhaseType.REQUEST);
 						if (actionDecision == AuthorizationDecisionType.ALLOW) {
 							// Nothing to do, operation is allowed for all values
 						} else if (actionDecision == AuthorizationDecisionType.DENY) {
-							throw new SecurityViolationException("Access denied");
+							throw new AuthorizationException("Access denied");
 						} else {
 							// No explicit decision for assignment modification yet
 							// process each assignment individually

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/MidpointRestAuthenticationHandler.java

@@ -175,7 +175,7 @@ public void handleRequest(Message m, ContainerRequestContext requestCtx) {
 
 
         try {
-			securityEnforcer.authorize(AuthorizationConstants.AUTZ_REST_URL, null, null, null, null, null, authorizeResult);
+			securityEnforcer.authorize(AuthorizationConstants.AUTZ_REST_ALL_URL, null, null, null, null, null, authorizeResult);
 		} catch (SecurityViolationException e){
 			securityHelper.auditLoginFailure(username, "Not authorized", SchemaConstants.CHANNEL_REST_URI);
 			requestCtx.abortWith(Response.status(403).header("WWW-Authenticate", "Basic").build());