
resolve error with authorization in channel objects
skublik committed Jan 14, 2020
1 parent 1067061 commit 65a4679
Showing 4 changed files with 251 additions and 24 deletions.
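--- /dev/null
+++ b/com/evolveum/midpoint/web/page/login/PageAuthenticationBase.java
@@ -0,0 +1,171 @@
+/*
+* Copyright (c) 2010-2018 Evolveum and contributors
+*
+* This work is dual-licensed under the Apache License 2.0
+* and European Union Public License. See LICENSE file for details.
+*/
+package com.evolveum.midpoint.web.page.login;
+
+import com.evolveum.midpoint.gui.api.page.PageBase;
+import com.evolveum.midpoint.model.api.AuthenticationEvaluator;
+import com.evolveum.midpoint.model.api.context.NonceAuthenticationContext;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.Producer;
+import com.evolveum.midpoint.util.exception.CommonException;
+import com.evolveum.midpoint.util.exception.SchemaException;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.web.page.forgetpassword.ResetPolicyDto;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import org.apache.wicket.RestartResponseException;
+import org.apache.wicket.spring.injection.annot.SpringBean;
+
+public class PageAuthenticationBase extends PageBase {
+
+private static final long serialVersionUID = 1L;
+private static final String DOT_CLASS = PageAuthenticationBase.class.getName() + ".";
+private static final String OPERATION_GET_SECURITY_POLICY = DOT_CLASS + "getSecurityPolicy";
+
+protected static final String OPERATION_LOAD_DYNAMIC_FORM = DOT_CLASS + "loadDynamicForm";
+
+private static final Trace LOGGER = TraceManager.getTrace(PageAuthenticationBase.class);
+
+@SpringBean(name = "nonceAuthenticationEvaluator")
+private AuthenticationEvaluator<NonceAuthenticationContext> authenticationEvaluator;
+
+private ResetPolicyDto resetPasswordPolicy;
+private SelfRegistrationDto selfRegistrationDto;
+private SelfRegistrationDto postAuthenticationDto;
+
+public PageAuthenticationBase() {
+// initSelfRegistrationConfiguration();
+// initResetCredentialsConfiguration();
+}
+
+private void initSelfRegistrationConfiguration() {
+
+SecurityPolicyType securityPolicy = resolveSecurityPolicy();
+
+this.selfRegistrationDto = new SelfRegistrationDto();
+try {
+this.selfRegistrationDto.initSelfRegistrationDto(securityPolicy);
+} catch (SchemaException e) {
+LOGGER.error("Failed to initialize self registration configuration.", e);
+getSession().error(
+createStringResource("PageSelfRegistration.selfRegistration.configuration.init.failed")
+.getString());
+throw new RestartResponseException(PageLogin.class);
+}
+
+}
+
+private void initPostAuthenticationConfiguration() {
+
+SecurityPolicyType securityPolicy = resolveSecurityPolicy();
+
+this.postAuthenticationDto = new SelfRegistrationDto();
+try {
+this.postAuthenticationDto.initPostAuthenticationDto(securityPolicy);
+} catch (SchemaException e) {
+LOGGER.error("Failed to initialize self registration configuration.", e);
+getSession().error(
+createStringResource("PageSelfRegistration.selfRegistration.configuration.init.failed")
+.getString());
+throw new RestartResponseException(PageLogin.class);
+}
+
+}
+
+private void initResetCredentialsConfiguration() {
+
+// TODO: cleanup, the same as in the PageRegistrationBase
+SecurityPolicyType securityPolicy = resolveSecurityPolicy();
+
+this.resetPasswordPolicy = new ResetPolicyDto();
+try {
+this.resetPasswordPolicy.initResetPolicyDto(securityPolicy);
+} catch (SchemaException e) {
+LOGGER.error("Failed to initialize self registration configuration.", e);
+getSession().error(
+createStringResource("PageSelfRegistration.selfRegistration.configuration.init.failed")
+.getString());
+throw new RestartResponseException(PageLogin.class);
+}
+
+}
+
+private SecurityPolicyType resolveSecurityPolicy() {
+SecurityPolicyType securityPolicy = resolveSecurityPolicy(null);
+
+if (securityPolicy == null) {
+LOGGER.error("No security policy defined.");
+getSession()
+.error(createStringResource("PageSelfRegistration.securityPolicy.notFound").getString());
+throw new RestartResponseException(PageLogin.class);
+}
+
+return securityPolicy;
+}
+
+protected SecurityPolicyType resolveSecurityPolicy(PrismObject<UserType> user) {
+SecurityPolicyType securityPolicy = runPrivileged(new Producer<SecurityPolicyType>() {
+private static final long serialVersionUID = 1L;
+
+@Override
+public SecurityPolicyType run() {
+
+Task task = createAnonymousTask(OPERATION_GET_SECURITY_POLICY);
+task.setChannel(SchemaConstants.CHANNEL_GUI_SELF_REGISTRATION_URI);
+OperationResult result = new OperationResult(OPERATION_GET_SECURITY_POLICY);
+
+try {
+return getModelInteractionService().getSecurityPolicy(user, task, result);
+} catch (CommonException e) {
+LOGGER.error("Could not retrieve security policy: {}", e.getMessage(), e);
+return null;
+}
+
+}
+
+});
+
+return securityPolicy;
+
+}
+
+public SelfRegistrationDto getSelfRegistrationConfiguration() {
+
+if (selfRegistrationDto == null) {
+initSelfRegistrationConfiguration();
+}
+
+return selfRegistrationDto;
+
+}
+
+public ResetPolicyDto getResetPasswordPolicy() {
+if (resetPasswordPolicy == null) {
+initResetCredentialsConfiguration();
+}
+return resetPasswordPolicy;
+}
+
+public SelfRegistrationDto getPostAuthenticationConfiguration() {
+
+if (postAuthenticationDto == null) {
+initPostAuthenticationConfiguration();
+}
+
+return postAuthenticationDto;
+
+}
+
+public AuthenticationEvaluator<NonceAuthenticationContext> getAuthenticationEvaluator() {
+return authenticationEvaluator;
+}
+
+}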
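Review bot: `resolveSecurityPolicy(PrismObject<UserType> user)` runs under `runPrivileged` with the task channel hard-coded to `SchemaConstants.CHANNEL_GUI_SELF_REGISTRATION_URI`, yet the same method is the lookup behind the reset-password and post-authentication getters in this class, so those callers execute a privileged policy lookup labelled as self-registration; whether `getSecurityPolicy` or the audit trail keys anything off that channel is not visible here, but since this commit is about per-channel authorization the channel should either be passed in by the caller or the choice documented, e.g. `// channel is always self-registration here; callers for reset/post-auth rely on getSecurityPolicy ignoring it — TODO confirm`. The catch blocks in `initPostAuthenticationConfiguration` and `initResetCredentialsConfiguration` were copied from the self-registration variant and log `"Failed to initialize self registration configuration."`, which will mislead whoever reads the log; use `LOGGER.error("Failed to initialize post-authentication configuration.", e);` and `LOGGER.error("Failed to initialize reset credentials configuration.", e);`. The two commented-out calls in the constructor are dead code and should be deleted rather than kept, since the getters already initialise lazily. This is a new file, so the class and every method are fully visible in the section.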
Expand Up @@ -7,12 +7,14 @@
package com.evolveum.midpoint.web.security.channel;

import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
import org.springframework.security.core.GrantedAuthority;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
* @author skublik
Expand All @@ -36,14 +38,32 @@ public String getPathAfterSuccessfulAuthentication() {
public Collection<? extends GrantedAuthority> resolveAuthorities(Collection<? extends GrantedAuthority> authorities) {
ArrayList<GrantedAuthority> newAuthorities = new ArrayList<GrantedAuthority>();
for (GrantedAuthority authority : authorities) {
if (authority != null && authority.getAuthority() != null
&& authority.getAuthority().startsWith(AuthorizationConstants.NS_AUTHORIZATION_ACTUATOR)) {
newAuthorities.add(authority);
}
if (AuthorizationConstants.AUTZ_ALL_URL.equals(authority.getAuthority())) {
newAuthorities.add(authority);
List<String> authoritiesString = new ArrayList<String>();
if (authority instanceof Authorization) {
Authorization clone = ((Authorization) authority).clone();
authoritiesString = clone.getAction();
List<String> newAction = new ArrayList<String>();
for (String authorityString : authoritiesString) {
if (authorityString.startsWith(AuthorizationConstants.NS_AUTHORIZATION_ACTUATOR)
|| authorityString.equals(AuthorizationConstants.AUTZ_ALL_URL)) {
newAction.add(authorityString);
}
}
if (!newAction.isEmpty()) {
clone.getAction().clear();
clone.getAction().addAll(newAction);
newAuthorities.add(clone);
}
} else {
if (authority.getAuthority().startsWith(AuthorizationConstants.NS_AUTHORIZATION_ACTUATOR)) {
newAuthorities.add(authority);
}
if (authority.getAuthority().equals(AuthorizationConstants.AUTZ_ALL_URL)) {
newAuthorities.add(authority);
}
}

}
return authorities;
return newAuthorities;
}
}
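Review bot: The new `else` branch of `resolveAuthorities` calls `authority.getAuthority().startsWith(...)` and `.equals(...)` without the `authority != null && authority.getAuthority() != null` guard the removed lines had; a null element fails `instanceof Authorization` and lands in this branch, and a `GrantedAuthority` whose `getAuthority()` returns null now throws NPE instead of being skipped. Restore the guard at the top of the loop, `if (authority == null) { continue; }`, and in the else branch `String name = authority.getAuthority(); if (name == null) { continue; }` before the two checks. In the `Authorization` branch, `clone.getAction()` is iterated directly; whether that accessor can return null is not visible here, but the REST-channel counterpart in this same commit used to guard it, so it is worth confirming. The method is fully inside the hunk; the enclosing class header is not.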
Expand Up @@ -19,6 +19,7 @@

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
* @author skublik
Expand Down Expand Up @@ -46,16 +47,42 @@ public String getPathAfterSuccessfulAuthentication() {
public Collection<? extends GrantedAuthority> resolveAuthorities(Collection<? extends GrantedAuthority> authorities) {
ArrayList<GrantedAuthority> newAuthorities = new ArrayList<GrantedAuthority>();
for (GrantedAuthority authority : authorities) {
if (AuthorizationConstants.AUTZ_ALL_URL.equals(authority.getAuthority())) {
newAuthorities.add(new SimpleGrantedAuthority(PageResetPassword.AUTH_SELF_ALL_URI));
newAuthorities.add(new SimpleGrantedAuthority(AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL));
}
if (PageResetPassword.AUTH_SELF_ALL_URI.equals(authority.getAuthority())) {
newAuthorities.add(authority);
}
if (AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL.equals(authority.getAuthority())) {
newAuthorities.add(authority);
List<String> authoritiesString = new ArrayList<String>();
if (authority instanceof Authorization) {
Authorization clone = ((Authorization) authority).clone();
authoritiesString = clone.getAction();
List<String> newAction = new ArrayList<String>();
for (String authorityString : authoritiesString) {
if (AuthorizationConstants.AUTZ_ALL_URL.equals(authorityString)) {
authoritiesString.remove(authorityString);
newAction.add(PageResetPassword.AUTH_SELF_ALL_URI);
newAction.add(AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL);
}
if (authority.getAuthority().startsWith(AuthorizationConstants.NS_AUTHORIZATION_REST)) {
newAction.add(AuthorizationConstants.NS_AUTHORIZATION_REST);
}
if (authority.getAuthority().equals(AuthorizationConstants.AUTZ_ALL_URL)) {
newAction.add(AuthorizationConstants.AUTZ_ALL_URL);
}
}
if (!newAction.isEmpty()) {
clone.getAction().clear();
clone.getAction().addAll(newAction);
newAuthorities.add(clone);
}
} else {
if (AuthorizationConstants.AUTZ_ALL_URL.equals(authority.getAuthority())) {
newAuthorities.add(new SimpleGrantedAuthority(PageResetPassword.AUTH_SELF_ALL_URI));
newAuthorities.add(new SimpleGrantedAuthority(AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL));
}
if (PageResetPassword.AUTH_SELF_ALL_URI.equals(authority.getAuthority())) {
newAuthorities.add(authority);
}
if (AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL.equals(authority.getAuthority())) {
newAuthorities.add(authority);
}
}

}
return newAuthorities;
}
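Review bot: The inner loop of the `Authorization` branch in `resolveAuthorities` removes from the list it is iterating (`authoritiesString.remove(authorityString)` on `clone.getAction()` inside a for-each over the same list), which throws `ConcurrentModificationException` on the next iteration unless the matching entry happens to be last; the removal is also pointless, since `clone.getAction().clear()` follows a few lines later. The next two checks in that loop test `authority.getAuthority()` — the outer `GrantedAuthority` — rather than `authorityString`, so they are re-evaluated against a constant once per action; one of them adds `NS_AUTHORIZATION_REST`, a namespace prefix rather than an action URI, and the other keeps `AUTZ_ALL_URL`, so an `Authorization` carrying `#all` is both expanded to the two self-credentials URIs and retains `#all` on the reset-password channel, whereas the `else` branch directly below drops `#all` after expanding it. The else branch looks like the intended narrowing for this channel; the `Authorization` branch should mirror it, as below, and if the REST/`#all` pass-through is actually intended here it must at least test `authorityString`. Whether `clone.getAction()` can be null is not visible here; the old REST-channel code guarded it.

```java
Authorization clone = ((Authorization) authority).clone();
List<String> newAction = new ArrayList<String>();
for (String authorityString : clone.getAction()) {
    if (AuthorizationConstants.AUTZ_ALL_URL.equals(authorityString)) {
        newAction.add(PageResetPassword.AUTH_SELF_ALL_URI);
        newAction.add(AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL);
    } else if (PageResetPassword.AUTH_SELF_ALL_URI.equals(authorityString)
            || AuthorizationConstants.AUTZ_UI_SELF_CREDENTIALS_URL.equals(authorityString)) {
        newAction.add(authorityString);
    }
}
// … unchanged: replace the clone's actions with newAction and add the clone when non-empty …
```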
Expand Up @@ -42,20 +42,29 @@ public Collection<? extends GrantedAuthority> resolveAuthorities(Collection<? ex
for (GrantedAuthority authority : authorities) {
List<String> authoritiesString = new ArrayList<String>();
if (authority instanceof Authorization) {
authoritiesString = ((Authorization)authority).getAction();
} else {
authoritiesString.add(authority.getAuthority());
}
if (authoritiesString != null) {
Authorization clone = ((Authorization) authority).clone();
authoritiesString = clone.getAction();
List<String> newAction = new ArrayList<String>();
for (String authorityString : authoritiesString) {
if (authorityString.startsWith(AuthorizationConstants.NS_AUTHORIZATION_REST)) {
newAuthorities.add(authority);
if (authorityString.startsWith(AuthorizationConstants.NS_AUTHORIZATION_REST)
|| authorityString.equals(AuthorizationConstants.AUTZ_ALL_URL)) {
newAction.add(authorityString);
}
}
if (authoritiesString.contains(AuthorizationConstants.AUTZ_ALL_URL)) {
if (!newAction.isEmpty()) {
clone.getAction().clear();
clone.getAction().addAll(newAction);
newAuthorities.add(clone);
}
} else {
if (authority.getAuthority().startsWith(AuthorizationConstants.NS_AUTHORIZATION_REST)) {
newAuthorities.add(authority);
}
if (authority.getAuthority().equals(AuthorizationConstants.AUTZ_ALL_URL)) {
newAuthorities.add(authority);
}
}

}
return newAuthorities;
}
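Review bot: The removed `if (authoritiesString != null)` guard is not carried over: the `Authorization` branch now iterates `clone.getAction()` unguarded, and the new `else` branch calls `authority.getAuthority().startsWith(...)` and `.equals(...)` on a value that the old code treated as possibly null. If `Authorization.getAction()` is guaranteed non-null the first is harmless, but that is not visible here; the second will throw NPE for any plain `GrantedAuthority` with a null name, so add `String name = authority.getAuthority(); if (name == null) { continue; }` ahead of the two checks. The actuator and reset-password channels in this same commit have the same shape, so whatever guard is chosen should be applied to all three. `resolveAuthorities` begins above this hunk; only its body is visible here.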
