MID-9062:added options to enable/disable authorization collection, co…

…mpile admin gui configuration and locate security policy for principal during pending authentication

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/AuthenticationChannel.java

@@ -6,8 +6,6 @@
  */
 package com.evolveum.midpoint.authentication.api;
 
-import java.util.Collection;
-
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceType;
 
@@ -35,8 +33,6 @@ public interface AuthenticationChannel {
 
     boolean isDefault();
 
-    Collection<Authorization> resolveAuthorities(Collection<Authorization> authorities);
-
     void postSuccessAuthenticationProcessing();
 
     String getSpecificLoginUrl();
@@ -48,4 +44,6 @@ public interface AuthenticationChannel {
     String getUrlSuffix();
 
     boolean isPostAuthenticationEnabled();
+
+    boolean isAllowedAuthorization(Authorization autz);
 }

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/config/MidpointAuthentication.java

@@ -653,15 +653,6 @@ public boolean isArchetypeDefined() {
         return StringUtils.isNotEmpty(archetypeOid) || archetypeSelected;
     }
 
-    public Collection<? extends GrantedAuthority> resolveAuthorities(Authentication token) {
-        if (token.getPrincipal() instanceof MidPointPrincipal mpPrincipal) {
-            Collection<Authorization> newAuthorities = authenticationChannel.resolveAuthorities(mpPrincipal.getAuthorities());
-            newAuthorities.forEach(a -> mpPrincipal.addExtraAuthorizationIfMissing(a, true));
-            return newAuthorities;
-        }
-        return token.getAuthorities();
-    }
-
     public ModuleAuthentication getProcessingModuleOrThrowException() {
         ModuleAuthentication moduleAuthentication = getProcessingModuleAuthentication();
         if (moduleAuthentication == null) {

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/evaluator/context/AbstractAuthenticationContext.java

@@ -30,8 +30,6 @@ public abstract class AbstractAuthenticationContext {
 
     private final boolean supportActivationByChannel;
 
-    private final boolean supportGuiConfigByChannel;
-
     public AbstractAuthenticationContext(
             String username,
             Class<? extends FocusType> principalType,
@@ -41,7 +39,6 @@ public AbstractAuthenticationContext(
         this.requireAssignments = requireAssignment;
         this.principalType = principalType;
         this.supportActivationByChannel = channel == null || channel.isSupportActivationByChannel();
-        this.supportGuiConfigByChannel = channel == null || channel.isSupportGuiConfigByChannel();
     }
 
     public String getUsername() {
@@ -56,10 +53,6 @@ public boolean isSupportActivationByChannel() {
         return supportActivationByChannel;
     }
 
-    public boolean isSupportGuiConfigByChannel() {
-        return supportGuiConfigByChannel;
-    }
-
     public List<ObjectReferenceType> getRequireAssignments() {
         return requireAssignments;
     }

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java

@@ -137,6 +137,15 @@ public static MidpointAuthentication getMidpointAuthentication() {
         return (MidpointAuthentication) authentication;
     }
 
+    @Nullable
+    public static MidpointAuthentication getMidpointAuthenticationNotRequired() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (!(authentication instanceof MidpointAuthentication)) {
+            return null;
+        }
+        return (MidpointAuthentication) authentication;
+    }
+
     public static ModuleAuthentication getAuthenticatedModule() {
 //        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/FocusAuthenticationResultRecorder.java

@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
 import com.evolveum.midpoint.security.api.ConnectionEnvironment;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
 import com.evolveum.midpoint.security.api.SecurityUtil;
 import com.evolveum.midpoint.util.exception.*;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
@@ -180,7 +181,8 @@ public void recordSequenceAuthenticationFailure(String username, MidPointPrincip
         if (principal == null && StringUtils.isNotEmpty(username)) {
             try {
                 // For recording audit log, we don't need to support GUI config
-                principal = focusProfileService.getPrincipal(username, FocusType.class, false);
+                principal = focusProfileService.getPrincipal(
+                        username, FocusType.class, ProfileCompilerOptions.createOnlyPrincipalOption());
             } catch (CommonException e) {
                 //ignore error
             }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidpointHttpAuthorizationEvaluator.java

@@ -88,7 +88,9 @@ public void decide(Authentication authentication, Object object, Collection<Conf
                                 // TODO get operation result from the caller
                                 securityContextManager.getUserProfileService().getPrincipal(
                                         authorizedUser,
-                                        false, // For REST API, we don't need to support GUI config
+                                        // For REST API, we don't need to support GUI config
+                                        ProfileCompilerOptions.createNotCompileGuiAdminConfiguration()
+                                                .locateSecurityPolicy(false),
                                         new OperationResult(MidPointPrincipalManager.OPERATION_GET_PRINCIPAL));
                         ((MidpointAuthentication) authentication).setPrincipal(principal);
                         ((MidpointAuthentication) authentication).setAuthorities(principal.getAuthorities());

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/ActuatorAuthenticationChannel.java

@@ -6,10 +6,6 @@
  */
 package com.evolveum.midpoint.authentication.impl.channel;
 
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
@@ -34,25 +30,19 @@ public String getPathAfterSuccessfulAuthentication() {
     }
 
     @Override
-    public Collection<Authorization> cleanupAuthorities(Collection<Authorization> authorities) {
-        ArrayList<Authorization> newAuthorities = new ArrayList<>();
-        for (Authorization authority : authorities) {
-            Authorization clone = authority.clone();
-            List<String> authoritiesString = clone.getAction();
-            List<String> newAction = new ArrayList<>();
-            for (String authorityString : authoritiesString) {
-                if (authorityString.startsWith(AuthorizationConstants.NS_AUTHORIZATION_ACTUATOR)
-                        || authorityString.equals(AuthorizationConstants.AUTZ_ALL_URL)
-                        || authorityString.equals(AuthorizationConstants.NS_AUTHORIZATION_UI)) {
-                    newAction.add(authorityString);
-                }
-            }
-            if (!newAction.isEmpty()) {
-                clone.getAction().clear();
-                clone.getAction().addAll(newAction);
-                newAuthorities.add(clone);
+    public boolean isSupportGuiConfigByChannel() {
+        return false;
+    }
+
+    @Override
+    public boolean isAllowedAuthorization(Authorization autz) {
+        for (String action : autz.getAction()) {
+            if (action.startsWith(AuthorizationConstants.NS_AUTHORIZATION_ACTUATOR)
+                    || action.equals(AuthorizationConstants.AUTZ_ALL_URL)
+                    || action.equals(AuthorizationConstants.NS_AUTHORIZATION_UI)) {
+                return true;
             }
         }
-        return newAuthorities;
+        return false;
     }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/AuthenticationChannelImpl.java

@@ -6,7 +6,6 @@
  */
 package com.evolveum.midpoint.authentication.impl.channel;
 
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 
@@ -17,8 +16,6 @@
 
 import com.evolveum.midpoint.authentication.api.util.AuthUtil;
 
-import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
-
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.Validate;
 
@@ -91,39 +88,10 @@ public boolean isDefault() {
         return Boolean.TRUE.equals(this.channel.isDefault());
     }
 
-    /**
-     * This method cares about removing some undesirable authorities and adding some additional authorities
-     * (e.g. an authority for the password reset page should be added to the list in case of successful user authentication)
-     *
-     * @param authorities
-     * @return
-     */
-    public Collection<Authorization> resolveAuthorities(Collection<Authorization> authorities) {
-        var cleanedUpAuthorities = cleanupAuthorities(authorities);
-        var newAuthorities = new ArrayList<>(cleanedUpAuthorities);
-        addAdditionalAuthorities(newAuthorities);
-        return Collections.unmodifiableList(newAuthorities);
-    }
-
-    protected Collection<Authorization> cleanupAuthorities(Collection<Authorization> authorities) {
-        return authorities;
-    }
-
-    private void addAdditionalAuthorities(Collection<Authorization> authorities) {
-        getAdditionalAuthoritiesList()
-                .forEach(a -> authorities.add(createAuthorization(a)));
-    }
-
     protected Collection<String> getAdditionalAuthoritiesList() {
         return Collections.emptyList();
     }
 
-    private Authorization createAuthorization(String authUrl) {
-        var authorizationType = new AuthorizationType();
-        authorizationType.getAction().add(authUrl);
-        return new Authorization(authorizationType);
-    }
-
     @Override
     public void postSuccessAuthenticationProcessing() {
     }
@@ -152,4 +120,9 @@ public String getUrlSuffix() {
     public boolean isPostAuthenticationEnabled() {
         return false;
     }
+
+    @Override
+    public boolean isAllowedAuthorization(Authorization autz) {
+        return true;
+    }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/ResetPasswordAuthenticationChannel.java

@@ -6,17 +6,13 @@
  */
 package com.evolveum.midpoint.authentication.impl.channel;
 
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
-
-import org.jetbrains.annotations.NotNull;
 
 /**
  * @author skublik
@@ -38,11 +34,12 @@ public String getPathAfterSuccessfulAuthentication() {
     }
 
     @Override
-    public Collection<Authorization> cleanupAuthorities(@NotNull Collection<Authorization> authorities) {
-        for (Authorization authzI : authorities) {
-            authzI.getAction().removeIf(action -> action.contains(AuthorizationConstants.NS_AUTHORIZATION_UI));
+    public boolean isAllowedAuthorization(Authorization autz) {
+        if (autz != null
+                && autz.getAction().contains(AuthorizationConstants.AUTZ_UI_RESET_PASSWORD_URL)) {
+            return true;
         }
-        return authorities;
+        return false;
     }
 
     @Override

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/RestAuthenticationChannel.java

@@ -30,4 +30,6 @@ public String getPathAfterSuccessfulAuthentication() {
     public boolean isSupportGuiConfigByChannel() {
         return false;
     }
+
+
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/evaluator/AuthenticationEvaluatorImpl.java

@@ -20,6 +20,7 @@
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.security.api.ConnectionEnvironment;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
 import com.evolveum.midpoint.util.exception.*;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
@@ -48,7 +49,8 @@ public void setPrincipalManager(GuiProfiledPrincipalManager focusProfileService)
 
 
     @NotNull
-    protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndCheckPrincipal(ConnectionEnvironment connEnv, C authCtx, boolean supportActivationCheck) {
+    protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndCheckPrincipal(
+            ConnectionEnvironment connEnv, C authCtx, boolean supportActivationCheck) {
         ObjectQuery query = authCtx.createFocusQuery();
         String username = authCtx.getUsername();
         if (query == null) {
@@ -59,7 +61,8 @@ protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndChec
         Class<? extends FocusType> clazz = authCtx.getPrincipalType();
         MidPointPrincipal principal;
         try {
-            principal = focusProfileService.getPrincipal(query, clazz, authCtx.isSupportGuiConfigByChannel());
+            principal = focusProfileService.getPrincipal(
+                    query, clazz, createOptionForGettingPrincipal());
         } catch (ObjectNotFoundException e) {
             recordModuleAuthenticationFailure(username, null, connEnv, null, "no focus");
             throw new UsernameNotFoundException(AuthUtil.generateBadCredentialsMessageKey(SecurityContextHolder.getContext().getAuthentication()));
@@ -92,6 +95,10 @@ protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndChec
         return principal;
     }
 
+    protected ProfileCompilerOptions createOptionForGettingPrincipal() {
+        return ProfileCompilerOptions.createOnlyPrincipalOption();
+    }
+
     protected boolean hasNoAuthorizations(MidPointPrincipal principal) {
         for (Authorization auth : principal.getAuthorities()) {
             if (!auth.getAction().isEmpty()) {

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/evaluator/CredentialsAuthenticationEvaluatorImpl.java

@@ -9,6 +9,8 @@
 import javax.xml.datatype.Duration;
 import javax.xml.datatype.XMLGregorianCalendar;
 
+import com.evolveum.midpoint.security.api.ProfileCompilerOptions;
+
 import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.MessageSource;
@@ -92,7 +94,7 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co
             throw new BadCredentialsException(AuthUtil.generateBadCredentialsMessageKey(SecurityContextHolder.getContext().getAuthentication()));
         }
 
-        checkAuthorizations(principal, connEnv, authnCtx);
+//        checkAuthorizations(principal, connEnv, authnCtx);
         recordModuleAuthenticationSuccess(principal, connEnv);
         return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
     }
@@ -342,4 +344,11 @@ private LoginEventType getLastFailedLogin(AuthenticationAttemptDataType authenti
     public AuthenticationAttemptDataType getAuthenticationData(MidPointPrincipal principal, ConnectionEnvironment connectionEnvironment) {
         return AuthUtil.findAuthAttemptDataForModule(connectionEnvironment, principal);
     }
+
+    @Override
+    protected ProfileCompilerOptions createOptionForGettingPrincipal() {
+        return ProfileCompilerOptions.createNotCompileGuiAdminConfiguration()
+                .collectAuthorization(false)
+                .locateSecurityPolicy(true);
+    }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/evaluator/PreAuthenticatedEvaluatorImpl.java

@@ -49,10 +49,10 @@ public PreAuthenticatedAuthenticationToken authenticate(
         MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx, authnCtx.isSupportActivationByChannel());
 
         // Authorizations
-        if (hasNoAuthorizations(principal)) {
-            recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no authorizations");
-            throw new DisabledException("web.security.provider.access.denied");
-        }
+//        if (hasNoAuthorizations(principal)) {
+//            recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no authorizations");
+//            throw new DisabledException("web.security.provider.access.denied");
+//        }
 
         if (AuthenticationEvaluatorUtil.checkRequiredAssignmentTargets(principal.getFocus(), authnCtx.getRequireAssignments())) {
             PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(principal, null, principal.getAuthorities());