Authorization expressions (MID-4191) and an avalanche of cleanup.

gui/admin-gui/pom.xml

@@ -304,6 +304,11 @@
             <artifactId>security-api</artifactId>
             <version>3.7-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>com.evolveum.midpoint.repo</groupId>
+            <artifactId>security-enforcer-api</artifactId>
+            <version>3.7-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>com.evolveum.midpoint.model</groupId>
             <artifactId>workflow-api</artifactId>
@@ -388,6 +393,12 @@
             <version>3.7-SNAPSHOT</version>
             <scope>runtime</scope>
         </dependency>
+        <dependency>
+            <groupId>com.evolveum.midpoint.repo</groupId>
+            <artifactId>security-enforcer-impl</artifactId>
+            <version>3.7-SNAPSHOT</version>
+            <scope>runtime</scope>
+        </dependency>
         <dependency>
             <groupId>com.evolveum.midpoint.model</groupId>
             <artifactId>model-impl</artifactId>

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/MainObjectListPanel.java

@@ -206,8 +206,7 @@ public boolean isVisible(){
 
                     boolean isVisible = false;
                     try {
-                        isVisible = ((PageBase) getPage()).getSecurityEnforcer().isAuthorized(ModelAuthorizationAction.IMPORT_OBJECTS.getUrl(),
-                                null, null, null, null, null)
+                        isVisible = ((PageBase) getPage()).isAuthorized(ModelAuthorizationAction.IMPORT_OBJECTS.getUrl())
                                 && WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_CONFIGURATION_ALL_URL,
                                 AuthorizationConstants.AUTZ_UI_CONFIGURATION_IMPORT_URL);
                     } catch (Exception ex){

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/TypedAssignablePanel.java

@@ -25,6 +25,7 @@
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
@@ -247,12 +248,13 @@ protected void onUpdateCheckbox(AjaxRequestTarget target) {
             protected ObjectQuery addFilterToContentQuery(ObjectQuery query) {
                 if (type.equals(RoleType.COMPLEX_TYPE)) {
                     LOGGER.debug("Loading roles which the current user has right to assign");
-                    OperationResult result = new OperationResult(OPERATION_LOAD_ASSIGNABLE_ROLES);
+                    Task task = getPageBase().createSimpleTask(OPERATION_LOAD_ASSIGNABLE_ROLES);
+                    OperationResult result = task.getResult();
                     ObjectFilter filter = null;
                     try {
                         ModelInteractionService mis = parentPage.getModelInteractionService();
                         RoleSelectionSpecification roleSpec =
-                                mis.getAssignableRoleSpecification(SecurityUtils.getPrincipalUser().getUser().asPrismObject(), result);
+                                mis.getAssignableRoleSpecification(SecurityUtils.getPrincipalUser().getUser().asPrismObject(), task, result);
                         filter = roleSpec.getFilter();
                     } catch (Exception ex) {
                         LoggingUtils.logUnexpectedException(LOGGER, "Couldn't load available roles", ex);

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/result/OpResult.java

@@ -170,11 +170,11 @@ public void determineBackgroundTaskVisibility(PageBase pageBase) {
 			return;
 		}
 		try {
-			if (pageBase.getSecurityEnforcer().isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null, null)) {
+			if (pageBase.isAuthorized(AuthorizationConstants.AUTZ_ALL_URL)) {
 				backgroundTaskVisible = true;
 				return;
 			}
-		} catch (SchemaException e) {
+		} catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException e) {
 			backgroundTaskVisible = false;
 			LoggingUtils.logUnexpectedException(LOGGER, "Couldn't determine background task visibility", e);
 			return;

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java

@@ -35,6 +35,7 @@
 import com.evolveum.midpoint.prism.Objectable;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.match.MatchingRuleRegistry;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
@@ -48,7 +49,9 @@
 import com.evolveum.midpoint.schema.util.ObjectResolver;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
+import com.evolveum.midpoint.security.api.OwnerResolver;
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskCategory;
 import com.evolveum.midpoint.task.api.TaskManager;
@@ -259,6 +262,9 @@ public abstract class PageBase extends WebPage implements ModelServiceLocator {
 
     @SpringBean(name = "accessDecisionManager")
     private SecurityEnforcer securityEnforcer;
+
+    @SpringBean
+    private SecurityContextManager securityContextManager;
 
     @SpringBean
     private MidpointFormValidatorRegistry formValidatorRegistry;
@@ -323,7 +329,7 @@ protected Integer load() {
                     ObjectQuery query = QueryUtils.filterForAssignees(q, getPrincipal(),
                             OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS).build();
                     return getModelService().countContainers(WorkItemType.class, query, null, task, task.getResult());
-                } catch (SchemaException | SecurityViolationException e) {
+                } catch (SchemaException | SecurityViolationException | ExpressionEvaluationException | ObjectNotFoundException e) {
                     LoggingUtils.logExceptionAsWarning(LOGGER, "Couldn't load work item count", e);
                     return null;
                 }
@@ -340,7 +346,7 @@ protected Integer load() {
                     OperationResult result = task.getResult();
                     return acs.countOpenWorkItems(new ObjectQuery(), true, null, task, result);
                 } catch (SchemaException | SecurityViolationException | ObjectNotFoundException
-                        | ConfigurationException | CommunicationException e) {
+                        | ConfigurationException | CommunicationException | ExpressionEvaluationException e) {
                     LoggingUtils.logExceptionAsWarning(LOGGER, "Couldn't load certification work item count", e);
                     return null;
                 }
@@ -485,6 +491,11 @@ public TaskService getTaskService() {
     public SecurityEnforcer getSecurityEnforcer() {
         return securityEnforcer;
     }
+
+    @Override
+    public SecurityContextManager getSecurityContextManager() {
+        return securityContextManager;
+    }
 
     @Override
     public ModelInteractionService getModelInteractionService() {
@@ -521,7 +532,31 @@ public Task getPageTask() {
         }
         return pageTask;
     }
+
+    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	return isAuthorized(operationUrl, null, null, null, null, null);
+    }
+
+    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	Task task = getPageTask();
+    	return getSecurityEnforcer().isAuthorized(operationUrl, phase, object, delta, target, ownerResolver, task, task.getResult());
+    }
+
+    public <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver, OperationResult result)
+			throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	getSecurityEnforcer().authorize(operationUrl, phase, object, delta, target, ownerResolver, getPageTask(), result);
+    }
+
+    public <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver)
+			throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	Task task = getPageTask();
+    	getSecurityEnforcer().authorize(operationUrl, phase, object, delta, target, ownerResolver, task, task.getResult());
+    }
 
+
     public MidpointFormValidatorRegistry getFormValidatorRegistry() {
         return formValidatorRegistry;
     }
@@ -1637,10 +1672,10 @@ private boolean isMenuItemAuthorized(Class<? extends PageAdmin> newPageClass) {
 
             // TODO: the modify authorization here is probably wrong.
             // It is a model autz. UI autz should be here instead?
-            return getSecurityEnforcer().isAuthorized(ModelAuthorizationAction.ADD.getUrl(),
+            return isAuthorized(ModelAuthorizationAction.ADD.getUrl(),
                     AuthorizationPhaseType.REQUEST, object == null ? null : object.asPrismObject(),
                     null, null, null);
-        } catch (SchemaException ex) {
+        } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException ex) {
             LoggingUtils.logUnexpectedException(LOGGER, "Couldn't solve authorization for New organization menu item", ex);
         }
         return false;
@@ -1878,8 +1913,8 @@ protected void setTimeZone(PageBase page) {
         }
     }
 
-    protected <T> T runPrivileged(Producer<T> producer) {
-        return securityEnforcer.runPrivileged(producer);
+    public <T> T runPrivileged(Producer<T> producer) {
+        return securityContextManager.runPrivileged(producer);
     }
 
     public void setBreadcrumbs(List<Breadcrumb> breadcrumbs) {

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/ModelServiceLocator.java

@@ -20,7 +20,8 @@
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.schema.util.ObjectResolver;
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AdminGuiConfigurationType;
 
@@ -51,6 +52,8 @@ public interface ModelServiceLocator {
 	PrismContext getPrismContext();
 
 	SecurityEnforcer getSecurityEnforcer();
+
+	SecurityContextManager getSecurityContextManager();
 
 	ExpressionFactory getExpressionFactory();
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/SecurityContextAwareCallable.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,38 +16,40 @@
 
 package com.evolveum.midpoint.web.component;
 
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
 import org.apache.commons.lang.Validate;
 import org.apache.wicket.Application;
 import org.apache.wicket.Session;
 import org.apache.wicket.ThreadContext;
 import org.springframework.security.core.Authentication;
 
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
+
 import java.util.concurrent.Callable;
 
 /**
  * @author lazyman
  */
 public abstract class SecurityContextAwareCallable<V> implements Callable<V> {
 
-    private SecurityEnforcer enforcer;
+    private SecurityContextManager securityContextManager;
     private Authentication authentication;
 
-    protected SecurityContextAwareCallable(SecurityEnforcer enforcer, Authentication authentication) {
-        Validate.notNull(enforcer, "Security enforcer must not be null.");
+    protected SecurityContextAwareCallable(SecurityContextManager securityContextManager, Authentication authentication) {
+        Validate.notNull(securityContextManager, "Security enforcer must not be null.");
 
-        this.enforcer = enforcer;
+        this.securityContextManager = securityContextManager;
         this.authentication = authentication;
     }
 
     @Override
     public final V call() throws Exception {
-        enforcer.setupPreAuthenticatedSecurityContext(authentication);
+    	securityContextManager.setupPreAuthenticatedSecurityContext(authentication);
 
         try {
             return callWithContextPrepared();
         } finally {
-            enforcer.setupPreAuthenticatedSecurityContext((Authentication) null);
+        	securityContextManager.setupPreAuthenticatedSecurityContext((Authentication) null);
             //todo cleanup security context
         }
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/AssignmentEditorPanel.java

@@ -1164,9 +1164,9 @@ private ItemSecurityDecisions loadSecurityDecisions(){
 		ItemSecurityDecisions decisions = null;
 		try{
 			decisions =
-					pageBase.getModelInteractionService().getAllowedRequestAssignmentItems(operationObject, targetRefObject);
+					pageBase.getModelInteractionService().getAllowedRequestAssignmentItems(operationObject, targetRefObject, task, result);
 
-		} catch (SchemaException|SecurityViolationException ex){
+		} catch (SchemaException | SecurityViolationException | ObjectNotFoundException | ExpressionEvaluationException ex){
 			LoggingUtils.logUnexpectedException(LOGGER, "Couldn't load security decisions for assignment items.", ex);
 		}
 		return decisions;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ObjectWrapperFactory.java

@@ -38,6 +38,7 @@
 import com.evolveum.midpoint.schema.util.ResourceTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SystemException;
@@ -118,15 +119,15 @@ public <O extends ObjectType> ObjectWrapper<O> createObjectWrapper(String displa
                 PrismObject<ResourceType> resource = resourceRef.getValue().getObject();
                 Validate.notNull(resource, "No resource object in the resourceRef");
                 objectClassDefinitionForEditing = modelServiceLocator.getModelInteractionService().getEditObjectClassDefinition(
-                        (PrismObject<ShadowType>) object, resource, authorizationPhase);
+                        (PrismObject<ShadowType>) object, resource, authorizationPhase, task, result);
                 if (objectClassDefinitionForEditing != null) {
                 	object.findOrCreateContainer(ShadowType.F_ATTRIBUTES).applyDefinition((PrismContainerDefinition) objectClassDefinitionForEditing.toResourceAttributeContainerDefinition());;
                 }
 
             }
             return createObjectWrapper(displayName, description, object, objectDefinitionForEditing,
                     objectClassDefinitionForEditing, status, result);
-        } catch (SchemaException | ConfigurationException | ObjectNotFoundException ex) {
+        } catch (SchemaException | ConfigurationException | ObjectNotFoundException | ExpressionEvaluationException ex) {
             throw new SystemException(ex);
         }
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/progress/ProgressReporter.java

@@ -23,8 +23,9 @@
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.security.api.HttpConnectionInformation;
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
+import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.security.api.SecurityUtil;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.*;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
@@ -163,7 +164,7 @@ private void executeChangesSync(Collection<ObjectDelta<? extends ObjectType>> de
     private void executeChangesAsync(final Collection<ObjectDelta<? extends ObjectType>> deltas, final boolean previewOnly,
 			final ModelExecuteOptions options, final Task task, final OperationResult result, AjaxRequestTarget target,
 			final ModelService modelService, final ModelInteractionService modelInteractionService) {
-		final SecurityEnforcer enforcer = parentPage.getSecurityEnforcer();
+		final SecurityContextManager enforcer = parentPage.getSecurityContextManager();
 		final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 
 		asyncOperationResult = null;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/progress/ProgressReportingAwarePage.java

@@ -19,7 +19,8 @@
 import com.evolveum.midpoint.model.api.ModelInteractionService;
 import com.evolveum.midpoint.model.api.ModelService;
 import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.web.security.WebApplicationConfiguration;
 
@@ -50,6 +51,8 @@ public interface ProgressReportingAwarePage {
     ModelInteractionService getModelInteractionService();
 
     SecurityEnforcer getSecurityEnforcer();
+
+    SecurityContextManager getSecurityContextManager();
 
     Task createSimpleTask(String name);
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/search/SearchFactory.java

@@ -27,6 +27,7 @@
 import com.evolveum.midpoint.schema.util.SystemConfigurationTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
+import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
 import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SystemException;
@@ -176,7 +177,7 @@ private static <T extends ObjectType> PrismObjectDefinition findObjectDefinition
                 return modelServiceLocator.getModelInteractionService().getEditObjectDefinition(
                         empty, AuthorizationPhaseType.REQUEST, task, result);
             }
-        } catch (SchemaException | ConfigurationException | ObjectNotFoundException ex) {
+        } catch (SchemaException | ConfigurationException | ObjectNotFoundException | ExpressionEvaluationException ex) {
             result.recordFatalError(ex.getMessage());
             throw new SystemException();
         }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertDecisions.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -130,7 +130,7 @@ private ObjectQuery createCampaignQuery() {
 
     private String getCurrentUserOid() {
         try {
-            return getSecurityEnforcer().getPrincipal().getOid();
+            return getSecurityContextManager().getPrincipal().getOid();
         } catch (SecurityViolationException e) {
             // TODO handle more cleanly
             throw new SystemException("Couldn't get currently logged user OID", e);