Merge branch 'master' of github.com:Evolveum/midpoint
* 'master' of github.com:Evolveum/midpoint: (104 commits)
  MID-8842 ninja, more options to verify
  Remove ModelInteractionService#canSearch method
  Downgrade maven-deploy-plugin
  MID-8842 ninja, ImportRepositoryTest ignored for now hopefully (not via annotation, but via testng xml)
  MID-8842 ninja, ImportRepositoryTest ignored for now, no idea how to reproduce
  attempt to fix build compilation/dependency issues
  Simplify SecurityEnforcer interface
  MID-8842 ninja, another fix for import tests
  MID-8842 ninja, xsd schemas cleanup, ModuleSaml2KeyTypeType.encryption moved back to xsd, marked as removed
  MID-8842 ninja, xsd schemas cleanup, fixed smaller issues after review
  MID-8842 ninja, xsd schemas cleanup, fixed removed elements/types. fixed plannedRemoval/removedSince annotations
  MID-8842 ninja, xsd schemas cleanup, fixed removed elements/types. now just marked as a:removed
  Adapt authorization playground
  getting rid of some warnings from maven build
  MID-8842 ninja, pre-upgrade check tests
  Fix unmappable char in XSD docs
  MID-8842 ninja, verification now returns counts by priority (used mainly in upgrade-distribution)
  MID-8842 ninja, moved upgrade validator to schema module, since it could be used in different places as well (e.g. tasks or gui)
  MID-8842 ninja, first attempt at some code that enhances object validator with regards to upgrade process
  MID-8842 ninja, moving upgrade actions to separate package
  ...

# Conflicts:
#	gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageAuthorizationPlayground.java
katkav committed Jul 4, 2023
2 parents ea1f4c8 + 2fed5fb commit c004f8e
Showing 253 changed files with 12,354 additions and 2,967 deletions.
96 changes: 5 additions & 91 deletions gui/admin-gui/pom.xml
Expand Up @@ -113,32 +113,14 @@
<dependency>
<groupId>com.evolveum.commons</groupId>
<artifactId>util</artifactId>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.prism</groupId>
<artifactId>prism-api</artifactId>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.prism</groupId>
<artifactId>prism-impl</artifactId>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>

<dependency>
Expand All @@ -155,12 +137,6 @@
<groupId>com.evolveum.midpoint.repo</groupId>
<artifactId>repo-common</artifactId>
<version>${project.version}</version>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.midpoint.model</groupId>
Expand All @@ -181,12 +157,6 @@
<groupId>com.evolveum.midpoint.model</groupId>
<artifactId>model-common</artifactId>
<version>${project.version}</version>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.midpoint.repo</groupId>
Expand Down Expand Up @@ -230,12 +200,6 @@
<artifactId>repo-sql-impl</artifactId>
<version>${project.version}</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.midpoint.repo</groupId>
Expand All @@ -253,12 +217,6 @@
<groupId>com.evolveum.midpoint.model</groupId>
<artifactId>rest-impl</artifactId>
<version>${project.version}</version>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>

<dependency>
Expand Down Expand Up @@ -335,12 +293,6 @@
<artifactId>provisioning-impl</artifactId>
<version>${project.version}</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.midpoint.provisioning</groupId>
Expand All @@ -353,12 +305,6 @@
<artifactId>report-impl</artifactId>
<version>${project.version}</version>
<scope>runtime</scope>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.midpoint.model</groupId>
Expand Down Expand Up @@ -425,18 +371,6 @@
<artifactId>wicket-request</artifactId>
</dependency>

<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-commons-fileupload</artifactId>
<version>${wicket.version}</version>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>

<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-ioc</artifactId>
Expand All @@ -450,12 +384,6 @@
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-util</artifactId>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
Expand Down Expand Up @@ -497,6 +425,10 @@
<groupId>commons-validator</groupId>
<artifactId>commons-validator</artifactId>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</dependency>

<dependency>
<groupId>org.apache.commons</groupId>
Expand Down Expand Up @@ -610,24 +542,12 @@
<groupId>com.evolveum.midpoint.infra</groupId>
<artifactId>test-util</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.midpoint.repo</groupId>
<artifactId>repo-test-util</artifactId>
<version>${project.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.evolveum.midpoint.repo</groupId>
Expand Down Expand Up @@ -703,12 +623,6 @@
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<exclusions>
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>

<dependency>
Expand Down Expand Up @@ -755,7 +669,7 @@
<include>**/org.identityconnectors.common.logging</include>
</includes>
</resource>

<resource>
<filtering>false</filtering>
<directory>src/main/java</directory>
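Review bot: The new direct `commons-io` dependency (the `<dependency>` block added after `commons-validator`) carries no `<version>`, so the version admin-gui ends up with is whatever the parent's dependencyManagement resolves, and that is not visible on this page; worth confirming it is a current release (2.7 or later fixed the FileNameUtils.normalize path-traversal issue, CVE-2021-29425) and that dropping every per-artifact `commons-io` exclusion does not leave two versions on the classpath — `mvn dependency:tree -Dincludes=commons-io` or a maven-enforcer `dependencyConvergence` rule would settle both. The `wicket-commons-fileupload` dependency is removed outright rather than trimmed, so multipart upload parsing for the GUI presumably now arrives through another artifact; a comment next to the new dependency would save the next reader the dependency-tree dig, e.g. `<!-- single managed commons-io (version from parent dependencyManagement); the former per-artifact exclusions were dropped deliberately -->`.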
Expand Up @@ -96,7 +96,6 @@
import com.evolveum.midpoint.repo.common.util.SubscriptionUtil.SubscriptionType;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.schema.selector.eval.OwnerResolver;
import com.evolveum.midpoint.security.api.SecurityContextManager;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
Expand Down Expand Up @@ -958,8 +957,8 @@ private OperationResult executeResultScriptHook(OperationResult result) {

public <O extends ObjectType> boolean isAuthorized(ModelAuthorizationAction action, PrismObject<O> object) {
try {
return isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null, null)
|| isAuthorized(action.getUrl(), null, object, null, null, null);
return isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null)
|| isAuthorized(action.getUrl(), null, object, null, null);
} catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException | CommunicationException |
ConfigurationException | SecurityViolationException e) {
LoggingUtils.logUnexpectedException(LOGGER, "Couldn't determine authorization for {}", e, action);
Expand All @@ -968,20 +967,27 @@ public <O extends ObjectType> boolean isAuthorized(ModelAuthorizationAction acti
}

public boolean isAuthorized(String operationUrl) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
return isAuthorized(operationUrl, null, null, null, null, null);
return isAuthorized(operationUrl, null, null, null, null);
}

public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase,
PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(
String operationUrl, AuthorizationPhaseType phase, PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target)
throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
ConfigurationException, SecurityViolationException {
Task task = getPageTask();
AuthorizationParameters<O, T> params = new AuthorizationParameters.Builder<O, T>()
.oldObject(object)
.delta(delta)
.target(target)
.build();
boolean isAuthorized = getSecurityEnforcer().isAuthorized(operationUrl, phase, params, ownerResolver, task, task.getResult());
if (!isAuthorized && (ModelAuthorizationAction.GET.getUrl().equals(operationUrl) || ModelAuthorizationAction.SEARCH.getUrl().equals(operationUrl))) {
isAuthorized = getSecurityEnforcer().isAuthorized(ModelAuthorizationAction.READ.getUrl(), phase, params, ownerResolver, task, task.getResult());
SecurityEnforcer.Options options = SecurityEnforcer.Options.create();
boolean isAuthorized = getSecurityEnforcer().isAuthorized(
operationUrl, phase, params, options, task, task.getResult());
if (!isAuthorized &&
(ModelAuthorizationAction.GET.getUrl().equals(operationUrl)
|| ModelAuthorizationAction.SEARCH.getUrl().equals(operationUrl))) {
isAuthorized = getSecurityEnforcer().isAuthorized(
ModelAuthorizationAction.READ.getUrl(), phase, params, options, task, task.getResult());
}
return isAuthorized;
}
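Review bot: The rewritten `isAuthorized(String, AuthorizationPhaseType, PrismObject, ObjectDelta, PrismObject)` drops the `OwnerResolver` parameter and always passes `SecurityEnforcer.Options.create()`, but neither that nor the GET/SEARCH-to-READ fallback in the `if` that follows the first enforcer call is documented; every caller visible in this commit passed `null` as the resolver before, so this looks like no behaviour change, though the enforcer's default owner resolution is not visible here. A Javadoc such as `Returns whether the current principal holds {@code operationUrl} for the given object/delta/target under default enforcer options; GET and SEARCH additionally fall back to READ for compatibility` above the signature would make the intent explicit, and if `Options` is immutable the `Options.create()` call could be hoisted to a `private static final` instead of being rebuilt per call. The two-argument `isAuthorized(ModelAuthorizationAction, PrismObject)` in the preceding hunk logs the exception and then runs past the end of the hunk, so whether it fails closed (returns `false`) after the catch cannot be checked from this page.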
Expand Up @@ -61,7 +61,6 @@
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.schema.result.OperationConstants;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.selector.eval.OwnerResolver;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.Holder;
Expand Down Expand Up @@ -182,15 +181,18 @@ public PageBase() {
this(null);
}

public <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase,
PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver, OperationResult result)
throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
public <O extends ObjectType, T extends ObjectType> void authorize(
String operationUrl, AuthorizationPhaseType phase,
PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target,
OperationResult result)
throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
CommunicationException, ConfigurationException {
AuthorizationParameters<O, T> params = new AuthorizationParameters.Builder<O, T>()
.oldObject(object)
.delta(delta)
.target(target)
.build();
getSecurityEnforcer().authorize(operationUrl, phase, params, ownerResolver, getPageTask(), result);
getSecurityEnforcer().authorize(operationUrl, phase, params, getPageTask(), result);
}

public boolean hasSubjectRoleRelation(String oid, List<QName> subjectRelations) {
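Review bot: `PageBase.authorize(...)` has no Javadoc, and after this change its contract is less obvious from the call alone: it invokes the five-argument `getSecurityEnforcer().authorize(operationUrl, phase, params, getPageTask(), result)` with no `Options`, and, judging only by the `throws` clause, signals denial with `SecurityViolationException` rather than a return value. Suggest a comment directly above the signature, e.g. `/** Enforces {@code operationUrl} for the current principal, scoped by object/delta/target when given; presumably throws SecurityViolationException when denied. Runs under the page task with the enforcer's default options. */`, with the denial semantics confirmed against the enforcer since they are not visible here. Callers in this commit pass `null` for `object`, `delta` and `target` (the `AUTZ_ALL_URL` reindex check, for one), so stating explicitly that nulls mean an unscoped action check, if that is what the enforcer does, would stop readers from treating them as placeholders.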
Expand Up @@ -333,13 +333,13 @@ private ActivitySubmissionOptions createSubmissionOptions() {
}

void checkScriptingAuthorization(Task task, OperationResult result) throws CommonException {
pageBase.getSecurityEnforcer().authorize(ModelAuthorizationAction.EXECUTE_SCRIPT.getUrl(),
null, AuthorizationParameters.EMPTY, null, task, result);
pageBase.getSecurityEnforcer().authorize(
ModelAuthorizationAction.EXECUTE_SCRIPT.getUrl(), task, result);
}

void checkRecomputationAuthorization(@NotNull Task task, @NotNull OperationResult result) throws CommonException {
pageBase.getSecurityEnforcer().authorize(ModelAuthorizationAction.RECOMPUTE.getUrl(),
null, AuthorizationParameters.EMPTY, null, task, result);
pageBase.getSecurityEnforcer().authorize(
ModelAuthorizationAction.RECOMPUTE.getUrl(), task, result);
}

/** Converts {@link #getOperationKey()} to a resolved name. Used also as a task name. */
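Review bot: Both `checkScriptingAuthorization` and `checkRecomputationAuthorization` declare `throws CommonException`, so an authorization denial (presumably a `SecurityViolationException` from the enforcer) is indistinguishable at the signature level from a schema or communication failure, and a caller that catches `CommonException` to show a generic "operation failed" message would mask the denial — still denied, but misreported. If the new three-argument `authorize` overload declares the same checked exceptions as the longer one, narrowing to `throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException` would keep denial visible to callers; failing that, a `@throws SecurityViolationException if the current principal lacks EXECUTE_SCRIPT / RECOMPUTE` Javadoc tag on each method would at least document it. `createSubmissionOptions`, whose closing brace opens this hunk, starts outside it.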
Expand Up @@ -229,9 +229,10 @@ public InlineMenuItemAction initAction() {
private <AH extends AssignmentHolderType> ButtonInlineMenuItem createUnassignAction() {
PrismObject<AH> obj = getFocusObject();
try {
boolean isUnassignAuthorized = getPageBase().isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_UNASSIGN_ACTION_URI,
boolean isUnassignAuthorized = getPageBase().isAuthorized(
AuthorizationConstants.AUTZ_UI_ADMIN_UNASSIGN_ACTION_URI,
AuthorizationPhaseType.REQUEST, obj,
null, null, null);
null, null);
if (isUnassignAuthorized) {
return createUnassignButtonInlineMenuItem(getAssignmentsLimitReachedUnassignTitleModel());
}
Expand Down Expand Up @@ -645,9 +646,10 @@ protected PrismContainerDefinition<AssignmentType> getTypeDefinitionForSearch()

protected <AH extends AssignmentHolderType> boolean isNewObjectButtonVisible(PrismObject<AH> focusObject) {
try {
return getPageBase().isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ASSIGN_ACTION_URI,
return getPageBase().isAuthorized(
AuthorizationConstants.AUTZ_UI_ADMIN_ASSIGN_ACTION_URI,
AuthorizationPhaseType.REQUEST, focusObject,
null, null, null);
null, null);
} catch (Exception ex) {
return WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ASSIGN_ACTION_URI);
}
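Review bot: `isNewObjectButtonVisible` still swallows any exception from the object-scoped check and silently falls back to the object-agnostic `WebComponentUtil.isAuthorized(AUTZ_UI_ADMIN_ASSIGN_ACTION_URI)`, so an evaluation error on the scoped check can show the button where the scoped check would have hidden it, and nothing is logged. This only governs button visibility, and the model layer should still enforce the action on submit (not visible here), so the exposure is UI-level, but it is inconsistent with sibling code in this commit that logs through `LoggingUtils.logUnexpectedException` and fails closed. Suggest, if a `LOGGER` exists in this class, `LoggingUtils.logUnexpectedException(LOGGER, "Couldn't determine assign authorization for {}", ex, focusObject); return false;` in the catch, or at minimum a comment stating why the wider fallback is intended. The `try` in `createUnassignAction` ends outside the hunk, so its handling cannot be compared here.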
Expand Up @@ -429,9 +429,10 @@ private boolean isAllowRead(OrgType org) {
boolean allowRead = false;
try {
allowRead = org == null ||
getPageBase().isAuthorized(ModelAuthorizationAction.GET.getUrl(),
getPageBase().isAuthorized(
ModelAuthorizationAction.GET.getUrl(),
AuthorizationPhaseType.REQUEST, org.asPrismObject(),
null, null, null);
null, null);
} catch (Throwable ex) {
LoggingUtils.logUnexpectedException(LOGGER, "Failed to check menu items authorizations", ex);
}
Expand All @@ -442,9 +443,10 @@ private boolean isAllowModify(OrgType org) {
boolean allowModify = false;
try {
allowModify = org == null ||
getPageBase().isAuthorized(ModelAuthorizationAction.MODIFY.getUrl(),
getPageBase().isAuthorized(
ModelAuthorizationAction.MODIFY.getUrl(),
AuthorizationPhaseType.REQUEST, org.asPrismObject(),
null, null, null);
null, null);
} catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException
| CommunicationException | ConfigurationException | SecurityViolationException ex) {
LoggingUtils.logUnexpectedException(LOGGER, "Failed to check menu items authorizations", ex);
Expand All @@ -455,9 +457,10 @@ private boolean isAllowModify(OrgType org) {
private boolean isAllowAddNew() {
boolean allowAddNew = false;
try {
allowAddNew = getPageBase().isAuthorized(ModelAuthorizationAction.ADD.getUrl(),
AuthorizationPhaseType.REQUEST, (new OrgType(getPageBase().getPrismContext())).asPrismObject(),
null, null, null);
allowAddNew = getPageBase().isAuthorized(
ModelAuthorizationAction.ADD.getUrl(),
AuthorizationPhaseType.REQUEST, new OrgType().asPrismObject(),
null, null);
} catch (Throwable ex) {
LoggingUtils.logUnexpectedException(LOGGER, "Failed to check menu items authorizations", ex);
}
Expand All @@ -468,9 +471,10 @@ private boolean isAllowDelete(OrgType org) {
boolean allowDelete = false;
try {
allowDelete = org == null ||
getPageBase().isAuthorized(ModelAuthorizationAction.DELETE.getUrl(),
getPageBase().isAuthorized(
ModelAuthorizationAction.DELETE.getUrl(),
AuthorizationPhaseType.REQUEST, org.asPrismObject(),
null, null, null);
null, null);
} catch (Throwable ex) {
LoggingUtils.logUnexpectedException(LOGGER, "Failed to check menu items authorizations", ex);
}
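Review bot: `isAllowRead`, `isAllowAddNew` and `isAllowDelete` catch `Throwable`, while `isAllowModify` in the same file catches the six checked exceptions the `isAuthorized` call declares; all four initialise to `false`, so the decisions fail closed, but catching `Throwable` also swallows `Error`s and runtime exceptions that should propagate, and the mismatch reads as accidental. Suggest aligning the three to `catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException | CommunicationException | ConfigurationException | SecurityViolationException ex)` exactly as `isAllowModify` already does. Separately, the `org == null ||` short-circuit in read/modify/delete yields `true` before the enforcer is consulted; that may well be intended for "no node selected", but I cannot confirm it from this page, so a `// TODO(review): confirm a null org (no node selected) should be treated as allowed here` on those lines would flag it for whoever owns the menu.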
Expand Up @@ -505,7 +505,7 @@ private void reindexRepositoryObjectsPerformed(AjaxRequestTarget target) {
OperationResult result = new OperationResult(OPERATION_SUBMIT_REINDEX);
try {
Task task = getTaskManager().createTaskInstance();
authorize(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null, null, result);
authorize(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null, result);
getModelInteractionService().submit(
ActivityDefinitionBuilder.create(
new ReindexingWorkDefinitionType())
