SecurityEnforcer.java

/**
 * Copyright (c) 2014-2017 Evolveum
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.evolveum.midpoint.security.api;

import org.springframework.security.access.AccessDecisionManager;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.util.Producer;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import org.springframework.security.core.Authentication;

/**
 * @author Radovan Semancik
 *
 */
public interface SecurityEnforcer extends AccessDecisionManager {
	
	UserProfileService getUserProfileService();

	void setUserProfileService(UserProfileService userProfileService);

    void setupPreAuthenticatedSecurityContext(Authentication authentication);

	void setupPreAuthenticatedSecurityContext(PrismObject<UserType> user) throws SchemaException;
	
	boolean isAuthenticated();
	
	/**
	 * Returns principal representing the currently logged-in user.
	 * Assumes that the user is logged-in. Otherwise an exception is thrown.
	 */
	MidPointPrincipal getPrincipal() throws SecurityViolationException;

	/**
	 * Produces authorization error with proper message and logs it using proper logger.
	 */
	<O extends ObjectType, T extends ObjectType> void failAuthorization(String operationUrl, AuthorizationPhaseType phase, PrismObject<O> object,
			ObjectDelta<O> delta, PrismObject<T> target, OperationResult result)
			throws SecurityViolationException;
	
	/**
	 * Returns true if the currently logged-in user is authorized for specified action, returns false otherwise.
	 * Does not throw SecurityViolationException.
	 * @param phase check authorization for a specific phase. If null then all phases are checked.
	 */
	<O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase,
			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver) throws SchemaException;
	
	/**
	 * Evaluates authorization: simply returns if the currently logged it user is authorized for a
	 * specified action. If it is not authorized then a  SecurityViolationException is thrown and the
	 * error is recorded in the result.
	 * @param phase check authorization for a specific phase. If null then all phases are checked.
	 */
	<O extends ObjectType, T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase,
			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver, 
			OperationResult result) throws SecurityViolationException, SchemaException;	
	
	<O extends ObjectType> ObjectSecurityConstraints compileSecurityConstraints(PrismObject<O> object, OwnerResolver ownerResolver) throws SchemaException;
	
	/**
	 * TODO
	 * If it returns NoneFilter then no search should be done. The principal is not authorized for this operation at all.
	 * It may return null in case that the original filter was also null.
	 * 
	 * If object is null then the method will return a filter that is applicable to look for object.
	 * If object is present then the method will return a filter that is applicable to look for a target.
	 * 
	 * The objectType parameter defines the class of the object for which should be the returned filter applicable.
	 */
	<T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObjectFilter(String operationUrl, AuthorizationPhaseType phase,
			Class<T> objectType, PrismObject<O> object, ObjectFilter origFilter) throws SchemaException;
	
	<T> T runAs(Producer<T> producer, PrismObject<UserType> user) throws SchemaException ;
	
	<T> T runPrivileged(Producer<T> producer);

	/**
	 * Returns decisions for individual items for "assign" authorization. This is usually applicable to assignment parameters.
	 */
	<O extends ObjectType, R extends AbstractRoleType> ItemSecurityDecisions getAllowedRequestAssignmentItems( MidPointPrincipal midPointPrincipal, PrismObject<O> object, PrismObject<R> target, OwnerResolver ownerResolver) throws SchemaException;

}