[midPoint-git] [Evolveum/midpoint] cffacf: Add preliminary support for "item value" autz

mederly noreply at github.com
Fri May 12 23:17:39 CEST 2023


  Branch: refs/heads/feature/autz-improvements
  Home:   https://github.com/Evolveum/midpoint
  Commit: cffacf55bb1afe9d2033b0673cea79569f68db06
      https://github.com/Evolveum/midpoint/commit/cffacf55bb1afe9d2033b0673cea79569f68db06
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2023-05-12 (Fri, 12 May 2023)

  Changed paths:
    M infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/archetypes/AbstractArchetypesTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/persona/AbstractPersonaTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
    A model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityItemValues.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMedium.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMultitenant.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityPrincipal.java
    A model/model-intest/src/test/resources/security/role-case-work-items-assignee-self-read.xml
    M model/model-intest/testng-integration-full.xml
    M model/model-intest/testng-integration-security.xml
    M model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
    M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/TestObject.java
    M repo/security-api/src/main/java/com/evolveum/midpoint/security/api/Authorization.java
    A repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/PrismEntityOpConstraints.java
    M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/OtherEnforcerOperation.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/ValueSelectorEvaluation.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/clauses/RoleRelation.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/prism/PrismEntityCoverage.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/prism/PrismEntityCoverageInformation.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/prism/PrismItemCoverageInformation.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/prism/PrismValueCoverageInformation.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/prism/SinglePhasePrismEntityOpConstraintsImpl.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/prism/TwoPhasesPrismEntityOpConstraintsImpl.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/prism/UpdatablePrismEntityOpConstraints.java

  Log Message:
  -----------
  Add preliminary support for "item value" autz

This commit introduces limited support for "item value" authorizations,
i.e., ones that can discriminate between values of a given prism item.
For example, one can allow the #get operation only for work items
assigned to the current principal.

The support is limited to filtering unreadable items/values for now.

Filtering is no longer based on ObjectOperationConstraints. Instead,
PrismEntityOpConstraints (based on new PrismEntityCoverageInformation)
were conceived. They should be more flexible, allowing for filtering
on both items and their values.

Work in progress.