[midPoint-git] [Evolveum/midpoint] da667e: Make REST authorizations finer-grained
mederly
noreply at github.com
Tue Feb 20 11:57:31 CET 2024
Branch: refs/heads/master
Home: https://github.com/Evolveum/midpoint
Commit: da667ef7debff76ef5e496913b85634ec2ec0650
https://github.com/Evolveum/midpoint/commit/da667ef7debff76ef5e496913b85634ec2ec0650
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-02-13 (Tue, 13 Feb 2024)
Changed paths:
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/EndPointsUrlMapping.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java
M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyAuditService.java
A repo/security-api/src/main/java/com/evolveum/midpoint/security/api/RestMethod.java
M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/AbstractRestServiceInitializer.java
M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/RestServiceInitializer.java
M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
A testing/rest/src/test/resources/repo/role-rest-limited.xml
A testing/rest/src/test/resources/repo/user-rest-limited.xml
Log Message:
-----------
Make REST authorizations finer-grained
While the "rest-3#all" authorization still exists, it is no longer
required when only a subset of REST methods is to be
accessed by a particular client. Each method now has its own
authorization.
Related change: Due to the current authentication architecture
in midPoint, these authorizations are checked in the respective
methods' bodies. So, if an unauthorized method is called, the
"login success" is audited, but the operation immediately fails.
The failure is recorded in the termination (logout) event. And
this is the change: the logout event now contains the real status
of the whole operation. (Previously, it was always SUCCESS.)
Commit: 9ebd0f9f9292cbfd0fdf9f7eb7f8d92931a786e8
https://github.com/Evolveum/midpoint/commit/9ebd0f9f9292cbfd0fdf9f7eb7f8d92931a786e8
Author: skublik <lukas.skublik at gmail.com>
Date: 2024-02-19 (Mon, 19 Feb 2024)
Changed paths:
M README
M README.md
M dist/src/main/bin/midpoint.sh
M dist/src/main/bin/ninja.sh
M docs/admin-gui/resource-wizard/index.adoc
M docs/concepts/clockwork/conflict-resolution-howto.adoc
A docs/concepts/query/midpoint-query-language/errors/err-add-unsupported-filter.png
A docs/concepts/query/midpoint-query-language/errors/err-path-is-not-present-deref.png
M docs/concepts/query/midpoint-query-language/errors/index.adoc
M docs/concepts/query/midpoint-query-language/searchable-items.adoc
M docs/concepts/query/query-concepts/index.adoc
M docs/expressions/constants/configuration.adoc
M docs/expressions/constants/index.adoc
M docs/expressions/expressions/index.adoc
M docs/expressions/function-libraries/configuration.adoc
M docs/expressions/function-libraries/index.adoc
M docs/expressions/mappings/index.adoc
M docs/expressions/non-tolerant-induced-focus-mapping.adoc
M docs/expressions/object-template.adoc
M docs/expressions/sequences/configuration.adoc
M docs/expressions/sequences/index.adoc
M docs/interfaces/rest/concepts/index.adoc
A docs/interfaces/rest/operations/examples/raw/create-ou-projects.adoc
A docs/interfaces/rest/operations/examples/raw/delete-ou.adoc
M docs/interfaces/rest/operations/examples/raw/delete-role.adoc
A docs/interfaces/rest/operations/examples/raw/get-direct-indirect-assignments.adoc
A docs/interfaces/rest/operations/examples/raw/get-ou-projects.adoc
A docs/interfaces/rest/operations/examples/raw/index.adoc
A docs/interfaces/rest/operations/examples/raw/modify-attr-ou-projects.adoc
A docs/interfaces/rest/operations/examples/raw/org-id-generate.adoc
A docs/interfaces/rest/operations/examples/raw/search-all-ou.adoc
M docs/interfaces/rest/operations/get-op-rest.adoc
A docs/interfaces/rest/operations/raw/index.adoc
A docs/interfaces/rest/operations/raw/operation-prop-search.adoc
A docs/interfaces/rest/operations/raw/options-usage.adoc
M docs/interfaces/rest/operations/search-op-rest.adoc
M docs/interfaces/rest/resource-types/index.adoc
M docs/interfaces/rest/resource-types/organizational-units.adoc
M docs/interfaces/rest/resource-types/roles.adoc
M docs/interfaces/rest/resource-types/users.adoc
M docs/repository/generic/implementation.adoc
M docs/repository/generic/ms-sql.adoc
M docs/repository/native-postgresql/design-and-implementation.adoc
M docs/roles-policies/certification/authorization.adoc
M docs/samples/iot-cloud/midpoint-object-attributes.adoc
M docs/tasks/task-manager/configuration.adoc
M gui/admin-gui/pom.xml
M gui/admin-gui/src/frontend/js/bootstrap-strength-meter/_patched_by_evolveum_
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/duplication/DuplicationProcessHelper.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/factory/wrapper/PrismObjectWrapperFactoryImpl.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/factory/wrapper/ResourceObjectTypeWrapperFactory.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/task/PageTask.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/task/component/wizard/TaskBasicWizardPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/self/requestAccess/RequestAccess.java
M icf-connectors/dummy-connector-fake/pom.xml
M icf-connectors/dummy-connector/pom.xml
M infra/common/src/main/java/com/evolveum/midpoint/common/cleanup/CleanupActionProcessor.java
A infra/common/src/main/java/com/evolveum/midpoint/common/secrets/ContainerSecretsProvider.java
M infra/common/src/main/java/com/evolveum/midpoint/common/secrets/DockerSecretsProvider.java
M infra/common/src/main/java/com/evolveum/midpoint/common/secrets/EnvironmentVariablesSecretsProvider.java
A infra/common/src/main/java/com/evolveum/midpoint/common/secrets/FileSecretsProvider.java
M infra/common/src/main/java/com/evolveum/midpoint/common/secrets/PropertiesSecretsProvider.java
M infra/common/src/main/java/com/evolveum/midpoint/common/secrets/SecretsProviderImpl.java
M infra/common/src/main/java/com/evolveum/midpoint/common/secrets/SecretsProviderManager.java
M infra/common/src/test/java/com/evolveum/midpoint/common/SecretProviderManagerTest.java
M infra/common/src/test/java/com/evolveum/midpoint/common/cleanup/CleanupActionProcessorTest.java
M infra/common/src/test/resources/cleanup/resource.xml
M infra/common/src/test/resources/cleanup/user.xml
M infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd
M model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/functions/BasicExpressionFunctions.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
M pom.xml
M repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/util/RepoCommonUtils.java
M repo/system-init/src/main/java/com/evolveum/midpoint/init/ConfigurableProtector.java
M repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/run/JobExecutor.java
M testing/rest/pom.xml
Log Message:
-----------
Merge remote-tracking branch 'origin/master' into tmp/detailed-rest-autz
Commit: c28cdabb7e608b0a2c206451b77084008c06b30a
https://github.com/Evolveum/midpoint/commit/c28cdabb7e608b0a2c206451b77084008c06b30a
Author: skublik <lukas.skublik at gmail.com>
Date: 2024-02-19 (Mon, 19 Feb 2024)
Changed paths:
M model/authentication-impl/pom.xml
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidpointAllowAllAuthorizationEvaluator.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidpointHttpAuthorizationEvaluator.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/configuration/SecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpBasicModuleWebSecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpClusterModuleWebSecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpSecurityQuestionsModuleWebSecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcResourceServerModuleWebSecurityConfigurer.java
M model/authentication-impl/src/test/java/com/evolveum/midpoint/authentication/TestIntegrationSecurity.java
Log Message:
-----------
adding support for finding of called rest method to authorization evaluator
Commit: 46d392e6aca4c29e5219e946d410c153ab2717ab
https://github.com/Evolveum/midpoint/commit/46d392e6aca4c29e5219e946d410c153ab2717ab
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-02-20 (Tue, 20 Feb 2024)
Changed paths:
M model/authentication-impl/pom.xml
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/EndPointsUrlMapping.java
M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java
M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyAuditService.java
A repo/security-api/src/main/java/com/evolveum/midpoint/security/api/RestAuthorizationAction.java
A repo/security-api/src/main/java/com/evolveum/midpoint/security/api/RestHandlerMethod.java
R repo/security-api/src/main/java/com/evolveum/midpoint/security/api/RestMethod.java
M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
M testing/rest/src/test/resources/repo/user-rest-limited.xml
Log Message:
-----------
Improve fine-grained REST authorizations
This is an improvement of da667ef7debff76ef5e496913b85634ec2ec0650:
Instead of checking REST action authorization in the method body
(which was wrong), we determine the respective method, with the
corresponding action URI right in MidPointGuiAuthorizationEvaluator.
So the full REST-method-level authorization can be done there.
This is the correct solution. So, the hacks introduced previously
are rolled back in this commit.
Commit: 87050180255e7f365afab60ff57ac820a8e83e10
https://github.com/Evolveum/midpoint/commit/87050180255e7f365afab60ff57ac820a8e83e10
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-02-20 (Tue, 20 Feb 2024)
Changed paths:
M model/authentication-impl/pom.xml
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidpointAllowAllAuthorizationEvaluator.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidpointHttpAuthorizationEvaluator.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/configuration/SecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpBasicModuleWebSecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpClusterModuleWebSecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/HttpSecurityQuestionsModuleWebSecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/OidcResourceServerModuleWebSecurityConfigurer.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/util/EndPointsUrlMapping.java
M model/authentication-impl/src/test/java/com/evolveum/midpoint/authentication/TestIntegrationSecurity.java
M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/AbstractRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ClusterRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ExtensionSchemaRestController.java
M model/rest-impl/src/main/java/com/evolveum/midpoint/rest/impl/ModelRestController.java
A repo/security-api/src/main/java/com/evolveum/midpoint/security/api/RestAuthorizationAction.java
A repo/security-api/src/main/java/com/evolveum/midpoint/security/api/RestHandlerMethod.java
M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/AbstractRestServiceInitializer.java
M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/RestServiceInitializer.java
M testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
A testing/rest/src/test/resources/repo/role-rest-limited.xml
A testing/rest/src/test/resources/repo/user-rest-limited.xml
Log Message:
-----------
Merge branch 'tmp/detailed-rest-autz'
Compare: https://github.com/Evolveum/midpoint/compare/a33a12fa8c2c...87050180255e