[midPoint-git] [Evolveum/midpoint] 609286: Improve search item autz evaluation

mederly noreply at github.com
Thu May 2 21:37:34 CEST 2024


  Branch: refs/heads/master
  Home:   https://github.com/Evolveum/midpoint
  Commit: 60928672b8e51946edf01fcbe0d253e4ae65c4cf
      https://github.com/Evolveum/midpoint/commit/60928672b8e51946edf01fcbe0d253e4ae65c4cf
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2024-05-02 (Thu, 02 May 2024)

  Changed paths:
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/authorization/evaluator/MidPointGuiAuthorizationEvaluator.java
    M model/certification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCertificationBasic.java
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelAuthorizationAction.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/AuthorizationDiagEvaluation.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityGovernance.java
    R model/model-intest/src/test/resources/security/campaigns.xml
    M model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
    M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/PositiveNegativeItemPaths.java
    M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/AuthorizationFilterEvaluation.java
    A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/AuthorizationSearchItemsEvaluation.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryObjectAutzCoverage.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryObjectsAutzCoverage.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityTraceEvent.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SelectorWithItems.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/TieredSelectorWithItems.java
    M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/TracingUtil.java

  Log Message:
  -----------
  Improve search item autz evaluation

To address MID-9638/MID-9670 (leaking data via referencedBy filter),
the handling of items allowed for search operations was changed.

It is now evaluated not only for the type we are searching for
(like RoleType), but for all types whose items are to be used
for the search (like UserType for a filter like "give me RoleType
referencedBy UserType via assignment/targetRef").

Limitations:

The checks are "yes/no" style only, based on the presence or absence
of authorizations against specified type and item(s), with appropriate
action URIs (read, search, and the new searchBy). No detailed checking
for the values is done. E.g. if the search for UserType:name is allowed
even for potentially a single user object (via an authorization clause
that can provide any number of matching objects, even zero), then the
"name" item can be used for any search concerning UserType or even
FocusType objects.

Effects on existing deployments:

1. Some queries allowed previously may now fail because of missing
item-searching authorizations. As a quick fix, new (experimental,
temporary) "searchBy" authorization is available to give search access
to these items without providing any additional access to data values.

2. Some queries denied previously may now be allowed. This should be
quite rare, but possible. (See TestSecurityAdvanced.test151 for an
example.) It can happen if the original authorization was not applied
because of some specific limitations (like roleRelation with no
explicit role information), and hence the item/exceptItem part of it
was skipped. This is no longer the case.
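The following is a constructed model of the check the commit message describes, added here for illustration; it is not midPoint code and does not reproduce the classes listed in the changed paths. The type names (RoleType, UserType, FocusType), the three action names (read, search, searchBy) and the "RoleType referencedBy UserType via assignment/targetRef" example are taken from the message; the data structures, function names, the assumed supertype map and the sample authorizations are invented for this example. It contrasts the earlier behaviour (only the searched-for type's items are checked) with the new one (every type whose items the filter touches is checked), and shows how a searchBy authorization restores the query without granting read access to the values.

```python
"""Simplified model of search-item authorization evaluation (constructed example,
not midPoint's implementation)."""

from dataclasses import dataclass

# Hypothetical action identifiers; midPoint uses full URIs, abbreviated here.
READ, SEARCH, SEARCH_BY = "read", "search", "searchBy"
ITEM_GRANTING_ACTIONS = {READ, SEARCH, SEARCH_BY}

# Assumed type hierarchy for this example: both are subtypes of FocusType.
SUPERTYPES = {"UserType": {"FocusType"}, "RoleType": {"FocusType"}}


@dataclass(frozen=True)
class Authorization:
    action: str
    object_type: str
    items: frozenset  # allowed item paths; an empty set means "all items"


@dataclass(frozen=True)
class ItemUse:
    """One item path that a filter uses, with the type the item belongs to."""
    object_type: str
    item: str


@dataclass(frozen=True)
class SearchQuery:
    target_type: str       # the type whose objects the search returns
    item_uses: tuple       # every (type, item) the filter touches, any type


def covers(autz: Authorization, use: ItemUse) -> bool:
    """Yes/no check: does this authorization allow using `use.item` in a search?

    Following the commit message, no value-level checking is done: presence of a
    read/search/searchBy authorization for the type and item is enough, and an
    authorization on UserType also covers a search concerning FocusType objects
    (assumed to mean: the authorization type or one of its supertypes)."""
    if autz.action not in ITEM_GRANTING_ACTIONS:
        return False
    type_ok = (autz.object_type == use.object_type
               or use.object_type in SUPERTYPES.get(autz.object_type, set()))
    item_ok = not autz.items or use.item in autz.items
    return type_ok and item_ok


def denied_items_old(query: SearchQuery, autzs: list) -> list:
    """Earlier behaviour: only items of the searched-for type were evaluated,
    so items of a referencedBy target type were never checked."""
    return [u for u in query.item_uses
            if u.object_type == query.target_type
            and not any(covers(a, u) for a in autzs)]


def denied_items_new(query: SearchQuery, autzs: list) -> list:
    """New behaviour: every (type, item) pair used by the filter is evaluated."""
    return [u for u in query.item_uses if not any(covers(a, u) for a in autzs)]


# Constructed scenario: the caller may read and search roles (all items), but has
# no authorization concerning users at all.
ROLE_ONLY_AUTZ = [
    Authorization(READ, "RoleType", frozenset()),
    Authorization(SEARCH, "RoleType", frozenset()),
]

# "Give me RoleType referencedBy UserType via assignment/targetRef", with a
# condition on the user's name.  The filter uses two UserType items.
LEAKY_QUERY = SearchQuery(
    target_type="RoleType",
    item_uses=(ItemUse("UserType", "assignment/targetRef"),
               ItemUse("UserType", "name")),
)

# The quick fix from the message: searchBy grants use of these items in searches
# without giving access to the users' data values.
SEARCH_BY_USER_ITEMS = Authorization(
    SEARCH_BY, "UserType", frozenset({"assignment/targetRef", "name"}))

# A search concerning FocusType objects filtered by name, covered by a UserType
# authorization as the message's example describes.
FOCUS_QUERY = SearchQuery("FocusType", (ItemUse("FocusType", "name"),))
USER_NAME_SEARCH = [Authorization(SEARCH, "UserType", frozenset({"name"}))]


if __name__ == "__main__":
    print("old:", denied_items_old(LEAKY_QUERY, ROLE_ONLY_AUTZ))
    print("new:", denied_items_new(LEAKY_QUERY, ROLE_ONLY_AUTZ))
    print("new + searchBy:",
          denied_items_new(LEAKY_QUERY, ROLE_ONLY_AUTZ + [SEARCH_BY_USER_ITEMS]))
```

Running the block shows the old evaluation letting the query through (no RoleType items are used, so nothing is checked), the new evaluation denying both UserType items, and the added searchBy authorization making the query pass again. A modify authorization on UserType, by contrast, would not count, since only read, search and searchBy grant item use.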


  Commit: 70a3f973d015d95eab0b0a12428ece0afe18000f
      https://github.com/Evolveum/midpoint/commit/70a3f973d015d95eab0b0a12428ece0afe18000f
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2024-05-02 (Thu, 02 May 2024)

  Changed paths:
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.html

  Log Message:
  -----------
  Merge remote-tracking branch 'origin/master'


Compare: https://github.com/Evolveum/midpoint/compare/9805f2d5e1b7...70a3f973d015
