diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
index d2a7cf1720ab058984be9e230adca5331a07287f..f0120bae2cb325a7c222f5d07601a27e761fcce5 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
@@ -86,11 +86,12 @@ public interface PerunAdapterMethods {
 * Perform check if user can access service based on his/her membership
 * in groups assigned to facility resources
 *
- * @param facility Facility object
- * @param userId ID of user
+ * @param facility Facility object
+ * @param userId ID of user
+ * @param accessControlDisabledAttr
 * @return TRUE if user can access, FALSE otherwise
 */
- boolean canUserAccessBasedOnMembership(Facility facility, Long userId);
+ boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr);
 
 /**
 * Fetch facility attribute values
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
index 36b09cd6dfba7e2291543e7cc2e8123a26ab69e0..1160ca0d29d375e6582873ab39a0c7fa0c91f940 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
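Review bot: The new `@param accessControlDisabledAttr` tag in the interface Javadoc has no description, so implementors get no contract for the value, in particular whether null is allowed. The filter Javadoc elsewhere in this commit describes it as a resource attribute that switches off access control for the groups of that resource, with all groups used when it is not set; the interface should state the same and the null case explicitly: `* @param accessControlDisabledAttr name of the resource attribute marking resources whose assigned groups must not grant access; null means all assigned groups are used`. The RPC adapter names the same parameter `ignoreAttr`, which is worth aligning with the interface so the contract reads the same in every implementation.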
@@ -62,12 +62,12 @@ public class PerunAdapterImpl extends PerunAdapter {
 }
 
 @Override
- public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
+ public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr) {
 try {
- return this.getAdapterPrimary().canUserAccessBasedOnMembership(facility, userId);
+ return this.getAdapterPrimary().canUserAccessBasedOnMembership(facility, userId, accessControlDisabledAttr);
 } catch (UnsupportedOperationException e) {
 if (this.isCallFallback()) {
- return this.getAdapterFallback().canUserAccessBasedOnMembership(facility, userId);
+ return this.getAdapterFallback().canUserAccessBasedOnMembership(facility, userId, accessControlDisabledAttr);
 } else {
 throw e;
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
index e38c288acd3e073682b02a1838d76c84662036c8..6f93e3a182c793e44a713acd6a849a476752e30f 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
@@ -142,14 +142,14 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
 }
 
 @Override
- public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
- Set<Long> groupsWithAccessIds = getGroupIdsAssignedToFacility(facility.getId(), null);
+ public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr) {
+ Set<Long> groupsWithAccessIds = getGroupIdsAssignedToFacility(facility.getId(), accessControlDisabledAttr);
 if (groupsWithAccessIds == null || groupsWithAccessIds.isEmpty()) {
 return false;
 }
 
 Set<Long> userGroupIds = getGroupIdsWhereUserIsMember(userId, null);
- if (userGroupIds == null || userGroupIds.isEmpty()) {
+ if (userGroupIds.isEmpty()) {
 return false;
 }
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
index 66db96adb1f2e2819c6e909e76f0de6486bfc3d6..05501b4c4395eb565b6b4d45ecb4920573d4d0e7 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
@@ -132,12 +132,12 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 }
 
 @Override
- public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
+ public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String ignoreAttr) {
 if (!this.connectorRpc.isEnabled()) {
 return true;
 }
 
- List<Group> activeGroups = getGroupsWhereUserIsActiveByFacility(facility.getId(), userId);
+ Set<Group> activeGroups = getGroupsWhereUserIsActive(facility.getId(), userId, ignoreAttr);
 return !activeGroups.isEmpty();
 }
 
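Review bot: Dropping the `userGroupIds == null` guard makes this access decision rely on `getGroupIdsWhereUserIsMember` never returning null, which nothing in the hunk shows, while the `groupsWithAccessIds` lookup two lines above keeps its null check, so the two reads look inconsistent. If the helper is now guaranteed non-null the removal is fine; otherwise keep `if (userGroupIds == null || userGroupIds.isEmpty()) {` so a missing LDAP result denies access instead of throwing out of the authorization filter. The second argument to `getGroupIdsWhereUserIsMember` stays `null` while the facility-side call now receives `accessControlDisabledAttr`; a one-line comment saying why the user-side lookup takes no attribute would spare the next reader the question. The rest of the method, including the membership comparison and its return, lies outside the hunk.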
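Review bot: The new body calls `getGroupsWhereUserIsActive(facility.getId(), userId, ignoreAttr)`, a three-argument method this diff neither adds nor shows, while the helper re-added in the hunk at line 1002, `getGroupsWhereUserIsActiveByFacility(Long, Long)`, loses its only visible caller; unless the three-argument overload exists elsewhere in the file this will not compile, and if it does, the moved helper appears to be dead code. The parameter is named `ignoreAttr` here but `accessControlDisabledAttr` in the interface and the LDAP adapter, and it is passed straight through, so using the interface name keeps the contract readable across implementations. Worth noting while touching this method: the unchanged early `return true;` when the RPC connector is disabled grants access with no membership check at all, so that state must not be reachable in a deployed configuration.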
@@ -1002,6 +1002,19 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 return groups;
 }
 
+ private Set<Group> getGroupsWhereUserIsActiveByFacility(Long facilityId, Long userId) {
+ if (!this.connectorRpc.isEnabled()) {
+ return new HashSet<>();
+ }
+
+ Map<String, Object> map = new LinkedHashMap<>();
+ map.put("facility", facilityId);
+ map.put("user", userId);
+ JsonNode jsonNode = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
+
+ return new HashSet<>(RpcMapper.mapGroups(jsonNode));
+ }
+
 private Set<Resource> getResourcesAssignedToFacility(Long facilityId, Long userId, String ignoreAttribute) {
 if (!this.connectorRpc.isEnabled()) {
 return new HashSet<>();
@@ -1010,7 +1023,7 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 Set<Resource> result = new HashSet<>();
 for (Resource resource : resources) {
 PerunAttributeValue attrValue = getResourceAttributeValue(resource.getId(), ignoreAttribute);
- if (attrValue == null || attrValue.isNullValue()) {
+ if (attrValue == null || attrValue.isNullValue() || !attrValue.valueAsBoolean()) {
 result.add(resource);
 } else {
 log.debug(
@@ -1251,19 +1264,6 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 return true;
 }
 
- private List<Group> getGroupsWhereUserIsActiveByFacility(Long facilityId, Long userId) {
- if (!this.connectorRpc.isEnabled()) {
- return new ArrayList<>();
- }
-
- Map<String, Object> map = new LinkedHashMap<>();
- map.put("facility", facilityId);
- map.put("user", userId);
- JsonNode jsonNode = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
-
- return RpcMapper.mapGroups(jsonNode);
- }
-
 private Map<Long, Vo> convertVoListToMap(List<Vo> vos) {
 if (!this.connectorRpc.isEnabled()) {
 return new HashMap<>();
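Review bot: The widened condition in the hunk at line 1010 treats a resource as access-controlling whenever `attrValue.valueAsBoolean()` is false, which is right for a boolean flag, but what `valueAsBoolean()` does when the configured `ignoreAttribute` is of another type is not visible here; if it can throw, a wrongly typed attribute would abort the whole facility lookup rather than fall back to "all groups". A comment on the condition stating the expectation, e.g. `// ignoreAttribute is expected to be a boolean resource attribute: unset or false means the resource's groups grant access`, would make the intent explicit for whoever configures it. The loop's `else` branch and the method's return are outside the hunk.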
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
index 9c92242b0b3bebdb2381a21317eae40277eed9bb..40929bae022bc5c3f4e8feabe8828f6334226ee1 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
@@ -31,6 +31,11 @@ import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.STATE;
 *
 * Configuration:
 * - based on the configuration of bean "facilityAttrsConfig"
+ * Configuration of filter (replace [name] part with the name defined for the filter):
+ * <ul>
+ * <li><b>filter.[name].accessControlDisabledAttr</b> - resource attribute which triggers if resource assigned
+ * groups should not be used for controlling access. When not specified, all groups will be used.</li>
+ * </ul>
 * @see FacilityAttrsConfig
 * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
 *
@@ -39,15 +44,19 @@ import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.STATE;
 @Slf4j
 public class PerunAuthorizationFilter extends AuthProcFilter {
 
+ protected static final String ACCESS_CONTROL_DISABLED_ATTR = "accessControlDisabledAttr";
+
 private final PerunAdapter perunAdapter;
 private final FacilityAttrsConfig facilityAttrsConfig;
 private final PerunOidcConfig config;
+ private final String accessControlDisabledAttr;
 
 public PerunAuthorizationFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
 super(ctx);
 this.perunAdapter = ctx.getPerunAdapterBean();
 this.config = ctx.getPerunOidcConfigBean();
 this.facilityAttrsConfig = ctx.getBeanUtil().getBean(FacilityAttrsConfig.class);
+ this.accessControlDisabledAttr = ctx.getProperty(ACCESS_CONTROL_DISABLED_ATTR, null);
 }
 
 @Override
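Review bot: `ctx.getProperty(ACCESS_CONTROL_DISABLED_ATTR, null)` accepts any string as the attribute name, and the RPC adapter in this same commit adds a resource whenever its attribute lookup yields null, so a typo in the configured name appears to be indistinguishable from "attribute unset" — the groups of resources the operator meant to exclude would silently keep granting access. Logging the effective value when the filter is built, `log.info("{} - accessControlDisabledAttr: {}", getFilterName(), accessControlDisabledAttr);`, or validating the name against the attribute definitions at startup, makes such a misconfiguration visible in operations. `ACCESS_CONTROL_DISABLED_ATTR` is declared `protected` although nothing in the diff reads it outside this class; `private` is enough unless a subclass is expected to reuse it.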
@@ -65,7 +74,7 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 }
 
 return this.decideAccess(facility, user, req, res, params.getClientIdentifier(),
- perunAdapter, facilityAttrsConfig);
+ perunAdapter, facilityAttrsConfig, accessControlDisabledAttr);
 }
 
 @Override
@@ -73,9 +82,14 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 return false;
 }
 
- private boolean decideAccess(Facility facility, PerunUser user, HttpServletRequest req,
- HttpServletResponse response, String clientIdentifier, PerunAdapter perunAdapter,
- FacilityAttrsConfig facilityAttrsConfig)
+ private boolean decideAccess(Facility facility,
+ PerunUser user,
+ HttpServletRequest req,
+ HttpServletResponse response,
+ String clientIdentifier,
+ PerunAdapter perunAdapter,
+ FacilityAttrsConfig facilityAttrsConfig,
+ String accessControlDisabledAttr)
 {
 Map<String, PerunAttributeValue> facilityAttributes = perunAdapter.getFacilityAttributeValues(
 facility, facilityAttrsConfig.getMembershipAttrNames());
@@ -85,7 +99,7 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 return true;
 }
 
- if (perunAdapter.canUserAccessBasedOnMembership(facility, user.getId())) {
+ if (perunAdapter.canUserAccessBasedOnMembership(facility, user.getId(), accessControlDisabledAttr)) {
 log.info("{} - user allowed to access the service", getFilterName());
 return true;
 } else {
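Review bot: In the hunk at line 73 `decideAccess` gains `accessControlDisabledAttr` as an eighth parameter even though the value is the instance field assigned in the constructor, the same pattern already used for `perunAdapter` and `facilityAttrsConfig`, which are fields too. Since the method is private and only called from this class, reading the fields directly and dropping those three parameters would shorten the signature and remove the chance of a caller passing a different value than the one configured for the filter. The body of `decideAccess` starts in that hunk but continues outside it.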