Source code

001package com.identityworksllc.iiq.common;
002
003import com.identityworksllc.iiq.common.access.AccessCheck;
004import com.identityworksllc.iiq.common.access.AccessCheckInput;
005import com.identityworksllc.iiq.common.auth.DummyPluginResource;
006import org.apache.commons.logging.Log;
007import org.apache.commons.logging.LogFactory;
008import sailpoint.api.SailPointContext;
009import sailpoint.object.*;
010import sailpoint.rest.plugin.BasePluginResource;
011import sailpoint.tools.GeneralException;
012import sailpoint.web.UserContext;
013
014import java.util.Map;
015
016/**
017 * Implements the "Common Security" protocol that was originally part of the
018 * UPE plugin. This allows more detailed authorization to check access to
019 * various objects within IIQ.
020 *
021 * There are two users involved in thing access: an subject Identity and a target
022 * Identity. The subject is the one doing the thing while the target is the one
023 * the thing is being done to. Some actions may be 'self' actions, where both the
024 * subject and the target are the same. Other actions don't have a 'target' concept
025 * and are treated as 'self' actions.
026 *
027 * @see AccessCheck
028 */
029@SuppressWarnings("unused")
030public final class ThingAccessUtils {
031
032    /**
033     * The logger
034     */
035    private static final Log log = LogFactory.getLog(ThingAccessUtils.class);
036
037    /**
038     * Returns true if the logged in user can access the item based on the Common Security configuration parameters.
039     *
040     * @param pluginContext The plugin context, which provides user details
041     * @param configuration The configuration for the field or button or other object
042     * @return True if the user has access to the thing based on the configuration
043     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
044     */
045    public static boolean checkThingAccess(UserContext pluginContext, Map<String, Object> configuration) throws GeneralException {
046        return checkThingAccess(pluginContext, null, AccessCheck.ANONYMOUS_THING, configuration);
047    }
048
049    /**
050     * Returns true if the logged in user can access the item based on the Common Security configuration parameters.
051     *
052     * @param pluginContext The plugin context, which provides user details
053     * @param configuration The configuration for the field or button or other object
054     * @return True if the user has access to the thing based on the configuration
055     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
056     */
057    public static boolean checkThingAccess(BasePluginResource pluginContext, Map<String, Object> configuration) throws GeneralException {
058        return checkThingAccess(pluginContext, null, AccessCheck.ANONYMOUS_THING, configuration);
059    }
060
061    /**
062     * Returns true if the logged in user can access the item based on the CommonSecurityConfig object
063     *
064     * @param pluginContext The plugin context, which provides user details
065     * @param config the CommonSecurityConfig object
066     * @return True if the user has access to the thing based on the configuration
067     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
068     */
069    public static boolean checkThingAccess(UserContext pluginContext, CommonSecurityConfig config) throws GeneralException {
070        return checkThingAccess(pluginContext, null, AccessCheck.ANONYMOUS_THING, config);
071    }
072
073    /**
074     * Returns true if the logged in user can access the item based on the CommonSecurityConfig object
075     *
076     * @param pluginContext The plugin context, which provides user details
077     * @param config the CommonSecurityConfig object
078     * @return True if the user has access to the thing based on the configuration
079     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
080     */
081    public static boolean checkThingAccess(BasePluginResource pluginContext, CommonSecurityConfig config) throws GeneralException {
082        return checkThingAccess(pluginContext, null, AccessCheck.ANONYMOUS_THING, config);
083    }
084
085    /**
086     * Returns true if the logged in user can access the item based on the common configuration parameters.
087     *
088     * @param pluginContext The login context, which provides user details
089     * @param targetIdentity The target identity for the action (as opposed to the actor)
090     * @param configuration The configuration for the field or button or other object
091     * @return True if the user has access to the thing based on the configuration
092     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
093     */
094    public static boolean checkThingAccess(UserContext pluginContext, Identity targetIdentity, Map<String, Object> configuration) throws GeneralException {
095        return checkThingAccess(pluginContext, targetIdentity, AccessCheck.ANONYMOUS_THING, configuration);
096    }
097
098    /**
099     * Returns true if the logged in user can access the item based on the common configuration parameters.
100     *
101     * @param pluginContext The plugin context, which provides user details
102     * @param targetIdentity The target identity for the action (as opposed to the actor)
103     * @param configuration The configuration for the field or button or other object
104     * @return True if the user has access to the thing based on the configuration
105     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
106     */
107    public static boolean checkThingAccess(BasePluginResource pluginContext, Identity targetIdentity, Map<String, Object> configuration) throws GeneralException {
108        return checkThingAccess(pluginContext, targetIdentity, AccessCheck.ANONYMOUS_THING, configuration);
109    }
110
111    /**
112     * Returns true if the logged in user can access the item based on the common configuration parameters.
113     *
114     * @param pluginContext The plugin context, which provides user details
115     * @param targetIdentity The target identity for the action (as opposed to the actor)
116     * @param configuration The configuration for the field or button or other object
117     * @return True if the user has access to the thing based on the configuration
118     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
119     */
120    public static boolean checkThingAccess(BasePluginResource pluginContext, Identity targetIdentity, String thingName, Map<String, Object> configuration) throws GeneralException {
121        return checkThingAccess((UserContext) pluginContext, targetIdentity, AccessCheck.ANONYMOUS_THING, configuration);
122    }
123
124    /**
125     * Returns true if the logged in user can access the item based on the common configuration parameters.
126     *
127     * @param pluginContext A plugin REST API resource (or fake equivalent) used to get some details and settings. This must not be null.
128     * @param targetIdentity The target identity
129     * @param thingName The thing being checked
130     * @param configuration The configuration for the field or button or other object
131     * @return True if the user has access to the thing based on the configuration
132     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
133     */
134    public static boolean checkThingAccess(UserContext pluginContext, Identity targetIdentity, String thingName, Map<String, Object> configuration) throws GeneralException {
135        Identity currentUser = pluginContext.getLoggedInUser();
136        Identity target = targetIdentity;
137        if (target == null) {
138            target = currentUser;
139        }
140        if (configuration == null || configuration.isEmpty()) {
141            Configuration systemConfig = Configuration.getSystemConfig();
142            boolean defaultDeny = systemConfig.getBoolean("IIQCommon.ThingAccessUtils.denyOnEmpty", false);
143            if (defaultDeny) {
144                log.debug("Configuration for " + thingName + " is empty; assuming that access is NOT allowed");
145                return false;
146            } else {
147                log.debug("Configuration for " + thingName + " is empty; assuming that access is allowed");
148                return true;
149            }
150        }
151        CommonSecurityConfig config = CommonSecurityConfig.decode(configuration);
152        return checkThingAccess(pluginContext, target, thingName, config);
153    }
154
155    /**
156     * Returns true if the logged in user can access the item based on the common configuration parameters.
157     *
158     * Results for the same CommonSecurityConfig, source, and target user will be cached for up to one minute
159     * unless the CommonSecurityConfig object has noCache set to true.
160     *
161     * @param pluginContext A plugin REST API resource (or fake equivalent) used to get some details and settings. This must not be null.
162     * @param target The target identity
163     * @param thingName The thing being checked, entirely for logging purposes
164     * @param config The configuration specifying security rights
165     * @return True if the user has access to the thing based on the configuration
166     * @throws GeneralException if any check failures occur (this should be interpreted as "no access")
167     */
168    public static boolean checkThingAccess(UserContext pluginContext, Identity target, String thingName, CommonSecurityConfig config) throws GeneralException {
169        AccessCheckInput input = new AccessCheckInput(pluginContext, target, thingName, config);
170
171        return AccessCheck.accessCheck(input).isAllowed();
172    }
173
174    /**
175     * An optional clear-cache method that can be used by plugin code
176     */
177    public static void clearCachedResults() {
178        AccessCheck.clearCachedResults();
179    }
180
181    /**
182     * Creates a fake plugin context for use with {@link ThingAccessUtils#checkThingAccess(UserContext, Identity, String, Map)} outside of a plugin. This constructs a new instance of a dummy BasePluginResource web service endpoint class.
183     * @param context The SailPointContext to return from {@link BasePluginResource#getContext()}
184     * @param loggedInUser The Identity to return from various getLoggedIn... methods
185     * @param pluginName The name of the plugin to include in the fake plugin context
186     * @return The fake plugin resource
187     */
188    public static BasePluginResource createFakePluginContext(final SailPointContext context, final Identity loggedInUser, String pluginName) {
189        return new DummyPluginResource(context, loggedInUser, pluginName);
190    }
191
192}