/*
* Copyright (c) 2021 Bixbit - Krzysztof Benedyczak. All rights reserved.
* See LICENCE.txt file for licensing information.
*/
package io.imunity.scim.admin;
import java.util.Map;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import io.imunity.scim.config.SCIMEndpointDescription;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.group.GroupMembership;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.AuthorizationException;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.InvocationContext.InvocationMaterial;
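/**
 * Authorizes the administrative SCIM operations that read or update the set of exposed groups.
 * <p>
 * Access is granted only when all of the following hold:
 * <ol>
 * <li>the endpoint has a REST admin group configured ({@code restAdminGroup}),</li>
 * <li>the call was made with direct authentication ({@link InvocationMaterial#DIRECT}),</li>
 * <li>the calling entity is a member of that admin group.</li>
 * </ol>
 * Every failed check is reported to the caller with the same generic message; the specific
 * reason goes to the debug log only, so a response does not reveal which check failed.
 */
class AdminAuthzService
{
	private static final Logger log = Log.getLogger(Log.U_SERVER_SCIM, AdminAuthzService.class);

	private final SCIMEndpointDescription configuration;
	private final EntityManagement entityManagement;

	/**
	 * @param configuration endpoint configuration holding the REST admin group and endpoint name
	 * @param entityManagement entity API used to resolve the caller's group memberships
	 */
	AdminAuthzService(SCIMEndpointDescription configuration, EntityManagement entityManagement)
	{
		this.configuration = configuration;
		this.entityManagement = entityManagement;
	}

	/**
	 * Verifies that the current caller may read or update the endpoint's exposed groups.
	 *
	 * @throws AuthorizationException when any of the checks described on the class fails
	 * @throws EngineException when the caller's group memberships cannot be resolved
	 */
	void authorizeReadOrUpdateOfExposedGroups() throws EngineException
	{
		if (configuration.restAdminGroup.isEmpty())
		{
			// fail closed: with no admin group configured nobody can be authorized
			log.debug("Missconfigured SCIM endpoint {}, rest admin group is not set", configuration.endpointName);
			throw new AuthorizationException("Access is denied");
		}
		InvocationContext invocationContext = InvocationContext.getCurrent();
		if (!invocationContext.getInvocationMaterial().equals(InvocationMaterial.DIRECT))
		{
			log.debug("Access is denied. Update exposed groups is available only via direct authentication");
			throw new AuthorizationException("Access is denied");
		}
		if (invocationContext.getLoginSession() == null)
		{
			// no authenticated session: deny explicitly instead of failing on the dereference below
			log.debug("Access is denied. No login session in the invocation context");
			throw new AuthorizationException("Access is denied");
		}
		// group path -> membership; only the key set matters here
		Map<String, GroupMembership> userGroups = entityManagement
				.getGroups(new EntityParam(invocationContext.getLoginSession().getEntityId()));
		if (!userGroups.containsKey(configuration.restAdminGroup.get()))
		{
			log.debug("Access is denied. Caller not a member of admin SCIM admin group");
			throw new AuthorizationException("Access is denied");
		}
	}

	/**
	 * Spring factory producing a per-endpoint {@link AdminAuthzService}.
	 */
	@Component
	static class SCIMAdminAuthzServiceFactory
	{
		private final EntityManagement entityManagement;

		/**
		 * @param entityManagement the {@code insecure}-qualified entity API; presumably this bean
		 *        performs no authorization of its own, so the admin-group check in
		 *        {@link AdminAuthzService#authorizeReadOrUpdateOfExposedGroups()} is the only gate —
		 *        confirm before reusing it elsewhere
		 */
		@Autowired
		SCIMAdminAuthzServiceFactory(@Qualifier("insecure") EntityManagement entityManagement)
		{
			this.entityManagement = entityManagement;
		}

		/**
		 * @param configuration the endpoint the returned service authorizes against
		 * @return a service bound to {@code configuration} and the shared entity API
		 */
		AdminAuthzService getService(SCIMEndpointDescription configuration)
		{
			return new AdminAuthzService(configuration, entityManagement);
		}
	}
}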