@Override
public boolean canRunAs(Set<String> mappedRoles, String runAsRole) {
if (runAsRole == null) {
return false;
}
boolean hasRole = authorizerConfiguration.hasRole(runAsRole);
boolean isSuperUser = mappedRoles.contains(StandardRole.SUPERUSER.toString());
/*
* We only allow users to specify roles to run as if they are SuperUser, if the user is not SuperUser we need to be
* careful to not provide a way for the user to test which roles actually exist.
*/
if (isSuperUser && hasRole == false) {
throw ControllerLogger.ROOT_LOGGER.unknownRole(runAsRole);
}
return hasRole && isSuperUser;
}
@Override
public boolean canRunAs(Set<String> mappedRoles, String runAsRole) {
return runAsRole != null
&& roles.contains(runAsRole)
&& mappedRoles.contains(StandardRole.SUPERUSER.toString());
}
/**
* A {@link RoleMapper} that supports configuration from the WildFly management API.
*
* @author <a href="mailto:[email protected]">Darran Lofthouse</a>
*/
public class StandardRoleMapper implements RoleMapper {
private static final String IN_VM_ROLE = StandardRole.SUPERUSER.getOfficialForm();
private static final RunAsRolePermission RUN_AS_IN_VM_ROLE = new RunAsRolePermission(IN_VM_ROLE);
private final AuthorizerConfiguration authorizerConfiguration;
public StandardRoleMapper(final AuthorizerConfiguration authorizerConfiguration) {
this.authorizerConfiguration = authorizerConfiguration;
}
@Override
public Set<String> mapRoles(
Caller caller, Environment callEnvironment, Action action, TargetAttribute attribute) {
return mapRoles(caller);
}
@Override
public Set<String> mapRoles(
Caller caller, Environment callEnvironment, Action action, TargetResource resource) {
return mapRoles(caller);
}
@Override
public Set<String> mapRoles(
Caller caller, Environment callEnvironment, JmxAction action, JmxTarget target) {
return mapRoles(caller);
}
@Override
public Set<String> mapRoles(
Caller caller, Environment callEnvironment, Set<String> operationHeaderRoles) {
return mapRoles(caller);
}
@Override
public boolean canRunAs(Set<String> mappedRoles, String runAsRole) {
if (runAsRole == null) {
return false;
}
boolean hasRole = authorizerConfiguration.hasRole(runAsRole);
boolean isSuperUser = mappedRoles.contains(StandardRole.SUPERUSER.toString());
/*
* We only allow users to specify roles to run as if they are SuperUser, if the user is not SuperUser we need to be
* careful to not provide a way for the user to test which roles actually exist.
*/
if (isSuperUser && hasRole == false) {
throw ControllerLogger.ROOT_LOGGER.unknownRole(runAsRole);
}
return hasRole && isSuperUser;
}
private Set<String> mapRoles(final Caller caller) {
Set<String> mappedRoles = new HashSet<String>();
boolean traceEnabled = ACCESS_LOGGER.isTraceEnabled();
if (caller.hasSubject()) {
Map<String, AuthorizerConfiguration.RoleMapping> rolesToCheck;
if (authorizerConfiguration.isMapUsingRealmRoles()) {
rolesToCheck =
new HashMap<String, AuthorizerConfiguration.RoleMapping>(
authorizerConfiguration.getRoleMappings());
Set<String> realmRoles = caller.getAssociatedRoles();
for (String current : realmRoles) {
String roleName = current.toUpperCase(Locale.ENGLISH);
if (rolesToCheck.containsKey(roleName)) {
AuthorizerConfiguration.RoleMapping roleMapping = rolesToCheck.remove(roleName);
AuthorizerConfiguration.MappingPrincipal exclusion = roleMapping.isExcluded(caller);
if (exclusion == null) {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' assigned role '%s' due to realm assignment and no exclusion in role mapping definition.",
caller.getName(), roleName);
}
mappedRoles.add(roleName);
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' NOT assigned role '%s' despite realm assignment due to exclusion match against %s.",
caller.getName(), roleName, exclusion);
}
}
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' assigned role '%s' due to realm assignment and no role mapping to check for exclusion.",
caller.getName(), roleName);
}
mappedRoles.add(roleName);
}
}
} else {
// A clone is not needed here as the whole set of values is to be iterated with no need for
// removal.
rolesToCheck = authorizerConfiguration.getRoleMappings();
}
for (AuthorizerConfiguration.RoleMapping current : rolesToCheck.values()) {
boolean includeAll = current.includeAllAuthedUsers();
AuthorizerConfiguration.MappingPrincipal inclusion =
includeAll == false ? current.isIncluded(caller) : null;
if (includeAll || inclusion != null) {
AuthorizerConfiguration.MappingPrincipal exclusion = current.isExcluded(caller);
if (exclusion == null) {
if (traceEnabled) {
if (includeAll) {
ACCESS_LOGGER.tracef(
"User '%s' assiged role '%s' due to include-all set on role.",
caller.getName(), current.getName());
} else {
ACCESS_LOGGER.tracef(
"User '%s' assiged role '%s' due to match on inclusion %s",
caller.getName(), current.getName(), inclusion);
}
}
mappedRoles.add(current.getName());
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' denied membership of role '%s' due to exclusion %s",
caller.getName(), current.getName(), exclusion);
}
}
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' not assigned role '%s' as no match on the include definition of the role mapping.",
caller.getName(), current.getName());
}
}
}
} else {
/*
* If the IN-VM code does not have the required permission a SecurityException will be thrown.
*
* At the moment clients should not be making speculation requests so in a correctly configured installation this
* check should pass with no error.
*/
checkPermission(RUN_AS_IN_VM_ROLE);
ACCESS_LOGGER.tracef(
"Assigning role '%s' for call with no assigned Subject (An IN-VM Call).", IN_VM_ROLE);
mappedRoles.add(IN_VM_ROLE);
}
if (traceEnabled) {
StringBuilder sb =
new StringBuilder("User '").append(caller.getName()).append("' Assigned Roles { ");
for (String current : mappedRoles) {
sb.append("'").append(current).append("' ");
}
sb.append("}");
ACCESS_LOGGER.trace(sb.toString());
}
// TODO - We could consider something along the lines of a WeakHashMap to hold this result keyed
// on the Caller.
// The contents of the Caller are not expected to change during a call and we could clear the
// cache on a config change.
return Collections.unmodifiableSet(mappedRoles);
}
private static void checkPermission(final Permission permission) {
SecurityManager securityManager = System.getSecurityManager();
if (securityManager != null) {
securityManager.checkPermission(permission);
}
}
}
