/**
*
* Copyright (c) 2011, 2016 - Loetz GmbH&Co.KG (69115 Heidelberg, Germany)
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
* https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
* Christophe Loetz (Loetz GmbH&Co.KG) - initial implementation
*/
package org.eclipse.osbp.ui.api.useraccess;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* AbstractAuthorization holds the permissions of each role associated with one position.
* Grants and vetoes can be queried. Grants apply at object level, vetoes at attribute and relationship level.
* Conflicts arising from the merged roles of a position are resolved in favour of the more generous grant and the less restrictive veto.
*/
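public abstract class AbstractAuthorization {

    // Both maps are plain HashMaps with no synchronization: register every role before the
    // instance is queried from more than one thread.

    /** Permissions per role as registered; every stored list and set is an unmodifiable snapshot. */
    private final Map<String, List<Set<Permission>>> rolePermissions = new HashMap<>();

    /**
     * Lookup index from (role, group, class, attribute) to the effective action. An entry whose
     * attribute is {@code null} is an object-level grant, one with a non-null attribute a veto.
     * When a role names the same key more than once, {@link #resolve} keeps the more generous
     * grant or the less restrictive veto instead of whichever came last.
     */
    private final Map<PermissionKey, Action> fastPermissions = new HashMap<>();

    /**
     * Registers the permissions of a role, replacing any earlier registration of that role.
     * The caller's list and sets are copied, so the caller cannot change the registered
     * permissions afterwards, and index entries of the previous registration are dropped so they
     * cannot outlive the role definition. The input is validated completely before anything is
     * stored, so a bad element leaves the old state intact.
     *
     * @param roleName the role name
     * @param permissions the permission sets of the role, typically built with {@link #granted}
     *        and {@link #denied}
     * @throws NullPointerException if {@code roleName}, {@code permissions}, one of its sets or
     *         one of their elements is null
     */
    public void addRolePermissions(String roleName, List<Set<Permission>> permissions) {
        Objects.requireNonNull(roleName, "roleName");
        Objects.requireNonNull(permissions, "permissions");
        List<Set<Permission>> snapshot = new ArrayList<>(permissions.size());
        Map<PermissionKey, Action> index = new HashMap<>();
        for (Set<Permission> permissionSet : permissions) {
            Set<Permission> copy = Collections.unmodifiableSet(new HashSet<>(permissionSet));
            snapshot.add(copy);
            for (Permission permission : copy) {
                PermissionKey key = permission.keyFor(roleName);
                index.put(key, resolve(index.get(key), permission));
            }
        }
        // Commit: first forget the previous registration of this role, then install the new one.
        List<Set<Permission>> previous = rolePermissions.put(roleName, Collections.unmodifiableList(snapshot));
        if (previous != null) {
            for (Set<Permission> permissionSet : previous) {
                for (Permission permission : permissionSet) {
                    fastPermissions.remove(permission.keyFor(roleName));
                }
            }
        }
        fastPermissions.putAll(index);
    }

    /**
     * Picks the action to index when a role names the same (group, class, attribute) twice:
     * the higher weight for grants (more generous), the lower weight for vetoes (less restrictive).
     *
     * @param existing the action already indexed for the key, or {@code null}
     * @param candidate the permission being indexed
     * @return the action to keep in the index
     */
    private static Action resolve(Action existing, Permission candidate) {
        Action proposed = candidate.getAction();
        if (existing == null) {
            return proposed;
        }
        int cmp = Integer.compare(proposed.getWeight(), existing.getWeight());
        boolean candidateWins = candidate.isVeto() ? cmp < 0 : cmp > 0;
        return candidateWins ? proposed : existing;
    }

    /**
     * Gets the permissions registered for a role.
     *
     * @param role the role name
     * @return an unmodifiable view of the role's permission sets, or {@code null} if the role is
     *         unknown
     */
    public final List<Set<Permission>> getRolePermissions(String role) {
        return rolePermissions.get(role);
    }

    /**
     * Gets all registered roles with their permissions.
     *
     * @return an unmodifiable view of the role-to-permissions map; registrations go through
     *         {@link #addRolePermissions} so that the lookup index stays in sync
     */
    public final Map<String, List<Set<Permission>>> getAuthorizationGroups() {
        return Collections.unmodifiableMap(rolePermissions);
    }

    /**
     * Gets the registered role names.
     *
     * @return an unmodifiable view of the role names
     */
    public final Collection<String> getRoles() {
        return Collections.unmodifiableSet(rolePermissions.keySet());
    }

    /**
     * Tells whether any registered role grants {@code action} (or a heavier action) on the object
     * {@code descriptor} in {@code group}. The most generous grant across roles wins; a group or
     * descriptor that matches no registered grant yields {@code false}.
     *
     * @param group the group
     * @param action the action being attempted
     * @param descriptor the class descriptor of the object
     * @return {@code true} if some role holds a grant whose weight is at least the action's weight
     * @throws NullPointerException if {@code action} is null
     */
    public boolean isApplicableGrant(Group group, Action action, String descriptor) {
        Objects.requireNonNull(action, "action");
        for (String roleName : rolePermissions.keySet()) {
            Action grant = fastPermissions.get(new PermissionKey(roleName, group, descriptor, null));
            if (grant != null && grant.getWeight() >= action.getWeight()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether {@code property} of the object {@code descriptor} in {@code group} is vetoed
     * at level {@code action} or stronger. Among the roles that define a veto on the property the
     * least restrictive one (lowest weight) decides; a property that no role vetoes yields
     * {@code false}. A {@code null} property is never vetoed, so the object-level grant entry of
     * the same class cannot be mistaken for a veto.
     *
     * @param group the group
     * @param action the veto level being asked about
     * @param descriptor the class descriptor of the object
     * @param property the attribute or relationship name
     * @return {@code true} if the effective veto has at least the weight of {@code action}
     * @throws NullPointerException if {@code action} is null
     */
    public boolean isApplicableVeto(Group group, Action action, String descriptor, String property) {
        Objects.requireNonNull(action, "action");
        if (property == null) {
            return false;
        }
        Action weakest = null;
        for (String roleName : rolePermissions.keySet()) {
            Action veto = fastPermissions.get(new PermissionKey(roleName, group, descriptor, property));
            if (veto != null && (weakest == null || veto.getWeight() < weakest.getWeight())) {
                weakest = veto;
            }
        }
        return weakest != null && weakest.getWeight() >= action.getWeight();
    }

    /**
     * Builds object-level grants of {@code actions} on class {@code clas} in {@code group}.
     *
     * @param group the group
     * @param clas the class descriptor
     * @param actions the granted actions
     * @return the set of grants; repeated actions collapse to one permission
     * @throws NullPointerException if {@code group}, {@code clas}, {@code actions} or an element is null
     */
    public static final Set<Permission> granted(Group group, String clas, Action... actions) {
        Set<Permission> result = new HashSet<>();
        for (Action action : actions) {
            result.add(new Permission(group, clas, action));
        }
        return result;
    }

    /**
     * Builds vetoes of {@code actions} on {@code attribute} of class {@code clas} in {@code group}.
     *
     * @param group the group
     * @param clas the class descriptor
     * @param attribute the attribute or relationship name
     * @param actions the veto levels
     * @return the set of vetoes; repeated actions collapse to one permission
     * @throws NullPointerException if {@code group}, {@code clas}, {@code actions} or an element is null
     */
    public static final Set<Permission> denied(Group group, String clas, String attribute, Action... actions) {
        Set<Permission> result = new HashSet<>();
        for (Action action : actions) {
            result.add(new Permission(group, clas, attribute, action));
        }
        return result;
    }

    /**
     * Composite index key. Replaces the former concatenation of the four parts without a
     * delimiter, under which different (role, class, attribute) combinations could collide.
     */
    private static final class PermissionKey {
        private final String role;
        private final Group group;
        private final String clazz;
        private final String attribute;

        PermissionKey(String role, Group group, String clazz, String attribute) {
            this.role = role;
            this.group = group;
            this.clazz = clazz;
            this.attribute = attribute;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof PermissionKey)) {
                return false;
            }
            PermissionKey other = (PermissionKey) obj;
            return Objects.equals(role, other.role)
                    && group == other.group
                    && Objects.equals(clazz, other.clazz)
                    && Objects.equals(attribute, other.attribute);
        }

        @Override
        public int hashCode() {
            return Objects.hash(role, group, clazz, attribute);
        }
    }

    /**
     * One permission: an object-level grant when {@link #getAttribute()} is {@code null},
     * otherwise a veto on that attribute. Immutable; equality and hash cover all four fields so
     * that sets of permissions deduplicate.
     */
    public static class Permission {
        /** Field separator used by {@link #toString()}. */
        private static final String SEPARATOR = ":";
        /** The group. */
        private final Group group;
        /** The class descriptor. */
        private final String clazz;
        /** The attribute, {@code null} for an object-level grant. */
        private final String attribute;
        /** The action. */
        private final Action action;

        /**
         * Instantiates an object-level grant.
         *
         * @param group the group
         * @param clas the class descriptor
         * @param action the action
         * @throws NullPointerException if {@code group}, {@code clas} or {@code action} is null
         */
        public Permission(Group group, String clas, Action action) {
            this(group, clas, null, action);
        }

        /**
         * Instantiates a permission; a non-null {@code attribute} makes it a veto.
         *
         * @param group the group
         * @param clas the class descriptor
         * @param attribute the attribute or relationship name, {@code null} for a grant
         * @param action the action
         * @throws NullPointerException if {@code group}, {@code clas} or {@code action} is null
         */
        public Permission(Group group, String clas, String attribute, Action action) {
            this.group = Objects.requireNonNull(group, "group");
            this.clazz = Objects.requireNonNull(clas, "clas");
            this.attribute = attribute;
            this.action = Objects.requireNonNull(action, "action");
        }

        /** @return the group */
        public Group getGroup() {
            return group;
        }

        /** @return the class descriptor */
        public String getClazz() {
            return clazz;
        }

        /** @return the attribute, or {@code null} for an object-level grant */
        public String getAttribute() {
            return attribute;
        }

        /** @return the action */
        public Action getAction() {
            return action;
        }

        /** @return {@code true} if this permission is a veto (has an attribute) */
        public boolean isVeto() {
            return attribute != null;
        }

        /** Builds the lookup key of this permission for the given role. */
        PermissionKey keyFor(String roleName) {
            return new PermissionKey(roleName, group, clazz, attribute);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            Permission other = (Permission) obj;
            return group == other.group
                    && clazz.equals(other.clazz)
                    && Objects.equals(attribute, other.attribute)
                    && action == other.action;
        }

        @Override
        public int hashCode() {
            return Objects.hash(group, clazz, attribute, action);
        }

        /*
         * (non-Javadoc)
         *
         * @see java.lang.Object#toString()
         */
        @Override
        public String toString() {
            return group.toString() + SEPARATOR + clazz + SEPARATOR + attribute + SEPARATOR + action.toString();
        }
    }

    /**
     * The kind of object a permission refers to.
     */
    public enum Group {
        /** The blip process start. */
        PROCESS,
        /** The blip user task execute. */
        TASK,
        /** The entity. */
        ENTITY,
        /** The bean. */
        BEAN,
        /** The dto. */
        DTO;
    }

    /**
     * Actions that can be granted (object level) or vetoed (attribute level). The weight orders
     * the constants: an indexed action covers every queried action of lower or equal weight, see
     * {@link AbstractAuthorization#isApplicableGrant} and
     * {@link AbstractAuthorization#isApplicableVeto}. Only the indexed and the queried weight are
     * compared; callers are expected to query grants with grant actions and vetoes with veto
     * actions.
     */
    public enum Action {
        /** can a new entity instance be CREATED. */
        CREATABLE(3),
        /** can an entity instance be READ. */
        READABLE(1),
        /** can an entity instance be UPDATED. */
        UPDATABLE(2),
        /** can an entity instance be DELETED. */
        DELETEABLE(4),
        /** can an entity instance be CREATED, READ, UPDATED and DELETED. */
        ANY(1000),
        /** is the entity.property INVISIBLE, otherwise at least visible */
        INVISIBLE(3),
        /** is entity.property DISABLED, otherwise at least enabled */
        DISABLED(2),
        /** is entity.property NONEDITABLE, otherwise at least editable */
        NONEDITABLE(1),
        /** The unvetoed. */
        UNVETOED(0),
        /** is the blip process startable. */
        STARTABLE(1),
        /** is the blip user task event executable. */
        TASKABLE(1);

        /** Ordering weight; higher covers lower within the grant or the veto family. */
        private final int weight;

        /**
         * Instantiates a new action.
         *
         * @param weight the ordering weight
         */
        Action(int weight) {
            this.weight = weight;
        }

        /**
         * Gets the ordering weight.
         *
         * @return the weight
         */
        public int getWeight() {
            return weight;
        }
    }
}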