| /** |
| * |
| * Copyright (c) 2011, 2016 - Loetz GmbH&Co.KG (69115 Heidelberg, Germany) |
| * |
| * All rights reserved. This program and the accompanying materials |
| * are made available under the terms of the Eclipse Public License 2.0 |
| * which accompanies this distribution, and is available at |
| * https://www.eclipse.org/legal/epl-2.0/ |
| * |
| * SPDX-License-Identifier: EPL-2.0 |
| * |
| * Contributors: |
| * Christophe Loetz (Loetz GmbH&Co.KG) - initial implementation |
| */ |
| package org.eclipse.osbp.ui.api.useraccess; |
| |
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
| |
| /** |
| * AbstractAuthorization holds permissions per role associated to one position. |
| * Grants and vetoes can be queried. Grants apply to object level, vetoes to attributes and relationships. |
| * Conflicts arising from merged roles of a position are resolved favoring the more generous grant and the less restrictive veto |
| */ |
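public abstract class AbstractAuthorization {

    /**
     * Permissions per role name. Each value is an unmodifiable list of unmodifiable
     * sets, snapshotted in {@link #addRolePermissions}, so the only way to change what
     * this object authorizes is through that method — never through a collection handed
     * out by a getter. The backing map is a plain {@link HashMap}: registering roles is
     * not safe under concurrent access, populate the instance before sharing it.
     */
    private final Map<String, List<Set<Permission>>> rolePermissions = new HashMap<>();

    /**
     * Registers (or replaces) the permissions of a role.
     *
     * The supplied list and its sets are copied into unmodifiable snapshots, so later
     * changes to the caller's collections do not alter this object, and neither do the
     * read-only collections returned by the getters. Misconfiguration is reported here,
     * at registration time, instead of surfacing as a NullPointerException during an
     * authorization check.
     *
     * @param roleName    the role name (must not be null)
     * @param permissions the permission sets of the role; neither the list, nor a set
     *                    in it, nor a permission in a set may be null
     * @throws NullPointerException if an argument or an element is null
     */
    public void addRolePermissions(String roleName, List<Set<Permission>> permissions) {
        Objects.requireNonNull(roleName, "roleName");
        Objects.requireNonNull(permissions, "permissions for role " + roleName);
        List<Set<Permission>> snapshot = new ArrayList<>(permissions.size());
        for (Set<Permission> permissionSet : permissions) {
            Objects.requireNonNull(permissionSet, "permission set for role " + roleName);
            Set<Permission> copy = new HashSet<>();
            for (Permission permission : permissionSet) {
                copy.add(Objects.requireNonNull(permission, "permission for role " + roleName));
            }
            snapshot.add(Collections.unmodifiableSet(copy));
        }
        rolePermissions.put(roleName, Collections.unmodifiableList(snapshot));
    }

    /**
     * Gets the permission sets registered for a role.
     *
     * @param role the role name
     * @return an unmodifiable list of unmodifiable permission sets, or {@code null}
     *         if the role is unknown (kept for backward compatibility with callers
     *         that test for null)
     */
    public final List<Set<Permission>> getRolePermissions(String role) {
        return rolePermissions.get(role);
    }

    /**
     * Gets all registered roles together with their permission sets.
     *
     * @return a read-only view of the role-to-permissions map; mutating calls on it
     *         throw {@link UnsupportedOperationException}
     */
    public final Map<String, List<Set<Permission>>> getAuthorizationGroups() {
        return Collections.unmodifiableMap(rolePermissions);
    }

    /**
     * Gets the names of all registered roles.
     *
     * @return a read-only view of the role names
     */
    public final Collection<String> getRoles() {
        return Collections.unmodifiableSet(rolePermissions.keySet());
    }

    /**
     * Checks whether any role of this position grants {@code action}, or a heavier
     * one, on the object identified by {@code group} and {@code descriptor}.
     *
     * Only object-level entries — permissions without an attribute, as built by
     * {@link #granted} — take part. Attribute-level (veto) entries built by
     * {@link #denied} are skipped on purpose: veto and grant actions share weight
     * values (INVISIBLE and CREATABLE are both 3, DISABLED and UPDATABLE both 2,
     * NONEDITABLE and READABLE both 1), so letting a veto entry count here would turn
     * a restriction placed on one attribute into an object-level grant.
     *
     * Roles are merged "most generous wins": one matching entry in any role suffices.
     *
     * @param group      the object group
     * @param action     the requested action (must not be null)
     * @param descriptor the class descriptor of the object; {@code null} matches
     *                   nothing and yields {@code false}
     * @return {@code true} if an object-level grant of at least the requested weight exists
     */
    public boolean isApplicableGrant(Group group, Action action, String descriptor) {
        Objects.requireNonNull(action, "action");
        if (descriptor == null) {
            return false;
        }
        int requested = action.getWeight();
        for (List<Set<Permission>> permissionSets : rolePermissions.values()) {
            for (Set<Permission> permissionSet : permissionSets) {
                for (Permission permission : permissionSet) {
                    if (permission.attribute == null
                            && permission.group == group
                            && descriptor.equals(permission.clazz)
                            && permission.action.getWeight() >= requested) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    /**
     * Checks whether the veto {@code action} applies to {@code property} of the
     * object identified by {@code group} and {@code descriptor}.
     *
     * The veto is lifted (result {@code false}) as soon as some role declares a less
     * restrictive veto for that attribute — one whose weight is strictly lower, e.g.
     * UNVETOED(0) or NONEDITABLE(1) against a queried DISABLED(2). Otherwise the result
     * is {@code true}. Roles are thus merged "least restrictive veto wins". Only
     * attribute-level entries built by {@link #denied} take part; object-level grants
     * carry no attribute and cannot lift a veto.
     *
     * NOTE(review): when no role declares any veto for the attribute at all this
     * returns {@code true}, i.e. the veto is treated as applying. That is the original
     * behaviour and is preserved here; presumably callers only query attributes for
     * which a veto has been declared — confirm against the callers before relying on it.
     *
     * @param group      the object group
     * @param action     the veto action being queried (must not be null)
     * @param descriptor the class descriptor of the object
     * @param property   the attribute name; {@code null} matches no entry
     * @return {@code false} if a less restrictive veto lifts it, {@code true} otherwise
     */
    public boolean isApplicableVeto(Group group, Action action, String descriptor, String property) {
        Objects.requireNonNull(action, "action");
        if (descriptor == null || property == null) {
            return true; // nothing can match, so nothing lifts the veto
        }
        int requested = action.getWeight();
        for (List<Set<Permission>> permissionSets : rolePermissions.values()) {
            for (Set<Permission> permissionSet : permissionSets) {
                for (Permission permission : permissionSet) {
                    if (permission.attribute != null
                            && permission.group == group
                            && descriptor.equals(permission.clazz)
                            && property.equals(permission.attribute)
                            && permission.action.getWeight() < requested) {
                        return false;
                    }
                }
            }
        }
        return true;
    }

    /**
     * Builds object-level grant entries (attribute {@code null}) for a class.
     *
     * @param group   the group
     * @param clas    the class descriptor
     * @param actions the granted actions
     * @return a set with one permission per distinct action
     * @throws NullPointerException if {@code group}, {@code clas} or an action is null
     */
    public static final Set<Permission> granted(Group group, String clas, Action... actions) {
        Set<Permission> granted = new HashSet<>();
        for (Action action : actions) {
            granted.add(new Permission(group, clas, action));
        }
        return granted;
    }

    /**
     * Builds attribute-level veto entries for one attribute of a class.
     *
     * @param group     the group
     * @param clas      the class descriptor
     * @param attribute the attribute the veto applies to
     * @param actions   the veto actions (INVISIBLE, DISABLED, NONEDITABLE, UNVETOED)
     * @return a set with one permission per distinct action
     * @throws NullPointerException if {@code group}, {@code clas} or an action is null
     */
    public static final Set<Permission> denied(Group group, String clas, String attribute, Action... actions) {
        Set<Permission> denied = new HashSet<>();
        for (Action action : actions) {
            denied.add(new Permission(group, clas, attribute, action));
        }
        return denied;
    }

    /**
     * One permission entry: an {@link Action} on a class ({@code clazz}) within a
     * {@link Group}, optionally narrowed to a single {@code attribute}.
     *
     * The attribute tells the two kinds of entry apart: {@code attribute == null} is an
     * object-level grant (see {@link #granted}), a non-null attribute is a veto on that
     * attribute (see {@link #denied}). Instances are immutable and implement value
     * equality so duplicates collapse when stored in a {@link Set}.
     */
    public static class Permission {
        /** Field separator used by {@link #toString()}. */
        private static final String SEPARATOR = ":";

        /** The object group the entry belongs to (never null). */
        private final Group group;

        /** The class descriptor the entry is about (never null). */
        private final String clazz;

        /** The attribute a veto applies to, or {@code null} for an object-level grant. */
        private final String attribute;

        /** The granted or vetoed action (never null). */
        private final Action action;

        /**
         * Creates an object-level (grant) permission without an attribute.
         *
         * @param group  the group
         * @param clas   the class descriptor
         * @param action the action
         * @throws NullPointerException if {@code group}, {@code clas} or {@code action} is null
         */
        public Permission(Group group, String clas, Action action) {
            this(group, clas, null, action);
        }

        /**
         * Creates a permission; attribute-level (veto) if {@code attribute} is non-null.
         *
         * @param group     the group
         * @param clas      the class descriptor
         * @param attribute the attribute the entry is narrowed to, or {@code null}
         * @param action    the action
         * @throws NullPointerException if {@code group}, {@code clas} or {@code action} is null
         */
        public Permission(Group group, String clas, String attribute, Action action) {
            // A null group/class/action could never match a check but would NPE inside
            // the lookups; reject it where the misconfiguration originates.
            this.group = Objects.requireNonNull(group, "group");
            this.clazz = Objects.requireNonNull(clas, "clas");
            this.attribute = attribute;
            this.action = Objects.requireNonNull(action, "action");
        }

        /** @return the group */
        public Group getGroup() {
            return group;
        }

        /** @return the class descriptor */
        public String getClazz() {
            return clazz;
        }

        /** @return the attribute, or {@code null} for an object-level grant */
        public String getAttribute() {
            return attribute;
        }

        /** @return the action */
        public Action getAction() {
            return action;
        }

        /** Value equality over all four fields (enums compared by identity). */
        @Override
        public boolean equals(Object other) {
            if (this == other) {
                return true;
            }
            if (!(other instanceof Permission)) {
                return false;
            }
            Permission that = (Permission) other;
            return group == that.group
                    && clazz.equals(that.clazz)
                    && Objects.equals(attribute, that.attribute)
                    && action == that.action;
        }

        @Override
        public int hashCode() {
            return Objects.hash(group, clazz, attribute, action);
        }

        /** Renders as {@code group:class:attribute:action} ("null" for a missing attribute). */
        @Override
        public String toString() {
            return group.toString() + SEPARATOR + clazz + SEPARATOR + attribute + SEPARATOR + action.toString();
        }
    }

    /**
     * The kind of object a permission refers to. Compared by identity in the lookups.
     */
    public enum Group {

        /** The blip process start. */
        PROCESS,

        /** The blip user task execute. */
        TASK,

        /** The entity. */
        ENTITY,

        /** The bean. */
        BEAN,

        /** The dto. */
        DTO;
    }

    /**
     * The actions a permission can grant or veto, ordered by weight.
     *
     * Weights are only comparable within one family: object-level grants
     * (READABLE &lt; UPDATABLE &lt; CREATABLE &lt; DELETEABLE &lt; ANY), attribute
     * vetoes (UNVETOED &lt; NONEDITABLE &lt; DISABLED &lt; INVISIBLE) and process/task
     * actions. The numeric values overlap across families, which is why the grant and
     * veto lookups filter on the presence of an attribute instead of on the weight alone.
     */
    public enum Action {
        /** can a new entity instance be CREATED. */
        CREATABLE(3),

        /** can an entity instance be READ. */
        READABLE(1),

        /** can an entity instance be UPDATED. */
        UPDATABLE(2),

        /** can an entity instance be DELETED. */
        DELETEABLE(4),

        /** can an entity instance be CREATED, READ, UPDATED and DELETED. */
        ANY(1000),

        /** is the entity.property INVISIBLE, otherwise at least visible */
        INVISIBLE(3),

        /** is entity.property DISABLED, otherwise at least enabled */
        DISABLED(2),

        /** is entity.property NONEDITABLE, otherwise at least editable */
        NONEDITABLE(1),

        /** lifts every veto on the attribute (lowest veto weight). */
        UNVETOED(0),

        /** is the blip process startable. */
        STARTABLE(1),

        /** is the blip user task event executable. */
        TASKABLE(1);

        /** Rank used by the grant/veto comparisons; see the enum documentation. */
        private final int weight;

        /**
         * Instantiates a new action.
         *
         * @param weight the rank within the action's family
         */
        private Action(int weight) {
            this.weight = weight;
        }

        /** @return the rank within the action's family */
        public int getWeight() {
            return weight;
        }

    }
}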