Examples with IPermission org.apereo.portal.security.IPermission used on opensource projects

Example 1 with IPermission

use of org.apereo.portal.security.IPermission in project uPortal by Jasig.

the class ApiPermissionsService method getAssignmentsForPerson.

@Override
public Set<Assignment> getAssignmentsForPerson(String username, boolean includeInherited) {
    Set<Assignment> rslt = new HashSet<Assignment>();
    if (StringUtils.isBlank(username)) {
        return null;
    }
    IAuthorizationPrincipal authP = this.authorizationService.newPrincipal(username, EntityEnum.PERSON.getClazz());
    // first get the permissions explicitly set for this principal
    IPermission[] directPermissions = permissionStore.select(null, authP.getPrincipalString(), null, null, null);
    for (IPermission permission : directPermissions) {
        if (authP.hasPermission(permission.getOwner(), permission.getActivity(), permission.getTarget())) {
            Assignment a = createAssignment(permission, authP, false);
            if (a != null) {
                rslt.add(a);
            }
        }
    }
    if (includeInherited) {
        IGroupMember member = GroupService.getGroupMember(authP.getKey(), authP.getType());
        for (IEntityGroup parent : member.getAncestorGroups()) {
            IAuthorizationPrincipal parentPrincipal = this.authorizationService.newPrincipal(parent);
            IPermission[] parentPermissions = permissionStore.select(null, parentPrincipal.getPrincipalString(), null, null, null);
            for (IPermission permission : parentPermissions) {
                if (authP.hasPermission(permission.getOwner(), permission.getActivity(), permission.getTarget())) {
                    Assignment a = createAssignment(permission, authP, true);
                    if (a != null) {
                        rslt.add(a);
                    }
                }
            }
        }
    }
    return rslt;
}

Example 2 with IPermission

use of org.apereo.portal.security.IPermission in project uPortal by Jasig.

the class PermissionsRESTController method getAssignmentsOnTarget.

@PreAuthorize("hasPermission('ALL', 'java.lang.String', new org.apereo.portal.spring.security.evaluator.AuthorizableActivity('UP_PERMISSIONS', 'VIEW_PERMISSIONS'))")
@RequestMapping("/assignments/target/{target}.json")
public ModelAndView getAssignmentsOnTarget(@PathVariable("target") String target, @RequestParam(value = "includeInherited", required = false) boolean includeInherited, HttpServletRequest request, HttpServletResponse response) {
    Set<UniquePermission> directAssignments = new HashSet<UniquePermission>();
    // first get the permissions explicitly set for this principal
    IPermission[] directPermissions = permissionStore.select(null, null, null, target, null);
    for (IPermission permission : directPermissions) {
        directAssignments.add(new UniquePermission(permission.getOwner(), permission.getActivity(), permission.getPrincipal(), false));
    }
    JsonEntityBean entity = groupListHelper.getEntityForPrincipal(target);
    Set<UniquePermission> inheritedAssignments = new HashSet<UniquePermission>();
    List<JsonPermission> permissions = new ArrayList<JsonPermission>();
    if (entity != null) {
        IAuthorizationPrincipal p = this.authorizationService.newPrincipal(entity.getId(), entity.getEntityType().getClazz());
        if (includeInherited) {
            IGroupMember member = GroupService.getGroupMember(p.getKey(), p.getType());
            for (IEntityGroup parent : member.getAncestorGroups()) {
                IAuthorizationPrincipal parentPrincipal = this.authorizationService.newPrincipal(parent);
                IPermission[] parentPermissions = permissionStore.select(null, null, null, parentPrincipal.getKey(), null);
                for (IPermission permission : parentPermissions) {
                    inheritedAssignments.add(new UniquePermission(permission.getOwner(), permission.getActivity(), permission.getPrincipal(), true));
                }
            }
        }
        for (UniquePermission permission : directAssignments) {
            JsonEntityBean e = groupListHelper.getEntityForPrincipal(permission.getIdentifier());
            Class<?> clazz;
            EntityEnum entityType = EntityEnum.getEntityEnum(e.getEntityTypeAsString());
            if (entityType.isGroup()) {
                clazz = IEntityGroup.class;
            } else {
                clazz = entityType.getClazz();
            }
            IAuthorizationPrincipal principal = this.authorizationService.newPrincipal(e.getId(), clazz);
            if (principal.hasPermission(permission.getOwner(), permission.getActivity(), p.getKey())) {
                permissions.add(getPermissionOnTarget(permission, entity));
            }
        }
        for (UniquePermission permission : inheritedAssignments) {
            JsonEntityBean e = groupListHelper.getEntityForPrincipal(permission.getIdentifier());
            Class<?> clazz;
            EntityEnum entityType = EntityEnum.getEntityEnum(e.getEntityTypeAsString());
            if (entityType.isGroup()) {
                clazz = IEntityGroup.class;
            } else {
                clazz = entityType.getClazz();
            }
            IAuthorizationPrincipal principal = this.authorizationService.newPrincipal(e.getId(), clazz);
            if (principal.hasPermission(permission.getOwner(), permission.getActivity(), p.getKey())) {
                permissions.add(getPermissionOnTarget(permission, entity));
            }
        }
        Collections.sort(permissions);
    }
    ModelAndView mv = new ModelAndView();
    mv.addObject("assignments", permissions);
    mv.setViewName("json");
    return mv;
}

Example 3 with IPermission

use of org.apereo.portal.security.IPermission in project uPortal by Jasig.

the class PortletDefinitionImporterExporter method savePortletDefinition.

/**
     * Save a portlet definition.
     *
     * @param definition the portlet definition
     * @param publisher the person publishing the portlet
     * @param categories the list of categories for the portlet
     * @param permissionMap a map of permission name -> list of groups who are granted that
     *     permission (Note: for now, only grant is supported and only for the FRAMEWORK_OWNER perm
     *     manager)
     */
private IPortletDefinition savePortletDefinition(IPortletDefinition definition, IPerson publisher, List<PortletCategory> categories, Map<ExternalPermissionDefinition, Set<IGroupMember>> permissionMap) {
    boolean newChannel = (definition.getPortletDefinitionId() == null);
    // save the channel
    definition = portletDefinitionDao.savePortletDefinition(definition);
    definition = portletDefinitionDao.getPortletDefinitionByFname(definition.getFName());
    final String defId = definition.getPortletDefinitionId().getStringId();
    final IEntity portletDefEntity = GroupService.getEntity(defId, IPortletDefinition.class);
    //The groups service needs to deal with concurrent modification better.
    synchronized (this.groupUpdateLock) {
        // Delete existing category memberships for this channel
        if (!newChannel) {
            for (IEntityGroup group : portletDefEntity.getAncestorGroups()) {
                group.removeChild(portletDefEntity);
                group.update();
            }
        }
        // For each category ID, add channel to category
        for (PortletCategory category : categories) {
            final IEntityGroup categoryGroup = GroupService.findGroup(category.getId());
            categoryGroup.addChild(portletDefEntity);
            categoryGroup.updateMembers();
        }
        // Set groups
        final AuthorizationService authService = AuthorizationService.instance();
        final String target = PermissionHelper.permissionTargetIdForPortletDefinition(definition);
        // Loop over the affected permission managers...
        Map<String, Collection<ExternalPermissionDefinition>> permissionsBySystem = getPermissionsBySystem(permissionMap.keySet());
        for (String system : permissionsBySystem.keySet()) {
            Collection<ExternalPermissionDefinition> systemPerms = permissionsBySystem.get(system);
            // get the permission manager for this system...
            final IUpdatingPermissionManager upm = authService.newUpdatingPermissionManager(system);
            final List<IPermission> permissions = new ArrayList<>();
            // add activity grants for each permission..
            for (ExternalPermissionDefinition permissionDef : systemPerms) {
                Set<IGroupMember> members = permissionMap.get(permissionDef);
                for (final IGroupMember member : members) {
                    final IAuthorizationPrincipal authPrincipal = authService.newPrincipal(member);
                    final IPermission permEntity = upm.newPermission(authPrincipal);
                    permEntity.setType(IPermission.PERMISSION_TYPE_GRANT);
                    permEntity.setActivity(permissionDef.getActivity());
                    permEntity.setTarget(target);
                    permissions.add(permEntity);
                }
            }
            // If modifying the channel, remove the existing permissions before adding the new ones
            if (!newChannel) {
                for (ExternalPermissionDefinition permissionName : permissionMap.keySet()) {
                    IPermission[] oldPermissions = upm.getPermissions(permissionName.getActivity(), target);
                    upm.removePermissions(oldPermissions);
                }
            }
            upm.addPermissions(permissions.toArray(new IPermission[permissions.size()]));
        }
    }
    if (logger.isDebugEnabled()) {
        logger.debug("Portlet " + defId + " has been " + (newChannel ? "published" : "modified") + ".");
    }
    return definition;
}

Example 4 with IPermission

use of org.apereo.portal.security.IPermission in project uPortal by Jasig.

the class GroupListHelperImpl method getIndividualBestRootEntity.

@Override
public JsonEntityBean getIndividualBestRootEntity(final IPerson person, final String groupType, final String permissionOwner, final String[] permissionActivities) {
    if (log.isDebugEnabled()) {
        String username = (person == null) ? "null" : person.getUserName();
        log.debug("Choosing best root group for user='" + username + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "'");
    }
    final IAuthorizationPrincipal principal = AuthorizationPrincipalHelper.principalFromUser(person);
    final JsonEntityBean canonicalRootGroup = getRootEntity(groupType);
    if (log.isDebugEnabled()) {
        log.debug("Found for groupType='" + groupType + "' the following canonicalRootGroup:  " + canonicalRootGroup);
    }
    /*
         *  First check the canonical root group for the applicable activities
         *  (NOTE: the uPortal permissions infrastructure handles checking of
         *  special, collective targets like "ALL_GROUPS" and "All_categories").
         */
    for (String activity : permissionActivities) {
        if (principal.hasPermission(permissionOwner, activity, canonicalRootGroup.getId())) {
            return canonicalRootGroup;
        }
    }
    // So much for the easy path -- see if the user has any records at all for this specific
    // owner/activity
    // Default
    JsonEntityBean rslt = null;
    final List<IPermission> permissionsOfRelevantActivity = new ArrayList<IPermission>();
    for (String activity : permissionActivities) {
        permissionsOfRelevantActivity.addAll(Arrays.asList(principal.getAllPermissions(permissionOwner, activity, null)));
    }
    if (log.isDebugEnabled()) {
        log.debug("For user='" + person.getUserName() + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "' permissionsOfRelevantTypes.size()=" + permissionsOfRelevantActivity.size());
    }
    switch(permissionsOfRelevantActivity.size()) {
        case 0:
            // No problem -- user doesn't have any of this sort of permission (leave it null)
            break;
        default:
            // root group to send back.  With luck there aren't many matches.
            for (IPermission p : permissionsOfRelevantActivity) {
                IEntityGroup groupMember = GroupService.findGroup(p.getTarget());
                final JsonEntityBean candidate = getEntity(groupMember);
                // Pass on any matches of the wrong groupType...
                if (!candidate.getEntityTypeAsString().equalsIgnoreCase(groupType)) {
                    continue;
                }
                if (rslt == null) {
                    // First allowable selection;  run with this one
                    // unless/until we're forced to make a choice.
                    rslt = candidate;
                } else {
                    // the same rich hierarchy.
                    if (candidate.getChildren().size() > rslt.getChildren().size()) {
                        rslt = candidate;
                    }
                }
            }
            break;
    }
    if (log.isDebugEnabled()) {
        log.debug("Selected for user='" + person.getUserName() + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "' the following best root group:  " + rslt);
    }
    return rslt;
}

Example 5 with IPermission

use of org.apereo.portal.security.IPermission in project uPortal by Jasig.

the class AnyUnblockedGrantPermissionPolicy method hasUnblockedPathToGrant.

/**
 * This method performs the actual, low-level checking of a single activity and target. Is IS
 * responsible for performing the same check for affiliated groups in the Groups hierarchy, but
 * it is NOT responsible for understanding the nuances of relationships some activities and/or
 * targets have with one another (e.g. MANAGE_APPROVED, ALL_PORTLETS, etc.). It performs the
 * following steps, in order:
 *
 * <ol>
 *   <li>Find out if the specified principal is <em>specifically</em> granted or denied; if an
 *       answer is found in this step, return it
 *   <li>Find out what groups this principal belongs to; convert each one to a principal and
 *       seek an answer by invoking ourselves recursively; if an answer is found in this step,
 *       return it
 *   <li>Return false (no explicit GRANT means no permission)
 * </ol>
 */
private boolean hasUnblockedPathToGrant(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target, Set<IGroupMember> seenGroups) throws GroupsException {
    if (log.isTraceEnabled()) {
        log.trace("Searching for unblocked path to GRANT for principal '{}' to " + "'{}' on target '{}' having already checked:  {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
    }
    /*
         * Step #1:  Specific GRANT/DENY attached to this principal
         */
    final IPermission[] permissions = service.getPermissionsForPrincipal(principal, owner.getFname(), activity.getFname(), target.getKey());
    final Set<IPermission> activePermissions = removeInactivePermissions(permissions);
    final boolean denyExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_DENY);
    if (denyExists) {
        // We need go no further;  DENY trumps both GRANT & inherited permissions
        return false;
    }
    final boolean grantExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_GRANT);
    if (grantExists) {
        // We need go no further;  explicit GRANT at this level of the hierarchy
        if (log.isTraceEnabled()) {
            log.trace("Found unblocked path to this permission set including a GRANT:  {}", activePermissions);
        }
        return true;
    }
    /*
         * Step #2:  Seek an answer from affiliated groups
         */
    IGroupMember principalAsGroupMember = service.getGroupMember(principal);
    if (seenGroups.contains(principalAsGroupMember)) {
        if (log.isTraceEnabled()) {
            log.trace("Declining to re-examine principal '{}' for permission to '{}' " + "on '{}' because this group is among already checked groups:  {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
        }
        return false;
    }
    seenGroups.add(principalAsGroupMember);
    Set<IEntityGroup> immediatelyContainingGroups = principalAsGroupMember.getParentGroups();
    for (IGroupMember parentGroup : immediatelyContainingGroups) {
        try {
            if (parentGroup != null) {
                IAuthorizationPrincipal parentPrincipal = service.newPrincipal(parentGroup);
                boolean parentHasUnblockedPathToGrant = hasUnblockedPathToGrantWithCache(service, parentPrincipal, owner, activity, target, seenGroups);
                if (parentHasUnblockedPathToGrant) {
                    return true;
                }
            // Parent didn't have a path to grant, fall through and try another parent (if
            // any)
            }
        } catch (Exception e) {
            // problem evaluating this path, but let's not let it stop
            // us from exploring other paths.  Though a portion of the
            // group structure is broken, permission may be granted by
            // an unbroken portion
            log.error("Error evaluating permissions of parent group [" + parentGroup + "]", e);
        }
    }
    /*
         * Step #3:  No explicit GRANT means no permission
         */
    return false;
}