Class AnyUnblockedGrantPermissionPolicy, method hasUnblockedPathToGrant:
/**
 * Performs the low-level check of a single activity/target for one principal, then for the
 * groups that (transitively) contain it. This method knows nothing about relationships between
 * activities or targets (e.g. MANAGE_APPROVED, ALL_PORTLETS); callers handle those nuances.
 *
 * <p>Evaluation order:
 * <ol>
 * <li>Permissions attached directly to {@code principal}: an active DENY closes this path
 * (returns {@code false}); otherwise an active GRANT opens it (returns {@code true}).
 * <li>Each immediate parent group of the principal is converted to a principal and evaluated
 * recursively (through the cached variant); the first parent with an unblocked path wins.
 * <li>Otherwise {@code false}: absence of an explicit GRANT is never a permission.
 * </ol>
 *
 * <p>Fail-closed behaviour: a parent path that throws while being evaluated is logged and
 * treated as "no grant via that path"; the remaining parents are still examined. {@code seenGroups}
 * is mutated to record every group member visited, so a cycle in the group hierarchy, or the same
 * group reached through two parents, is not re-examined and cannot recurse indefinitely.
 *
 * @param service the authorization service used to read permissions and resolve group members
 * @param principal the principal being evaluated at this level of the hierarchy
 * @param owner the permission owner whose fname scopes the lookup
 * @param activity the activity whose fname scopes the lookup
 * @param target the target whose key scopes the lookup
 * @param seenGroups group members already examined on this search; updated in place
 * @return {@code true} only if an active GRANT is reached without crossing an active DENY
 * @throws GroupsException if the principal's own parent groups cannot be resolved
 */
private boolean hasUnblockedPathToGrant(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target, Set<IGroupMember> seenGroups) throws GroupsException {
    if (log.isTraceEnabled()) {
        log.trace("Searching for unblocked path to GRANT for principal '{}' to '{}' on target '{}' having already checked: {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
    }

    // Step 1: records attached directly to this principal (inactive ones are discarded first).
    final IPermission[] rawPermissions = service.getPermissionsForPrincipal(principal, owner.getFname(), activity.getFname(), target.getKey());
    final Set<IPermission> activePermissions = removeInactivePermissions(rawPermissions);
    if (containsType(activePermissions, IPermission.PERMISSION_TYPE_DENY)) {
        // A DENY at this level blocks the path outright, overriding any GRANT here or inherited.
        return false;
    }
    if (containsType(activePermissions, IPermission.PERMISSION_TYPE_GRANT)) {
        if (log.isTraceEnabled()) {
            log.trace("Found unblocked path to this permission set including a GRANT: {}", activePermissions);
        }
        return true;
    }

    // Step 2: climb to the containing groups. Set.add() returns false when the member was
    // already recorded, which is the cycle/duplicate guard.
    final IGroupMember self = service.getGroupMember(principal);
    if (!seenGroups.add(self)) {
        if (log.isTraceEnabled()) {
            log.trace("Declining to re-examine principal '{}' for permission to '{}' on '{}' because this group is among already checked groups: {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
        }
        return false;
    }
    for (IGroupMember parent : self.getParentGroups()) {
        if (parent == null) {
            continue;
        }
        try {
            final IAuthorizationPrincipal parentPrincipal = service.newPrincipal(parent);
            if (hasUnblockedPathToGrantWithCache(service, parentPrincipal, owner, activity, target, seenGroups)) {
                return true;
            }
            // No grant through this parent; keep trying the others.
        } catch (Exception e) {
            // A broken portion of the group structure must not hide a GRANT reachable through an
            // intact one: log and move on to the next parent (this path simply yields no grant).
            log.error("Error evaluating permissions of parent group [" + parent + "]", e);
        }
    }

    // Step 3: nothing granted anywhere along the way.
    return false;
}
Class AuthorizationHeaderProvider, method createHeader:
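/**
 * Builds the {@code Authorization: Bearer ...} header for the current user.
 *
 * <p>The token is minted by {@code bearerService} from the username, the user's String-valued
 * person attributes, the names of all groups that (transitively) contain the user, and an
 * expiry derived from the portlet session's inactivity timeout.
 *
 * <p>Security notes: the produced header carries a credential, so its value is never written
 * to the log (only the fact that it was produced, and its expiry). The attribute dump below is
 * debug-level only but can still expose personal data; keep DEBUG off for this logger in
 * production.
 *
 * @param renderRequest the portlet request, used to identify the user and its session
 * @param renderResponse the portlet response (unused here)
 * @return a {@code Header} whose value is the bearer prefix followed by the encrypted token
 */
@Override
public Header createHeader(RenderRequest renderRequest, RenderResponse renderResponse) {
    final String username = getUsername(renderRequest);

    // Attributes: only String values are kept; values of any other type are silently dropped,
    // and an attribute whose values are all non-String is carried with an empty list.
    final Map<String, List<String>> attributes = new HashMap<>();
    final IPersonAttributes person = personAttributeDao.getPerson(username);
    if (person != null) {
        for (Entry<String, List<Object>> attribute : person.getAttributes().entrySet()) {
            final List<String> stringValues = new ArrayList<>();
            final List<Object> rawValues = attribute.getValue();
            if (rawValues != null) { // defensive: a DAO could map a name to no value list
                for (Object value : rawValues) {
                    if (value instanceof String) {
                        stringValues.add((String) value);
                    }
                }
            }
            attributes.put(attribute.getKey(), stringValues);
        }
    }
    logger.debug("Found the following user attributes for username='{}': {}", username, attributes);

    // Groups: the name (not the key) of every ancestor group; none if GroupService does not know the user.
    final List<String> groups = new ArrayList<>();
    final IGroupMember groupMember = GroupService.getGroupMember(username, IPerson.class);
    if (groupMember != null) {
        for (IEntityGroup ancestor : groupMember.getAncestorGroups()) {
            groups.add(ancestor.getName());
        }
    }
    logger.debug("Found the following group affiliations for username='{}': {}", username, groups);

    // Expiry: the instant the portlet session would time out if left idle since its last access.
    // NOTE(review): PortletSession.getMaxInactiveInterval() is negative for a session that never
    // times out, which would place this expiry in the past -- confirm how bearerService treats that.
    final PortletSession portletSession = renderRequest.getPortletSession();
    final Date expires = new Date(portletSession.getLastAccessedTime() + ((long) portletSession.getMaxInactiveInterval() * 1000L));

    final Bearer bearer = bearerService.createBearer(username, attributes, groups, expires);
    final Header rslt = new BasicHeader(Headers.AUTHORIZATION.getName(), Headers.BEARER_TOKEN_PREFIX + bearer.getEncryptedToken());
    // Deliberately not logging rslt: it contains the bearer token, i.e. a replayable credential.
    logger.debug("Produced an Authorization header for username='{}' expiring at {}", username, expires);
    return rslt;
}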
Class XalanGroupMembershipHelperBean, method isChannelDeepMemberOf:
/**
 * Reports whether the portlet published under {@code fname} is a (deep) member of the group
 * identified by {@code groupKey}.
 *
 * <p>Fail-closed: an unknown group key, an unknown or unresolvable fname, or a portlet entity
 * that GroupService cannot produce all yield {@code false}. A failure inside the portlet registry
 * is logged at WARN with its cause; the other misses are logged at DEBUG only.
 *
 * @param fname functional name of the portlet
 * @param groupKey key of the group to test membership against
 * @return {@code true} only if the group transitively contains the portlet's entity
 * @see org.apereo.portal.security.xslt.IXalanGroupMembershipHelper#isChannelDeepMemberOf(java.lang.String, java.lang.String)
 */
@Override
public boolean isChannelDeepMemberOf(String fname, String groupKey) {
    final IEntityGroup group = GroupService.findGroup(groupKey);
    if (group == null) {
        return missAt("No group found for key '" + groupKey + "'");
    }

    // Resolve the portlet definition; any registry failure is treated as "not a member".
    final IPortletDefinition definition;
    try {
        definition = this.portletDefinitionRegistry.getPortletDefinitionByFname(fname);
    } catch (Exception e) {
        this.logger.warn("Caught exception while retrieving portlet definition for fname '" + fname + "'", e);
        return false;
    }
    if (definition == null) {
        return missAt("No portlet found for key '" + fname + "'");
    }

    // Membership is evaluated on the portlet's group-system entity, keyed by its definition id.
    final String definitionId = definition.getPortletDefinitionId().getStringId();
    final IEntity portletEntity = GroupService.getEntity(definitionId, IPortletDefinition.class);
    if (portletEntity == null) {
        return missAt("No portlet found for id '" + definitionId + "'");
    }
    return group.deepContains(portletEntity);
}

/**
 * Logs {@code message} at DEBUG (when enabled) and returns {@code false}, so the "not a member"
 * exits above stay one line each.
 */
private boolean missAt(String message) {
    if (this.logger.isDebugEnabled()) {
        this.logger.debug(message);
    }
    return false;
}
Class GroupListHelperImpl, method getRootEntity:
/**
 * Returns the root entity of the tree browsed for {@code groupType}: the group whose key is
 * {@code "local.0"} for groups, or the distinguished portlet-definition group for categories.
 *
 * @param groupType the string form of an {@link EntityEnum}; only GROUP and CATEGORY have a root
 * @return the root wrapped as a {@link JsonEntityBean}
 * @throws IllegalArgumentException for any other, or unrecognised, group type
 * @see org.apereo.portal.layout.dlm.remoting.IGroupListHelper#getRootEntity(java.lang.String)
 */
public JsonEntityBean getRootEntity(String groupType) {
    final EntityEnum type = EntityEnum.getEntityEnum(groupType);
    if (EntityEnum.CATEGORY.equals(type)) {
        final IEntityGroup categoryRoot = GroupService.getDistinguishedGroup(IPortletDefinition.DISTINGUISHED_GROUP);
        return new JsonEntityBean(categoryRoot, EntityEnum.CATEGORY);
    }
    if (!EntityEnum.GROUP.equals(type)) {
        // Also covers strings getEntityEnum cannot map (presumably yielding null):
        // null never equals an enum constant, so it lands here.
        throw new IllegalArgumentException("Unable to determine a root entity for group type '" + groupType + "'");
    }
    // "local.0" is presumably the key of the local group store's root -- verify against the
    // group store configuration; the trailing flag is passed straight through to getEntity.
    return getEntity(groupType, "local.0", false);
}
Class GroupListHelperImpl, method getIndividualBestRootEntity:
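/**
 * Chooses the root group a user should start browsing from for {@code groupType}, given the
 * permission owner and activities that apply.
 *
 * <p>The canonical root ({@link #getRootEntity(String)}) is returned as soon as the user holds
 * any of {@code permissionActivities} on it (the permissions layer resolves collective targets
 * such as ALL_GROUPS itself). Otherwise every permission record the user has for those
 * activities is inspected: each target that resolves to a group of the requested type is a
 * candidate, and the candidate with the most children wins (ties keep the earlier one).
 *
 * <p>A permission whose target does not resolve to a group (GroupService.findGroup returns
 * null) is skipped rather than dereferenced; previously it would have raised a
 * NullPointerException.
 *
 * <p>NOTE(review): in the fallback the mere existence of a permission record makes its target
 * a candidate. Whether getAllPermissions can return DENY-type or inactive records is not visible
 * here; confirm this cannot surface a subtree the user is actually denied.
 *
 * @param person the user
 * @param groupType string form of the EntityEnum the tree is for
 * @param permissionOwner fname of the permission owner to check under
 * @param permissionActivities activity fnames, any one of which qualifies a root
 * @return the best root group, or {@code null} if the user has none; callers must handle null
 */
@Override
public JsonEntityBean getIndividualBestRootEntity(final IPerson person, final String groupType, final String permissionOwner, final String[] permissionActivities) {
    if (log.isDebugEnabled()) {
        log.debug("Choosing best root group for user='" + person.getUserName() + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "'");
    }
    final IAuthorizationPrincipal principal = AuthorizationPrincipalHelper.principalFromUser(person);
    final JsonEntityBean canonicalRootGroup = getRootEntity(groupType);
    if (log.isDebugEnabled()) {
        log.debug("Found for groupType='" + groupType + "' the following canonicalRootGroup: " + canonicalRootGroup);
    }

    // Easy path: the canonical root itself (collective targets are handled by the permissions layer).
    for (String activity : permissionActivities) {
        if (principal.hasPermission(permissionOwner, activity, canonicalRootGroup.getId())) {
            return canonicalRootGroup;
        }
    }

    // Fallback: gather every permission record of the relevant activities, for any target.
    final List<IPermission> permissionsOfRelevantActivity = new ArrayList<>();
    for (String activity : permissionActivities) {
        permissionsOfRelevantActivity.addAll(Arrays.asList(principal.getAllPermissions(permissionOwner, activity, null)));
    }
    if (log.isDebugEnabled()) {
        log.debug("For user='" + person.getUserName() + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "' permissionsOfRelevantTypes.size()=" + permissionsOfRelevantActivity.size());
    }

    JsonEntityBean rslt = null; // stays null when the user has no usable records
    for (IPermission p : permissionsOfRelevantActivity) {
        final IEntityGroup targetGroup = GroupService.findGroup(p.getTarget());
        if (targetGroup == null) {
            // Not a group key (e.g. a collective target such as ALL_GROUPS); skipping avoids a
            // NullPointerException further down.
            if (log.isDebugEnabled()) {
                log.debug("Permission target '" + p.getTarget() + "' does not resolve to a group; skipping");
            }
            continue;
        }
        final JsonEntityBean candidate = getEntity(targetGroup);
        if (!candidate.getEntityTypeAsString().equalsIgnoreCase(groupType)) {
            continue; // wrong kind of group for this tree
        }
        if (rslt == null || candidate.getChildren().size() > rslt.getChildren().size()) {
            // First acceptable candidate, or a richer hierarchy than the current pick.
            rslt = candidate;
        }
    }
    if (log.isDebugEnabled()) {
        log.debug("Selected for user='" + person.getUserName() + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "' the following best root group: " + rslt);
    }
    return rslt;
}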