use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class AnyUnblockedGrantPermissionPolicy method loadInCache.
/**
 * Evaluates the authorization decision for the given principal/owner/activity/target and
 * writes it into the cache, so that a later permission check can be answered from the cache.
 * Permission checks can be expensive, so priming the cache ahead of time helps performance.
 * The entry is written unconditionally: an existing entry for the same tuple is replaced and
 * its TTL starts over.
 *
 * <p>The cache key is built from the principal string, the owner fname, the activity fname
 * and the target key; none of the arguments are null-checked here.
 *
 * <p>NOTE(review): the stored value is an access-control decision. How entries are invalidated
 * when grants or group memberships change is not visible in this method; confirm that such
 * changes evict or re-prime the affected entries rather than waiting for TTL expiry.
 *
 * @param service authorization service passed through to the grant evaluation
 * @param principal principal whose access is evaluated
 * @param owner permission owner
 * @param activity permission activity
 * @param target permission target
 * @since 4.3
 */
public void loadInCache(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target) {
    // Each evaluation gets its own empty set of groups to hand to the grant search.
    final Set<IGroupMember> visitedGroups = new HashSet<>();

    // Build the key before evaluating, as the original does, so a failure while reading the
    // arguments surfaces before any permission evaluation takes place.
    final CacheTuple key = new CacheTuple(principal.getPrincipalString(), owner.getFname(), activity.getFname(), target.getKey());

    final boolean granted = hasUnblockedPathToGrant(service, principal, owner, activity, target, visitedGroups);

    // put() overwrites whatever was cached for this key.
    hasUnblockedGrantCache.put(new Element(key, granted));
}
use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class AuthorizationImpl method primGetPermissionsForPrincipal.
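/**
 * Returns the principal's permissions that match the given owner, activity and target.
 *
 * <p>A {@code null} criterion matches anything; when all three are {@code null} the principal's
 * full permission array is returned unfiltered. A non-null target matches a permission whose
 * target equals it, or whose target is the key of a group containing the target entity, so a
 * grant on a group also applies to the group's members. The set of containing groups is looked
 * up once per target string and stored in {@code entityParentsCache}.
 *
 * @param principal principal whose permissions are filtered
 * @param owner permission owner to match, or {@code null} for any
 * @param activity permission activity to match, or {@code null} for any
 * @param target permission target to match, or {@code null} for any
 * @return the matching permissions, possibly empty
 * @throws AuthorizationException not raised directly here; propagated from the lookups it calls
 */
private IPermission[] primGetPermissionsForPrincipal(IAuthorizationPrincipal principal, String owner, String activity, String target) throws AuthorizationException {
    // Start from every permission the principal holds, then narrow to the requested criteria.
    IPermission[] perms = primGetPermissionsForPrincipal(principal);
    if (owner == null && activity == null && target == null) {
        return perms;
    }
    // If there are no permissions left, no need to look through group mappings.
    if (perms.length == 0) {
        return perms;
    }

    Set<String> containingGroups;
    if (target != null) {
        // NOTE(review): the cache is keyed by the target string alone, but the value computed
        // below also depends on owner/activity (the non-entity target provider check). An entry
        // primed under one owner/activity is reused for every other owner/activity with the same
        // target string, so group-inherited grants can be missed or matched unexpectedly.
        // Other users of entityParentsCache are not visible here; confirm before changing the key.
        final Element element = this.entityParentsCache.get(target);
        if (element != null) {
            containingGroups = (Set<String>) element.getObjectValue();
        } else {
            containingGroups = new HashSet<String>();
            // Ignore target entity lookups for the various synthetic ALL targets
            if (!IPermission.ALL_CATEGORIES_TARGET.equals(target)
                    && !IPermission.ALL_GROUPS_TARGET.equals(target)
                    && !IPermission.ALL_PORTLETS_TARGET.equals(target)
                    && !IPermission.ALL_TARGET.equals(target)) {
                // UP-4410; It would be ideal if the target string indicated it was a group or entity that might be
                // a member of a group so we could determine whether to check what groups the target entity might be
                // contained within to see if the principal has permission to the containing group, but it does not
                // (too significant to refactor database values at this point). If the owner and activity strings map to
                // a type of target that might be a group name or entity name, create a set of the groups the target
                // entity is contained in.
                boolean checkTargetForContainingGroups = true;
                if (owner != null && activity != null) {
                    // NOTE(review): whether getPermissionActivity can return null for an unregistered
                    // owner/activity pair is not visible here; if it can, the next line throws
                    // NullPointerException. Confirm against the DAO contract.
                    IPermissionActivity permissionActivity = permissionOwner.getPermissionActivity(owner, activity);
                    if (nonEntityPermissionTargetProviders.contains(permissionActivity.getTargetProviderKey())) {
                        checkTargetForContainingGroups = false;
                    }
                }
                if (checkTargetForContainingGroups) {
                    log.debug("Target '{}' is an entity. Checking for group or groups containing entity", target);
                    IGroupMember targetEntity = GroupService.findGroup(target);
                    if (targetEntity == null) {
                        if (target.startsWith(IPermission.PORTLET_PREFIX)) {
                            // Strip only the leading prefix. String.replace would also delete any later
                            // occurrence of the prefix inside the key and resolve a different entity.
                            final String portletKey = target.substring(IPermission.PORTLET_PREFIX.length());
                            targetEntity = GroupService.getGroupMember(portletKey, IPortletDefinition.class);
                        } else {
                            targetEntity = GroupService.getGroupMember(target, IPerson.class);
                        }
                    }
                    if (targetEntity != null) {
                        for (IEntityGroup ancestor : targetEntity.getAncestorGroups()) {
                            containingGroups.add(ancestor.getKey());
                        }
                    }
                }
            }
            // The result is cached even when it is empty, so repeated checks skip the lookup.
            this.entityParentsCache.put(new Element(target, containingGroups));
        }
    } else {
        containingGroups = new HashSet<String>();
    }

    List<IPermission> matching = new ArrayList<IPermission>(perms.length);
    for (IPermission perm : perms) {
        String permissionTarget = perm.getTarget();
        if ((owner == null || owner.equals(perm.getOwner())) // owner matches
                && (activity == null || activity.equals(perm.getActivity())) // activity matches
                // target matches or is a member of the current permission target
                && (target == null || target.equals(permissionTarget) || containingGroups.contains(permissionTarget))) {
            matching.add(perm);
        }
    }

    if (log.isTraceEnabled()) {
        log.trace("AuthorizationImpl.primGetPermissionsForPrincipal(): " + "Principal: " + principal + " owner: " + owner + " activity: " + activity + " target: " + target + " : permissions retrieved: " + matching);
    } else if (log.isDebugEnabled()) {
        log.debug("AuthorizationImpl.primGetPermissionsForPrincipal(): " + "Principal: " + principal + " owner: " + owner + " activity: " + activity + " target: " + target + " : number of permissions retrieved: " + matching.size());
    }
    return matching.toArray(new IPermission[matching.size()]);
}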
use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class XalanGroupMembershipHelperBean method isUserDeepMemberOfGroupName.
/**
 * Reports whether the named user is a direct or indirect member of the group with the given name.
 *
 * <p>The group is resolved by an exact-name search ({@code GroupService.IS}) over groups of
 * {@code IPerson}. If no group matches, or no entity is found for the user name, the result is
 * {@code false}.
 *
 * <p>NOTE(review): when several groups share the name, only the first search result is checked
 * and a warning is logged. Whether the search order is stable is not visible here, so a
 * stylesheet that gates content on this result should use names that are unique.
 *
 * @param userName key of the user to look up
 * @param groupName name of the group to resolve
 * @return {@code true} if the resolved group deep-contains the user, otherwise {@code false}
 * @see org.apereo.portal.security.xslt.IXalanGroupMembershipHelper#isUserDeepMemberOfGroupName(java.lang.String, java.lang.String)
 */
@Override
public boolean isUserDeepMemberOfGroupName(String userName, String groupName) {
    final EntityIdentifier[] matches = GroupService.searchForGroups(groupName, GroupService.IS, IPerson.class);
    final int matchCount = (matches == null) ? 0 : matches.length;
    if (matchCount == 0) {
        return false;
    }
    if (matchCount > 1) {
        this.logger.warn(matchCount + " groups were found for '" + groupName + "'. The first result will be used.");
    }

    // The group is resolved before the user, as in the original, to keep lookup order unchanged.
    // NOTE(review): group is dereferenced below without a null check; presumably getGroupMember
    // always resolves an identifier the search just returned. Confirm.
    final IGroupMember group = GroupService.getGroupMember(matches[0]);
    final IEntity person = GroupService.getEntity(userName, IPerson.class);
    if (person != null) {
        return group.asGroup().deepContains(person);
    }

    if (this.logger.isDebugEnabled()) {
        this.logger.debug("No user found for key '" + userName + "'");
    }
    return false;
}