
Example 46 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class AnyUnblockedGrantPermissionPolicy method loadInCache.

/**
 * Computes the authorization decision for the given principal/owner/activity/target
 * combination and writes it into the grant cache, so that a later permission check can be
 * answered without repeating the (potentially expensive) evaluation. An outside actor can call
 * this to prime the cache. The entry is written unconditionally: an existing entry for the same
 * tuple is replaced, which also restarts its TTL.
 *
 * <p>The cache key is built from the principal string, the owner fname, the activity fname and
 * the target key.
 *
 * <p>NOTE(review): the value stored here is an authorization answer. Confirm that grant or
 * group-membership changes evict or reload the affected entries, otherwise a revoked
 * permission may keep being honoured until the entry expires.
 *
 * @param service authorization service handed to the evaluation
 * @param principal principal whose permission is evaluated
 * @param owner permission owner
 * @param activity permission activity
 * @param target permission target
 * @since 4.3
 */
public void loadInCache(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target) {
    // Identify the cache slot for this exact combination.
    final CacheTuple key = new CacheTuple(principal.getPrincipalString(), owner.getFname(), activity.getFname(), target.getKey());
    // A fresh, empty "seen" set is handed to every evaluation.
    final boolean granted = hasUnblockedPathToGrant(service, principal, owner, activity, target, new HashSet<IGroupMember>());
    // put() overwrites whatever was cached before for this key.
    hasUnblockedGrantCache.put(new Element(key, granted));
}
Also used : IGroupMember(org.apereo.portal.groups.IGroupMember) Element(net.sf.ehcache.Element) HashSet(java.util.HashSet)

Example 47 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class AuthorizationImpl method primGetPermissionsForPrincipal.

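/**
 * Returns the permissions held by {@code principal} that match the given owner, activity and
 * target. A {@code null} criterion matches every value; when all three are {@code null} the
 * principal's complete permission array is returned unfiltered.
 *
 * <p>A permission matches {@code target} when its own target equals {@code target}, or when
 * its target is the key of a group that contains the target entity. The set of containing
 * groups is read from {@code entityParentsCache} and computed (then cached) on a miss.
 *
 * @param principal principal whose permissions are examined
 * @param owner owner to match, or {@code null} for any owner
 * @param activity activity to match, or {@code null} for any activity
 * @param target target to match, or {@code null} for any target
 * @return the matching permissions; an empty array when none match
 * @throws AuthorizationException declared by this method; presumably raised by the
 *     per-principal permission lookup (confirm against that overload)
 */
private IPermission[] primGetPermissionsForPrincipal(IAuthorizationPrincipal principal, String owner, String activity, String target) throws AuthorizationException {
    /*
     * Get a list of all permissions for the specified principal, then iterate
     * through them to build a list of the permissions matching the specified criteria.
     */
    final IPermission[] perms = primGetPermissionsForPrincipal(principal);
    if (owner == null && activity == null && target == null) {
        return perms;
    }
    // If there are no permissions left, no need to look through group mappings.
    if (perms.length == 0) {
        return perms;
    }
    Set<String> containingGroups;
    if (target != null) {
        // NOTE(review): the cache is keyed by the target string alone, but the set computed
        // below also depends on owner and activity (the non-entity target-provider check).
        // A set cached for one owner/activity pair is therefore reused for every other pair
        // with the same target. Confirm this cannot widen or narrow an authorization decision.
        final Element element = this.entityParentsCache.get(target);
        if (element != null) {
            // Unchecked: this method only ever stores Set<String> values under these keys.
            containingGroups = (Set<String>) element.getObjectValue();
        } else {
            containingGroups = new HashSet<String>();
            // Ignore target entity lookups for the various synthetic ALL targets
            if (!IPermission.ALL_CATEGORIES_TARGET.equals(target) && !IPermission.ALL_GROUPS_TARGET.equals(target) && !IPermission.ALL_PORTLETS_TARGET.equals(target) && !IPermission.ALL_TARGET.equals(target)) {
                // UP-4410; It would be ideal if the target string indicated it was a group or entity that might be
                // a member of a group so we could determine whether to check what groups the target entity might be
                // contained within to see if the principal has permission to the containing group, but it does not
                // (too significant to refactor database values at this point).  If the owner and activity strings map to
                // a type of target that might be a group name or entity name, create a set of the groups the target
                // entity is contained in.
                boolean checkTargetForContainingGroups = true;
                if (owner != null && activity != null) {
                    // NOTE(review): the returned activity is dereferenced without a null check;
                    // confirm getPermissionActivity cannot return null for an unknown pair.
                    IPermissionActivity permissionActivity = permissionOwner.getPermissionActivity(owner, activity);
                    if (nonEntityPermissionTargetProviders.contains(permissionActivity.getTargetProviderKey())) {
                        checkTargetForContainingGroups = false;
                    }
                }
                if (checkTargetForContainingGroups) {
                    log.debug("Target '{}' is an entity. Checking for group or groups containing entity", target);
                    IGroupMember targetEntity = GroupService.findGroup(target);
                    if (targetEntity == null) {
                        if (target.startsWith(IPermission.PORTLET_PREFIX)) {
                            // Strip only the leading prefix. String.replace would also remove any
                            // later occurrence inside the key and could resolve a different entity.
                            final String portletKey = target.substring(IPermission.PORTLET_PREFIX.length());
                            targetEntity = GroupService.getGroupMember(portletKey, IPortletDefinition.class);
                        } else {
                            targetEntity = GroupService.getGroupMember(target, IPerson.class);
                        }
                    }
                    if (targetEntity != null) {
                        for (IEntityGroup ancestor : targetEntity.getAncestorGroups()) {
                            containingGroups.add(ancestor.getKey());
                        }
                    }
                }
            }
            // The (possibly empty) result is cached as well, so a miss is not recomputed.
            this.entityParentsCache.put(new Element(target, containingGroups));
        }
    } else {
        containingGroups = new HashSet<String>();
    }
    final List<IPermission> al = new ArrayList<IPermission>(perms.length);
    for (IPermission perm : perms) {
        final String permissionTarget = perm.getTarget();
        final boolean ownerMatches = owner == null || owner.equals(perm.getOwner());
        final boolean activityMatches = activity == null || activity.equals(perm.getActivity());
        // Target matches directly, or the permission is held on a group containing the target.
        final boolean targetMatches = target == null || target.equals(permissionTarget) || containingGroups.contains(permissionTarget);
        if (ownerMatches && activityMatches && targetMatches) {
            al.add(perm);
        }
    }
    if (log.isTraceEnabled()) {
        log.trace("AuthorizationImpl.primGetPermissionsForPrincipal(): " + "Principal: " + principal + " owner: " + owner + " activity: " + activity + " target: " + target + " : permissions retrieved: " + al);
    } else if (log.isDebugEnabled()) {
        log.debug("AuthorizationImpl.primGetPermissionsForPrincipal(): " + "Principal: " + principal + " owner: " + owner + " activity: " + activity + " target: " + target + " : number of permissions retrieved: " + al.size());
    }
    return al.toArray(new IPermission[al.size()]);
}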
Also used : IPermissionActivity(org.apereo.portal.permission.IPermissionActivity) Element(net.sf.ehcache.Element) ArrayList(java.util.ArrayList) IEntityGroup(org.apereo.portal.groups.IEntityGroup) IGroupMember(org.apereo.portal.groups.IGroupMember) IPerson(org.apereo.portal.security.IPerson) IPermission(org.apereo.portal.security.IPermission) IPortletDefinition(org.apereo.portal.portlet.om.IPortletDefinition)

Example 48 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class XalanGroupMembershipHelperBean method isUserDeepMemberOfGroupName.

/**
 * Answers whether the person identified by {@code userName} is contained, according to
 * {@code deepContains}, in the group whose name is exactly {@code groupName}.
 *
 * <p>Returns {@code false} when the group search yields nothing or when no person entity
 * exists for {@code userName}. When several groups share the name, a warning is logged and
 * only the first search result is consulted.
 *
 * <p>NOTE(review): with an ambiguous group name the answer depends on which group the search
 * returns first; callers that use this result for access decisions should confirm group names
 * are unique. The group member looked up from the first result is also dereferenced without a
 * null check; confirm the lookup cannot return null.
 *
 * @see org.apereo.portal.security.xslt.IXalanGroupMembershipHelper#isUserDeepMemberOfGroupName(java.lang.String, java.lang.String)
 */
@Override
public boolean isUserDeepMemberOfGroupName(String userName, String groupName) {
    final EntityIdentifier[] matches = GroupService.searchForGroups(groupName, GroupService.IS, IPerson.class);
    final int matchCount = (matches == null) ? 0 : matches.length;
    if (matchCount == 0) {
        return false;
    }
    if (matchCount > 1) {
        this.logger.warn(matchCount + " groups were found for '" + groupName + "'. The first result will be used.");
    }
    // Resolve the group before the user, in the same order as the lookups were always made.
    final IGroupMember firstMatch = GroupService.getGroupMember(matches[0]);
    final IEntity user = GroupService.getEntity(userName, IPerson.class);
    if (user != null) {
        return firstMatch.asGroup().deepContains(user);
    }
    if (this.logger.isDebugEnabled()) {
        this.logger.debug("No user found for key '" + userName + "'");
    }
    return false;
}
Also used : IGroupMember(org.apereo.portal.groups.IGroupMember) IEntity(org.apereo.portal.groups.IEntity) EntityIdentifier(org.apereo.portal.EntityIdentifier)
