
Example 6 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class AnyUnblockedGrantPermissionPolicy method hasUnblockedPathToGrant.

/**
 * Low-level check of one activity/target pair for one principal, walking up the groups
 * hierarchy. Only explicit GRANT/DENY records are consulted here; relationships between
 * activities or targets (e.g. MANAGE_APPROVED, ALL_PORTLETS) are the caller's concern.
 * Evaluation proceeds in this order:
 *
 * <ol>
 *   <li>Permissions attached directly to {@code principal}: an active DENY answers false, an
 *       active GRANT answers true
 *   <li>Otherwise each parent group of the principal is turned into a principal and evaluated
 *       recursively (through the cached variant); the first parent with an unblocked path
 *       answers true
 *   <li>Otherwise false: without an explicit GRANT there is no permission
 * </ol>
 *
 * <p>{@code seenGroups} is updated in place: the principal's group-member form is added before
 * its parents are examined, and a principal already present is not examined again, which also
 * bounds the recursion. A failure while evaluating a single parent is logged and the remaining
 * parents are still tried.
 *
 * @param service authorization service used to read permissions and build principals
 * @param principal the principal checked at this level of the hierarchy
 * @param owner permission owner whose fname selects the permission set
 * @param activity activity whose fname is checked
 * @param target target whose key is checked
 * @param seenGroups group members already visited during this search; mutated
 * @return true only when an unblocked path to an active GRANT exists
 * @throws GroupsException if the groups layer fails while resolving this principal or its
 *     parents (failures inside the per-parent recursion are caught and logged instead)
 */
private boolean hasUnblockedPathToGrant(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target, Set<IGroupMember> seenGroups) throws GroupsException {
    if (log.isTraceEnabled()) {
        log.trace("Searching for unblocked path to GRANT for principal '{}' to " + "'{}' on target '{}' having already checked:  {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
    }

    // Step 1: a permission attached directly to this principal settles the question.
    final IPermission[] assigned = service.getPermissionsForPrincipal(principal, owner.getFname(), activity.getFname(), target.getKey());
    final Set<IPermission> active = removeInactivePermissions(assigned);
    if (containsType(active, IPermission.PERMISSION_TYPE_DENY)) {
        // DENY wins over GRANT and over anything inherited from groups
        return false;
    }
    if (containsType(active, IPermission.PERMISSION_TYPE_GRANT)) {
        if (log.isTraceEnabled()) {
            log.trace("Found unblocked path to this permission set including a GRANT:  {}", active);
        }
        return true;
    }

    // Step 2: nothing explicit at this level; ask the groups this principal belongs to.
    final IGroupMember memberForm = service.getGroupMember(principal);
    if (seenGroups.contains(memberForm)) {
        if (log.isTraceEnabled()) {
            log.trace("Declining to re-examine principal '{}' for permission to '{}' " + "on '{}' because this group is among already checked groups:  {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
        }
        return false;
    }
    seenGroups.add(memberForm);
    for (IGroupMember parent : memberForm.getParentGroups()) {
        try {
            if (parent == null) {
                continue;
            }
            final IAuthorizationPrincipal parentPrincipal = service.newPrincipal(parent);
            if (hasUnblockedPathToGrantWithCache(service, parentPrincipal, owner, activity, target, seenGroups)) {
                return true;
            }
            // this parent offers no path; keep trying the others
        } catch (Exception e) {
            // A broken portion of the group structure must not hide a GRANT that is
            // reachable through an unbroken one: log and move on to the next parent.
            log.error("Error evaluating permissions of parent group [" + parent + "]", e);
        }
    }

    // Step 3: no explicit GRANT found anywhere on the path.
    return false;
}
Also used : IEntityGroup(org.apereo.portal.groups.IEntityGroup) IGroupMember(org.apereo.portal.groups.IGroupMember) IPermission(org.apereo.portal.security.IPermission) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) AuthorizationException(org.apereo.portal.AuthorizationException) GroupsException(org.apereo.portal.groups.GroupsException)

Example 7 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class AuthorizationHeaderProvider method createHeader.

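/**
 * Builds the {@code Authorization} header carrying a Bearer token for the user of the current
 * render request.
 *
 * <p>The token is created from the user's String-valued person attributes, the names of all of
 * the user's ancestor groups, and an expiry derived from the portlet session's inactivity
 * timeout. The produced header value is the encrypted token itself, so it is deliberately not
 * written to the log.
 *
 * @param renderRequest request the username and portlet session are taken from
 * @param renderResponse unused
 * @return the Authorization header ({@code Headers.BEARER_TOKEN_PREFIX} + encrypted token)
 */
@Override
public Header createHeader(RenderRequest renderRequest, RenderResponse renderResponse) {
    // Username
    final String username = getUsername(renderRequest);

    // Attributes: only String values are carried over; values of any other type are dropped
    final Map<String, List<String>> attributes = new HashMap<>();
    final IPersonAttributes person = personAttributeDao.getPerson(username);
    if (person != null) {
        for (Entry<String, List<Object>> attribute : person.getAttributes().entrySet()) {
            final List<String> values = new ArrayList<>();
            for (Object value : attribute.getValue()) {
                if (value instanceof String) {
                    values.add((String) value);
                }
            }
            attributes.put(attribute.getKey(), values);
        }
    }
    // attribute values may include personal data, hence debug level only
    logger.debug("Found the following user attributes for username='{}':  {}", username, attributes);

    // Groups: names of every ancestor group, not just the immediate parents
    final List<String> groups = new ArrayList<>();
    final IGroupMember groupMember = GroupService.getGroupMember(username, IPerson.class);
    if (groupMember != null) {
        for (IEntityGroup g : groupMember.getAncestorGroups()) {
            groups.add(g.getName());
        }
    }
    logger.debug("Found the following group affiliations for username='{}':  {}", username, groups);

    // Expiration of the Bearer token: last access plus the session's inactivity timeout.
    // NOTE(review): a non-positive maxInactiveInterval yields an expiry at or before the last
    // access time, i.e. a token that is already expired — confirm the container's semantics.
    final PortletSession portletSession = renderRequest.getPortletSession();
    final Date expires = new Date(portletSession.getLastAccessedTime() + ((long) portletSession.getMaxInactiveInterval() * 1000L));

    // Authorization header
    final Bearer bearer = bearerService.createBearer(username, attributes, groups, expires);
    final Header rslt = new BasicHeader(Headers.AUTHORIZATION.getName(), Headers.BEARER_TOKEN_PREFIX + bearer.getEncryptedToken());
    // Log that a header was produced, never its value: the value is the bearer token.
    logger.debug("Produced an Authorization header for username='{}' expiring at {}", username, expires);
    return rslt;
}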
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Date(java.util.Date) IEntityGroup(org.apereo.portal.groups.IEntityGroup) IGroupMember(org.apereo.portal.groups.IGroupMember) IPersonAttributes(org.jasig.services.persondir.IPersonAttributes) PortletSession(javax.portlet.PortletSession) Header(org.apache.http.Header) BasicHeader(org.apache.http.message.BasicHeader) ArrayList(java.util.ArrayList) List(java.util.List) Bearer(org.apereo.portal.soffit.model.v1_0.Bearer) BasicHeader(org.apache.http.message.BasicHeader)

Example 8 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class GroupListHelperImpl method search.

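/**
 * Searches the group store for entities of the given type whose name contains the search term.
 *
 * <p>Group types are searched with {@code GroupService.searchForGroups} and narrowed to
 * {@link IEntityGroup} identifiers; any other type is searched with
 * {@code GroupService.searchForEntities} and narrowed to the type's own class. Each identifier
 * of the expected type is resolved to a group member and converted with {@code getEntity}; an
 * identifier that resolves to null is logged and skipped.
 *
 * @param entityType name of the entity type, resolved through {@link EntityEnum#getEntityEnum}
 * @param searchTerm substring to match ({@code GroupService.CONTAINS})
 * @return the matching entities as JSON beans; empty when nothing matches
 * @see org.apereo.portal.layout.dlm.remoting.IGroupListHelper#search(java.lang.String, java.lang.String)
 */
@SuppressWarnings("unchecked")
public Set<JsonEntityBean> search(String entityType, String searchTerm) {
    final Set<JsonEntityBean> results = new HashSet<>();
    final EntityEnum entityEnum = EntityEnum.getEntityEnum(entityType);
    final EntityIdentifier[] identifiers;
    // Class<?> rather than a raw Class: only equality is needed below, and the wildcard keeps
    // the compiler's generic checks in force.
    final Class<?> identifierType;
    if (entityEnum.isGroup()) {
        // groups are located through searchForGroups
        identifiers = GroupService.searchForGroups(searchTerm, GroupService.CONTAINS, entityEnum.getClazz());
        identifierType = IEntityGroup.class;
    } else {
        // every other entity type is located through searchForEntities
        identifiers = GroupService.searchForEntities(searchTerm, GroupService.CONTAINS, entityEnum.getClazz());
        identifierType = entityEnum.getClazz();
    }
    for (EntityIdentifier identifier : identifiers) {
        // only identifiers of the expected type are converted
        if (!identifier.getType().equals(identifierType)) {
            continue;
        }
        final IGroupMember entity = GroupService.getGroupMember(identifier);
        if (entity == null) {
            log.warn("Grouper member entity of " + identifier.getKey() + " is null.");
            continue;
        }
        results.add(getEntity(entity));
    }
    return results;
}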
Also used : IGroupMember(org.apereo.portal.groups.IGroupMember) EntityEnum(org.apereo.portal.portlets.groupselector.EntityEnum) EntityIdentifier(org.apereo.portal.EntityIdentifier) HashSet(java.util.HashSet)

Example 9 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class ApiPermissionsService method getAssignmentsForPerson.

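/**
 * Lists the permission assignments that apply to a user.
 *
 * <p>Direct assignments are the stored permissions whose principal string is the user's own;
 * inherited ones are those of every ancestor group of the user and are only collected when
 * {@code includeInherited} is true. In both cases a stored permission is reported only when
 * {@code authP.hasPermission} confirms the user effectively holds it.
 *
 * @param username the user to inspect
 * @param includeInherited whether to also walk the user's ancestor groups
 * @return the effective assignments; empty when there are none
 */
@Override
public Set<Assignment> getAssignmentsForPerson(String username, boolean includeInherited) {
    final Set<Assignment> rslt = new HashSet<>();
    final IAuthorizationPrincipal authP = this.authorizationService.newPrincipal(username, EntityEnum.PERSON.getClazz());

    // first the permissions explicitly set for this principal
    final IPermission[] directPermissions = permissionStore.select(null, authP.getPrincipalString(), null, null, null);
    addEffectiveAssignments(rslt, directPermissions, authP, false);

    if (includeInherited) {
        final IGroupMember member = GroupService.getGroupMember(authP.getKey(), authP.getType());
        // the group store may hold no member record for this principal; elsewhere in this
        // project getGroupMember's result is null-checked, so treat null as "no groups"
        if (member != null) {
            for (IEntityGroup parent : member.getAncestorGroups()) {
                final IAuthorizationPrincipal parentPrincipal = this.authorizationService.newPrincipal(parent);
                final IPermission[] parentPermissions = permissionStore.select(null, parentPrincipal.getPrincipalString(), null, null, null);
                addEffectiveAssignments(rslt, parentPermissions, authP, true);
            }
        }
    }
    return rslt;
}

/**
 * Adds an {@link Assignment} to {@code rslt} for each permission in {@code permissions} that
 * {@code authP} effectively holds; permissions that {@code createAssignment} maps to null are
 * skipped.
 *
 * @param rslt collection the assignments are added to
 * @param permissions stored permissions of one principal (the user or one of its groups)
 * @param authP the user the assignments are reported for
 * @param inherited whether the permissions come from a group rather than the user itself
 */
private void addEffectiveAssignments(Set<Assignment> rslt, IPermission[] permissions, IAuthorizationPrincipal authP, boolean inherited) {
    for (IPermission permission : permissions) {
        if (authP.hasPermission(permission.getOwner(), permission.getActivity(), permission.getTarget())) {
            final Assignment a = createAssignment(permission, authP, inherited);
            if (a != null) {
                rslt.add(a);
            }
        }
    }
}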
Also used : IEntityGroup(org.apereo.portal.groups.IEntityGroup) IGroupMember(org.apereo.portal.groups.IGroupMember) IPermission(org.apereo.portal.security.IPermission) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) HashSet(java.util.HashSet)

Example 10 with IGroupMember

use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.

the class GroupAdministrationHelper method updateGroupMembers.

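/**
 * Update the members of an existing group in the group store.
 *
 * <p>The updater must be allowed to edit the group ({@code IPermission.EDIT_GROUP_ACTIVITY});
 * this is checked before anything is read or changed. All current children of the group are
 * removed and the members listed in the form are then added, so the form is the complete new
 * membership rather than a delta. The change is persisted through {@code group.updateMembers()}.
 *
 * @param groupForm Form representing the new group configuration
 * @param updater Updating user
 * @throws RuntimeAuthorizationException if {@code updater} may not edit the group
 * @throws IllegalArgumentException if the group, or a member named in the form, cannot be found
 */
public void updateGroupMembers(GroupForm groupForm, IPerson updater) {
    if (!canEditGroup(updater, groupForm.getKey())) {
        throw new RuntimeAuthorizationException(updater, IPermission.EDIT_GROUP_ACTIVITY, groupForm.getKey());
    }
    if (log.isDebugEnabled()) {
        log.debug("Updating group members for group form [" + groupForm.toString() + "]");
    }

    // find the current version of this group entity
    final IEntityGroup group = GroupService.findGroup(groupForm.getKey());
    if (group == null) {
        // fail with a clear message instead of a NullPointerException below
        throw new IllegalArgumentException("No group found for key '" + groupForm.getKey() + "'");
    }

    // clear the current group membership list
    // NOTE(review): children are removed while iterating over getChildren(); this assumes it
    // returns a snapshot rather than a live view — confirm against the IEntityGroup implementation
    for (IGroupMember child : group.getChildren()) {
        group.removeChild(child);
    }

    // add every member listed in the form to the group: groups are looked up with findGroup,
    // any other entity type with getGroupMember
    for (JsonEntityBean child : groupForm.getMembers()) {
        final EntityEnum type = EntityEnum.getEntityEnum(child.getEntityTypeAsString());
        if (type.isGroup()) {
            final IEntityGroup member = GroupService.findGroup(child.getId());
            if (member == null) {
                // an unresolved id would otherwise reach addChild as null
                throw new IllegalArgumentException("No group found for id '" + child.getId() + "'");
            }
            group.addChild(member);
        } else {
            final IGroupMember member = GroupService.getGroupMember(child.getId(), type.getClazz());
            if (member == null) {
                // an unresolved id would otherwise reach addChild as null
                throw new IllegalArgumentException("No " + child.getEntityTypeAsString() + " found for id '" + child.getId() + "'");
            }
            group.addChild(member);
        }
    }

    // save the group, updating both its basic information and group membership
    group.updateMembers();
}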
Also used : IEntityGroup(org.apereo.portal.groups.IEntityGroup) IGroupMember(org.apereo.portal.groups.IGroupMember) RuntimeAuthorizationException(org.apereo.portal.security.RuntimeAuthorizationException) EntityEnum(org.apereo.portal.portlets.groupselector.EntityEnum) JsonEntityBean(org.apereo.portal.layout.dlm.remoting.JsonEntityBean)
