use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class PortletCategoryRegistryImpl method getParentCategories.
/* (non-Javadoc)
* @see org.apereo.portal.portlet.registry.IPortletCategoryRegistry#getParentCategories(org.apereo.portal.portlet.om.IPortletDefinition)
*/
@Override
public Set<PortletCategory> getParentCategories(IPortletDefinition child) {
    // Look the portlet definition up as an entity in the groups system, keyed by its string id.
    final IEntity portletEntity =
            GroupService.getEntity(
                    child.getPortletDefinitionId().getStringId(), IPortletDefinition.class);

    // Only parents that report isGroup() are resolved; the group key doubles as the category id.
    // NOTE(review): getPortletCategory() is not visible here; if it can return null for an
    // unknown id, that null ends up in the returned set. Confirm against its implementation.
    final Set<PortletCategory> result = new HashSet<PortletCategory>();
    for (IGroupMember parent : portletEntity.getParentGroups()) {
        if (!parent.isGroup()) {
            continue;
        }
        result.add(getPortletCategory(parent.getKey()));
    }
    return result;
}
use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class UserGroupSkinMappingTransformerConfigurationSource method getSkinName.
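/**
 * Resolves a skin override for the requesting user from the user's group membership.
 *
 * <p>Iterates the configured group-to-skin mapping and returns the skin of the first entry whose
 * key is a group for which {@code isDeepMemberOf} holds for the user. Entries whose key is not a
 * group are skipped. The first match in the map's iteration order wins, so the outcome for a user
 * who belongs to several mapped groups depends on the ordering of the map that
 * {@code groupMemberToSkinMappingCreator} supplies (not visible in this method).
 *
 * @param request the current request, used to look up the user instance
 * @return the skin mapped to the first matching group, or {@code null} when no configured group
 *     contains the user
 */
@Override
protected String getSkinName(HttpServletRequest request) {
    final IUserInstance userInstance = this.userInstanceManager.getUserInstance(request);
    final IPerson person = userInstance.getPerson();
    final EntityIdentifier personIdentifier = person.getEntityIdentifier();
    final IGroupMember groupMember = GroupService.getGroupMember(personIdentifier);

    final Map<IGroupMember, String> groupMemberToSkinMapping = groupMemberToSkinMappingCreator.get();
    for (final Entry<IGroupMember, String> groupToSkinEntry : groupMemberToSkinMapping.entrySet()) {
        final IGroupMember group = groupToSkinEntry.getKey();
        // isGroup() is checked first so asGroup() is only called on keys that are groups.
        if (group.isGroup() && groupMember.isDeepMemberOf(group.asGroup())) {
            final String skin = groupToSkinEntry.getValue();
            getLogger().debug("Setting skin override {} for {} because they are a member of {}", new Object[] { skin, person.getUserName(), group });
            return skin;
        }
    }

    // The original message read "No user {} is not a member ...", a double negative that made
    // the log line say the opposite of what happened.
    getLogger().debug("User {} is not a member of any configured groups, no skin override will be done", person.getUserName());
    return null;
}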
use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class AnyUnblockedGrantPermissionPolicy method hasUnblockedPathToGrant.
/**
* This method performs the actual, low-level checking of a single activity and target. It IS
* responsible for performing the same check for affiliated groups in the Groups hierarchy, but
* it is NOT responsible for understanding the nuances of relationships some activities and/or
* targets have with one another (e.g. MANAGE_APPROVED, ALL_PORTLETS, etc.). It performs the
* following steps, in order:
*
* <ol>
* <li>Find out if the specified principal is <em>specifically</em> granted or denied; if an
* answer is found in this step, return it
* <li>Find out what groups this principal belongs to; convert each one to a principal and
* seek an answer by invoking ourselves recursively; if an answer is found in this step,
* return it
* <li>Return false (no explicit GRANT means no permission)
* </ol>
*/
private boolean hasUnblockedPathToGrant(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target, Set<IGroupMember> seenGroups) throws GroupsException {
if (log.isTraceEnabled()) {
log.trace("Searching for unblocked path to GRANT for principal '{}' to " + "'{}' on target '{}' having already checked: {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
}
/*
* Step #1: Specific GRANT/DENY attached to this principal
*/
final IPermission[] permissions = service.getPermissionsForPrincipal(principal, owner.getFname(), activity.getFname(), target.getKey());
// Only the permissions that survive removeInactivePermissions() take part in the decision.
final Set<IPermission> activePermissions = removeInactivePermissions(permissions);
// DENY is tested before GRANT, so a principal holding both at this level is treated as denied.
final boolean denyExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_DENY);
if (denyExists) {
// We need go no further; DENY trumps both GRANT & inherited permissions
return false;
}
final boolean grantExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_GRANT);
if (grantExists) {
// We need go no further; explicit GRANT at this level of the hierarchy
if (log.isTraceEnabled()) {
log.trace("Found unblocked path to this permission set including a GRANT: {}", activePermissions);
}
return true;
}
/*
* Step #2: Seek an answer from affiliated groups
*/
IGroupMember principalAsGroupMember = service.getGroupMember(principal);
// Cycle guard. It runs after Step #1, so a principal reached a second time still has its own
// GRANT/DENY evaluated; only the walk over its parents is skipped.
// NOTE(review): seenGroups is the same set for every branch of this search, and the recursion
// goes through hasUnblockedPathToGrantWithCache(). If that wrapper stores negative results, a
// false produced by this guard inside a group cycle could be cached; confirm against the
// cache implementation. The effect would be an unexpected denial, not an unexpected grant.
if (seenGroups.contains(principalAsGroupMember)) {
if (log.isTraceEnabled()) {
log.trace("Declining to re-examine principal '{}' for permission to '{}' " + "on '{}' because this group is among already checked groups: {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
}
return false;
}
seenGroups.add(principalAsGroupMember);
Set<IEntityGroup> immediatelyContainingGroups = principalAsGroupMember.getParentGroups();
// The first parent that yields a GRANT ends the search; a DENY on one parent only blocks the
// path through that parent, the remaining parents are still tried.
for (IGroupMember parentGroup : immediatelyContainingGroups) {
try {
if (parentGroup != null) {
IAuthorizationPrincipal parentPrincipal = service.newPrincipal(parentGroup);
boolean parentHasUnblockedPathToGrant = hasUnblockedPathToGrantWithCache(service, parentPrincipal, owner, activity, target, seenGroups);
if (parentHasUnblockedPathToGrant) {
return true;
}
// Parent didn't have a path to grant, fall through and try another parent (if
// any)
}
} catch (Exception e) {
// problem evaluating this path, but let's not let it stop
// us from exploring other paths. Though a portion of the
// group structure is broken, permission may be granted by
// an unbroken portion
// A failure here is logged and the parent contributes no GRANT; it can never turn into a
// grant, so the method still ends in false unless another parent grants.
log.error("Error evaluating permissions of parent group [" + parentGroup + "]", e);
}
}
/*
* Step #3: No explicit GRANT means no permission
*/
return false;
}
use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class AnyUnblockedGrantPermissionPolicy method doesPrincipalHavePermission.
/**
 * Decides whether a principal may perform an activity on a target.
 *
 * <p>The checks run in this order, and the first one that answers wins:
 *
 * <ol>
 *   <li>Any null argument is logged and answered with {@code false} (fail closed).
 *   <li>Unless the requested activity already is the ALL_PERMISSIONS activity, the method calls
 *       itself for PORTAL_SYSTEM / ALL_PERMISSIONS / ALL_TARGET; a {@code true} there grants.
 *   <li>For PORTLET, CATEGORY and GROUP targets the matching collective target is looked up and,
 *       if it differs from the requested target, checked by a recursive call; a {@code true}
 *       there grants.
 *   <li>Otherwise the result of {@code hasUnblockedPathToGrantWithCache} with a fresh, empty
 *       {@code seenGroups} set is returned; any exception from that search is logged and
 *       answered with {@code false}.
 * </ol>
 *
 * @return {@code true} only when one of the checks above finds a grant
 * @throws AuthorizationException declared by the signature; exceptions from the ancestor search
 *     are caught here and turned into {@code false}
 */
@Override
public boolean doesPrincipalHavePermission(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target) throws AuthorizationException {
/*
* The API states that the service, owner, and activity arguments must
* not be null. If for some reason they are null, log and fail closed.
* In our case, the principal and target must also be non-null.
*/
if (service == null || principal == null || owner == null || activity == null || target == null) {
// The trailing AuthorizationException is created only to be passed to the logger; it is not thrown.
log.error("Null argument to AnyUnblockedGrantPermissionPolicy doesPrincipalHavePermission() method " + "should not be possible. This is indicative of a potentially serious bug in the permissions " + "and authorization infrastructure; service='{}', principal='{}', owner='{}', activity='{}', " + "target='{}'", service, principal, owner, activity, target, new AuthorizationException("Null argument"));
// fail closed
return false;
}
// Is this user a super-user? (Should this logic be moved to AuthorizationImpl?)
// NOTE(review): the results of permissionOwnerDao and targetProviderRegistry lookups in this
// method are dereferenced without null checks, and these lines sit outside the try/catch
// further down. A missing activity or target provider would presumably surface as an
// exception to the caller rather than a logged false; confirm callers treat that as denial.
final IPermissionActivity allPermissionsActivity = permissionOwnerDao.getPermissionActivity(IPermission.PORTAL_SYSTEM, IPermission.ALL_PERMISSIONS_ACTIVITY);
if (!activity.equals(allPermissionsActivity)) {
// NOTE: Must check to avoid infinite recursion
final IPermissionOwner allPermissionsOwner = permissionOwnerDao.getPermissionOwner(IPermission.PORTAL_SYSTEM);
final IPermissionTarget allPermissionsTarget = targetProviderRegistry.getTargetProvider(allPermissionsActivity.getTargetProviderKey()).getTarget(IPermission.ALL_TARGET);
if (doesPrincipalHavePermission(service, principal, allPermissionsOwner, allPermissionsActivity, allPermissionsTarget)) {
// Stop checking; just return true
return true;
}
}
/*
* uPortal uses a few "special" targets that signal permission to
* perform the specified activity over an entire class of targets;
* see if one of those applies in this case.
*/
IPermissionTarget collectiveTarget = // The "collective noun" representing a class of thing
null;
// Target types other than PORTLET, CATEGORY and GROUP leave collectiveTarget null, which skips
// the collective check below.
switch(target.getTargetType()) {
case PORTLET:
collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_PORTLETS_TARGET);
break;
case CATEGORY:
collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_CATEGORIES_TARGET);
break;
case GROUP:
collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_GROUPS_TARGET);
break;
default:
}
/*
* NOTE: Cannot generalize to a collective target if we are already on
* the collective target, else StackOverflowError.
*/
if (collectiveTarget != null && !collectiveTarget.equals(target)) {
if (doesPrincipalHavePermission(service, principal, owner, activity, collectiveTarget)) {
/*
* There is a collective for this class of target,
* and the user DOES have this special permission
*/
return true;
}
}
// Search ourselves and all ancestors for an unblocked GRANT.
boolean rslt;
try {
// Track groups we've already explored to avoid infinite loop
// The set starts empty for this call; the recursive calls above each build their own.
final Set<IGroupMember> seenGroups = new HashSet<>();
rslt = hasUnblockedPathToGrantWithCache(service, principal, owner, activity, target, seenGroups);
} catch (Exception e) {
log.error("Error searching for unblocked path to grant for principal [" + principal + "]", e);
// fail closed
return false;
}
if (log.isTraceEnabled()) {
if (rslt) {
log.trace("Principal '{}' is granted permission to perform activity " + "'{}' on target '{}' under permission owning system '{}' " + "because this principal has an unblocked path to a GRANT.", principal, activity.getFname(), target.getKey(), owner.getFname());
} else {
log.trace("Principal '{}' is denied permission to perform activity '{}' " + "on target '{}' under permission owning system '{}' because this " + "principal does not have an unblocked path to a GRANT.", principal, activity.getFname(), target.getKey(), owner.getFname());
}
}
return rslt;
}
use of org.apereo.portal.groups.IGroupMember in project uPortal by Jasig.
the class AuthorizationImpl method getGroupMemberForPrincipal.
/**
* @return org.apereo.portal.groups.IGroupMember
* @param principal org.apereo.portal.security.IAuthorizationPrincipal
*/
private IGroupMember getGroupMemberForPrincipal(IAuthorizationPrincipal principal) throws GroupsException {
    // The principal's key and type are handed to the groups service to look up the group member.
    final IGroupMember member =
            GroupService.getGroupMember(principal.getKey(), principal.getType());
    logger.debug(
            "AuthorizationImpl.getGroupMemberForPrincipal(): principal [{}] got group member [{}]",
            principal,
            member);
    return member;
}