Examples with IPermissionActivity org.apereo.portal.permission.IPermissionActivity used on opensource projects

Example 16 with IPermissionActivity

use of org.apereo.portal.permission.IPermissionActivity in project uPortal by Jasig.

the class AuthorizationImpl method doesPrincipalHavePermission.

/**
 * Answers if the owner has given the principal permission to perform the activity on the
 * target, as evaluated by the policy. Params <code>policy</code>, <code>owner</code> and <code>
 * activity</code> must be non-null.
 *
 * @return boolean
 * @param principal IAuthorizationPrincipal
 * @param owner java.lang.String
 * @param activity java.lang.String
 * @param target java.lang.String
 * @exception AuthorizationException indicates authorization information could not be retrieved.
 */
@Override
@RequestCache
public boolean doesPrincipalHavePermission(IAuthorizationPrincipal principal, String owner, String activity, String target, IPermissionPolicy policy) throws AuthorizationException {
    final CacheKeyBuilder<Serializable, Serializable> cacheKeyBuilder = CacheKey.builder(AuthorizationImpl.class.getName());
    final String username = principal.getKey();
    if (IPerson.class.equals(principal.getType())) {
        cacheKeyBuilder.addTag(UsernameTaggedCacheEntryPurger.createCacheEntryTag(username));
    }
    cacheKeyBuilder.addAll(policy.getClass(), username, principal.getType(), owner, activity, target);
    final CacheKey key = cacheKeyBuilder.build();
    final Element element = this.doesPrincipalHavePermissionCache.get(key);
    if (element != null) {
        return (Boolean) element.getValue();
    }
    // fail closed
    boolean rslt = false;
    /*
         * Convert to (strongly-typed) Java objects based on interfaces in
         * o.j.p.permission before we make the actual check with IPermissionPolicy;
         * parameters that communicate something of the nature of the things they
         * represent helps us make the check(s) more intelligently.  This objects
         * were retro-fitted to IPermissionPolicy in uP 4.3;  perhaps we should do
         * the same to IAuthorizationService itself?
         */
    final IPermissionOwner ipOwner = permissionOwnerDao.getPermissionOwner(owner);
    final IPermissionActivity ipActivity = permissionOwnerDao.getPermissionActivity(owner, activity);
    if (ipActivity != null) {
        final IPermissionTargetProvider targetProvider = targetProviderRegistry.getTargetProvider(ipActivity.getTargetProviderKey());
        final IPermissionTarget ipTarget = targetProvider.getTarget(target);
        rslt = policy.doesPrincipalHavePermission(this, principal, ipOwner, ipActivity, ipTarget);
    } else {
        /*
             * This circumstance means that a piece of the fundamental Permissions data expected by
             * the code is missing in the database.  It normally happens when a newer version of the
             * uPortal code is run against an existing database, and a required data update was
             * overlooked.  This condition is not great, but probably not catastrophic;  it means
             * that no one will (or can) have the new permission.  This method returns false.
             *
             * Administrators, however, have permission to do anything, including this unknown
             * activity.  It's most common in uPortal for only Administrators to have access to
             * exotic activities, so in most cases this omission is a wash.
             *
             * We need to log a WARNing, but this method is invoked a lot, and we don't want to do
             * it incessantly.
             */
        final Long now = System.currentTimeMillis();
        final String missingDataTrackerKey = owner + ":" + activity;
        final Long lastLogMessageTime = missingDataLogTracker.get(missingDataTrackerKey);
        if (lastLogMessageTime == null || lastLogMessageTime < now - MISSING_DATA_LOG_PERIOD_MILLIS) {
            logger.warn("Activity '{}' is not defined for owner '{}';  only admins will be " + "able to access this function;  this warning usually means that expected data " + "was not imported", activity, owner);
            missingDataLogTracker.put(missingDataTrackerKey, now);
        }
        // This pass becomes a check for superuser (Portal Administrators)
        rslt = doesPrincipalHavePermission(principal, IPermission.PORTAL_SYSTEM, IPermission.ALL_PERMISSIONS_ACTIVITY, IPermission.ALL_TARGET, policy);
    }
    this.doesPrincipalHavePermissionCache.put(new Element(key, rslt));
    return rslt;
}

Example 17 with IPermissionActivity

use of org.apereo.portal.permission.IPermissionActivity in project uPortal by Jasig.

the class AuthorizationImpl method primGetPermissionsForPrincipal.

/**
 * @return IPermission[]
 * @param principal org.apereo.portal.security.IAuthorizationPrincipal
 * @param owner String
 * @param activity String
 * @param target String
 */
private IPermission[] primGetPermissionsForPrincipal(IAuthorizationPrincipal principal, String owner, String activity, String target) throws AuthorizationException {
    /*
         * Get a list of all permissions for the specified principal, then iterate
         * through them to build a list of the permissions matching the specified criteria.
         */
    IPermission[] perms = primGetPermissionsForPrincipal(principal);
    if (owner == null && activity == null && target == null) {
        return perms;
    }
    // If there are no permissions left, no need to look through group mappings.
    if (perms.length == 0) {
        return perms;
    }
    Set<String> containingGroups;
    if (target != null) {
        final Element element = this.entityParentsCache.get(target);
        if (element != null) {
            containingGroups = (Set<String>) element.getObjectValue();
        } else {
            containingGroups = new HashSet<>();
            // Ignore target entity lookups for the various synthetic ALL targets
            if (!IPermission.ALL_CATEGORIES_TARGET.equals(target) && !IPermission.ALL_GROUPS_TARGET.equals(target) && !IPermission.ALL_PORTLETS_TARGET.equals(target) && !IPermission.ALL_TARGET.equals(target)) {
                // UP-4410; It would be ideal if the target string indicated it was a group or
                // entity that might be
                // a member of a group so we could determine whether to check what groups the
                // target entity might be
                // contained within to see if the principal has permission to the containing
                // group, but it does not
                // (too significant to refactor database values at this point).  If the owner
                // and activity strings map to
                // a type of target that might be a group name or entity name, create a set of
                // the groups the target
                // entity is contained in.
                boolean checkTargetForContainingGroups = true;
                if (owner != null && activity != null) {
                    IPermissionActivity permissionActivity = permissionOwner.getPermissionActivity(owner, activity);
                    if (nonEntityPermissionTargetProviders.contains(permissionActivity.getTargetProviderKey())) {
                        checkTargetForContainingGroups = false;
                    }
                }
                if (checkTargetForContainingGroups) {
                    logger.debug("Target '{}' is an entity. Checking for group or groups containing entity", target);
                    IGroupMember targetEntity = GroupService.findGroup(target);
                    if (targetEntity == null) {
                        if (target.startsWith(IPermission.PORTLET_PREFIX)) {
                            targetEntity = GroupService.getGroupMember(target.replace(IPermission.PORTLET_PREFIX, ""), IPortletDefinition.class);
                        } else {
                            targetEntity = GroupService.getGroupMember(target, IPerson.class);
                        }
                    }
                    if (targetEntity != null) {
                        for (IEntityGroup ancestor : targetEntity.getAncestorGroups()) {
                            containingGroups.add(ancestor.getKey());
                        }
                    }
                }
            }
            this.entityParentsCache.put(new Element(target, containingGroups));
        }
    } else {
        containingGroups = new HashSet<>();
    }
    List<IPermission> al = new ArrayList<>(perms.length);
    for (int i = 0; i < perms.length; i++) {
        String permissionTarget = perms[i].getTarget();
        if (// owner matches
        (owner == null || owner.equals(perms[i].getOwner())) && // activity matches
        (activity == null || activity.equals(perms[i].getActivity())) && // target matches or is a member of the current permission target
        (target == null || target.equals(permissionTarget) || containingGroups.contains(permissionTarget))) {
            al.add(perms[i]);
        }
    }
    logger.trace("AuthorizationImpl.primGetPermissionsForPrincipal(): " + "Principal: {} owner: {} activity: {} target: {} : permissions retrieved: {}", principal, owner, activity, target, al);
    logger.debug("AuthorizationImpl.primGetPermissionsForPrincipal(): " + "Principal: {} owner: {} activity: {} target: {} : number of permissions retrieved: {}", principal, owner, activity, target, al.size());
    return ((IPermission[]) al.toArray(new IPermission[al.size()]));
}

Example 18 with IPermissionActivity

use of org.apereo.portal.permission.IPermissionActivity in project uPortal by Jasig.

the class PermissionOwnerImporterExporter method convert.

protected ExternalPermissionOwner convert(final IPermissionOwner permissionOwner) {
    if (permissionOwner == null) {
        return null;
    }
    final ExternalPermissionOwner externalPermissionOwner = new ExternalPermissionOwner();
    externalPermissionOwner.setName(permissionOwner.getName());
    externalPermissionOwner.setFname(permissionOwner.getFname());
    externalPermissionOwner.setDesc(permissionOwner.getDescription());
    final List<ExternalActivity> externalActivities = externalPermissionOwner.getActivities();
    final Set<IPermissionActivity> activities = permissionOwner.getActivities();
    for (final IPermissionActivity permissionActivity : activities) {
        final ExternalActivity externalActivity = new ExternalActivity();
        externalActivity.setName(permissionActivity.getName());
        externalActivity.setFname(permissionActivity.getFname());
        externalActivity.setDesc(permissionActivity.getDescription());
        externalActivity.setTargetProvider(permissionActivity.getTargetProviderKey());
        externalActivities.add(externalActivity);
    }
    Collections.sort(externalActivities, ExternalActivityFnameComparator.INSTANCE);
    return externalPermissionOwner;
}

Example 19 with IPermissionActivity

use of org.apereo.portal.permission.IPermissionActivity in project uPortal by Jasig.

the class PermissionOwnerImporterExporter method importData.

/* (non-Javadoc)
     * @see org.apereo.portal.io.xml.IDataImporter#importData(java.lang.Object)
     */
@Override
@Transactional
public void importData(ExternalPermissionOwner externalPermissionOwner) {
    final String name = externalPermissionOwner.getName();
    final String fname = externalPermissionOwner.getFname();
    final IPermissionOwner permissionOwner = this.permissionOwnerDao.getOrCreatePermissionOwner(name, fname);
    final String desc = externalPermissionOwner.getDesc();
    permissionOwner.setDescription(desc);
    for (final ExternalActivity externalActivity : externalPermissionOwner.getActivities()) {
        final String activityName = externalActivity.getName();
        final String activityFname = externalActivity.getFname();
        final String targetProvider = externalActivity.getTargetProvider();
        final IPermissionActivity permissionActivity = this.permissionOwnerDao.getOrCreatePermissionActivity(permissionOwner, activityName, activityFname, targetProvider);
        final String activityDesc = externalActivity.getDesc();
        permissionActivity.setDescription(activityDesc);
    }
    this.permissionOwnerDao.saveOwner(permissionOwner);
}