Search in sources :

Example 1 with IPermissionTarget

use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.

the class AnyUnblockedGrantPermissionPolicy method doesPrincipalHavePermission.

public boolean doesPrincipalHavePermission(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target) throws AuthorizationException {
    /*
         * The API states that the service, owner, and activity arguments must
         * not be null. If for some reason they are null, log and fail closed.
         * In our case, the principal and target must also be non-null.
         */
    if (service == null || principal == null || owner == null || activity == null || target == null) {
        log.error("Null argument to AnyUnblockedGrantPermissionPolicy doesPrincipalHavePermission() method " + "should not be possible.  This is indicative of a potentially serious bug in the permissions " + "and authorization infrastructure;  service='{}', principal='{}', owner='{}', activity='{}', " + "target='{}'", service, principal, owner, activity, target);
        // fail closed
        return false;
    }
    // Is this user a super-user?  (Should this logic be moved to AuthorizationImpl?)
    final IPermissionActivity allPermissionsActivity = permissionOwnerDao.getPermissionActivity(IPermission.PORTAL_SYSTEM, IPermission.ALL_PERMISSIONS_ACTIVITY);
    if (!activity.equals(allPermissionsActivity)) {
        // NOTE:  Must check to avoid infinite recursion
        final IPermissionOwner allPermissionsOwner = permissionOwnerDao.getPermissionOwner(IPermission.PORTAL_SYSTEM);
        final IPermissionTarget allPermissionsTarget = targetProviderRegistry.getTargetProvider(allPermissionsActivity.getTargetProviderKey()).getTarget(IPermission.ALL_TARGET);
        if (doesPrincipalHavePermission(service, principal, allPermissionsOwner, allPermissionsActivity, allPermissionsTarget)) {
            // Stop checking;  just return true
            return true;
        }
    }
    /*
         * uPortal uses a few "special" targets that signal permission to
         * perform the specified activity over an entire class of targets;
         * see if one of those applies in this case.
         */
    IPermissionTarget collectiveTarget = // The "collective noun" representing a class of thing
    null;
    switch(target.getTargetType()) {
        case PORTLET:
            collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_PORTLETS_TARGET);
            break;
        case CATEGORY:
            collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_CATEGORIES_TARGET);
            break;
        case GROUP:
            collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_GROUPS_TARGET);
            break;
        default:
    }
    /*
         * NOTE:  Cannot generalize to a collective target if we are already on
         * the collective target, else StackOverflowError.
         */
    if (collectiveTarget != null && !collectiveTarget.equals(target)) {
        if (doesPrincipalHavePermission(service, principal, owner, activity, collectiveTarget)) {
            /*
                 * There is a collective for this class of target,
                 * and the user DOES have this special permission
                 */
            return true;
        }
    }
    // Search ourselves and all ancestors for an unblocked GRANT.
    boolean rslt;
    try {
        // Track groups we've already explored to avoid infinite loop
        final Set<IGroupMember> seenGroups = new HashSet<>();
        rslt = hasUnblockedPathToGrantWithCache(service, principal, owner, activity, target, seenGroups);
    } catch (Exception e) {
        log.error("Error searching for unblocked path to grant for principal [" + principal + "]", e);
        // fail closed
        return false;
    }
    if (log.isTraceEnabled()) {
        if (rslt) {
            log.trace("Principal '{}' is granted permission to perform activity " + "'{}' on target '{}' under permission owning system '{}' " + "because this principal has an unblocked path to a GRANT.", principal, activity.getFname(), target.getKey(), owner.getFname());
        } else {
            log.trace("Principal '{}' is denied permission to perform activity '{}' " + "on target '{}' under permission owning system '{}' because this " + "principal does not have an unblocked path to a GRANT.", principal, activity.getFname(), target.getKey(), owner.getFname());
        }
    }
    return rslt;
}
Also used : IPermissionActivity(org.apereo.portal.permission.IPermissionActivity) IGroupMember(org.apereo.portal.groups.IGroupMember) IPermissionTarget(org.apereo.portal.permission.target.IPermissionTarget) AuthorizationException(org.apereo.portal.AuthorizationException) GroupsException(org.apereo.portal.groups.GroupsException) IPermissionOwner(org.apereo.portal.permission.IPermissionOwner) HashSet(java.util.HashSet)

Example 2 with IPermissionTarget

use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.

the class ApiPermissionsService method createAssignment.

/*
     * Implementation
     */
private Assignment createAssignment(IPermission permission, IAuthorizationPrincipal authP, boolean inherited) {
    Assignment rslt = null;
    try {
        // Owner
        IPermissionOwner owner = permissionOwnerDao.getPermissionOwner(permission.getOwner());
        Owner ownerImpl = new OwnerImpl(permission.getOwner(), owner.getName());
        // Activity
        IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(permission.getOwner(), permission.getActivity());
        Activity activityImpl = new ActivityImpl(permission.getActivity(), activity.getName());
        // Principal
        Principal principalImpl = new PrincipalImpl(authP.getKey(), authP.getPrincipalString());
        // Target
        // default
        Target targetImpl = null;
        IPermissionTargetProvider targetProvider = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey());
        IPermissionTarget target = targetProvider.getTarget(permission.getTarget());
        if (target != null) {
            targetImpl = new TargetImpl(permission.getTarget(), target.getName());
        }
        rslt = new AssignmentImpl(ownerImpl, activityImpl, principalImpl, targetImpl, inherited);
    } catch (Exception e) {
        log.warn("Exception while adding permission", e);
    }
    return rslt;
}
Also used : IPermissionActivity(org.apereo.portal.permission.IPermissionActivity) IPermissionOwner(org.apereo.portal.permission.IPermissionOwner) IPermissionActivity(org.apereo.portal.permission.IPermissionActivity) IPermissionTarget(org.apereo.portal.permission.target.IPermissionTarget) IPermissionTarget(org.apereo.portal.permission.target.IPermissionTarget) IPermissionTargetProvider(org.apereo.portal.permission.target.IPermissionTargetProvider) Principal(org.apereo.portal.api.Principal) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) PrincipalImpl(org.apereo.portal.api.PrincipalImpl) IPermissionOwner(org.apereo.portal.permission.IPermissionOwner)

Example 3 with IPermissionTarget

use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.

the class PermissionsRESTController method getTargets.

/**
     * Return a list of targets defined for a particular IPermissionActivity matching the specified
     * search query.
     *
     * @param activityId
     * @param query
     * @param req
     * @param response
     * @return
     * @throws Exception
     */
@PreAuthorize("hasPermission('string', 'ALL', new org.apereo.portal.spring.security.evaluator.AuthorizableActivity('UP_PERMISSIONS', 'VIEW_PERMISSIONS'))")
@RequestMapping(value = "/permissions/{activity}/targets.json", method = RequestMethod.GET)
public ModelAndView getTargets(@PathVariable("activity") Long activityId, @RequestParam("q") String query, HttpServletRequest req, HttpServletResponse response) throws Exception {
    IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(activityId);
    IPermissionTargetProvider provider = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey());
    SortedSet<IPermissionTarget> matchingTargets = new TreeSet<IPermissionTarget>();
    // add matching results for this identifier provider to the set
    Collection<IPermissionTarget> targets = provider.searchTargets(query);
    for (IPermissionTarget target : targets) {
        if ((StringUtils.isNotBlank(target.getName()) && target.getName().toLowerCase().contains(query)) || target.getKey().toLowerCase().contains(query)) {
            matchingTargets.addAll(targets);
        }
    }
    ModelAndView mv = new ModelAndView();
    mv.addObject("targets", targets);
    mv.setViewName("json");
    return mv;
}
Also used : IPermissionActivity(org.apereo.portal.permission.IPermissionActivity) TreeSet(java.util.TreeSet) IPermissionTarget(org.apereo.portal.permission.target.IPermissionTarget) IPermissionTargetProvider(org.apereo.portal.permission.target.IPermissionTargetProvider) ModelAndView(org.springframework.web.servlet.ModelAndView) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 4 with IPermissionTarget

use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.

the class PermissionsRESTController method getPermissionForPrincipal.

protected JsonPermission getPermissionForPrincipal(UniquePermission permission, JsonEntityBean entity) {
    JsonPermission perm = new JsonPermission();
    perm.setOwnerKey(permission.getOwner());
    perm.setActivityKey(permission.getActivity());
    perm.setTargetKey(permission.getIdentifier());
    perm.setPrincipalKey(entity.getId());
    perm.setPrincipalName(entity.getName());
    perm.setInherited(permission.isInherited());
    try {
        IPermissionOwner owner = permissionOwnerDao.getPermissionOwner(permission.getOwner());
        if (owner != null) {
            perm.setOwnerName(owner.getName());
        }
        IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(permission.getOwner(), permission.getActivity());
        if (activity != null) {
            perm.setActivityName(activity.getName());
            IPermissionTargetProvider targetProvider = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey());
            if (targetProvider != null) {
                IPermissionTarget target = targetProvider.getTarget(permission.getIdentifier());
                if (target != null) {
                    perm.setTargetName(target.getName());
                }
            }
        }
    } catch (RuntimeException e) {
        log.warn("Exception while adding permission", e);
    }
    return perm;
}
Also used : IPermissionActivity(org.apereo.portal.permission.IPermissionActivity) IPermissionTarget(org.apereo.portal.permission.target.IPermissionTarget) IPermissionTargetProvider(org.apereo.portal.permission.target.IPermissionTargetProvider) IPermissionOwner(org.apereo.portal.permission.IPermissionOwner)

Example 5 with IPermissionTarget

use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.

the class PermissionsListController method marshall.

/*
     * Private Stuff.
     */
private List<Map<String, String>> marshall(IPermission[] data) {
    // Assertions.
    if (data == null) {
        String msg = "Argument 'data' cannot be null";
        throw new IllegalArgumentException(msg);
    }
    List<Map<String, String>> rslt = new ArrayList<Map<String, String>>(data.length);
    for (IPermission p : data) {
        JsonEntityBean bean = getEntityBean(p.getPrincipal());
        Map<String, String> entry = new HashMap<String, String>();
        entry.put("owner", p.getOwner());
        entry.put("principalType", bean.getEntityTypeAsString());
        entry.put("principalName", bean.getName());
        entry.put("principalKey", p.getPrincipal());
        entry.put("activity", p.getActivity());
        entry.put("target", p.getTarget());
        entry.put("permissionType", p.getType());
        /*
             *  Attempt to find a name for this target through the permission
             *  target provider registry.  If none can be found, just use
             *  the target key.
             */
        String targetName = null;
        try {
            // attempt to get the target provider for this activity
            IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(p.getOwner(), p.getActivity());
            entry.put("activityName", activity.getName());
            IPermissionOwner owner = permissionOwnerDao.getPermissionOwner(p.getOwner());
            entry.put("ownerName", owner.getName());
            String providerKey = activity.getTargetProviderKey();
            IPermissionTargetProvider provider = targetProviderRegistry.getTargetProvider(providerKey);
            // get the target from the provider
            IPermissionTarget target = provider.getTarget(p.getTarget());
            targetName = target.getName();
        } catch (RuntimeException e) {
            // likely a result of a null activity or provider
            log.trace("Failed to resolve target name", e);
        }
        if (targetName == null) {
            targetName = p.getTarget();
        }
        entry.put("targetName", targetName);
        rslt.add(entry);
    }
    return rslt;
}
Also used : IPermissionActivity(org.apereo.portal.permission.IPermissionActivity) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) JsonEntityBean(org.apereo.portal.layout.dlm.remoting.JsonEntityBean) IPermission(org.apereo.portal.security.IPermission) IPermissionTarget(org.apereo.portal.permission.target.IPermissionTarget) IPermissionTargetProvider(org.apereo.portal.permission.target.IPermissionTargetProvider) HashMap(java.util.HashMap) Map(java.util.Map) IPermissionOwner(org.apereo.portal.permission.IPermissionOwner)

Aggregations

IPermissionActivity (org.apereo.portal.permission.IPermissionActivity)6 IPermissionTarget (org.apereo.portal.permission.target.IPermissionTarget)6 IPermissionOwner (org.apereo.portal.permission.IPermissionOwner)5 IPermissionTargetProvider (org.apereo.portal.permission.target.IPermissionTargetProvider)5 Serializable (java.io.Serializable)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 HashSet (java.util.HashSet)1 Map (java.util.Map)1 TreeSet (java.util.TreeSet)1 Element (net.sf.ehcache.Element)1 AuthorizationException (org.apereo.portal.AuthorizationException)1 Principal (org.apereo.portal.api.Principal)1 PrincipalImpl (org.apereo.portal.api.PrincipalImpl)1 RequestCache (org.apereo.portal.concurrency.caching.RequestCache)1 GroupsException (org.apereo.portal.groups.GroupsException)1 IGroupMember (org.apereo.portal.groups.IGroupMember)1 JsonEntityBean (org.apereo.portal.layout.dlm.remoting.JsonEntityBean)1 IAuthorizationPrincipal (org.apereo.portal.security.IAuthorizationPrincipal)1 IPermission (org.apereo.portal.security.IPermission)1