use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.
the class AnyUnblockedGrantPermissionPolicy method doesPrincipalHavePermission.
/**
 * Decides whether {@code principal} may perform {@code activity} on {@code target} under the
 * permission-owning system {@code owner}.
 *
 * <p>Evaluation order, each step short-circuiting to {@code true} on success:
 * <ol>
 *   <li>any {@code null} argument is logged and denied (fail closed);</li>
 *   <li>super-user check: the same question is asked recursively for the portal-wide
 *       {@code ALL_PERMISSIONS_ACTIVITY} on its {@code ALL_TARGET} (skipped when we are already
 *       evaluating that activity, which is what bounds the recursion);</li>
 *   <li>collective-target check: for PORTLET, CATEGORY and GROUP targets the question is asked
 *       recursively for the matching "all portlets/categories/groups" target (skipped when the
 *       target already is the collective one, which bounds that recursion);</li>
 *   <li>otherwise the principal and its group ancestry are searched for an unblocked GRANT via
 *       {@code hasUnblockedPathToGrantWithCache}; any exception from that search is logged and
 *       denied (fail closed).</li>
 * </ol>
 *
 * @param service the authorization service performing the evaluation; must not be null
 * @param principal the principal being checked; must not be null
 * @param owner the permission-owning system; must not be null
 * @param activity the activity being attempted; must not be null
 * @param target the target of the activity; must not be null
 * @return {@code true} only when one of the checks above finds an unblocked GRANT
 * @throws AuthorizationException as declared by the policy interface; note that only the final
 *     path search is wrapped in a try/catch, so exceptions raised by the DAO/registry lookups or
 *     by the recursive calls in steps 2 and 3 propagate to the caller
 */
public boolean doesPrincipalHavePermission(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target) throws AuthorizationException {
    /*
     * The API states that the service, owner, and activity arguments must
     * not be null. If for some reason they are null, log and fail closed.
     * In our case, the principal and target must also be non-null.
     */
    if (service == null || principal == null || owner == null || activity == null || target == null) {
        log.error("Null argument to AnyUnblockedGrantPermissionPolicy doesPrincipalHavePermission() method " + "should not be possible. This is indicative of a potentially serious bug in the permissions " + "and authorization infrastructure; service='{}', principal='{}', owner='{}', activity='{}', " + "target='{}'", service, principal, owner, activity, target);
        // fail closed
        return false;
    }
    // Is this user a super-user? (Should this logic be moved to AuthorizationImpl?)
    // NOTE(review): if the DAO returned null here, getTargetProviderKey() below would throw an
    // NPE (denial by exception rather than by returning false) -- confirm the DAO guarantees the
    // system activity exists.
    final IPermissionActivity allPermissionsActivity = permissionOwnerDao.getPermissionActivity(IPermission.PORTAL_SYSTEM, IPermission.ALL_PERMISSIONS_ACTIVITY);
    if (!activity.equals(allPermissionsActivity)) {
        // NOTE: Must check to avoid infinite recursion
        final IPermissionOwner allPermissionsOwner = permissionOwnerDao.getPermissionOwner(IPermission.PORTAL_SYSTEM);
        final IPermissionTarget allPermissionsTarget = targetProviderRegistry.getTargetProvider(allPermissionsActivity.getTargetProviderKey()).getTarget(IPermission.ALL_TARGET);
        // The recursive call evaluates ALL_PERMISSIONS_ACTIVITY itself, so it takes the
        // other branch of the equals() check above and cannot recurse into this block again.
        if (doesPrincipalHavePermission(service, principal, allPermissionsOwner, allPermissionsActivity, allPermissionsTarget)) {
            // Stop checking; just return true
            return true;
        }
    }
    /*
     * uPortal uses a few "special" targets that signal permission to
     * perform the specified activity over an entire class of targets;
     * see if one of those applies in this case.
     */
    IPermissionTarget collectiveTarget = // The "collective noun" representing a class of thing
    null;
    switch(target.getTargetType()) {
        case PORTLET:
            collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_PORTLETS_TARGET);
            break;
        case CATEGORY:
            collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_CATEGORIES_TARGET);
            break;
        case GROUP:
            collectiveTarget = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey()).getTarget(IPermission.ALL_GROUPS_TARGET);
            break;
        default:
            // Other target types have no collective target; fall through to the path search.
    }
    /*
     * NOTE: Cannot generalize to a collective target if we are already on
     * the collective target, else StackOverflowError.
     */
    if (collectiveTarget != null && !collectiveTarget.equals(target)) {
        // The recursive call is made with the collective target itself, so its own
        // equals() check above prevents a second level of recursion.
        if (doesPrincipalHavePermission(service, principal, owner, activity, collectiveTarget)) {
            /*
             * There is a collective for this class of target,
             * and the user DOES have this special permission
             */
            return true;
        }
    }
    // Search ourselves and all ancestors for an unblocked GRANT.
    boolean rslt;
    try {
        // Track groups we've already explored to avoid infinite loop
        final Set<IGroupMember> seenGroups = new HashSet<>();
        rslt = hasUnblockedPathToGrantWithCache(service, principal, owner, activity, target, seenGroups);
    } catch (Exception e) {
        // Deliberately broad: any failure while walking the group graph must deny, never grant.
        log.error("Error searching for unblocked path to grant for principal [" + principal + "]", e);
        // fail closed
        return false;
    }
    if (log.isTraceEnabled()) {
        if (rslt) {
            log.trace("Principal '{}' is granted permission to perform activity " + "'{}' on target '{}' under permission owning system '{}' " + "because this principal has an unblocked path to a GRANT.", principal, activity.getFname(), target.getKey(), owner.getFname());
        } else {
            log.trace("Principal '{}' is denied permission to perform activity '{}' " + "on target '{}' under permission owning system '{}' because this " + "principal does not have an unblocked path to a GRANT.", principal, activity.getFname(), target.getKey(), owner.getFname());
        }
    }
    return rslt;
}
use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.
the class ApiPermissionsService method createAssignment.
/*
* Implementation
*/
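/**
 * Builds the API-level {@link Assignment} view of a stored permission.
 *
 * <p>The owner and activity are required: their display names are resolved through
 * {@code permissionOwnerDao}, and when either lookup returns {@code null} the method logs a
 * warning and returns {@code null} instead of letting a NullPointerException surface as a
 * generic "Exception while adding permission". The target is optional: when the activity's
 * target provider does not know the target key, the assignment is created with a
 * {@code null} target.
 *
 * @param permission the stored permission to describe; its owner, activity and target keys
 *     are used for the lookups
 * @param authP the principal the permission is assigned to
 * @param inherited whether the assignment is inherited rather than directly granted
 * @return the assignment, or {@code null} if the owner or activity could not be resolved or
 *     any lookup threw (the exception is logged at WARN, as before)
 */
private Assignment createAssignment(IPermission permission, IAuthorizationPrincipal authP, boolean inherited) {
    Assignment rslt = null;
    try {
        // Owner -- required
        final String ownerKey = permission.getOwner();
        IPermissionOwner owner = permissionOwnerDao.getPermissionOwner(ownerKey);
        if (owner == null) {
            log.warn("Unknown permission owner '" + ownerKey + "'; cannot build assignment");
            return null;
        }
        Owner ownerImpl = new OwnerImpl(ownerKey, owner.getName());
        // Activity -- required; it also selects the target provider below
        final String activityKey = permission.getActivity();
        IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(ownerKey, activityKey);
        if (activity == null) {
            log.warn("Unknown activity '" + activityKey + "' for owner '" + ownerKey + "'; cannot build assignment");
            return null;
        }
        Activity activityImpl = new ActivityImpl(activityKey, activity.getName());
        // Principal
        Principal principalImpl = new PrincipalImpl(authP.getKey(), authP.getPrincipalString());
        // Target -- optional; only carries a name if the provider knows the key
        Target targetImpl = null;
        IPermissionTargetProvider targetProvider = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey());
        if (targetProvider != null) {
            IPermissionTarget target = targetProvider.getTarget(permission.getTarget());
            if (target != null) {
                targetImpl = new TargetImpl(permission.getTarget(), target.getName());
            }
        }
        rslt = new AssignmentImpl(ownerImpl, activityImpl, principalImpl, targetImpl, inherited);
    } catch (Exception e) {
        // Best effort: a single unresolvable permission must not break the whole listing.
        log.warn("Exception while adding permission", e);
    }
    return rslt;
}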
use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.
the class PermissionsRESTController method getTargets.
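/**
 * Return the targets defined for a particular IPermissionActivity whose name or key contains
 * the specified search query (compared case-insensitively).
 *
 * <p>The provider's own search is consulted first ({@code searchTargets(query)}); its results
 * are then filtered on name/key and returned as a sorted set under the model key
 * {@code "targets"}. An unknown activity id, or an activity without a registered target
 * provider, yields an empty result rather than an error.
 *
 * @param activityId id of the activity whose targets are searched
 * @param query substring to look for in target names and keys
 * @param req unused
 * @param response unused
 * @return a "json" view with the matching targets under {@code "targets"}
 * @throws Exception as declared by the controller contract
 */
@PreAuthorize("hasPermission('string', 'ALL', new org.apereo.portal.spring.security.evaluator.AuthorizableActivity('UP_PERMISSIONS', 'VIEW_PERMISSIONS'))")
@RequestMapping(value = "/permissions/{activity}/targets.json", method = RequestMethod.GET)
public ModelAndView getTargets(@PathVariable("activity") Long activityId, @RequestParam("q") String query, HttpServletRequest req, HttpServletResponse response) throws Exception {
    SortedSet<IPermissionTarget> matchingTargets = new TreeSet<IPermissionTarget>();
    IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(activityId);
    IPermissionTargetProvider provider = activity == null ? null : targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey());
    if (provider == null) {
        log.warn("No target provider for activity id " + activityId + "; returning no targets");
    } else {
        // Lower-case the query too: the original lowered only the target side, so any
        // upper-case character in the query could never match.
        final String needle = query.toLowerCase();
        // add matching results for this identifier provider to the set
        for (IPermissionTarget target : provider.searchTargets(query)) {
            final String name = target.getName();
            final boolean nameMatches = StringUtils.isNotBlank(name) && name.toLowerCase().contains(needle);
            if (nameMatches || target.getKey().toLowerCase().contains(needle)) {
                // Add only this target; the original added the whole result set on any match
                // and then returned the unfiltered collection anyway.
                matchingTargets.add(target);
            }
        }
    }
    ModelAndView mv = new ModelAndView();
    mv.addObject("targets", matchingTargets);
    mv.setViewName("json");
    return mv;
}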
use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.
the class PermissionsRESTController method getPermissionForPrincipal.
/**
 * Converts a {@link UniquePermission} and the principal it belongs to into a {@link JsonPermission}.
 *
 * <p>The owner, activity, target and principal keys are copied straight from the inputs. Display
 * names for the owner, activity and target are looked up through {@code permissionOwnerDao} and
 * {@code targetProviderRegistry} and set only when the respective lookup returns a value; the
 * target lookup depends on the activity (it supplies the target provider key). A
 * {@link RuntimeException} from any lookup is logged at WARN and the partially filled
 * permission is returned.
 *
 * @param permission the permission to convert
 * @param entity the principal the permission applies to
 * @return the JSON-friendly permission; never null
 */
protected JsonPermission getPermissionForPrincipal(UniquePermission permission, JsonEntityBean entity) {
    final String ownerKey = permission.getOwner();
    final String activityKey = permission.getActivity();
    final String targetKey = permission.getIdentifier();
    final JsonPermission json = new JsonPermission();
    json.setOwnerKey(ownerKey);
    json.setActivityKey(activityKey);
    json.setTargetKey(targetKey);
    json.setPrincipalKey(entity.getId());
    json.setPrincipalName(entity.getName());
    json.setInherited(permission.isInherited());
    try {
        final IPermissionOwner owner = permissionOwnerDao.getPermissionOwner(ownerKey);
        if (owner != null) {
            json.setOwnerName(owner.getName());
        }
        final IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(ownerKey, activityKey);
        if (activity == null) {
            // Without the activity there is no provider key, so no target name either.
            return json;
        }
        json.setActivityName(activity.getName());
        final IPermissionTargetProvider provider = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey());
        final IPermissionTarget target = provider == null ? null : provider.getTarget(targetKey);
        if (target != null) {
            json.setTargetName(target.getName());
        }
    } catch (RuntimeException e) {
        log.warn("Exception while adding permission", e);
    }
    return json;
}
use of org.apereo.portal.permission.target.IPermissionTarget in project uPortal by Jasig.
the class PermissionsListController method marshall.
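/*
 * Private Stuff.
 */
/**
 * Flattens permission records into the string maps the JSON view renders.
 *
 * <p>Each entry always carries the raw keys ({@code owner}, {@code principalKey},
 * {@code activity}, {@code target}, {@code permissionType}). Display names ({@code principalType},
 * {@code principalName}, {@code ownerName}, {@code activityName}, {@code targetName}) are added
 * only when they can be resolved; {@code targetName} falls back to the raw target key. Name
 * resolution is best effort: a {@code null} owner, activity, provider or target simply leaves the
 * corresponding name out (previously a null activity or target raised a NullPointerException
 * that was caught and also dropped the owner name), and any other RuntimeException is logged
 * at TRACE.
 *
 * @param data the permissions to marshal; must not be null
 * @return one map per permission, in input order
 * @throws IllegalArgumentException if {@code data} is null
 */
private List<Map<String, String>> marshall(IPermission[] data) {
    // Assertions.
    if (data == null) {
        String msg = "Argument 'data' cannot be null";
        throw new IllegalArgumentException(msg);
    }
    List<Map<String, String>> rslt = new ArrayList<>(data.length);
    for (IPermission p : data) {
        Map<String, String> entry = new HashMap<>();
        entry.put("owner", p.getOwner());
        // NOTE(review): getEntityBean() is assumed to return null for a principal that no longer
        // exists -- confirm; in that case the row is kept without principal type/name.
        JsonEntityBean bean = getEntityBean(p.getPrincipal());
        if (bean != null) {
            entry.put("principalType", bean.getEntityTypeAsString());
            entry.put("principalName", bean.getName());
        }
        entry.put("principalKey", p.getPrincipal());
        entry.put("activity", p.getActivity());
        entry.put("target", p.getTarget());
        entry.put("permissionType", p.getType());
        /*
         * Attempt to find a name for this target through the permission
         * target provider registry. If none can be found, just use
         * the target key.
         */
        String targetName = null;
        try {
            IPermissionOwner owner = permissionOwnerDao.getPermissionOwner(p.getOwner());
            if (owner != null) {
                entry.put("ownerName", owner.getName());
            }
            // the activity supplies the target provider key, so nothing below works without it
            IPermissionActivity activity = permissionOwnerDao.getPermissionActivity(p.getOwner(), p.getActivity());
            if (activity != null) {
                entry.put("activityName", activity.getName());
                IPermissionTargetProvider provider = targetProviderRegistry.getTargetProvider(activity.getTargetProviderKey());
                // get the target from the provider
                IPermissionTarget target = provider == null ? null : provider.getTarget(p.getTarget());
                if (target != null) {
                    targetName = target.getName();
                }
            }
        } catch (RuntimeException e) {
            // name resolution is decorative; never fail the listing over it
            log.trace("Failed to resolve target name", e);
        }
        if (targetName == null) {
            targetName = p.getTarget();
        }
        entry.put("targetName", targetName);
        rslt.add(entry);
    }
    return rslt;
}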