Examples with IAuthorizationPrincipal org.apereo.portal.security.IAuthorizationPrincipal used on opensource projects

Example 36 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class PortletAdministrationHelper method addPrincipalPermissionsToForm.

/*
     * Add to the form SUBSCRIBE, BROWSE, and CONFIGURE activity permissions, along with their principals,
     * assigned to the portlet.
     */
private void addPrincipalPermissionsToForm(IPortletDefinition def, PortletDefinitionForm form) {
    final String portletTargetId = PermissionHelper.permissionTargetIdForPortletDefinition(def);
    final Set<JsonEntityBean> principalBeans = new HashSet<>();
    Map<String, IPermissionManager> permManagers = new HashMap<>();
    for (PortletPermissionsOnForm perm : PortletPermissionsOnForm.values()) {
        if (!permManagers.containsKey(perm.getOwner())) {
            permManagers.put(perm.getOwner(), authorizationService.newPermissionManager(perm.getOwner()));
        }
        final IPermissionManager pm = permManagers.get(perm.getOwner());
        /* Obtain the principals that have permission for the activity on this portlet */
        final IAuthorizationPrincipal[] principals = pm.getAuthorizedPrincipals(perm.getActivity(), portletTargetId);
        for (IAuthorizationPrincipal principal : principals) {
            JsonEntityBean principalBean;
            // first assume this is a group
            final IEntityGroup group = GroupService.findGroup(principal.getKey());
            if (group != null) {
                // principal is a group
                principalBean = new JsonEntityBean(group, EntityEnum.GROUP);
            } else {
                // not a group, so it must be a person
                final IGroupMember member = authorizationService.getGroupMember(principal);
                principalBean = new JsonEntityBean(member, EntityEnum.PERSON);
                // set the name
                final String name = groupListHelper.lookupEntityName(principalBean);
                principalBean.setName(name);
            }
            principalBeans.add(principalBean);
            form.addPermission(principalBean.getTypeAndIdHash() + "_" + perm.getActivity());
        }
    }
    form.setPrincipals(principalBeans, false);
}

Example 37 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class PortletEntityRegistryImpl method checkPortletDefinitionRenderPermissions.

private IPortletDefinition checkPortletDefinitionRenderPermissions(IUserInstance userInstance, final IPortletDefinition portletDefinition) {
    if (portletDefinition == null) {
        return null;
    }
    final IPerson person = userInstance.getPerson();
    final EntityIdentifier ei = person.getEntityIdentifier();
    final IAuthorizationPrincipal ap = AuthorizationServiceFacade.instance().newPrincipal(ei.getKey(), ei.getType());
    if (ap.canRender(portletDefinition.getPortletDefinitionId().getStringId())) {
        return portletDefinition;
    }
    return null;
}

Example 38 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class AnyUnblockedGrantPermissionPolicy method hasUnblockedPathToGrant.

/**
 * This method performs the actual, low-level checking of a single activity and target. Is IS
 * responsible for performing the same check for affiliated groups in the Groups hierarchy, but
 * it is NOT responsible for understanding the nuances of relationships some activities and/or
 * targets have with one another (e.g. MANAGE_APPROVED, ALL_PORTLETS, etc.). It performs the
 * following steps, in order:
 *
 * <ol>
 *   <li>Find out if the specified principal is <em>specifically</em> granted or denied; if an
 *       answer is found in this step, return it
 *   <li>Find out what groups this principal belongs to; convert each one to a principal and
 *       seek an answer by invoking ourselves recursively; if an answer is found in this step,
 *       return it
 *   <li>Return false (no explicit GRANT means no permission)
 * </ol>
 */
private boolean hasUnblockedPathToGrant(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target, Set<IGroupMember> seenGroups) throws GroupsException {
    if (log.isTraceEnabled()) {
        log.trace("Searching for unblocked path to GRANT for principal '{}' to " + "'{}' on target '{}' having already checked:  {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
    }
    /*
         * Step #1:  Specific GRANT/DENY attached to this principal
         */
    final IPermission[] permissions = service.getPermissionsForPrincipal(principal, owner.getFname(), activity.getFname(), target.getKey());
    final Set<IPermission> activePermissions = removeInactivePermissions(permissions);
    final boolean denyExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_DENY);
    if (denyExists) {
        // We need go no further;  DENY trumps both GRANT & inherited permissions
        return false;
    }
    final boolean grantExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_GRANT);
    if (grantExists) {
        // We need go no further;  explicit GRANT at this level of the hierarchy
        if (log.isTraceEnabled()) {
            log.trace("Found unblocked path to this permission set including a GRANT:  {}", activePermissions);
        }
        return true;
    }
    /*
         * Step #2:  Seek an answer from affiliated groups
         */
    IGroupMember principalAsGroupMember = service.getGroupMember(principal);
    if (seenGroups.contains(principalAsGroupMember)) {
        if (log.isTraceEnabled()) {
            log.trace("Declining to re-examine principal '{}' for permission to '{}' " + "on '{}' because this group is among already checked groups:  {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
        }
        return false;
    }
    seenGroups.add(principalAsGroupMember);
    Set<IEntityGroup> immediatelyContainingGroups = principalAsGroupMember.getParentGroups();
    for (IGroupMember parentGroup : immediatelyContainingGroups) {
        try {
            if (parentGroup != null) {
                IAuthorizationPrincipal parentPrincipal = service.newPrincipal(parentGroup);
                boolean parentHasUnblockedPathToGrant = hasUnblockedPathToGrantWithCache(service, parentPrincipal, owner, activity, target, seenGroups);
                if (parentHasUnblockedPathToGrant) {
                    return true;
                }
            // Parent didn't have a path to grant, fall through and try another parent (if
            // any)
            }
        } catch (Exception e) {
            // problem evaluating this path, but let's not let it stop
            // us from exploring other paths.  Though a portion of the
            // group structure is broken, permission may be granted by
            // an unbroken portion
            log.error("Error evaluating permissions of parent group [" + parentGroup + "]", e);
        }
    }
    /*
         * Step #3:  No explicit GRANT means no permission
         */
    return false;
}

Example 39 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class AuthorizationImpl method getPrincipalsFromPermissions.

/**
 * Returns <code>IAuthorizationPrincipals</code> associated with the <code>IPermission[]</code>.
 *
 * @return IAuthorizationPrincipal[]
 * @param permissions IPermission[]
 */
private IAuthorizationPrincipal[] getPrincipalsFromPermissions(IPermission[] permissions) throws AuthorizationException {
    Set principals = new HashSet();
    for (int i = 0; i < permissions.length; i++) {
        IAuthorizationPrincipal principal = getPrincipal(permissions[i]);
        principals.add(principal);
    }
    return ((IAuthorizationPrincipal[]) principals.toArray(new IAuthorizationPrincipal[principals.size()]));
}

Example 40 with IAuthorizationPrincipal

use of org.apereo.portal.security.IAuthorizationPrincipal in project uPortal by Jasig.

the class AuthorizationImpl method getAllPermissionsForPrincipal.

/**
 * Returns the <code>IPermissions</code> owner has granted this <code>Principal</code> for the
 * specified activity and target. Null parameters will be ignored, that is, all <code>
 * IPermissions</code> matching the non-null parameters are retrieved. So, <code>
 * getPermissions(principal,null, null, null)</code> should retrieve all <code>IPermissions
 * </code> for a <code>Principal</code>. Note that this includes <code>IPermissions</code>
 * inherited from groups the <code>Principal</code> belongs to.
 *
 * @return org.apereo.portal.security.IPermission[]
 * @param principal IAuthorizationPrincipal
 * @param owner java.lang.String
 * @param activity java.lang.String
 * @param target java.lang.String
 * @exception AuthorizationException indicates authorization information could not be retrieved.
 */
@Override
public IPermission[] getAllPermissionsForPrincipal(IAuthorizationPrincipal principal, String owner, String activity, String target) throws AuthorizationException {
    IPermission[] perms = getPermissionsForPrincipal(principal, owner, activity, target);
    ArrayList<IPermission> al = new ArrayList<>(Arrays.asList(perms));
    Iterator i = getInheritedPrincipals(principal);
    while (i.hasNext()) {
        IAuthorizationPrincipal p = (IAuthorizationPrincipal) i.next();
        perms = getPermissionsForPrincipal(p, owner, activity, target);
        al.addAll(Arrays.asList(perms));
    }
    logger.trace("query for all permissions for principal=[{}], owner=[{}], activity=[{}], target=[{}] returned permissions [{}]", principal, owner, activity, target, al);
    return ((IPermission[]) al.toArray(new IPermission[al.size()]));
}