use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class ApiPermissionsService method getAssignmentsForPerson.
@Override
public Set<Assignment> getAssignmentsForPerson(String username, boolean includeInherited) {
Set<Assignment> rslt = new HashSet<Assignment>();
if (StringUtils.isBlank(username)) {
return null;
}
IAuthorizationPrincipal authP = this.authorizationService.newPrincipal(username, EntityEnum.PERSON.getClazz());
// first get the permissions explicitly set for this principal
IPermission[] directPermissions = permissionStore.select(null, authP.getPrincipalString(), null, null, null);
for (IPermission permission : directPermissions) {
if (authP.hasPermission(permission.getOwner(), permission.getActivity(), permission.getTarget())) {
Assignment a = createAssignment(permission, authP, false);
if (a != null) {
rslt.add(a);
}
}
}
if (includeInherited) {
IGroupMember member = GroupService.getGroupMember(authP.getKey(), authP.getType());
for (IEntityGroup parent : member.getAncestorGroups()) {
IAuthorizationPrincipal parentPrincipal = this.authorizationService.newPrincipal(parent);
IPermission[] parentPermissions = permissionStore.select(null, parentPrincipal.getPrincipalString(), null, null, null);
for (IPermission permission : parentPermissions) {
if (authP.hasPermission(permission.getOwner(), permission.getActivity(), permission.getTarget())) {
Assignment a = createAssignment(permission, authP, true);
if (a != null) {
rslt.add(a);
}
}
}
}
}
return rslt;
}
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class PermissionsRESTController method getAssignmentsOnTarget.
@PreAuthorize("hasPermission('ALL', 'java.lang.String', new org.apereo.portal.spring.security.evaluator.AuthorizableActivity('UP_PERMISSIONS', 'VIEW_PERMISSIONS'))")
@RequestMapping("/assignments/target/{target}.json")
public ModelAndView getAssignmentsOnTarget(@PathVariable("target") String target, @RequestParam(value = "includeInherited", required = false) boolean includeInherited, HttpServletRequest request, HttpServletResponse response) {
Set<UniquePermission> directAssignments = new HashSet<UniquePermission>();
// first get the permissions explicitly set for this principal
IPermission[] directPermissions = permissionStore.select(null, null, null, target, null);
for (IPermission permission : directPermissions) {
directAssignments.add(new UniquePermission(permission.getOwner(), permission.getActivity(), permission.getPrincipal(), false));
}
JsonEntityBean entity = groupListHelper.getEntityForPrincipal(target);
Set<UniquePermission> inheritedAssignments = new HashSet<UniquePermission>();
List<JsonPermission> permissions = new ArrayList<JsonPermission>();
if (entity != null) {
IAuthorizationPrincipal p = this.authorizationService.newPrincipal(entity.getId(), entity.getEntityType().getClazz());
if (includeInherited) {
IGroupMember member = GroupService.getGroupMember(p.getKey(), p.getType());
for (IEntityGroup parent : member.getAncestorGroups()) {
IAuthorizationPrincipal parentPrincipal = this.authorizationService.newPrincipal(parent);
IPermission[] parentPermissions = permissionStore.select(null, null, null, parentPrincipal.getKey(), null);
for (IPermission permission : parentPermissions) {
inheritedAssignments.add(new UniquePermission(permission.getOwner(), permission.getActivity(), permission.getPrincipal(), true));
}
}
}
for (UniquePermission permission : directAssignments) {
JsonEntityBean e = groupListHelper.getEntityForPrincipal(permission.getIdentifier());
Class<?> clazz;
EntityEnum entityType = EntityEnum.getEntityEnum(e.getEntityTypeAsString());
if (entityType.isGroup()) {
clazz = IEntityGroup.class;
} else {
clazz = entityType.getClazz();
}
IAuthorizationPrincipal principal = this.authorizationService.newPrincipal(e.getId(), clazz);
if (principal.hasPermission(permission.getOwner(), permission.getActivity(), p.getKey())) {
permissions.add(getPermissionOnTarget(permission, entity));
}
}
for (UniquePermission permission : inheritedAssignments) {
JsonEntityBean e = groupListHelper.getEntityForPrincipal(permission.getIdentifier());
Class<?> clazz;
EntityEnum entityType = EntityEnum.getEntityEnum(e.getEntityTypeAsString());
if (entityType.isGroup()) {
clazz = IEntityGroup.class;
} else {
clazz = entityType.getClazz();
}
IAuthorizationPrincipal principal = this.authorizationService.newPrincipal(e.getId(), clazz);
if (principal.hasPermission(permission.getOwner(), permission.getActivity(), p.getKey())) {
permissions.add(getPermissionOnTarget(permission, entity));
}
}
Collections.sort(permissions);
}
ModelAndView mv = new ModelAndView();
mv.addObject("assignments", permissions);
mv.setViewName("json");
return mv;
}
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class PortletDefinitionImporterExporter method savePortletDefinition.
/**
* Save a portlet definition.
*
* @param definition the portlet definition
* @param publisher the person publishing the portlet
* @param categories the list of categories for the portlet
* @param permissionMap a map of permission name -> list of groups who are granted that
* permission (Note: for now, only grant is supported and only for the FRAMEWORK_OWNER perm
* manager)
*/
private IPortletDefinition savePortletDefinition(IPortletDefinition definition, IPerson publisher, List<PortletCategory> categories, Map<ExternalPermissionDefinition, Set<IGroupMember>> permissionMap) {
boolean newChannel = (definition.getPortletDefinitionId() == null);
// save the channel
definition = portletDefinitionDao.savePortletDefinition(definition);
definition = portletDefinitionDao.getPortletDefinitionByFname(definition.getFName());
final String defId = definition.getPortletDefinitionId().getStringId();
final IEntity portletDefEntity = GroupService.getEntity(defId, IPortletDefinition.class);
//The groups service needs to deal with concurrent modification better.
synchronized (this.groupUpdateLock) {
// Delete existing category memberships for this channel
if (!newChannel) {
for (IEntityGroup group : portletDefEntity.getAncestorGroups()) {
group.removeChild(portletDefEntity);
group.update();
}
}
// For each category ID, add channel to category
for (PortletCategory category : categories) {
final IEntityGroup categoryGroup = GroupService.findGroup(category.getId());
categoryGroup.addChild(portletDefEntity);
categoryGroup.updateMembers();
}
// Set groups
final AuthorizationService authService = AuthorizationService.instance();
final String target = PermissionHelper.permissionTargetIdForPortletDefinition(definition);
// Loop over the affected permission managers...
Map<String, Collection<ExternalPermissionDefinition>> permissionsBySystem = getPermissionsBySystem(permissionMap.keySet());
for (String system : permissionsBySystem.keySet()) {
Collection<ExternalPermissionDefinition> systemPerms = permissionsBySystem.get(system);
// get the permission manager for this system...
final IUpdatingPermissionManager upm = authService.newUpdatingPermissionManager(system);
final List<IPermission> permissions = new ArrayList<>();
// add activity grants for each permission..
for (ExternalPermissionDefinition permissionDef : systemPerms) {
Set<IGroupMember> members = permissionMap.get(permissionDef);
for (final IGroupMember member : members) {
final IAuthorizationPrincipal authPrincipal = authService.newPrincipal(member);
final IPermission permEntity = upm.newPermission(authPrincipal);
permEntity.setType(IPermission.PERMISSION_TYPE_GRANT);
permEntity.setActivity(permissionDef.getActivity());
permEntity.setTarget(target);
permissions.add(permEntity);
}
}
// If modifying the channel, remove the existing permissions before adding the new ones
if (!newChannel) {
for (ExternalPermissionDefinition permissionName : permissionMap.keySet()) {
IPermission[] oldPermissions = upm.getPermissions(permissionName.getActivity(), target);
upm.removePermissions(oldPermissions);
}
}
upm.addPermissions(permissions.toArray(new IPermission[permissions.size()]));
}
}
if (logger.isDebugEnabled()) {
logger.debug("Portlet " + defId + " has been " + (newChannel ? "published" : "modified") + ".");
}
return definition;
}
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class GroupListHelperImpl method getIndividualBestRootEntity.
@Override
public JsonEntityBean getIndividualBestRootEntity(final IPerson person, final String groupType, final String permissionOwner, final String[] permissionActivities) {
if (log.isDebugEnabled()) {
String username = (person == null) ? "null" : person.getUserName();
log.debug("Choosing best root group for user='" + username + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "'");
}
final IAuthorizationPrincipal principal = AuthorizationPrincipalHelper.principalFromUser(person);
final JsonEntityBean canonicalRootGroup = getRootEntity(groupType);
if (log.isDebugEnabled()) {
log.debug("Found for groupType='" + groupType + "' the following canonicalRootGroup: " + canonicalRootGroup);
}
/*
* First check the canonical root group for the applicable activities
* (NOTE: the uPortal permissions infrastructure handles checking of
* special, collective targets like "ALL_GROUPS" and "All_categories").
*/
for (String activity : permissionActivities) {
if (principal.hasPermission(permissionOwner, activity, canonicalRootGroup.getId())) {
return canonicalRootGroup;
}
}
// So much for the easy path -- see if the user has any records at all for this specific
// owner/activity
// Default
JsonEntityBean rslt = null;
final List<IPermission> permissionsOfRelevantActivity = new ArrayList<IPermission>();
for (String activity : permissionActivities) {
permissionsOfRelevantActivity.addAll(Arrays.asList(principal.getAllPermissions(permissionOwner, activity, null)));
}
if (log.isDebugEnabled()) {
log.debug("For user='" + person.getUserName() + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "' permissionsOfRelevantTypes.size()=" + permissionsOfRelevantActivity.size());
}
switch(permissionsOfRelevantActivity.size()) {
case 0:
// No problem -- user doesn't have any of this sort of permission (leave it null)
break;
default:
// root group to send back. With luck there aren't many matches.
for (IPermission p : permissionsOfRelevantActivity) {
IEntityGroup groupMember = GroupService.findGroup(p.getTarget());
final JsonEntityBean candidate = getEntity(groupMember);
// Pass on any matches of the wrong groupType...
if (!candidate.getEntityTypeAsString().equalsIgnoreCase(groupType)) {
continue;
}
if (rslt == null) {
// First allowable selection; run with this one
// unless/until we're forced to make a choice.
rslt = candidate;
} else {
// the same rich hierarchy.
if (candidate.getChildren().size() > rslt.getChildren().size()) {
rslt = candidate;
}
}
}
break;
}
if (log.isDebugEnabled()) {
log.debug("Selected for user='" + person.getUserName() + "', groupType='" + groupType + "', permissionOwner='" + permissionOwner + "', permissionActivities='" + Arrays.toString(permissionActivities) + "' the following best root group: " + rslt);
}
return rslt;
}
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class AnyUnblockedGrantPermissionPolicy method hasUnblockedPathToGrant.
/**
* This method performs the actual, low-level checking of a single activity and target. Is IS
* responsible for performing the same check for affiliated groups in the Groups hierarchy, but
* it is NOT responsible for understanding the nuances of relationships some activities and/or
* targets have with one another (e.g. MANAGE_APPROVED, ALL_PORTLETS, etc.). It performs the
* following steps, in order:
*
* <ol>
* <li>Find out if the specified principal is <em>specifically</em> granted or denied; if an
* answer is found in this step, return it
* <li>Find out what groups this principal belongs to; convert each one to a principal and
* seek an answer by invoking ourselves recursively; if an answer is found in this step,
* return it
* <li>Return false (no explicit GRANT means no permission)
* </ol>
*/
private boolean hasUnblockedPathToGrant(IAuthorizationService service, IAuthorizationPrincipal principal, IPermissionOwner owner, IPermissionActivity activity, IPermissionTarget target, Set<IGroupMember> seenGroups) throws GroupsException {
if (log.isTraceEnabled()) {
log.trace("Searching for unblocked path to GRANT for principal '{}' to " + "'{}' on target '{}' having already checked: {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
}
/*
* Step #1: Specific GRANT/DENY attached to this principal
*/
final IPermission[] permissions = service.getPermissionsForPrincipal(principal, owner.getFname(), activity.getFname(), target.getKey());
final Set<IPermission> activePermissions = removeInactivePermissions(permissions);
final boolean denyExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_DENY);
if (denyExists) {
// We need go no further; DENY trumps both GRANT & inherited permissions
return false;
}
final boolean grantExists = containsType(activePermissions, IPermission.PERMISSION_TYPE_GRANT);
if (grantExists) {
// We need go no further; explicit GRANT at this level of the hierarchy
if (log.isTraceEnabled()) {
log.trace("Found unblocked path to this permission set including a GRANT: {}", activePermissions);
}
return true;
}
/*
* Step #2: Seek an answer from affiliated groups
*/
IGroupMember principalAsGroupMember = service.getGroupMember(principal);
if (seenGroups.contains(principalAsGroupMember)) {
if (log.isTraceEnabled()) {
log.trace("Declining to re-examine principal '{}' for permission to '{}' " + "on '{}' because this group is among already checked groups: {}", principal.getKey(), activity.getFname(), target.getKey(), seenGroups);
}
return false;
}
seenGroups.add(principalAsGroupMember);
Set<IEntityGroup> immediatelyContainingGroups = principalAsGroupMember.getParentGroups();
for (IGroupMember parentGroup : immediatelyContainingGroups) {
try {
if (parentGroup != null) {
IAuthorizationPrincipal parentPrincipal = service.newPrincipal(parentGroup);
boolean parentHasUnblockedPathToGrant = hasUnblockedPathToGrantWithCache(service, parentPrincipal, owner, activity, target, seenGroups);
if (parentHasUnblockedPathToGrant) {
return true;
}
// Parent didn't have a path to grant, fall through and try another parent (if
// any)
}
} catch (Exception e) {
// problem evaluating this path, but let's not let it stop
// us from exploring other paths. Though a portion of the
// group structure is broken, permission may be granted by
// an unbroken portion
log.error("Error evaluating permissions of parent group [" + parentGroup + "]", e);
}
}
/*
* Step #3: No explicit GRANT means no permission
*/
return false;
}
Aggregations