Example 16 with IPermission
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class PermissionsRESTController method getPermissionsForEntity.
protected List<JsonPermission> getPermissionsForEntity(JsonEntityBean entity, boolean includeInherited) {
Set<UniquePermission> directAssignments = new HashSet<UniquePermission>();
IAuthorizationPrincipal p = this.authorizationService.newPrincipal(entity.getId(), entity.getEntityType().getClazz());
// first get the permissions explicitly set for this principal
IPermission[] directPermissions = permissionStore.select(null, p.getPrincipalString(), null, null, null);
for (IPermission permission : directPermissions) {
directAssignments.add(new UniquePermission(permission.getOwner(), permission.getActivity(), permission.getTarget(), false));
}
Set<UniquePermission> inheritedAssignments = new HashSet<UniquePermission>();
if (includeInherited) {
IGroupMember member = GroupService.getGroupMember(p.getKey(), p.getType());
for (IEntityGroup parent : member.getAncestorGroups()) {
IAuthorizationPrincipal parentPrincipal = this.authorizationService.newPrincipal(parent);
IPermission[] parentPermissions = permissionStore.select(null, parentPrincipal.getPrincipalString(), null, null, null);
for (IPermission permission : parentPermissions) {
inheritedAssignments.add(new UniquePermission(permission.getOwner(), permission.getActivity(), permission.getTarget(), true));
}
}
}
List<JsonPermission> rslt = new ArrayList<JsonPermission>();
for (UniquePermission permission : directAssignments) {
if (p.hasPermission(permission.getOwner(), permission.getActivity(), permission.getIdentifier())) {
rslt.add(getPermissionForPrincipal(permission, entity));
}
}
for (UniquePermission permission : inheritedAssignments) {
if (p.hasPermission(permission.getOwner(), permission.getActivity(), permission.getIdentifier())) {
rslt.add(getPermissionForPrincipal(permission, entity));
}
}
Collections.sort(rslt);
return rslt;
}
Also used :
IEntityGroup(org.apereo.portal.groups.IEntityGroup)
IGroupMember(org.apereo.portal.groups.IGroupMember)
IPermission(org.apereo.portal.security.IPermission)
IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal)
ArrayList(java.util.ArrayList)
HashSet(java.util.HashSet)
Example 17 with IPermission
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class PermissionAdministrationHelper method getCurrentPrincipals.
public Set<String> getCurrentPrincipals(IPermissionOwner owner, IPermissionActivity activity, String targetKey) {
// Find permissions that match the inputs from the IPermissionStore
IPermission[] permissions = permissionStore.select(owner.getFname(), null, activity.getFname(), targetKey, null);
// Build the set of existing assignments
Set<String> principals = new HashSet<String>();
for (IPermission p : permissions) {
principals.add(p.getPrincipal());
}
return principals;
}
Also used :
IPermission(org.apereo.portal.security.IPermission)
HashSet(java.util.HashSet)
Example 18 with IPermission
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class PermissionAssignmentMapController method updatePermission.
@RequestMapping(value = "/updatePermission", method = RequestMethod.GET)
public ModelAndView updatePermission(@RequestParam("principal") String principal, @RequestParam("assignment") String assignment, @RequestParam("principals[]") String[] principals, @RequestParam("owner") String owner, @RequestParam("activity") String activity, @RequestParam("target") String target, HttpServletRequest request, HttpServletResponse response) throws Exception {
// ensure the current user is authorized to update and view permissions
final IPerson currentUser = personManager.getPerson((HttpServletRequest) request);
if (!permissionAdministrationHelper.canEditPermission(currentUser, target) || !permissionAdministrationHelper.canViewPermission(currentUser, target)) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return null;
}
JsonEntityBean bean = groupListHelper.getEntityForPrincipal(principal);
if (bean != null) {
IAuthorizationPrincipal p = groupListHelper.getPrincipalForEntity(bean);
IPermission[] directPermissions = permissionStore.select(owner, p.getPrincipalString(), activity, target, null);
this.authorizationService.removePermissions(directPermissions);
assignment = assignment.toUpperCase();
if (assignment.equals(Assignment.Type.GRANT.toString()) || assignment.equals(Assignment.Type.DENY.toString())) {
IPermission permission = new PermissionImpl(owner);
permission.setActivity(activity);
permission.setPrincipal(bean.getPrincipalString());
permission.setTarget(target);
permission.setType(assignment);
this.authorizationService.addPermissions(new IPermission[] { permission });
}
} else {
log.warn("Unable to resolve the following principal (will " + "be omitted from the list of assignments): " + principal);
}
return getOwners(principals, owner, activity, target, request, response);
}
Also used :
IPerson(org.apereo.portal.security.IPerson)
JsonEntityBean(org.apereo.portal.layout.dlm.remoting.JsonEntityBean)
IPermission(org.apereo.portal.security.IPermission)
PermissionImpl(org.apereo.portal.security.provider.PermissionImpl)
IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal)
RequestMapping(org.springframework.web.bind.annotation.RequestMapping)
Example 19 with IPermission
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class MaxInactiveInterceptor method preHandle.
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
final HttpSession session = request.getSession(false);
if (session == null) {
return true;
}
// Now see if authentication was successful...
final IPerson person = this.personManager.getPerson((HttpServletRequest) request);
if (person == null) {
return true;
}
// Check if the session max inactive value has already been set
Boolean isAlreadySet = (Boolean) person.getAttribute(this.SESSION_MAX_INACTIVE_SET_ATTR);
if (isAlreadySet != null && isAlreadySet.equals(Boolean.TRUE)) {
if (log.isDebugEnabled()) {
log.debug("Session.setMaxInactiveInterval() has already been determined for user '" + person.getAttribute(IPerson.USERNAME) + "'");
}
return true;
}
final ISecurityContext securityContext = person.getSecurityContext();
if (securityContext != null && securityContext.isAuthenticated()) {
// We have an authenticated user... let's see if any MAX_INACTIVE settings apply...
IAuthorizationPrincipal principal = authorizationService.newPrincipal((String) person.getAttribute(IPerson.USERNAME), IPerson.class);
Integer rulingGrant = null;
Integer rulingDeny = null;
IPermission[] permissions = authorizationService.getAllPermissionsForPrincipal(principal, IPermission.PORTAL_SYSTEM, "MAX_INACTIVE", null);
assert (permissions != null);
if (permissions.length == 0) {
// No max inactive permission set for this user
if (log.isInfoEnabled()) {
log.info("No MAX_INACTIVE permissions apply to user '" + person.getAttribute(IPerson.USERNAME) + "'");
}
person.setAttribute(this.SESSION_MAX_INACTIVE_SET_ATTR, Boolean.TRUE);
return true;
}
for (IPermission p : permissions) {
// First be sure the record applies currently...
long now = System.currentTimeMillis();
if (p.getEffective() != null && p.getEffective().getTime() > now) {
// It's *TOO EARLY* for this record... move on.
continue;
}
if (p.getExpires() != null && p.getExpires().getTime() < now) {
// It's *TOO LATE* for this record... move on.
continue;
}
if (p.getType().equals(IPermission.PERMISSION_TYPE_GRANT)) {
try {
Integer grantEntry = Integer.valueOf(p.getTarget());
if (rulingGrant == null || grantEntry.intValue() < 0 || /* Any negative number trumps all */
rulingGrant.intValue() < grantEntry.intValue()) {
rulingGrant = grantEntry;
}
} catch (NumberFormatException nfe) {
log.warn("Invalid MAX_INACTIVE permission grant '" + p.getTarget() + "'; target must be an integer value.");
}
} else if (p.getType().equals(IPermission.PERMISSION_TYPE_DENY)) {
try {
Integer denyEntry = Integer.valueOf(p.getTarget());
if (rulingDeny == null || rulingDeny.intValue() > denyEntry.intValue()) {
rulingDeny = denyEntry;
}
} catch (NumberFormatException nfe) {
log.warn("Invalid MAX_INACTIVE permission deny '" + p.getTarget() + "'; target must be an integer value.");
}
} else {
log.warn("Unknown permission type: " + p.getType());
}
}
if (rulingDeny != null && rulingDeny.intValue() < 0) {
// Negative MaxInactiveInterval values mean the session never
// times out, so a negative DENY is somewhat nonsensical... just
// clear it.
log.warn("A MAX_INACTIVE DENY entry improperly specified a negative target: " + rulingDeny.intValue());
rulingDeny = null;
}
if (rulingGrant != null || rulingDeny != null) {
// We only want to intervene if there's some actual value
// specified... otherwise we'll just let the container settings
//govern.
int maxInactive = rulingGrant != null ? rulingGrant.intValue() : // If rulingGrant is null, rulingDeny won't be...
0;
if (rulingDeny != null) {
// Applying DENY entries is tricky b/c GRANT entries may be negative...
int limit = rulingDeny.intValue();
if (maxInactive >= 0) {
maxInactive = limit < maxInactive ? limit : maxInactive;
} else {
// The best grant was negative (unlimited), so go with limit...
maxInactive = limit;
}
}
// Apply the specified setting...
session.setMaxInactiveInterval(maxInactive);
person.setAttribute(this.SESSION_MAX_INACTIVE_SET_ATTR, Boolean.TRUE);
if (log.isInfoEnabled()) {
log.info("Setting maxInactive to '" + maxInactive + "' for user '" + person.getAttribute(IPerson.USERNAME) + "'");
}
}
}
return true;
}
Also used :
IPerson(org.apereo.portal.security.IPerson)
HttpSession(javax.servlet.http.HttpSession)
IPermission(org.apereo.portal.security.IPermission)
IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal)
ISecurityContext(org.apereo.portal.security.ISecurityContext)
Example 20 with IPermission
use of org.apereo.portal.security.IPermission in project uPortal by Jasig.
the class AuthorizationTester method testPermissionStore.
public void testPermissionStore() throws Exception {
print("***** ENTERING AuthorizationTester.testPermissionStore() *****");
String msg = null;
String activity = IPermission.PORTLET_SUBSCRIBER_ACTIVITY;
String existingTarget = "CHAN_ID.1";
String nonExistingTarget = "CHAN_ID.000";
// String noonePrincipal = "3.local.999";
IPermission[] permissions, addedPermissions = null;
IPermission newPermission, retrievedPermission = null;
java.util.Date effectiveDate = new java.util.Date();
java.util.Date expirationDate = new java.util.Date(System.currentTimeMillis() + (60 * 60 * 24 * 1000));
int numAddedPermissions = 10;
int idx = 0;
// Add a new permission.
msg = "Creating a new permission for everyone (" + EVERYONE_GROUP_PRINCIPAL_KEY + ").";
print(msg);
newPermission = getPermissionStore().newInstance(OWNER);
assertNotNull(msg, newPermission);
newPermission.setPrincipal(EVERYONE_GROUP_PRINCIPAL_KEY);
newPermission.setActivity(activity);
newPermission.setTarget(nonExistingTarget);
newPermission.setType(IPermission.PERMISSION_TYPE_GRANT);
msg = "Testing if new permission exists in store.";
print(msg);
permissions = getPermissionStore().select(OWNER, EVERYONE_GROUP_PRINCIPAL_KEY, activity, nonExistingTarget, IPermission.PERMISSION_TYPE_GRANT);
assertEquals(msg, 0, permissions.length);
msg = "Adding permission to store.";
print(msg);
getPermissionStore().add(newPermission);
permissions = getPermissionStore().select(OWNER, EVERYONE_GROUP_PRINCIPAL_KEY, activity, nonExistingTarget, IPermission.PERMISSION_TYPE_GRANT);
assertEquals(msg, 1, permissions.length);
// Update the new permission we have just added.
msg = "Updating permission.";
print(msg);
retrievedPermission = permissions[0];
retrievedPermission.setType(IPermission.PERMISSION_TYPE_DENY);
retrievedPermission.setEffective(effectiveDate);
retrievedPermission.setExpires(expirationDate);
getPermissionStore().update(retrievedPermission);
permissions = getPermissionStore().select(OWNER, EVERYONE_GROUP_PRINCIPAL_KEY, activity, nonExistingTarget, IPermission.PERMISSION_TYPE_DENY);
assertEquals(msg, 1, permissions.length);
assertEquals(msg, IPermission.PERMISSION_TYPE_DENY, permissions[0].getType());
assertEquals(msg, effectiveDate, permissions[0].getEffective());
assertEquals(msg, expirationDate, permissions[0].getExpires());
// Delete the retrieved permission.
msg = "Deleting the updated permission.";
print(msg);
getPermissionStore().delete(retrievedPermission);
permissions = getPermissionStore().select(OWNER, EVERYONE_GROUP_PRINCIPAL_KEY, activity, nonExistingTarget, IPermission.PERMISSION_TYPE_DENY);
assertEquals(msg, 0, permissions.length);
// Add and delete an array of permissions.
msg = "Creating and adding an Array of " + numAddedPermissions + " Permissions.";
print(msg);
addedPermissions = new IPermission[numAddedPermissions];
for (idx = 0; idx < numAddedPermissions; idx++) {
addedPermissions[idx] = getPermissionStore().newInstance(OWNER);
addedPermissions[idx].setActivity(activity);
addedPermissions[idx].setPrincipal(NOONE_GROUP_PRINCIPAL_KEY);
addedPermissions[idx].setTarget(existingTarget + "_" + idx);
addedPermissions[idx].setType(IPermission.PERMISSION_TYPE_GRANT);
addedPermissions[idx].setEffective(effectiveDate);
addedPermissions[idx].setExpires(expirationDate);
}
getPermissionStore().add(addedPermissions);
permissions = getPermissionStore().select(OWNER, NOONE_GROUP_PRINCIPAL_KEY, activity, null, null);
assertEquals(msg, numAddedPermissions, permissions.length);
msg = "Deleting the Array of " + numAddedPermissions + " Permissions.";
print(msg);
getPermissionStore().delete(permissions);
permissions = getPermissionStore().select(OWNER, NOONE_GROUP_PRINCIPAL_KEY, activity, null, null);
assertEquals(msg, 0, permissions.length);
print("***** LEAVING AuthorizationTester.testPermissionStore() *****" + CR);
}
Also used :
IPermission(org.apereo.portal.security.IPermission)
Aggregations
IPermission (org.apereo.portal.security.IPermission)23
IAuthorizationPrincipal (org.apereo.portal.security.IAuthorizationPrincipal)13
ArrayList (java.util.ArrayList)9
IEntityGroup (org.apereo.portal.groups.IEntityGroup)8
IGroupMember (org.apereo.portal.groups.IGroupMember)7
HashSet (java.util.HashSet)5
AuthorizationException (org.apereo.portal.AuthorizationException)4
JsonEntityBean (org.apereo.portal.layout.dlm.remoting.JsonEntityBean)4
IPerson (org.apereo.portal.security.IPerson)4
IUpdatingPermissionManager (org.apereo.portal.security.IUpdatingPermissionManager)3
RequestMapping (org.springframework.web.bind.annotation.RequestMapping)3
IOException (java.io.IOException)2
Date (java.util.Date)2
IEntity (org.apereo.portal.groups.IEntity)2
IPermissionActivity (org.apereo.portal.permission.IPermissionActivity)2
IPortletDefinition (org.apereo.portal.portlet.om.IPortletDefinition)2
PortalSecurityException (org.apereo.portal.security.PortalSecurityException)2
AuthorizationService (org.apereo.portal.services.AuthorizationService)2
Connection (java.sql.Connection)1
PreparedStatement (java.sql.PreparedStatement)1
