Search in sources :

Example 1 with DelegationTypeService

use of org.kuali.kfs.kim.framework.common.delegate.DelegationTypeService in project cu-kfs by CU-CommunityApps.

the class RoleServiceImpl method matchesOnDelegation.

/**
 * Support method for principalHasRole. Checks delegations on the passed in roles for the given principal and
 * groups. (It's assumed that the principal belongs to the given groups.)
 * <p>
 * Delegation checks are mostly the same as role checks except that the delegateType itself is qualified against the
 * original role (like a RolePrincipal or RoleGroup.) And then, the members of that delegateType may have additional
 * qualifiers which are not part of the original role qualifiers.
 * <p>
 * For example:
 * <p>
 * A role could be qualified by organization. So, there is a person in the organization with primary authority for
 * that org. But, then they delegate authority for that organization (not their authority - the delegateType is
 * attached to the org.) So, in this case the delegateType has a qualifier of the organization when it is attached
 * to the role.
 * <p>
 * The principals then attached to that delegateType (which is specific to the organization), may have additional
 * qualifiers.
 * For Example: dollar amount range, effective dates, document types.
 * As a subsequent step, those qualifiers are checked against the qualification passed in from the client.
 */
protected boolean matchesOnDelegation(Set<String> allRoleIds, String principalId, List<String> principalGroupIds, Map<String, String> qualification, Context context) {
    // get the list of delegations for the roles
    Map<String, DelegateType> delegations = getStoredDelegationImplMapFromRoleIds(allRoleIds);
    // roles do not have dynamic membership
    if (delegations.isEmpty()) {
        for (String roleId : allRoleIds) {
            RoleLite role = loadRole(roleId);
            RoleTypeService roleTypeService = context.getRoleTypeService(role.getKimTypeId());
            if (!context.isDerivedRoleType(role.getKimTypeId()) || roleTypeService == null || !roleTypeService.dynamicRoleMembership(role.getNamespaceCode(), role.getName())) {
                putPrincipalHasRoleInCache(false, principalId, roleId, qualification, true);
            }
        }
        return false;
    }
    // Build a map from a role ID to the delegations for that role ID
    Map<String, List<DelegateType>> roleToDelegations = new HashMap<>();
    for (DelegateType delegation : delegations.values()) {
        List<DelegateType> roleDelegations = roleToDelegations.computeIfAbsent(delegation.getRoleId(), k -> new ArrayList<>());
        roleDelegations.add(delegation);
    }
    // Iterate through each role and check its delegations to determine if the principal has one of the roles
    for (String roleId : roleToDelegations.keySet()) {
        boolean matchesOnRoleDelegation = false;
        RoleLite role = getRoleWithoutMembers(roleId);
        RoleTypeService roleTypeService = context.getRoleTypeService(role.getKimTypeId());
        // delegation
        for (DelegateType delegation : roleToDelegations.get(roleId)) {
            // If the delegation isn't active skip it
            if (!delegation.isActive()) {
                continue;
            }
            // principal
            for (DelegateMember delegateMember : delegation.getMembers()) {
                // If the membership isn't active skip the rest of the checks
                if (!delegateMember.isActive(new Timestamp(new Date().getTime()))) {
                    continue;
                }
                // principal ID
                if (MemberType.PRINCIPAL.equals(delegateMember.getType()) && !delegateMember.getMemberId().equals(principalId)) {
                    continue;
                }
                // of groups the principal belongs to
                if (MemberType.GROUP.equals(delegateMember.getType()) && !principalGroupIds.contains(delegateMember.getMemberId())) {
                    continue;
                }
                // principal is a member of that role
                if (MemberType.ROLE.equals(delegateMember.getType()) && !principalHasRole(principalId, Collections.singletonList(delegateMember.getMemberId()), qualification, false)) {
                    continue;
                }
                // it can't be guaranteed that it is up and working, so using a try/catch to catch this possibility.
                try {
                    if (roleTypeService != null && !roleTypeService.doesRoleQualifierMatchQualification(qualification, delegateMember.getQualifier())) {
                        continue;
                    }
                } catch (Exception ex) {
                    LOG.warn("Unable to call doesRoleQualifierMatchQualification on role type service for " + "role Id: " + delegation.getRoleId() + " / " + qualification + " / " + delegateMember.getQualifier(), ex);
                    continue;
                }
                // role service matches this qualifier
                // now try the delegateType service
                DelegationTypeService delegationTypeService = getDelegationTypeService(delegateMember.getDelegationId());
                // QUESTION: does the qualifier map need to be merged with the main delegateType qualification?
                if (delegationTypeService != null && !delegationTypeService.doesDelegationQualifierMatchQualification(qualification, delegateMember.getQualifier())) {
                    continue;
                }
                // if so, check that the original role member would match the given qualifiers
                if (StringUtils.isNotBlank(delegateMember.getRoleMemberId())) {
                    RoleMember rm = getRoleMember(delegateMember.getRoleMemberId());
                    if (rm != null) {
                        // membership
                        if (!rm.isActive(new Timestamp(new Date().getTime()))) {
                            continue;
                        }
                        Map<String, String> roleQualifier = rm.getAttributes();
                        // catch this possibility.
                        try {
                            if (roleTypeService != null && !roleTypeService.doesRoleQualifierMatchQualification(qualification, roleQualifier)) {
                                continue;
                            }
                        } catch (Exception ex) {
                            LOG.warn("Unable to call doesRoleQualifierMatchQualification on role type " + "service for role Id: " + delegation.getRoleId() + " / " + qualification + " / " + roleQualifier, ex);
                            continue;
                        }
                    } else {
                        LOG.warn("Unknown role member ID cited in the delegateType member table:");
                        LOG.warn("       assignedToId: " + delegateMember.getDelegationMemberId() + " / roleMemberId: " + delegateMember.getRoleMemberId());
                    }
                }
                // If we've made it here then all of the tests pass so the principal must belong to this
                // delegation so set the flag to true and break out of this loop
                matchesOnRoleDelegation = true;
                break;
            }
            // If we've found a match for one of the delegations break out of this loop
            if (matchesOnRoleDelegation) {
                break;
            }
        }
        // through one of these delegations
        if (!context.isDerivedRoleType(role.getKimTypeId()) || roleTypeService == null || !roleTypeService.dynamicRoleMembership(role.getNamespaceCode(), role.getName())) {
            putPrincipalHasRoleInCache(matchesOnRoleDelegation, principalId, roleId, qualification, true);
        }
        // If we've found a matching delegation skip processing the rest of the roles
        if (matchesOnRoleDelegation) {
            return true;
        }
    }
    // If we get here we didn't find a matching delegation so return false
    return false;
}
Also used : HashMap(java.util.HashMap) DelegationTypeService(org.kuali.kfs.kim.framework.common.delegate.DelegationTypeService) Timestamp(java.sql.Timestamp) Date(java.util.Date) RoleTypeService(org.kuali.kfs.kim.framework.role.RoleTypeService) DelegateMember(org.kuali.kfs.kim.impl.common.delegate.DelegateMember) List(java.util.List) ArrayList(java.util.ArrayList) DelegateType(org.kuali.kfs.kim.impl.common.delegate.DelegateType)

Example 2 with DelegationTypeService

use of org.kuali.kfs.kim.framework.common.delegate.DelegationTypeService in project cu-kfs by CU-CommunityApps.

the class RoleServiceImpl method getDelegationTypeService.

protected DelegationTypeService getDelegationTypeService(String delegationId) {
    DelegationTypeService service = null;
    DelegateType delegateType = getKimDelegationImpl(delegationId);
    KimType kimType = KimApiServiceLocator.getKimTypeInfoService().getKimType(delegateType.getKimTypeId());
    if (kimType != null) {
        KimTypeService tempService = KimFrameworkServiceLocator.getKimTypeService(kimType);
        if (tempService instanceof DelegationTypeService) {
            service = (DelegationTypeService) tempService;
        } else {
            LOG.error("Service returned for type " + kimType + "(" + kimType.getName() + ") was not a DelegationTypeService.  Was a " + (tempService != null ? tempService.getClass() : "(null)"));
        }
    } else {
        // delegateType has no type - default to role type if possible
        RoleTypeService roleTypeService = getRoleTypeService(delegateType.getRoleId());
        if (roleTypeService instanceof DelegationTypeService) {
            service = (DelegationTypeService) roleTypeService;
        }
    }
    return service;
}
Also used : KimType(org.kuali.kfs.kim.impl.type.KimType) RoleTypeService(org.kuali.kfs.kim.framework.role.RoleTypeService) KimTypeService(org.kuali.kfs.kim.framework.type.KimTypeService) DelegationTypeService(org.kuali.kfs.kim.framework.common.delegate.DelegationTypeService) DelegateType(org.kuali.kfs.kim.impl.common.delegate.DelegateType)

Example 3 with DelegationTypeService

use of org.kuali.kfs.kim.framework.common.delegate.DelegationTypeService in project cu-kfs by CU-CommunityApps.

the class RoleServiceImpl method applyDelegationsToRoleMembers.

/**
 * Checks each of the result records to determine if there are potentially applicable delegation members for that
 * role membership. If there are, applicable delegations and members will be linked to the RoleMemberships in the
 * given list. An updated list will be returned from this method which includes the appropriate linked delegations.
 */
protected List<RoleMembership.Builder> applyDelegationsToRoleMembers(List<RoleMembership> roleMemberships, Collection<DelegateType> delegations, Map<String, String> qualification) {
    MultiValueMap<String, String> roleIdToRoleMembershipIds = new LinkedMultiValueMap<>();
    Map<String, RoleMembership.Builder> roleMembershipIdToBuilder = new HashMap<>();
    List<RoleMembership.Builder> roleMembershipBuilders = new ArrayList<>();
    // builders
    for (RoleMembership roleMembership : roleMemberships) {
        roleIdToRoleMembershipIds.add(roleMembership.getRoleId(), roleMembership.getId());
        RoleMembership.Builder builder = RoleMembership.Builder.create(roleMembership);
        roleMembershipBuilders.add(builder);
        roleMembershipIdToBuilder.put(roleMembership.getId(), builder);
    }
    for (DelegateType delegation : delegations) {
        // determine the candidate role memberships where this delegation can be mapped
        List<String> candidateRoleMembershipIds = roleIdToRoleMembershipIds.get(delegation.getRoleId());
        if (CollectionUtils.isNotEmpty(candidateRoleMembershipIds)) {
            DelegationTypeService delegationTypeService = getDelegationTypeService(delegation.getDelegationId());
            for (DelegateMember delegationMember : delegation.getMembers()) {
                // Make sure that the delegation member is active
                if (delegationMember.isActive(DateTime.now()) && (delegationTypeService == null || delegationTypeService.doesDelegationQualifierMatchQualification(qualification, delegationMember.getQualifier()))) {
                    // memberships on the role
                    if (StringUtils.isBlank(delegationMember.getRoleMemberId())) {
                        RoleTypeService roleTypeService = getRoleTypeService(delegation.getRoleId());
                        for (String roleMembershipId : candidateRoleMembershipIds) {
                            RoleMembership.Builder roleMembershipBuilder = roleMembershipIdToBuilder.get(roleMembershipId);
                            if (roleTypeService == null || roleTypeService.doesRoleQualifierMatchQualification(roleMembershipBuilder.getQualifier(), delegationMember.getQualifier())) {
                                linkDelegateToRoleMembership(delegation, delegationMember, roleMembershipBuilder);
                            }
                        }
                    } else if (candidateRoleMembershipIds.contains(delegationMember.getRoleMemberId())) {
                        RoleMembership.Builder roleMembershipBuilder = roleMembershipIdToBuilder.get(delegationMember.getRoleMemberId());
                        linkDelegateToRoleMembership(delegation, delegationMember, roleMembershipBuilder);
                    }
                }
            }
        }
    }
    return roleMembershipBuilders;
}
Also used : LinkedMultiValueMap(org.springframework.util.LinkedMultiValueMap) HashMap(java.util.HashMap) DelegationTypeService(org.kuali.kfs.kim.framework.common.delegate.DelegationTypeService) ArrayList(java.util.ArrayList) RoleTypeService(org.kuali.kfs.kim.framework.role.RoleTypeService) DelegateMember(org.kuali.kfs.kim.impl.common.delegate.DelegateMember) RoleMembership(org.kuali.kfs.kim.api.role.RoleMembership) DelegateType(org.kuali.kfs.kim.impl.common.delegate.DelegateType)

Aggregations

DelegationTypeService (org.kuali.kfs.kim.framework.common.delegate.DelegationTypeService)3 RoleTypeService (org.kuali.kfs.kim.framework.role.RoleTypeService)3 DelegateType (org.kuali.kfs.kim.impl.common.delegate.DelegateType)3 ArrayList (java.util.ArrayList)2 HashMap (java.util.HashMap)2 DelegateMember (org.kuali.kfs.kim.impl.common.delegate.DelegateMember)2 Timestamp (java.sql.Timestamp)1 Date (java.util.Date)1 List (java.util.List)1 RoleMembership (org.kuali.kfs.kim.api.role.RoleMembership)1 KimTypeService (org.kuali.kfs.kim.framework.type.KimTypeService)1 KimType (org.kuali.kfs.kim.impl.type.KimType)1 LinkedMultiValueMap (org.springframework.util.LinkedMultiValueMap)1