@Override public void checkPermission(String moduleName, Action action) { getAllowedActions(moduleName) .map((allowed) -> { allowed.checkPermission(action); return null; }) .orElseThrow(() -> new AccessControlException("No actions are defined for a madule named: " + moduleName)); }
/** * A convenience method to update the supplied AllowedActions to disable all the permissions currently allowed to all principals * in the given role memberships, excluding the principals in the supplied exclusion set. * @param allMemberships the role memberships * @param exclusionSet a set of principals to exclude from having their permissions disabled * @param allowed the actions to update */ public static void disableForAll(Stream<RoleMembership> allMemberships, Set<Principal> exclusionSet, AllowedActions allowed) { // Collect all principals of all memberships. Set<Principal> principals = allMemberships .flatMap(membership -> membership.getMembers().stream()) .filter(princ -> ! exclusionSet.contains(princ)) .collect(Collectors.toSet()); // For each principal, disable all of its permissions. principals.forEach(principal -> allowed.disableAll(principal)); }
/** * Users with access to datasources always need access to the connector. * This will ensure any user with a m * embership to ACCESS_DATASOURCE will get the required ACCESS_CONNECTOR access to the connector */ private void ensureDataSourceConnectorAccess() { Set<Principal> principalsWithAccess = connector.getAllowedActions().getPrincipalsAllowedAny(ConnectorAccessControl.ACCESS_CONNECTOR); this.connector.getDataSources() .stream() .flatMap( ds -> ds.getRoleMemberships().stream()) .filter(h -> h.getMembers() != null && !h.getMembers().isEmpty() && h.getRole().getAllowedActions().hasPermission(DatasourceAccessControl.ACCESS_DATASOURCE)) .flatMap(h -> h.getMembers().stream()) .filter(principal -> !principalsWithAccess.contains(principal)) .forEach(principal -> { //add back in the ACCESS_CONNECTOR connector.getAllowedActions().enable(principal,ConnectorAccessControl.ACCESS_CONNECTOR); }); } }
/** * A convenience method for enabling only the permissions granted by the role memberships among the passed in set * of which the given principal is a member. The supplied allowedActions must be compatible with the kinds of actions * that the RoleMemberships control. * * @param principal the principal involved * @param allMemberships a stream of all potential role memberships that may be involved in enabling permissions for this principal * @param allowed the allowed actions that should be updated to allow the new permissions */ public static void enableOnly(Principal principal, Stream<RoleMembership> allMemberships, AllowedActions allowed) { // Get a union of all actions allowed by all role memberships containing the principal as a member. Set<Action> actions = allMemberships .filter(membership -> membership.getMembers().contains(principal)) .map(membership -> membership.getRole()) .flatMap(role -> role.getAllowedActions().getAvailableActions().stream()) .flatMap(avail -> avail.stream()) .collect(Collectors.toSet()); // Update the given allowed actions to enable only the derived set of permitted actions based // on the current set of role memberships of the principal. allowed.enableOnly(principal, actions); }
.map(FeedDetails::getTemplate) .map(FeedManagerTemplate::getAllowedActions) .filter(allowedActions -> allowedActions.hasPermission(TemplateAccessControl.CHANGE_PERMS)) .ifPresent(allowedActions -> allowedActions.enable(principal, TemplateAccessControl.ACCESS_TEMPLATE));
@Override public boolean disable(Principal principal, AllowedActions actions) { return disable(principal, actions.getAvailableActions().stream() .flatMap(avail -> avail.stream()) .collect(Collectors.toSet())); }
if (actions != null) { List<Action> actionsList = Arrays.asList(actions); boolean needsUpdate = actionsList.stream().anyMatch(action -> !role.getAllowedActions().hasPermission(action)); if (needsUpdate) { role.setPermissions(actions);
dataSource.getConnector().getAllowedActions().enable(principal, ConnectorAccessControl.ACCESS_CONNECTOR);
@Override public boolean enableOnly(Principal principal, AllowedActions actions) { return enableOnly(principal, actions.getAvailableActions().stream() .flatMap(avail -> avail.stream()) .collect(Collectors.toSet())); }
@Override public void checkPermission(String moduleName, Set<Action> actions) { this.metadata.read(() -> { return this.actionsProvider.getAllowedActions(moduleName) .map((allowed) -> { allowed.checkPermission(actions); return moduleName; }) .<AccessControlException>orElseThrow(() -> new AccessControlException("No actions are defined for the module named: " + moduleName)); }); }
@Override public void deleteGroup(@Nonnull final UserGroup group) { this.actionsProvider.getAllowedActions(AccessController.SERVICES).ifPresent(allowed -> allowed.disableAll(group.getPrincipal())); this.membershipProvider.findAll().forEach(membership -> membership.removeMember(group.getPrincipal())); delete(group); }
/** * Creates a new role for a particular entity type; using an existing base role for initial definition of permissions. * This method must be call within a metadata transaction. * @param entityName the name of the entity type (generally from SecurityRole.<entity type>) * @param roleName the system name of the role * @param title the title of the role * @param desc a description of the role * @param baseRole a base role from which to derive this new role's allowed permissions * @param actions any additional permitted actions allowed by this role * @return the new role instance */ public SecurityRole createDefaultRole(@Nonnull final String entityName, @Nonnull final String roleName, @Nonnull final String title, final String desc, @Nonnull final SecurityRole baseRole, final Action... actions) { final Stream<Action> baseActions = baseRole.getAllowedActions().getAvailableActions().stream().flatMap(AllowableAction::stream); final Action[] allowedActions = Stream.concat(baseActions, Stream.of(actions)).toArray(Action[]::new); return createDefaultRole(entityName, roleName, title, desc, allowedActions); }
@Override public List<Project> getMyEditableProjects() { UsernamePrincipal user = JcrMetadataAccess.getActiveUser(); logger.debug("user={}", user); List<Project> projects = getProjects(); return projects.stream() .filter(prj -> { try { prj.getAllowedActions().checkPermission(ProjectAccessControl.EDIT_PROJECT); return true; } catch (AccessControlException ace) { return false; } }).collect(Collectors.toList()); }
@Override public void deleteUser(@Nonnull final User user) { this.actionsProvider.getAllowedActions(AccessController.SERVICES).ifPresent(allowed -> allowed.disableAll(user.getPrincipal())); this.membershipProvider.findAll().forEach(membership -> membership.removeMember(user.getPrincipal())); delete(user); }
@Override public Category update(Category category) { if (accessController.isEntityAccessControlled()) { category.getAllowedActions().checkPermission(CategoryAccessControl.EDIT_DETAILS); } return super.update(category); }
@Override public void deleteProject(Project domain) { if (accessController.isEntityAccessControlled()) { domain.getAllowedActions().checkPermission(ProjectAccessControl.DELETE_PROJECT); } super.delete(domain); }
@Override public void setDeployed(ID feedId, EntityVersion.ID versionId) { final JcrFeed feed = (JcrFeed) super.findById(feedId); if (feed != null) { if (accessController.isEntityAccessControlled()) { // TODO: Add deploy feed action? feed.getAllowedActions().checkPermission(FeedAccessControl.EDIT_DETAILS); } findVersion(feedId, versionId, false) .map(JcrEntityVersion.class::cast) .map(JcrEntityVersion::getVersion) .ifPresent(version -> { feed.setDeployedVersion(version); }); } else { throw new FeedNotFoundException(feedId); } }
public boolean deleteTemplate(FeedManagerTemplate feedManagerTemplate) throws TemplateDeletionException { if (feedManagerTemplate != null && (feedManagerTemplate.getFeeds() == null || feedManagerTemplate.getFeeds().size() == 0)) { feedManagerTemplate.getAllowedActions().checkPermission(TemplateAccessControl.DELETE); addPostFeedChangeAction(feedManagerTemplate, ChangeType.DELETE); super.delete(feedManagerTemplate); return true; } else { throw new TemplateDeletionException(feedManagerTemplate.getName(), feedManagerTemplate.getId().toString(), "There are still feeds assigned to this template."); } }
@Override public void delete(Feed feed) { if (accessController.isEntityAccessControlled()) { feed.getAllowedActions().checkPermission(FeedAccessControl.DELETE); } addPostFeedChangeAction(feed, ChangeType.DELETE); // Remove dependent feeds final Node node = ((JcrFeed) feed).getNode(); feed.getDependentFeeds().forEach(dep -> feed.removeDependentFeed((JcrFeed) dep)); JcrMetadataAccess.getAutoCheckinNodes().removeIf(node::equals); // Remove destinations and sources ((JcrFeed) feed).removeFeedDestinations(); ((JcrFeed) feed).removeFeedSources(); // Delete feed FeedManagerTemplate template = feed.getTemplate(); if (template != null) { template.removeFeed(feed); } // Remove all Ops access control entries this.opsAccessProvider.revokeAllAccess(feed.getId()); super.delete(feed); }
@Override public boolean enableFeed(Feed.ID id) { Feed feed = getFeed(id); if (accessController.isEntityAccessControlled()) { feed.getAllowedActions().checkPermission(FeedAccessControl.ENABLE_DISABLE); } if (!feed.getState().equals(Feed.State.ENABLED)) { feed.setState(Feed.State.ENABLED); //Enable any SLAs on this feed List<ServiceLevelAgreement> serviceLevelAgreements = feed.getServiceLevelAgreements(); if (serviceLevelAgreements != null) { for (ServiceLevelAgreement sla : serviceLevelAgreements) { JcrServiceLevelAgreement jcrSla = (JcrServiceLevelAgreement) sla; jcrSla.enable(); } } return true; } return false; }