@Override public String toString() { return String.format("identifier[%s], resource[%s], users[%s], groups[%s], action[%s]", getIdentifier(), getResource(), getUsers(), getGroups(), getAction()); }
/** * @return a new AccessPolicy constructed from the state of the builder */ public AccessPolicy build() { return new AccessPolicy(this); } }
/** * Formats the name of the specified policy. * * @param policy policy * @return formatted name */ private String formatPolicyName(final AccessPolicy policy) { return policy.getAction().toString() + " " + policy.getResource(); }
/** * Checks if another policy exists with the same resource and action as the given policy. * * @param checkAccessPolicy an access policy being checked * @return true if another access policy exists with the same resource and action, false otherwise */ private static boolean policyExists(final AccessPolicyProvider accessPolicyProvider, final AccessPolicy checkAccessPolicy) { for (AccessPolicy accessPolicy : accessPolicyProvider.getAccessPolicies()) { if (!accessPolicy.getIdentifier().equals(checkAccessPolicy.getIdentifier()) && accessPolicy.getResource().equals(checkAccessPolicy.getResource()) && accessPolicy.getAction().equals(checkAccessPolicy.getAction())) { return true; } } return false; }
@Override public AccessPolicyEntity updateAccessPolicy(final Revision revision, final AccessPolicyDTO accessPolicyDTO) { final Authorizable authorizable = authorizableLookup.getAccessPolicyById(accessPolicyDTO.getId()); final RevisionUpdate<AccessPolicyDTO> snapshot = updateComponent(revision, authorizable, () -> accessPolicyDAO.updateAccessPolicy(accessPolicyDTO), accessPolicy -> { final Set<TenantEntity> users = accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()); final Set<TenantEntity> userGroups = accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()); final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource()); return dtoFactory.createAccessPolicyDto(accessPolicy, userGroups, users, componentReference); }); final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizable); return entityFactory.createAccessPolicyEntity(snapshot.getComponent(), dtoFactory.createRevisionDTO(snapshot.getLastModification()), permissions); }
/** * Creates a Map from policy identifier to AccessPolicy. * * @param policies the set of all access policies * @return the Map from policy identifier to AccessPolicy */ private Map<String, AccessPolicy> createPoliciesByIdMap(final Set<AccessPolicy> policies) { Map<String,AccessPolicy> policyMap = new HashMap<>(); for (AccessPolicy policy : policies) { policyMap.put(policy.getIdentifier(), policy); } return policyMap; }
@Override public Set<AccessPolicy> getAccessPoliciesForUser(String userId) { return accessPolicyProvider.getAccessPolicies().stream() .filter(p -> { // policy contains the user if (p.getUsers().contains(userId)) { return true; } // policy contains a group with the user return !p.getGroups().stream().filter(g -> userGroupProvider.getGroup(g).getUsers().contains(userId)).collect(Collectors.toSet()).isEmpty(); }) .collect(Collectors.toSet()); }
private AccessPolicySummaryEntity createAccessPolicySummaryEntity(final AccessPolicy ap) { final ComponentReferenceEntity componentReference = createComponentReferenceEntity(ap.getResource()); final AccessPolicySummaryDTO apSummary = dtoFactory.createAccessPolicySummaryDto(ap, componentReference); final PermissionsDTO apPermissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(ap.getIdentifier())); final RevisionDTO apRevision = dtoFactory.createRevisionDTO(revisionManager.getRevision(ap.getIdentifier())); return entityFactory.createAccessPolicySummaryEntity(apSummary, apRevision, apPermissions); }
@Override public String getIdentifier() { return accessPolicy.getResource(); }
@Override public Set<AccessPolicy> getAccessPoliciesForUserGroup(String userGroupId) { return accessPolicyProvider.getAccessPolicies().stream() .filter(p -> { // policy contains the user group return p.getGroups().contains(userGroupId); }) .collect(Collectors.toSet()); }
@Override public User deleteUser(final String userId) { if (userGroupProvider instanceof ConfigurableUserGroupProvider) { final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider; final User user = getUser(userId); final User removedUser = configurableUserGroupProvider.deleteUser(user); // ensure the user was removed if (removedUser == null) { throw new ResourceNotFoundException(String.format("Unable to find user with id '%s'.", userId)); } // remove any references to the user being deleted from policies if possible if (accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) { for (AccessPolicy policy : accessPolicyProvider.getAccessPolicies()) { final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider; // ensure this policy contains a reference to the user and this policy is configurable (check proactively to prevent an exception) if (policy.getUsers().contains(removedUser.getIdentifier()) && configurableAccessPolicyProvider.isConfigurable(policy)) { final AccessPolicy.Builder builder = new AccessPolicy.Builder(policy).removeUser(removedUser.getIdentifier()); configurableAccessPolicyProvider.updateAccessPolicy(builder.build()); } } } return removedUser; } else { throw new IllegalStateException(MSG_NON_CONFIGURABLE_USERS); } }
public AccessPolicy getAccessPolicy(final String resourceIdentifier, final RequestAction action) { if (resourceIdentifier == null) { throw new IllegalArgumentException("Resource Identifier cannot be null"); } final Set<AccessPolicy> resourcePolicies = policiesByResource.get(resourceIdentifier); if (resourcePolicies == null) { return null; } for (AccessPolicy accessPolicy : resourcePolicies) { if (accessPolicy.getAction() == action) { return accessPolicy; } } return null; }
@Override public AccessPolicy updateAccessPolicy(final AccessPolicyDTO accessPolicyDTO) { if (supportsConfigurableAuthorizer()) { final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider; final AccessPolicy currentAccessPolicy = getAccessPolicy(accessPolicyDTO.getId()); return configurableAccessPolicyProvider.updateAccessPolicy(buildAccessPolicy(currentAccessPolicy.getIdentifier(), currentAccessPolicy.getResource(), currentAccessPolicy.getAction(), accessPolicyDTO)); } else { throw new IllegalStateException(MSG_NON_CONFIGURABLE_POLICIES); } }
@Override public AccessPolicyEntity deleteAccessPolicy(final Revision revision, final String accessPolicyId) { final AccessPolicy accessPolicy = accessPolicyDAO.getAccessPolicy(accessPolicyId); final ComponentReferenceEntity componentReference = createComponentReferenceEntity(accessPolicy.getResource()); final PermissionsDTO permissions = dtoFactory.createPermissionsDto(authorizableLookup.getAccessPolicyById(accessPolicyId)); final Set<TenantEntity> userGroups = accessPolicy != null ? accessPolicy.getGroups().stream().map(mapUserGroupIdToTenantEntity()).collect(Collectors.toSet()) : null; final Set<TenantEntity> users = accessPolicy != null ? accessPolicy.getUsers().stream().map(mapUserIdToTenantEntity()).collect(Collectors.toSet()) : null; final AccessPolicyDTO snapshot = deleteComponent( revision, new Resource() { @Override public String getIdentifier() { return accessPolicy.getResource(); } @Override public String getName() { return accessPolicy.getResource(); } @Override public String getSafeDescription() { return "Policy " + accessPolicyId; } }, () -> accessPolicyDAO.deleteAccessPolicy(accessPolicyId), false, // no need to clean up any policies as it's already been removed above dtoFactory.createAccessPolicyDto(accessPolicy, userGroups, users, componentReference)); return entityFactory.createAccessPolicyEntity(snapshot, null, permissions); }
@Override public AccessPolicy getAccessPolicy(String resourceIdentifier, RequestAction action) { return policies.stream() .filter(policy -> policy.getResource().equals(resourceIdentifier) && policy.getAction().equals(action)) .findFirst().orElse(null); }
@Override public AccessPolicy getAccessPolicy(String identifier) throws AuthorizationAccessException { return policies.stream().filter(p -> p.getIdentifier().equals(identifier)).findFirst().get(); }
/** * Extracts the values for the configured properties from the specified policy. */ private Map<String, String> extractConfiguredPropertyValues(AccessPolicy policy, AccessPolicyDTO policyDTO) { Map<String, String> values = new HashMap<>(); if (policyDTO.getUsers() != null) { // get each of the auto terminated relationship names final List<String> currentUsers = new ArrayList<>(policy.getUsers()); // sort them and include in the configuration Collections.sort(currentUsers, Collator.getInstance(Locale.US)); values.put(USERS, StringUtils.join(currentUsers, ", ")); } if (policyDTO.getUserGroups() != null) { // get each of the auto terminated relationship names final List<String> currentUserGroups = new ArrayList<>(policy.getGroups()); // sort them and include in the configuration Collections.sort(currentUserGroups, Collator.getInstance(Locale.US)); values.put(USER_GROUPS, StringUtils.join(currentUserGroups, ", ")); } return values; }
@Override public String getName() { return accessPolicy.getResource(); }
/** * Determines if the policy contains one of the user's groups. * * @param userGroups the set of the user's groups * @param policy the policy * @return true if one of the Groups in userGroups is contained in the policy */ private boolean containsGroup(final Set<Group> userGroups, final AccessPolicy policy) { if (userGroups.isEmpty() || policy.getGroups().isEmpty()) { return false; } for (Group userGroup : userGroups) { if (policy.getGroups().contains(userGroup.getIdentifier())) { return true; } } return false; }
@Override public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException { final String resourceIdentifier = request.getResource().getIdentifier(); final AccessPolicy policy = accessPolicyProvider.getAccessPolicy(resourceIdentifier, request.getAction()); if (policy == null) { return AuthorizationResult.resourceNotFound(); } final UserAndGroups userAndGroups = userGroupProvider.getUserAndGroups(request.getIdentity()); final User user = userAndGroups.getUser(); if (user == null) { return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", request.getIdentity())); } final Set<Group> userGroups = userAndGroups.getGroups(); if (policy.getUsers().contains(user.getIdentifier()) || containsGroup(userGroups, policy)) { return AuthorizationResult.approved(); } return AuthorizationResult.denied(request.getExplanationSupplier().get()); }