/** * Compute ACL permissions relevant for a {@code ThingModifyCommand}. The field "/acl" is handled * specially with the "ADMINISTRATE" permission. * * @param command the command. * @return permissions needed to execute the command. */ private static Permissions computeAclPermissions(final ThingModifyCommand command) { return command.changesAuthorization() ? Permissions.newInstance(Permission.WRITE, ADMINISTRATE.name()) : Permissions.newInstance(Permission.WRITE); }
/** * Indicates whether the effected permissions of this node revoke all of the specified permissions. * * @param possiblyRevokedPermissions the permissions the be evaluated against the effected revoked permissions of * this node. * @return {@code true} if the effected revoked permissions of this node contain all of * {@code possiblyRevokedPermissions}, {@code false} else. * @throws NullPointerException if {@code possiblyRevokedPermissions} is {@code null}. */ public boolean areAllRevoked(@Nonnull final Collection<String> possiblyRevokedPermissions) { checkPermissionsToBeEvaluated(possiblyRevokedPermissions); final Permissions actuallyRevokedPermissions = permissions.getRevokedPermissions(); return actuallyRevokedPermissions.containsAll(possiblyRevokedPermissions); }
/** * Returns a new {@code ResourceNode} for the given {@code parent} and {@code name}. * * @param parent the parent node of this resource node. * @param name the sub resource name of this node. * @return the ResourceNode. * @throws NullPointerException if any argument is {@code null} */ public static ResourceNode of(final PolicyTreeNode parent, final String name) { return of(parent, name, EffectedPermissions.newInstance(Permissions.none(), Permissions.none())); }
private boolean hasPermissionGranted(final PolicyEntry policyEntry) { return policyEntry.getResources().stream() // .anyMatch(resource -> { final boolean isRootResource = ROOT_RESOURCE.equals(resource.getResourceKey()); final boolean containsGrantedPermissions = resource.getEffectedPermissions() .getGrantedPermissions() .contains(Permission.MIN_REQUIRED_POLICY_PERMISSIONS); return isRootResource && containsGrantedPermissions; }); }
private boolean determineResult() { final Map<String, WeightedPermission> granted = weightedPermissions.getGrantedWithHighestWeight(expectedPermissions); return granted.size() == expectedPermissions.size() && !isAnyRevokedWithHigherWeight(granted); }
/** * Map policy permissions to ACL permissions of the same name. * * @param policyPermissions policy permissions. * @return ACL permissions of the same name. */ private static org.eclipse.ditto.model.things.Permissions mapPermissions(final Permissions policyPermissions) { final List<org.eclipse.ditto.model.things.Permission> permissionList = policyPermissions.stream() .flatMap(name -> { if (THING_PERMISSION_NAMES.contains(name)) { return Stream.of(org.eclipse.ditto.model.things.Permission.valueOf(name)); } else { return Stream.empty(); } }) .collect(Collectors.toList()); return ThingsModelFactory.newPermissions(permissionList); } }
@Override public JsonObject toJson(final JsonSchemaVersion schemaVersion, final Predicate<JsonField> thePredicate) { final Predicate<JsonField> predicate = schemaVersion.and(thePredicate); return JsonFactory.newObjectBuilder() .set(JsonFields.SCHEMA_VERSION, schemaVersion.toInt(), predicate) .set(JsonFields.GRANT, grantedPermissions.toJson(), predicate) .set(JsonFields.REVOKE, revokedPermissions.toJson(), predicate) .build(); }
private static void mergePermissions(final Resource resource, final ResourceNode existingChild) { final EffectedPermissions existingChildPermissions = existingChild.getPermissions(); final Collection<String> mergedGrantedPermissions = new HashSet<>(existingChildPermissions.getGrantedPermissions()); final Collection<String> mergedRevokedPermissions = new HashSet<>(existingChildPermissions.getRevokedPermissions()); if (!resource.getEffectedPermissions().getRevokedPermissions().isEmpty()) { mergedRevokedPermissions.addAll(resource.getEffectedPermissions().getRevokedPermissions()); } if (!resource.getEffectedPermissions().getGrantedPermissions().isEmpty()) { mergedGrantedPermissions.addAll(resource.getEffectedPermissions().getGrantedPermissions()); } existingChild.setPermissions( EffectedPermissions.newInstance(mergedGrantedPermissions, mergedRevokedPermissions)); }
private boolean hasPermissionRevoked(final PolicyEntry policyEntry) { return policyEntry.getResources().stream() // .anyMatch(resource -> { final boolean isRootResource = ROOT_RESOURCE.equals(resource.getResourceKey()); final boolean containsRevokedPermissions = resource.getEffectedPermissions() .getRevokedPermissions() .contains(Permission.MIN_REQUIRED_POLICY_PERMISSIONS); return isRootResource && containsRevokedPermissions; }); }
private boolean areExpectedPermissionsEffectivelyRevoked(final Map<String, WeightedPermission> revoked, final Map<String, WeightedPermission> granted) { if (revoked.size() != expectedPermissions.size()) { return false; } for (final String expectedPermission : expectedPermissions) { final WeightedPermission revokedPermission = revoked.get(expectedPermission); final WeightedPermission grantedPermission = granted.get(expectedPermission); if (null != grantedPermission) { final int grantedPermissionWeight = grantedPermission.getWeight(); final int revokedPermissionWeight = revokedPermission.getWeight(); if (grantedPermissionWeight > revokedPermissionWeight) { return false; } } } return true; }
private EffectedResources getGrantedAndRevokedSubResource(final JsonPointer resource, final String type, final Iterable<String> subjectIds, final Permissions permissions) { final Set<PointerAndPermission> revokedResources = new HashSet<>(); final Set<PointerAndPermission> grantedResources = permissions.stream() .map(permission -> { final EffectedResources result = checkPermissionOnAnySubResource(resource, type, subjectIds, permission); revokedResources.addAll(result.getRevokedResources()); return result.getGrantedResources(); }) .reduce(TreeBasedPolicyEnforcer::retainElements) .orElseGet(Collections::emptySet); final Set<PointerAndPermission> clearedGrantedResources = removeDeeperRevokes(resource, grantedResources, revokedResources); return EffectedResources.of(clearedGrantedResources, revokedResources); }
/** * Returns a set of subject ids each of which has all the given permissions granted on exactly the given resource, * and a set of subject ids each of which has 1 or more given permissions revoked on the given resource. Does not * consider "REVOKE"s down in the hierarchy. * * @param resourceKey the ResourceKey (containing Resource type and path) to check the permission(s) for. * @param permission the permission to check. * @param furtherPermissions further permissions to check. * @return An {@code EffectedSubjectIds} object containing the grant set and the revoke set. * @throws NullPointerException if any argument is {@code null}. */ default EffectedSubjectIds getSubjectIdsWithPermission(final ResourceKey resourceKey, final String permission, final String... furtherPermissions) { return getSubjectIdsWithPermission(resourceKey, Permissions.newInstance(permission, furtherPermissions)); }
private boolean hasPermissionRevoked(final PolicyEntry policyEntry) { return policyEntry.getResources().stream() // .anyMatch(resource -> { final boolean isRootResource = ROOT_RESOURCE.equals(resource.getResourceKey()); final boolean containsRevokedPermissions = resource.getEffectedPermissions() .getRevokedPermissions() .contains(Permission.MIN_REQUIRED_POLICY_PERMISSIONS); return isRootResource && containsRevokedPermissions; }); }
private boolean areExpectedPermissionsEffectivelyGranted(final Map<String, WeightedPermission> granted, final Map<String, WeightedPermission> revoked) { if (granted.size() != expectedPermissions.size()) { return false; } for (final String expectedPermission : expectedPermissions) { final WeightedPermission grantedPermission = granted.get(expectedPermission); final WeightedPermission revokedPermission = revoked.get(expectedPermission); if (null != revokedPermission) { final int revokedPermissionWeight = revokedPermission.getWeight(); final int grantedPermissionWeight = grantedPermission.getWeight(); if (revokedPermissionWeight >= grantedPermissionWeight) { return false; } } } return true; }
/** * Indicates whether the effected permissions of this node grant all of the specified permissions and do revoke * none of them. * * @param possiblyGrantedPermissions the permissions to be evaluated against the effected permissions of this node. * @return {@code true} if the effected granted permissions of this node contain all of * {@code possiblyGrantedPermissions} and none of {@code possiblyGrantedPermissions} is revoked, {@code false} else. * @throws NullPointerException if {@code possiblyGrantedPermissions} is {@code null}. */ public boolean areAllGranted(@Nonnull final Collection<String> possiblyGrantedPermissions) { checkPermissionsToBeEvaluated(possiblyGrantedPermissions); final Permissions actuallyGrantedPermissions = permissions.getGrantedPermissions(); final Permissions actuallyRevokedPermissions = permissions.getRevokedPermissions(); final boolean areAllGranted = actuallyGrantedPermissions.containsAll(possiblyGrantedPermissions); final boolean isNoneRevoked = Collections.disjoint(actuallyRevokedPermissions, possiblyGrantedPermissions); return areAllGranted && isNoneRevoked; }
/** * Returns a set of subject ids each of which has all the given permissions granted on the given resource or on any * sub resource down in the hierarchy. Revoked permissions are not taken into account. * * @param resourceKey the ResourceKey (containing Resource type and path) to use as starting point to check the * partial permission(s) in the hierarchy for. * @param permission the permission to check. * @param furtherPermissions further permissions to check. * @return A Set containing the subject ids with partial permissions on the passed resourceKey or any other * resources in the hierarchy below. * @throws NullPointerException if any argument is {@code null}. */ default Set<String> getSubjectIdsWithPartialPermission(final ResourceKey resourceKey, final String permission, final String... furtherPermissions) { return getSubjectIdsWithPartialPermission(resourceKey, Permissions.newInstance(permission, furtherPermissions)); }
private boolean hasPermissionGranted(final PolicyEntry policyEntry) { return policyEntry.getResources().stream() // .anyMatch(resource -> { final boolean isRootResource = ROOT_RESOURCE.equals(resource.getResourceKey()); final boolean containsGrantedPermissions = resource.getEffectedPermissions() .getGrantedPermissions() .contains(Permission.MIN_REQUIRED_POLICY_PERMISSIONS); return isRootResource && containsGrantedPermissions; }); }
@SuppressWarnings("MethodWithMultipleReturnPoints") private boolean areExpectedPermissionsEffectivelyGranted(final Map<String, WeightedPermission> granted, final Map<String, WeightedPermission> revoked) { if (granted.size() != expectedPermissions.size()) { return false; } for (final String expectedPermission : expectedPermissions) { final WeightedPermission grantedPermission = granted.get(expectedPermission); final WeightedPermission revokedPermission = revoked.get(expectedPermission); if (null != revokedPermission) { final int revokedPermissionWeight = revokedPermission.getWeight(); final int grantedPermissionWeight = grantedPermission.getWeight(); if (revokedPermissionWeight >= grantedPermissionWeight) { return false; } } } return true; }
/** * Set the given permissions on the specified {@code resourceKey} in the specified {@code label} * as "revoked" to this builder. * * @param label the label identifying the PolicyEntry to modify. * @param resourceKey the ResourceKey to set the permissions on. * @param revokedPermission the Permission to set as "revoke"ed on the resource in the label. * @param furtherRevokedPermissions further Permissions to set as "revoke"ed on the resource in the label. * @return this builder to allow method chaining. * @throws NullPointerException if any argument is {@code null}. */ default PolicyBuilder setRevokedPermissionsFor(final CharSequence label, final ResourceKey resourceKey, final String revokedPermission, final String... furtherRevokedPermissions) { return setRevokedPermissionsFor(label, resourceKey, Permissions.newInstance(revokedPermission, furtherRevokedPermissions)); }
private static void addPermission(final String permission, final JsonPointer resource, final Collection<PointerAndPermission> grantedResources, final Collection<PointerAndPermission> revokedResources, final int level, final ResourceNode resourceNode) { final JsonPointer resourceToAdd = ROOT_RESOURCE.equals(resource.toString()) ? JsonFactory.newPointer(ROOT_RESOURCE) : getPrefixPointerOrThrow(resource, level); final EffectedPermissions effectedPermissions = resourceNode.getPermissions(); if (effectedPermissions.getGrantedPermissions().contains(permission)) { grantedResources.add(new PointerAndPermission(resourceToAdd, permission)); } if (effectedPermissions.getRevokedPermissions().contains(permission)) { revokedResources.add(new PointerAndPermission(resourceToAdd, permission)); } }