/** * Compute ACL permissions relevant for a {@code ThingModifyCommand}. The field "/acl" is handled * specially with the "ADMINISTRATE" permission. * * @param command the command. * @return permissions needed to execute the command. */ private static Permissions computeAclPermissions(final ThingModifyCommand command) { return command.changesAuthorization() ? Permissions.newInstance(Permission.WRITE, ADMINISTRATE.name()) : Permissions.newInstance(Permission.WRITE); }
/** * Returns a set of subject ids each of which has all the given permissions granted on exactly the given resource, * and a set of subject ids each of which has 1 or more given permissions revoked on the given resource. Does not * consider "REVOKE"s down in the hierarchy. * * @param resourceKey the ResourceKey (containing Resource type and path) to check the permission(s) for. * @param permission the permission to check. * @param furtherPermissions further permissions to check. * @return An {@code EffectedSubjectIds} object containing the grant set and the revoke set. * @throws NullPointerException if any argument is {@code null}. */ default EffectedSubjectIds getSubjectIdsWithPermission(final ResourceKey resourceKey, final String permission, final String... furtherPermissions) { return getSubjectIdsWithPermission(resourceKey, Permissions.newInstance(permission, furtherPermissions)); }
/** * Returns a set of subject ids each of which has all the given permissions granted on the given resource or on any * sub resource down in the hierarchy. Revoked permissions are not taken into account. * * @param resourceKey the ResourceKey (containing Resource type and path) to use as starting point to check the * partial permission(s) in the hierarchy for. * @param permission the permission to check. * @param furtherPermissions further permissions to check. * @return A Set containing the subject ids with partial permissions on the passed resourceKey or any other * resources in the hierarchy below. * @throws NullPointerException if any argument is {@code null}. */ default Set<String> getSubjectIdsWithPartialPermission(final ResourceKey resourceKey, final String permission, final String... furtherPermissions) { return getSubjectIdsWithPartialPermission(resourceKey, Permissions.newInstance(permission, furtherPermissions)); }
/** * Checks whether for the {@code authorizationContext} either implicitly or explicitly * has "GRANT" for the {@code permissions} on the specified {@code resourceKey} considering "REVOKE"s down in the * hierarchy, so if there is a REVOKE for the {@code authorizationContext} somewhere down the hierarchy of the * {@code resourceKey}, the result will be {@code false}. * * @param resourceKey the ResourceKey (containing Resource type and path) to check the permission(s) for. * @param authorizationContext the authorization context to check. * @param permission the permission to check. * @param furtherPermissions further permissions to check. * @return {@code true} if {@code authorizationContext} has the given permission(s), {@code false} otherwise. * @throws NullPointerException if any argument is {@code null}. */ default boolean hasUnrestrictedPermissions(final ResourceKey resourceKey, final AuthorizationContext authorizationContext, final String permission, final String... furtherPermissions) { return hasUnrestrictedPermissions(resourceKey, authorizationContext, Permissions.newInstance(permission, furtherPermissions)); }
/** * Set the given permissions on the specified {@code resourceKey} in the specified {@code label} * as "revoked" to this builder. * * @param label the label identifying the PolicyEntry to modify. * @param resourceKey the ResourceKey to set the permissions on. * @param revokedPermission the Permission to set as "revoke"ed on the resource in the label. * @param furtherRevokedPermissions further Permissions to set as "revoke"ed on the resource in the label. * @return this builder to allow method chaining. * @throws NullPointerException if any argument is {@code null}. */ default PolicyBuilder setRevokedPermissionsFor(final CharSequence label, final ResourceKey resourceKey, final String revokedPermission, final String... furtherRevokedPermissions) { return setRevokedPermissionsFor(label, resourceKey, Permissions.newInstance(revokedPermission, furtherRevokedPermissions)); }
/** * Set the given permissions on the specified {@code resourceKey} in the specified {@code label} * as "granted" to this builder. * * @param label the label identifying the PolicyEntry to modify. * @param resourceKey the ResourceKey to set the permissions on. * @param grantedPermission the Permission to set as "grant"ed on the resource in the label. * @param furtherGrantedPermissions further Permissions to set as "grant"ed on the resource in the label. * @return this builder to allow method chaining. * @throws NullPointerException if any argument is {@code null}. * @throws IllegalArgumentException if {@code label} is empty. */ default PolicyBuilder setGrantedPermissionsFor(final CharSequence label, final ResourceKey resourceKey, final String grantedPermission, final String... furtherGrantedPermissions) { return setGrantedPermissionsFor(label, resourceKey, Permissions.newInstance(grantedPermission, furtherGrantedPermissions)); }
/** * Checks whether the {@code authorizationContext} either implicitly or explicitly * has "GRANT" for the specified permissions on the passed in {@code resourceKey} or on any {@code resource} down in * the hierarchy of the {@code resourceKey}. * * @param resourceKey the ResourceKey (containing Resource type and path) to check the permission(s) for. * @param authorizationContext the authorization context to check. * @param permission the permission to check. * @param furtherPermissions further permissions to check. * @return {@code true} if {@code authorizationContext} has the given permission(s) somewhere down in the hierarchy, * {@code false} otherwise. * @throws NullPointerException if any argument is {@code null}. */ default boolean hasPartialPermissions(final ResourceKey resourceKey, final AuthorizationContext authorizationContext, final String permission, final String... furtherPermissions) { return hasPartialPermissions(resourceKey, authorizationContext, Permissions.newInstance(permission, furtherPermissions)); }
/** * Builds a view of the passed {@code jsonFields} (e.g. a {@link JsonObject} or a {@link * org.eclipse.ditto.json.JsonObjectBuilder}) {@code authorizationContext} and {@code permissions}. The resulting * {@code JsonObject} only contains {@code JsonFields} for which the {@code authorizationContext} has the required * permissions. * * @param resourceKey the ResourceKey (containing Resource type and path) to start from. * @param jsonFields the full JsonFields from which to build the view based on the permissions. * @param authorizationContext the AuthorizationContext containing the AuthorizationSubjects. * @param permission the permission. * @param furtherPermissions further permissions. * @return a view of the passed {@code jsonFields} as JsonObject for which the required permissions are given. * @throws NullPointerException if any argument is {@code null}. */ default JsonObject buildJsonView(final ResourceKey resourceKey, final Iterable<JsonField> jsonFields, final AuthorizationContext authorizationContext, final String permission, final String... furtherPermissions) { return buildJsonView(resourceKey, jsonFields, authorizationContext, Permissions.newInstance(permission, furtherPermissions)); }
/** * Set the given permissions on the specified {@code resourceType} and {@code resourcePath} in the specified * {@code label} as "granted" to this builder. * * @param label the label identifying the PolicyEntry to modify. * @param resourceType the type of the Resource to set the permissions on. * @param resourcePath the path of the Resource to set the permissions on. * @param grantedPermission the Permission to set as "grant"ed on the Resource in the label. * @param furtherGrantedPermissions further Permissions to set as "grant"ed on the Resource in the label. * @return this builder to allow method chaining. * @throws NullPointerException if any argument is {@code null}. * @throws IllegalArgumentException if {@code label} or {@code resourceType} is empty. */ default PolicyBuilder setGrantedPermissionsFor(final CharSequence label, final String resourceType, final CharSequence resourcePath, final String grantedPermission, final String... furtherGrantedPermissions) { return setGrantedPermissionsFor(label, ResourceKey.newInstance(resourceType, resourcePath), Permissions.newInstance(grantedPermission, furtherGrantedPermissions)); }
/** * Set the given permissions on the specified {@code resourceType} and {@code resourcePath} in the specified * {@code label} as "revoked" to this builder. * * @param label the label identifying the PolicyEntry to modify. * @param resourceType the type of the Resource to set the permissions on. * @param resourcePath the path of the Resource to set the permissions on. * @param revokedPermission the Permission to set as "revoke"ed on the Resource in the label. * @param furtherRevokedPermissions further Permissions to set as "revoke"ed on the Resource in the label. * @return this builder to allow method chaining. * @throws NullPointerException if any argument is {@code null}. * @throws IllegalArgumentException if {@code label} or {@code resourceType} is empty. */ default PolicyBuilder setRevokedPermissionsFor(final CharSequence label, final String resourceType, final CharSequence resourcePath, final String revokedPermission, final String... furtherRevokedPermissions) { return setRevokedPermissionsFor(label, ResourceKey.newInstance(resourceType, JsonPointer.of(resourcePath)), Permissions.newInstance(revokedPermission, furtherRevokedPermissions)); }
/** * Builds a view of the passed {@code jsonFields} (e.g. a {@link JsonObject} or a {@link * org.eclipse.ditto.json.JsonObjectBuilder}) {@code authorizationContext} and {@code permissions}. The resulting * {@code JsonObject} only contains {@code JsonFields} for which the {@code authorizationContext} has the required * permissions. * * @param jsonFields the full JsonFields from which to build the view based on the permissions. * @param resourceType the type of the Resource * @param authorizationContext the AuthorizationContext containing the AuthorizationSubjects. * @param permission the permission. * @param furtherPermissions further permissions. * @return a view of the passed {@code jsonFields} as JsonObject for which the required permissions are given. * @throws NullPointerException if any argument is {@code null}. * @throws IllegalArgumentException if {@code resourceType} is empty. */ default JsonObject buildJsonView(final Iterable<JsonField> jsonFields, final CharSequence resourceType, final AuthorizationContext authorizationContext, final String permission, final String... furtherPermissions) { return buildJsonView(ResourceKey.newInstance(resourceType, JsonFactory.emptyPointer()), jsonFields, authorizationContext, Permissions.newInstance(permission, furtherPermissions)); }
private static JsonObject getJsonViewForPolicyQueryCommandResponse(final JsonObject responseEntity, final PolicyQueryCommandResponse response, final Enforcer enforcer) { final ResourceKey resourceKey = ResourceKey.newInstance(PolicyCommand.RESOURCE_TYPE, response.getResourcePath()); final AuthorizationContext authorizationContext = response.getDittoHeaders().getAuthorizationContext(); return enforcer.buildJsonView(resourceKey, responseEntity, authorizationContext, POLICY_QUERY_COMMAND_RESPONSE_WHITELIST, Permissions.newInstance(Permission.READ)); }
/** * Authorize a thing-command by an ACL enforcer. * * @param <T> type of the thing-command. * @param aclEnforcer the ACL enforcer. * @param command the command to authorize. * @return optionally the authorized command extended by read subjects. */ static <T extends ThingCommand> Optional<T> authorizeByAcl(final Enforcer aclEnforcer, final ThingCommand<T> command) { final ResourceKey thingResourceKey = PoliciesResourceType.thingResource(command.getResourcePath()); final AuthorizationContext authorizationContext = command.getDittoHeaders().getAuthorizationContext(); final Permissions permissions = command instanceof ThingModifyCommand ? computeAclPermissions((ThingModifyCommand) command) : Permissions.newInstance(Permission.READ); return aclEnforcer.hasUnrestrictedPermissions(thingResourceKey, authorizationContext, permissions) ? Optional.of(AbstractEnforcement.addReadSubjectsToThingSignal(command, aclEnforcer)) : Optional.empty(); }
/** * Restrict view on a JSON object by enforcer. * * @param responseEntity the JSON object to restrict view on. * @param response the response containing the object. * @param enforcer the enforcer. * @return JSON object with view restricted by enforcer. */ private static JsonObject getJsonViewForThingQueryCommandResponse(final JsonObject responseEntity, final ThingQueryCommandResponse response, final Enforcer enforcer) { final ResourceKey resourceKey = ResourceKey.newInstance(ThingCommand.RESOURCE_TYPE, response.getResourcePath()); final AuthorizationContext authorizationContext = response.getDittoHeaders().getAuthorizationContext(); return enforcer.buildJsonView(resourceKey, responseEntity, authorizationContext, THING_QUERY_COMMAND_RESPONSE_WHITELIST, Permissions.newInstance(Permission.READ)); }