/**
 * Authorizes a policy command against a policy enforcer.
 * <p>
 * A {@link PolicyModifyCommand} is authorized only if the enforcer reports unrestricted
 * {@code WRITE} permission on the command's policy resource path; every other policy command is
 * authorized if the enforcer reports (at least partial) {@code READ} permission on that path.
 * The authorization context is taken from the command's Ditto headers.
 *
 * @param <T> type of the policy command.
 * @param command the command to authorize.
 * @param enforcer the policy enforcer consulted for the decision.
 * @return the command itself when authorized, otherwise an empty Optional.
 */
public static <T extends PolicyCommand> Optional<T> authorizePolicyCommand(final T command, final Enforcer enforcer) {
    final ResourceKey resourceKey = PoliciesResourceType.policyResource(command.getResourcePath());
    final AuthorizationContext authContext = command.getDittoHeaders().getAuthorizationContext();

    // Modifying commands go through the stricter "unrestricted" check; all others accept a partial grant.
    final boolean granted = command instanceof PolicyModifyCommand
            ? enforcer.hasUnrestrictedPermissions(resourceKey, authContext, Permission.WRITE)
            : enforcer.hasPartialPermissions(resourceKey, authContext, Permission.READ);

    if (!granted) {
        return Optional.empty();
    }
    return Optional.of(command);
}
/**
 * Builds the default policy for a thing from the first subject of an authorization context.
 * <p>
 * The resulting policy has a single entry, labelled {@code DEFAULT_POLICY_ENTRY_LABEL}, whose only
 * subject is the context's first authorization subject. That entry grants the default thing
 * permissions on thing resource {@code "/"} and the default policy permissions on both policy
 * resource {@code "/"} and message resource {@code "/"} (the message resource reuses the policy
 * default permission set).
 *
 * @param authorizationContext the context whose first subject becomes the policy's subject.
 * @param thingId the ID of the thing the policy is created for.
 * @return the default policy, or an empty Optional if the context contains no subject.
 */
private static Optional<Policy> getDefaultPolicy(final AuthorizationContext authorizationContext, final CharSequence thingId) {
    final Optional<Subject> firstSubject = authorizationContext.getFirstAuthorizationSubject()
            .map(authSubject -> Subject.newInstance(SubjectId.newInstance(authSubject.getId())));

    // Without a subject there is nobody to grant anything to, so no policy is produced.
    if (!firstSubject.isPresent()) {
        return Optional.empty();
    }

    final Policy defaultPolicy = Policy.newBuilder(thingId)
            .forLabel(DEFAULT_POLICY_ENTRY_LABEL)
            .setSubject(firstSubject.get())
            .setGrantedPermissions(PoliciesResourceType.thingResource("/"),
                    org.eclipse.ditto.services.models.things.Permission.DEFAULT_THING_PERMISSIONS)
            .setGrantedPermissions(PoliciesResourceType.policyResource("/"),
                    org.eclipse.ditto.services.models.policies.Permission.DEFAULT_POLICY_PERMISSIONS)
            .setGrantedPermissions(PoliciesResourceType.messageResource("/"),
                    org.eclipse.ditto.services.models.policies.Permission.DEFAULT_POLICY_PERMISSIONS)
            .build();
    return Optional.of(defaultPolicy);
}
aclEntry.getPermissions() .contains(org.eclipse.ditto.model.things.Permission.WRITE)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ, Permission.WRITE); Permission.WRITE); } else if (aclEntry.getPermissions().contains(org.eclipse.ditto.model.things.Permission.READ)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ, Permission.WRITE);
aclEntry.getPermissions() .contains(org.eclipse.ditto.model.things.Permission.WRITE)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ, Permission.WRITE); Permission.WRITE); } else if (aclEntry.getPermissions().contains(org.eclipse.ditto.model.things.Permission.READ)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ, Permission.WRITE);