/** * Authorize a thing-command by a policy enforcer. * * @param <T> type of the thing-command. * @param policyEnforcer the policy enforcer. * @param command the command to authorize. * @return optionally the authorized command extended by read subjects. */ static <T extends ThingCommand> Optional<T> authorizeByPolicy(final Enforcer policyEnforcer, final ThingCommand<T> command) { final ResourceKey thingResourceKey = PoliciesResourceType.thingResource(command.getResourcePath()); final AuthorizationContext authorizationContext = command.getDittoHeaders().getAuthorizationContext(); final boolean authorized; if (command instanceof ThingModifyCommand) { final String permission = Permission.WRITE; authorized = policyEnforcer.hasUnrestrictedPermissions(thingResourceKey, authorizationContext, permission); } else { final String permission = Permission.READ; authorized = policyEnforcer.hasPartialPermissions(thingResourceKey, authorizationContext, permission); } return authorized ? Optional.of(AbstractEnforcement.addReadSubjectsToThingSignal(command, policyEnforcer)) : Optional.empty(); }
private static Optional<Policy> getDefaultPolicy(final AuthorizationContext authorizationContext, final CharSequence thingId) { final Optional<Subject> subjectOptional = authorizationContext.getFirstAuthorizationSubject() .map(AuthorizationSubject::getId) .map(SubjectId::newInstance) .map(Subject::newInstance); return subjectOptional.map(subject -> Policy.newBuilder(thingId) .forLabel(DEFAULT_POLICY_ENTRY_LABEL) .setSubject(subject) .setGrantedPermissions(PoliciesResourceType.thingResource("/"), org.eclipse.ditto.services.models.things.Permission.DEFAULT_THING_PERMISSIONS) .setGrantedPermissions(PoliciesResourceType.policyResource("/"), org.eclipse.ditto.services.models.policies.Permission.DEFAULT_POLICY_PERMISSIONS) .setGrantedPermissions(PoliciesResourceType.messageResource("/"), org.eclipse.ditto.services.models.policies.Permission.DEFAULT_POLICY_PERMISSIONS) .build()); }
/** * Authorize a thing-command by an ACL enforcer. * * @param <T> type of the thing-command. * @param aclEnforcer the ACL enforcer. * @param command the command to authorize. * @return optionally the authorized command extended by read subjects. */ static <T extends ThingCommand> Optional<T> authorizeByAcl(final Enforcer aclEnforcer, final ThingCommand<T> command) { final ResourceKey thingResourceKey = PoliciesResourceType.thingResource(command.getResourcePath()); final AuthorizationContext authorizationContext = command.getDittoHeaders().getAuthorizationContext(); final Permissions permissions = command instanceof ThingModifyCommand ? computeAclPermissions((ThingModifyCommand) command) : Permissions.newInstance(Permission.READ); return aclEnforcer.hasUnrestrictedPermissions(thingResourceKey, authorizationContext, permissions) ? Optional.of(AbstractEnforcement.addReadSubjectsToThingSignal(command, aclEnforcer)) : Optional.empty(); }
.contains(org.eclipse.ditto.model.things.Permission.WRITE)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ, Permission.WRITE); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.READ, } else if (aclEntry.getPermissions().contains(org.eclipse.ditto.model.things.Permission.READ)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.READ); } else if (aclEntry.getPermissions().contains(org.eclipse.ditto.model.things.Permission.WRITE)) { labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.WRITE); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.WRITE); Permission.READ, Permission.WRITE); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(Thing.JsonFields.ACL.getPointer()), Permission.READ, Permission.WRITE); } else { labelScoped.setRevokedPermissions(PoliciesResourceType.thingResource(Thing.JsonFields.ACL.getPointer()), Permission.WRITE);
.contains(org.eclipse.ditto.model.things.Permission.WRITE)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ, Permission.WRITE); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.READ, } else if (aclEntry.getPermissions().contains(org.eclipse.ditto.model.things.Permission.READ)) { labelScoped.setGrantedPermissions(PoliciesResourceType.policyResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.READ); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.READ); } else if (aclEntry.getPermissions().contains(org.eclipse.ditto.model.things.Permission.WRITE)) { labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(ROOT_PATH), Permission.WRITE); labelScoped.setGrantedPermissions(PoliciesResourceType.messageResource(ROOT_PATH), Permission.WRITE); Permission.READ, Permission.WRITE); labelScoped.setGrantedPermissions(PoliciesResourceType.thingResource(Thing.JsonFields.ACL.getPointer()), Permission.READ, Permission.WRITE); } else { labelScoped.setRevokedPermissions(PoliciesResourceType.thingResource(Thing.JsonFields.ACL.getPointer()), Permission.WRITE);
PoliciesResourceType.thingResource("/"), signal.getDittoHeaders().getAuthorizationContext(), WRITE);