private ResourceState createACE(
String createdResourceURI, SecurityContext securityContext, AutoRuleConfig autoRuleConfig) {
DBObject dbObject = new BasicDBObject();
dbObject.put(ACE_REALM, securityContext.getRealm());
dbObject.put(ACE_USER_ID, securityContext.getSubject());
dbObject.put(ACE_RESOURCE_PATH, createdResourceURI);
dbObject.put(ACE_ACTIONS, autoRuleConfig.getAutoAddedOwnerPermissions().toArray());
dbObject.put(ACE_PERMITTED, true);
this.aclCollection.insert(dbObject);
log.debug("Created ACE: " + dbObject);
ResourceState createdState = new DefaultResourceState();
for (String key : dbObject.keySet()) {
createdState.putProperty(key, dbObject.get(key));
}
return createdState;
}
public AuthzDecision isAuthorized(RequestContext req) {
RequestType reqType = req.requestType();
ResourcePath resourcePath = req.resourcePath();
SecurityContext securityContext = req.securityContext();
BasicDBObject query = new BasicDBObject();
query.put(ACE_REALM, securityContext.getRealm());
query.put(ACE_RESOURCE_PATH, resourcePath.toString());
query.put(ACE_ACTIONS, reqType.toString());
// Pass if we find rule for either "userId" or some of his roles
List<DBObject> userRolesCondition = new LinkedList<>();
userRolesCondition.add(new BasicDBObject(ACE_USER_ID, securityContext.getSubject()));
if (securityContext.getRoles() != null) {
for (String role : securityContext.getRoles()) {
userRolesCondition.add(new BasicDBObject(ACE_ROLE_NAME, role));
}
}
query.put("$or", userRolesCondition);
if (log.isTraceEnabled()) {
log.trace("Sending ACE query: " + query);
}
DBCursor results = this.aclCollection.find(query);
AuthzDecision decision = AuthzDecision.IGNORE;
for (DBObject result : results) {
boolean currentDec = (Boolean) result.get(ACE_PERMITTED);
// For now, always merge. No rule priorities...
AuthzDecision currentDecision = currentDec ? AuthzDecision.ACCEPT : AuthzDecision.REJECT;
decision = decision.mergeDecision(currentDecision);
if (log.isTraceEnabled()) {
log.trace("Found result: " + result);
}
}
return decision;
}
