/** * retrieve if delegatable * * @param action * @param attributeDefName * @return if delegatable or grant */ private AttributeAssignDelegatable retrieveDelegatable( String action, AttributeDefName attributeDefName) { if (AttributeDefType.perm != attributeDefName.getAttributeDef().getAttributeDefType()) { throw new RuntimeException( "Can only delegate a permission: " + attributeDefName.getAttributeDef().getAttributeDefType()); } Set<PermissionEntry> permissionEntries = GrouperDAOFactory.getFactory() .getPermissionEntry() .findByMemberIdAndAttributeDefNameId( GrouperSession.staticGrouperSession().getMemberUuid(), attributeDefName.getId()); boolean isGrant = false; boolean isDelegate = false; action = StringUtils.defaultString(action, AttributeDef.ACTION_DEFAULT); for (PermissionEntry permissionEntry : permissionEntries) { if (permissionEntry.isEnabled() && StringUtils.equals(action, permissionEntry.getAction())) { AttributeAssignDelegatable localDelegatable = permissionEntry.getAttributeAssignDelegatable(); isGrant = isGrant || (localDelegatable == AttributeAssignDelegatable.GRANT); isDelegate = isDelegate || localDelegatable.delegatable(); } } if (isGrant) { return AttributeAssignDelegatable.GRANT; } if (isDelegate) { return AttributeAssignDelegatable.TRUE; } return AttributeAssignDelegatable.FALSE; }
/** * add a multi assignable attribute * * @param action is the action on the assignment (null means default action) * @param attributeDefName * @param checkSecurity * @param uuid uuid of the assignment * @return the result including if added or already there */ public AttributeAssignResult internal_addAttributeHelper( String action, AttributeDefName attributeDefName, boolean checkSecurity, String uuid) { AttributeDef attributeDef = attributeDefName.getAttributeDef(); if (!attributeDef.isMultiAssignable()) { throw new RuntimeException( "This attribute must be multi-assignable to call this method, use the non multi-assign method: " + attributeDefName.getName()); } if (checkSecurity) { this.assertCanUpdateAttributeDefName(attributeDefName); } this.assertScopeOk(attributeDef); AttributeAssign attributeAssign = newAttributeAssign(action, attributeDefName, uuid); if (StringUtils.isBlank(attributeAssign.getAttributeAssignActionId())) { attributeAssign.setAttributeAssignActionId( attributeDef.getAttributeDefActionDelegate().allowedAction(action, true).getId()); } attributeAssign.saveOrUpdate(checkSecurity); return new AttributeAssignResult(true, attributeAssign); }
/** * @param action is the action on the assignment (null means default action) * @param attributeDefName * @param checkSecurity * @return if removed or already not assigned */ private AttributeAssignResult removeAttributeHelper( String action, AttributeDefName attributeDefName, boolean checkSecurity) { if (checkSecurity) { this.assertCanUpdateAttributeDefName(attributeDefName); } AttributeAssignResult attributeAssignResult = new AttributeAssignResult(); attributeAssignResult.setChanged(false); // see if it exists if (!this.hasAttributeHelper(action, attributeDefName, false)) { return attributeAssignResult; } action = StringUtils.defaultIfEmpty(action, AttributeDef.ACTION_DEFAULT); Set<AttributeAssign> attributeAssigns = retrieveAttributeAssignsByOwnerAndAttributeDefNameId(attributeDefName.getId()); Set<AttributeAssign> attributeAssignsToReturn = new LinkedHashSet<AttributeAssign>(); for (AttributeAssign attributeAssign : attributeAssigns) { String currentAttributeAction = attributeAssign.getAttributeAssignAction().getName(); if (StringUtils.equals(action, currentAttributeAction)) { attributeAssignResult.setChanged(true); attributeAssignsToReturn.add(attributeAssign); attributeAssign.delete(); } } attributeAssignResult.setAttributeAssigns(attributeAssignsToReturn); return attributeAssignResult; }
/** * retrieve an assignment (should be single assign) * * @param action * @param attributeDefName * @param checkSecurity * @param exceptionIfNull * @return the assignment */ public AttributeAssign retrieveAssignment( String action, AttributeDefName attributeDefName, boolean checkSecurity, boolean exceptionIfNull) { if (checkSecurity) { this.assertCanReadAttributeDefName(attributeDefName); } Set<AttributeAssign> attributeAssigns = retrieveAttributeAssignsByOwnerAndAttributeDefNameId(attributeDefName.getId()); return retrieveAssignmentHelper(action, attributeDefName, exceptionIfNull, attributeAssigns); }
/** * @param action on the assignment * @param attributeDefName * @param checkSecurity * @return true if has attribute, false if not */ boolean hasAttributeHelper( String action, AttributeDefName attributeDefName, boolean checkSecurity) { if (checkSecurity) { this.assertCanReadAttributeDefName(attributeDefName); } Set<AttributeAssign> attributeAssigns = retrieveAttributeAssignsByOwnerAndAttributeDefNameId(attributeDefName.getId()); action = StringUtils.defaultIfEmpty(action, AttributeDef.ACTION_DEFAULT); for (AttributeAssign attributeAssign : attributeAssigns) { String currentAttributeAction = attributeAssign.getAttributeAssignAction().getName(); if (StringUtils.equals(action, currentAttributeAction)) { return true; } } return false; }
/** * @param action is the action on the assignment (null means default action) * @param attributeDefName * @param assign true to assign, false to unassign * @param attributeAssignDelegateOptions if there are more options, null if not * @return the result including if added or already there */ public AttributeAssignResult delegateAttribute( final String action, final AttributeDefName attributeDefName, final boolean assign, final AttributeAssignDelegateOptions attributeAssignDelegateOptions) { AttributeDef attributeDef = attributeDefName.getAttributeDef(); if (attributeDef.isMultiAssignable()) { throw new RuntimeException( "This attribute must not be multi-assignable to call " + "this method, use the multi-assign methods: " + attributeDefName.getName()); } this.assertCanDelegateAttributeDefName(action, attributeDefName); if (attributeAssignDelegateOptions != null && attributeAssignDelegateOptions.isAssignAttributeAssignDelegatable()) { if (attributeAssignDelegateOptions.getAttributeAssignDelegatable() == AttributeAssignDelegatable.GRANT || attributeAssignDelegateOptions.getAttributeAssignDelegatable() == AttributeAssignDelegatable.TRUE) { this.assertCanGrantAttributeDefName(action, attributeDefName); } } AttributeAssignResult attributeAssignResult = (AttributeAssignResult) GrouperSession.callbackGrouperSession( GrouperSession.staticGrouperSession().internal_getRootSession(), new GrouperSessionHandler() { public Object callback(GrouperSession grouperSession) throws GrouperSessionException { if (assign) { // do the same thing that an assign would do // do this as root since the user who can delegate might not be able to // assign... AttributeAssignResult attributeAssignResult2 = AttributeAssignBaseDelegate.this.internal_assignAttributeHelper( action, attributeDefName, false, null, null); if (attributeAssignDelegateOptions != null) { AttributeAssign attributeAssign = attributeAssignResult2.getAttributeAssign(); if (attributeAssignDelegateOptions.isAssignAttributeAssignDelegatable()) { attributeAssign.setAttributeAssignDelegatable( attributeAssignDelegateOptions.getAttributeAssignDelegatable()); } if (attributeAssignDelegateOptions.isAssignDisabledDate()) { attributeAssign.setDisabledTime( attributeAssignDelegateOptions.getDisabledTime()); } if (attributeAssignDelegateOptions.isAssignEnabledDate()) { attributeAssign.setDisabledTime( attributeAssignDelegateOptions.getEnabledTime()); } attributeAssign.saveOrUpdate(true); } return attributeAssignResult2; } return AttributeAssignBaseDelegate.this.removeAttributeHelper( action, attributeDefName, false); } }); return attributeAssignResult; }
/** * make sure the user can read the attribute (including looking at object if necessary) * * @param attributeDefName */ public void assertCanReadAttributeDefName(AttributeDefName attributeDefName) { AttributeDef attributeDef = attributeDefName.getAttributeDef(); assertCanReadAttributeDef(attributeDef); }
/** * @param action is the action on the assignment (null means default action) * @param attributeDefName * @param checkSecurity * @param uuid uuid of the assignment * @param permissionAllowed if permission this is the allowed flag * @return the result including if added or already there */ public AttributeAssignResult internal_assignAttributeHelper( String action, AttributeDefName attributeDefName, boolean checkSecurity, String uuid, PermissionAllowed permissionAllowed) { if (permissionAllowed == null) { permissionAllowed = PermissionAllowed.ALLOWED; } AttributeDef attributeDef = attributeDefName.getAttributeDef(); if (checkSecurity) { this.assertCanUpdateAttributeDefName(attributeDefName); } boolean isPermission = AttributeDefType.perm.equals(attributeDefName.getAttributeDef().getAttributeDefType()); if (permissionAllowed != null && permissionAllowed.isDisallowed() && !isPermission) { throw new RuntimeException( "Can only assign a permissionAllowed with attributeDefName as perm (permission) type: " + attributeDefName.getName() + ", " + attributeDefName.getAttributeDef().getAttributeDefType()); } AttributeAssign attributeAssign = retrieveAssignment(action, attributeDefName, false, false); if (attributeAssign != null) { if (permissionAllowed != null && permissionAllowed.isDisallowed() != attributeAssign.isDisallowed()) { throw new RuntimeException( "Assigning disallowed: " + permissionAllowed.isDisallowed() + ", but the existing assignment " + attributeAssign.getId() + " has: " + attributeAssign.isDisallowed() + ", you need to delete assignment and reassign."); } return new AttributeAssignResult(false, attributeAssign); } attributeAssign = newAttributeAssign(action, attributeDefName, uuid); attributeAssign.setDisallowed( permissionAllowed == null ? false : permissionAllowed.isDisallowed()); if (StringUtils.isBlank(attributeAssign.getAttributeAssignActionId())) { attributeAssign.setAttributeAssignActionId( attributeDef.getAttributeDefActionDelegate().allowedAction(action, true).getId()); } this.assertScopeOk(attributeDef); attributeAssign.internalSetAttributeDef(attributeDef); attributeAssign.internalSetAttributeDefName(attributeDefName); attributeAssign.saveOrUpdate(checkSecurity); return new AttributeAssignResult(true, attributeAssign); }
/** * @param attributeDefName * @return the assignments for a def name */ public Set<AttributeAssign> retrieveAssignments(AttributeDefName attributeDefName) { this.assertCanReadAttributeDefName(attributeDefName); return retrieveAttributeAssignsByOwnerAndAttributeDefNameId(attributeDefName.getId()); }