| package org.globus.cas.impl.databaseAccess; |
| import org.apache.commons.logging.Log; |
| import org.apache.commons.logging.LogFactory; |
| import org.globus.cas.types.PolicyData; |
| import org.globus.cas.types.ObjectData; |
| import org.globus.cas.types.CasObjectData; |
| import org.globus.cas.impl.CasConstants; |
| import org.globus.cas.impl.service.ObjectComparison; |
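/**
 * Authorization checks for the CAS administrative operations.
 *
 * <p>Every {@code canXxx} method answers "may {@code userName} perform this
 * operation?" by handing one of the policy templates kept in
 * {@link CasConstants} to {@link PermissionsEvaluator#userHasPermissions}.
 * A {@code false} return means "not permitted"; a {@link CasDBException}
 * means "could not decide" (or, for a few operations, "the request is
 * invalid"). Evaluator failures are logged with their stack trace and
 * rethrown with an operation-specific prefix, the original kept as cause.
 *
 * <p>The policy templates in {@code CasConstants} are shared, mutable
 * singletons. Methods that need a concrete target write the object spec into
 * the template immediately before evaluating it, so the write-then-evaluate
 * sequence is done while holding the template's monitor
 * ({@link #checkWithTarget}); otherwise two concurrent callers could have
 * their permissions evaluated against each other's target, i.e. an
 * authorization decision on the wrong object. The write itself still
 * persists in the shared instance after the call; see the review notes on
 * {@link #canCreateObject} and {@link #grantAllPermission}.
 */
public class PermissionsHandler {

    static final Log logger =
        LogFactory.getLog(PermissionsHandler.class.getName());

    // ------------------------------------------------------------------
    // Shared plumbing
    // ------------------------------------------------------------------

    /**
     * Logs {@code exp} with its stack trace and returns the exception the
     * public methods throw: the operation context prefixed to the original
     * message, with {@code exp} preserved as the cause.
     */
    private static CasDBException wrap(String errContext, CasDBException exp) {
        logger.error(errContext, exp);
        return new CasDBException(errContext + exp.getMessage(), exp);
    }

    /**
     * Logs and returns an "invalid request" exception. Callers {@code throw}
     * the result; returning it keeps the compiler aware the branch ends.
     */
    private static CasDBException badArgument(String msg) {
        logger.error(msg);
        return new CasDBException(msg);
    }

    /**
     * Rejects a null spec value with a {@link CasDBException} (the type the
     * callers already handle) instead of the NullPointerException that
     * {@code trim()} would raise, and returns the trimmed value.
     *
     * @param value the raw argument
     * @param what  the argument's name, used in the error message
     */
    private static String requireSpec(String value, String what)
        throws CasDBException {
        if (value == null) {
            throw badArgument(what + " to check permission is null");
        }
        return value.trim();
    }

    /**
     * Writes the target into the shared policy template and evaluates it for
     * {@code userName}.
     *
     * <p>The template is a static singleton, so the two setter calls and the
     * evaluation must not interleave with another caller's: the template's
     * monitor is held for the whole sequence so the decision is made for
     * this call's target. Evaluator exceptions propagate unwrapped; the
     * public method adds its own context.
     */
    private static boolean checkWithTarget(String userName, PolicyData policy,
                                           String objectSpec,
                                           String objectSpecDesc)
        throws CasDBException {
        synchronized (policy) {
            policy.setObjectSpec(objectSpec);
            policy.setObjectSpecDesc(objectSpecDesc);
            return PermissionsEvaluator.userHasPermissions(userName, policy);
        }
    }

    /** Evaluates a template that needs no target, wrapping failures. */
    private static boolean checkPlain(String userName, PolicyData policy,
                                      String errContext)
        throws CasDBException {
        try {
            return PermissionsEvaluator.userHasPermissions(userName, policy);
        }
        catch (CasDBException exp) {
            throw wrap(errContext, exp);
        }
    }

    /** Evaluates a template against a target, wrapping failures. */
    private static boolean checkTargeted(String userName, PolicyData policy,
                                         String objectSpec,
                                         String objectSpecDesc,
                                         String errContext)
        throws CasDBException {
        try {
            return checkWithTarget(userName, policy, objectSpec,
                                   objectSpecDesc);
        }
        catch (CasDBException exp) {
            throw wrap(errContext, exp);
        }
    }

    /** Error text for a group type that is not user/object/service action. */
    private static String badGpTypeMessage() {
        return "type shoud be " + CasConstants.USER_SPEC
            + " or " + CasConstants.OBJECT_SPEC + " or "
            + CasConstants.SERVICEACTION_SPEC;
    }

    /** Error text for an operation that is neither add nor remove. */
    private static String badOperationMessage() {
        return "type should be " + CasConstants.ADD_OPERATION + " or "
            + CasConstants.REMOVE_OPERATION;
    }

    /**
     * Maps a group type to the policy guarding creation of that kind of
     * group. A null or unknown type is an invalid request.
     */
    private static PolicyData gpCreationPolicyFor(String type)
        throws CasDBException {
        String kind = (type == null) ? null : type.trim();
        if (CasConstants.USER_SPEC.equals(kind)) {
            return CasConstants.userGpCreationPolicy;
        }
        if (CasConstants.OBJECT_SPEC.equals(kind)) {
            return CasConstants.objectGpCreationPolicy;
        }
        if (CasConstants.SERVICEACTION_SPEC.equals(kind)) {
            return CasConstants.serviceActionGpCreationPolicy;
        }
        throw badArgument(badGpTypeMessage());
    }

    /**
     * Maps a group type to the object-spec description of a group of that
     * kind. A null or unknown type is an invalid request.
     */
    private static String gpSpecDescFor(String type) throws CasDBException {
        String kind = (type == null) ? null : type.trim();
        if (CasConstants.USER_SPEC.equals(kind)) {
            return CasConstants.USERGP_SPEC;
        }
        if (CasConstants.OBJECT_SPEC.equals(kind)) {
            return CasConstants.OBJECTGP_SPEC;
        }
        if (CasConstants.SERVICEACTION_SPEC.equals(kind)) {
            return CasConstants.SERVICEACTIONGP_SPEC;
        }
        throw badArgument(badGpTypeMessage());
    }

    /**
     * Maps an add/remove operation to the entry-manipulation policy that
     * guards it. A null or unknown operation is an invalid request.
     */
    private static PolicyData entryPolicyFor(String operation)
        throws CasDBException {
        String op = (operation == null) ? null : operation.trim();
        if (CasConstants.ADD_OPERATION.equals(op)) {
            return CasConstants.gpAddEntryPolicy;
        }
        if (CasConstants.REMOVE_OPERATION.equals(op)) {
            return CasConstants.gpDeleteEntryPolicy;
        }
        throw badArgument(badOperationMessage());
    }

    /**
     * Common body of the add/remove-entry checks: resolves the operation to
     * its policy, targets it at {@code target} and evaluates. The
     * bad-operation error is raised inside the try so it is reported with
     * the caller's context, as it always has been.
     */
    private static boolean checkEntryManipulation(String operation,
                                                  String userName,
                                                  String target,
                                                  String targetSpecDesc,
                                                  String errContext)
        throws CasDBException {
        try {
            PolicyData policy = entryPolicyFor(operation);
            return checkWithTarget(userName, policy,
                                   requireSpec(target, "Target name"),
                                   targetSpecDesc);
        }
        catch (CasDBException exp) {
            throw wrap(errContext, exp);
        }
    }

    // ------------------------------------------------------------------
    // Trust anchors and users
    // ------------------------------------------------------------------

    /**
     * Whether {@code userName} may enroll a trust anchor.
     *
     * @throws CasDBException if the evaluation fails
     */
    public static boolean canEnrollTrustAnchor(String userName)
        throws CasDBException {
        return checkPlain(userName, CasConstants.trustEnrollPolicy,
                          "Could not ascertain enroll trust anchor priviledges "
                          + "for user. ");
    }

    /**
     * Whether {@code userName} may unenroll the trust anchor
     * {@code nickname}.
     *
     * @throws CasDBException if {@code nickname} is null or the evaluation
     *         fails
     */
    public static boolean canUnenrollTrustAnchor(String userName,
                                                 String nickname)
        throws CasDBException {
        String target = requireSpec(nickname, "Trust anchor nickname");
        return checkTargeted(userName, CasConstants.unenrollPolicy, target,
                             CasConstants.TRUSTANCHOR_SPEC,
                             "Could not ascertain unenroll trust anchor "
                             + " priviledges for user. ");
    }

    /**
     * Whether {@code userName} may enroll a user.
     *
     * @throws CasDBException if the evaluation fails
     */
    public static boolean canEnrollUser(String userName)
        throws CasDBException {
        return checkPlain(userName, CasConstants.userEnrollPolicy,
                          "Could not ascertain enroll user priviledges for "
                          + "user.");
    }

    /**
     * Whether {@code userName} may unenroll the user {@code userNickname}.
     *
     * @throws CasDBException if {@code userNickname} is null or the
     *         evaluation fails
     */
    public static boolean canUnenrollUser(String userName,
                                          String userNickname)
        throws CasDBException {
        String target = requireSpec(userNickname, "User nickname");
        return checkTargeted(userName, CasConstants.unenrollPolicy, target,
                             CasConstants.USER_SPEC,
                             "Could not ascertain unenroll user priviledges for "
                             + "user.");
    }

    // ------------------------------------------------------------------
    // Groups
    // ------------------------------------------------------------------

    /**
     * Whether {@code userName} may create a group of the given type.
     *
     * @param type one of {@code CasConstants.USER_SPEC},
     *             {@code OBJECT_SPEC} or {@code SERVICEACTION_SPEC}
     * @throws CasDBException if {@code type} is not one of those or the
     *         evaluation fails; either is reported with the create-group
     *         context
     */
    public static boolean canCreateGps(String type, String userName)
        throws CasDBException {
        try {
            return PermissionsEvaluator.userHasPermissions(
                userName, gpCreationPolicyFor(type));
        }
        catch (CasDBException exp) {
            throw wrap("Could not ascertain create group priviledges for "
                       + "user.", exp);
        }
    }

    /**
     * Whether {@code userName} may delete the group {@code gpName} of the
     * given type.
     *
     * @param type one of {@code CasConstants.USER_SPEC},
     *             {@code OBJECT_SPEC} or {@code SERVICEACTION_SPEC}
     * @throws CasDBException if {@code type} is invalid, {@code gpName} is
     *         null, or the evaluation fails
     */
    public static boolean canDeleteGps(String type, String userName,
                                       String gpName)
        throws CasDBException {
        try {
            String desc = gpSpecDescFor(type);
            return checkWithTarget(userName, CasConstants.gpDeletionPolicy,
                                   requireSpec(gpName, "Group name"), desc);
        }
        catch (CasDBException exp) {
            throw wrap("Could not ascertain delete group priviledges for "
                       + "user.", exp);
        }
    }

    /**
     * Whether {@code userName} may add to / remove from the object group
     * {@code gpName}.
     *
     * @param type {@code CasConstants.ADD_OPERATION} or
     *             {@code REMOVE_OPERATION}
     * @throws CasDBException if {@code type} is invalid, {@code gpName} is
     *         null, or the evaluation fails
     */
    public static boolean canManipObjectGps(String type, String userName,
                                            String gpName)
        throws CasDBException {
        return checkEntryManipulation(type, userName, gpName,
                                      CasConstants.OBJECTGP_SPEC,
                                      "Could not ascertain add/remove from object group "
                                      + " priviledges for user.");
    }

    /**
     * Whether {@code userName} may add to / remove from the user group
     * {@code gpName}.
     *
     * @param type {@code CasConstants.ADD_OPERATION} or
     *             {@code REMOVE_OPERATION}
     * @throws CasDBException if {@code type} is invalid, {@code gpName} is
     *         null, or the evaluation fails
     */
    public static boolean canManipUserGps(String type, String userName,
                                          String gpName)
        throws CasDBException {
        return checkEntryManipulation(type, userName, gpName,
                                      CasConstants.USERGP_SPEC,
                                      "Could not ascertain add/remove from user group "
                                      + " priviledges for user.");
    }

    /**
     * Whether {@code userName} may add to / remove from the service action
     * group {@code gpName}.
     *
     * @param type {@code CasConstants.ADD_OPERATION} or
     *             {@code REMOVE_OPERATION}
     * @throws CasDBException if {@code type} is invalid, {@code gpName} is
     *         null, or the evaluation fails
     */
    public static boolean canManipServiceActionGps(String type,
                                                   String userName,
                                                   String gpName)
        throws CasDBException {
        return checkEntryManipulation(type, userName, gpName,
                                      CasConstants.SERVICEACTIONGP_SPEC,
                                      "Could not ascertain add/remove from service action "
                                      + "group priviledges for user.");
    }

    // ------------------------------------------------------------------
    // Service types and actions
    // ------------------------------------------------------------------

    /**
     * Whether {@code userName} may remove the service action with the given
     * id. The id is resolved to its "serviceType/action" mapping and the
     * check is made on the service type.
     *
     * @throws CasDBException if the id is not a number, no mapping is found
     *         for it, or the evaluation fails
     */
    public static boolean canRemoveServiceActionId(String userName,
                                                   String serviceActionId)
        throws CasDBException {
        int actionId;
        try {
            actionId = Integer.parseInt(
                requireSpec(serviceActionId, "Service action id"));
        }
        catch (NumberFormatException nfe) {
            // Report a malformed id through the exception type callers
            // already handle rather than letting the NFE escape.
            String msg = "Service action id is not a number: "
                + serviceActionId;
            logger.error(msg, nfe);
            throw new CasDBException(msg, nfe);
        }
        String serviceAction =
            ServiceTypeActionHandler.getServiceActionMapping(actionId);
        // The mapping is "serviceType/action"; a null mapping or one without
        // the separator cannot be checked (previously this would have thrown
        // NullPointerException / StringIndexOutOfBoundsException).
        // NOTE(review): whether getServiceActionMapping() returns null for an
        // unknown id, or throws, is not visible here -- confirm.
        int sep = (serviceAction == null) ? -1 : serviceAction.indexOf('/');
        if (sep < 0) {
            throw badArgument("No service type/action mapping found for id "
                              + actionId);
        }
        String serviceTypeName = serviceAction.substring(0, sep);
        return canManipServiceActionMapping(CasConstants.REMOVE_OPERATION,
                                            userName, serviceTypeName);
    }

    /**
     * Whether {@code userName} may add to / remove from the action mapping
     * of the service type {@code serviceType}.
     *
     * @param type {@code CasConstants.ADD_OPERATION} or
     *             {@code REMOVE_OPERATION}
     * @throws CasDBException if {@code type} is invalid, {@code serviceType}
     *         is null, or the evaluation fails
     */
    public static boolean canManipServiceActionMapping(String type,
                                                       String userName,
                                                       String serviceType)
        throws CasDBException {
        return checkEntryManipulation(type, userName, serviceType,
                                      CasConstants.SERVICETYPE_SPEC,
                                      "Could not ascertain add/remove service action "
                                      + "mapping priviledges for user.");
    }

    /**
     * Whether {@code userName} may create a service type.
     *
     * @throws CasDBException if the evaluation fails
     */
    public static boolean canCreateServiceType(String userName)
        throws CasDBException {
        return checkPlain(userName, CasConstants.serviceTypeCreationPolicy,
                          "Could not ascertain create service type priviledges "
                          + "for user.");
    }

    /**
     * Whether {@code userName} may delete the service type
     * {@code serviceTypeName}.
     *
     * @throws CasDBException if {@code serviceTypeName} is null or the
     *         evaluation fails
     */
    public static boolean canDeleteServiceType(String userName,
                                               String serviceTypeName)
        throws CasDBException {
        String target = requireSpec(serviceTypeName, "Service type name");
        return checkTargeted(userName, CasConstants.unenrollPolicy, target,
                             CasConstants.SERVICETYPE_SPEC,
                             "Could not ascertain delete service type priviledges "
                             + "for user.");
    }

    // ------------------------------------------------------------------
    // Namespaces
    // ------------------------------------------------------------------

    /**
     * Whether {@code userName} may create a namespace.
     *
     * @throws CasDBException if the evaluation fails
     */
    public static boolean canCreateNamespace(String userName)
        throws CasDBException {
        return checkPlain(userName, CasConstants.namespaceEnrollPolicy,
                          "Could not ascertain create namespace priviledges for "
                          + "user.");
    }

    /**
     * Whether {@code userName} may delete the namespace {@code nsNickname}.
     *
     * @throws CasDBException if {@code nsNickname} is null or the evaluation
     *         fails
     */
    public static boolean canDeleteNamespace(String userName,
                                             String nsNickname)
        throws CasDBException {
        String target = requireSpec(nsNickname, "Namespace nickname");
        return checkTargeted(userName, CasConstants.unenrollPolicy, target,
                             CasConstants.NAMESPACE_SPEC,
                             "Could not ascertain delete namespace priviledges for "
                             + "user.");
    }

    // ------------------------------------------------------------------
    // Objects
    // ------------------------------------------------------------------

    /**
     * Whether {@code userName} holds the enroll-object right on the existing
     * object {@code objData}. Evaluator failures propagate unwrapped.
     */
    private static boolean hasEnrollObjPermission(String userName,
                                                  ObjectData objData)
        throws CasDBException {
        return checkWithTarget(userName, CasConstants.objectEnrollPolicy,
                               objData.getObjectId(),
                               CasConstants.OBJECT_SPEC);
    }

    /**
     * Whether {@code userName} holds the grant-all right on the existing
     * object {@code objData}. Evaluator failures propagate unwrapped.
     */
    private static boolean hasGrantAllObjPermission(String userName,
                                                    ObjectData objData)
        throws CasDBException {
        return checkWithTarget(userName, CasConstants.grantAllPolicy,
                               objData.getObjectId(),
                               CasConstants.OBJECT_SPEC);
    }

    /**
     * True if {@code userName} may enroll at least one of {@code candidates}.
     */
    private static boolean anyEnrollable(String userName,
                                         ObjectData[] candidates)
        throws CasDBException {
        for (int i = 0; i < candidates.length; i++) {
            if (hasEnrollObjPermission(userName, candidates[i])) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether {@code userName} may create the object {@code objectName} in
     * the namespace {@code namespaceNick}.
     *
     * <p>The caller needs the generic enroll-object right, and the object
     * must not already exist exactly. Where it overlaps existing objects
     * (decided by the namespace's comparison algorithm) the caller needs the
     * enroll right on at least one enclosing (superset) object and the
     * grant-all right on every enclosed (subset) object.
     *
     * @return true when permitted; false when the generic right is missing
     * @throws CasDBException when the object exists, when an overlapping
     *         object blocks creation, or when a lookup or evaluation fails
     */
    public static boolean canCreateObject(String userName,
                                          String namespaceNick,
                                          String objectName)
        throws CasDBException {

        logger.debug("canCreateObj " + userName + " " + namespaceNick + " "
                     + objectName);

        // NOTE(review): CasConstants.objectEnrollPolicy is evaluated here
        // as-is, but hasEnrollObjPermission() writes an object spec into
        // that same shared instance, so the spec from an earlier call is
        // still in it at this point. Whether that changes this decision
        // depends on PermissionsEvaluator -- confirm, and prefer a per-call
        // copy of the template if it does.
        try {
            if (!PermissionsEvaluator.userHasPermissions(
                    userName, CasConstants.objectEnrollPolicy)) {
                logger.debug("Does not have cas/enrollObject");
                return false;
            }
        }
        catch (CasDBException exp) {
            throw wrap("Could not ascertain create object priviledges for "
                       + "user.", exp);
        }
        logger.debug("cas/enroll exists");

        String compAlg = ObjectDataHandler.getComparisonAlg(namespaceNick);
        ObjectComparison objComp =
            ObjectDataHandler.getComparisonClass(compAlg);

        ObjectData objData = new ObjectData();
        objData.setObjectName(objectName);
        objData.setObjectNamespace(namespaceNick);

        if (objComp.exactMatchExists(objData)) {
            throw badArgument("Object already exists");
        }
        logger.debug("no exact match ");

        // Enclosing objects: one enroll right among them is enough.
        // Evaluator failures here propagate without the create-object prefix.
        ObjectData[] superSet = objComp.matchingSuperset(objData);
        if (superSet != null) {
            logger.debug("Super set is not null");
            if (!anyEnrollable(userName, superSet)) {
                logger.debug("None of super set objects have cas/enrollObject");
                throw new CasDBException("Object already exists as super set "
                                         + "and relevant permissions don't "
                                         + "exist to create this oject");
            }
        }
        logger.debug("Super set went thro'");

        // Enclosed objects: grant-all is required on every one of them.
        ObjectData[] subset = objComp.matchingSubset(objData);
        if (subset != null) {
            logger.debug("Sub set is not null");
            for (int i = 0; i < subset.length; i++) {
                logger.debug("Subset " + subset[i].getObjectName());
                if (!hasGrantAllObjPermission(userName, subset[i])) {
                    logger.debug("Subset member does not have permissions");
                    throw new CasDBException("Object already exists as subset"
                                             + " and relevant permissions don't"
                                             + " exist to create this oject");
                }
            }
        }
        logger.debug("Subset went thro'");

        return true;
    }

    /**
     * Whether {@code userName} may remove the object {@code objName} in
     * namespace {@code objNamespace}. Resolves the object to its id and
     * defers to {@link #canRemoveObjectId}.
     *
     * @throws CasDBException if the object does not exist or the evaluation
     *         fails; both are reported with the remove-object context
     */
    public static boolean canRemoveObject(String userName, String objName,
                                          String objNamespace)
        throws CasDBException {
        try {
            int objId = ObjectDataHandler.getObjectId(objName, objNamespace);
            if (objId == -1) {
                throw badArgument("Object does not exist");
            }
            return canRemoveObjectId(userName, Integer.toString(objId));
        }
        catch (CasDBException exp) {
            throw wrap("Could not ascertain remove object priviledges for "
                       + "user.", exp);
        }
    }

    /**
     * Whether {@code userName} may remove the object with id {@code objId}.
     *
     * @throws CasDBException if {@code objId} is null or the evaluation fails
     */
    public static boolean canRemoveObjectId(String userName, String objId)
        throws CasDBException {
        String target = requireSpec(objId, "Object id");
        return checkTargeted(userName, CasConstants.unenrollPolicy, target,
                             CasConstants.OBJECT_SPEC,
                             "Could not ascertain remove object priviledges for "
                             + "user.");
    }

    // ------------------------------------------------------------------
    // Grant / revoke / query
    // ------------------------------------------------------------------

    /**
     * Whether {@code userName} may grant {@code actionSpec} on the object
     * described by {@code objSpec} to {@code userGpName}. Converts the object
     * to its spec string and defers to the string overload.
     */
    public static boolean canGrant(String userName, String userGpName,
                                   CasObjectData objSpec, String objSpecDesc,
                                   String actionSpec, String actionSpecDesc)
        throws CasDBException {
        String objString = PolicyDataHandler.getObjectSpecString(objSpec,
                                                                 objSpecDesc);
        return canGrant(userName, userGpName, objString, objSpecDesc,
                        actionSpec, actionSpecDesc);
    }

    /**
     * Whether {@code userName} may grant the given action on the given
     * object to {@code userGpName}: the user must hold the right being
     * granted and the generic grant right.
     *
     * @param userGpName the group receiving the grant; not consulted here
     * @return true when both rights are held; false when the right being
     *         granted is missing (logged as a warning) or the grant right is
     * @throws CasDBException if a spec is null or the evaluation fails
     */
    public static boolean canGrant(String userName, String userGpName,
                                   String objSpec, String objSpecDesc,
                                   String actionSpec, String actionSpecDesc)
        throws CasDBException {

        // A fresh PolicyData per call: nothing shared, nothing to lock.
        PolicyData policyData = new PolicyData();
        policyData.setActionSpec(requireSpec(actionSpec, "Action spec"));
        policyData.setActionSpecDesc(
            requireSpec(actionSpecDesc, "Action spec description"));
        policyData.setObjectSpec(requireSpec(objSpec, "Object spec"));
        policyData.setObjectSpecDesc(
            requireSpec(objSpecDesc, "Object spec description"));

        try {
            if (!PermissionsEvaluator.userHasPermissions(userName,
                                                         policyData)) {
                logger.warn("No permissions to perform the service/action that"
                            + " has to be granted");
                return false;
            }
            logger.debug("action is allowed, but grant not found");
            return PermissionsEvaluator.userHasPermissions(
                userName, CasConstants.grantPolicy);
        }
        catch (CasDBException exp) {
            throw wrap("Could not ascertain grant rights priviledges for "
                       + "user.", exp);
        }
    }

    /**
     * Whether {@code userName} may revoke the policy {@code policyId}.
     *
     * @throws CasDBException if {@code policyId} is null or the evaluation
     *         fails
     */
    public static boolean canRevoke(String userName, String policyId)
        throws CasDBException {
        logger.debug("Policy id is " + policyId);
        String target = requireSpec(policyId, "Policy id");
        return checkTargeted(userName, CasConstants.revokePolicy, target,
                             CasConstants.POLICY_SPEC,
                             "Could not ascertain revoke rights priviledges for "
                             + "user.");
    }

    /**
     * Whether {@code userName} may query the service.
     *
     * @throws CasDBException if the evaluation fails
     */
    public static boolean canQuery(String userName)
        throws CasDBException {
        return checkPlain(userName, CasConstants.queryPolicy,
                          "Could not ascertain query priviledges for user.");
    }

    /**
     * Stores a grant-all policy for {@code userGpName} on the given object.
     *
     * @throws CasDBException if an argument is null or the store fails
     */
    public static void grantAllPermission(String userGpName, String spec,
                                          String specDesc)
        throws CasDBException {
        String group = requireSpec(userGpName, "User group name");
        String target = requireSpec(spec, "Object spec");
        String targetDesc = requireSpec(specDesc, "Object spec description");

        PolicyData policy = CasConstants.grantAllPolicy;
        // Same shared-template discipline as checkWithTarget(): the three
        // writes and the store must not interleave with another caller.
        // NOTE(review): the user group name written here stays in the shared
        // template that hasGrantAllObjPermission() evaluates later; whether
        // PermissionsEvaluator reads it is not visible here -- confirm, and
        // prefer building a fresh PolicyData for the store if it does.
        synchronized (policy) {
            policy.setUserGroupName(group);
            policy.setObjectSpec(target);
            policy.setObjectSpecDesc(targetDesc);
            PolicyDataHandler.storeObject(policy);
        }
    }

    /**
     * Whether {@code userName} is authorized for an arbitrary policy, using
     * the evaluator's three-argument form.
     *
     * @throws CasDBException if {@code userName} is null or the evaluation
     *         fails
     */
    public static boolean isAuthorizedPolicy(String userName,
                                             PolicyData policyData)
        throws CasDBException {
        return PermissionsEvaluator.userHasPermissions(
            requireSpec(userName, "User name"),
            policyData,
            true);
    }
}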