com.broadleafcommerce.auth.security.service

Class DefaultPrivilegeService

java.lang.Object

com.broadleafcommerce.auth.security.service.DefaultPrivilegeService

All Implemented Interfaces:

PrivilegeService

public class DefaultPrivilegeService
extends Object
implements PrivilegeService

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	DefaultPrivilegeService.PrivilegeHydrationResult An intermediary data structure used internally by PrivilegeService to hold all the restrictions, flat permissions, restricted roles, and restricted permissions of a user entity and permissions from a server entity to prevent querying the data multiple times.

Constructor Summary

Constructors

Constructor and Description
DefaultPrivilegeService(UserRoleService<UserRole> userRoleService, UserRoleAncestryHydrationService roleAncestryHydrationService, AuthorizationServerService<AuthorizationServer> serverService)

Method Summary

Modifier and Type	Method and Description
protected void	addRestrictionByExpandedPermissionNames(@NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName, @NonNull Restriction restriction, @NonNull String permissionName) Add both ALL_* permissions and expanded CRUD_* permissions with the given restriction to the map.
protected Set<String>	getAllAuthorities(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets all the authorities from the flat permissions, permissions from restricted roles, and permissions from restricted permissions.
protected Set<UserPermissionRef>	getAllFlatPermissions(@NonNull Collection<UserRole> roles) Gets a set of all UserRole.getPermissions() from the given roles
protected Set<UserPermissionRef>	getAllFlatPermissions(@NonNull User user, @NonNull AuthorizationServer server, @NonNull Collection<UserRole> userAndServerRolesWithAncestors) Gets a set of all flat permissions from User.getPermissions(), AuthorizationServer.getDefaultUserPermissions(), and permissions from the given roles.
protected DefaultPrivilegeService.PrivilegeHydrationResult	getHydratedPrivileges(@NonNull User user, @NonNull String serverId)
protected Map<String,Set<String>>	getMergedRestrictionTargetsByRestrictionType(@NonNull Map<String,Set<String>> restrictionTargetsByRestrictionType1, @NonNull Map<String,Set<String>> restrictionTargetsByRestrictionType2) Gets a Map that is a combination of the two given restrictions maps.
protected Map<String,Map<String,Set<String>>>	getMergedRestrictionTypeAndTargetsByPermissionName(@NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName1, @NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName2) Gets a Map that is a combination of the two given restrictionTypeAndTargetsByPermissionName maps.
protected Set<UserPermissionRef>	getPermissionsFromRestrictedPrivileges(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets all the permissions from restricted roles and their ancestors, and restricted permissions.
Map<String,Set<String>>	getRestrictionTargetsByRestrictionType(@NonNull Set<Restriction> restrictions) Converts the Set of Restriction to a Map with the structure of: {restrictionType: [restrictionTargets]}.
protected Map<String,Map<String,Set<String>>>	getRestrictionTypeAndTargetsByPermissionName(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets a consolidated map of restricted permissions with the combination of flat permissions and restrictions, restricted roles, and restricted permissions from a User.
protected Map<String,Map<String,Set<String>>>	getRestrictionTypeAndTargetsByPermissionName(@NonNull Set<UserPermissionRef> flatPermissions, @NonNull Set<Restriction> restrictions) Maps each UserPermissionRef with all of Restriction.
protected Map<String,Map<String,Set<String>>>	getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissions(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Converts the Set of RestrictedPermission to a Map with the structure of: { permissionName: { restrictionType: [restrictionTargets] } }.
protected Map<String,Map<String,Set<String>>>	getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Maps each UserPermissionRef from the RestrictedRole with the corresponding restriction.
protected UserRoleAncestryHydrationService	getRoleAncestryHydrationService()
protected Map<String,Collection<UserRole>>	getRoleWithAncestorsByRoleId(@NonNull Set<String> roleIds) Gets roles along with their ancestry roles mapped by given role id.
protected AuthorizationServerService<AuthorizationServer>	getServerService()
PrivilegeSummary	getUserPrivilegeSummary(@NonNull User user, @NonNull String serverId) Gets a PrivilegeSummary of user's consolidated authorities, restrictions, and restricted authorities.
protected UserRoleService<UserRole>	getUserRoleService()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DefaultPrivilegeService

public DefaultPrivilegeService(UserRoleService<UserRole> userRoleService,
                               UserRoleAncestryHydrationService roleAncestryHydrationService,
                               AuthorizationServerService<AuthorizationServer> serverService)

Method Detail

getUserPrivilegeSummary

public PrivilegeSummary getUserPrivilegeSummary(@NonNull
                                                @NonNull User user,
                                                @NonNull
                                                @NonNull String serverId)

Description copied from interface: PrivilegeService

Gets a PrivilegeSummary of user's consolidated authorities, restrictions, and restricted authorities.

Specified by:

getUserPrivilegeSummary in interface PrivilegeService

Parameters:

user - User to get the PrivilegeSummary for

serverId - id of the AuthorizationServer

Returns:

a PrivilegeSummary of user's authorities, restrictions, and restricted authorities

See Also:

PrivilegeSummary

getHydratedPrivileges

protected DefaultPrivilegeService.PrivilegeHydrationResult getHydratedPrivileges(@NonNull
                                                                                 @NonNull User user,
                                                                                 @NonNull
                                                                                 @NonNull String serverId)

getAllAuthorities

protected Set<String> getAllAuthorities(@NonNull
                                        @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)

Gets all the authorities from the flat permissions, permissions from restricted roles, and permissions from restricted permissions.

The expanded CRUD_* permissions from ALL_* permissions are also added into the authorities (on top of the ALL_* permissions).

Parameters:

privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get all the authorities from

Returns:

a set of all authorities, restricted or not

getPermissionsFromRestrictedPrivileges

protected Set<UserPermissionRef> getPermissionsFromRestrictedPrivileges(@NonNull
                                                                        @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)

Gets all the permissions from restricted roles and their ancestors, and restricted permissions.

Parameters:

privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get all the permissions from restricted privileges

Returns:

a set of all permissions from the restricted privileges

getRestrictionTypeAndTargetsByPermissionName

protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionName(@NonNull
                                                                                           @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)

Gets a consolidated map of restricted permissions with the combination of flat permissions and restrictions, restricted roles, and restricted permissions from a User. This also includes the flat permissions from AuthorizationServer.getDefaultUserPermissions() and those inherited from AuthorizationServer.getDefaultUserRoles() and their ancestors. Flat permissions and restrictions are converted into a map of equivalent restricted permissions. Similarly, restricted roles are also converted into equivalent restricted permissions.

For example, if an entity has READ_PRODUCT as flat permission (that came either from its direct flat permissions or from a flat role) with a flat vendor restriction on vendorA, it is then converted into a restricted permission as such: {READ_PRODUCT: {VENDOR: [vendorA]}}.

Likewise, if an entity has a role that has READ_PRODUCT permission assigned, and has the role added as restricted role on vendorA, it is then converted into a restricted permission as well: {READ_PRODUCT: {VENDOR: [vendorA]}}.

Parameters:

privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to consolidate the permissions, restrictions, restricted roles, and restricted permissions for a user

Returns:

a consolidated map of restricted permissions from flat permissions, restrictions, restricted roles, and restricted permissions from a User, along with flat permissions from the AuthorizationServer

getRestrictionTypeAndTargetsByPermissionName

protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionName(@NonNull
                                                                                           @NonNull Set<UserPermissionRef> flatPermissions,
                                                                                           @NonNull
                                                                                           @NonNull Set<Restriction> restrictions)

Maps each UserPermissionRef with all of Restriction. Doing this to convert flat permissions and restrictions into the map structure of restricted permissions, which helps the restricted authorities consolidation.

However, when there's no flat permissions, the restrictions are not added.

Note: The expanded CRUD_* permissions from ALL_* permissions are also added into the map (on top of the ALL_* permissions).

Parameters:

flatPermissions - Set of UserPermissionRef

restrictions - Set of Restriction

Returns:

a map of restricted permissions converted from restrictions and flat permissions

getRoleWithAncestorsByRoleId

protected Map<String,Collection<UserRole>> getRoleWithAncestorsByRoleId(@NonNull
                                                                        @NonNull Set<String> roleIds)

Gets roles along with their ancestry roles mapped by given role id.

Parameters:

roleIds - role ids to get the roles and ancestry roles for

Returns:

a collection containing the given roles along with their ancestors mapped by given role id

getAllFlatPermissions

protected Set<UserPermissionRef> getAllFlatPermissions(@NonNull
                                                       @NonNull User user,
                                                       @NonNull
                                                       @NonNull AuthorizationServer server,
                                                       @NonNull
                                                       @NonNull Collection<UserRole> userAndServerRolesWithAncestors)

Gets a set of all flat permissions from User.getPermissions(), AuthorizationServer.getDefaultUserPermissions(), and permissions from the given roles.

Parameters:

user - User to get the permissions for

server - AuthorizationServer to get the permissions for

userAndServerRolesWithAncestors - Collection of roles to get all the permissions from. This is typically a collection of user's and server's roles along with their ancestors to prevent the need of querying all ancestry roles every time

Returns:

a set containing the flat permissions from the given user, server, and roles

getAllFlatPermissions

protected Set<UserPermissionRef> getAllFlatPermissions(@NonNull
                                                       @NonNull Collection<UserRole> roles)

Gets a set of all UserRole.getPermissions() from the given roles

Parameters:

roles - Collection of roles to get all the permissions from

Returns:

a set containing the flat permissions from the given roles

getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles

protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles(@NonNull
                                                                                                             @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)

Maps each UserPermissionRef from the RestrictedRole with the corresponding restriction. Doing this to convert permissions assigned to the restricted role and restricted role restrictions into the map structure of restricted permissions, which helps the comparisons of restrictiveness.

The expanded CRUD_* permissions from ALL_* permissions are also added into the map with the same restrictions (on top of the ALL_* permissions).

Parameters:

privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get restricted roles from

Returns:

a map converted from the given set of restricted roles

getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissions

protected Map<String,Map<String,Set<String>>> getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissions(@NonNull
                                                                                                                   @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)

Converts the Set of RestrictedPermission to a Map with the structure of: { permissionName: { restrictionType: [restrictionTargets] } }.

The expanded CRUD_* permissions from ALL_* permissions are also added into the map with the same restrictions (on top of the ALL_* permissions).

Parameters:

privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get restricted permissions from

Returns:

Converted Map

getMergedRestrictionTypeAndTargetsByPermissionName

protected Map<String,Map<String,Set<String>>> getMergedRestrictionTypeAndTargetsByPermissionName(@NonNull
                                                                                                 @NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName1,
                                                                                                 @NonNull
                                                                                                 @NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName2)

Gets a Map that is a combination of the two given restrictionTypeAndTargetsByPermissionName maps.

Parameters:

restrictionTypeAndTargetsByPermissionName1 - first Map to combine with

restrictionTypeAndTargetsByPermissionName2 - second Map to combine with

Returns:

a map that is a combination of the two given maps

getMergedRestrictionTargetsByRestrictionType

protected Map<String,Set<String>> getMergedRestrictionTargetsByRestrictionType(@NonNull
                                                                               @NonNull Map<String,Set<String>> restrictionTargetsByRestrictionType1,
                                                                               @NonNull
                                                                               @NonNull Map<String,Set<String>> restrictionTargetsByRestrictionType2)

Gets a Map that is a combination of the two given restrictions maps.

Parameters:

restrictionTargetsByRestrictionType1 - first Map to combine with

restrictionTargetsByRestrictionType2 - second Map to combine with

Returns:

a map that is a combination of the two given maps

getRestrictionTargetsByRestrictionType

public Map<String,Set<String>> getRestrictionTargetsByRestrictionType(@NonNull
                                                                      @NonNull Set<Restriction> restrictions)

Description copied from interface: PrivilegeService

Converts the Set of Restriction to a Map with the structure of: {restrictionType: [restrictionTargets]}.

Specified by:

getRestrictionTargetsByRestrictionType in interface PrivilegeService

Parameters:

restrictions - Set of Restriction

Returns:

a map with restriction type as key and restriction targets as value converted from the given set of restrictions

addRestrictionByExpandedPermissionNames

protected void addRestrictionByExpandedPermissionNames(@NonNull
                                                       @NonNull Map<String,Map<String,Set<String>>> restrictionTypeAndTargetsByPermissionName,
                                                       @NonNull
                                                       @NonNull Restriction restriction,
                                                       @NonNull
                                                       @NonNull String permissionName)

Add both ALL_* permissions and expanded CRUD_* permissions with the given restriction to the map.

Parameters:

restrictionTypeAndTargetsByPermissionName - the restrictionTypeAndTargetsByPermissionName map to add the permission names with restriction to

restriction - restriction to be added with the given permission name

permissionName - permission name to add along with the given restriction

getUserRoleService

protected UserRoleService<UserRole> getUserRoleService()

getRoleAncestryHydrationService

protected UserRoleAncestryHydrationService getRoleAncestryHydrationService()

getServerService

protected AuthorizationServerService<AuthorizationServer> getServerService()