Package com.broadleafcommerce.auth.security.service

Class DefaultPrivilegeService

    • Method Detail

      • getAllAuthorities

        protected Set<String> getAllAuthorities​(@NonNull
                                        @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
        Gets all the authorities from the flat permissions, permissions from restricted roles, and permissions from restricted permissions.

        The expanded CRUD_* permissions from ALL_* permissions are also added into the authorities (on top of the ALL_* permissions).

        Parameters:
        privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get all the authorities from
        Returns:
        a set of all authorities, restricted or not

      • getRestrictionTypeAndTargetsByPermissionName

        protected Map<String,​Map<String,​Set<String>>> getRestrictionTypeAndTargetsByPermissionName​(@NonNull
                                                                                                       @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
        Gets a consolidated map of restricted permissions with the combination of flat permissions and restrictions, restricted roles, and restricted permissions from a User. This also includes the flat permissions from AuthorizationServer.getDefaultUserPermissions() and those inherited from AuthorizationServer.getDefaultUserRoles() and their ancestors. Flat permissions and restrictions are converted into a map of equivalent restricted permissions. Similarly, restricted roles are also converted into equivalent restricted permissions.

        For example, if an entity has READ_PRODUCT as flat permission (that came either from its direct flat permissions or from a flat role) with a flat vendor restriction on vendorA, it is then converted into a restricted permission as such: {READ_PRODUCT: {VENDOR: [vendorA]}}.

        Likewise, if an entity has a role that has READ_PRODUCT permission assigned, and has the role added as restricted role on vendorA, it is then converted into a restricted permission as well: {READ_PRODUCT: {VENDOR: [vendorA]}}.

        Parameters:
        privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to consolidate the permissions, restrictions, restricted roles, and restricted permissions for a user
        Returns:
        a consolidated map of restricted permissions from flat permissions, restrictions, restricted roles, and restricted permissions from a User, along with flat permissions from the AuthorizationServer

      • getRestrictionTypeAndTargetsByPermissionName

        protected Map<String,​Map<String,​Set<String>>> getRestrictionTypeAndTargetsByPermissionName​(@NonNull
                                                                                                       @NonNull Set<UserPermissionRef> flatPermissions,
                                                                                                       @NonNull
                                                                                                       @NonNull Set<Restriction> restrictions)
        Maps each UserPermissionRef with all of Restriction. Doing this to convert flat permissions and restrictions into the map structure of restricted permissions, which helps the restricted authorities consolidation.

        However, when there's no flat permissions, the restrictions are not added.

        Note: The expanded CRUD_* permissions from ALL_* permissions are also added into the map (on top of the ALL_* permissions).

        Parameters:
        flatPermissions - Set of UserPermissionRef
        restrictions - Set of Restriction
        Returns:
        a map of restricted permissions converted from restrictions and flat permissions

      • getRoleWithAncestorsByRoleId

        protected Map<String,​Collection<UserRole>> getRoleWithAncestorsByRoleId​(@NonNull
                                                                              @NonNull Set<String> roleIds)
        Gets roles along with their ancestry roles mapped by given role id.
        Parameters:
        roleIds - role ids to get the roles and ancestry roles for
        Returns:
        a collection containing the given roles along with their ancestors mapped by given role id

      • getAllFlatPermissions

        protected Set<UserPermissionRef> getAllFlatPermissions​(@NonNull
                                                       @NonNull User user,
                                                       @NonNull
                                                       @NonNull AuthorizationServer server,
                                                       @NonNull
                                                       @NonNull Collection<UserRole> userAndServerRolesWithAncestors)
        Gets a set of all flat permissions from User.getPermissions(), AuthorizationServer.getDefaultUserPermissions(), and permissions from the given roles.
        Parameters:
        user - User to get the permissions for
        server - AuthorizationServer to get the permissions for
        userAndServerRolesWithAncestors - Collection of roles to get all the permissions from. This is typically a collection of user's and server's roles along with their ancestors to prevent the need of querying all ancestry roles every time
        Returns:
        a set containing the flat permissions from the given user, server, and roles

      • getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles

        protected Map<String,​Map<String,​Set<String>>> getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles​(@NonNull
                                                                                                                         @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult)
        Maps each UserPermissionRef from the RestrictedRole with the corresponding restriction. Doing this to convert permissions assigned to the restricted role and restricted role restrictions into the map structure of restricted permissions, which helps the comparisons of restrictiveness.

        The expanded CRUD_* permissions from ALL_* permissions are also added into the map with the same restrictions (on top of the ALL_* permissions).

        Parameters:
        privilegeHydrationResult - DefaultPrivilegeService.PrivilegeHydrationResult to get restricted roles from
        Returns:
        a map converted from the given set of restricted roles

      • getMergedRestrictionTypeAndTargetsByPermissionName

        protected Map<String,​Map<String,​Set<String>>> getMergedRestrictionTypeAndTargetsByPermissionName​(@NonNull
                                                                                                             @NonNull Map<String,​Map<String,​Set<String>>> restrictionTypeAndTargetsByPermissionName1,
                                                                                                             @NonNull
                                                                                                             @NonNull Map<String,​Map<String,​Set<String>>> restrictionTypeAndTargetsByPermissionName2)
        Gets a Map that is a combination of the two given restrictionTypeAndTargetsByPermissionName maps.
        Parameters:
        restrictionTypeAndTargetsByPermissionName1 - first Map to combine with
        restrictionTypeAndTargetsByPermissionName2 - second Map to combine with
        Returns:
        a map that is a combination of the two given maps

      • getMergedRestrictionTargetsByRestrictionType

        protected Map<String,​Set<String>> getMergedRestrictionTargetsByRestrictionType​(@NonNull
                                                                                     @NonNull Map<String,​Set<String>> restrictionTargetsByRestrictionType1,
                                                                                     @NonNull
                                                                                     @NonNull Map<String,​Set<String>> restrictionTargetsByRestrictionType2)
        Gets a Map that is a combination of the two given restrictions maps.
        Parameters:
        restrictionTargetsByRestrictionType1 - first Map to combine with
        restrictionTargetsByRestrictionType2 - second Map to combine with
        Returns:
        a map that is a combination of the two given maps

      • addRestrictionByExpandedPermissionNames

        protected void addRestrictionByExpandedPermissionNames​(@NonNull
                                                       @NonNull Map<String,​Map<String,​Set<String>>> restrictionTypeAndTargetsByPermissionName,
                                                       @NonNull
                                                       @NonNull Restriction restriction,
                                                       @NonNull
                                                       @NonNull String permissionName)
        Add both ALL_* permissions and expanded CRUD_* permissions with the given restriction to the map.
        Parameters:
        restrictionTypeAndTargetsByPermissionName - the restrictionTypeAndTargetsByPermissionName map to add the permission names with restriction to
        restriction - restriction to be added with the given permission name
        permissionName - permission name to add along with the given restriction