Class DefaultPrivilegeService
- All Implemented Interfaces:
PrivilegeService
-
Nested Class Summary
Modifier and TypeClassDescriptionstatic class
An intermediary data structure used internally byPrivilegeService
to hold all the restrictions, flat permissions, restricted roles, and restricted permissions of auser entity
and permissions from aserver entity
to prevent querying the data multiple times. -
Field Summary
-
Constructor Summary
ConstructorDescriptionDefaultPrivilegeService
(UserRoleService<UserRole> userRoleService, UserRoleAncestryHydrationService roleAncestryHydrationService, AuthorizationServerService<AuthorizationServer> serverService) Deprecated, for removal: This API element is subject to removal in a future version.Since 1.8.0.DefaultPrivilegeService
(UserRoleService<UserRole> userRoleService, UserRoleAncestryHydrationService roleAncestryHydrationService, AuthorizationServerService<AuthorizationServer> serverService, AccountAncestorService accountAncestorService, TokenProperties tokenProperties) -
Method Summary
Modifier and TypeMethodDescriptionprotected void
addRestrictionByExpandedPermissionNames
(@NonNull Map<String, Map<String, Set<String>>> restrictionTypeAndTargetsByPermissionName, @NonNull Restriction restriction, @NonNull String permissionName) Add both ALL_* permissions and expanded CRUD_* permissions with the given restriction to the map.protected void
addRestrictionToMap
(@NonNull Map<String, Set<String>> map, @NonNull Restriction restriction) AddRestriction
targets to the given Map by restriction type.protected AccountAncestorService
protected Collection<String>
getAccountRoles
(User user) Get aUser's
account roles for the active account.getAccountWithAncestors
(User user) Get a list of Account ids for the active account id and any parent accounts.getAllAuthorities
(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets all the authorities from the flat permissions, permissions from restricted roles, and permissions from restricted permissions.protected Set<UserPermissionRef>
getAllFlatPermissions
(@NonNull User user, @NonNull AuthorizationServer server, @NonNull Collection<UserRole> userAndServerRolesWithAncestors) Gets a set of all flat permissions fromUser.getPermissions()
,AuthorizationServer.getDefaultUserPermissions()
, and permissions from the given roles.protected Set<UserPermissionRef>
getAllFlatPermissions
(@NonNull Collection<UserRole> roles) Gets a set of allUserRole.getPermissions()
from the given rolesgetHydratedPrivileges
(@NonNull User user, @NonNull String serverId) Determine restrictions, flat permissions, restricted roles, and restricted permissions for aUser
and on anAuthorizationServer
.getMergedRestrictionTargetsByRestrictionType
(@NonNull Map<String, Set<String>> restrictionTargetsByRestrictionType1, @NonNull Map<String, Set<String>> restrictionTargetsByRestrictionType2) Gets a Map that is a combination of the two given restrictions maps.getMergedRestrictionTypeAndTargetsByPermissionName
(@NonNull Map<String, Map<String, Set<String>>> restrictionTypeAndTargetsByPermissionName1, @NonNull Map<String, Map<String, Set<String>>> restrictionTypeAndTargetsByPermissionName2) Gets a Map that is a combination of the two given restrictionTypeAndTargetsByPermissionName maps.protected Set<UserPermissionRef>
getPermissionsFromRestrictedPrivileges
(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets all the permissions from restricted roles and their ancestors, and restricted permissions.getRestrictionTargetsByRestrictionType
(@NonNull Set<Restriction> restrictions) Converts the Set ofRestriction
to a Map with the structure of: {restrictionType: [restrictionTargets]}.getRestrictionTypeAndTargetsByPermissionName
(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets a consolidated map of restricted permissions with the combination of flat permissions and restrictions, restricted roles, and restricted permissions from aUser
.getRestrictionTypeAndTargetsByPermissionName
(@NonNull Set<UserPermissionRef> flatPermissions, @NonNull Set<Restriction> restrictions) Maps eachUserPermissionRef
with all ofRestriction
.getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissions
(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Converts the Set ofRestrictedPermission
to a Map with the structure of: { permissionName: { restrictionType: [restrictionTargets] } }.getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles
(@NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) protected UserRoleAncestryHydrationService
getRoleIds
(@NonNull User user) Get the set of all of a user's roles, including account roles for the active account.getRoleIds
(@NonNull AuthorizationServer server) Get the ids of the defaultUserRoles
for the givenAuthorizationServer
.getRoleIds
(@NonNull Set<RestrictedRole> restrictedRoles) Transform a set ofRestrictedRole
into a set of role ids.protected Map<String,
Collection<UserRole>> getRoleWithAncestorsByRoleId
(@NonNull Set<String> roleIds) Gets roles along with their ancestry roles mapped by given role id.protected AuthorizationServerService<AuthorizationServer>
protected TokenProperties
getUserPrivilegeSummary
(@NonNull User user, @NonNull String serverId) Gets aPrivilegeSummary
of user's consolidated authorities, restrictions, and restricted authorities.protected UserRoleService<UserRole>
protected boolean
isAllPermission
(String permissionName) Determine if the given permission is an "ALL_" permission.boolean
-
Field Details
-
ACCOUNT_ID_PARAM
- See Also:
-
-
Constructor Details
-
DefaultPrivilegeService
@Deprecated(forRemoval=true) public DefaultPrivilegeService(UserRoleService<UserRole> userRoleService, UserRoleAncestryHydrationService roleAncestryHydrationService, AuthorizationServerService<AuthorizationServer> serverService) Deprecated, for removal: This API element is subject to removal in a future version. -
DefaultPrivilegeService
public DefaultPrivilegeService(UserRoleService<UserRole> userRoleService, UserRoleAncestryHydrationService roleAncestryHydrationService, AuthorizationServerService<AuthorizationServer> serverService, AccountAncestorService accountAncestorService, TokenProperties tokenProperties)
-
-
Method Details
-
getUserPrivilegeSummary
public PrivilegeSummary getUserPrivilegeSummary(@NonNull @NonNull User user, @NonNull @NonNull String serverId) Description copied from interface:PrivilegeService
Gets aPrivilegeSummary
of user's consolidated authorities, restrictions, and restricted authorities.- Specified by:
getUserPrivilegeSummary
in interfacePrivilegeService
- Parameters:
user
-User
to get thePrivilegeSummary
forserverId
- id of theAuthorizationServer
- Returns:
- a
PrivilegeSummary
of user's authorities, restrictions, and restricted authorities - See Also:
-
getHydratedPrivileges
protected DefaultPrivilegeService.PrivilegeHydrationResult getHydratedPrivileges(@NonNull @NonNull User user, @NonNull @NonNull String serverId) Determine restrictions, flat permissions, restricted roles, and restricted permissions for aUser
and on anAuthorizationServer
.- Parameters:
user
- TheUser
to get the permissions for.serverId
- The ID of theAuthorizationServer
that is being authenticated against.- Returns:
- A
DefaultPrivilegeService.PrivilegeHydrationResult
with the permissions, roles, and restrictions of the given User on the indicated server.
-
getRoleIds
Get the set of all of a user's roles, including account roles for the active account.- Parameters:
user
- TheUser
to get the roles for- Returns:
- The set of role ids for the given User.
-
getAccountRoles
Get aUser's
account roles for the active account. -
getRoleIds
Get the ids of the defaultUserRoles
for the givenAuthorizationServer
.- Parameters:
server
- TheAuthorizationServer
to get defaultUserRoles
from.- Returns:
- The set of role ids for the default
UserRoles
of the givenAuthorizationServer
.
-
getRoleIds
Transform a set ofRestrictedRole
into a set of role ids.- Parameters:
restrictedRoles
- The set ofRestrictedRole
from which to get role ids.- Returns:
- The set of
UserRole
ids from the givenRestrictedRoles
.
-
getAccountWithAncestors
Get a list of Account ids for the active account id and any parent accounts. The active account id is specified by a request parameter and set as a request attribute by theClientIdFilter
. The list will be ordered from top parent to the active account.- Returns:
- List of account ids of the active account and all ancestor accounts.
- See Also:
-
getAllAuthorities
protected Set<String> getAllAuthorities(@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets all the authorities from the flat permissions, permissions from restricted roles, and permissions from restricted permissions.The expanded CRUD_* permissions from ALL_* permissions are also added into the authorities (on top of the ALL_* permissions).
- Parameters:
privilegeHydrationResult
-DefaultPrivilegeService.PrivilegeHydrationResult
to get all the authorities from- Returns:
- a set of all authorities, restricted or not
-
isAllPermission
Determine if the given permission is an "ALL_" permission.- Parameters:
permissionName
- The permission to check.- Returns:
- True if the given permission starts with "ALL_".
- See Also:
-
getPermissionsFromRestrictedPrivileges
protected Set<UserPermissionRef> getPermissionsFromRestrictedPrivileges(@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets all the permissions from restricted roles and their ancestors, and restricted permissions.- Parameters:
privilegeHydrationResult
-DefaultPrivilegeService.PrivilegeHydrationResult
to get all the permissions from restricted privileges- Returns:
- a set of all permissions from the restricted privileges
-
getRestrictionTypeAndTargetsByPermissionName
protected Map<String,Map<String, getRestrictionTypeAndTargetsByPermissionNameSet<String>>> (@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Gets a consolidated map of restricted permissions with the combination of flat permissions and restrictions, restricted roles, and restricted permissions from aUser
. This also includes the flat permissions fromAuthorizationServer.getDefaultUserPermissions()
and those inherited fromAuthorizationServer.getDefaultUserRoles()
and their ancestors. Flat permissions and restrictions are converted into a map of equivalent restricted permissions. Similarly, restricted roles are also converted into equivalent restricted permissions.For example, if an entity has READ_PRODUCT as flat permission (that came either from its direct flat permissions or from a flat role) with a flat vendor restriction on vendorA, it is then converted into a restricted permission as such: {READ_PRODUCT: {VENDOR: [vendorA]}}.
Likewise, if an entity has a role that has READ_PRODUCT permission assigned, and has the role added as restricted role on vendorA, it is then converted into a restricted permission as well: {READ_PRODUCT: {VENDOR: [vendorA]}}.
- Parameters:
privilegeHydrationResult
-DefaultPrivilegeService.PrivilegeHydrationResult
to consolidate the permissions, restrictions, restricted roles, and restricted permissions for a user- Returns:
- a consolidated map of restricted permissions from flat permissions, restrictions,
restricted roles, and restricted permissions from a
User
, along with flat permissions from theAuthorizationServer
-
getRestrictionTypeAndTargetsByPermissionName
protected Map<String,Map<String, getRestrictionTypeAndTargetsByPermissionNameSet<String>>> (@NonNull @NonNull Set<UserPermissionRef> flatPermissions, @NonNull @NonNull Set<Restriction> restrictions) Maps eachUserPermissionRef
with all ofRestriction
. Doing this to convert flat permissions and restrictions into the map structure of restricted permissions, which helps the restricted authorities consolidation.However, when there's no flat permissions, the restrictions are not added.
Note: The expanded CRUD_* permissions from ALL_* permissions are also added into the map (on top of the ALL_* permissions).
- Parameters:
flatPermissions
-Set
ofUserPermissionRef
restrictions
-Set
ofRestriction
- Returns:
- a map of restricted permissions converted from restrictions and flat permissions
-
getRoleWithAncestorsByRoleId
protected Map<String,Collection<UserRole>> getRoleWithAncestorsByRoleId(@NonNull @NonNull Set<String> roleIds) Gets roles along with their ancestry roles mapped by given role id.- Parameters:
roleIds
- role ids to get the roles and ancestry roles for- Returns:
- a collection containing the given roles along with their ancestors mapped by given role id
-
getAllFlatPermissions
protected Set<UserPermissionRef> getAllFlatPermissions(@NonNull @NonNull User user, @NonNull @NonNull AuthorizationServer server, @NonNull @NonNull Collection<UserRole> userAndServerRolesWithAncestors) Gets a set of all flat permissions fromUser.getPermissions()
,AuthorizationServer.getDefaultUserPermissions()
, and permissions from the given roles.- Parameters:
user
-User
to get the permissions forserver
-AuthorizationServer
to get the permissions foruserAndServerRolesWithAncestors
-Collection
of roles to get all the permissions from. This is typically a collection of user's and server's roles along with their ancestors to prevent the need of querying all ancestry roles every time- Returns:
- a set containing the flat permissions from the given user, server, and roles
-
getAllFlatPermissions
protected Set<UserPermissionRef> getAllFlatPermissions(@NonNull @NonNull Collection<UserRole> roles) Gets a set of allUserRole.getPermissions()
from the given roles- Parameters:
roles
-Collection
of roles to get all the permissions from- Returns:
- a set containing the flat permissions from the given roles
-
getRestrictionTypeAndTargetsByPermissionNameForRestrictedRoles
protected Map<String,Map<String, getRestrictionTypeAndTargetsByPermissionNameForRestrictedRolesSet<String>>> (@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Maps eachUserPermissionRef
from theRestrictedRole
with the correspondingrestriction
. Doing this to convert permissions assigned to the restricted role and restricted role restrictions into the map structure of restricted permissions, which helps the comparisons of restrictiveness.The expanded CRUD_* permissions from ALL_* permissions are also added into the map with the same restrictions (on top of the ALL_* permissions).
- Parameters:
privilegeHydrationResult
-DefaultPrivilegeService.PrivilegeHydrationResult
to get restricted roles from- Returns:
- a map converted from the given set of restricted roles
-
getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissions
protected Map<String,Map<String, getRestrictionTypeAndTargetsByPermissionNameForRestrictedPermissionsSet<String>>> (@NonNull @NonNull DefaultPrivilegeService.PrivilegeHydrationResult privilegeHydrationResult) Converts the Set ofRestrictedPermission
to a Map with the structure of: { permissionName: { restrictionType: [restrictionTargets] } }.The expanded CRUD_* permissions from ALL_* permissions are also added into the map with the same restrictions (on top of the ALL_* permissions).
- Parameters:
privilegeHydrationResult
-DefaultPrivilegeService.PrivilegeHydrationResult
to get restricted permissions from- Returns:
- Converted
Map
-
getMergedRestrictionTypeAndTargetsByPermissionName
protected Map<String,Map<String, getMergedRestrictionTypeAndTargetsByPermissionNameSet<String>>> (@NonNull @NonNull Map<String, Map<String, Set<String>>> restrictionTypeAndTargetsByPermissionName1, @NonNull @NonNull Map<String, Map<String, Set<String>>> restrictionTypeAndTargetsByPermissionName2) Gets a Map that is a combination of the two given restrictionTypeAndTargetsByPermissionName maps. -
getMergedRestrictionTargetsByRestrictionType
protected Map<String,Set<String>> getMergedRestrictionTargetsByRestrictionType(@NonNull @NonNull Map<String, Set<String>> restrictionTargetsByRestrictionType1, @NonNull @NonNull Map<String, Set<String>> restrictionTargetsByRestrictionType2) Gets a Map that is a combination of the two given restrictions maps. -
getRestrictionTargetsByRestrictionType
public Map<String,Set<String>> getRestrictionTargetsByRestrictionType(@NonNull @NonNull Set<Restriction> restrictions) Description copied from interface:PrivilegeService
Converts the Set ofRestriction
to a Map with the structure of: {restrictionType: [restrictionTargets]}.- Specified by:
getRestrictionTargetsByRestrictionType
in interfacePrivilegeService
- Parameters:
restrictions
-Set
ofRestriction
- Returns:
- a map with restriction type as key and restriction targets as value converted from the given set of restrictions
-
addRestrictionToMap
protected void addRestrictionToMap(@NonNull @NonNull Map<String, Set<String>> map, @NonNull @NonNull Restriction restriction) AddRestriction
targets to the given Map by restriction type.- Parameters:
map
- The map to addRestriction
targets.restriction
- ARestriction
on the data in which a user has access.
-
addRestrictionByExpandedPermissionNames
protected void addRestrictionByExpandedPermissionNames(@NonNull @NonNull Map<String, Map<String, Set<String>>> restrictionTypeAndTargetsByPermissionName, @NonNull @NonNull Restriction restriction, @NonNull @NonNull String permissionName) Add both ALL_* permissions and expanded CRUD_* permissions with the given restriction to the map.- Parameters:
restrictionTypeAndTargetsByPermissionName
- the restrictionTypeAndTargetsByPermissionName map to add the permission names with restriction torestriction
- restriction to be added with the given permission namepermissionName
- permission name to add along with the given restriction
-
isExplodePermissions
public boolean isExplodePermissions() -
getUserRoleService
-
getRoleAncestryHydrationService
-
getServerService
-
getAccountAncestorService
-
getTokenProperties
-