com.broadleafcommerce.data.tracking.core.policy.trackable

Class DefaultTrackablePolicyUtils

java.lang.Object

com.broadleafcommerce.data.tracking.core.policy.trackable.DefaultTrackablePolicyUtils

All Implemented Interfaces:

PolicyUtils, TrackablePolicyUtils

Direct Known Subclasses:

VendorAwareTrackablePolicyUtils

public class DefaultTrackablePolicyUtils
extends Object
implements TrackablePolicyUtils

Field Summary

Fields inherited from interface com.broadleafcommerce.data.tracking.core.policy.trackable.TrackablePolicyUtils

AUTH_DETAILS_ADMIN_USER_ID_KEY, AUTH_DETAILS_APPLICATION_ACCESS_KEY, AUTH_DETAILS_APPLICATIONS_KEY, AUTH_DETAILS_CUSTOMER_CONTEXT_IDS, AUTH_DETAILS_GLOBAL_KEY, AUTH_DETAILS_TENANT_ACCESS_KEY, AUTH_DETAILS_TENANT_KEY

Fields inherited from interface com.broadleafcommerce.data.tracking.core.policy.PolicyUtils

DEFAULT_AUTH_DETAILS_OWNER_ID, ROLE_ANONYMOUS

Constructor Summary

Constructors

Constructor and Description
DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil trackableBehaviorUtil)
DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil behaviorUtil, String ownerIdentifier)

Method Summary

Modifier and Type	Method and Description
protected Map<String,List<String>>	expandPermissionRootsToPermissions(@NonNull String[] permissionRoots, OperationType operationType)
org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>>	getAttributesConverter()
String	getAuthDetailsOwnerIdentifier() Returns the owner identifier when evaluating owned entities.
Map<String,Object>	getAuthenticationAttributes() Retrieves the attributes on the current Authentication that are useful in making policy determinations.
protected Collection<String>	getCustomerContextIdsForUser()
protected Optional<String>	getImplicitApplicationCatalog(Application application, Catalog catalog)
protected PolicyResponse	invalidPolicyResponse(PolicyResponse response, String reason, ContextInfo contextInfo)
protected PolicyResponse	invalidPolicyResponse(PolicyResponse response, String reason, org.apache.commons.lang3.tuple.Pair<String,String>... details)
protected boolean	isAdminUser(Map<String,Object> details)
boolean	isAnonymous() Determine whether or not a user is an anonymous user.
protected boolean	isApplicationCatalogAddAllowed(Application application, Catalog catalog)
protected boolean	isApplicationVisible(Application application)
boolean	isCatalogMutable(@NonNull Application application, @NonNull Catalog catalog) Check if a catalog is mutable, given an application.
boolean	isCatalogVisible(@NonNull Application application, Catalog catalog) Check if a catalog is visible, given an application.
protected boolean	isCatalogVisible(Catalog catalog, Application application)
protected boolean	isContextVisible(ContextInfo contextInfo)
protected boolean	isGlobalApplication(String applicationId)
protected boolean	isGlobalChangeInHiddenCatalog(Application application, Catalog catalog)
protected boolean	isGlobalTenant(String tenantId)
boolean	isGlobalTenantUser() Whether or not the current user is a global user.
protected boolean	isGlobalTenantUser(Map<String,Object> details)
boolean	isMutationPossibleForContext(ContextInfo contextInfo) Return whether or not the currently identified user has the necessary assigned tenant relationships to make a mutating operation possible given the requested application, and/or catalog, and/or lack thereof.
protected boolean	isNotUser(Map<String,Object> details)
boolean	isOwnerUser(String ownerIdentifier) Detect whether or not the currently logged in user (if applicable) is a user capable of operating as a IdentityType.OWNER.
protected boolean	isSandboxVisible(ContextInfo contextInfo)
protected boolean	isTenantVisible(String tenantId, String applicationId)
boolean	isUserApplicationLevelAccess() Whether or not the current user has access to the application level context.
protected boolean	isUserApplicationLevelAccess(Map<String,Object> authDetails)
boolean	isUserApplicationRestricted() Whether or not the current user has any application restrictions.
protected boolean	isUserApplicationRestricted(Map<String,Object> details)
boolean	isUserTenantLevelAccess() Whether or not the current user has access to the tenant level context.
protected boolean	isUserTenantLevelAccess(Map<String,Object> authDetails)
boolean	isValidApplicationUser(Application application) Check if the user described by the current Authentication is a member of the application instance provided.
boolean	isValidApplicationUser(Application application, boolean isGlobalChange) Check if the user described by the current Authentication is a member of the application instance provided.
boolean	isValidApplicationUser(String applicationId) Version of TrackablePolicyUtils.isValidApplicationUser(Application) that takes just he application's ID.
boolean	isValidApplicationUser(String applicationId, boolean isTenantChange) Version of TrackablePolicyUtils.isValidApplicationUser(Application, boolean) that takes just he application's ID.
protected boolean	isValidCustomerContext(String customerContextId)
boolean	isValidSandboxUser() Return whether or not the currently identified user is capable of viewing a sandbox context.
boolean	isValidTenantUser(String tenantId, boolean isTenantLevelContext, boolean isGlobalChange) Check if the user described by the current Authentication is a member of the tenant instance provided.
void	setAttributesConverter(org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>> attributesConverter)
protected Stream<String>	streamApplications(Map<String,Object> details)
protected PolicyResponse	validateApplicationCatalogUpdate(@NonNull Trackable entity, @NonNull Application application) If a catalog discriminated entity, validate that the current user is capable of updating an entity via the catalogs visible to the current application.
protected PolicyResponse	validateApplicationUpdate(@NonNull Trackable entity, @NonNull Application application) If an application discriminated entity, validate that the current user is capable of updating an entity via the application requested in the context.
protected boolean	validateCatalogInsert(@NonNull ContextInfo contextInfo) If a catalog discriminated entity, validate that the current user is capable of inserting an entity via the application and catalog requested in the context.
PolicyResponse	validateContext(ContextInfo contextInfo) Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.
PolicyResponse	validateContext(ContextInfo contextInfo, String[] requiredPermissionRoots, PermissionMatchingStrategy permissionMatchingStrategy, OperationType operationType) Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.
PolicyResponse	validateDelete(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy) Validate that before deleting (if the catalog discrimination is in play) that the item's catalog is both visible to the current application, and mutable.
protected PolicyResponse	validateEntityOperation(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType)
protected PolicyResponse	validateEntityUpdate(Trackable entity, @NonNull ContextInfo contextInfo) Check update validity for a given entity instance
protected PolicyResponse	validateEntityUpdateForTenantFactors(Trackable entity, Application application, String tenantId, TrackableBehaviorPackage behavior)
protected PolicyResponse	validateGlobalMutateToInheritedCatalog(Trackable entity, ContextInfo contextInfo)
protected PolicyResponse	validateGlobalUpdateToHiddenCatalog(Trackable entity)
PolicyResponse	validateInsert(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy) Validate that before inserting (if catalog discrimination is in play and the current entity is catalog discriminatable) that the current catalog target for insertion is mutable.
protected PolicyResponse	validateOperation(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy)
protected PolicyResponse	validateOperation(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType)
PolicyResponse	validateOther(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy) Validate that before misc operation, the required permission is available
PolicyResponse	validateOwner(Object test, IdentityType[] identityTypes, String ownerIdentifier) Validate the object against the currently logged in user.
PolicyResponse	validatePermission(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy) Validate the permission against the granted authorities of the current Authentication.
PolicyResponse	validatePermission(String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType, ContextInfo contextInfo) Validate the permission against the granted authorities of the current Authentication.
PolicyResponse	validateRead(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy) Validate that before reading, the required permission is available.
protected boolean	validateTenantTrackableUpdate(Trackable entity, Application application, TrackableBehaviorPackage behavior)
protected PolicyResponse	validateTenantUpdate(@NonNull Trackable entity, String tenantId)
PolicyResponse	validateUpdate(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy) Validate that before updating (if the catalog discrimination is in play) that the item's catalog is both visible to the current application, and mutable.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.broadleafcommerce.data.tracking.core.policy.PolicyUtils

getAuthentication, validatePermissions

Constructor Detail

DefaultTrackablePolicyUtils

public DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder,
                                   TrackableBehaviorUtil trackableBehaviorUtil)

DefaultTrackablePolicyUtils

public DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder,
                                   TrackableBehaviorUtil behaviorUtil,
                                   String ownerIdentifier)

Method Detail

setAttributesConverter

@Autowired
 @Qualifier(value="authenticationAttributesConverter")
public void setAttributesConverter(@Nullable
                                                                                                     org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>> attributesConverter)

getAuthDetailsOwnerIdentifier

public String getAuthDetailsOwnerIdentifier()

Returns the owner identifier when evaluating owned entities. To modify this value on a global level, set the key broadleaf.common.policy.validation.ownerIdentifier

Specified by:

getAuthDetailsOwnerIdentifier in interface PolicyUtils

Returns:

The key of the owner identifier to retrieve from Auth details.

getAuthenticationAttributes

public Map<String,Object> getAuthenticationAttributes()

Description copied from interface: PolicyUtils

Retrieves the attributes on the current Authentication that are useful in making policy determinations. This method is expected to return the attributes in a map which is generally achieved by a registered Converter bean.

Specified by:

getAuthenticationAttributes in interface PolicyUtils

Returns:

the attributes, if any, on the current Authentication

validateContext

public PolicyResponse validateContext(@Nullable
                                      ContextInfo contextInfo)

Description copied from interface: TrackablePolicyUtils

Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.

Specified by:

validateContext in interface TrackablePolicyUtils

Parameters:

contextInfo - the context containing multitenant application, tenant and catalog information

Returns:

Whether or not the contextInfo contains valid tenant information

validateContext

public PolicyResponse validateContext(@Nullable
                                      ContextInfo contextInfo,
                                      @Nullable
                                      String[] requiredPermissionRoots,
                                      @Nullable
                                      PermissionMatchingStrategy permissionMatchingStrategy,
                                      @Nullable
                                      OperationType operationType)

Description copied from interface: TrackablePolicyUtils

Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.

Additionally allows supplying policy requirements to inform validation decisions.

Specified by:

validateContext in interface TrackablePolicyUtils

Parameters:

contextInfo - the context containing multitenant application, tenant and catalog information

requiredPermissionRoots - the permission roots required by the policy

permissionMatchingStrategy - how to validate multiple permissions

operationType - the operation type required by the policy

Returns:

Whether or not the contextInfo is valid with consideration to the current authentication and provided policy requirements

isValidSandboxUser

public boolean isValidSandboxUser()

Description copied from interface: TrackablePolicyUtils

Return whether or not the currently identified user is capable of viewing a sandbox context. This can be fulfilled with an empty authentication for the request (i.e. anonymous security), or with an admin user identification.

Specified by:

isValidSandboxUser in interface TrackablePolicyUtils

Returns:

Whether or not the user identified for the current request is permitted to resolve sandbox state.

isMutationPossibleForContext

public boolean isMutationPossibleForContext(@Nullable
                                            ContextInfo contextInfo)

Description copied from interface: TrackablePolicyUtils

Return whether or not the currently identified user has the necessary assigned tenant relationships to make a mutating operation possible given the requested application, and/or catalog, and/or lack thereof.

Specified by:

isMutationPossibleForContext in interface TrackablePolicyUtils

Parameters:

contextInfo - The requested context

Returns:

Whether or not the current user is permitted

isSandboxVisible

protected boolean isSandboxVisible(ContextInfo contextInfo)

isContextVisible

protected boolean isContextVisible(ContextInfo contextInfo)

isAdminUser

protected boolean isAdminUser(Map<String,Object> details)

isValidCustomerContext

protected boolean isValidCustomerContext(String customerContextId)

getCustomerContextIdsForUser

@NonNull
protected Collection<String> getCustomerContextIdsForUser()

isTenantVisible

protected boolean isTenantVisible(@Nullable
                                  String tenantId,
                                  @Nullable
                                  String applicationId)

isApplicationVisible

protected boolean isApplicationVisible(@Nullable
                                       Application application)

isCatalogVisible

protected boolean isCatalogVisible(@Nullable
                                   Catalog catalog,
                                   @Nullable
                                   Application application)

isValidTenantUser

public boolean isValidTenantUser(@Nullable
                                 String tenantId,
                                 boolean isTenantLevelContext,
                                 boolean isGlobalChange)

Description copied from interface: TrackablePolicyUtils

Check if the user described by the current Authentication is a member of the tenant instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().

Specified by:

isValidTenantUser in interface TrackablePolicyUtils

Parameters:

tenantId - The ID of the tenant instance with which to check user membership

isTenantLevelContext - Whether or not the current context is for the tenant level itself

isGlobalChange - Whether or not the current change is mutating a "global" resource, belonging to no particular tenant

Returns:

Whether or not the current user has access given the tenant and global change status

isGlobalTenant

protected boolean isGlobalTenant(@Nullable
                                 String tenantId)

isUserTenantLevelAccess

public boolean isUserTenantLevelAccess()

Description copied from interface: TrackablePolicyUtils

Whether or not the current user has access to the tenant level context. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().

Specified by:

isUserTenantLevelAccess in interface TrackablePolicyUtils

Returns:

Whether or not the current user has tenant level access

isUserTenantLevelAccess

protected boolean isUserTenantLevelAccess(Map<String,Object> authDetails)

isValidApplicationUser

public boolean isValidApplicationUser(@NonNull
                                      Application application)

Description copied from interface: TrackablePolicyUtils

Check if the user described by the current Authentication is a member of the application instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().

Specified by:

isValidApplicationUser in interface TrackablePolicyUtils

Parameters:

application - The application instance with which to check user membership

Returns:

Whether or not the current user is a member of the application, or the user is a global user.

isValidApplicationUser

public boolean isValidApplicationUser(@NonNull
                                      String applicationId)

Description copied from interface: TrackablePolicyUtils

Version of TrackablePolicyUtils.isValidApplicationUser(Application) that takes just he application's ID. If null, that means this is the global application.

Specified by:

isValidApplicationUser in interface TrackablePolicyUtils

Parameters:

applicationId - The ID of the application instance with which to check user membership

Returns:

Whether or not the current user is capable of the change given the application and global status of the change

isValidApplicationUser

public boolean isValidApplicationUser(@NonNull
                                      Application application,
                                      boolean isGlobalChange)

Description copied from interface: TrackablePolicyUtils

Check if the user described by the current Authentication is a member of the application instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().

Specified by:

isValidApplicationUser in interface TrackablePolicyUtils

Parameters:

application - The application instance with which to check user membership

isGlobalChange - Whether or not the current mutating change is against a "tenant" resource, belonging to a tenant but not particular application

Returns:

Whether or not the current user is capable of the change given the application and global status of the change

isValidApplicationUser

public boolean isValidApplicationUser(@Nullable
                                      String applicationId,
                                      boolean isTenantChange)

Description copied from interface: TrackablePolicyUtils

Version of TrackablePolicyUtils.isValidApplicationUser(Application, boolean) that takes just he application's ID. If null, that means this is the global application.

Specified by:

isValidApplicationUser in interface TrackablePolicyUtils

Parameters:

applicationId - The ID of the application instance with which to check user membership

isTenantChange - Whether or not the current mutating change is against a "tenant" resource, belonging to a tenant but not particular application

Returns:

Whether or not the current user is capable of the change given the application and global status of the change

isNotUser

protected boolean isNotUser(Map<String,Object> details)

isUserApplicationLevelAccess

public boolean isUserApplicationLevelAccess()

Description copied from interface: TrackablePolicyUtils

Whether or not the current user has access to the application level context. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().

Specified by:

isUserApplicationLevelAccess in interface TrackablePolicyUtils

Returns:

Whether or not the current user has application level access

isUserApplicationLevelAccess

protected boolean isUserApplicationLevelAccess(Map<String,Object> authDetails)

isUserApplicationRestricted

public boolean isUserApplicationRestricted()

Description copied from interface: TrackablePolicyUtils

Whether or not the current user has any application restrictions. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().

Specified by:

isUserApplicationRestricted in interface TrackablePolicyUtils

Returns:

Whether or not the current user has any application restrictions

isUserApplicationRestricted

protected boolean isUserApplicationRestricted(Map<String,Object> details)

streamApplications

protected Stream<String> streamApplications(Map<String,Object> details)

isGlobalApplication

protected boolean isGlobalApplication(@Nullable
                                      String applicationId)

isGlobalTenantUser

public boolean isGlobalTenantUser()

Description copied from interface: TrackablePolicyUtils

Whether or not the current user is a global user. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().

Specified by:

isGlobalTenantUser in interface TrackablePolicyUtils

Returns:

Whether or not the current user is a global user

isGlobalTenantUser

protected boolean isGlobalTenantUser(Map<String,Object> details)

isOwnerUser

public boolean isOwnerUser(@Nullable
                           String ownerIdentifier)

Description copied from interface: TrackablePolicyUtils

Detect whether or not the currently logged in user (if applicable) is a user capable of operating as a IdentityType.OWNER. If so, the user may participate in validation for owned entities. See Policy.identityTypes().

Specified by:

isOwnerUser in interface TrackablePolicyUtils

Parameters:

ownerIdentifier - The identifier key to use when verifying ownership.

Returns:

Detect whether or not the currently logged in user can validate against IdentityType.OWNER.

See Also:

getAuthDetailsOwnerIdentifier(), Policy.ownerIdentifier(), Owned

isAnonymous

public boolean isAnonymous()

Description copied from interface: TrackablePolicyUtils

Determine whether or not a user is an anonymous user.

Specified by:

isAnonymous in interface TrackablePolicyUtils

Returns:

true if anonymous, else false.

isCatalogVisible

public boolean isCatalogVisible(@NonNull
                                @NonNull Application application,
                                Catalog catalog)

Description copied from interface: TrackablePolicyUtils

Check if a catalog is visible, given an application. This should also take into account any * qualifying information regarding the current Authentication, especially details * regarding application membership.

Specified by:

isCatalogVisible in interface TrackablePolicyUtils

Parameters:

application - The application instance with which to weigh catalog visibility against

catalog - The catalog for which visibility status is being checked

Returns:

Whether or not the catalog is visible

isCatalogMutable

public boolean isCatalogMutable(@NonNull
                                @NonNull Application application,
                                @NonNull
                                @NonNull Catalog catalog)

Description copied from interface: TrackablePolicyUtils

Check if a catalog is mutable, given an application. This should also take into account any qualifying information regarding the current Authentication, especially details regarding application membership.

Specified by:

isCatalogMutable in interface TrackablePolicyUtils

Parameters:

application - The application instance with which to weigh catalog mutability against

catalog - The catalog for which mutability status is being checked

Returns:

Whether or not the catalog is mutable

getImplicitApplicationCatalog

protected Optional<String> getImplicitApplicationCatalog(Application application,
                                                         Catalog catalog)

validateInsert

public PolicyResponse validateInsert(@Nullable
                                     Trackable entity,
                                     @Nullable
                                     ContextInfo contextInfo,
                                     @Nullable
                                     String[] permissionRoots,
                                     @Nullable
                                     PermissionMatchingStrategy strategy)

Description copied from interface: TrackablePolicyUtils

Validate that before inserting (if catalog discrimination is in play and the current entity is catalog discriminatable) that the current catalog target for insertion is mutable.

Specified by:

validateInsert in interface TrackablePolicyUtils

Parameters:

entity - The item being inserted

contextInfo - the context containing multitenant application and catalog information

permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.

strategy - how to treat multiple permissions

Returns:

Whether or not the update request on the entity should be allowed

validateCatalogInsert

protected boolean validateCatalogInsert(@NonNull
                                        @NonNull ContextInfo contextInfo)

If a catalog discriminated entity, validate that the current user is capable of inserting an entity via the application and catalog requested in the context.

Parameters:

contextInfo - The context containing the current application and current catalog

Returns:

Whether or not the insert request is valid

isGlobalChangeInHiddenCatalog

protected boolean isGlobalChangeInHiddenCatalog(@Nullable
                                                Application application,
                                                @Nullable
                                                Catalog catalog)

isApplicationCatalogAddAllowed

protected boolean isApplicationCatalogAddAllowed(Application application,
                                                 Catalog catalog)

validateRead

public PolicyResponse validateRead(@Nullable
                                   ContextInfo contextInfo,
                                   @Nullable
                                   String[] permissionRoots,
                                   @Nullable
                                   PermissionMatchingStrategy strategy)

Description copied from interface: TrackablePolicyUtils

Validate that before reading, the required permission is available.

Specified by:

validateRead in interface TrackablePolicyUtils

Parameters:

contextInfo - the context containing multitenant application and catalog information

permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.

strategy - how to treat multiple permissions

Returns:

Whether or not the read request should be allowed

validateUpdate

public PolicyResponse validateUpdate(@Nullable
                                     Trackable entity,
                                     @Nullable
                                     ContextInfo contextInfo,
                                     @Nullable
                                     String[] permissionRoots,
                                     @Nullable
                                     PermissionMatchingStrategy strategy)

Description copied from interface: TrackablePolicyUtils

Validate that before updating (if the catalog discrimination is in play) that the item's catalog is both visible to the current application, and mutable.

Specified by:

validateUpdate in interface TrackablePolicyUtils

Parameters:

entity - The item being updated

contextInfo - the context containing multitenant application and catalog information

permissionRoots - The permission to validate. If not specified, then permission validation will not be performed.

strategy - how to treat multiple permissions

Returns:

Whether or not the update request on the entity should be allowed

validateDelete

public PolicyResponse validateDelete(@Nullable
                                     Trackable entity,
                                     @Nullable
                                     ContextInfo contextInfo,
                                     @Nullable
                                     String[] permissionRoots,
                                     @Nullable
                                     PermissionMatchingStrategy strategy)

Description copied from interface: TrackablePolicyUtils

Validate that before deleting (if the catalog discrimination is in play) that the item's catalog is both visible to the current application, and mutable.

Specified by:

validateDelete in interface TrackablePolicyUtils

Parameters:

entity - The item being deleted

contextInfo - the context containing multitenant application and catalog information

permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.

strategy - how to treat multiple permissions

Returns:

Whether or not the delete request on the entity should be allowed

validateEntityOperation

protected PolicyResponse validateEntityOperation(@Nullable
                                                 Trackable entity,
                                                 @Nullable
                                                 ContextInfo contextInfo,
                                                 @Nullable
                                                 String[] permissionRoots,
                                                 @Nullable
                                                 PermissionMatchingStrategy strategy,
                                                 @Nullable
                                                 OperationType operationType)

validateEntityUpdate

protected PolicyResponse validateEntityUpdate(@Nullable
                                              Trackable entity,
                                              @NonNull
                                              @NonNull ContextInfo contextInfo)

Check update validity for a given entity instance

Parameters:

entity - The Trackable entity

contextInfo - The context containing the current application and current catalog

Returns:

Whether or not the entity update request is valid

validateEntityUpdateForTenantFactors

@Nullable
protected PolicyResponse validateEntityUpdateForTenantFactors(Trackable entity,
                                                                        @Nullable
                                                                        Application application,
                                                                        String tenantId,
                                                                        TrackableBehaviorPackage behavior)

validateTenantTrackableUpdate

protected boolean validateTenantTrackableUpdate(Trackable entity,
                                                @Nullable
                                                Application application,
                                                TrackableBehaviorPackage behavior)

validateGlobalUpdateToHiddenCatalog

protected PolicyResponse validateGlobalUpdateToHiddenCatalog(Trackable entity)

validateGlobalMutateToInheritedCatalog

protected PolicyResponse validateGlobalMutateToInheritedCatalog(Trackable entity,
                                                                @Nullable
                                                                ContextInfo contextInfo)

validateApplicationCatalogUpdate

protected PolicyResponse validateApplicationCatalogUpdate(@NonNull
                                                          @NonNull Trackable entity,
                                                          @NonNull
                                                          @NonNull Application application)

If a catalog discriminated entity, validate that the current user is capable of updating an entity via the catalogs visible to the current application.

Parameters:

entity - The catalog discriminated entity

application - The application whose associated catalogs should be reviewed

Returns:

Whether or not the update request is valid

validateApplicationUpdate

protected PolicyResponse validateApplicationUpdate(@NonNull
                                                   @NonNull Trackable entity,
                                                   @NonNull
                                                   @NonNull Application application)

If an application discriminated entity, validate that the current user is capable of updating an entity via the application requested in the context.

Parameters:

entity - The application discriminated entity

application - The current application

Returns:

Whether or not the update request is valid

validateTenantUpdate

protected PolicyResponse validateTenantUpdate(@NonNull
                                              @NonNull Trackable entity,
                                              String tenantId)

validateOther

public PolicyResponse validateOther(@Nullable
                                    ContextInfo contextInfo,
                                    @Nullable
                                    String[] permissionRoots,
                                    @Nullable
                                    PermissionMatchingStrategy strategy)

Description copied from interface: TrackablePolicyUtils

Validate that before misc operation, the required permission is available

Specified by:

validateOther in interface TrackablePolicyUtils

Parameters:

contextInfo - the context containing multitenant application and catalog information

permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.

strategy - how to treat multiple permissions

Returns:

Whether or not the misc request should be allowed

validateOperation

protected PolicyResponse validateOperation(@Nullable
                                           ContextInfo contextInfo,
                                           @Nullable
                                           String[] permissionRoots,
                                           @Nullable
                                           PermissionMatchingStrategy strategy)

validateOperation

protected PolicyResponse validateOperation(@Nullable
                                           ContextInfo contextInfo,
                                           @Nullable
                                           String[] permissionRoots,
                                           @Nullable
                                           PermissionMatchingStrategy strategy,
                                           @Nullable
                                           OperationType operationType)

validatePermission

public PolicyResponse validatePermission(@Nullable
                                         ContextInfo contextInfo,
                                         @Nullable
                                         String[] permissionRoots,
                                         @Nullable
                                         PermissionMatchingStrategy strategy)

Description copied from interface: TrackablePolicyUtils

Validate the permission against the granted authorities of the current Authentication. If not defined, the response will be PolicyResponse.VALID.

Specified by:

validatePermission in interface TrackablePolicyUtils

Parameters:

contextInfo - the context containing multitenant application and catalog information

permissionRoots - the permission roots requested

strategy - how to treat multiple permissions

Returns:

Whether or not the discovered permission is in scope for the current user

validatePermission

public PolicyResponse validatePermission(@Nullable
                                         String[] permissionRoots,
                                         @Nullable
                                         PermissionMatchingStrategy strategy,
                                         @Nullable
                                         OperationType operationType,
                                         @Nullable
                                         ContextInfo contextInfo)

Description copied from interface: TrackablePolicyUtils

Validate the permission against the granted authorities of the current Authentication. If neither parameter is defined, the response will be PolicyResponse.VALID.

Specified by:

validatePermission in interface TrackablePolicyUtils

Parameters:

permissionRoots - the permission roots requested

operationType - the explicit type of operation to validate

contextInfo - the context containing multitenant application, tenant and catalog information. Not used in the default implementation, though custom implementations may use this for validation purposes.

Returns:

Whether or not the discovered permission is in scope for the current user

expandPermissionRootsToPermissions

protected Map<String,List<String>> expandPermissionRootsToPermissions(@NonNull
                                                                      @NonNull String[] permissionRoots,
                                                                      @Nullable
                                                                      OperationType operationType)

validateOwner

public PolicyResponse validateOwner(@Nullable
                                    Object test,
                                    @Nullable
                                    IdentityType[] identityTypes,
                                    @Nullable
                                    String ownerIdentifier)

Description copied from interface: TrackablePolicyUtils

Validate the object against the currently logged in user. If the test object is null, the response will be PolicyResponse.VALID. If the test object is provided, but no identityTypes are provided, the response will be PolicyResponse.NOT_PERMITTED. Furthermore, if the identityTypes are provided, and none are of the type IdentityType.OWNER, then the response will be PolicyResponse.VALID. Otherwise, the identifier from the authenticated user (if applicable) will be compared against the identifier of the Owned entity for validation.

Specified by:

validateOwner in interface TrackablePolicyUtils

Parameters:

test - The entity object to test for ownership agains the currently logged in user

identityTypes - The type of identities requested for the policy call. Validating ownership is only applicable against IdentityType.OWNER.

ownerIdentifier - The identifier key to use when verifying ownership.

Returns:

Whether or not the test object passed ownership validation for the logged in user

See Also:

Owned, Policy.ownerIdentifier()

invalidPolicyResponse

protected PolicyResponse invalidPolicyResponse(PolicyResponse response,
                                               String reason,
                                               org.apache.commons.lang3.tuple.Pair<String,String>... details)

invalidPolicyResponse

protected PolicyResponse invalidPolicyResponse(PolicyResponse response,
                                               String reason,
                                               @Nullable
                                               ContextInfo contextInfo)

getAttributesConverter

public org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,Map<String,Object>> getAttributesConverter()