Package com.broadleafcommerce.data.tracking.core.policy.trackable

Class DefaultTrackablePolicyUtils

    • Method Detail

      • setAttributesConverter

        @Autowired
@Qualifier("authenticationAttributesConverter")
public void setAttributesConverter​(@Nullable
                                   org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,​Map<String,​Object>> attributesConverter)

      • getAuthDetailsOwnerIdentifier

        public String getAuthDetailsOwnerIdentifier()
        Returns the owner identifier when evaluating owned entities. To modify this value on a global level, set the key broadleaf.common.policy.validation.ownerIdentifier
        Specified by:
        getAuthDetailsOwnerIdentifier in interface PolicyUtils
        Returns:
        The key of the owner identifier to retrieve from Auth details.

      • getAuthenticationAttributes

        public Map<String,​Object> getAuthenticationAttributes()
        Description copied from interface: PolicyUtils
        Retrieves the attributes on the current Authentication that are useful in making policy determinations. This method is expected to return the attributes in a map which is generally achieved by a registered Converter bean.
        Specified by:
        getAuthenticationAttributes in interface PolicyUtils
        Returns:
        the attributes, if any, on the current Authentication

      • validateContext

        public PolicyResponse validateContext​(@Nullable
                                      ContextInfo contextInfo)
        Description copied from interface: TrackablePolicyUtils
        Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.
        Specified by:
        validateContext in interface TrackablePolicyUtils
        Parameters:
        contextInfo - the context containing multitenant application, tenant and catalog information
        Returns:
        Whether or not the contextInfo contains valid tenant information

      • validateContext

        public PolicyResponse validateContext​(@Nullable
                                      ContextInfo contextInfo,
                                      @Nullable
                                      String[] requiredPermissionRoots,
                                      @Nullable
                                      PermissionMatchingStrategy permissionMatchingStrategy,
                                      @Nullable
                                      OperationType operationType)
        Description copied from interface: TrackablePolicyUtils
        Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.

        Additionally allows supplying policy requirements to inform validation decisions.

        Specified by:
        validateContext in interface TrackablePolicyUtils
        Parameters:
        contextInfo - the context containing multitenant application, tenant and catalog information
        requiredPermissionRoots - the permission roots required by the policy
        permissionMatchingStrategy - how to validate multiple permissions
        operationType - the operation type required by the policy
        Returns:
        Whether or not the contextInfo is valid with consideration to the current authentication and provided policy requirements

      • isValidSandboxUser

        public boolean isValidSandboxUser()
        Description copied from interface: TrackablePolicyUtils
        Return whether or not the currently identified user is capable of viewing a sandbox context. This can be fulfilled with an empty authentication for the request (i.e. anonymous security), or with an admin user identification.
        Specified by:
        isValidSandboxUser in interface TrackablePolicyUtils
        Returns:
        Whether or not the user identified for the current request is permitted to resolve sandbox state.

      • isMutationPossibleForContext

        public boolean isMutationPossibleForContext​(@Nullable
                                            ContextInfo contextInfo)
        Description copied from interface: TrackablePolicyUtils
        Return whether or not the currently identified user has the necessary assigned tenant relationships to make a mutating operation possible given the requested application, and/or catalog, and/or lack thereof.
        Specified by:
        isMutationPossibleForContext in interface TrackablePolicyUtils
        Parameters:
        contextInfo - The requested context
        Returns:
        Whether or not the current user is permitted

      • isSandboxVisible

        protected boolean isSandboxVisible​(ContextInfo contextInfo)

      • isContextVisible

        protected boolean isContextVisible​(ContextInfo contextInfo)

      • isAdminUser

        protected boolean isAdminUser​(Map<String,​Object> details)

      • isValidCustomerContext

        protected boolean isValidCustomerContext​(String customerContextId)

      • getCustomerContextIdsForUser

        @NonNull
protected Collection<String> getCustomerContextIdsForUser()

      • isTenantVisible

        protected boolean isTenantVisible​(@Nullable
                                  String tenantId,
                                  @Nullable
                                  String applicationId)

      • isApplicationVisible

        protected boolean isApplicationVisible​(@Nullable
                                       Application application)

      • isCatalogVisible

        protected boolean isCatalogVisible​(@Nullable
                                   Catalog catalog,
                                   @Nullable
                                   Application application)

      • isValidTenantUser

        public boolean isValidTenantUser​(@Nullable
                                 String tenantId,
                                 boolean isTenantLevelContext,
                                 boolean isGlobalChange)
        Description copied from interface: TrackablePolicyUtils
        Check if the user described by the current Authentication is a member of the tenant instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().
        Specified by:
        isValidTenantUser in interface TrackablePolicyUtils
        Parameters:
        tenantId - The ID of the tenant instance with which to check user membership
        isTenantLevelContext - Whether or not the current context is for the tenant level itself
        isGlobalChange - Whether or not the current change is mutating a "global" resource, belonging to no particular tenant
        Returns:
        Whether or not the current user has access given the tenant and global change status

      • isGlobalTenant

        protected boolean isGlobalTenant​(@Nullable
                                 String tenantId)

      • isUserTenantLevelAccess

        protected boolean isUserTenantLevelAccess​(Map<String,​Object> authDetails)

      • isValidApplicationUser

        public boolean isValidApplicationUser​(@NonNull
                                      Application application)
        Description copied from interface: TrackablePolicyUtils
        Check if the user described by the current Authentication is a member of the application instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().
        Specified by:
        isValidApplicationUser in interface TrackablePolicyUtils
        Parameters:
        application - The application instance with which to check user membership
        Returns:
        Whether or not the current user is a member of the application, or the user is a global user.

      • isValidApplicationUser

        public boolean isValidApplicationUser​(@NonNull
                                      Application application,
                                      boolean isGlobalChange)
        Description copied from interface: TrackablePolicyUtils
        Check if the user described by the current Authentication is a member of the application instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().
        Specified by:
        isValidApplicationUser in interface TrackablePolicyUtils
        Parameters:
        application - The application instance with which to check user membership
        isGlobalChange - Whether or not the current mutating change is against a "tenant" resource, belonging to a tenant but not particular application
        Returns:
        Whether or not the current user is capable of the change given the application and global status of the change

      • isValidApplicationUser

        public boolean isValidApplicationUser​(@Nullable
                                      String applicationId,
                                      boolean isTenantChange)
        Description copied from interface: TrackablePolicyUtils
        Version of TrackablePolicyUtils.isValidApplicationUser(Application, boolean) that takes just he application's ID. If null, that means this is the global application.
        Specified by:
        isValidApplicationUser in interface TrackablePolicyUtils
        Parameters:
        applicationId - The ID of the application instance with which to check user membership
        isTenantChange - Whether or not the current mutating change is against a "tenant" resource, belonging to a tenant but not particular application
        Returns:
        Whether or not the current user is capable of the change given the application and global status of the change

      • isNotUser

        protected boolean isNotUser​(Map<String,​Object> details)

      • isUserApplicationLevelAccess

        protected boolean isUserApplicationLevelAccess​(Map<String,​Object> authDetails)

      • isUserApplicationRestricted

        protected boolean isUserApplicationRestricted​(Map<String,​Object> details)

      • isGlobalApplication

        protected boolean isGlobalApplication​(@Nullable
                                      String applicationId)

      • isGlobalTenantUser

        protected boolean isGlobalTenantUser​(Map<String,​Object> details)

      • isAnonymous

        public boolean isAnonymous()
        Description copied from interface: TrackablePolicyUtils
        Determine whether or not a user is an anonymous user.
        Specified by:
        isAnonymous in interface TrackablePolicyUtils
        Returns:
        true if anonymous, else false.

      • isCatalogVisible

        public boolean isCatalogVisible​(@NonNull
                                @NonNull Application application,
                                Catalog catalog)
        Description copied from interface: TrackablePolicyUtils
        Check if a catalog is visible, given an application. This should also take into account any * qualifying information regarding the current Authentication, especially details * regarding application membership.
        Specified by:
        isCatalogVisible in interface TrackablePolicyUtils
        Parameters:
        application - The application instance with which to weigh catalog visibility against
        catalog - The catalog for which visibility status is being checked
        Returns:
        Whether or not the catalog is visible

      • isCatalogMutable

        public boolean isCatalogMutable​(@NonNull
                                @NonNull Application application,
                                @NonNull
                                @NonNull Catalog catalog)
        Description copied from interface: TrackablePolicyUtils
        Check if a catalog is mutable, given an application. This should also take into account any qualifying information regarding the current Authentication, especially details regarding application membership.
        Specified by:
        isCatalogMutable in interface TrackablePolicyUtils
        Parameters:
        application - The application instance with which to weigh catalog mutability against
        catalog - The catalog for which mutability status is being checked
        Returns:
        Whether or not the catalog is mutable

      • validateInsert

        public PolicyResponse validateInsert​(@Nullable
                                     Trackable entity,
                                     @Nullable
                                     ContextInfo contextInfo,
                                     @Nullable
                                     String[] permissionRoots,
                                     @Nullable
                                     PermissionMatchingStrategy strategy)
        Description copied from interface: TrackablePolicyUtils
        Validate that before inserting (if catalog discrimination is in play and the current entity is catalog discriminatable) that the current catalog target for insertion is mutable.
        Specified by:
        validateInsert in interface TrackablePolicyUtils
        Parameters:
        entity - The item being inserted
        contextInfo - the context containing multitenant application and catalog information
        permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
        strategy - how to treat multiple permissions
        Returns:
        Whether or not the update request on the entity should be allowed

      • validateCatalogInsert

        protected boolean validateCatalogInsert​(@NonNull
                                        @NonNull ContextInfo contextInfo)
        If a catalog discriminated entity, validate that the current user is capable of inserting an entity via the application and catalog requested in the context.
        Parameters:
        contextInfo - The context containing the current application and current catalog
        Returns:
        Whether or not the insert request is valid

      • isGlobalChangeInHiddenCatalog

        protected boolean isGlobalChangeInHiddenCatalog​(@Nullable
                                                Application application,
                                                @Nullable
                                                Catalog catalog)

      • isApplicationCatalogAddAllowed

        protected boolean isApplicationCatalogAddAllowed​(Application application,
                                                 Catalog catalog)

      • validateRead

        public PolicyResponse validateRead​(@Nullable
                                   ContextInfo contextInfo,
                                   @Nullable
                                   String[] permissionRoots,
                                   @Nullable
                                   PermissionMatchingStrategy strategy)
        Description copied from interface: TrackablePolicyUtils
        Validate that before reading, the required permission is available.
        Specified by:
        validateRead in interface TrackablePolicyUtils
        Parameters:
        contextInfo - the context containing multitenant application and catalog information
        permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
        strategy - how to treat multiple permissions
        Returns:
        Whether or not the read request should be allowed

      • validateUpdate

        public PolicyResponse validateUpdate​(@Nullable
                                     Trackable entity,
                                     @Nullable
                                     ContextInfo contextInfo,
                                     @Nullable
                                     String[] permissionRoots,
                                     @Nullable
                                     PermissionMatchingStrategy strategy)
        Description copied from interface: TrackablePolicyUtils
        Validate that before updating (if the catalog discrimination is in play) that the item's catalog is both visible to the current application, and mutable.
        Specified by:
        validateUpdate in interface TrackablePolicyUtils
        Parameters:
        entity - The item being updated
        contextInfo - the context containing multitenant application and catalog information
        permissionRoots - The permission to validate. If not specified, then permission validation will not be performed.
        strategy - how to treat multiple permissions
        Returns:
        Whether or not the update request on the entity should be allowed

      • validateDelete

        public PolicyResponse validateDelete​(@Nullable
                                     Trackable entity,
                                     @Nullable
                                     ContextInfo contextInfo,
                                     @Nullable
                                     String[] permissionRoots,
                                     @Nullable
                                     PermissionMatchingStrategy strategy)
        Description copied from interface: TrackablePolicyUtils
        Validate that before deleting (if the catalog discrimination is in play) that the item's catalog is both visible to the current application, and mutable.
        Specified by:
        validateDelete in interface TrackablePolicyUtils
        Parameters:
        entity - The item being deleted
        contextInfo - the context containing multitenant application and catalog information
        permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
        strategy - how to treat multiple permissions
        Returns:
        Whether or not the delete request on the entity should be allowed

      • validateEntityUpdate

        protected PolicyResponse validateEntityUpdate​(@Nullable
                                              Trackable entity,
                                              @NonNull
                                              @NonNull ContextInfo contextInfo)
        Check update validity for a given entity instance
        Parameters:
        entity - The Trackable entity
        contextInfo - The context containing the current application and current catalog
        Returns:
        Whether or not the entity update request is valid

      • validateGlobalUpdateToHiddenCatalog

        protected PolicyResponse validateGlobalUpdateToHiddenCatalog​(Trackable entity)

      • validateApplicationCatalogUpdate

        protected PolicyResponse validateApplicationCatalogUpdate​(@NonNull
                                                          @NonNull Trackable entity,
                                                          @NonNull
                                                          @NonNull Application application)
        If a catalog discriminated entity, validate that the current user is capable of updating an entity via the catalogs visible to the current application.
        Parameters:
        entity - The catalog discriminated entity
        application - The application whose associated catalogs should be reviewed
        Returns:
        Whether or not the update request is valid

      • validateApplicationUpdate

        protected PolicyResponse validateApplicationUpdate​(@NonNull
                                                   @NonNull Trackable entity,
                                                   @NonNull
                                                   @NonNull Application application)
        If an application discriminated entity, validate that the current user is capable of updating an entity via the application requested in the context.
        Parameters:
        entity - The application discriminated entity
        application - The current application
        Returns:
        Whether or not the update request is valid

      • validateOther

        public PolicyResponse validateOther​(@Nullable
                                    ContextInfo contextInfo,
                                    @Nullable
                                    String[] permissionRoots,
                                    @Nullable
                                    PermissionMatchingStrategy strategy)
        Description copied from interface: TrackablePolicyUtils
        Validate that before misc operation, the required permission is available
        Specified by:
        validateOther in interface TrackablePolicyUtils
        Parameters:
        contextInfo - the context containing multitenant application and catalog information
        permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
        strategy - how to treat multiple permissions
        Returns:
        Whether or not the misc request should be allowed

      • validatePermission

        public PolicyResponse validatePermission​(@Nullable
                                         ContextInfo contextInfo,
                                         @Nullable
                                         String[] permissionRoots,
                                         @Nullable
                                         PermissionMatchingStrategy strategy)
        Description copied from interface: TrackablePolicyUtils
        Validate the permission against the granted authorities of the current Authentication. If not defined, the response will be PolicyResponse.VALID.
        Specified by:
        validatePermission in interface TrackablePolicyUtils
        Parameters:
        contextInfo - the context containing multitenant application and catalog information
        permissionRoots - the permission roots requested
        strategy - how to treat multiple permissions
        Returns:
        Whether or not the discovered permission is in scope for the current user

      • validatePermission

        public PolicyResponse validatePermission​(@Nullable
                                         String[] permissionRoots,
                                         @Nullable
                                         PermissionMatchingStrategy strategy,
                                         @Nullable
                                         OperationType operationType,
                                         @Nullable
                                         ContextInfo contextInfo)
        Description copied from interface: TrackablePolicyUtils
        Validate the permission against the granted authorities of the current Authentication. If neither parameter is defined, the response will be PolicyResponse.VALID.
        Specified by:
        validatePermission in interface TrackablePolicyUtils
        Parameters:
        permissionRoots - the permission roots requested
        operationType - the explicit type of operation to validate
        contextInfo - the context containing multitenant application, tenant and catalog information. Not used in the default implementation, though custom implementations may use this for validation purposes.
        Returns:
        Whether or not the discovered permission is in scope for the current user

      • expandPermissionRootsToPermissions

        protected Map<String,​List<String>> expandPermissionRootsToPermissions​(@NonNull
                                                                            @NonNull String[] permissionRoots,
                                                                            @Nullable
                                                                            OperationType operationType)

      • validateOwner

        public PolicyResponse validateOwner​(@Nullable
                                    Object test,
                                    @Nullable
                                    IdentityType[] identityTypes,
                                    @Nullable
                                    String ownerIdentifier)
        Description copied from interface: TrackablePolicyUtils
        Validate the object against the currently logged in user. If the test object is null, the response will be PolicyResponse.VALID. If the test object is provided, but no identityTypes are provided, the response will be PolicyResponse.NOT_PERMITTED. Furthermore, if the identityTypes are provided, and none are of the type IdentityType.OWNER, then the response will be PolicyResponse.VALID. Otherwise, the identifier from the authenticated user (if applicable) will be compared against the identifier of the Owned entity for validation.
        Specified by:
        validateOwner in interface TrackablePolicyUtils
        Parameters:
        test - The entity object to test for ownership agains the currently logged in user
        identityTypes - The type of identities requested for the policy call. Validating ownership is only applicable against IdentityType.OWNER.
        ownerIdentifier - The identifier key to use when verifying ownership.
        Returns:
        Whether or not the test object passed ownership validation for the logged in user
        See Also:
        Owned, Policy.ownerIdentifier()

      • getAttributesConverter

        public org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication,​Map<String,​Object>> getAttributesConverter()