Class DefaultTrackablePolicyUtils
java.lang.Object
com.broadleafcommerce.data.tracking.core.policy.trackable.DefaultTrackablePolicyUtils
- All Implemented Interfaces: PolicyUtils, TrackablePolicyUtils
- Direct Known Subclasses: VendorAwareTrackablePolicyUtils
-
Field Summary
Fields inherited from interface com.broadleafcommerce.data.tracking.core.policy.PolicyUtils
DEFAULT_AUTH_DETAILS_OWNER_ID, ROLE_ANONYMOUS
Fields inherited from interface com.broadleafcommerce.data.tracking.core.policy.trackable.TrackablePolicyUtils
AUTH_DETAILS_ACCOUNT_KEY, AUTH_DETAILS_ADMIN_USER_ID_KEY, AUTH_DETAILS_APPLICATION_ACCESS_KEY, AUTH_DETAILS_APPLICATIONS_KEY, AUTH_DETAILS_CUSTOMER_CONTEXT_IDS, AUTH_DETAILS_GLOBAL_KEY, AUTH_DETAILS_TENANT_ACCESS_KEY, AUTH_DETAILS_TENANT_KEY
-
Constructor Summary
- DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil trackableBehaviorUtil)
- DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil behaviorUtil, String ownerIdentifier)
-
Method Summary
Modifier and Type | Method | Description (one entry per method; the modifier and type column is omitted where the page does not show it)
- expandPermissionRootsToPermissions(@NonNull String[] permissionRoots, OperationType operationType)
- org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication, Map<String, Object>> getAttributesConverter()
- getAuthDetailsOwnerIdentifier(): Returns the owner identifier when evaluating owned entities.
- getAuthenticationAttributes(): Retrieves the attributes on the current Authentication that are useful in making policy determinations.
- protected String getCurrentUserAccountId()
- protected Collection<String> getCustomerContextIdsForUser()
- getImplicitApplicationCatalog(Application application, Catalog catalog): Given an application, find a matching implicit catalog for the requested catalog, if applicable.
- protected PolicyResponse invalidPolicyResponse(PolicyResponse response, String reason, ContextInfo contextInfo)
- protected PolicyResponse invalidPolicyResponse(PolicyResponse response, String reason, org.apache.commons.lang3.tuple.Pair<String, String>... details)
- protected boolean isAccountVisible(String accountId)
- protected boolean isAdminUser(Map<String, Object> details)
- boolean isAnonymous(): Determine whether or not a user is an anonymous user.
- protected boolean isApplicationCatalogAddAllowed(Application application, Catalog catalog)
- protected boolean isApplicationVisible(Application application)
- boolean isCatalogMutable(@NonNull Application application, @NonNull Catalog catalog): Check if a catalog is mutable, given an application.
- boolean isCatalogVisible(@NonNull Application application, Catalog catalog): Check if a catalog is visible, given an application.
- protected boolean isCatalogVisible(Catalog catalog, Application application)
- protected boolean isContextVisible(ContextInfo contextInfo)
- protected boolean isGlobalApplication(String applicationId)
- protected boolean isGlobalChangeInHiddenCatalog(Application application, Catalog catalog)
- protected boolean isGlobalTenant(String tenantId)
- boolean isGlobalTenantUser(): Whether or not the current user is a global user.
- protected boolean isGlobalTenantUser(Map<String, Object> details)
- boolean isMutationPossibleForContext(ContextInfo contextInfo): Return whether or not the currently identified user has the necessary assigned tenant relationships to make a mutating operation possible given the requested application, and/or catalog, and/or lack thereof.
- protected boolean isNotUser()
- boolean isOwnerUser(String ownerIdentifier): Detect whether or not the currently logged in user (if applicable) is a user capable of operating as an IdentityType.OWNER.
- protected boolean isSandboxVisible(ContextInfo contextInfo)
- protected boolean isTenantVisible(String tenantId, String applicationId)
- boolean isUserApplicationLevelAccess(): Whether or not the current user has access to the application level context.
- protected boolean isUserApplicationLevelAccess(Map<String, Object> authDetails)
- boolean isUserApplicationRestricted(): Whether or not the current user has any application restrictions.
- protected boolean isUserApplicationRestricted(Map<String, Object> details)
- boolean isUserTenantLevelAccess(): Whether or not the current user has access to the tenant level context.
- protected boolean isUserTenantLevelAccess(Map<String, Object> authDetails)
- boolean isValidApplicationUser(Application application): Check if the user described by the current Authentication is a member of the application instance provided.
- boolean isValidApplicationUser(Application application, boolean isGlobalChange): Check if the user described by the current Authentication is a member of the application instance provided.
- boolean isValidApplicationUser(String applicationId): Version of TrackablePolicyUtils.isValidApplicationUser(Application) that takes just the application's ID.
- boolean isValidApplicationUser(String applicationId, boolean isTenantChange): Version of TrackablePolicyUtils.isValidApplicationUser(Application, boolean) that takes just the application's ID.
- protected boolean isValidCustomerContext(String customerContextId)
- boolean isValidSandboxUser(): Return whether or not the currently identified user is capable of viewing a sandbox context.
- boolean isValidTenantUser(String tenantId, boolean isTenantLevelContext, boolean isGlobalChange): Check if the user described by the current Authentication is a member of the tenant instance provided.
- protected Optional<InheritanceLine> matchInheritanceLine(Application application, Catalog catalog)
- protected int rateMember(InheritanceMember member): Rate a member on precedence of usage.
- void setAttributesConverter(org.springframework.core.convert.converter.Converter<org.springframework.security.core.Authentication, Map<String, Object>> attributesConverter)
- streamApplications(Map<String, Object> details)
- protected PolicyResponse validateApplicationCatalogUpdate(@NonNull Trackable entity, @NonNull Application application): If a catalog discriminated entity, validate that the current user is capable of updating an entity via the catalogs visible to the current application.
- protected PolicyResponse validateApplicationUpdate(@NonNull Trackable entity, @NonNull Application application): If an application discriminated entity, validate that the current user is capable of updating an entity via the application requested in the context.
- protected boolean validateCatalogInsert(@NonNull ContextInfo contextInfo): If a catalog discriminated entity, validate that the current user is capable of inserting an entity via the application and catalog requested in the context.
- validateContext(ContextInfo contextInfo): Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.
- PolicyResponse validateContext(ContextInfo contextInfo, String[] requiredPermissionRoots, PermissionMatchingStrategy permissionMatchingStrategy, OperationType operationType): Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.
- PolicyResponse validateDelete(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy): Validate before deleting (if catalog discrimination is in play) that the item's catalog is both visible to the current application and mutable.
- protected PolicyResponse validateEntityOperation(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType)
- protected PolicyResponse validateEntityUpdate(Trackable entity, @NonNull ContextInfo contextInfo): Check update validity for a given entity instance.
- protected PolicyResponse validateEntityUpdateForTenantFactors(Trackable entity, Application application, String tenantId, TrackableBehaviorPackage behavior)
- protected PolicyResponse validateGlobalMutateToInheritedCatalog(Trackable entity, ContextInfo contextInfo)
- protected PolicyResponse validateGlobalUpdateToHiddenCatalog
- PolicyResponse validateInsert(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy): Validate before inserting (if catalog discrimination is in play and the current entity is catalog discriminatable) that the current catalog target for insertion is mutable.
- protected PolicyResponse validateOperation(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy)
- protected PolicyResponse validateOperation(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType)
- PolicyResponse validateOther(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy): Validate before a misc operation that the required permission is available.
- PolicyResponse validateOwner(Object test, IdentityType[] identityTypes, String ownerIdentifier): Validate the object against the currently logged in user.
- PolicyResponse validatePermission(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy): Validate the permission against the granted authorities of the current Authentication.
- PolicyResponse validatePermission(String[] permissionRoots, PermissionMatchingStrategy strategy, OperationType operationType, ContextInfo contextInfo): Validate the permission against the granted authorities of the current Authentication.
- PolicyResponse validateRead(ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy): Validate before reading that the required permission is available.
- protected boolean validateTenantTrackableUpdate(Trackable entity, Application application, TrackableBehaviorPackage behavior)
- protected PolicyResponse validateTenantUpdate(@NonNull Trackable entity, String tenantId)
- PolicyResponse validateUpdate(Trackable entity, ContextInfo contextInfo, String[] permissionRoots, PermissionMatchingStrategy strategy): Validate before updating (if catalog discrimination is in play) that the item's catalog is both visible to the current application and mutable.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface com.broadleafcommerce.data.tracking.core.policy.PolicyUtils
getAuthentication, validatePermissions
-
Field Details
-
ADMIN_CLAIM
- See Also:
-
USER_TYPE_ATTR
- See Also:
-
-
Constructor Details
-
DefaultTrackablePolicyUtils
public DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil trackableBehaviorUtil)
-
DefaultTrackablePolicyUtils
public DefaultTrackablePolicyUtils(CatalogFinder<Catalog> catalogFinder, TrackableBehaviorUtil behaviorUtil, String ownerIdentifier)
-
Method Details
-
setAttributesConverter
-
getAuthDetailsOwnerIdentifier
Returns the owner identifier when evaluating owned entities. To modify this value on a global level, set the key broadleaf.common.policy.validation.ownerIdentifier.
- Specified by: getAuthDetailsOwnerIdentifier in interface PolicyUtils
- Returns: The key of the owner identifier to retrieve from Auth details.
-
getAuthenticationAttributes
Description copied from interface: PolicyUtils
Retrieves the attributes on the current Authentication that are useful in making policy determinations. This method is expected to return the attributes in a map, which is generally achieved by a registered Converter bean.
- Specified by: getAuthenticationAttributes in interface PolicyUtils
- Returns: the attributes, if any, on the current Authentication
-
validateContext
Description copied from interface: TrackablePolicyUtils
Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo.
- Specified by: validateContext in interface TrackablePolicyUtils
- Parameters: contextInfo - the context containing multitenant application, tenant and catalog information
- Returns: Whether or not the contextInfo contains valid tenant information
-
validateContext
public PolicyResponse validateContext(@Nullable ContextInfo contextInfo, @Nullable String[] requiredPermissionRoots, @Nullable PermissionMatchingStrategy permissionMatchingStrategy, @Nullable OperationType operationType)
Description copied from interface: TrackablePolicyUtils
Review the ContextInfo parameter for valid tenant user membership and valid catalog visibility based on the current Authentication and requested tenant information in the contextInfo. Additionally allows supplying policy requirements to inform validation decisions.
- Specified by: validateContext in interface TrackablePolicyUtils
- Parameters:
  contextInfo - the context containing multitenant application, tenant and catalog information
  requiredPermissionRoots - the permission roots required by the policy
  permissionMatchingStrategy - how to validate multiple permissions
  operationType - the operation type required by the policy
- Returns: Whether or not the contextInfo is valid with consideration to the current authentication and provided policy requirements
-
isValidSandboxUser
public boolean isValidSandboxUser()
Description copied from interface: TrackablePolicyUtils
Return whether or not the currently identified user is capable of viewing a sandbox context. This can be fulfilled with an empty authentication for the request (i.e. anonymous security), or with an admin user identification.
- Specified by: isValidSandboxUser in interface TrackablePolicyUtils
- Returns: Whether or not the user identified for the current request is permitted to resolve sandbox state.
-
isMutationPossibleForContext
Description copied from interface: TrackablePolicyUtils
Return whether or not the currently identified user has the necessary assigned tenant relationships to make a mutating operation possible given the requested application, and/or catalog, and/or lack thereof.
- Specified by: isMutationPossibleForContext in interface TrackablePolicyUtils
- Parameters: contextInfo - The requested context
- Returns: Whether or not the current user is permitted
-
isSandboxVisible
-
isContextVisible
-
isAccountVisible
-
isAdminUser
-
isValidCustomerContext
-
getCurrentUserAccountId
-
getCustomerContextIdsForUser
-
isTenantVisible
-
isApplicationVisible
-
isCatalogVisible
-
isValidTenantUser
public boolean isValidTenantUser(@Nullable String tenantId, boolean isTenantLevelContext, boolean isGlobalChange)
Description copied from interface: TrackablePolicyUtils
Check if the user described by the current Authentication is a member of the tenant instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().
- Specified by: isValidTenantUser in interface TrackablePolicyUtils
- Parameters:
  tenantId - The ID of the tenant instance with which to check user membership
  isTenantLevelContext - Whether or not the current context is for the tenant level itself
  isGlobalChange - Whether or not the current change is mutating a "global" resource, belonging to no particular tenant
- Returns: Whether or not the current user has access given the tenant and global change status
-
isGlobalTenant
-
isUserTenantLevelAccess
public boolean isUserTenantLevelAccess()
Description copied from interface: TrackablePolicyUtils
Whether or not the current user has access to the tenant level context. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().
- Specified by: isUserTenantLevelAccess in interface TrackablePolicyUtils
- Returns: Whether or not the current user has tenant level access
-
isUserTenantLevelAccess
-
isValidApplicationUser
Description copied from interface: TrackablePolicyUtils
Check if the user described by the current Authentication is a member of the application instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().
- Specified by: isValidApplicationUser in interface TrackablePolicyUtils
- Parameters: application - The application instance with which to check user membership
- Returns: Whether or not the current user is a member of the application, or the user is a global user.
-
isValidApplicationUser
Description copied from interface: TrackablePolicyUtils
Version of TrackablePolicyUtils.isValidApplicationUser(Application) that takes just the application's ID. If null, that means this is the global application.
- Specified by: isValidApplicationUser in interface TrackablePolicyUtils
- Parameters: applicationId - The ID of the application instance with which to check user membership
- Returns: Whether or not the current user is capable of the change given the application and global status of the change
-
isValidApplicationUser
Description copied from interface: TrackablePolicyUtils
Check if the user described by the current Authentication is a member of the application instance provided. This is generally determined by looking at PolicyUtils.getAuthenticationAttributes().
- Specified by: isValidApplicationUser in interface TrackablePolicyUtils
- Parameters:
  application - The application instance with which to check user membership
  isGlobalChange - Whether or not the current mutating change is against a "tenant" resource, belonging to a tenant but not a particular application
- Returns: Whether or not the current user is capable of the change given the application and global status of the change
-
isValidApplicationUser
Description copied from interface: TrackablePolicyUtils
Version of TrackablePolicyUtils.isValidApplicationUser(Application, boolean) that takes just the application's ID. If null, that means this is the global application.
- Specified by: isValidApplicationUser in interface TrackablePolicyUtils
- Parameters:
  applicationId - The ID of the application instance with which to check user membership
  isTenantChange - Whether or not the current mutating change is against a "tenant" resource, belonging to a tenant but not a particular application
- Returns: Whether or not the current user is capable of the change given the application and global status of the change
-
isNotUser
-
isUserApplicationLevelAccess
public boolean isUserApplicationLevelAccess()
Description copied from interface: TrackablePolicyUtils
Whether or not the current user has access to the application level context. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().
- Specified by: isUserApplicationLevelAccess in interface TrackablePolicyUtils
- Returns: Whether or not the current user has application level access
-
isUserApplicationLevelAccess
-
isUserApplicationRestricted
public boolean isUserApplicationRestricted()
Description copied from interface: TrackablePolicyUtils
Whether or not the current user has any application restrictions. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().
- Specified by: isUserApplicationRestricted in interface TrackablePolicyUtils
- Returns: Whether or not the current user has any application restrictions
-
isUserApplicationRestricted
-
streamApplications
-
isGlobalApplication
-
isGlobalTenantUser
public boolean isGlobalTenantUser()
Description copied from interface: TrackablePolicyUtils
Whether or not the current user is a global user. This is usually determined by examining the details in PolicyUtils.getAuthenticationAttributes().
- Specified by: isGlobalTenantUser in interface TrackablePolicyUtils
- Returns: Whether or not the current user is a global user
-
isGlobalTenantUser
-
isOwnerUser
Description copied from interface: TrackablePolicyUtils
Detect whether or not the currently logged in user (if applicable) is a user capable of operating as an IdentityType.OWNER. If so, the user may participate in validation for owned entities. See Policy.identityTypes().
- Specified by: isOwnerUser in interface TrackablePolicyUtils
- Parameters: ownerIdentifier - The identifier key to use when verifying ownership.
- Returns: Whether or not the currently logged in user can validate against IdentityType.OWNER.
-
isAnonymous
public boolean isAnonymous()
Description copied from interface: TrackablePolicyUtils
Determine whether or not a user is an anonymous user.
- Specified by: isAnonymous in interface TrackablePolicyUtils
- Returns: true if anonymous, else false.
-
isCatalogVisible
Description copied from interface: TrackablePolicyUtils
Check if a catalog is visible, given an application. This should also take into account any qualifying information regarding the current Authentication, especially details regarding application membership.
- Specified by: isCatalogVisible in interface TrackablePolicyUtils
- Parameters:
  application - The application instance against which to weigh catalog visibility
  catalog - The catalog for which visibility status is being checked
- Returns: Whether or not the catalog is visible
-
isCatalogMutable
public boolean isCatalogMutable(@NonNull Application application, @NonNull Catalog catalog)
Description copied from interface: TrackablePolicyUtils
Check if a catalog is mutable, given an application. This should also take into account any qualifying information regarding the current Authentication, especially details regarding application membership.
- Specified by: isCatalogMutable in interface TrackablePolicyUtils
- Parameters:
  application - The application instance against which to weigh catalog mutability
  catalog - The catalog for which mutability status is being checked
- Returns: Whether or not the catalog is mutable
-
getImplicitApplicationCatalog
Description copied from interface: TrackablePolicyUtils
Given an application, find a matching implicit catalog for the requested catalog, if applicable. Note that in multi-level trees it is required to traverse the Application.getInheritanceLines() to make a branch catalog discovery before making an implicit catalog match determination for a higher level requested catalog.
- Specified by: getImplicitApplicationCatalog in interface TrackablePolicyUtils
- Parameters:
  application - The application to check for existence of the requested catalog in inheritance lines
  catalog - The requested catalog to use for the determination
- Returns: Whether or not the requested catalog appears in the application's inheritance line, and if so, either the application's implicit catalog matching the requested catalog, or the implicit catalog for a downstream branch catalog.
-
matchInheritanceLine
-
rateMember
Rate a member on precedence of usage. Useful in scenarios where multiple inheritance lines share a common ancestor, but may have different inheritance characteristics in each case. By rating, the system can prefer one inheritance line over another when selecting an appropriate implicit catalog to use for entity mutation.
- Parameters: member - The matching member to inspect from the inheritance line.
- Returns: The member rating. Smaller values have higher precedence.
-
validateInsert
public PolicyResponse validateInsert(@Nullable Trackable entity, @Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy)
Description copied from interface: TrackablePolicyUtils
Validate before inserting (if catalog discrimination is in play and the current entity is catalog discriminatable) that the current catalog target for insertion is mutable.
- Specified by: validateInsert in interface TrackablePolicyUtils
- Parameters:
  entity - The item being inserted
  contextInfo - the context containing multitenant application and catalog information
  permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
  strategy - how to treat multiple permissions
- Returns: Whether or not the insert request on the entity should be allowed
-
validateCatalogInsert
If a catalog discriminated entity, validate that the current user is capable of inserting an entity via the application and catalog requested in the context.
- Parameters: contextInfo - The context containing the current application and current catalog
- Returns: Whether or not the insert request is valid
-
isGlobalChangeInHiddenCatalog
protected boolean isGlobalChangeInHiddenCatalog(@Nullable Application application, @Nullable Catalog catalog)
-
isApplicationCatalogAddAllowed
-
validateRead
public PolicyResponse validateRead(@Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy)
Description copied from interface: TrackablePolicyUtils
Validate before reading that the required permission is available.
- Specified by: validateRead in interface TrackablePolicyUtils
- Parameters:
  contextInfo - the context containing multitenant application and catalog information
  permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
  strategy - how to treat multiple permissions
- Returns: Whether or not the read request should be allowed
-
validateUpdate
public PolicyResponse validateUpdate(@Nullable Trackable entity, @Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy)
Description copied from interface: TrackablePolicyUtils
Validate before updating (if catalog discrimination is in play) that the item's catalog is both visible to the current application and mutable.
- Specified by: validateUpdate in interface TrackablePolicyUtils
- Parameters:
  entity - The item being updated
  contextInfo - the context containing multitenant application and catalog information
  permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
  strategy - how to treat multiple permissions
- Returns: Whether or not the update request on the entity should be allowed
-
validateDelete
public PolicyResponse validateDelete(@Nullable Trackable entity, @Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy)
Description copied from interface: TrackablePolicyUtils
Validate before deleting (if catalog discrimination is in play) that the item's catalog is both visible to the current application and mutable.
- Specified by: validateDelete in interface TrackablePolicyUtils
- Parameters:
  entity - The item being deleted
  contextInfo - the context containing multitenant application and catalog information
  permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
  strategy - how to treat multiple permissions
- Returns: Whether or not the delete request on the entity should be allowed
-
validateEntityOperation
protected PolicyResponse validateEntityOperation(@Nullable Trackable entity, @Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy, @Nullable OperationType operationType)
-
validateEntityUpdate
protected PolicyResponse validateEntityUpdate(@Nullable Trackable entity, @NonNull ContextInfo contextInfo)
Check update validity for a given entity instance.
- Parameters:
  entity - The Trackable entity
  contextInfo - The context containing the current application and current catalog
- Returns: Whether or not the entity update request is valid
-
validateEntityUpdateForTenantFactors
@Nullable protected PolicyResponse validateEntityUpdateForTenantFactors(Trackable entity, @Nullable Application application, String tenantId, TrackableBehaviorPackage behavior)
-
validateTenantTrackableUpdate
protected boolean validateTenantTrackableUpdate(Trackable entity, @Nullable Application application, TrackableBehaviorPackage behavior)
-
validateGlobalUpdateToHiddenCatalog
-
validateGlobalMutateToInheritedCatalog
protected PolicyResponse validateGlobalMutateToInheritedCatalog(Trackable entity, @Nullable ContextInfo contextInfo)
-
validateApplicationCatalogUpdate
protected PolicyResponse validateApplicationCatalogUpdate(@NonNull Trackable entity, @NonNull Application application)
If a catalog discriminated entity, validate that the current user is capable of updating an entity via the catalogs visible to the current application.
- Parameters:
  entity - The catalog discriminated entity
  application - The application whose associated catalogs should be reviewed
- Returns: Whether or not the update request is valid
-
validateApplicationUpdate
protected PolicyResponse validateApplicationUpdate(@NonNull Trackable entity, @NonNull Application application)
If an application discriminated entity, validate that the current user is capable of updating an entity via the application requested in the context.
- Parameters:
  entity - The application discriminated entity
  application - The current application
- Returns: Whether or not the update request is valid
-
validateTenantUpdate
-
validateOther
public PolicyResponse validateOther(@Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy)
Description copied from interface: TrackablePolicyUtils
Validate before a misc operation that the required permission is available.
- Specified by: validateOther in interface TrackablePolicyUtils
- Parameters:
  contextInfo - the context containing multitenant application and catalog information
  permissionRoots - The permission roots to validate. If not specified, then permission validation will not be performed.
  strategy - how to treat multiple permissions
- Returns: Whether or not the misc request should be allowed
-
validateOperation
protected PolicyResponse validateOperation(@Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy)
-
validateOperation
protected PolicyResponse validateOperation(@Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy, @Nullable OperationType operationType)
-
validatePermission
public PolicyResponse validatePermission(@Nullable ContextInfo contextInfo, @Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy)
Description copied from interface: TrackablePolicyUtils
Validate the permission against the granted authorities of the current Authentication. If not defined, the response will be PolicyResponse.VALID.
- Specified by: validatePermission in interface TrackablePolicyUtils
- Parameters:
  contextInfo - the context containing multitenant application and catalog information
  permissionRoots - the permission roots requested
  strategy - how to treat multiple permissions
- Returns: Whether or not the discovered permission is in scope for the current user
-
validatePermission
public PolicyResponse validatePermission(@Nullable String[] permissionRoots, @Nullable PermissionMatchingStrategy strategy, @Nullable OperationType operationType, @Nullable ContextInfo contextInfo)
Description copied from interface: TrackablePolicyUtils
Validate the permission against the granted authorities of the current Authentication. If neither parameter is defined, the response will be PolicyResponse.VALID.
- Specified by: validatePermission in interface TrackablePolicyUtils
- Parameters:
  permissionRoots - the permission roots requested
  operationType - the explicit type of operation to validate
  contextInfo - the context containing multitenant application, tenant and catalog information. Not used in the default implementation, though custom implementations may use this for validation purposes.
- Returns: Whether or not the discovered permission is in scope for the current user
-
expandPermissionRootsToPermissions
-
validateOwner
public PolicyResponse validateOwner(@Nullable Object test, @Nullable IdentityType[] identityTypes, @Nullable String ownerIdentifier)
Description copied from interface: TrackablePolicyUtils
Validate the object against the currently logged in user. If the test object is null, the response will be PolicyResponse.VALID. If the test object is provided, but no identityTypes are provided, the response will be PolicyResponse.NOT_PERMITTED. Furthermore, if the identityTypes are provided, and none are of the type IdentityType.OWNER, then the response will be PolicyResponse.VALID. Otherwise, the identifier from the authenticated user (if applicable) will be compared against the identifier of the Owned entity for validation.
- Specified by: validateOwner in interface TrackablePolicyUtils
- Parameters:
  test - The entity object to test for ownership against the currently logged in user
  identityTypes - The type of identities requested for the policy call. Validating ownership is only applicable against IdentityType.OWNER.
  ownerIdentifier - The identifier key to use when verifying ownership.
- Returns: Whether or not the test object passed ownership validation for the logged in user
-
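The decision ladder documented for validateOwner, written out as an added illustration; this is not Broadleaf's implementation. PolicyResponse, IdentityType and Owned are hypothetical stand-ins for the real types, the auth-details map, the "user_id" owner-identifier key and the sample entity are constructed here, and treating a test object that is not Owned as NOT_PERMITTED is an assumption of this example.

```java
import java.util.Map;
import java.util.Objects;

public class OwnerPolicyExample {

    // Hypothetical stand-ins for the Broadleaf types of the same name.
    enum PolicyResponse { VALID, NOT_PERMITTED }

    enum IdentityType { ANONYMOUS, CUSTOMER, ADMIN, OWNER }

    /** Stand-in for an Owned entity: exposes the identifier of its owner. */
    interface Owned {
        String getOwnerIdentifier();
    }

    /**
     * Mirrors the documented rules, in order:
     *   1. null test object              -> VALID (nothing to protect)
     *   2. no identityTypes              -> NOT_PERMITTED (fail closed)
     *   3. OWNER not among the types     -> VALID (ownership is out of scope)
     *   4. otherwise compare the user's identifier, read from the auth details
     *      under the ownerIdentifier key, with the entity's owner identifier.
     */
    static PolicyResponse validateOwner(Object test,
                                        IdentityType[] identityTypes,
                                        String ownerIdentifier,
                                        Map<String, Object> authDetails) {
        if (test == null) {
            return PolicyResponse.VALID;
        }
        if (identityTypes == null || identityTypes.length == 0) {
            return PolicyResponse.NOT_PERMITTED;
        }
        boolean ownerRequested = false;
        for (IdentityType type : identityTypes) {
            if (type == IdentityType.OWNER) {
                ownerRequested = true;
                break;
            }
        }
        if (!ownerRequested) {
            return PolicyResponse.VALID;
        }
        if (!(test instanceof Owned)) {
            // Assumption of this example: an entity without an owner to compare
            // against cannot pass an ownership check.
            return PolicyResponse.NOT_PERMITTED;
        }
        Object currentUserId = authDetails == null ? null : authDetails.get(ownerIdentifier);
        String entityOwner = ((Owned) test).getOwnerIdentifier();
        // Fail closed: a missing identifier on either side never matches.
        boolean matches = currentUserId != null && entityOwner != null
                && Objects.equals(String.valueOf(currentUserId), entityOwner);
        return matches ? PolicyResponse.VALID : PolicyResponse.NOT_PERMITTED;
    }

    public static void main(String[] args) {
        Owned order = () -> "user-42";                                // constructed sample entity
        Map<String, Object> details = Map.of("user_id", "user-42");   // constructed auth details
        IdentityType[] ownerOnly = { IdentityType.OWNER };
        IdentityType[] adminOnly = { IdentityType.ADMIN };

        System.out.println("null entity:      " + validateOwner(null, ownerOnly, "user_id", details));
        System.out.println("no identities:    " + validateOwner(order, null, "user_id", details));
        System.out.println("OWNER not asked:  " + validateOwner(order, adminOnly, "user_id", details));
        System.out.println("owner matches:    " + validateOwner(order, ownerOnly, "user_id", details));
        System.out.println("owner differs:    "
                + validateOwner(order, ownerOnly, "user_id", Map.of("user_id", "user-7")));
    }
}
```

The five calls in main exercise each branch of the ladder in turn; only the second and the last resolve to NOT_PERMITTED.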
invalidPolicyResponse
protected PolicyResponse invalidPolicyResponse(PolicyResponse response, String reason, org.apache.commons.lang3.tuple.Pair<String, String>... details)
-
invalidPolicyResponse
protected PolicyResponse invalidPolicyResponse(PolicyResponse response, String reason, @Nullable ContextInfo contextInfo)
-
getAttributesConverter
-