View Javadoc
1   /*
2    * Copyright (c) 2002-2022, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.service.rbac;
35  
36  import fr.paris.lutece.api.user.User;
37  import fr.paris.lutece.api.user.UserRole;
38  import fr.paris.lutece.portal.business.rbac.RBACHome;
39  import fr.paris.lutece.portal.business.user.AdminUser;
40  import fr.paris.lutece.util.ReferenceItem;
41  import fr.paris.lutece.util.ReferenceList;
42  
43  import java.util.ArrayList;
44  import java.util.Collection;
45  import java.util.Map;
46  
47  /**
48   * This class provides the main methods to control the access to a resource depending on the user's roles
49   */
50  public final class RBACService
51  {
52      /**
53       * Constructor
54       */
55      private RBACService( )
56      {
57      }
58  
59      /**
60       * Check that a given user is allowed to access a resource for a given permission
61       * 
62       * @param strResourceTypeCode
63       *            the key of the resource type being considered
64       * @param strResourceId
65       *            the id of the resource being considered
66       * @param strPermission
67       *            the permission needed
68       * @param user
69       *            the user trying to access the ressource
70       * @return true if the user can access the given resource with the given permission, false otherwise
71       */
72      public static boolean isAuthorized( String strResourceTypeCode, String strResourceId, String strPermission, User user )
73      {
74          // Check user roles
75          Collection<String> colRoles = RBACHome.findRoleKeys( strResourceTypeCode, strResourceId, strPermission );
76  
77          for ( String strRole : colRoles )
78          {
79              if ( isUserInRole( user, strRole ) )
80              {
81                  return true;
82              }
83          }
84  
85          return false;
86      }
87  
88      /**
89       * Check that a given user is allowed to access a resource for a given permission
90       * 
91       * @param strResourceTypeCode
92       *            the key of the resource type being considered
93       * @param strResourceId
94       *            the id of the resource being considered
95       * @param strPermission
96       *            the permission needed
97       * @param user
98       *            the user trying to access the ressource
99       * @return true if the user can access the given resource with the given permission, false otherwise
100      * @deprecated use isAuthorized( String, String, String, User )
101      */
102     @Deprecated
103     public static boolean isAuthorized( String strResourceTypeCode, String strResourceId, String strPermission, AdminUser user )
104     {
105         return isAuthorized( strResourceTypeCode, strResourceId, strPermission, (User) user );
106     }
107 
108     /**
109      * Check that a given user is allowed to access a resource for a given permission
110      * 
111      * @param resource
112      *            the resource object being considered
113      * @param strPermission
114      *            the permission needed
115      * @param user
116      *            the user trying to access the ressource
117      * @return true if the user can access the given resource with the given permission, false otherwise
118      */
119     public static boolean isAuthorized( RBACResource resource, String strPermission, User user )
120     {
121         boolean bAuthorized = false;
122 
123         if ( resource != null )
124         {
125             bAuthorized = isAuthorized( resource.getResourceTypeCode( ), resource.getResourceId( ), strPermission, user );
126         }
127 
128         return bAuthorized;
129     }
130 
131     /**
132      * Check that a given user is allowed to access a resource for a given permission
133      * 
134      * @param resource
135      *            the resource object being considered
136      * @param strPermission
137      *            the permission needed
138      * @param user
139      *            the user trying to access the ressource
140      * @return true if the user can access the given resource with the given permission, false otherwise
141      * @deprecated use isAuthorized( RBACResource, String, User )
142      */
143     @Deprecated
144     public static boolean isAuthorized( RBACResource resource, String strPermission, AdminUser user )
145     {
146         return isAuthorized( resource, strPermission, (User) user );
147     }
148 
149     /**
150      * Check that a given user is in the given role
151      * 
152      * @param user
153      *            The user
154      * @param strRole
155      *            The role
156      * @return true if the user has the given role, false otherwise
157      */
158     public static boolean isUserInRole( User user, String strRole )
159     {
160         Map<String, UserRole> userRoles = user.getUserRoles( );
161 
162         return userRoles.containsKey( strRole );
163     }
164 
165     /**
166      * Check that a given user is in the given role
167      * 
168      * @param user
169      *            The user
170      * @param strRole
171      *            The role
172      * @return true if the user has the given role, false otherwise
173      * @deprecated use isUserInRole( User, String )
174      */
175     @Deprecated
176     public static boolean isUserInRole( AdminUser user, String strRole )
177     {
178         return isUserInRole( (User) user, strRole );
179     }
180 
181     /**
182      * Filter a collection of resources for a given user
183      * 
184      * @param <E>
185      *            The RBAC resource
186      * @param collection
187      *            The collection to filter
188      * @param strPermission
189      *            Permission to check
190      * @param user
191      *            The user
192      * @return A filtered collection of resources
193      */
194     public static <E extends RBACResource> Collection<E> getAuthorizedCollection( Collection<E> collection, String strPermission, User user )
195     {
196         Collection<E> list = new ArrayList<>( );
197 
198         for ( E resource : collection )
199         {
200             if ( isAuthorized( resource, strPermission, user ) )
201             {
202                 list.add( resource );
203             }
204         }
205 
206         return list;
207     }
208 
209     /**
210      * Filter a collection of resources for a given user
211      * 
212      * @param <E>
213      *            The RBAC resource
214      * @param collection
215      *            The collection to filter
216      * @param strPermission
217      *            Permission to check
218      * @param user
219      *            The user
220      * @return A filtered collection of resources
221      * @deprecated use getAuthorizedCollection( Collection, String, User )
222      */
223     @Deprecated
224     public static <E extends RBACResource> Collection<E> getAuthorizedCollection( Collection<E> collection, String strPermission, AdminUser user )
225     {
226         return getAuthorizedCollection( collection, strPermission, (User) user );
227     }
228 
229     /**
230      * Filter a Reference List for a given user
231      * 
232      * @param listResources
233      *            The list to filter
234      * @param strResourceType
235      *            The resource type
236      * @param strPermission
237      *            The permission to check
238      * @param user
239      *            The user
240      * @return The filtered collection
241      */
242     public static ReferenceLists/lutece/util/ReferenceList.html#ReferenceList">ReferenceList getAuthorizedReferenceList( ReferenceList listResources, String strResourceType, String strPermission, User user )
243     {
244         ReferenceListnceList.html#ReferenceList">ReferenceList list = new ReferenceList( );
245 
246         for ( ReferenceItem item : listResources )
247         {
248             if ( isAuthorized( strResourceType, item.getCode( ), strPermission, user ) )
249             {
250                 list.addItem( item.getCode( ), item.getName( ) );
251             }
252         }
253 
254         return list;
255     }
256 
257     /**
258      * Filter a Reference List for a given user
259      * 
260      * @param listResources
261      *            The list to filter
262      * @param strResourceType
263      *            The resource type
264      * @param strPermission
265      *            The permission to check
266      * @param user
267      *            The user
268      * @return The filtered collection
269      * @deprecated use getAuthorizedReferenceList( ReferenceList, String, String, User )
270      */
271     @Deprecated
272     public static ReferenceLists/lutece/util/ReferenceList.html#ReferenceList">ReferenceList getAuthorizedReferenceList( ReferenceList listResources, String strResourceType, String strPermission, AdminUser user )
273     {
274         return getAuthorizedReferenceList( listResources, strResourceType, strPermission, (User) user );
275     }
276 
277     /**
278      * Filter a collection of RBACAction for a given user
279      * 
280      * @param <E>
281      *            The RBAC resource
282      * @param collection
283      *            The collection to filter
284      * @param resource
285      *            The resource
286      * @param user
287      *            The user
288      * @return The filtered collection
289      */
290     public static <E extends RBACAction> Collection<E> getAuthorizedActionsCollection( Collection<E> collection, RBACResource resource, User user )
291     {
292         Collection<E> list = new ArrayList<>( );
293 
294         for ( E action : collection )
295         {
296             if ( isAuthorized( resource, action.getPermission( ), user ) )
297             {
298                 list.add( action );
299             }
300         }
301 
302         return list;
303     }
304 
305     /**
306      * Filter a collection of RBACAction for a given user
307      * 
308      * @param <E>
309      *            The RBAC resource
310      * @param collection
311      *            The collection to filter
312      * @param resource
313      *            The resource
314      * @param user
315      *            The user
316      * @return The filtered collection
317      * @deprecated use getAuthorizedActionsCollection( Collection, RBACResource, User )
318      */
319     @Deprecated
320     public static <E extends RBACAction> Collection<E> getAuthorizedActionsCollection( Collection<E> collection, RBACResource resource, AdminUser user )
321     {
322         return getAuthorizedActionsCollection( collection, resource, (User) user );
323     }
324 
325 }