All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.gravitee.rest.api.service.impl.PermissionServiceImpl Maven / Gradle / Ivy

There is a newer version: 3.10.0
Show newest version
/**
 * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *         http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.gravitee.rest.api.service.impl;

import io.gravitee.rest.api.model.*;
import io.gravitee.rest.api.model.permissions.*;
import io.gravitee.rest.api.service.MembershipService;
import io.gravitee.rest.api.service.PermissionService;
import io.gravitee.rest.api.service.RoleService;
import io.gravitee.rest.api.service.UserService;
import io.gravitee.rest.api.service.common.GraviteeContext;
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

/**
 * @author Nicolas GERAUD(nicolas.geraud at graviteesource.com)
 * @author GraviteeSource Team
 */
@Component
public class PermissionServiceImpl extends AbstractService implements PermissionService {

    @Autowired
    MembershipService membershipService;

    @Autowired
    RoleService roleService;

    @Autowired
    UserService userService;

    @Override
    public boolean hasPermission(RolePermission permission, String referenceId, RolePermissionAction... acls) {
        MembershipReferenceType membershipReferenceType;
        switch (permission.getScope()) {
            case API:
                membershipReferenceType = MembershipReferenceType.API;
                break;
            case APPLICATION:
                membershipReferenceType = MembershipReferenceType.APPLICATION;
                break;
            case ENVIRONMENT:
                membershipReferenceType = MembershipReferenceType.ENVIRONMENT;
                if (referenceId == null) {
                    referenceId = GraviteeContext.getCurrentEnvironment();
                }
                break;
            case ORGANIZATION:
                membershipReferenceType = MembershipReferenceType.ORGANIZATION;
                if (referenceId == null) {
                    referenceId = GraviteeContext.getCurrentOrganization();
                }
                break;
            default:
                membershipReferenceType = null;
        }

        Map permissions = membershipService.getUserMemberPermissions(
            membershipReferenceType,
            referenceId,
            getAuthenticatedUsername()
        );
        if (permissions == null) {
            return false;
        }
        return roleService.hasPermission(permissions, permission.getPermission(), acls);
    }

    @Override
    public boolean hasManagementRights(String userId) {
        UserEntity user = userService.findByIdWithRoles(userId);
        boolean hasManagementRights = this.hasRelevantManagementRole(user);

        if (!hasManagementRights) {
            Set userApisRole = membershipService
                .findUserMembership(MembershipReferenceType.API, userId)
                .stream()
                .map(UserMembership::getReference)
                .distinct()
                .flatMap(
                    apiId -> membershipService.getRoles(MembershipReferenceType.API, apiId, MembershipMemberType.USER, userId).stream()
                )
                .collect(Collectors.toSet());
            hasManagementRights =
                userApisRole
                    .stream()
                    .anyMatch(
                        roleEntity -> {
                            boolean hasCreateUpdateOrDeletePermission = false;
                            Map rolePermissions = roleEntity.getPermissions();
                            Iterator iterator = rolePermissions.keySet().iterator();
                            while (iterator.hasNext() && !hasCreateUpdateOrDeletePermission) {
                                String permissionName = iterator.next();
                                if (
                                    !ApiPermission.RATING.name().equals(permissionName) &&
                                    !ApiPermission.RATING_ANSWER.name().equals(permissionName)
                                ) {
                                    String permissionString = new String(rolePermissions.get(permissionName));
                                    hasCreateUpdateOrDeletePermission =
                                        permissionString != null &&
                                        !permissionString.isEmpty() &&
                                        (
                                            permissionString.contains("C") ||
                                            permissionString.contains("U") ||
                                            permissionString.contains("D")
                                        );
                                }
                            }
                            return hasCreateUpdateOrDeletePermission;
                        }
                    );
        }
        return hasManagementRights;
    }

    /**
     * Checks whether the user has an appropriate management role, which means he has create/update/delete permission
     * on Organization or Environment scope, with the exception of the Environment/Application scope (which does not
     * allow the user to access management)
     *
     * @param user
     * @return true if the user has an appropriate management role, else false
     */
    private boolean hasRelevantManagementRole(UserEntity user) {
        if (user.getRoles() == null) {
            return false;
        }

        for (UserRoleEntity userRoleEntity : user.getRoles()) {
            if (userRoleEntity.getPermissions() != null) {
                RoleScope currentScope = userRoleEntity.getScope();
                for (String permissionName : userRoleEntity.getPermissions().keySet()) {
                    String permissionString = new String(userRoleEntity.getPermissions().get((permissionName)));
                    boolean isCreateUpdateOrDelete =
                        permissionString.contains("C") || permissionString.contains("U") || permissionString.contains("D");

                    if (currentScope.equals(RoleScope.ORGANIZATION) && isCreateUpdateOrDelete) {
                        return true;
                    }

                    if (
                        currentScope.equals(RoleScope.ENVIRONMENT) &&
                        !EnvironmentPermission.valueOf(permissionName).equals(EnvironmentPermission.APPLICATION) &&
                        isCreateUpdateOrDelete
                    ) {
                        return true;
                    }
                }
            }
        }

        return false;
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy