All Downloads are FREE. Search and download functionalities are using the official Maven repository.
  • Log In
  • Register

    • org.cloudfoundry.identity.uaa.scim.security.GroupVoter Maven / Gradle / Ivy

    /*******************************************************************************
 *     Cloud Foundry 
 *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
 *
 *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
 *     You may not use this product except in compliance with the License.
 *
 *     This product includes a number of subcomponents with
 *     separate copyright notices and license terms. Your use of these
 *     subcomponents is subject to the terms and conditions of the
 *     subcomponent's license, as noted in the LICENSE file.
 *******************************************************************************/
package org.cloudfoundry.identity.uaa.scim.security;

import java.util.Collection;

import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.scim.ScimGroupMember;
import org.cloudfoundry.identity.uaa.scim.ScimGroupMembershipManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.StringUtils;

public class GroupVoter implements AccessDecisionVoter {

    private ScimGroupMembershipManager membershipManager;

    private String groupPrefix = "groupScope=";

    public void setGroupPrefix(String groupPrefix) {
        this.groupPrefix = groupPrefix;
    }

    public void setMembershipManager(ScimGroupMembershipManager membershipManager) {
        this.membershipManager = membershipManager;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return (StringUtils.hasText(attribute.getAttribute()) && attribute.getAttribute().startsWith(groupPrefix));
    }

    @Override
    public boolean supports(Class clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    @Override
    public int vote(Authentication authentication, Object object, Collection attributes) {

        if (authentication instanceof OAuth2Authentication && ((OAuth2Authentication) authentication).isClientOnly()) {
            return ACCESS_ABSTAIN;
        }
        String userId = ((UaaPrincipal) authentication.getPrincipal()).getId();
        String groupId = getGroupId(((FilterInvocation) object).getRequestUrl());

        for (ConfigAttribute attribute : attributes) {
            if (this.supports(attribute)) {
                String requiredAuthority = attribute.getAttribute().substring(groupPrefix.length());
                if (membershipManager
                                .getMembers(groupId, ScimGroupMember.Role.valueOf(requiredAuthority.toUpperCase()))
                                .contains(new ScimGroupMember(userId))) {
                    return ACCESS_GRANTED;
                } else
                    return ACCESS_DENIED;
            }
        }
        // no attribute supported by this voter
        return ACCESS_ABSTAIN;
    }

    private String getGroupId(String url) {
        int startIndex = url.lastIndexOf("/") + 1;
        int endIndex = url.indexOf("?") > 0 ? url.indexOf("?") : url.length();
        return url.substring(startIndex, endIndex);
    }
}
    
    
    
    

    




    
    
    © 2015 - 2025 Weber Informatics LLC | Privacy Policy