
/*
* Copyright 2012 AMG.lab, a Bull Group Company
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.xlcloud.console.context;
import javax.faces.bean.ApplicationScoped;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.log4j.Logger;
import org.xlcloud.console.menu.MenuItem;
import org.xlcloud.service.AccessToken;
import org.xlcloud.service.Entitlement;
import org.xlcloud.service.Group;
import org.xlcloud.service.HttpAction;
import org.xlcloud.service.User;
import org.xlcloud.service.api.WebResourceRegistry;
/**
* Engine responsible for checking access permissions based on user
* entitlements. The user is identified either by the current identity context
* or explicitly by the caller.
*
* @author Tomek Adamczewski, AMG.net
*/
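@Named
// NOTE(review): the scope annotation below is imported from javax.faces.bean, while the bean is
// named and wired with javax.inject (@Named/@Inject). CDI containers do not treat the JSF
// managed-bean scope annotation as a CDI scope, so confirm that this engine really ends up
// application-scoped as intended.
@ApplicationScoped
public class EntitlementEngine {

    private static final Logger LOG = Logger.getLogger(EntitlementEngine.class);

    @Inject
    private AccessEngineClient accessEngine;

    @Inject
    private IdentityContext idCtx;

    /**
     * Verifies whether the current user may access the path identified by a menu item.
     * Access is granted as soon as any (entitlement, action) pair of the item is permitted.
     *
     * @param item
     *            menu item whose entitlements are evaluated
     * @return {@code true} if the current user has permission, {@code false} otherwise
     *         (including when the item declares no entitlements or actions)
     */
    public boolean isAllowed(MenuItem item) {
        for (Entitlement entitlement : item.getEntitlements()) {
            for (HttpAction action : entitlement.getAction()) {
                if (canPerform(action, resolveAccountPlaceholder(entitlement.getResource()))) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Verifies whether the current user may perform a POST request on the specified path.
     *
     * @param path
     *            request path
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canPost(String path) {
        return this.canPerform(HttpAction.POST, path);
    }

    /**
     * Verifies whether the current user may perform a GET request on the specified path.
     *
     * @param path
     *            request path
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canGet(String path) {
        return this.canPerform(HttpAction.GET, path);
    }

    /**
     * Verifies whether the current user may perform a POST request on the specified path,
     * prefixed with the accounts path and the given account id.
     *
     * @param accountId
     *            account id; {@code null} and {@code 0} are rejected without querying the
     *            access engine
     * @param path
     *            request path appended directly after the account id, so it has to carry its
     *            own leading separator
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canPostOnAccount(Long accountId, String path) {
        return isUsableAccountId(accountId) && canPost(accountPath(accountId, path));
    }

    /**
     * Verifies whether the current user may perform a GET request on the specified path,
     * prefixed with the accounts path and the given account id.
     *
     * @param accountId
     *            account id; {@code null} and {@code 0} are rejected without querying the
     *            access engine
     * @param path
     *            request path appended directly after the account id, so it has to carry its
     *            own leading separator
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canGetOnAccount(Long accountId, String path) {
        return isUsableAccountId(accountId) && canGet(accountPath(accountId, path));
    }

    /**
     * Verifies whether the current user may perform a PUT request on the specified path.
     *
     * @param path
     *            request path
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canPut(String path) {
        return this.canPerform(HttpAction.PUT, path);
    }

    /**
     * Verifies whether the current user may perform a DELETE request on the specified path.
     *
     * @param path
     *            request path
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canDelete(String path) {
        return this.canPerform(HttpAction.DELETE, path);
    }

    /**
     * Verifies whether the current user may perform a PUT request on the specified path,
     * prefixed with the accounts path and the given account id.
     *
     * @param accountId
     *            account id; {@code null} and {@code 0} are rejected without querying the
     *            access engine
     * @param path
     *            request path appended directly after the account id, so it has to carry its
     *            own leading separator
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canPutOnAccount(Long accountId, String path) {
        return isUsableAccountId(accountId) && canPut(accountPath(accountId, path));
    }

    /**
     * Verifies whether the current user may perform a DELETE request on the specified path,
     * prefixed with the accounts path and the given account id.
     *
     * @param accountId
     *            account id; {@code null} and {@code 0} are rejected without querying the
     *            access engine
     * @param path
     *            request path appended directly after the account id, so it has to carry its
     *            own leading separator
     * @return {@code true} if the current user has permission, {@code false} otherwise
     */
    public boolean canDeleteOnAccount(Long accountId, String path) {
        return isUsableAccountId(accountId) && canDelete(accountPath(accountId, path));
    }

    /**
     * Verifies whether the specified group may perform the given action on the given path.
     * The group is presented to the access engine as the subject {@code "g" + id}.
     *
     * @param group
     *            group to check; must not be {@code null}
     * @param action
     *            HTTP action to check
     * @param path
     *            request path
     * @return {@code true} only if the access engine explicitly grants access,
     *         {@code false} otherwise
     */
    public boolean canPerform(Group group, HttpAction action, String path) {
        // Fail closed: only an explicit "true" from the access engine grants access.
        return Boolean.TRUE.equals(accessEngine.subjectHasAccess("g" + group.getId(), action, path));
    }

    /**
     * Verifies whether the specified user may perform the given action on the given path.
     * The user is presented to the access engine as the subject {@code "u" + id}.
     *
     * @param user
     *            user to check; must not be {@code null}
     * @param action
     *            HTTP action to check
     * @param path
     *            request path
     * @return {@code true} only if the access engine explicitly grants access,
     *         {@code false} otherwise
     */
    public boolean canPerform(User user, HttpAction action, String path) {
        // Fail closed: only an explicit "true" from the access engine grants access.
        return Boolean.TRUE.equals(accessEngine.subjectHasAccess("u" + user.getId(), action, path));
    }

    /**
     * Verifies whether the subject identified by the specified access token may perform the
     * given action on the given path. The subject name is {@code "at" + token}.
     *
     * @param accessToken
     *            access token identifying the subject; must not be {@code null}
     * @param action
     *            HTTP action to check
     * @param path
     *            request path
     * @return {@code true} only if the access engine explicitly grants access,
     *         {@code false} otherwise
     */
    public boolean canPerform(AccessToken accessToken, HttpAction action, String path) {
        // NOTE(review): the raw token value becomes part of the subject name handed to the
        // access engine; confirm that subject names are never logged or echoed downstream.
        return Boolean.TRUE.equals(accessEngine.subjectHasAccess("at" + accessToken.getToken(), action, path));
    }

    /**
     * Verifies whether the current user may perform the given action on the given path.
     * The user is identified by the SSO token held in the identity context.
     *
     * @param action
     *            HTTP action to check
     * @param path
     *            request path
     * @return {@code true} only if the access engine explicitly grants access,
     *         {@code false} otherwise
     */
    public boolean canPerform(HttpAction action, String path) {
        Boolean result = accessEngine.hasAccess(idCtx.getSsoToken(), action, path);
        // Fail closed: a missing (null) answer is a denial rather than a NullPointerException
        // raised while formatting the log line or unboxing the return value.
        boolean allowed = Boolean.TRUE.equals(result);
        if (LOG.isDebugEnabled()) {
            // Only path, action and outcome are logged; the SSO token is kept out of the log.
            // NOTE(review): path is written verbatim; if callers can pass request-derived
            // paths, neutralise CR/LF before logging.
            LOG.debug(String.format("Checked entitlement for path %s with %s action [%s]", path, action, allowed));
        }
        return allowed;
    }

    /**
     * Substitutes the account-id placeholder in an entitlement resource with the account id
     * of the current identity context.
     */
    private String resolveAccountPlaceholder(String resource) {
        // Literal replacement: neither the parameter name nor the account id is interpreted
        // as a regular expression or as a replacement pattern.
        // NOTE(review): if the identity context can hold no account id, the placeholder
        // becomes the text "null"; confirm that such a path can never be granted.
        String placeholder = "{" + WebResourceRegistry.PARAM_ACCOUNT_ID + "}";
        return resource.replace(placeholder, String.valueOf(idCtx.getAccountId()));
    }

    /** Tells whether an account id is present and non-zero. */
    private static boolean isUsableAccountId(Long accountId) {
        return accountId != null && accountId.longValue() != 0L;
    }

    /** Builds the account-scoped path: accounts prefix, account id, then the given path. */
    private static String accountPath(Long accountId, String path) {
        return WebResourceRegistry.ACCOUNTS + "/" + accountId + path;
    }
}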