Class AuthzResolver

java.lang.Object
cz.metacentrum.perun.core.api.AuthzResolver

public class AuthzResolver extends Object
  • Method Details

    • authorizedExternal

      public static boolean authorizedExternal(PerunSession sess, String policyDefinition, List<PerunBean> objects) throws PolicyNotExistsException
      Checks if the principal is authorized. This method is intended to be called from external components.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - the policy definition which contains the authorization rules.
      objects - list of PerunBeans on which the authorization is evaluated (e.g. groups, Vos, ...).
      Returns:
      true if the principal has particular rights, false otherwise.
      Throws:
      PolicyNotExistsException - when the given policyDefinition does not exist in the PerunPoliciesContainer.
      MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
    • authorizedInternal

      public static boolean authorizedInternal(PerunSession sess, String policyDefinition, List<PerunBean> objects)
      Checks if the principal is authorized. This method is intended for use in internal code.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - the policy definition which contains the authorization rules.
      objects - list of PerunBeans on which the authorization is evaluated (e.g. groups, Vos, ...).
      Returns:
      true if the principal has particular rights, false otherwise.
      Throws:
      MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
    • authorizedInternal

      public static boolean authorizedInternal(PerunSession sess, String policyDefinition)
      Checks if the principal is authorized. Used when no PerunBeans are needed for the authorization. This method is intended for use in internal code.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - the policy definition which contains the authorization rules.
      Returns:
      true if the principal has particular rights, false otherwise.
      Throws:
      MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
    • authorizedInternal

      public static boolean authorizedInternal(PerunSession sess, String policyDefinition, PerunBean... objects)
      Checks if the principal is authorized. This method is intended for use in internal code.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - the policy definition which contains the authorization rules.
      objects - array of PerunBeans on which the authorization is evaluated (e.g. groups, Vos, ...).
      Returns:
      true if the principal has particular rights, false otherwise.
      Throws:
      MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
    • authorizedToManageRole

      public static boolean authorizedToManageRole(PerunSession sess, PerunBean complementaryObject, String role) throws RoleManagementRulesNotExistsException
      Check whether the principal is authorized to manage the role on the object.
      Parameters:
      sess - principal's perun session
      complementaryObject - object bound to the role
      role - role which will be managed
      Returns:
      true if the principal is authorized to manage the role on the object, false otherwise
      RoleManagementRulesNotExistsException - when the role does not have the management rules.
    • authorizedToReadRole

      public static boolean authorizedToReadRole(PerunSession sess, PerunBean complementaryObject, String role) throws RoleManagementRulesNotExistsException
      Check whether the principal is authorized to read the role on the object.
      Parameters:
      sess - principal's perun session
      complementaryObject - object bound to the role
      role - role which will be read
      Returns:
      true if the principal is authorized to read the role on the object, false otherwise
      RoleManagementRulesNotExistsException - when the role does not have the management rules.
    • getAdminGroups

      public static List<Group> getAdminGroups(PerunSession sess, PerunBean complementaryObject, String role) throws PrivilegeException, RoleCannotBeManagedException
      Get all authorizedGroups for complementary object and role.
      Parameters:
      sess - perun session
      complementaryObject - for which we will get administrator groups
      role - expected role to filter authorizedGroups by
      Returns:
      list of authorizedGroups for complementary object and role
      Throws:
      PrivilegeException
      RoleCannotBeManagedException
    • getAdmins

      public static List<User> getAdmins(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws PrivilegeException, RoleCannotBeManagedException
      Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role.

      If onlyDirectAdmins is true, only users who hold the role directly on the complementary object are returned.

      Parameters:
      sess - perun session
      complementaryObject - object for which administrators are retrieved
      role - expected role to filter managers by
      onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
      Returns:
      list of user administrators for complementary object and role.
      Throws:
      PrivilegeException
      RoleCannotBeManagedException
    • getAllPolicies

      public static List<PerunPolicy> getAllPolicies()
      Return all loaded perun policies.
      Returns:
      all loaded policies
    • getAllRolesManagementRules

      public static List<RoleManagementRules> getAllRolesManagementRules()
      Return all loaded roles management rules.
      Returns:
      all roles management rules
    • getComplementaryObjectsForRole

      public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role)
      Returns all complementary objects for the given role.
      Parameters:
      sess - perun session
      role - role to get the objects for
      Returns:
      list of complementary objects
    • getComplementaryObjectsForRole

      public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass)
      Returns complementary objects for defined role filtered by particular class, e.g. Vo, Group, ...
      Parameters:
      sess - perun session
      role - role to get the objects for
      perunBeanClass - particular class (Vo | Group | ...)
      Returns:
      list of complementary objects
    • getFacilitiesWhereUserIsInRoles

      public static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Facilities on which the given user holds one of the given roles, either directly or through membership in an authorized group with such a role. If the user parameter is null, Facilities are retrieved for the principal of the session.
      Parameters:
      sess - Perun session
      user - user for whom Facilities are retrieved
      roles - roles for which Facilities are retrieved
      Returns:
      List of Facilities
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getGroupRoleNames

      public static List<String> getGroupRoleNames(PerunSession sess, Group group) throws GroupNotExistsException, PrivilegeException
      Get all group role names.
      Parameters:
      sess - perun session
      group - Group
      Returns:
      list of strings representing the roles.
      Throws:
      InternalErrorException
      GroupNotExistsException
      PrivilegeException
    • getGroupRoles

      public static AuthzRoles getGroupRoles(PerunSession sess, int groupId) throws GroupNotExistsException, PrivilegeException
      Get all roles for a given group.
      Parameters:
      sess - perun session
      groupId - id of a group
      Returns:
      AuthzRoles object which contains all roles with perunbeans
      Throws:
      InternalErrorException
      GroupNotExistsException
      PrivilegeException
    • getGroupsWhereUserIsInRoles

      public static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Groups in which the given user holds one of the given roles, either directly or through membership in an authorized group with such a role. If the user parameter is null, Groups are retrieved for the principal of the session.

      The method does not return subgroups of the fetched groups.

      Parameters:
      sess - Perun session
      user - user for whom Groups are retrieved
      roles - roles for which Groups are retrieved
      Returns:
      List of Groups
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getLoggedUser

      public static User getLoggedUser(PerunSession sess)
      Returns the user associated with the credentials used to log in to Perun.
      Parameters:
      sess - perun session
      Returns:
      currently logged-in user
    • getMembersWhereUserIsInRoles

      public static List<Member> getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Members for which the given user holds one of the given roles, either directly or through membership in an authorized group with such a role. If the user parameter is null, Members are retrieved for the principal of the session.
      Parameters:
      sess - Perun session
      user - user for whom Members are retrieved
      roles - roles for which Members are retrieved
      Returns:
      List of Members
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getPerunPrincipal

      public static PerunPrincipal getPerunPrincipal(PerunSession sess)
      Returns the PerunPrincipal object associated with the current session. It contains the necessary information, including user identification, authorization data and metadata. Each call of this method refreshes the session, including its authorization data.
      Parameters:
      sess - perun session
      Returns:
      perunPrincipal object
      Throws:
      InternalErrorException - if the PerunSession is not valid.
    • getPrincipalRoleNames

      public static List<String> getPrincipalRoleNames(PerunSession sess)
      Get all principal role names.
      Parameters:
      sess - perun session
      Returns:
      list of strings representing the roles.
    • getResourcesWhereUserIsInRoles

      public static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Resources on which the given user holds one of the given roles, either directly or through membership in an authorized group with such a role. If the user parameter is null, Resources are retrieved for the principal of the session.
      Parameters:
      sess - Perun session
      user - user for whom Resources are retrieved
      roles - roles for which Resources are retrieved
      Returns:
      List of Resources
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getRichAdmins

      public static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes) throws PrivilegeException, RoleCannotBeManagedException
      Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for the complementary object and role, with the specified attributes.

      If onlyDirectAdmins is true, only users who hold the role directly on the complementary object are returned. If allUserAttributes is true, all user attributes are returned in the richUser objects and the list of specific attributes is ignored.

      Parameters:
      sess - perun session
      complementaryObject - object for which administrators are retrieved
      specificAttributes - list of specified attributes which are needed in object richUser
      role - expected role to filter managers by
      onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
      allUserAttributes - if true, get all possible user attributes and ignore list of specificAttributes (if false, get only specific attributes)
      Returns:
      list of richUser administrators for complementary object and role with specified attributes.
      Throws:
      PrivilegeException
      RoleCannotBeManagedException
    • someAdminExists

      public static boolean someAdminExists(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws PrivilegeException, RoleCannotBeManagedException
      Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
      Parameters:
      sess - perun session
      complementaryObject - object for which an administrator is searched
      role - expected role to filter managers by
      onlyDirectAdmins - if true, search only direct user admins (if false, search both direct and indirect)
      Returns:
      true, if some user with required role exists, false otherwise.
      Throws:
      PrivilegeException
      RoleCannotBeManagedException
    • getRoleComplementaryObjectsWithAuthorizedGroups

      public static Map<String,Map<String,Map<Integer,List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess, int userId) throws UserNotExistsException, PrivilegeException
      Returns a map from role name to a map of the corresponding role complementary objects (perun beans) distinguished by type, together with the list of authorized groups of which the user is a member: Map<RoleName, Map<BeanName, Map<BeanID, List<Group>>>>
      Parameters:
      sess - perun session
      userId - id of a user
      Returns:
      Map<String, Map<String, Map<Integer, List<Group>>>> of roles with a map of complementary objects and their associated authorized groups
      Throws:
      UserNotExistsException
      PrivilegeException
    • getRolesObtainedFromAuthorizedGroupMemberships

      public static AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess, int userId) throws UserNotExistsException, PrivilegeException
      Returns user's roles resulting from being a VALID member of authorized groups.
      Parameters:
      sess - perun session
      userId - id of a user
      Returns:
      AuthzRoles object which contains roles with perunbeans
      Throws:
      InternalErrorException
      UserNotExistsException
      PrivilegeException
    • getSecurityTeamsWhereUserIsInRoles

      public static List<SecurityTeam> getSecurityTeamsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all SecurityTeams in which the given user holds one of the given roles, either directly or through membership in an authorized group with such a role. If the user parameter is null, SecurityTeams are retrieved for the principal of the session.
      Parameters:
      sess - Perun session
      user - user for whom SecurityTeams are retrieved
      roles - roles for which SecurityTeams are retrieved
      Returns:
      List of SecurityTeams
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getUserRoleNames

      public static List<String> getUserRoleNames(PerunSession sess, User user) throws UserNotExistsException, PrivilegeException
      Get all user role names. Does not include membership and sponsorship role.
      Parameters:
      sess - perun session
      user - User
      Returns:
      list of strings representing the roles.
      Throws:
      UserNotExistsException
      PrivilegeException
    • getUserRoles

      public static AuthzRoles getUserRoles(PerunSession sess, int userId, boolean getAuthorizedGroupBasedRoles) throws UserNotExistsException, PrivilegeException
      Returns the user's direct roles; can also include roles resulting from being a VALID member of authorized groups. Also returns sponsorship and membership roles.
      Parameters:
      sess - perun session
      userId - id of a user
      getAuthorizedGroupBasedRoles - include roles based on membership in authorized groups
      Returns:
      AuthzRoles object which contains all roles with perunbeans
      Throws:
      InternalErrorException
      UserNotExistsException
      PrivilegeException
    • getVosWhereUserIsInRoles

      public static List<Vo> getVosWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Vos in which the given user holds one of the given roles, either directly or through membership in an authorized group with such a role. If the user parameter is null, Vos are retrieved for the principal of the session.
      Parameters:
      sess - Perun session
      user - user for whom Vos are retrieved
      roles - roles for which Vos are retrieved
      Returns:
      List of Vos
      Throws:
      PrivilegeException - when the principal is not authorized.
    • hasOneOfTheRolesForObject

      public static boolean hasOneOfTheRolesForObject(PerunSession sess, PerunBean complementaryObject, Set<String> allowedRoles)
      This method verifies whether the current principal has one of the given roles for the given object.
      Parameters:
      sess - session
      complementaryObject - complementary object
      allowedRoles - set of roles which are tested
      Returns:
      true, if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - internal error
    • hasRole

      public static boolean hasRole(PerunPrincipal perunPrincipal, String role)
      Returns true if the perunPrincipal has requested role.
      Parameters:
      perunPrincipal - acting person for whom the role is checked
      role - role to be checked
    • isAuthorized

      @Deprecated public static boolean isAuthorized(PerunSession sess, String role)
      Deprecated.
      Checks if the principal is authorized.
      Parameters:
      sess - perun session
      role - required role
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - if something goes wrong
    • isAuthorized

      @Deprecated public static boolean isAuthorized(PerunSession sess, String role, PerunBean complementaryObject)
      Deprecated.
      Checks if the principal is authorized.
      Parameters:
      sess - perunSession
      role - required role
      complementaryObject - object which specifies particular action of the role (e.g. group)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - if something goes wrong
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group, Resource resource)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a group-resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      group - primary Bean of Attribute (can't be null)
      resource - secondary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Resource resource)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a resource-member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      resource - primary Bean of Attribute (can't be null)
      member - secondary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user, Facility facility)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a user-facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      user - primary Bean of Attribute (can't be null)
      facility - secondary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Group group)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a member-group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      member - primary Bean of Attribute (can't be null)
      group - secondary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, PerunBean bean)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a PerunBean attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute definition
      bean - bean the attribute belongs to
      Returns:
      true, if principal is authorized for attribute and action
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Vo vo)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a vo attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      vo - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a user attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      user - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      member - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      group - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Resource resource)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      resource - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Facility facility)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      facility - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Host host)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a host attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      host - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, UserExtSource ues)
      Deprecated.
      Checks if the principal is authorized to perform the given action on a ues (UserExtSource) attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      ues - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      @Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, String key)
      Deprecated.
      Checks if the principal is authorized to perform the given action on an entityless attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. write, read, ...)
      attrDef - attribute the principal wants to work with
      key - primary Bean of Attribute (can't be null)
      Returns:
      true if principal is authorized, false if not
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a group-resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      group - primary Bean of Attribute (can't be null)
      resource - secondary Bean of Attribute (can't be null)
      checkMfa - if true, also checks the MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a resource-member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      resource - primary Bean of Attribute (can't be null)
      member - secondary Bean of Attribute (can't be null)
      checkMfa - if true, also checks the MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a user-facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      user - primary Bean of Attribute (can't be null)
      facility - secondary Bean of Attribute (can't be null)
      checkMfa - if true, also checks the MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a member-group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      member - primary Bean of Attribute (can't be null)
      group - secondary Bean of Attribute (can't be null)
      checkMfa - if true, also checks the MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, PerunBean bean, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a PerunBean attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute definition
      bean - bean the attribute belongs to
      checkMfa - if true, also checks the MFA rules and throws an exception if they are unmet
      Returns:
      true, if principal is authorized for attribute and action
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a vo attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      vo - primary Bean of Attribute (can't be null)
      checkMfa - if true, also checks the MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a user attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      user - primary bean of the attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      member - primary bean of the attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      group - primary bean of the attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      resource - primary bean of the attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      facility - primary bean of the attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a host attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      host - primary bean of the attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a user external source (ues) attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      ues - primary bean of the attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key, boolean checkMfa) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on an entityless attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      key - key of the entityless attribute (can't be null)
      checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
      Returns:
      true if principal is authorized, false if not
      Throws:
      MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
      InternalErrorException
    • isFacilityAdmin

      public static boolean isFacilityAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is a facility admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is a facility admin.
    • isGroupAdmin

      public static boolean isGroupAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is a group admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is a group admin.
    • isPerunAdmin

      public static boolean isPerunAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is a perun admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is a perun admin.
    • isVoAdmin

      public static boolean isVoAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is a vo admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is a vo admin.
    • loadAuthorizationComponents

      public static void loadAuthorizationComponents(PerunSession sess) throws PrivilegeException
      Loads perun roles and policies from the configuration file perun-roles.yml. Roles are loaded into the database and policies are loaded into the PerunPoliciesContainer.
      Parameters:
      sess - perun session
      Throws:
      PrivilegeException - when the principal is not authorized.
    • refreshAuthz

      public static void refreshAuthz(PerunSession sess)
      Removes all existing roles for the perunPrincipal and calls init again.
      Parameters:
      sess - perun session
    • refreshMfa

      public static void refreshMfa(PerunSession sess) throws ExpiredTokenException, MFAuthenticationException, PrivilegeException
      Calls the UserInfo endpoint to obtain the newest information on performed MFA. Requires the access token and issuer to be stored in the principal's additionalInformations. If the user logged in with MFA (the endpoint returns the MFA acr), the endpoint also returns the MFA timestamp. This method stores that timestamp into the principal's additionalInformations.
      Parameters:
      sess - perun session with required additionalInformation in Principal
      Throws:
      ExpiredTokenException - expired access token
      MFAuthenticationException - wrong configuration or missing required information
      PrivilegeException - unauthorized
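      An added usage example (not Perun's own code) tying together the checkMfa flag of isAuthorizedForAttribute and refreshMfa described above: a policy that requires MFA surfaces as MfaPrivilegeException rather than a plain false, so the caller can distinguish a final deny from a step-up request, refresh the MFA state once and re-evaluate. It assumes the exception classes live in cz.metacentrum.perun.core.api.exceptions and that AttributeAction.WRITE is the write-action constant; the class name UserAttributeWriteGuard and the Decision enum are introduced here.

```java
import cz.metacentrum.perun.core.api.*;            // AuthzResolver, PerunSession, User, AttributeDefinition, AttributeAction
import cz.metacentrum.perun.core.api.exceptions.*; // assumed package of the exception classes named in the Javadoc

/** Added example (not part of Perun): authorization decision for writing a user attribute. */
public final class UserAttributeWriteGuard {

    /** Three-way outcome: DENY is final, MFA_REQUIRED means the principal may step up and retry. */
    public enum Decision { ALLOW, DENY, MFA_REQUIRED }

    /**
     * Runs isAuthorizedForAttribute with checkMfa=true.
     * Returns DENY when the principal lacks the rights, MFA_REQUIRED when the rights would be
     * sufficient but the policy requires MFA that the principal has not performed.
     */
    public static Decision checkWrite(PerunSession sess, AttributeDefinition attrDef, User user)
            throws InternalErrorException {
        try {
            // AttributeAction.WRITE is assumed to be the enum constant for write access.
            boolean allowed = AuthzResolver.isAuthorizedForAttribute(sess, AttributeAction.WRITE, attrDef, user, true);
            return allowed ? Decision.ALLOW : Decision.DENY;
        } catch (MfaPrivilegeException e) {
            // Documented behaviour: thrown when checkMfa is true and the MFA rules are unmet.
            return Decision.MFA_REQUIRED;
        }
    }

    /**
     * Re-reads the MFA state from the UserInfo endpoint and evaluates once more.
     * A second MFA_REQUIRED means the principal really has no recent MFA; the caller must not loop.
     */
    public static Decision checkWriteWithStepUp(PerunSession sess, AttributeDefinition attrDef, User user)
            throws InternalErrorException {
        Decision first = checkWrite(sess, attrDef, user);
        if (first != Decision.MFA_REQUIRED) {
            return first;
        }
        try {
            // Needs the access token and issuer in the principal's additionalInformations.
            AuthzResolver.refreshMfa(sess);
        } catch (ExpiredTokenException | MFAuthenticationException | PrivilegeException e) {
            // Expired token, misconfiguration or unauthorized refresh: fail closed.
            return Decision.DENY;
        }
        return checkWrite(sess, attrDef, user);
    }
}
```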
    • roleExists

      public static boolean roleExists(String role)
      Checks if the given role exists in the database. The check is case-insensitive.
      Parameters:
      role - which will be checked
      Returns:
      true if role exists, false otherwise.
    • selfAuthorizedForApplication

      public static boolean selfAuthorizedForApplication(PerunSession sess, Application app)
      Checks if the principal is the owner of the application.
      Parameters:
      sess - PerunSession which contains the principal.
      app - application which principal wants to access
      Returns:
      true if the principal has particular rights, false otherwise.
    • setRole

      Set role for user and all complementary objects.

      If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.

      Parameters:
      sess - perun session
      user - the user for setting role
      role - the role to set
      complementaryObjects - objects for which role will be set
      Throws:
      PrivilegeException
      UserNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
      RoleCannotBeSetException
    • setRole

      Set role for user and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      user - the user for setting role
      role - the role to set
      complementaryObject - object for which role will be set
      Throws:
      PrivilegeException
      UserNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
      RoleCannotBeSetException
    • setRole

      public static void setRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, GroupNotExistsException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
      Set role for authorizedGroup and all complementary objects.

      If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.

      Parameters:
      sess - perun session
      authorizedGroup - the group for setting role
      role - the role to set
      complementaryObjects - objects for which role will be set
      Throws:
      PrivilegeException
      GroupNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
      RoleCannotBeSetException
    • setRole

      public static void setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws PrivilegeException, GroupNotExistsException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
      Set role for authorizedGroup and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      authorizedGroup - the group for setting role
      role - the role to set
      complementaryObject - object for which role will be set
      Throws:
      PrivilegeException
      GroupNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
      RoleCannotBeSetException
    • setRole

      public static void setRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role) throws GroupNotExistsException, PrivilegeException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
      Set role for authorizedGroups and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      authorizedGroups - the groups for setting role
      complementaryObject - object for which the role will be set
      role - desired role
      Throws:
      GroupNotExistsException - if any of the groups does not exist
      PrivilegeException - insufficient permissions
      AlreadyAdminException - if any of the given groups is already admin
      RoleCannotBeManagedException - if it is not possible to manage the given role
      RoleCannotBeSetException - if the role cannot be set for the given group
      InternalErrorException - internal error
    • setRole

      Set role for given users and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      users - users for which the given role is set
      role - desired role
      complementaryObject - object for which the role is set
      Throws:
      UserNotExistsException - if any of the given users is not found
      PrivilegeException - insufficient permissions
      AlreadyAdminException - if any of the given users is already admin
      RoleCannotBeManagedException - if it is not possible to manage the given role
      RoleCannotBeSetException - if the role cannot be set for the given user
      InternalErrorException - internal error
    • unsetRole

      public static void unsetRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role) throws GroupNotExistsException, PrivilegeException, GroupNotAdminException, RoleCannotBeManagedException
      Unset role for authorizedGroups and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      authorizedGroups - the groups for unsetting role
      complementaryObject - object for which the role will be unset
      role - desired role
      Throws:
      GroupNotExistsException - if any of the groups does not exist
      PrivilegeException - insufficient permissions
      GroupNotAdminException - if any of the given groups is not admin
      InternalErrorException - internal error
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws PrivilegeException, GroupNotExistsException, GroupNotAdminException, RoleCannotBeManagedException
      Unset role for group and one complementary object.

      If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      authorizedGroup - the group for unsetting role
      role - the role to unset
      complementaryObject - object for which role will be unset
      Throws:
      PrivilegeException
      GroupNotExistsException
      GroupNotAdminException
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, List<User> users, String role, PerunBean complementaryObject) throws UserNotExistsException, PrivilegeException, UserNotAdminException, RoleCannotBeManagedException
      Unset role for given users and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      users - users for which the given role is unset
      role - desired role
      complementaryObject - object for which the role is unset
      Throws:
      UserNotExistsException - if any of the given users is not found
      PrivilegeException - insufficient permissions
      UserNotAdminException - if any of the given users is not admin
      InternalErrorException - internal error
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws PrivilegeException, UserNotExistsException, UserNotAdminException, RoleCannotBeManagedException
      Unset role for user and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      user - the user for unsetting role
      role - the role to unset
      complementaryObject - object for which role will be unset
      Throws:
      PrivilegeException
      UserNotExistsException
      UserNotAdminException
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, User user, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, UserNotExistsException, UserNotAdminException, RoleCannotBeManagedException
      Unset role for user and all complementary objects.

      If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.

      Parameters:
      sess - perun session
      user - the user for unsetting role
      role - the role to unset
      complementaryObjects - objects for which role will be unset
      Throws:
      PrivilegeException
      UserNotExistsException
      UserNotAdminException
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, GroupNotExistsException, GroupNotAdminException, RoleCannotBeManagedException
      Unset role for group and all complementary objects.

      If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.

      Parameters:
      sess - perun session
      authorizedGroup - the group for unsetting role
      role - the role to unset
      complementaryObjects - objects for which role will be unset
      Throws:
      PrivilegeException
      GroupNotExistsException
      GroupNotAdminException
      RoleCannotBeManagedException