Class AuthzResolver

java.lang.Object
cz.metacentrum.perun.core.api.AuthzResolver

public class AuthzResolver extends Object
  • Constructor Details

    • AuthzResolver

      public AuthzResolver()
  • Method Details

    • authorizedExternal

      public static boolean authorizedExternal(PerunSession sess, String policyDefinition, List<PerunBean> objects) throws PolicyNotExistsException
      Checks if the principal is authorized. This method is intended to be called from external components.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - name of the policy which contains the authorization rules.
      objects - list of PerunBeans against which the authorization is evaluated (e.g. groups, VOs, etc.).
      Returns:
      true if the principal has the required rights, false otherwise.
      Throws:
      PolicyNotExistsException - when the given policyDefinition does not exist in the PerunPoliciesContainer.
    • authorizedInternal

      public static boolean authorizedInternal(PerunSession sess, String policyDefinition, List<PerunBean> objects)
      Checks if the principal is authorized. This method is intended for use in internal code.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - name of the policy which contains the authorization rules.
      objects - list of PerunBeans against which the authorization is evaluated (e.g. groups, VOs, etc.).
      Returns:
      true if the principal has the required rights, false otherwise.
    • authorizedInternal

      public static boolean authorizedInternal(PerunSession sess, String policyDefinition, PerunBean... objects)
      Checks if the principal is authorized. This method is intended for use in internal code.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - name of the policy which contains the authorization rules.
      objects - array of PerunBeans against which the authorization is evaluated (e.g. groups, VOs, etc.).
      Returns:
      true if the principal has the required rights, false otherwise.
    • authorizedInternal

      public static boolean authorizedInternal(PerunSession sess, String policyDefinition)
      Checks if the principal is authorized. Used when no PerunBeans are needed for the authorization decision. This method is intended for use in internal code.
      Parameters:
      sess - PerunSession which contains the principal.
      policyDefinition - name of the policy which contains the authorization rules.
      Returns:
      true if the principal has the required rights, false otherwise.
    • selfAuthorizedForApplication

      public static boolean selfAuthorizedForApplication(PerunSession sess, Application app)
      Checks if the principal is the owner of the application.
      Parameters:
      sess - PerunSession which contains the principal.
      app - application which the principal wants to access
      Returns:
      true if the principal owns the application, false otherwise.
    • isAuthorized

      @Deprecated public static boolean isAuthorized(PerunSession sess, String role, PerunBean complementaryObject)
      Deprecated.
      Checks if the principal is authorized.
      Parameters:
      sess - perunSession
      role - required role
      complementaryObject - object which specifies particular action of the role (e.g. group)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - if something goes wrong
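The following is an added example, not code from the Perun project, showing how the policy-based checks above (authorizedInternal for internal code, authorizedExternal for external components) are typically used as guards; the deprecated role-based isAuthorized is what these checks replace. The policy name "deleteGroup_Group_policy", the class GroupDeletionGuard and the PrivilegeException(sess, action) constructor are assumptions for illustration; use the policy names defined in your PerunPoliciesContainer.

```java
// Added example (not Perun project code). Requires perun-core on the classpath.
import java.util.List;

import cz.metacentrum.perun.core.api.AuthzResolver;
import cz.metacentrum.perun.core.api.Group;
import cz.metacentrum.perun.core.api.PerunBean;
import cz.metacentrum.perun.core.api.PerunSession;
import cz.metacentrum.perun.core.api.Vo;
import cz.metacentrum.perun.core.api.exceptions.PolicyNotExistsException;
import cz.metacentrum.perun.core.api.exceptions.PrivilegeException;

public class GroupDeletionGuard {

    /** Policy name assumed for this example; not necessarily one shipped with Perun. */
    static final String DELETE_GROUP_POLICY = "deleteGroup_Group_policy";

    /**
     * Internal-code pattern: evaluate the policy against the concrete objects the
     * operation touches and fail closed with PrivilegeException when it does not hold.
     */
    public static void deleteGroup(PerunSession sess, Vo vo, Group group) throws PrivilegeException {
        // Pass every bean the policy may refer to. A role scoped to a different VO or
        // group must not be enough to delete this one, so do not omit the VO.
        if (!AuthzResolver.authorizedInternal(sess, DELETE_GROUP_POLICY, vo, group)) {
            throw new PrivilegeException(sess, "deleteGroup"); // constructor assumed
        }
        // ... perform the deletion here ...
    }

    /**
     * External-component pattern: the policy name may come from outside the core, so a
     * missing policy surfaces as a checked PolicyNotExistsException. Treat it as a
     * configuration error and deny; never fall through to an allow.
     */
    public static boolean mayDelete(PerunSession sess, String policyName, Vo vo, Group group) {
        List<PerunBean> objects = List.of(vo, group);
        try {
            return AuthzResolver.authorizedExternal(sess, policyName, objects);
        } catch (PolicyNotExistsException e) {
            throw new IllegalStateException("Unknown authorization policy: " + policyName, e);
        }
    }
}
```

The check is deliberately done with the objects of the current request rather than with a bare role name: a principal who is VO admin somewhere should not pass a check for a group in a VO they do not administer.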
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group, Resource resource)
      Checks if the principal is authorized to perform the given action on a group-resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      group - primary Bean of the Attribute (can't be null)
      resource - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Resource resource)
      Checks if the principal is authorized to perform the given action on a resource-member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      resource - primary Bean of the Attribute (can't be null)
      member - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user, Facility facility)
      Checks if the principal is authorized to perform the given action on a user-facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      user - primary Bean of the Attribute (can't be null)
      facility - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Group group)
      Checks if the principal is authorized to perform the given action on a member-group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      member - primary Bean of the Attribute (can't be null)
      group - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user)
      Checks if the principal is authorized to perform the given action on a user attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      user - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member)
      Checks if the principal is authorized to perform the given action on a member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      member - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Vo vo)
      Checks if the principal is authorized to perform the given action on a VO attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      vo - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, PerunBean bean)
      Checks if the principal is authorized to perform the given action on an attribute of a generic PerunBean.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      bean - the PerunBean the attribute belongs to
      Returns:
      true if the principal is authorized for the attribute and action, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group)
      Checks if the principal is authorized to perform the given action on a group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      group - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Resource resource)
      Checks if the principal is authorized to perform the given action on a resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      resource - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Facility facility)
      Checks if the principal is authorized to perform the given action on a facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      facility - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Host host)
      Checks if the principal is authorized to perform the given action on a host attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      host - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, UserExtSource ues)
      Checks if the principal is authorized to perform the given action on a user ext source (UES) attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      ues - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, String key)
      Checks if the principal is authorized to perform the given action on an entityless attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute (e.g. read, write)
      attrDef - attribute the principal wants to work with
      key - key of the entityless attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a group-resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      group - primary Bean of the Attribute (can't be null)
      resource - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a resource-member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      resource - primary Bean of the Attribute (can't be null)
      member - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a user-facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      user - primary Bean of the Attribute (can't be null)
      facility - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a member-group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      member - primary Bean of the Attribute (can't be null)
      group - secondary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a user attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      user - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a member attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      member - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a VO attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      vo - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, PerunBean bean) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on an attribute of a generic PerunBean.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      bean - the PerunBean the attribute belongs to
      Returns:
      true if the principal is authorized for the attribute and action, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a group attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      group - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a resource attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      resource - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a facility attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      facility - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a host attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      host - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on a user ext source (UES) attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      ues - primary Bean of the Attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key) throws InternalErrorException
      Checks if the principal is authorized to perform the given action on an entityless attribute.
      Parameters:
      sess - perun session
      actionType - type of action on the attribute
      attrDef - attribute the principal wants to work with
      key - key of the entityless attribute (can't be null)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException
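The following is an added example, not code from the Perun project, showing the two ways the isAuthorizedForAttribute overloads above are normally used: filtering a result set down to attributes the principal may read, and guarding a write. It uses the user-facility overload with AttributeAction; the enum constants AttributeAction.READ and AttributeAction.WRITE, the class UserFacilityAttributeGuard and the PrivilegeException(sess, action) constructor are assumptions for illustration.

```java
// Added example (not Perun project code). Requires perun-core on the classpath.
import java.util.ArrayList;
import java.util.List;

import cz.metacentrum.perun.core.api.Attribute;
import cz.metacentrum.perun.core.api.AttributeAction;
import cz.metacentrum.perun.core.api.AuthzResolver;
import cz.metacentrum.perun.core.api.Facility;
import cz.metacentrum.perun.core.api.PerunSession;
import cz.metacentrum.perun.core.api.User;
import cz.metacentrum.perun.core.api.exceptions.InternalErrorException;
import cz.metacentrum.perun.core.api.exceptions.PrivilegeException;

public class UserFacilityAttributeGuard {

    /**
     * Read side: return only the attributes the principal may see. The check is done
     * per attribute because rights are attached to attribute definitions, not to the
     * user or facility, so one readable attribute says nothing about the others.
     */
    public static List<Attribute> filterReadable(PerunSession sess, User user, Facility facility,
                                                 List<Attribute> attrs) throws InternalErrorException {
        List<Attribute> visible = new ArrayList<>();
        for (Attribute attr : attrs) {
            // Attribute extends AttributeDefinition, so it is accepted as attrDef.
            if (AuthzResolver.isAuthorizedForAttribute(sess, AttributeAction.READ /* assumed */,
                                                       attr, user, facility)) {
                visible.add(attr);
            }
        }
        return visible;
    }

    /**
     * Write side: check WRITE, not READ, before modifying. Both beans must be non-null
     * (see the parameter notes above), so reject nulls here rather than letting them
     * reach the resolver.
     */
    public static void requireWrite(PerunSession sess, User user, Facility facility, Attribute attr)
            throws InternalErrorException, PrivilegeException {
        if (user == null || facility == null) {
            throw new IllegalArgumentException("user and facility must not be null");
        }
        if (!AuthzResolver.isAuthorizedForAttribute(sess, AttributeAction.WRITE /* assumed */,
                                                    attr, user, facility)) {
            throw new PrivilegeException(sess, "setAttribute " + attr.getName()); // constructor assumed
        }
    }
}
```

A common mistake is to gate a setter on the READ check because it was already made for the getter; the two actions are authorized independently, so the write path needs its own WRITE check.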
    • isAuthorized

      @Deprecated public static boolean isAuthorized(PerunSession sess, String role)
      Deprecated.
      Checks if the principal is authorized.
      Parameters:
      sess - perun session
      role - required role
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - if something goes wrong
    • isVoAdmin

      public static boolean isVoAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is a VO admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is a VO admin
    • isGroupAdmin

      public static boolean isGroupAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is group admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is group admin.
    • isFacilityAdmin

      public static boolean isFacilityAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is facility admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is facility admin.
    • isPerunAdmin

      public static boolean isPerunAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is perun admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is perun admin.
    • getPrincipalRoleNames

      public static List<String> getPrincipalRoleNames(PerunSession sess)
      Get all principal role names.
      Parameters:
      sess - perun session
      Returns:
      list of strings, which represents roles.
    • getUserRoleNames

      public static List<String> getUserRoleNames(PerunSession sess, User user) throws UserNotExistsException, PrivilegeException
      Get all user role names.
      Parameters:
      sess - perun session
      user - User
      Returns:
      list of strings, which represents roles.
      Throws:
      UserNotExistsException
      PrivilegeException
    • getUserRoles

      public static AuthzRoles getUserRoles(PerunSession sess, int userId) throws UserNotExistsException, PrivilegeException
      Get all roles for a given user.
      Parameters:
      sess - perun session
      userId - id of a user
      Returns:
      AuthzRoles object containing all roles together with the PerunBeans they apply to
      Throws:
      InternalErrorException
      UserNotExistsException
      PrivilegeException
    • getGroupRoleNames

      public static List<String> getGroupRoleNames(PerunSession sess, Group group) throws GroupNotExistsException, PrivilegeException
      Get all group role names.
      Parameters:
      sess - perun session
      group - Group
      Returns:
      list of strings, which represents roles.
      Throws:
      InternalErrorException
      GroupNotExistsException
      PrivilegeException
    • getGroupRoles

      public static AuthzRoles getGroupRoles(PerunSession sess, int groupId) throws GroupNotExistsException, PrivilegeException
      Get all roles for a given group.
      Parameters:
      sess - perun session
      groupId - id of a group
      Returns:
      AuthzRoles object containing all roles together with the PerunBeans they apply to
      Throws:
      InternalErrorException
      GroupNotExistsException
      PrivilegeException
    • getLoggedUser

      public static User getLoggedUser(PerunSession sess)
      Returns the user associated with the credentials used to log in to Perun.
      Parameters:
      sess - perun session
      Returns:
      currently logged-in user
    • hasRole

      public static boolean hasRole(PerunPrincipal perunPrincipal, String role)
      Returns true if the perunPrincipal has the requested role.
      Parameters:
      perunPrincipal - acting person for whom the role is checked
      role - role to be checked
      Returns:
      true if the principal has the role, false otherwise
    • isAuthorizedToManageRole

      public static boolean isAuthorizedToManageRole(PerunSession sess, PerunBean complementaryObject, String role)
      Checks if the principal is allowed to manage the given role on the given object.
      Parameters:
      sess - perun session
      complementaryObject - object the role is bound to
      role - role to be managed
      Returns:
      true if the current principal can unset the given role for the given object, false otherwise
      Throws:
      InternalErrorException - internal error
    • authorizedToManageRole

      public static boolean authorizedToManageRole(PerunSession sess, PerunBean complementaryObject, String role) throws RoleManagementRulesNotExistsException
      Checks whether the principal is authorized to manage the role on the object.
      Parameters:
      sess - principal's perun session
      complementaryObject - object the role is bound to
      role - role which will be managed
      Returns:
      true if the principal may manage the role on the object, false otherwise
      Throws:
      RoleManagementRulesNotExistsException - when the role does not have management rules defined.
    • authorizedToReadRole

      public static boolean authorizedToReadRole(PerunSession sess, PerunBean complementaryObject, String role) throws RoleManagementRulesNotExistsException
      Checks whether the principal is authorized to read the role on the object.
      Parameters:
      sess - principal's perun session
      complementaryObject - object the role is bound to
      role - role which will be read
      Returns:
      true if the principal may read the role on the object, false otherwise
      Throws:
      RoleManagementRulesNotExistsException - when the role does not have management rules defined.
    • setRole

      public static void setRole(PerunSession sess, User user, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, UserNotExistsException, AlreadyAdminException, RoleCannotBeManagedException
      Sets the role for the user on all given complementary objects. If some complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary objects are ignored.
      Parameters:
      sess - perun session
      user - the user the role is set for
      role - role to set
      complementaryObjects - objects for which the role will be set
      Throws:
      PrivilegeException
      UserNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
    • setRole

      public static void setRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws PrivilegeException, UserNotExistsException, AlreadyAdminException, RoleCannotBeManagedException
      Sets the role for the user on one complementary object. If the complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      user - the user the role is set for
      role - role to set
      complementaryObject - object for which the role will be set
      Throws:
      PrivilegeException
      UserNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
    • setRole

      public static void setRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, GroupNotExistsException, AlreadyAdminException, RoleCannotBeManagedException
      Sets the role for the authorizedGroup on all given complementary objects. If some complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary objects are ignored.
      Parameters:
      sess - perun session
      authorizedGroup - the group the role is set for
      role - role to set
      complementaryObjects - objects for which the role will be set
      Throws:
      PrivilegeException
      GroupNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
    • setRole

      public static void setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws PrivilegeException, GroupNotExistsException, AlreadyAdminException, RoleCannotBeManagedException
      Sets the role for the authorizedGroup on one complementary object. If the complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      authorizedGroup - the group the role is set for
      role - role to set
      complementaryObject - object for which the role will be set
      Throws:
      PrivilegeException
      GroupNotExistsException
      AlreadyAdminException
      RoleCannotBeManagedException
    • setRole

      public static void setRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role) throws GroupNotExistsException, PrivilegeException, AlreadyAdminException, RoleCannotBeManagedException
      Sets the role for all authorizedGroups on one complementary object. If the complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      authorizedGroups - the groups the role is set for
      complementaryObject - object for which the role will be set
      role - desired role
      Throws:
      GroupNotExistsException - if any of the given groups does not exist
      PrivilegeException - insufficient permissions
      AlreadyAdminException - if any of the given groups already holds the role
      InternalErrorException - internal error
      RoleCannotBeManagedException
    • setRole

      public static void setRole(PerunSession sess, List<User> users, String role, PerunBean complementaryObject) throws UserNotExistsException, PrivilegeException, AlreadyAdminException, RoleCannotBeManagedException
      Sets the role for the given users on one complementary object. If the complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      users - users for which the given role is set
      role - desired role
      complementaryObject - object for which the role is set
      Throws:
      UserNotExistsException - if any of the given users is not found
      PrivilegeException - insufficient permissions
      AlreadyAdminException - if any of the given users already holds the role
      InternalErrorException - internal error
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role) throws GroupNotExistsException, PrivilegeException, GroupNotAdminException, RoleCannotBeManagedException
      Unsets the role for all authorizedGroups on one complementary object. If the complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      authorizedGroups - the groups the role is unset for
      complementaryObject - object for which the role will be unset
      role - role to unset
      Throws:
      GroupNotExistsException - if any of the given groups does not exist
      PrivilegeException - insufficient permissions
      GroupNotAdminException - if any of the given groups does not hold the role
      InternalErrorException - internal error
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, List<User> users, String role, PerunBean complementaryObject) throws UserNotExistsException, PrivilegeException, UserNotAdminException, RoleCannotBeManagedException
      Unsets the role for the given users on one complementary object. If the complementary object is not valid for the role, an exception is thrown. For the role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      users - users for which the given role is unset
      role - role to unset
      complementaryObject - object for which the role is unset
      Throws:
      UserNotExistsException - if any of the given users is not found
      PrivilegeException - insufficient permissions
      UserNotAdminException - if any of the given users does not hold the role
      InternalErrorException - internal error
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, User user, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, UserNotExistsException, UserNotAdminException, RoleCannotBeManagedException
      Unset role for user and all complementary objects. If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" complementary objects are ignored.
      Parameters:
      sess - perun session
      user - the user for unsetting role
      role - role of user in a session
      complementaryObjects - objects for which role will be unset
      Throws:
      PrivilegeException
      UserNotExistsException
      UserNotAdminException
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws PrivilegeException, UserNotExistsException, UserNotAdminException, RoleCannotBeManagedException
      Unset role for user and one complementary object. If the complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      user - the user for unsetting role
      role - role of user in a session
      complementaryObject - object for which role will be unset
      Throws:
      PrivilegeException
      UserNotExistsException
      UserNotAdminException
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, GroupNotExistsException, GroupNotAdminException, RoleCannotBeManagedException
      Unset role for group and all complementary objects. If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" complementary objects are ignored.
      Parameters:
      sess - perun session
      authorizedGroup - the group for unsetting role
      role - role of user in a session
      complementaryObjects - objects for which role will be unset
      Throws:
      PrivilegeException
      GroupNotExistsException
      GroupNotAdminException
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws PrivilegeException, GroupNotExistsException, GroupNotAdminException, RoleCannotBeManagedException
      Unset role for group and one complementary object. If the complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" the complementary object is ignored.
      Parameters:
      sess - perun session
      authorizedGroup - the group for unsetting role
      role - role of user in a session
      complementaryObject - object for which role will be unset
      Throws:
      PrivilegeException
      GroupNotExistsException
      GroupNotAdminException
      RoleCannotBeManagedException
    • getRichAdmins

      public static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes) throws PrivilegeException, RoleCannotBeManagedException
      Get all valid richUser administrators (for group-based rights, status must be VALID for both the Vo and the group) for the complementary object and role, with the specified attributes. If onlyDirectAdmins is true, return only direct user administrators of the complementary object for the role. If allUserAttributes is true, return all user attributes in the richUser objects and ignore the list of specific attributes.
      Parameters:
      sess - perun session
      complementaryObject - object for which administrators are retrieved
      specificAttributes - list of specified attributes which are needed in object richUser
      role - expected role to filter managers by
      onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
      allUserAttributes - if true, get all possible user attributes and ignore list of specificAttributes (if false, get only specific attributes)
      Returns:
      list of richUser administrators for complementary object and role with specified attributes.
      Throws:
      PrivilegeException
      RoleCannotBeManagedException
    • getAdminGroups

      public static List<Group> getAdminGroups(PerunSession sess, PerunBean complementaryObject, String role) throws PrivilegeException, RoleCannotBeManagedException
      Get all authorizedGroups for complementary object and role.
      Parameters:
      sess - perun session
      complementaryObject - object for which administrator groups are retrieved
      role - expected role to filter authorizedGroups by
      Returns:
      list of authorizedGroups for complementary object and role
      Throws:
      PrivilegeException
      RoleCannotBeManagedException
    • getPerunPrincipal

      public static PerunPrincipal getPerunPrincipal(PerunSession sess)
      Returns the PerunPrincipal object associated with the current session. It contains the necessary information, including user identification, authorization data and metadata. Each call of this method refreshes the session, including its authorization data.
      Parameters:
      sess - perun session
      Returns:
      perunPrincipal object
      Throws:
      InternalErrorException - if the PerunSession is not valid.
    • getComplementaryObjectsForRole

      public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role)
      Returns all complementary objects for the given role.
      Parameters:
      sess - perun session
      role - to get object for
      Returns:
      list of complementary objects
    • getComplementaryObjectsForRole

      public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass)
      Returns complementary objects for the given role, filtered by a particular class, e.g. Vo, Group, ...
      Parameters:
      sess - perun session
      role - to get object for
      perunBeanClass - particular class ( Vo | Group | ... )
      Returns:
      list of complementary objects
    • refreshAuthz

      public static void refreshAuthz(PerunSession sess)
      Removes all existing roles for the perunPrincipal and calls init again.
      Parameters:
      sess - perun session
    • hasOneOfTheRolesForObject

      public static boolean hasOneOfTheRolesForObject(PerunSession sess, PerunBean complementaryObject, Set<String> allowedRoles)
      This method verifies whether the current principal has one of the given roles for the given object.
      Parameters:
      sess - session
      complementaryObject - complementary object
      allowedRoles - set of roles which are tested
      Returns:
      true, if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - internal error
    • roleExists

      public static boolean roleExists(String role)
      Checks if the given role exists in the database. The check is case insensitive.
      Parameters:
      role - which will be checked
      Returns:
      true if role exists, false otherwise.
    • loadAuthorizationComponents

      public static void loadAuthorizationComponents(PerunSession sess) throws PrivilegeException
      Loads perun roles and policies from the configuration file perun-roles.yml. Roles are loaded into the database and policies are loaded into the PerunPoliciesContainer.
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getAllPolicies

      public static List<PerunPolicy> getAllPolicies()
      Returns all loaded perun policies.
      Returns:
      all loaded policies
    • getAllRolesManagementRules

      public static List<RoleManagementRules> getAllRolesManagementRules()
      Returns all loaded roles management rules.
      Returns:
      all roles management rules
    • getVosWhereUserIsInRoles

      public static List<Vo> getVosWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Vos where the given user has one of the given roles set, or is a member of an authorized group with such roles. If the user parameter is null, Vos are retrieved for the current principal.
      Parameters:
      sess - Perun session
      user - user for whom Vos are retrieved
      roles - for which Vos are retrieved
      Returns:
      List of Vos
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getFacilitiesWhereUserIsInRoles

      public static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Facilities where the given user has one of the given roles set, or is a member of an authorized group with such roles. If the user parameter is null, Facilities are retrieved for the current principal.
      Parameters:
      sess - Perun session
      user - user for whom Facilities are retrieved
      roles - for which Facilities are retrieved
      Returns:
      List of Facilities
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getResourcesWhereUserIsInRoles

      public static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Resources where the given user has one of the given roles set, or is a member of an authorized group with such roles. If the user parameter is null, Resources are retrieved for the current principal.
      Parameters:
      sess - Perun session
      user - user for whom Resources are retrieved
      roles - for which Resources are retrieved
      Returns:
      List of Resources
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getGroupsWhereUserIsInRoles

      public static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Groups where the given user has one of the given roles set, or is a member of an authorized group with such roles. If the user parameter is null, Groups are retrieved for the current principal. The method does not return subgroups of the fetched groups.
      Parameters:
      sess - Perun session
      user - user for whom Groups are retrieved
      roles - for which Groups are retrieved
      Returns:
      List of Groups
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getMembersWhereUserIsInRoles

      public static List<Member> getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all Members where the given user has one of the given roles set, or is a member of an authorized group with such roles. If the user parameter is null, Members are retrieved for the current principal.
      Parameters:
      sess - Perun session
      user - user for whom Members are retrieved
      roles - for which Members are retrieved
      Returns:
      List of Members
      Throws:
      PrivilegeException - when the principal is not authorized.
    • getSecurityTeamsWhereUserIsInRoles

      public static List<SecurityTeam> getSecurityTeamsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
      Get all SecurityTeams where the given user has one of the given roles set, or is a member of an authorized group with such roles. If the user parameter is null, SecurityTeams are retrieved for the current principal.
      Parameters:
      sess - Perun session
      user - user for whom SecurityTeams are retrieved
      roles - for which SecurityTeams are retrieved
      Returns:
      List of SecurityTeams
      Throws:
      PrivilegeException - when the principal is not authorized.