Package cz.metacentrum.perun.core.blImpl

Class AuthzResolverBlImpl

java.lang.Object

cz.metacentrum.perun.core.blImpl.AuthzResolverBlImpl

All Implemented Interfaces:

AuthzResolverBl

public class AuthzResolverBlImpl
extends Object
implements AuthzResolverBl

Authorization resolver. It decides if the perunPrincipal has rights to do the provided operation.

Author:

Michal Prochazka invalid input: '<'michalp@ics.muni.cz>

Constructor Summary

Constructors

Constructor	Description
AuthzResolverBlImpl()

Method Summary

Modifier and Type	Method	Description
static void	addAdmin(PerunSession sess, SecurityTeam securityTeam, Group group)
static void	addAdmin(PerunSession sess, SecurityTeam securityTeam, User user)
static AuthzRoles	addAllSubgroupsToAuthzRoles(PerunSession sess, AuthzRoles authzRoles, String role)	For the given role with association to "Group" add also all subgroups to authzRoles.
static void	addSpecificUserOwner(PerunSession sess, User specificUser, User owner)	Add owner for a specific user.
static boolean	authorized(PerunSession sess, String policyDefinition, List<PerunBean> objects)	Prepare necessary structures and resolve access rights for the session's principal.
static boolean	authorizedToManageRole(PerunSession sess, PerunBean object, String roleName)	Check whether the principal is authorized to manage the role on the object.
static boolean	authorizedToReadRole(PerunSession sess, PerunBean object, String roleName)	Check whether the principal is authorized to read the role on the object.
static List<Attribute>	filterNotAllowedAttributes(PerunSession sess, PerunBean bean, List<Attribute> attributes)	From given attributes filter out the ones which are not allowed for the current principal.
static List<Group>	getAdminGroups(PerunBean complementaryObject, String role)	Get all authorizedGroups for complementary object and role.
static List<User>	getAdmins(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins)	Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role.
static List<PerunPolicy>	getAllPolicies()	Return all loaded perun policies.
static List<RoleManagementRules>	getAllRolesManagementRules()	Return all loaded roles management rules.
static List<PerunBean>	getComplementaryObjectsForRole(PerunSession sess, String role)	Returns all complementary objects for defined role.
static List<PerunBean>	getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass)	Returns only complementary objects for defined role which fits perunBeanClass class.
static List<Facility>	getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)	Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static List<String>	getGroupRoleNames(PerunSession sess, Group group)	Get all Group's roles.
static AuthzRoles	getGroupRoles(PerunSession sess, Group group)	Get all roles for a given group.
static List<Group>	getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)	Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static User	getLoggedUser(PerunSession sess)	Returns user which is associated with credentials used to log-in to Perun.
static List<Member>	getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)	Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static PerunPrincipal	getPerunPrincipal(PerunSession sess)	Returns PerunPrincipal object associated with current session.
static List<String>	getPrincipalRoleNames(PerunSession sess)	Get all principal role names.
static List<Resource>	getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)	Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static List<RichUser>	getRichAdmins(PerunSession sess, PerunBean complementaryObject, String role)	Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role without any attributes.
static List<RichUser>	getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes)	Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.
static Map<String,Map<String,Map<Integer,List<Group>>>>	getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess, User user)	Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type.
static int	getRoleIdByName(String name)	Return id of the role by its name.
static AuthzRoles	getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess, User user)	Returns user's roles resulting from being a VALID member of authorized groups.
static Map<String,Set<ActionType>>	getRolesWhichCanWorkWithAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef)	Deprecated.
static List<SecurityTeam>	getSecurityTeamsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)	Get all SecurityTeams where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static List<String>	getUserRoleNames(PerunSession sess, User user)	Get all User's roles.
static AuthzRoles	getUserRoles(PerunSession sess, User user, boolean getAuthorizedGroupBasedRoles)	Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups Returns also sponsorship and membership roles, which are not stored in DB as authzRoles but retrieved separately.
static List<Vo>	getVosWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)	Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static boolean	groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types)	Check if the given group passes the user's roles filter.
static boolean	hasMFASkippableRole(PerunSession sess)	Returns true if principal has a role which should skip MFA check
static boolean	hasRole(PerunPrincipal perunPrincipal, String role)	Returns true if the perunPrincipal has requested role.
static boolean	isAnyObjectMfaCritical(PerunSession sess, List<Object> objects)	Returns true if any of the objects is marked as mfaCriticalObject in its attribute.
static boolean	isAuthorized(PerunSession sess, String role)	Deprecated.
static boolean	isAuthorized(PerunSession sess, String role, PerunBean complementaryObject)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Facility facility)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group, Resource resource)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Host host)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Group group)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Resource resource)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Resource resource)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, UserExtSource ues)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user, Facility facility)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Vo vo)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, String key)	Deprecated.
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo)
static boolean	isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key)
static boolean	isAuthorizedForGroup(PerunSession sess, String policy, Integer groupId, Integer voId)
static boolean	isFacilityAdmin(PerunSession sess)	Returns true if the perun principal inside the perun session is facility admin.
static boolean	isGroupAdmin(PerunSession sess)	Returns true if the perun principal inside the perun session is group admin.
static List<Facility>	isGroupLastAdminInFacilities(PerunSession sess, Group group, List<Facility> facilities)	Checks the facilities and returns those in which group is the last admin
static List<Vo>	isGroupLastAdminInVos(PerunSession sess, Group group, List<Vo> vos)	Checks the vos and return those in which group is the last admin.
static boolean	isMfaAuthorizedForAttribute(PerunSession sess, AttributeDefinition attrDef, AttributeAction actionType, List<Object> objects)	Checks authorization for attribute according to MFA rules.
static boolean	isPerunAdmin(PerunSession sess)	Returns true if the perun principal inside the perun session is perun admin.
static boolean	isPerunObserver(PerunSession sess)	Returns true if the perun principal inside the perun session is Perun Observer.
static boolean	isResourceAdmin(PerunSession sess)	Returns true if the perun principal inside the perun session is resource admin.
static boolean	isSecurityAdmin(PerunSession sess)	Returns true if the perun principal inside the perun session is security admin.
static boolean	isTopGroupCreator(PerunSession sess)	Returns true if the perun principal inside the perun session is top group creator.
static List<Facility>	isUserLastAdminInFacilities(PerunSession sess, User user, List<Facility> facilities)	Checks the facilities and returns those in which user is the last admin
static List<Vo>	isUserLastAdminInVos(PerunSession sess, User user, List<Vo> vos)	Checks the vos and return those in which user is the last admin.
static boolean	isVoAdmin(PerunSession sess)	Returns true if the perun principal inside the perun session is vo admin.
static boolean	isVoAdminOrObserver(PerunSession sess, Vo vo)	Returns true if perun principal is Vo admin or Vo observer of specific Vo.
static boolean	isVoObserver(PerunSession sess)	Returns true if the perun principal inside the perun session is vo observer.
static void	loadAuthorizationComponents()
static void	logLastAdmin(PerunSession sess, PerunBean complementaryObject)	Checks whether removed admin user/group was the last admin of Vo/Facility, log an AuditEvent which will trigger a notification if this was the case.
static void	makeUserPerunAdmin(PerunSession sess, User user)	Make user to be PERUNADMIN!
static void	refreshAuthz(PerunSession sess)	Refresh authorization data inside session.
static void	refreshMfa(PerunSession sess)	Checks if MFA is supported and if it was used by the user, then updates MFA flag in the session.
static void	refreshSession(PerunSession sess)	Refresh all session data excluding Ext.
static void	removeAdmin(PerunSession sess, SecurityTeam securityTeam, Group group)
static void	removeAdmin(PerunSession sess, SecurityTeam securityTeam, User user)
static void	removeAllAuthzForFacility(PerunSession sess, Facility facility)
static void	removeAllAuthzForGroup(PerunSession sess, Group group)
static void	removeAllAuthzForResource(PerunSession sess, Resource resource)
static void	removeAllAuthzForSecurityTeam(PerunSession sess, SecurityTeam securityTeam)
static void	removeAllAuthzForService(PerunSession sess, Service service)
static void	removeAllAuthzForVo(PerunSession sess, Vo vo)
static void	removeSpecificUserOwner(PerunSession sess, User specificUser, User owner)	Remove owner for a specific user.
static boolean	roleExists(String role)
static boolean	selfAuthorizedForApplication(PerunSession sess, Application app)
static AuthzResolverImplApi	setAuthzResolverImpl(AuthzResolverImplApi authzResolverImpl)
static PerunBl	setPerunBl(PerunBl perunBl)
static void	setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role)	Set role for authorizedGroup and one complementary object.
static void	setRole(PerunSession sess, User user, PerunBean complementaryObject, String role)	Set role for user and one complementary object.
static boolean	someAdminExists(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins)	Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
String	toString()
static void	unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role)	Unset role for group and one complementary object
static void	unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role)	Unset role for user and one complementary object.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Details

AuthzResolverBlImpl

public AuthzResolverBlImpl()

Method Details

addAdmin

public static void addAdmin(PerunSession sess,
 SecurityTeam securityTeam,
 User user)
                     throws AlreadyAdminException

Throws:

AlreadyAdminException

addAdmin

public static void addAdmin(PerunSession sess,
 SecurityTeam securityTeam,
 Group group)
                     throws AlreadyAdminException

Throws:

AlreadyAdminException

addAllSubgroupsToAuthzRoles

public static AuthzRoles addAllSubgroupsToAuthzRoles(PerunSession sess,
 AuthzRoles authzRoles,
 String role)

For the given role with association to "Group" add also all subgroups to authzRoles. If authzRoles is null, return empty AuthzRoles. If there is no role (given in parameter) or Group object for this role, return not changed authzRoles.

Parameters:

sess - perun session

authzRoles - authzRoles for some user

Returns:

the same object authzRoles, which is given in parameter, but also with subgroups of groups for given role

addSpecificUserOwner

public static void addSpecificUserOwner(PerunSession sess,
 User specificUser,
 User owner)
                                 throws AlreadyAdminException

Add owner for a specific user.

Parameters:

sess - Principal's session

specificUser - for which will be the owner set

owner - of the specific user

Throws:

AlreadyAdminException

authorized

public static boolean authorized(PerunSession sess,
 String policyDefinition,
 List<PerunBean> objects)
                          throws PolicyNotExistsException

Prepare necessary structures and resolve access rights for the session's principal.

Parameters:

sess - perunSession which contains the principal.

policyDefinition - is a definition of a policy which will define authorization rules.

objects - as list of PerunBeans on which will be authorization provided. (e.g. groups, Vos, etc...)

Returns:

true if the principal has particular rights, false otherwise.

Throws:

PolicyNotExistsException - when the given policyDefinition does not exist in the PerunPoliciesContainer.

MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it

authorizedToManageRole

public static boolean authorizedToManageRole(PerunSession sess,
 PerunBean object,
 String roleName)
                                      throws RoleManagementRulesNotExistsException

Check whether the principal is authorized to manage the role on the object.

Parameters:

sess - principal's perun session

object - bounded with the role

roleName - which will be managed

Returns:

Throws:

RoleManagementRulesNotExistsException - when the role does not have the management rules.

authorizedToReadRole

public static boolean authorizedToReadRole(PerunSession sess,
 PerunBean object,
 String roleName)
                                    throws RoleManagementRulesNotExistsException

Check whether the principal is authorized to read the role on the object.

Parameters:

sess - principal's perun session

object - bounded with the role

roleName - which will be managed

Returns:

true if principal is authorized. False otherwise.

Throws:

RoleManagementRulesNotExistsException - when the role does not have the management rules.

filterNotAllowedAttributes

public static List<Attribute> filterNotAllowedAttributes(PerunSession sess,
 PerunBean bean,
 List<Attribute> attributes)

From given attributes filter out the ones which are not allowed for the current principal.

Parameters:

sess - session

bean - perun bean

attributes - attributes

Returns:

list of attributes which can be accessed by current principal.

getAdminGroups

public static List<Group> getAdminGroups(PerunBean complementaryObject,
 String role)
                                  throws RoleCannotBeManagedException

Get all authorizedGroups for complementary object and role.

Parameters:

complementaryObject - for which we will get administrator groups

role - expected role to filter authorizedGroups by

Returns:

list of authorizedGroups for complementary object and role

Throws:

RoleCannotBeManagedException

getAdmins

public static List<User> getAdmins(PerunSession sess,
 PerunBean complementaryObject,
 String role,
 boolean onlyDirectAdmins)
                            throws RoleCannotBeManagedException

Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role.

If onlyDirectAdmins is true, return only direct users of the complementary object for role.

Parameters:

sess - perun session

complementaryObject - for which we will get administrator

role - expected role to filter managers by

onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)

Returns:

list of user administrators for complementary object and role.

Throws:

RoleCannotBeManagedException

getAllPolicies

public static List<PerunPolicy> getAllPolicies()

Return all loaded perun policies.

Returns:

all loaded policies

getAllRolesManagementRules

public static List<RoleManagementRules> getAllRolesManagementRules()

Return all loaded roles management rules.

Returns:

all roles management rules

getComplementaryObjectsForRole

public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess,
 String role)

Returns all complementary objects for defined role.

Parameters:

sess - perun session

role - to get object for

Returns:

list of complementary objects

getComplementaryObjectsForRole

public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess,
 String role,
 Class perunBeanClass)

Returns only complementary objects for defined role which fits perunBeanClass class.

Parameters:

sess - perun session

role - to get object for

perunBeanClass - particular class ( Vo | Group | ... )

Returns:

list of complementary objects

getFacilitiesWhereUserIsInRoles

public static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess,
 User user,
 List<String> roles)

Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.

Parameters:

sess - Perun session

user - for who Facilities are retrieved

roles - for which Facilities are retrieved

Returns:

List of Facilities

getGroupRoleNames

public static List<String> getGroupRoleNames(PerunSession sess,
 Group group)

Get all Group's roles.

Parameters:

sess - perun session

group - Group

Returns:

list of roles.

getGroupRoles

public static AuthzRoles getGroupRoles(PerunSession sess,
 Group group)

Get all roles for a given group.

Parameters:

sess - perun session

group - group

Returns:

AuthzRoles object which contains all roles with perunbeans

Throws:

InternalErrorException

getGroupsWhereUserIsInRoles

public static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess,
 User user,
 List<String> roles)

Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.

Method does not return subgroups of the fetched groups.

Parameters:

sess - Perun session

user - for who Groups are retrieved

roles - for which Groups are retrieved

Returns:

List of Groups

getLoggedUser

public static User getLoggedUser(PerunSession sess)

Returns user which is associated with credentials used to log-in to Perun.

Parameters:

sess - perun session

Returns:

currently logged user

getMembersWhereUserIsInRoles

public static List<Member> getMembersWhereUserIsInRoles(PerunSession sess,
 User user,
 List<String> roles)

Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.

Parameters:

sess - Perun session

user - for who Members are retrieved

roles - for which Members are retrieved

Returns:

List of Members

getPerunPrincipal

public static PerunPrincipal getPerunPrincipal(PerunSession sess)

Returns PerunPrincipal object associated with current session. It contains necessary information, including user identification, authorization and metadata. Each call of this method refresh the session including authorization data.

Parameters:

sess - perun session

Returns:

perunPrincipal object

Throws:

InternalErrorException - if the PerunSession is not valid.

getPrincipalRoleNames

public static List<String> getPrincipalRoleNames(PerunSession sess)

Get all principal role names.

Parameters:

sess - perun session

Returns:

list of roles.

getResourcesWhereUserIsInRoles

public static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess,
 User user,
 List<String> roles)

Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.

Parameters:

sess - Perun session

user - for who Resources are retrieved

roles - for which Resources are retrieved

Returns:

List of Resources

getRichAdmins

public static List<RichUser> getRichAdmins(PerunSession sess,
 PerunBean complementaryObject,
 String role)
                                    throws RoleCannotBeManagedException

Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role without any attributes.

Parameters:

sess - perun session

complementaryObject - for which we will get administrator

role - expected role to filter managers by

Returns:

list of richUser administrators for complementary object and role.

Throws:

RoleCannotBeManagedException

getRichAdmins

public static List<RichUser> getRichAdmins(PerunSession sess,
 PerunBean complementaryObject,
 List<String> specificAttributes,
 String role,
 boolean onlyDirectAdmins,
 boolean allUserAttributes)
                                    throws RoleCannotBeManagedException

Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.

If onlyDirectAdmins is true, return only direct users of the complementary object for role with specific attributes. If allUserAttributes is true, do not specify attributes through list and return them all in objects richUser. Ignoring list of specific attributes.

Parameters:

sess - perun session

complementaryObject - for which we will get administrator

specificAttributes - list of specified attributes which are needed in object richUser

role - expected role to filter managers by

onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)

allUserAttributes - if true, get all possible user attributes and ignore list of specificAttributes (if false, get only specific attributes)

Returns:

list of richUser administrators for complementary object and role with specified attributes.

Throws:

RoleCannotBeManagedException

someAdminExists

public static boolean someAdminExists(PerunSession sess,
 PerunBean complementaryObject,
 String role,
 boolean onlyDirectAdmins)
                               throws RoleCannotBeManagedException

Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).

Parameters:

sess - perun session

complementaryObject - for which we will find administrator

role - expected role to filter managers by

onlyDirectAdmins - if true, search only direct user admins (if false, search both direct and indirect)

Returns:

true, if some user with required role exists, false otherwise.

Throws:

RoleCannotBeManagedException

getRoleComplementaryObjectsWithAuthorizedGroups

public static Map<String,Map<String,Map<Integer,List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess,
 User user)

Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type. together with list of authorized groups where user is member: Mapinvalid input: '<' RoleName, Mapinvalid input: '<' BeanName, Mapinvalid input: '<' BeanID, List >>>

Parameters:

user -

Returns:

Mapinvalid input: '<'String, Map invalid input: '<' String, Map invalid input: '<' Integer, List invalid input: '<' Group>>>> roles with map of complementary objects with associated authorized groups

getRoleIdByName

public static int getRoleIdByName(String name)

Return id of the role by its name.

Parameters:

name - - name of the role

Returns:

- id of the role

getRolesObtainedFromAuthorizedGroupMemberships

public static AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess,
 User user)

Returns user's roles resulting from being a VALID member of authorized groups.

Parameters:

sess - perun session

user - user

Returns:

AuthzRoles object which contains roles with perunbeans

Throws:

InternalErrorException

getRolesWhichCanWorkWithAttribute

@Deprecated
public static Map<String,Set<ActionType>> getRolesWhichCanWorkWithAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef)
                                                                     throws AttributeNotExistsException,
ActionTypeNotExistsException

Deprecated.

Return map of roles, with allowed actions, which are authorized for doing "action" on "attribute".

Parameters:

sess - perun session

actionType - type of action on attribute (ex.: write, read, etc...)

attrDef - attribute what principal want to work with

Returns:

map of roles with allowed action types

Throws:

AttributeNotExistsException

ActionTypeNotExistsException

getSecurityTeamsWhereUserIsInRoles

public static List<SecurityTeam> getSecurityTeamsWhereUserIsInRoles(PerunSession sess,
 User user,
 List<String> roles)

Get all SecurityTeams where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.

Parameters:

sess - Perun session

user - for who SecurityTeams are retrieved

roles - for which SecurityTeams are retrieved

Returns:

List of SecurityTeams

getUserRoleNames

public static List<String> getUserRoleNames(PerunSession sess,
 User user)

Get all User's roles. Does not include membership and sponsorship role.

Parameters:

sess - perun session

user - User

Returns:

list of roles.

getUserRoles

public static AuthzRoles getUserRoles(PerunSession sess,
 User user,
 boolean getAuthorizedGroupBasedRoles)

Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups Returns also sponsorship and membership roles, which are not stored in DB as authzRoles but retrieved separately.

Parameters:

sess - perun session

user - user

getAuthorizedGroupBasedRoles - include roles based on membership in authorized groups

Returns:

AuthzRoles object which contains all roles with perunbeans

Throws:

InternalErrorException

getVosWhereUserIsInRoles

public static List<Vo> getVosWhereUserIsInRoles(PerunSession sess,
 User user,
 List<String> roles)

Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.

Parameters:

sess - Perun session

user - for who Vos are retrieved

roles - for which Vos are retrieved

Returns:

List of Vos

groupMatchesUserRolesFilter

public static boolean groupMatchesUserRolesFilter(PerunSession sess,
 User user,
 Group group,
 List<String> roles,
 List<RoleAssignmentType> types)

Check if the given group passes the user's roles filter.

Parameters:

sess - session

user - user

group - group

roles - list of selected roles (if empty, then return groups by all roles)

types - list of selected types of roles (if empty, then return by roles of all types)

Returns:

list of groups

hasMFASkippableRole

public static boolean hasMFASkippableRole(PerunSession sess)
                                   throws RoleManagementRulesNotExistsException

Returns true if principal has a role which should skip MFA check

Parameters:

sess - principal's perun session

Returns:

true if principal has system role

Throws:

RoleManagementRulesNotExistsException - when the role does not have the management rules.

hasRole

public static boolean hasRole(PerunPrincipal perunPrincipal,
 String role)

Returns true if the perunPrincipal has requested role.

Parameters:

perunPrincipal - acting person for whom the role is checked

role - role to be checked

isAnyObjectMfaCritical

public static boolean isAnyObjectMfaCritical(PerunSession sess,
 List<Object> objects)

Returns true if any of the objects is marked as mfaCriticalObject in its attribute. Not usable for entityless attributes!

Parameters:

sess - session

objects - objects to be checked

Returns:

if any object is critical

isAuthorized

@Deprecated
public static boolean isAuthorized(PerunSession sess,
 String role,
 PerunBean complementaryObject)

Deprecated.

Checks if the principal is authorized.

Parameters:

sess - perunSession

role - required role

complementaryObject - object which specifies particular action of the role (e.g. group)

Returns:

true if the principal authorized, false otherwise

Throws:

InternalErrorException - if something goes wrong

isAuthorized

@Deprecated
public static boolean isAuthorized(PerunSession sess,
 String role)

Deprecated.

Checks if the principal is authorized.

Parameters:

sess - perunSession

role - required role

Returns:

true if the principal authorized, false otherwise

Throws:

InternalErrorException - if something goes wrong

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Member member,
 Resource resource)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Group group,
 Resource resource)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 User user,
 Facility facility)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Member member,
 Group group)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 User user)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Member member)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Vo vo)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Group group)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Resource resource)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Facility facility)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 Host host)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 UserExtSource ues)
                                        throws WrongAttributeAssignmentException

Deprecated.

Throws:

WrongAttributeAssignmentException

isAuthorizedForAttribute

@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess,
 ActionType actionType,
 AttributeDefinition attrDef,
 String key)

Deprecated.

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Member member,
 Resource resource)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Group group,
 Resource resource)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 User user,
 Facility facility)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Member member,
 Group group)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 User user)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Member member)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Vo vo)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Group group)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Resource resource)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Facility facility)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 Host host)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 UserExtSource ues)
                                        throws InternalErrorException,
AttributeNotExistsException,
WrongAttributeAssignmentException

Throws:

InternalErrorException

AttributeNotExistsException

WrongAttributeAssignmentException

isAuthorizedForAttribute

public static boolean isAuthorizedForAttribute(PerunSession sess,
 AttributeAction actionType,
 AttributeDefinition attrDef,
 String key)
                                        throws InternalErrorException,
AttributeNotExistsException

Throws:

InternalErrorException

AttributeNotExistsException

isAuthorizedForGroup

public static boolean isAuthorizedForGroup(PerunSession sess,
 String policy,
 Integer groupId,
 Integer voId)

isFacilityAdmin

public static boolean isFacilityAdmin(PerunSession sess)

Returns true if the perun principal inside the perun session is facility admin.

Parameters:

sess - perun session

Returns:

true if the perun principal is facility admin.

isGroupAdmin

public static boolean isGroupAdmin(PerunSession sess)

Returns true if the perun principal inside the perun session is group admin.

Parameters:

sess - perun session

Returns:

true if the perun principal is group admin.

isGroupLastAdminInFacilities

public static List<Facility> isGroupLastAdminInFacilities(PerunSession sess,
 Group group,
 List<Facility> facilities)

Checks the facilities and returns those in which group is the last admin

Parameters:

sess - sess

group - group

facilities - facilities to check

Returns:

facilities in which the user is last admin

isGroupLastAdminInVos

public static List<Vo> isGroupLastAdminInVos(PerunSession sess,
 Group group,
 List<Vo> vos)

Checks the vos and return those in which group is the last admin.

Parameters:

sess - sess

group - group

vos - vos to check

Returns:

vos in which the user is last admin

isMfaAuthorizedForAttribute

public static boolean isMfaAuthorizedForAttribute(PerunSession sess,
 AttributeDefinition attrDef,
 AttributeAction actionType,
 List<Object> objects)

Checks authorization for attribute according to MFA rules. Returns false if attribute action is marked as critical, attribute's object is marked as critical and principal is not authorized by MFA and hasn't got a system role. If MFA is globally disabled for whole instance, returns true.

Parameters:

sess - session

attrDef - attribute definition

actionType - type of action (READ / WRITE)

objects - objects related to the attribute

Returns:

true if MFA requirements are met, false otherwise

isPerunAdmin

public static boolean isPerunAdmin(PerunSession sess)

Returns true if the perun principal inside the perun session is perun admin.

Parameters:

sess - perun session

Returns:

true if the perun principal is perun admin.

isPerunObserver

public static boolean isPerunObserver(PerunSession sess)

Returns true if the perun principal inside the perun session is Perun Observer.

Parameters:

sess - perun session

Returns:

true if the perun principal is top group creator.

isResourceAdmin

public static boolean isResourceAdmin(PerunSession sess)

Returns true if the perun principal inside the perun session is resource admin.

Parameters:

sess - perun session

Returns:

true if the perun principal is resource admin.

isSecurityAdmin

public static boolean isSecurityAdmin(PerunSession sess)

Returns true if the perun principal inside the perun session is security admin.

Parameters:

sess - perun session

Returns:

true if the perun principal is security admin.

isTopGroupCreator

public static boolean isTopGroupCreator(PerunSession sess)

Returns true if the perun principal inside the perun session is top group creator.

Parameters:

sess - perun session

Returns:

true if the perun principal is top group creator.

isUserLastAdminInFacilities

public static List<Facility> isUserLastAdminInFacilities(PerunSession sess,
 User user,
 List<Facility> facilities)

Checks the facilities and returns those in which user is the last admin

Parameters:

sess - sess

user - user

facilities - facilities to check

Returns:

facilities in which the user is last admin

isUserLastAdminInVos

public static List<Vo> isUserLastAdminInVos(PerunSession sess,
 User user,
 List<Vo> vos)

Checks the vos and return those in which user is the last admin.

Parameters:

sess - sess

user - user

vos - vos to check

Returns:

vos in which the user is last admin

isVoAdmin

public static boolean isVoAdmin(PerunSession sess)

Returns true if the perun principal inside the perun session is vo admin.

Parameters:

sess - perun session

Returns:

true if the perun principal is vo admin

isVoAdminOrObserver

public static boolean isVoAdminOrObserver(PerunSession sess,
 Vo vo)

Returns true if perun principal is Vo admin or Vo observer of specific Vo.

Parameters:

sess - - perun session

vo - -specific vo

Returns:

bolean

isVoObserver

public static boolean isVoObserver(PerunSession sess)

Returns true if the perun principal inside the perun session is vo observer.

Parameters:

sess - perun session

Returns:

true if the perun principal is vo observer

loadAuthorizationComponents

public static void loadAuthorizationComponents()

makeUserPerunAdmin

public static void makeUserPerunAdmin(PerunSession sess,
 User user)
                               throws AlreadyAdminException

Make user to be PERUNADMIN!

Parameters:

sess - PerunSession with authorization

user - which will get role "PERUNADMIN" in the system

Throws:

InternalErrorException - When implementation fails

AlreadyAdminException - When user is already perun admin

refreshAuthz

public static void refreshAuthz(PerunSession sess)

Refresh authorization data inside session.

Fill in proper roles and their relative entities (vos, groups, ....). User itself or ext source data is NOT updated.

Parameters:

sess - perun session to refresh authz for

refreshMfa

public static void refreshMfa(PerunSession sess)
                       throws MFAuthenticationException

Checks if MFA is supported and if it was used by the user, then updates MFA flag in the session.

Parameters:

sess - PerunSession

Throws:

MFAuthenticationException - when MFA is not supported or can't be verified

refreshSession

public static void refreshSession(PerunSession sess)

Refresh all session data excluding Ext. Source and additional information.

This method update user in session (try to find user by ext. source data). Then it updates authorization data in session.

Parameters:

sess - Perun session to refresh data for

removeAdmin

public static void removeAdmin(PerunSession sess,
 SecurityTeam securityTeam,
 User user)
                        throws UserNotAdminException

Throws:

UserNotAdminException

removeAdmin

public static void removeAdmin(PerunSession sess,
 SecurityTeam securityTeam,
 Group group)
                        throws GroupNotAdminException

Throws:

GroupNotAdminException

removeAllAuthzForFacility

public static void removeAllAuthzForFacility(PerunSession sess,
 Facility facility)

removeAllAuthzForGroup

public static void removeAllAuthzForGroup(PerunSession sess,
 Group group)

removeAllAuthzForResource

public static void removeAllAuthzForResource(PerunSession sess,
 Resource resource)

removeAllAuthzForSecurityTeam

public static void removeAllAuthzForSecurityTeam(PerunSession sess,
 SecurityTeam securityTeam)

removeAllAuthzForService

public static void removeAllAuthzForService(PerunSession sess,
 Service service)

removeAllAuthzForVo

public static void removeAllAuthzForVo(PerunSession sess,
 Vo vo)

removeSpecificUserOwner

public static void removeSpecificUserOwner(PerunSession sess,
 User specificUser,
 User owner)
                                    throws UserNotAdminException

Remove owner for a specific user.

Parameters:

sess - Principal's session

specificUser - from which will be the owner unset

owner - of the specific user

Throws:

UserNotAdminException

roleExists

public static boolean roleExists(String role)

selfAuthorizedForApplication

public static boolean selfAuthorizedForApplication(PerunSession sess,
 Application app)

setAuthzResolverImpl

public static AuthzResolverImplApi setAuthzResolverImpl(AuthzResolverImplApi authzResolverImpl)

setPerunBl

public static PerunBl setPerunBl(PerunBl perunBl)

setRole

public static void setRole(PerunSession sess,
 User user,
 PerunBean complementaryObject,
 String role)
                    throws AlreadyAdminException,
RoleCannotBeManagedException,
RoleCannotBeSetException

Set role for user and one complementary object.

If complementary object is wrong for the role, throw an exception.

Parameters:

sess - perun session

user - the user for setting role

complementaryObject - object for which role will be set

role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | SECURITYADMIN | RESOURCESELFSERVICE | RESOURCEADMIN | SERVICEACCOUNTCREATOR )

Throws:

AlreadyAdminException

RoleCannotBeManagedException

RoleCannotBeSetException

setRole

public static void setRole(PerunSession sess,
 Group authorizedGroup,
 PerunBean complementaryObject,
 String role)
                    throws AlreadyAdminException,
RoleCannotBeManagedException,
RoleCannotBeSetException

Set role for authorizedGroup and one complementary object.

If complementary object is wrong for the role, throw an exception.

Parameters:

sess - perun session

authorizedGroup - the group for setting role

complementaryObject - object for which role will be set

role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN )

Throws:

AlreadyAdminException

RoleCannotBeManagedException

RoleCannotBeSetException

unsetRole

public static void unsetRole(PerunSession sess,
 User user,
 PerunBean complementaryObject,
 String role)
                      throws UserNotAdminException,
RoleCannotBeManagedException

Unset role for user and one complementary object.

If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

Parameters:

sess - perun session

user - the user for unsetting role

complementaryObject - object for which role will be unset

role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN | SERVICEACCOUNTCREATOR)

Throws:

UserNotAdminException

RoleCannotBeManagedException

unsetRole

public static void unsetRole(PerunSession sess,
 Group authorizedGroup,
 PerunBean complementaryObject,
 String role)
                      throws GroupNotAdminException,
RoleCannotBeManagedException

Unset role for group and one complementary object

If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

Parameters:

sess - perun session

authorizedGroup - the group for unsetting role

complementaryObject - object for which role will be unset

role - role of user in a session ( PERUNADMIN | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN )

Throws:

GroupNotAdminException

RoleCannotBeManagedException

logLastAdmin

public static void logLastAdmin(PerunSession sess,
 PerunBean complementaryObject)

Checks whether removed admin user/group was the last admin of Vo/Facility, log an AuditEvent which will trigger a notification if this was the case.

Parameters:

sess - session

complementaryObject - Vo/Facility object

toString

public String toString()

Overrides:

toString in class Object