Class AuthzResolverBlImpl

java.lang.Object
cz.metacentrum.perun.core.blImpl.AuthzResolverBlImpl
All Implemented Interfaces:
AuthzResolverBl

public class AuthzResolverBlImpl extends Object implements AuthzResolverBl
Authorization resolver. It decides if the perunPrincipal has rights to do the provided operation.
Author:
Michal Prochazka <michalp@ics.muni.cz>
  • Constructor Details

    • AuthzResolverBlImpl

      public AuthzResolverBlImpl()
  • Method Details

    • addAllSubgroupsToAuthzRoles

      public static AuthzRoles addAllSubgroupsToAuthzRoles(PerunSession sess, AuthzRoles authzRoles, String role)
      For the given role associated with "Group", add all subgroups of those groups to authzRoles as well. If authzRoles is null, return empty AuthzRoles. If the given role is absent from authzRoles, or it has no Group object, return authzRoles unchanged.
      Parameters:
      sess - perun session
      authzRoles - authzRoles of some user
      role - role associated with Group objects
      Returns:
      the same authzRoles object that was given as parameter, extended with the subgroups of the groups held for the given role
    • addSpecificUserOwner

      public static void addSpecificUserOwner(PerunSession sess, User specificUser, User owner) throws AlreadyAdminException
      Add owner for a specific user.
      Parameters:
      sess - Principal's session
      specificUser - specific user for which the owner is set
      owner - owner of the specific user
      Throws:
      AlreadyAdminException
    • authorized

      public static boolean authorized(PerunSession sess, String policyDefinition, List<PerunBean> objects) throws PolicyNotExistsException
      Prepare necessary structures and resolve access rights for the session's principal.
      Parameters:
      sess - perunSession which contains the principal.
      policyDefinition - name of the policy that defines the authorization rules.
      objects - list of PerunBeans on which authorization is resolved (e.g. groups, Vos, ...)
      Returns:
      true if the principal has particular rights, false otherwise.
      Throws:
      PolicyNotExistsException - when the given policyDefinition does not exist in the PerunPoliciesContainer.
      MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
    • authorizedToManageRole

      public static boolean authorizedToManageRole(PerunSession sess, PerunBean object, String roleName) throws RoleManagementRulesNotExistsException
      Check whether the principal is authorized to manage the role on the object.
      Parameters:
      sess - principal's perun session
      object - object bound to the role
      roleName - name of the role to be managed
      Returns:
      true if the principal is authorized, false otherwise.
      Throws:
      RoleManagementRulesNotExistsException - when the role does not have the management rules.
    • authorizedToReadRole

      public static boolean authorizedToReadRole(PerunSession sess, PerunBean object, String roleName) throws RoleManagementRulesNotExistsException
      Check whether the principal is authorized to read the role on the object.
      Parameters:
      sess - principal's perun session
      object - object bound to the role
      roleName - name of the role to be read
      Returns:
      true if the principal is authorized, false otherwise.
      Throws:
      RoleManagementRulesNotExistsException - when the role does not have the management rules.
    • filterNotAllowedAttributes

      public static List<Attribute> filterNotAllowedAttributes(PerunSession sess, PerunBean bean, List<Attribute> attributes)
      From the given attributes, filter out those the current principal is not allowed to access.
      Parameters:
      sess - session
      bean - perun bean
      attributes - attributes
      Returns:
      list of attributes which can be accessed by current principal.
    • getAdminGroups

      public static List<Group> getAdminGroups(PerunBean complementaryObject, String role) throws RoleCannotBeManagedException
      Get all authorizedGroups for complementary object and role.
      Parameters:
      complementaryObject - for which we will get administrator groups
      role - expected role to filter authorizedGroups by
      Returns:
      list of authorizedGroups for complementary object and role
      Throws:
      RoleCannotBeManagedException
    • getAdmins

      public static List<User> getAdmins(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws RoleCannotBeManagedException
      Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role.

      If onlyDirectAdmins is true, return only direct users of the complementary object for role.

      Parameters:
      sess - perun session
      complementaryObject - for which we will get administrator
      role - expected role to filter managers by
      onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
      Returns:
      list of user administrators for complementary object and role.
      Throws:
      RoleCannotBeManagedException
    • getAllPolicies

      public static List<PerunPolicy> getAllPolicies()
      Return all loaded perun policies.
      Returns:
      all loaded policies
    • getAllRolesManagementRules

      public static List<RoleManagementRules> getAllRolesManagementRules()
      Return all loaded roles management rules.
      Returns:
      all roles management rules
    • getComplementaryObjectsForRole

      public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role)
      Returns all complementary objects for defined role.
      Parameters:
      sess - perun session
      role - to get object for
      Returns:
      list of complementary objects
    • getComplementaryObjectsForRole

      public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass)
      Returns only the complementary objects for the given role that are instances of perunBeanClass.
      Parameters:
      sess - perun session
      role - to get object for
      perunBeanClass - particular class ( Vo | Group | ... )
      Returns:
      list of complementary objects
    • getFacilitiesWhereUserIsInRoles

      public static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
      Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
      Parameters:
      sess - Perun session
      user - user for whom Facilities are retrieved
      roles - for which Facilities are retrieved
      Returns:
      List of Facilities
    • getGroupRoleNames

      public static List<String> getGroupRoleNames(PerunSession sess, Group group)
      Get all role names of the given group.
      Parameters:
      sess - perun session
      group - group whose roles are retrieved
      Returns:
      list of roles.
    • getGroupRoles

      public static AuthzRoles getGroupRoles(PerunSession sess, Group group)
      Get all roles for a given group.
      Parameters:
      sess - perun session
      group - group
      Returns:
      AuthzRoles object which contains all roles with perunbeans
      Throws:
      InternalErrorException
    • getGroupsWhereUserIsInRoles

      public static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
      Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.

      Method does not return subgroups of the fetched groups.

      Parameters:
      sess - Perun session
      user - user for whom Groups are retrieved
      roles - for which Groups are retrieved
      Returns:
      List of Groups
    • getLoggedUser

      public static User getLoggedUser(PerunSession sess)
      Returns the user associated with the credentials used to log in to Perun.
      Parameters:
      sess - perun session
      Returns:
      currently logged user
    • getMembersWhereUserIsInRoles

      public static List<Member> getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
      Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
      Parameters:
      sess - Perun session
      user - user for whom Members are retrieved
      roles - for which Members are retrieved
      Returns:
      List of Members
    • getPerunPrincipal

      public static PerunPrincipal getPerunPrincipal(PerunSession sess)
      Returns the PerunPrincipal object associated with the current session. It contains the necessary information, including user identification, authorization and metadata. Each call of this method refreshes the session, including its authorization data.
      Parameters:
      sess - perun session
      Returns:
      perunPrincipal object
      Throws:
      InternalErrorException - if the PerunSession is not valid.
    • getPrincipalRoleNames

      public static List<String> getPrincipalRoleNames(PerunSession sess)
      Get all principal role names.
      Parameters:
      sess - perun session
      Returns:
      list of roles.
    • getResourcesWhereUserIsInRoles

      public static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
      Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
      Parameters:
      sess - Perun session
      user - user for whom Resources are retrieved
      roles - for which Resources are retrieved
      Returns:
      List of Resources
    • getRichAdmins

      public static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, String role) throws RoleCannotBeManagedException
      Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role without any attributes.
      Parameters:
      sess - perun session
      complementaryObject - for which we will get administrator
      role - expected role to filter managers by
      Returns:
      list of richUser administrators for complementary object and role.
      Throws:
      RoleCannotBeManagedException
    • getRichAdmins

      public static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes) throws RoleCannotBeManagedException
      Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.

      If onlyDirectAdmins is true, return only direct users of the complementary object for the role, with the specified attributes. If allUserAttributes is true, the specificAttributes list is ignored and all user attributes are returned in the richUser objects.

      Parameters:
      sess - perun session
      complementaryObject - for which we will get administrator
      specificAttributes - list of specified attributes which are needed in object richUser
      role - expected role to filter managers by
      onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
      allUserAttributes - if true, get all possible user attributes and ignore list of specificAttributes (if false, get only specific attributes)
      Returns:
      list of richUser administrators for complementary object and role with specified attributes.
      Throws:
      RoleCannotBeManagedException
    • someAdminExists

      public static boolean someAdminExists(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws RoleCannotBeManagedException
      Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
      Parameters:
      sess - perun session
      complementaryObject - for which we will find administrator
      role - expected role to filter managers by
      onlyDirectAdmins - if true, search only direct user admins (if false, search both direct and indirect)
      Returns:
      true, if some user with required role exists, false otherwise.
      Throws:
      RoleCannotBeManagedException
    • getRoleComplementaryObjectsWithAuthorizedGroups

      public static Map<String,Map<String,Map<Integer,List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess, User user)
      Returns a map from role name to a map of the corresponding complementary objects (perun beans) distinguished by type, together with the list of authorized groups in which the user is a member: Map<RoleName, Map<BeanName, Map<BeanID, List<Group>>>>
      Parameters:
      sess - perun session
      user - user whose roles are resolved
      Returns:
      Map<String, Map<String, Map<Integer, List<Group>>>> roles with map of complementary objects with associated authorized groups
    • getRoleIdByName

      public static int getRoleIdByName(String name)
      Return id of the role by its name.
      Parameters:
      name - name of the role
      Returns:
      id of the role
    • getRolesObtainedFromAuthorizedGroupMemberships

      public static AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess, User user)
      Returns user's roles resulting from being a VALID member of authorized groups.
      Parameters:
      sess - perun session
      user - user
      Returns:
      AuthzRoles object which contains roles with perunbeans
      Throws:
      InternalErrorException
    • getUserRoleNames

      public static List<String> getUserRoleNames(PerunSession sess, User user)
      Get all role names of the given user. Does not include the membership and sponsorship roles.
      Parameters:
      sess - perun session
      user - User
      Returns:
      list of roles.
    • getUserRoles

      public static AuthzRoles getUserRoles(PerunSession sess, User user, boolean getAuthorizedGroupBasedRoles)
      Returns the user's direct roles; when getAuthorizedGroupBasedRoles is true, also the roles resulting from being a VALID member of authorized groups. Also returns the sponsorship and membership roles, which are not stored in the DB as authzRoles but are retrieved separately.
      Parameters:
      sess - perun session
      user - user
      getAuthorizedGroupBasedRoles - include roles based on membership in authorized groups
      Returns:
      AuthzRoles object which contains all roles with perunbeans
      Throws:
      InternalErrorException
    • getVosWhereUserIsInRoles

      public static List<Vo> getVosWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
      Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
      Parameters:
      sess - Perun session
      user - user for whom Vos are retrieved
      roles - for which Vos are retrieved
      Returns:
      List of Vos
    • groupMatchesUserRolesFilter

      public static boolean groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types)
      Check if the given group passes the user's roles filter.
      Parameters:
      sess - session
      user - user
      group - group
      roles - list of selected roles (if empty, groups with any role pass the filter)
      types - list of selected role assignment types (if empty, roles of all types pass the filter)
      Returns:
      true if the group matches the filter, false otherwise
    • hasMFASkippableRole

      public static boolean hasMFASkippableRole(PerunSession sess) throws RoleManagementRulesNotExistsException
      Returns true if the principal has a role which should skip the MFA check.
      Parameters:
      sess - principal's perun session
      Returns:
      true if principal has system role
      Throws:
      RoleManagementRulesNotExistsException - when the role does not have the management rules.
    • hasRole

      public static boolean hasRole(PerunPrincipal perunPrincipal, String role)
      Returns true if the perunPrincipal has the requested role.
      Parameters:
      perunPrincipal - acting person for whom the role is checked
      role - role to be checked
      Returns:
      true if the principal has the role, false otherwise
    • isAnyObjectMfaCritical

      public static boolean isAnyObjectMfaCritical(PerunSession sess, List<Object> objects)
      Returns true if any of the objects is marked as mfaCriticalObject in its attribute. Not usable for entityless attributes!
      Parameters:
      sess - session
      objects - objects to be checked
      Returns:
      true if any object is critical, false otherwise
    • isAuthorized

      @Deprecated public static boolean isAuthorized(PerunSession sess, String role, PerunBean complementaryObject)
      Deprecated.
      Checks if the principal is authorized.
      Parameters:
      sess - perunSession
      role - required role
      complementaryObject - object which specifies particular action of the role (e.g. group)
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - if something goes wrong
    • isAuthorized

      @Deprecated public static boolean isAuthorized(PerunSession sess, String role)
      Deprecated.
      Checks if the principal is authorized.
      Parameters:
      sess - perunSession
      role - required role
      Returns:
      true if the principal is authorized, false otherwise
      Throws:
      InternalErrorException - if something goes wrong
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
      Throws:
      InternalErrorException
      AttributeNotExistsException
      WrongAttributeAssignmentException
    • isAuthorizedForAttribute

      public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key) throws InternalErrorException, AttributeNotExistsException
      Throws:
      InternalErrorException
      AttributeNotExistsException
    • isAuthorizedForGroup

      public static boolean isAuthorizedForGroup(PerunSession sess, String policy, Integer groupId, Integer voId)
    • isFacilityAdmin

      public static boolean isFacilityAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is facility admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is facility admin.
    • isGroupAdmin

      public static boolean isGroupAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is group admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is group admin.
    • isGroupLastAdminInFacilities

      public static List<Facility> isGroupLastAdminInFacilities(PerunSession sess, Group group, List<Facility> facilities)
      Checks the facilities and returns those in which the group is the last admin.
      Parameters:
      sess - sess
      group - group
      facilities - facilities to check
      Returns:
      facilities in which the group is the last admin
    • isGroupLastAdminInVos

      public static List<Vo> isGroupLastAdminInVos(PerunSession sess, Group group, List<Vo> vos)
      Checks the vos and returns those in which the group is the last admin.
      Parameters:
      sess - sess
      group - group
      vos - vos to check
      Returns:
      vos in which the group is the last admin
    • isMfaAuthorizedForAttribute

      public static boolean isMfaAuthorizedForAttribute(PerunSession sess, AttributeDefinition attrDef, AttributeAction actionType, List<Object> objects)
      Checks authorization for the attribute according to the MFA rules. Returns false if the attribute action is marked as critical, the attribute's object is marked as critical, and the principal is not authenticated by MFA and does not have a system role. If MFA is globally disabled for the whole instance, returns true.
      Parameters:
      sess - session
      attrDef - attribute definition
      actionType - type of action (READ / WRITE)
      objects - objects related to the attribute
      Returns:
      true if MFA requirements are met, false otherwise
    • isPerunAdmin

      public static boolean isPerunAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is perun admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is perun admin.
    • isPerunObserver

      public static boolean isPerunObserver(PerunSession sess)
      Returns true if the perun principal inside the perun session is Perun Observer.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is Perun Observer.
    • isResourceAdmin

      public static boolean isResourceAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is resource admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is resource admin.
    • isTopGroupCreator

      public static boolean isTopGroupCreator(PerunSession sess)
      Returns true if the perun principal inside the perun session is top group creator.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is top group creator.
    • isUserLastAdminInFacilities

      public static List<Facility> isUserLastAdminInFacilities(PerunSession sess, User user, List<Facility> facilities)
      Checks the facilities and returns those in which the user is the last admin.
      Parameters:
      sess - sess
      user - user
      facilities - facilities to check
      Returns:
      facilities in which the user is the last admin
    • isUserLastAdminInVos

      public static List<Vo> isUserLastAdminInVos(PerunSession sess, User user, List<Vo> vos)
      Checks the vos and returns those in which the user is the last admin.
      Parameters:
      sess - sess
      user - user
      vos - vos to check
      Returns:
      vos in which the user is the last admin
    • isVoAdmin

      public static boolean isVoAdmin(PerunSession sess)
      Returns true if the perun principal inside the perun session is vo admin.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is vo admin
    • isVoAdminOrObserver

      public static boolean isVoAdminOrObserver(PerunSession sess, Vo vo)
      Returns true if perun principal is Vo admin or Vo observer of specific Vo.
      Parameters:
      sess - perun session
      vo - specific vo
      Returns:
      true if the perun principal is Vo admin or Vo observer of the given Vo, false otherwise
    • isVoObserver

      public static boolean isVoObserver(PerunSession sess)
      Returns true if the perun principal inside the perun session is vo observer.
      Parameters:
      sess - perun session
      Returns:
      true if the perun principal is vo observer
    • loadAuthorizationComponents

      public static void loadAuthorizationComponents()
    • makeUserPerunAdmin

      public static void makeUserPerunAdmin(PerunSession sess, User user) throws AlreadyAdminException
      Give the user the PERUNADMIN role.
      Parameters:
      sess - PerunSession with authorization
      user - which will get role "PERUNADMIN" in the system
      Throws:
      InternalErrorException - When implementation fails
      AlreadyAdminException - When user is already perun admin
    • refreshAuthz

      public static void refreshAuthz(PerunSession sess)
      Refresh authorization data inside session.

      Fills in the proper roles and their related entities (vos, groups, ...). The user itself and the ext source data are NOT updated.

      Parameters:
      sess - perun session to refresh authz for
    • refreshMfa

      public static void refreshMfa(PerunSession sess) throws MFAuthenticationException
      Checks if MFA is supported and if it was used by the user, then updates MFA flag in the session.
      Parameters:
      sess - PerunSession
      Throws:
      MFAuthenticationException - when MFA is not supported or can't be verified
    • refreshSession

      public static void refreshSession(PerunSession sess)
      Refresh all session data except the Ext. Source and additional information.

      This method updates the user in the session (it tries to find the user by ext. source data) and then updates the authorization data in the session.

      Parameters:
      sess - Perun session to refresh data for
    • removeAllAuthzForFacility

      public static void removeAllAuthzForFacility(PerunSession sess, Facility facility)
    • removeAllAuthzForGroup

      public static void removeAllAuthzForGroup(PerunSession sess, Group group)
    • removeAllAuthzForResource

      public static void removeAllAuthzForResource(PerunSession sess, Resource resource)
    • removeAllAuthzForService

      public static void removeAllAuthzForService(PerunSession sess, Service service)
    • removeAllAuthzForVo

      public static void removeAllAuthzForVo(PerunSession sess, Vo vo)
    • removeSpecificUserOwner

      public static void removeSpecificUserOwner(PerunSession sess, User specificUser, User owner) throws UserNotAdminException
      Remove owner for a specific user.
      Parameters:
      sess - Principal's session
      specificUser - specific user from which the owner is removed
      owner - owner of the specific user
      Throws:
      UserNotAdminException
    • roleExists

      public static boolean roleExists(String role)
    • selfAuthorizedForApplication

      public static boolean selfAuthorizedForApplication(PerunSession sess, Application app)
    • setAuthzResolverImpl

      public static AuthzResolverImplApi setAuthzResolverImpl(AuthzResolverImplApi authzResolverImpl)
    • setPerunBl

      public static PerunBl setPerunBl(PerunBl perunBl)
    • setRole

      public static void setRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
      Set role for user and one complementary object.

      If complementary object is wrong for the role, throw an exception.

      Parameters:
      sess - perun session
      user - the user to set the role for
      complementaryObject - object for which role will be set
      role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN | SERVICEACCOUNTCREATOR )
      Throws:
      AlreadyAdminException
      RoleCannotBeManagedException
      RoleCannotBeSetException
    • setRole

      public static void setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
      Set role for authorizedGroup and one complementary object.

      If complementary object is wrong for the role, throw an exception.

      Parameters:
      sess - perun session
      authorizedGroup - the group to set the role for
      complementaryObject - object for which role will be set
      role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN )
      Throws:
      AlreadyAdminException
      RoleCannotBeManagedException
      RoleCannotBeSetException
    • unsetRole

      public static void unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws UserNotAdminException, RoleCannotBeManagedException
      Unset role for user and one complementary object.

      If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      user - the user to unset the role for
      complementaryObject - object for which role will be unset
      role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN | SERVICEACCOUNTCREATOR)
      Throws:
      UserNotAdminException
      RoleCannotBeManagedException
    • unsetRole

      public static void unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws GroupNotAdminException, RoleCannotBeManagedException
      Unset role for group and one complementary object.

      If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.

      Parameters:
      sess - perun session
      authorizedGroup - the group to unset the role for
      complementaryObject - object for which role will be unset
      role - role of user in a session ( PERUNADMIN | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN )
      Throws:
      GroupNotAdminException
      RoleCannotBeManagedException
    • logLastAdmin

      public static void logLastAdmin(PerunSession sess, PerunBean complementaryObject)
      Checks whether the removed admin user/group was the last admin of the Vo/Facility and, if so, logs an AuditEvent which triggers a notification.
      Parameters:
      sess - session
      complementaryObject - Vo/Facility object
    • toString

      public String toString()
      Overrides:
      toString in class Object
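The policy-based check documented under authorized above, as an added example of how a caller can wrap it so that every failure path, including an unknown policy name, is treated as a denial and an MFA denial is reported separately. This is illustrative code, not Perun's own; the package paths of the imported API classes and the policy name "deleteVo_Vo" are assumptions, not taken from this page.

```java
import java.util.List;

// Package paths below are assumed; only AuthzResolverBlImpl's own package is shown on this page.
import cz.metacentrum.perun.core.api.PerunBean;
import cz.metacentrum.perun.core.api.PerunSession;
import cz.metacentrum.perun.core.api.Vo;
import cz.metacentrum.perun.core.api.exceptions.MfaPrivilegeException;
import cz.metacentrum.perun.core.api.exceptions.PolicyNotExistsException;
import cz.metacentrum.perun.core.api.exceptions.PrivilegeException;
import cz.metacentrum.perun.core.blImpl.AuthzResolverBlImpl;

/** Illustrative fail-closed wrapper around AuthzResolverBlImpl.authorized(); not Perun code. */
public final class AuthzGuard {

  /** Outcome of a decision, kept separate so the caller can log the reason for a denial. */
  public enum Decision { ALLOWED, DENIED, DENIED_MFA_REQUIRED, DENIED_POLICY_MISSING }

  private AuthzGuard() {
  }

  /**
   * Resolves the policy for the principal in the session. Every failure path is a denial:
   * an unknown policy name is a deployment bug and must never turn into an implicit grant.
   */
  public static Decision decide(PerunSession sess, String policyDefinition, List<PerunBean> objects) {
    try {
      return AuthzResolverBlImpl.authorized(sess, policyDefinition, objects)
          ? Decision.ALLOWED
          : Decision.DENIED;
    } catch (MfaPrivilegeException e) {
      // The policy requires MFA and the principal did not authenticate with it (see authorized() above).
      return Decision.DENIED_MFA_REQUIRED;
    } catch (PolicyNotExistsException e) {
      // The policy is not loaded in the PerunPoliciesContainer: fail closed rather than open.
      return Decision.DENIED_POLICY_MISSING;
    }
  }

  /** Enforces the decision: anything other than ALLOWED ends the operation with PrivilegeException. */
  public static void require(PerunSession sess, String policyDefinition, List<PerunBean> objects)
      throws PrivilegeException {
    Decision decision = decide(sess, policyDefinition, objects);
    if (decision != Decision.ALLOWED) {
      throw new PrivilegeException("policy " + policyDefinition + " denied access: " + decision);
    }
  }

  /** Usage: guard a Vo operation with the policy that protects it, before touching the Vo. */
  static void deleteVoGuarded(PerunSession sess, Vo vo) throws PrivilegeException {
    // "deleteVo_Vo" is a placeholder policy name chosen for this example, not a Perun policy name.
    List<PerunBean> objects = List.of(vo);
    require(sess, "deleteVo_Vo", objects);
    // ... the actual deletion would follow here ...
  }
}
```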