Class AuthzResolverBlImpl
- All Implemented Interfaces:
  AuthzResolverBl
- Author:
  Michal Prochazka <michalp@ics.muni.cz>

Constructor Summary
- AuthzResolverBlImpl()

Method Summary
Modifier and Type | Method | Description
- static void addAdmin(PerunSession sess, SecurityTeam securityTeam, Group group)
- static void addAdmin(PerunSession sess, SecurityTeam securityTeam, User user)
- static AuthzRoles addAllSubgroupsToAuthzRoles(PerunSession sess, AuthzRoles authzRoles, String role): For the given role with an association to "Group", also add all subgroups to authzRoles.
- static void addSpecificUserOwner(PerunSession sess, User specificUser, User owner): Add owner for a specific user.
- static boolean authorized(PerunSession sess, String policyDefinition, List<PerunBean> objects): Prepare the necessary structures and resolve access rights for the session's principal.
- static boolean authorizedToManageRole(PerunSession sess, PerunBean object, String roleName): Check whether the principal is authorized to manage the role on the object.
- static boolean authorizedToReadRole(PerunSession sess, PerunBean object, String roleName): Check whether the principal is authorized to read the role on the object.
- static List<Attribute> filterNotAllowedAttributes(PerunSession sess, PerunBean bean, List<Attribute> attributes): From the given attributes, filter out the ones which are not allowed for the current principal.
- static List<Group> getAdminGroups(PerunBean complementaryObject, String role): Get all authorizedGroups for the complementary object and role.
- static List<User> getAdmins(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins): Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for the complementary object and role.
- static List<PerunPolicy> getAllPolicies: Return all loaded perun policies.
- static List<RoleManagementRules> getAllRolesManagementRules: Return all loaded roles management rules.
- getComplementaryObjectsForRole(PerunSession sess, String role): Returns all complementary objects for the defined role.
- static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass): Returns only the complementary objects for the defined role which fit the perunBeanClass class.
- static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles): Get all Facilities where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- getGroupRoleNames(PerunSession sess, Group group): Get all Group's roles.
- static AuthzRoles getGroupRoles(PerunSession sess, Group group): Get all roles for a given group.
- static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles): Get all Groups where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- static User getLoggedUser(PerunSession sess): Returns the user associated with the credentials used to log in to Perun.
- static List<Member> getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles): Get all Members where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- static PerunPrincipal getPerunPrincipal(PerunSession sess): Returns the PerunPrincipal object associated with the current session.
- getPrincipalRoleNames(PerunSession sess): Get all principal role names.
- static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles): Get all Resources where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, String role): Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for the complementary object and role, without any attributes.
- static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes): Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for the complementary object and role, with the specified attributes.
- static Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess, User user): Returns a map of role name to a map of the corresponding role complementary objects (perun beans) distinguished by type.
- static int getRoleIdByName(String name): Return the id of the role by its name.
- static AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess, User user): Returns the user's roles resulting from being a VALID member of authorized groups.
- static Map<String, Set<ActionType>> getRolesWhichCanWorkWithAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef): Deprecated.
- static List<SecurityTeam> getSecurityTeamsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles): Get all SecurityTeams where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- getUserRoleNames(PerunSession sess, User user): Get all User's roles.
- static AuthzRoles getUserRoles(PerunSession sess, User user, boolean getAuthorizedGroupBasedRoles): Returns the user's direct roles and can also include roles resulting from being a VALID member of authorized groups. Also returns sponsorship and membership roles, which are not stored in the DB as authzRoles but are retrieved separately.
- getVosWhereUserIsInRoles(PerunSession sess, User user, List<String> roles): Get all Vos where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- static boolean groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types): Check if the given group passes the user's roles filter.
- static boolean hasMFASkippableRole(PerunSession sess): Returns true if the principal has a role which should skip the MFA check.
- static boolean hasRole(PerunPrincipal perunPrincipal, String role): Returns true if the perunPrincipal has the requested role.
- static boolean isAnyObjectMfaCritical(PerunSession sess, List<Object> objects): Returns true if any of the objects is marked as mfaCriticalObject in its attribute.
- static boolean isAuthorized(PerunSession sess, String role): Deprecated.
- static boolean isAuthorized(PerunSession sess, String role, PerunBean complementaryObject): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Facility facility): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group, Resource resource): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Host host): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Group group): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Resource resource): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Resource resource): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, UserExtSource ues): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user, Facility facility): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Vo vo): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, String key): Deprecated.
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo)
- static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key)
- static boolean isAuthorizedForGroup(PerunSession sess, String policy, Integer groupId, Integer voId)
- static boolean isFacilityAdmin(PerunSession sess): Returns true if the perun principal inside the perun session is facility admin.
- static boolean isGroupAdmin(PerunSession sess): Returns true if the perun principal inside the perun session is group admin.
- isGroupLastAdminInFacilities(PerunSession sess, Group group, List<Facility> facilities): Checks the facilities and returns those in which the group is the last admin.
- isGroupLastAdminInVos(PerunSession sess, Group group, List<Vo> vos): Checks the vos and returns those in which the group is the last admin.
- static boolean isMfaAuthorizedForAttribute(PerunSession sess, AttributeDefinition attrDef, AttributeAction actionType, List<Object> objects): Checks authorization for the attribute according to MFA rules.
- static boolean isPerunAdmin(PerunSession sess): Returns true if the perun principal inside the perun session is perun admin.
- static boolean isPerunObserver(PerunSession sess): Returns true if the perun principal inside the perun session is Perun Observer.
- static boolean isResourceAdmin(PerunSession sess): Returns true if the perun principal inside the perun session is resource admin.
- static boolean isSecurityAdmin(PerunSession sess): Returns true if the perun principal inside the perun session is security admin.
- static boolean: Returns true if the perun principal inside the perun session is top group creator.
- isUserLastAdminInFacilities(PerunSession sess, User user, List<Facility> facilities): Checks the facilities and returns those in which the user is the last admin.
- isUserLastAdminInVos(PerunSession sess, User user, List<Vo> vos): Checks the vos and returns those in which the user is the last admin.
- static boolean isVoAdmin(PerunSession sess): Returns true if the perun principal inside the perun session is vo admin.
- static boolean isVoAdminOrObserver(PerunSession sess, Vo vo): Returns true if the perun principal is Vo admin or Vo observer of the specific Vo.
- static boolean isVoObserver(PerunSession sess): Returns true if the perun principal inside the perun session is vo observer.
- static void logLastAdmin(PerunSession sess, PerunBean complementaryObject): Checks whether the removed admin user/group was the last admin of the Vo/Facility and, if so, logs an AuditEvent which will trigger a notification.
- static void makeUserPerunAdmin(PerunSession sess, User user): Make user to be PERUNADMIN!
- static void refreshAuthz(PerunSession sess): Refresh authorization data inside the session.
- static void refreshMfa(PerunSession sess): Checks if MFA is supported and if it was used by the user, then updates the MFA flag in the session.
- static void refreshSession(PerunSession sess): Refresh all session data excluding Ext.
- static void removeAdmin(PerunSession sess, SecurityTeam securityTeam, Group group)
- static void removeAdmin(PerunSession sess, SecurityTeam securityTeam, User user)
- static void removeAllAuthzForFacility(PerunSession sess, Facility facility)
- static void removeAllAuthzForGroup(PerunSession sess, Group group)
- static void removeAllAuthzForResource(PerunSession sess, Resource resource)
- static void removeAllAuthzForSecurityTeam(PerunSession sess, SecurityTeam securityTeam)
- static void removeAllAuthzForService(PerunSession sess, Service service)
- static void removeAllAuthzForVo(PerunSession sess, Vo vo)
- static void removeSpecificUserOwner(PerunSession sess, User specificUser, User owner): Remove owner for a specific user.
- static boolean roleExists(String role)
- static boolean selfAuthorizedForApplication(PerunSession sess, Application app)
- static AuthzResolverImplApi setAuthzResolverImpl(AuthzResolverImplApi authzResolverImpl)
- static PerunBl setPerunBl(PerunBl perunBl)
- static void setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role): Set role for authorizedGroup and one complementary object.
- static void setRole(PerunSession sess, User user, PerunBean complementaryObject, String role): Set role for user and one complementary object.
- static boolean someAdminExists(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins): Check if some valid user with the specific role exists for the given complementary object (for group-based rights, status must be VALID for both Vo and group).
- String toString()
- static void unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role): Unset role for group and one complementary object.
- static void unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role): Unset role for user and one complementary object.

Constructor Details

AuthzResolverBlImpl
public AuthzResolverBlImpl()

Method Details

addAdmin
public static void addAdmin(PerunSession sess, SecurityTeam securityTeam, User user) throws AlreadyAdminException
- Throws:
  - AlreadyAdminException

addAdmin
public static void addAdmin(PerunSession sess, SecurityTeam securityTeam, Group group) throws AlreadyAdminException
- Throws:
  - AlreadyAdminException

addAllSubgroupsToAuthzRoles
public static AuthzRoles addAllSubgroupsToAuthzRoles(PerunSession sess, AuthzRoles authzRoles, String role)
For the given role with an association to "Group", also add all subgroups to authzRoles. If authzRoles is null, return an empty AuthzRoles. If there is no such role (given in the parameter), or no Group object for this role, return authzRoles unchanged.
- Parameters:
  - sess - perun session
  - authzRoles - authzRoles for some user
- Returns:
  - the same authzRoles object given in the parameter, extended with the subgroups of the groups for the given role

addSpecificUserOwner
public static void addSpecificUserOwner(PerunSession sess, User specificUser, User owner) throws AlreadyAdminException
Add owner for a specific user.
- Parameters:
  - sess - principal's session
  - owner - owner of the specific user
  - specificUser - user for which the owner will be set
- Throws:
  - AlreadyAdminException

authorized
public static boolean authorized(PerunSession sess, String policyDefinition, List<PerunBean> objects) throws PolicyNotExistsException
Prepare the necessary structures and resolve access rights for the session's principal.
- Parameters:
  - sess - perunSession which contains the principal
  - policyDefinition - definition of the policy which defines the authorization rules
  - objects - list of PerunBeans on which authorization will be evaluated (e.g. groups, Vos, etc.)
- Returns:
  - true if the principal has the particular rights, false otherwise
- Throws:
  - PolicyNotExistsException - when the given policyDefinition does not exist in the PerunPoliciesContainer
  - MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it

authorizedToManageRole
public static boolean authorizedToManageRole(PerunSession sess, PerunBean object, String roleName) throws RoleManagementRulesNotExistsException
Check whether the principal is authorized to manage the role on the object.
- Parameters:
  - sess - principal's perun session
  - object - object bound to the role
  - roleName - role which will be managed
- Throws:
  - RoleManagementRulesNotExistsException - when the role does not have management rules

authorizedToReadRole
public static boolean authorizedToReadRole(PerunSession sess, PerunBean object, String roleName) throws RoleManagementRulesNotExistsException
Check whether the principal is authorized to read the role on the object.
- Parameters:
  - sess - principal's perun session
  - object - object bound to the role
  - roleName - role which will be managed
- Returns:
  - true if the principal is authorized, false otherwise
- Throws:
  - RoleManagementRulesNotExistsException - when the role does not have management rules

filterNotAllowedAttributes
public static List<Attribute> filterNotAllowedAttributes(PerunSession sess, PerunBean bean, List<Attribute> attributes)
From the given attributes, filter out the ones which are not allowed for the current principal.
- Parameters:
  - sess - session
  - bean - perun bean
  - attributes - attributes
- Returns:
  - list of attributes which can be accessed by the current principal

getAdminGroups
public static List<Group> getAdminGroups(PerunBean complementaryObject, String role) throws RoleCannotBeManagedException
Get all authorizedGroups for the complementary object and role.
- Parameters:
  - complementaryObject - object for which administrator groups are retrieved
  - role - expected role to filter authorizedGroups by
- Returns:
  - list of authorizedGroups for the complementary object and role
- Throws:
  - RoleCannotBeManagedException

getAdmins
public static List<User> getAdmins(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws RoleCannotBeManagedException
Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for the complementary object and role. If onlyDirectAdmins is true, return only direct users of the complementary object for the role.
- Parameters:
  - sess - perun session
  - complementaryObject - object for which administrators are retrieved
  - role - expected role to filter managers by
  - onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
- Returns:
  - list of user administrators for the complementary object and role
- Throws:
  - RoleCannotBeManagedException

getAllPolicies
Return all loaded perun policies.
- Returns:
  - all loaded policies

getAllRolesManagementRules
Return all loaded roles management rules.
- Returns:
  - all roles management rules

getComplementaryObjectsForRole
Returns all complementary objects for the defined role.
- Parameters:
  - sess - perun session
  - role - role to get objects for
- Returns:
  - list of complementary objects

getComplementaryObjectsForRole
public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass)
Returns only the complementary objects for the defined role which fit the perunBeanClass class.
- Parameters:
  - sess - perun session
  - role - role to get objects for
  - perunBeanClass - particular class (Vo | Group | ...)
- Returns:
  - list of complementary objects

getFacilitiesWhereUserIsInRoles
public static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
Get all Facilities where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- Parameters:
  - sess - Perun session
  - user - user for whom Facilities are retrieved
  - roles - roles for which Facilities are retrieved
- Returns:
  - List of Facilities

getGroupRoleNames
Get all Group's roles.
- Parameters:
  - sess - perun session
  - group - Group
- Returns:
  - list of roles

getGroupRoles
Get all roles for a given group.
- Parameters:
  - sess - perun session
  - group - group
- Returns:
  - AuthzRoles object which contains all roles with perun beans
- Throws:
  - InternalErrorException

getGroupsWhereUserIsInRoles
public static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
Get all Groups where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles. The method does not return subgroups of the fetched groups.
- Parameters:
  - sess - Perun session
  - user - user for whom Groups are retrieved
  - roles - roles for which Groups are retrieved
- Returns:
  - List of Groups

getLoggedUser
Returns the user associated with the credentials used to log in to Perun.
- Parameters:
  - sess - perun session
- Returns:
  - currently logged-in user

getMembersWhereUserIsInRoles
public static List<Member> getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
Get all Members where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- Parameters:
  - sess - Perun session
  - user - user for whom Members are retrieved
  - roles - roles for which Members are retrieved
- Returns:
  - List of Members

getPerunPrincipal
Returns the PerunPrincipal object associated with the current session. It contains the necessary information, including user identification, authorization and metadata. Each call of this method refreshes the session, including its authorization data.
- Parameters:
  - sess - perun session
- Returns:
  - perunPrincipal object
- Throws:
  - InternalErrorException - if the PerunSession is not valid

getPrincipalRoleNames
Get all principal role names.
- Parameters:
  - sess - perun session
- Returns:
  - list of roles

getResourcesWhereUserIsInRoles
public static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
Get all Resources where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- Parameters:
  - sess - Perun session
  - user - user for whom Resources are retrieved
  - roles - roles for which Resources are retrieved
- Returns:
  - List of Resources

getRichAdmins
public static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, String role) throws RoleCannotBeManagedException
Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for the complementary object and role, without any attributes.
- Parameters:
  - sess - perun session
  - complementaryObject - object for which administrators are retrieved
  - role - expected role to filter managers by
- Returns:
  - list of richUser administrators for the complementary object and role
- Throws:
  - RoleCannotBeManagedException

getRichAdmins
public static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes) throws RoleCannotBeManagedException
Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for the complementary object and role, with the specified attributes. If onlyDirectAdmins is true, return only direct users of the complementary object for the role, with the specific attributes. If allUserAttributes is true, do not select attributes through the list but return all of them in the richUser objects, ignoring the list of specific attributes.
- Parameters:
  - sess - perun session
  - complementaryObject - object for which administrators are retrieved
  - specificAttributes - list of specified attributes which are needed in the richUser object
  - role - expected role to filter managers by
  - onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
  - allUserAttributes - if true, get all possible user attributes and ignore the list of specificAttributes (if false, get only the specific attributes)
- Returns:
  - list of richUser administrators for the complementary object and role, with the specified attributes
- Throws:
  - RoleCannotBeManagedException

someAdminExists
public static boolean someAdminExists(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws RoleCannotBeManagedException
Check if some valid user with the specific role exists for the given complementary object (for group-based rights, status must be VALID for both Vo and group).
- Parameters:
  - sess - perun session
  - complementaryObject - object for which administrators are searched
  - role - expected role to filter managers by
  - onlyDirectAdmins - if true, search only direct user admins (if false, search both direct and indirect)
- Returns:
  - true if some user with the required role exists, false otherwise
- Throws:
  - RoleCannotBeManagedException

getRoleComplementaryObjectsWithAuthorizedGroups
public static Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess, User user)
Returns a map of role name to a map of the corresponding role complementary objects (perun beans) distinguished by type, together with the list of authorized groups where the user is a member: Map<RoleName, Map<BeanName, Map<BeanID, List<Group>>>>
- Parameters:
  - user
- Returns:
  - Map<String, Map<String, Map<Integer, List<Group>>>> of roles with a map of complementary objects and their associated authorized groups

getRoleIdByName
Return the id of the role by its name.
- Parameters:
  - name - name of the role
- Returns:
  - id of the role

getRolesObtainedFromAuthorizedGroupMemberships
public static AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess, User user)
Returns the user's roles resulting from being a VALID member of authorized groups.
- Parameters:
  - sess - perun session
  - user - user
- Returns:
  - AuthzRoles object which contains roles with perun beans
- Throws:
  - InternalErrorException

getRolesWhichCanWorkWithAttribute
@Deprecated
public static Map<String, Set<ActionType>> getRolesWhichCanWorkWithAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef) throws AttributeNotExistsException, ActionTypeNotExistsException
Deprecated. Return a map of roles, with their allowed actions, which are authorized to perform "action" on "attribute".
- Parameters:
  - sess - perun session
  - actionType - type of action on the attribute (e.g. write, read, etc.)
  - attrDef - attribute the principal wants to work with
- Returns:
  - map of roles with allowed action types
- Throws:
  - AttributeNotExistsException
  - ActionTypeNotExistsException

getSecurityTeamsWhereUserIsInRoles
public static List<SecurityTeam> getSecurityTeamsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
Get all SecurityTeams where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- Parameters:
  - sess - Perun session
  - user - user for whom SecurityTeams are retrieved
  - roles - roles for which SecurityTeams are retrieved
- Returns:
  - List of SecurityTeams

getUserRoleNames
Get all User's roles. Does not include the membership and sponsorship roles.
- Parameters:
  - sess - perun session
  - user - User
- Returns:
  - list of roles

getUserRoles
public static AuthzRoles getUserRoles(PerunSession sess, User user, boolean getAuthorizedGroupBasedRoles)
Returns the user's direct roles and can also include roles resulting from being a VALID member of authorized groups. Also returns sponsorship and membership roles, which are not stored in the DB as authzRoles but are retrieved separately.
- Parameters:
  - sess - perun session
  - user - user
  - getAuthorizedGroupBasedRoles - include roles based on membership in authorized groups
- Returns:
  - AuthzRoles object which contains all roles with perun beans
- Throws:
  - InternalErrorException

getVosWhereUserIsInRoles
Get all Vos where the given user has one of the given roles set, or where the given user is a member of an authorized group with such roles.
- Parameters:
  - sess - Perun session
  - user - user for whom Vos are retrieved
  - roles - roles for which Vos are retrieved
- Returns:
  - List of Vos

groupMatchesUserRolesFilter
public static boolean groupMatchesUserRolesFilter(PerunSession sess, User user, Group group, List<String> roles, List<RoleAssignmentType> types)
Check if the given group passes the user's roles filter.
- Parameters:
  - sess - session
  - user - user
  - group - group
  - roles - list of selected roles (if empty, then return groups by all roles)
  - types - list of selected types of roles (if empty, then return by roles of all types)
- Returns:
  - list of groups

hasMFASkippableRole
public static boolean hasMFASkippableRole(PerunSession sess) throws RoleManagementRulesNotExistsException
Returns true if the principal has a role which should skip the MFA check.
- Parameters:
  - sess - principal's perun session
- Returns:
  - true if the principal has a system role
- Throws:
  - RoleManagementRulesNotExistsException - when the role does not have management rules

hasRole
Returns true if the perunPrincipal has the requested role.
- Parameters:
  - perunPrincipal - acting person for whom the role is checked
  - role - role to be checked

isAnyObjectMfaCritical
Returns true if any of the objects is marked as mfaCriticalObject in its attribute. Not usable for entityless attributes!
- Parameters:
  - sess - session
  - objects - objects to be checked
- Returns:
  - true if any object is critical

isAuthorized
@Deprecated
public static boolean isAuthorized(PerunSession sess, String role, PerunBean complementaryObject)
Deprecated. Checks if the principal is authorized.
- Parameters:
  - sess - perunSession
  - role - required role
  - complementaryObject - object which specifies the particular action of the role (e.g. group)
- Returns:
  - true if the principal is authorized, false otherwise
- Throws:
  - InternalErrorException - if something goes wrong

isAuthorized
Deprecated. Checks if the principal is authorized.
- Parameters:
  - sess - perunSession
  - role - required role
- Returns:
  - true if the principal is authorized, false otherwise
- Throws:
  - InternalErrorException - if something goes wrong

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Resource resource) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group, Resource resource) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user, Facility facility) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Group group) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Vo vo) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Resource resource) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Facility facility) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Host host) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, UserExtSource ues) throws WrongAttributeAssignmentException
Deprecated.

isAuthorizedForAttribute
@Deprecated
public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, String key)
Deprecated.

isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException

isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException

isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException

isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException

isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException -
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException -
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException -
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException -
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException -
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException -
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues) throws InternalErrorException, AttributeNotExistsException, WrongAttributeAssignmentException -
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key) throws InternalErrorException, AttributeNotExistsException -
isAuthorizedForGroup
public static boolean isAuthorizedForGroup(PerunSession sess, String policy, Integer groupId, Integer voId)
isFacilityAdmin
Returns true if the perun principal inside the perun session is facility admin.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is facility admin.

isGroupAdmin
Returns true if the perun principal inside the perun session is group admin.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is group admin.
isGroupLastAdminInFacilities
public static List<Facility> isGroupLastAdminInFacilities(PerunSession sess, Group group, List<Facility> facilities)
Checks the facilities and returns those in which the group is the last admin.
Parameters:
- sess - sess
- group - group
- facilities - facilities to check
Returns:
- facilities in which the group is the last admin

isGroupLastAdminInVos
Checks the vos and returns those in which the group is the last admin.
Parameters:
- sess - sess
- group - group
- vos - vos to check
Returns:
- vos in which the group is the last admin
isMfaAuthorizedForAttribute
public static boolean isMfaAuthorizedForAttribute(PerunSession sess, AttributeDefinition attrDef, AttributeAction actionType, List<Object> objects)
Checks authorization for attribute according to MFA rules. Returns false if the attribute action is marked as critical, the attribute's object is marked as critical, and the principal is not authorized by MFA and does not hold a system role. If MFA is globally disabled for the whole instance, returns true.
Parameters:
- sess - session
- attrDef - attribute definition
- actionType - type of action (READ / WRITE)
- objects - objects related to the attribute
Returns:
- true if MFA requirements are met, false otherwise
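The decision described for isMfaAuthorizedForAttribute, written out as an added, standalone Java model (not Perun's own code). The class, record and enum names below, the set of "system" roles, and the way critical actions and critical object types are represented are assumptions made for the example; Perun's real AttributeDefinition, AttributeAction and PerunPrincipal types are not used. It needs Java 16 or newer for records.

```java
import java.util.List;
import java.util.Set;

/** Added example: a standalone model of the MFA step-up rule, not Perun's own code. */
public final class MfaRuleExample {

    /** Attribute actions; the enum is an assumption, not Perun's AttributeAction. */
    public enum Action { READ, WRITE }

    /** Assumed attribute model: a name and the actions flagged as critical for it. */
    public record AttributeDef(String name, Set<Action> criticalActions) {}

    /** Assumed principal model: whether MFA was completed in this session, and held roles. */
    public record Principal(boolean mfaVerified, Set<String> roles) {}

    private final boolean mfaEnabledGlobally;   // instance-wide switch
    private final Set<String> criticalObjectTypes; // bean types flagged as critical (assumed)
    private final Set<String> systemRoles;         // roles exempt from step-up (assumed)

    public MfaRuleExample(boolean mfaEnabledGlobally,
                          Set<String> criticalObjectTypes,
                          Set<String> systemRoles) {
        this.mfaEnabledGlobally = mfaEnabledGlobally;
        this.criticalObjectTypes = criticalObjectTypes;
        this.systemRoles = systemRoles;
    }

    /**
     * Returns false only when every condition holds: MFA is enforced for the instance,
     * the action on this attribute is critical, at least one related object is of a
     * critical type, and the principal has neither completed MFA nor holds a system role.
     */
    public boolean isMfaAuthorizedForAttribute(Principal principal, AttributeDef attr,
                                               Action action, List<String> objectTypes) {
        if (!mfaEnabledGlobally) {
            return true; // nothing to enforce when MFA is disabled for the whole instance
        }
        if (!attr.criticalActions().contains(action)) {
            return true; // non-critical action: no step-up required
        }
        boolean objectCritical = objectTypes.stream().anyMatch(criticalObjectTypes::contains);
        if (!objectCritical) {
            return true; // attribute not bound to a critical object
        }
        if (principal.mfaVerified()) {
            return true; // step-up already completed in this session
        }
        // last escape hatch: system roles are exempt from the MFA requirement
        return principal.roles().stream().anyMatch(systemRoles::contains);
    }

    public static void main(String[] args) {
        MfaRuleExample resolver = new MfaRuleExample(
            true, Set.of("User", "Vo"), Set.of("PERUNADMIN"));
        AttributeDef sshKeys = new AttributeDef("urn:example:sshPublicKey", Set.of(Action.WRITE));

        Principal voAdminNoMfa = new Principal(false, Set.of("VOADMIN"));
        Principal voAdminWithMfa = new Principal(true, Set.of("VOADMIN"));
        Principal perunAdminNoMfa = new Principal(false, Set.of("PERUNADMIN"));

        // critical WRITE on a critical User object: only the first principal is refused
        System.out.println(resolver.isMfaAuthorizedForAttribute(voAdminNoMfa, sshKeys, Action.WRITE, List.of("User")));
        System.out.println(resolver.isMfaAuthorizedForAttribute(voAdminWithMfa, sshKeys, Action.WRITE, List.of("User")));
        System.out.println(resolver.isMfaAuthorizedForAttribute(perunAdminNoMfa, sshKeys, Action.WRITE, List.of("User")));
        // READ is not critical for this attribute, so no step-up is demanded
        System.out.println(resolver.isMfaAuthorizedForAttribute(voAdminNoMfa, sshKeys, Action.READ, List.of("User")));
        // the same critical write on a Facility (not a critical type here) passes without MFA
        System.out.println(resolver.isMfaAuthorizedForAttribute(voAdminNoMfa, sshKeys, Action.WRITE, List.of("Facility")));
    }
}
```

The order of the checks matters for auditability: the global switch and the two "is this even critical" tests short-circuit before any principal state is consulted, so a refusal can only ever mean that a critical action on a critical object was attempted without MFA and without a system role.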
isPerunAdmin
Returns true if the perun principal inside the perun session is perun admin.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is perun admin.

isPerunObserver
Returns true if the perun principal inside the perun session is Perun Observer.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is Perun Observer.

isResourceAdmin
Returns true if the perun principal inside the perun session is resource admin.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is resource admin.

isSecurityAdmin
Returns true if the perun principal inside the perun session is security admin.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is security admin.

isTopGroupCreator
Returns true if the perun principal inside the perun session is top group creator.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is top group creator.
isUserLastAdminInFacilities
public static List<Facility> isUserLastAdminInFacilities(PerunSession sess, User user, List<Facility> facilities)
Checks the facilities and returns those in which the user is the last admin.
Parameters:
- sess - sess
- user - user
- facilities - facilities to check
Returns:
- facilities in which the user is the last admin

isUserLastAdminInVos
Checks the vos and returns those in which the user is the last admin.
Parameters:
- sess - sess
- user - user
- vos - vos to check
Returns:
- vos in which the user is the last admin

isVoAdmin
Returns true if the perun principal inside the perun session is vo admin.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is vo admin

isVoAdminOrObserver
Returns true if the perun principal is Vo admin or Vo observer of the specific Vo.
Parameters:
- sess - perun session
- vo - specific vo
Returns:
- boolean

isVoObserver
Returns true if the perun principal inside the perun session is vo observer.
Parameters:
- sess - perun session
Returns:
- true if the perun principal is vo observer
loadAuthorizationComponents
public static void loadAuthorizationComponents()

makeUserPerunAdmin
Make user to be PERUNADMIN!
Parameters:
- sess - PerunSession with authorization
- user - which will get role "PERUNADMIN" in the system
Throws:
- InternalErrorException - when implementation fails
- AlreadyAdminException - when user is already perun admin

refreshAuthz
Refresh authorization data inside session. Fill in proper roles and their relative entities (vos, groups, ...). The user itself or ext source data is NOT updated.
Parameters:
- sess - perun session to refresh authz for

refreshMfa
Checks if MFA is supported and if it was used by the user, then updates the MFA flag in the session.
Parameters:
- sess - PerunSession
Throws:
- MFAuthenticationException - when MFA is not supported or can't be verified

refreshSession
Refresh all session data excluding Ext. Source and additional information. This method updates the user in the session (tries to find the user by ext. source data). Then it updates authorization data in the session.
Parameters:
- sess - Perun session to refresh data for
removeAdmin
public static void removeAdmin(PerunSession sess, SecurityTeam securityTeam, User user) throws UserNotAdminException
Throws:
- UserNotAdminException

removeAdmin
public static void removeAdmin(PerunSession sess, SecurityTeam securityTeam, Group group) throws GroupNotAdminException
Throws:
- GroupNotAdminException

removeAllAuthzForFacility

removeAllAuthzForGroup

removeAllAuthzForResource

removeAllAuthzForSecurityTeam

removeAllAuthzForService

removeAllAuthzForVo

removeSpecificUserOwner
public static void removeSpecificUserOwner(PerunSession sess, User specificUser, User owner) throws UserNotAdminException
Remove owner for a specific user.
Parameters:
- sess - Principal's session
- owner - of the specific user
- specificUser - from which the owner will be unset
Throws:
- UserNotAdminException

roleExists

selfAuthorizedForApplication

setAuthzResolverImpl

setPerunBl
setRole
public static void setRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for user and one complementary object. If the complementary object is wrong for the role, throw an exception.
Parameters:
- sess - perun session
- user - the user for setting role
- role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | SECURITYADMIN | RESOURCESELFSERVICE | RESOURCEADMIN | SERVICEACCOUNTCREATOR )
- complementaryObject - object for which role will be set
Throws:
- AlreadyAdminException
- RoleCannotBeManagedException
- RoleCannotBeSetException

setRole
public static void setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for authorizedGroup and one complementary object. If the complementary object is wrong for the role, throw an exception.
Parameters:
- sess - perun session
- authorizedGroup - the group for setting role
- role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN )
- complementaryObject - object for which role will be set
Throws:
- AlreadyAdminException
- RoleCannotBeManagedException
- RoleCannotBeSetException

unsetRole
public static void unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws UserNotAdminException, RoleCannotBeManagedException
Unset role for user and one complementary object. If the complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore the complementary object.
Parameters:
- sess - perun session
- user - the user for unsetting role
- role - role of user in a session ( PERUNADMIN | PERUNADMINBA | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN | SERVICEACCOUNTCREATOR )
- complementaryObject - object for which role will be unset
Throws:
- UserNotAdminException
- RoleCannotBeManagedException

unsetRole
public static void unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws GroupNotAdminException, RoleCannotBeManagedException
Unset role for group and one complementary object. If the complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore the complementary object.
Parameters:
- sess - perun session
- authorizedGroup - the group for unsetting role
- role - role of user in a session ( PERUNADMIN | VOADMIN | GROUPADMIN | SELF | FACILITYADMIN | VOOBSERVER | TOPGROUPCREATOR | RESOURCESELFSERVICE | RESOURCEADMIN )
- complementaryObject - object for which role will be unset
Throws:
- GroupNotAdminException
- RoleCannotBeManagedException

logLastAdmin
Checks whether the removed admin user/group was the last admin of the Vo/Facility and, if so, logs an AuditEvent which will trigger a notification.
Parameters:
- sess - session
- complementaryObject - Vo/Facility object

toString
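The last-admin check that isUserLastAdminInFacilities, isGroupLastAdminInFacilities and logLastAdmin describe, as an added standalone Java example that is not Perun's own code. It assumes a facility's administrators can be held either directly by users or through admin groups (as the two is*LastAdmin* method families suggest), and that the check is evaluated against the state before the role is removed; the record, method and facility names are assumptions for the example. Java 16 or newer is needed for records.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example: detect and audit removal of the last administrator, not Perun's own code. */
public final class LastAdminExample {

    /** Assumed model of who administers one facility: direct user ids and admin group ids. */
    public record FacilityAdmins(Set<Integer> userIds, Set<Integer> groupIds) {
        /** True when this user is the only administrator and no admin group remains. */
        boolean onlyAdminIsUser(int userId) {
            return groupIds.isEmpty() && userIds.size() == 1 && userIds.contains(userId);
        }
        /** True when this group is the only administrator and no direct user admin remains. */
        boolean onlyAdminIsGroup(int groupId) {
            return userIds.isEmpty() && groupIds.size() == 1 && groupIds.contains(groupId);
        }
    }

    /** Counterpart of isUserLastAdminInFacilities: facilities the user alone administers. */
    public static List<String> userLastAdminIn(int userId, Map<String, FacilityAdmins> state,
                                               List<String> facilities) {
        List<String> out = new ArrayList<>();
        for (String f : facilities) {
            FacilityAdmins a = state.get(f);
            if (a != null && a.onlyAdminIsUser(userId)) out.add(f);
        }
        return out;
    }

    /** Counterpart of isGroupLastAdminInFacilities: facilities the group alone administers. */
    public static List<String> groupLastAdminIn(int groupId, Map<String, FacilityAdmins> state,
                                                List<String> facilities) {
        List<String> out = new ArrayList<>();
        for (String f : facilities) {
            FacilityAdmins a = state.get(f);
            if (a != null && a.onlyAdminIsGroup(groupId)) out.add(f);
        }
        return out;
    }

    /**
     * Counterpart of logLastAdmin: run against the admin state captured before unsetRole,
     * it returns one audit line per facility that is left without any administrator.
     * The event text is constructed for this example.
     */
    public static List<String> auditEventsForUserRemoval(int userId,
                                                         Map<String, FacilityAdmins> stateBeforeRemoval,
                                                         List<String> facilities) {
        List<String> events = new ArrayList<>();
        for (String f : userLastAdminIn(userId, stateBeforeRemoval, facilities)) {
            events.add("AuditEvent: last admin removed, facility=" + f + " user=" + userId);
        }
        return events;
    }

    public static void main(String[] args) {
        // constructed sample state: user 42 administers three facilities
        Map<String, FacilityAdmins> before = Map.of(
            "cluster-a", new FacilityAdmins(Set.of(42), Set.of()),      // 42 is the sole admin
            "cluster-b", new FacilityAdmins(Set.of(42), Set.of(7)),     // admin group 7 remains
            "storage",   new FacilityAdmins(Set.of(42, 43), Set.of())); // user 43 remains
        List<String> toCheck = List.of("cluster-a", "cluster-b", "storage");

        // only cluster-a would be orphaned by unsetting user 42's FACILITYADMIN role
        System.out.println(userLastAdminIn(42, before, toCheck));
        System.out.println(auditEventsForUserRemoval(42, before, toCheck));
        // group 7 is not the last admin anywhere, since cluster-b still has user 42
        System.out.println(groupLastAdminIn(7, before, toCheck));
    }
}
```

The point for a caller of unsetRole is sequencing: the admin sets must be read before the role is removed, otherwise the removed principal is already gone and every facility looks as if it never had that admin at all.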