/*
###############################################################################
# #
# Copyright (C) 2011-2016 OpenMEAP, Inc. #
# Credits to Jonathan Schang & Rob Thacher #
# #
# Released under the LGPLv3 #
# #
# OpenMEAP is free software: you can redistribute it and/or modify #
# it under the terms of the GNU Lesser General Public License as published #
# by the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# OpenMEAP is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU Lesser General Public License for more details. #
# #
# You should have received a copy of the GNU Lesser General Public License #
# along with OpenMEAP. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
*/
package com.openmeap;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import com.openmeap.model.dto.Application;
import com.openmeap.model.dto.ApplicationVersion;
import com.openmeap.model.dto.Deployment;
import com.openmeap.model.dto.GlobalSettings;
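/**
 * Request-scoped implementation of the Authorizer interface.
 *
 * <p>Every decision is taken against the roles and principal of the
 * {@link HttpServletRequest} injected through {@link #setRequest(HttpServletRequest)}.
 * The checks fail closed: an unknown target type, a {@code null} target, or a
 * missing principal yields {@code Boolean.FALSE} rather than an exception.
 * A request must have been set before {@link #may(Action, Object)} is called.
 *
 * @author schang
 */
public class AuthorizerImpl implements Authorizer {

    /**
     * Role may login and poke about, but that's about it.
     * Declared for completeness; no check in this class consults it.
     */
    private static final String USER_ROLE = "openmeap-user";

    /** Role may do anything. */
    private static final String ADMIN_ROLE = "openmeap-admin";

    /** Role may do anything with the applications. */
    private static final String APP_MODIFY_ROLE = "openmeap-application-admin";

    /** Role may create/delete/modify any application's versions. */
    private static final String VER_ADMIN_ROLE = "openmeap-version-admin";

    /** Role may modify existing versions only. */
    private static final String VER_MODIFY_ROLE = "openmeap-version-modifier";

    /** The request whose principal and roles are being authorized; set by the container/caller. */
    private HttpServletRequest request;

    /**
     * Decides whether the current request's user may perform {@code action} on {@code object}.
     *
     * <p>Administrators are allowed everything. Otherwise the decision is delegated
     * by target type to {@link #mayApplication}, {@link #mayAppVersion} or
     * {@link #mayDeployment}. {@link GlobalSettings}, a {@code null} target and any
     * unrecognised type are admin-only and therefore denied here.
     *
     * @param action the action being attempted (may be {@code null}; only compared by identity)
     * @param object the target entity, or {@code null}
     * @return {@link Boolean#TRUE} when permitted, {@link Boolean#FALSE} otherwise
     */
    public Boolean may(Action action, Object object) {
        // the admin may do anything
        if (request.isUserInRole(ADMIN_ROLE)) {
            return Boolean.TRUE;
        }
        // fail closed on a missing target instead of dereferencing it for getClass()
        if (object == null) {
            return Boolean.FALSE;
        }
        if (object instanceof Application) {
            return mayApplication(action, (Application) object);
        }
        if (object instanceof ApplicationVersion) {
            return mayAppVersion(action, (ApplicationVersion) object);
        }
        if (object instanceof Deployment) {
            return mayDeployment(action, (Deployment) object);
        }
        // GlobalSettings and anything unrecognised: admin-only, already handled above
        return Boolean.FALSE;
    }

    /**
     * Tests whether the request's principal, or any role it holds, appears in a
     * whitespace-separated list of user and role names.
     *
     * <p>Callers must have verified that {@code request.getUserPrincipal()} is non-null.
     *
     * @param userList whitespace-separated user/role names; {@code null} or blank denies
     * @return {@link Boolean#TRUE} on a match, {@link Boolean#FALSE} otherwise
     */
    private Boolean isUserOrRoleInList(String userList) {
        // an empty list grants nothing; avoids asking the container about the "" role
        if (userList == null || userList.trim().isEmpty()) {
            return Boolean.FALSE;
        }
        List<String> rolesUsers = Arrays.asList(userList.trim().split("\\s+"));
        String userName = request.getUserPrincipal().getName();
        if (rolesUsers.contains(userName)) {
            return Boolean.TRUE;
        }
        for (String roleOrUser : rolesUsers) {
            if (request.isUserInRole(roleOrUser)) {
                return Boolean.TRUE;
            }
        }
        return Boolean.FALSE;
    }

    /**
     * Authorizes an action on an {@link Application}: listed application admins may do
     * anything; holders of {@link #APP_MODIFY_ROLE} may only {@code Action.MODIFY}.
     *
     * @param action the attempted action
     * @param app the target application, or {@code null}
     * @return {@link Boolean#TRUE} when permitted, {@link Boolean#FALSE} otherwise
     */
    private Boolean mayApplication(Action action, Application app) {
        if (app != null && app.getAdmins() != null
                && request.getUserPrincipal() != null
                && isUserOrRoleInList(app.getAdmins())) {
            return Boolean.TRUE;
        }
        if (request.isUserInRole(APP_MODIFY_ROLE) && action == Action.MODIFY) {
            return Boolean.TRUE;
        }
        return Boolean.FALSE;
    }

    /**
     * Authorizes an action on an {@link ApplicationVersion}: the owning application's
     * listed version admins and holders of {@link #VER_ADMIN_ROLE} may do anything;
     * holders of {@link #VER_MODIFY_ROLE} may only {@code Action.MODIFY}.
     *
     * @param action the attempted action
     * @param appVer the target version, or {@code null}
     * @return {@link Boolean#TRUE} when permitted, {@link Boolean#FALSE} otherwise
     */
    private Boolean mayAppVersion(Action action, ApplicationVersion appVer) {
        Application app = appVer != null ? appVer.getApplication() : null;
        if (app != null && app.getVersionAdmins() != null
                && request.getUserPrincipal() != null
                && isUserOrRoleInList(app.getVersionAdmins())) {
            return Boolean.TRUE;
        }
        if (request.isUserInRole(VER_ADMIN_ROLE)) {
            return Boolean.TRUE;
        }
        if (request.isUserInRole(VER_MODIFY_ROLE) && action == Action.MODIFY) {
            return Boolean.TRUE;
        }
        return Boolean.FALSE;
    }

    /**
     * Authorizes an action on a {@link Deployment}: the owning application's listed
     * admins and holders of {@link #APP_MODIFY_ROLE} are permitted.
     *
     * @param action the attempted action (not consulted for deployments)
     * @param deployment the target deployment, or {@code null}
     * @return {@link Boolean#TRUE} when permitted, {@link Boolean#FALSE} otherwise
     */
    private Boolean mayDeployment(Action action, Deployment deployment) {
        // null-safe like mayAppVersion; a missing deployment cannot be authorized
        Application app = deployment != null ? deployment.getApplication() : null;
        if (app != null && app.getAdmins() != null
                && request.getUserPrincipal() != null
                && isUserOrRoleInList(app.getAdmins())) {
            return Boolean.TRUE;
        }
        // NOTE(review): unlike mayApplication, APP_MODIFY_ROLE is granted here for every
        // Action, not only MODIFY — confirm this asymmetry is intended.
        if (request.isUserInRole(APP_MODIFY_ROLE)) {
            return Boolean.TRUE;
        }
        return Boolean.FALSE;
    }

    /** @return the request this authorizer decides against, or {@code null} if not yet set */
    public HttpServletRequest getRequest() {
        return request;
    }

    /** @param request the request whose principal and roles will be authorized */
    public void setRequest(HttpServletRequest request) {
        this.request = request;
    }
}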