UsernameConsumersPermission.java example

Explorer
candlepin-master
/**
 * Copyright (c) 2009 - 2012 Red Hat, Inc.
 *
 * This software is licensed to you under the GNU General Public License,
 * version 2 (GPLv2). There is NO WARRANTY for this software, express or
 * implied, including the implied warranties of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
 * along with this software; if not, see
 * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
 *
 * Red Hat trademarks are not licensed under GPLv2. No permission is
 * granted to use or replicate Red Hat trademarks that are incorporated
 * in this software or its documentation.
 */
package org.candlepin.auth.permissions;

import org.candlepin.auth.Access;
import org.candlepin.auth.SubResource;
import org.candlepin.model.Consumer;
import org.candlepin.model.Entitlement;
import org.candlepin.model.Owner;
import org.candlepin.model.User;

import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Restrictions;

import java.io.Serializable;

/**
 * A permission allowing a user access to consumers in their org only if they were the ones
 * to register them, as determined by the username on the consumer.
 *
 * Assumes the user has full access to those consumers including creation, update,
 * and deletion.
 *
 * Allows the user to create and manage entitlements for the consumer as well.
 */
public class UsernameConsumersPermission implements Permission, Serializable {
    private static final long serialVersionUID = 571612156736570455L;

    private final User user;
    private final Owner owner;

    public UsernameConsumersPermission(User u, Owner o) {
        this.user = u;
        this.owner = o;
    }


    @Override
    public boolean canAccess(Object target, SubResource subResource, Access required) {

        // Implied full access to the relevant Consumers:
        if (target.getClass().equals(Consumer.class)) {
            return ((Consumer) target).getOwner().getKey().equals(owner.getKey()) &&
                ((Consumer) target).getUsername().equals(user.getUsername()) &&
                Access.ALL.provides(required);
        }

        // TODO: Should this be broken out into two typed permissions, one for Consumer,
        // one for Owner + subresource of consumers?

        // Implied create access to the owner's consumers collection, which includes
        // read as well:
        if (target.getClass().equals(Owner.class) &&
            subResource.equals(SubResource.CONSUMERS) &&
            Access.CREATE.provides(required)) {
            return true;
        }

        // Must allow the user to manage their system's entitlements.
        if (target.getClass().equals(Entitlement.class)) {
            Entitlement ent = (Entitlement) target;
            if (ent.getConsumer().getUsername().equals(user.getUsername()) &&
                ent.getOwner().getKey().equals(owner.getKey())) {
                return true;
            }
        }

        return false;
    }

    @Override
    public Criterion getCriteriaRestrictions(Class entityClass) {
        if (entityClass.equals(Consumer.class)) {
            return Restrictions.eq("username", user.getUsername());
        }
        return null;
    }

    @Override
    public Owner getOwner() {
        return owner;
    }

    public String getUsername() {
        return user.getUsername();
    }

}