RoleChecker.java

/**
 *  Licensed to the Apache Software Foundation (ASF) under one or more
 *  contributor license agreements.  See the NOTICE file distributed with
 *  this work for additional information regarding copyright ownership.
 *  The ASF licenses this file to You under the Apache License, Version 2.0
 *  (the "License"); you may not use this file except in compliance with
 *  the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package org.apache.felix.useradmin.impl;

import java.util.ArrayList;
import java.util.List;

import org.osgi.service.useradmin.Group;
import org.osgi.service.useradmin.Role;

/**
 * Helper class to check for implied role memberships.
 */
final class RoleChecker {

    /**
     * Verifies whether the given role is implied by the memberships of the given user.
     * 
     * @param user the user to check the roles for, cannot be <code>null</code>;
     * @param impliedRole the implied role to check for, cannot be <code>null</code>.
     * @return <code>true</code> if the given user has the implied role, <code>false</code> otherwise.
     */
    public boolean isImpliedBy(Role role, Role impliedRole) {
        if (role instanceof Group) {
            return isGroupImpliedBy((Group) role, impliedRole, new ArrayList());
        } else /* if ((role instanceof User) || (role instanceof Role)) */ {
            return isRoleImpliedBy(role, impliedRole);
        }
    }

    /**
     * Verifies whether the given group is implied by the given role.
     * 
     * @param group the group to check, cannot be <code>null</code>;
     * @param impliedRole the implied role to check for, cannot be <code>null</code>;
     * @param seenGroups a list of all seen groups, used for detecting cycles in groups, cannot be <code>null</code>.
     * @return <code>true</code> if the given group has the implied role, <code>false</code> otherwise.
     */
    private boolean isGroupImpliedBy(Group group, Role impliedRole, List seenGroups) {
        Role[] basicRoles = group.getMembers();
        Role[] requiredRoles = group.getRequiredMembers();

        boolean isImplied = true;
        
        // Check whether all required roles are implied...
        for (int i = 0; (requiredRoles != null) && isImplied && (i < requiredRoles.length); i++) {
            Role requiredRole = requiredRoles[i];
            if (seenGroups.contains(requiredRole)) {
                // Found a cycle between groups; always yield false!
                return false;
            }
            
            if (requiredRole instanceof Group) {
                seenGroups.add(requiredRole);
                isImplied = isGroupImpliedBy((Group) requiredRole, impliedRole, seenGroups);
            } else /* if ((requiredRole instanceof User) || (requiredRole instanceof Role)) */ {
                isImplied  = isRoleImpliedBy(requiredRole, impliedRole);
            }
        }

        // Required role is not implied by the given role; we can stop now...
        if (!isImplied) {
            return false;
        }

        // Ok; all required roles are implied, let's verify whether a least one basic role is implied...
        isImplied = false;

        // Check whether at least one basic role is implied...
        for (int i = 0; (basicRoles != null) && !isImplied && (i < basicRoles.length); i++) {
            Role basicRole = (Role) basicRoles[i];
            if (seenGroups.contains(basicRole)) {
                // Found a cycle between groups; always yield false!
                return false;
            }

            if (basicRole instanceof Group) {
                seenGroups.add(basicRole);
                isImplied = isGroupImpliedBy((Group) basicRole, impliedRole, seenGroups);
            } else /* if ((basicRole instanceof User) || (basicRole instanceof Role)) */ {
                isImplied = isRoleImpliedBy(basicRole, impliedRole);
            }
        }

        return isImplied;
    }

    /**
     * Verifies whether the given role is implied by the given role.
     * 
     * @param role the role to check, cannot be <code>null</code>;
     * @param impliedRole the implied role to check for, cannot be <code>null</code>;
     * @return <code>true</code> if the given role is implied by the given role, <code>false</code> otherwise.
     */
    private boolean isRoleImpliedBy(Role role, Role impliedRole) {
        return Role.USER_ANYONE.equals(role.getName()) || (impliedRole != null && impliedRole.getName().equals(role.getName()));
    }
}