/*
* (C) Copyright 2015 Nuxeo SA (http://nuxeo.com/) and others.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* Contributors:
* Thomas Roger
*/
package org.nuxeo.ecm.permissions;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.tokenauth.service.TokenAuthenticationService;
import org.nuxeo.runtime.api.Framework;
/**
 * Static helpers that tie an authentication token to a transient user's access to one document.
 * <p>
 * Both entry points are no-ops for usernames that {@link NuxeoPrincipal#isTransientUsername(String)} rejects.
 * The token is stored and looked up under the triple (username, repository name, document id).
 * <p>
 * The returned token is a credential: callers should avoid writing it to logs or audit messages.
 *
 * @since 8.1
 */
public class TransientUserPermissionHelper {

    private TransientUserPermissionHelper() {
        // static helpers only, never instantiated
    }

    /**
     * Acquires a token for a transient user on the given document.
     *
     * @param username the user the token is acquired for
     * @param doc the document whose repository name and id scope the token
     * @param permission the permission handed to the token service together with the token request
     * @return the token returned by the {@link TokenAuthenticationService}, or {@code null} when
     *         {@code username} is not a transient username; callers must handle the {@code null} case
     */
    public static String acquireToken(String username, DocumentModel doc, String permission) {
        if (!NuxeoPrincipal.isTransientUsername(username)) {
            return null;
        }
        TokenAuthenticationService tokenService = Framework.getService(TokenAuthenticationService.class);
        // the fourth argument is deliberately left null, as in every call made from this helper
        return tokenService.acquireToken(username, doc.getRepositoryName(), doc.getId(), null, permission);
    }

    /**
     * Revokes the token of a transient user on the given document, unless the user still holds a
     * non-archived ACE in one of the document's non-inherited ACLs.
     * <p>
     * Because a remaining ACE for the user blocks revocation, this is only effective once the ACE being
     * withdrawn is no longer present, or is archived, in the ACP returned by {@code doc.getACP()}.
     *
     * @param username the user whose token should be revoked
     * @param doc the document whose repository name and id identify the token
     */
    public static void revokeToken(String username, DocumentModel doc) {
        if (!NuxeoPrincipal.isTransientUsername(username)) {
            return;
        }
        if (holdsLiveLocalAce(username, doc.getACP())) {
            // the user still has access through another entry: keep the token
            return;
        }
        TokenAuthenticationService tokenService = Framework.getService(TokenAuthenticationService.class);
        String existingToken = tokenService.getToken(username, doc.getRepositoryName(), doc.getId());
        if (existingToken == null) {
            return;
        }
        tokenService.revokeToken(existingToken);
    }

    /**
     * Tells whether {@code username} appears in a non-archived ACE of any ACL other than the inherited one.
     */
    private static boolean holdsLiveLocalAce(String username, ACP acp) {
        for (ACL acl : acp.getACLs()) {
            boolean inherited = ACL.INHERITED_ACL.equals(acl.getName());
            if (!inherited) {
                // NOTE(review): only the archived flag is consulted; whether an entry that is not
                // archived but is outside its validity period should also keep the token alive
                // is worth confirming against the ACE lifecycle.
                for (ACE ace : acl) {
                    if (username.equals(ace.getUsername()) && !ace.isArchived()) {
                        return true;
                    }
                }
            }
        }
        return false;
    }
}