/*
* Copyright (c) 2006-2011 Nuxeo SA (http://nuxeo.com/) and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* Contributors:
* Anahide Tchertchian
* Florent Guillaume
*/
package org.eclipse.ecr.core.security;
import java.io.Serializable;
import java.security.Principal;
import java.util.Collection;
import org.eclipse.ecr.core.api.security.ACP;
import org.eclipse.ecr.core.api.security.Access;
import org.eclipse.ecr.core.model.Document;
import org.eclipse.ecr.core.query.sql.model.SQLQuery;
/**
* Service checking permissions for pluggable policies.
*
* @author Anahide Tchertchian
* @author Florent Guillaume
*/
public interface SecurityPolicyService extends Serializable {
/**
* Checks given permission for doc and principal.
* <p>
* The security service checks this service for a security access. This
* access is defined iterating over pluggable policies in a defined order.
* If access is not specified, security service applies its default policy.
*
* @param doc the document to check
* @param mergedAcp merged acp resolved for this document
* @param principal principal to check
* @param permission permission to check
* @param resolvedPermissions permissions or groups of permissions
* containing permission
* @param principalsToCheck principals (groups) to check for principal
* @return access: true, false, or nothing. When nothing is returned,
* following policies or default core security are applied.
*/
Access checkPermission(Document doc, ACP mergedAcp, Principal principal,
String permission, String[] resolvedPermissions,
String[] principalsToCheck);
void registerDescriptor(SecurityPolicyDescriptor descriptor);
void unregisterDescriptor(SecurityPolicyDescriptor descriptor);
/**
* Checks if any policy restricts the given permission.
* <p>
* If not, then no post-filtering on policies will be needed for query
* results.
*
* @return {@code true} if a policy restricts the permission
*/
boolean arePoliciesRestrictingPermission(String permission);
/**
* Checks if the policies can be expressed in a query for a given
* repository.
* <p>
* If not, then any query made will have to be post-filtered.
*
* @param repositoryName the target repository name.
* @return {@code true} if all policies can be expressed in a query
*/
boolean arePoliciesExpressibleInQuery(String repositoryName);
/**
* Get the transformers to apply the policies to a query for given
* repository.
*
* @param repositoryName the target repository name.
* @return the transformers.
*/
Collection<SQLQuery.Transformer> getPoliciesQueryTransformers(
String repositoryName);
}