UnifiedRepositoryConnectionAclService.java

/*!
 * Copyright 2010 - 2015 Pentaho Corporation.  All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
package org.pentaho.di.repository.pur;

import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

import org.pentaho.di.core.exception.KettleException;
import org.pentaho.di.repository.ObjectId;
import org.pentaho.di.repository.ObjectRecipient;
import org.pentaho.di.repository.ObjectRecipient.Type;
import org.pentaho.di.repository.pur.model.ObjectAce;
import org.pentaho.di.repository.pur.model.ObjectAcl;
import org.pentaho.di.repository.pur.model.RepositoryObjectAce;
import org.pentaho.di.repository.pur.model.RepositoryObjectAcl;
import org.pentaho.di.repository.pur.model.RepositoryObjectRecipient;
import org.pentaho.di.ui.repository.pur.services.IConnectionAclService;
import org.pentaho.platform.api.repository2.unified.IUnifiedRepository;
import org.pentaho.platform.api.repository2.unified.RepositoryFile;
import org.pentaho.platform.api.repository2.unified.RepositoryFileAce;
import org.pentaho.platform.api.repository2.unified.RepositoryFileAcl;
import org.pentaho.platform.api.repository2.unified.RepositoryFilePermission;
import org.pentaho.platform.api.repository2.unified.RepositoryFileSid;

public class UnifiedRepositoryConnectionAclService implements IConnectionAclService {
  private final IUnifiedRepository pur;

  public UnifiedRepositoryConnectionAclService( IUnifiedRepository pur ) {
    this.pur = pur;
  }

  @Override
  public ObjectAcl getAcl( ObjectId fileId, boolean forceParentInheriting ) throws KettleException {
    RepositoryFileAcl acl = null;
    try {
      acl = pur.getAcl( fileId.getId() );
    } catch ( Exception drfe ) {
      // The user does not have rights to view the acl information.
      throw new KettleException( drfe );
    }
    RepositoryFileSid sid = acl.getOwner();
    ObjectRecipient owner = new RepositoryObjectRecipient( sid.getName() );
    if ( sid.getType().equals( RepositoryFileSid.Type.USER ) ) {
      owner.setType( Type.USER );
    } else {
      owner.setType( Type.ROLE );
    }

    ObjectAcl objectAcl = new RepositoryObjectAcl( owner );
    List<RepositoryFileAce> aces;

    // This flag (forceParentInheriting) is here to allow us to query the acl AS IF 'inherit from parent'
    // were true, without committing the flag to the repository. We need this for state representation
    // while a user is changing the acl in the client dialogs.

    if ( forceParentInheriting ) {
      objectAcl.setEntriesInheriting( true );
      aces = pur.getEffectiveAces( acl.getId(), true );
    } else {
      objectAcl.setEntriesInheriting( acl.isEntriesInheriting() );
      aces = ( acl.isEntriesInheriting() ) ? pur.getEffectiveAces( acl.getId() ) : acl.getAces();
    }
    List<ObjectAce> objectAces = new ArrayList<ObjectAce>();
    for ( RepositoryFileAce ace : aces ) {
      EnumSet<RepositoryFilePermission> permissions = ace.getPermissions();
      EnumSet<RepositoryFilePermission> permissionSet = EnumSet.noneOf( RepositoryFilePermission.class );
      RepositoryFileSid aceSid = ace.getSid();
      ObjectRecipient recipient = new RepositoryObjectRecipient( aceSid.getName() );
      if ( aceSid.getType().equals( RepositoryFileSid.Type.USER ) ) {
        recipient.setType( Type.USER );
      } else {
        recipient.setType( Type.ROLE );
      }
      permissionSet.addAll( permissions );

      objectAces.add( new RepositoryObjectAce( recipient, permissionSet ) );

    }
    objectAcl.setAces( objectAces );
    return objectAcl;
  }

  @Override
  public void setAcl( ObjectId fileId, ObjectAcl objectAcl ) throws KettleException {
    try {
      RepositoryFileAcl acl = pur.getAcl( fileId.getId() );
      RepositoryFileAcl.Builder newAclBuilder =
          new RepositoryFileAcl.Builder( acl ).entriesInheriting( objectAcl.isEntriesInheriting() ).clearAces();
      if ( !objectAcl.isEntriesInheriting() ) {
        List<ObjectAce> aces = objectAcl.getAces();
        for ( ObjectAce objectAce : aces ) {

          EnumSet<RepositoryFilePermission> permissions = objectAce.getPermissions();
          EnumSet<RepositoryFilePermission> permissionSet = EnumSet.noneOf( RepositoryFilePermission.class );
          ObjectRecipient recipient = objectAce.getRecipient();
          RepositoryFileSid sid;
          if ( recipient.getType().equals( Type.ROLE ) ) {
            sid = new RepositoryFileSid( recipient.getName(), RepositoryFileSid.Type.ROLE );
          } else {
            sid = new RepositoryFileSid( recipient.getName() );
          }
          if ( permissions != null ) {
            permissionSet.addAll( permissions );
          }
          newAclBuilder.ace( sid, permissionSet );
        }
      }
      pur.updateAcl( newAclBuilder.build() );
    } catch ( Exception drfe ) {
      // The user does not have rights to view or set the acl information.
      throw new KettleException( drfe );
    }
  }

  @Override
  public boolean hasAccess( ObjectId id, RepositoryFilePermission perm ) throws KettleException {
    RepositoryFile repositoryFile = pur.getFileById( id.getId() );
    return pur.hasAccess( repositoryFile.getPath(), EnumSet.of( perm ) );
  }

}