PolicyExtension.java

/**
 * Copyright (c) Codice Foundation
 * <p/>
 * This is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser
 * General Public License as published by the Free Software Foundation, either version 3 of the
 * License, or any later version.
 * <p/>
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details. A copy of the GNU Lesser General Public License
 * is distributed along with this program and can be found at
 * <http://www.gnu.org/licenses/lgpl.html>.
 */
package ddf.security.policy.extension;

import ddf.security.permission.CollectionPermission;
import ddf.security.permission.KeyValueCollectionPermission;

/**
 * Extends the policy of the Java PDP realm. These objects can provide additional policy information that cannot be captured through the standard
 * match-all or match-one scenarios.
 */
public interface PolicyExtension {

    /**
     * Returns true if the subject collection can imply the two sets of KeyValueCollectionPermission objects.
     * This method should return any permissions that it was unable to imply. That should include any permissions
     * that the method does not understand. For example: if 10 match all permissions are passed into the method and
     * 2 of those permissions can be implied, then the method should return the remaining 8 match all permissions.
     *
     * Warning: not returning any permissions from this method will immediately grant access to every request and
     * bypass the rest of the PDP.
     *
     * @param subjectAllCollection
     * @param matchAllCollection
     * @return KeyValueCollectionPermission - set of permissions that can not be implied by this extension
     */
    KeyValueCollectionPermission isPermittedMatchAll(CollectionPermission subjectAllCollection,
            KeyValueCollectionPermission matchAllCollection);

    /**
     * Returns true if the subject collection can imply the two sets of KeyValueCollectionPermission objects.
     * This method should return any permissions that it was unable to imply. That should include any permissions
     * that the method does not understand. For example: if 10 match one permissions are passed into the method and
     * 2 of those permissions can be implied, then the method should return the remaining 8 match one permissions.
     *
     * Warning: not returning any permissions from this method will immediately grant access to every request and
     * bypass the rest of the PDP.
     *
     * @param subjectAllCollection
     * @param matchOneCollection
     * @return KeyValueCollectionPermission - set of permissions that can not be implied by this extension
     */
    KeyValueCollectionPermission isPermittedMatchOne(CollectionPermission subjectAllCollection,
            KeyValueCollectionPermission matchOneCollection);

}