PolicyService.java example

Explorer
openmicroscopy-master
/*
 * Copyright (C) 2015 University of Dundee & Open Microscopy Environment.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

package ome.security.policy;

import java.util.Set;

import ome.conditions.SecurityViolation;
import ome.model.IObject;

/**
 * Internal service containing a number of configured {@link Policy} instances.
 * Each {@link Policy} is stored under a unique name, for which there may be
 * several other {@link Policy} instances. Consumers can either check whether
 * such a policy restriction is active via
 * {@link #isRestricted(String, IObject)} or let an exception be thrown by the
 * {@link Policy} itself via {@link #checkRestriction(String, IObject)}.
 * Further, the list of currently active restrictions can be provided in bulk to
 * clients via {@link #listActiveRestrictions(IObject)} so that restricted
 * operations need not be called only to have an exception thrown.
 */
public interface PolicyService {

    /**
     * Ask each configured {@link Policy} instance with the given name argument
     * if it considers the restriction active for the given {@link IObject}
     * argument. If any are active, return true.
     *
     * @param name
     *            non-null identifier of a class of {@link Policy} instances.
     * @param obj
     *            non-null "context" for this check.
     * @return true if any {@link Policy} returns true from
     *         {@link Policy#isRestricted(IObject)}.
     */
    boolean isRestricted(String name, IObject obj);

    /**
     * Give each configured {@link Policy} instance the chance to throw a
     * {@link SecurityViolation} from its
     * {@link Policy#checkRestriction(IObject)} method.
     *
     * @param name
     *            non-null identifier of a class of {@link Policy} instances.
     * @param obj
     *            non-null "context" for this check.
     */
    void checkRestriction(String name, IObject obj) throws SecurityViolation;

    /**
     * Return all configured identifier strings as would be passed as the first
     * argument to {@link #isRestricted(String, IObject)} or
     * {@link #checkRestriction(String, IObject)}.
     */
    Set<String> listAllRestrictions();

    /**
     * Return all identifier strings as would be passed as the first argument to
     * {@link #isRestricted(String, IObject)} or
     * {@link #checkRestriction(String, IObject)} <em>which</em> considers
     * itself active for the given argument.
     *
     * @param obj
     *            non-null context passed to each {@link Policy} instance.
     * @return a possibly empty string set of identifiers which should be
     *         returned to clients via
     *         {@link ome.model.internal.Permissions#copyExtendedRestrictions()}
     *         .
     */
    Set<String> listActiveRestrictions(IObject obj);

}