/*
 *  Copyright 2020 Anyware Services
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package org.ametys.core.right;

import java.util.Map;
import java.util.Set;

import org.ametys.core.group.GroupIdentity;
import org.ametys.core.user.UserIdentity;

/**
 * Contract for a read-only store of profile assignments: which profiles are allowed or denied
 * for anonymous, for any connected user, for a given user and for groups.
 * <p>
 * The {@code has...AnyAllowedProfile} methods answer an existence question about allowed
 * profiles and return an approximate set (see each method). The {@code getProfilesFor...}
 * methods return the allowed and the denied profiles side by side.
 * <p>
 * NOTE(review): this interface does not state how allowed and denied profiles are combined,
 * nor whether the {@code has...AnyAllowedProfile} methods take denials into account. Confirm
 * this against the caller before treating a non empty result as a final access decision.
 */
public interface ProfileAssignmentStorage
{
    /**
     * Minimum priority. Priorities are ordered in reverse of their numeric value:
     * the lowest priority is the largest int.
     */
    int MIN_PRIORITY = Integer.MAX_VALUE;

    /** Maximum priority. The highest priority is the smallest value, 0. */
    int MAX_PRIORITY = 0;

    /**
     * Keys of the map returned by {@link #getProfilesForAnonymousAndAnyConnectedUser(Object)}
     */
    enum AnonymousOrAnyConnectedKeys
    {
        /** Profiles allowed to anonymous */
        ANONYMOUS_ALLOWED,
        /** Profiles denied to anonymous */
        ANONYMOUS_DENIED,
        /** Profiles allowed to any connected user */
        ANYCONNECTEDUSER_ALLOWED,
        /** Profiles denied to any connected user */
        ANYCONNECTEDUSER_DENIED
    }

    /**
     * Keys of the inner maps returned by {@link #getProfilesForUsers(Object, UserIdentity)}
     * and {@link #getProfilesForGroups(Object, Set)}
     */
    enum UserOrGroup
    {
        /** Allowed profiles */
        ALLOWED,
        /** Denied profiles */
        DENIED
    }

    /* -------------- */
    /* HAS PERMISSION */
    /* -------------- */

    /**
     * Tells whether anonymous has at least one of the given profiles as an allowed profile
     * on any of the given root contexts, or on any of their sub contexts.<br>
     * Only supported objects are transmitted.
     * @param rootContexts The root contexts to search rights for
     * @param profileIds The ids of the profiles to look for
     * @return An empty Set when anonymous has no matching profile.<br>
     *         A non empty Set contains at least one of the given profiles, but it is neither
     *         complete nor exact: it may omit other matching profiles of anonymous, and it may
     *         contain profiles that were not in {@code profileIds}. A caller that needs only
     *         the requested profiles has to filter the result against {@code profileIds}.
     */
    Set<String> hasAnonymousAnyAllowedProfile(Set<? extends Object> rootContexts, Set<String> profileIds);

    /**
     * Tells whether any connected user has at least one of the given profiles as an allowed
     * profile on any of the given root contexts, or on any of their sub contexts.<br>
     * Only supported objects are transmitted.
     * @param rootContexts The root contexts to search rights for
     * @param profileIds The ids of the profiles to look for
     * @return An empty Set when any connected user has no matching profile.<br>
     *         A non empty Set contains at least one of the given profiles, but it is neither
     *         complete nor exact: it may omit other matching profiles of any connected user,
     *         and it may contain profiles that were not in {@code profileIds}. A caller that
     *         needs only the requested profiles has to filter the result against
     *         {@code profileIds}.
     */
    Set<String> hasAnyConnectedAnyAllowedProfile(Set<? extends Object> rootContexts, Set<String> profileIds);

    /**
     * Tells whether the user has at least one of the given profiles as an allowed profile
     * on any of the given root contexts, or on any of their sub contexts.<br>
     * Only supported objects are transmitted.
     * @param rootContexts The root contexts to search rights for
     * @param user The user to test
     * @param profileIds The ids of the profiles to look for
     * @return An empty Set when the user has no matching profile.<br>
     *         A non empty Set contains at least one of the given profiles, but it is neither
     *         complete nor exact: it may omit other matching profiles of the user, and it may
     *         contain profiles that were not in {@code profileIds}. A caller that needs only
     *         the requested profiles has to filter the result against {@code profileIds}.
     */
    Set<String> hasUserAnyAllowedProfile(Set<? extends Object> rootContexts, UserIdentity user, Set<String> profileIds);

    /**
     * Tells whether one of the groups has at least one of the given profiles as an allowed
     * profile on any of the given root contexts, or on any of their sub contexts.<br>
     * Only supported objects are transmitted.
     * @param rootContexts The root contexts to search rights for
     * @param groups The groups to test (a single group needs to match)
     * @param profileIds The ids of the profiles to look for
     * @return An empty Set when no group has a matching profile.<br>
     *         A non empty Set contains at least one of the given profiles, but it is neither
     *         complete nor exact: it may omit other matching profiles of the groups, and it
     *         may contain profiles that were not in {@code profileIds}. A caller that needs
     *         only the requested profiles has to filter the result against {@code profileIds}.
     */
    Set<String> hasGroupAnyAllowedProfile(Set<? extends Object> rootContexts, Set<GroupIdentity> groups, Set<String> profileIds);

    /* -------------- */
    /* GET PERMISSION */
    /* -------------- */

    /**
     * Gets the profiles that anonymous and any connected user have on the given object,
     * allowed and denied.
     * @param object The object
     * @return a map containing allowed/denied profiles that anonymous and any connected user has on the given object
     */
    Map<AnonymousOrAnyConnectedKeys, Set<String>> getProfilesForAnonymousAndAnyConnectedUser(Object object);

    /**
     * Gets the users that have profiles assigned on the given object, with those profiles.
     * @param object The object to test
     * @param user The user to get profiles for. Can be null to get profiles for all users that have rights
     * @return The map of users with, for each of them, their assigned allowed/denied profiles
     */
    Map<UserIdentity, Map<UserOrGroup, Set<String>>> getProfilesForUsers(Object object, UserIdentity user);

    /**
     * Gets the groups that have profiles assigned on the given object, with those profiles.
     * @param object The object to test
     * @param groups The groups to get profiles for. Can be null to get profiles for all groups that have rights
     * @return The map of groups with, for each of them, their assigned allowed/denied profiles
     */
    Map<GroupIdentity, Map<UserOrGroup, Set<String>>> getProfilesForGroups(Object object, Set<GroupIdentity> groups);

    /* ------------------------------ */
    /* SUPPORT OF OBJECT AND PRIORITY */
    /* ------------------------------ */

    /**
     * Tells whether this profile storage supports the given object,
     * i.e. whether it is able to retrieve the allowed users/groups on that object.
     * @param object The object to test
     * @return true if this profile storage supports the given object
     */
    boolean isSupported(Object object);

    /**
     * Tells whether this profile storage supports the given object as a root context,
     * i.e. whether it can seek any permission under this object.
     * @param rootContext The object to start searching
     * @return true if this profile storage supports this object as a root context to search in
     */
    boolean isRootContextSupported(Object rootContext);

    /**
     * Returns the priority of this profile storage.
     * The {@link ProfileAssignmentStorageExtensionPoint} will take the profile storage
     * which supports the object with the highest priority to return the allowed/denied users/groups.
     * See {@link #MAX_PRIORITY} and {@link #MIN_PRIORITY} for the bounds and the ordering of the values.
     * @return the priority of this profile storage
     */
    int getPriority();

    /* ----------- */
    /* INHERITANCE */
    /* ----------- */

    /**
     * Tells whether the inheritance of permissions is disallowed on the given object.
     * @param object The object to test
     * @return true if the inheritance of permissions is disallowed on the given object
     */
    boolean isInheritanceDisallowed(Object object);
}