/*
 * Copyright 2020 Anyware Services
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.ametys.core.right;

import java.util.Map;
import java.util.Set;

import org.ametys.core.group.GroupIdentity;
import org.ametys.core.user.UserIdentity;
import org.ametys.runtime.plugin.component.Prioritizable;

/**
 * Read-only view over a storage of profile assignments.
 * <p>
 * Two families of queries are exposed: the {@code has...AnyAllowedProfile} methods, which search
 * under a set of root contexts, and the {@code getProfilesFor...} methods, which report the
 * allowed and denied profiles assigned on a single object.
 * <p>
 * NOTE(review): the {@code has...AnyAllowedProfile} methods only speak about allowed profiles;
 * how denied assignments are combined with their result is not visible in this interface and
 * must be confirmed in the caller.
 */
public interface ProfileAssignmentStorage extends Prioritizable
{
    /** Minimum priority. The scale is inverted: the largest int is the lowest priority. */
    int MIN_PRIORITY = Integer.MAX_VALUE;
    /** Maximum priority. The scale is inverted: zero is the highest priority. */
    int MAX_PRIORITY = 0;

    /**
     * Keys of the map returned by the method that reports the profiles of anonymous and of any connected user
     */
    enum AnonymousOrAnyConnectedKeys
    {
        /** Allowed profiles for anonymous */
        ANONYMOUS_ALLOWED,
        /** Denied profiles for anonymous */
        ANONYMOUS_DENIED,
        /** Allowed profiles for any connected users */
        ANYCONNECTEDUSER_ALLOWED,
        /** Denied profiles for any connected users */
        ANYCONNECTEDUSER_DENIED
    }

    /**
     * Keys of the inner maps returned by the methods that report the profiles of users or groups
     */
    enum UserOrGroup
    {
        /** Allowed profiles */
        ALLOWED,
        /** Denied profiles */
        DENIED
    }

    /* -------------- */
    /* HAS PERMISSION */
    /* -------------- */

    /**
     * Tells whether anonymous has, as an allowed profile, one of the given profiles on any of the given root contexts (or any sub context).<br>
     * Only supported objects are transmitted (presumably those accepted by {@link #isRootContextSupported(Object)}; to be confirmed against the caller).<br>
     * The returned Set is a signal and not an exact list: rely on it being empty or not, or re-check its content against the given profile ids.
     * @param rootContexts The root contexts to search rights for
     * @param profileIds The ids of the profiles
     * @return If the Set is empty, it means anonymous has no matching profile.<br>
     *         If the Set is non empty, it contains at least one of the given profiles BUT it may not contain all the matching profiles for anonymous AND it can contain some other profiles that were not in the given profiles
     */
    Set<String> hasAnonymousAnyAllowedProfile(Set<?> rootContexts, Set<String> profileIds);

    /**
     * Tells whether any connected user has, as an allowed profile, one of the given profiles on any of the given root contexts (or any sub context).<br>
     * Only supported objects are transmitted (presumably those accepted by {@link #isRootContextSupported(Object)}; to be confirmed against the caller).<br>
     * The returned Set is a signal and not an exact list: rely on it being empty or not, or re-check its content against the given profile ids.
     * @param rootContexts The root contexts to search rights for
     * @param profileIds The ids of the profiles
     * @return If the Set is empty, it means any connected user has no matching profile.<br>
     *         If the Set is non empty, it contains at least one of the given profiles BUT it may not contain all the matching profiles for any connected user AND it can contain some other profiles that were not in the given profiles
     */
    Set<String> hasAnyConnectedAnyAllowedProfile(Set<?> rootContexts, Set<String> profileIds);

    /**
     * Tells whether the user has, as an allowed profile, one of the given profiles on any of the given root contexts (or any sub context).<br>
     * Only supported objects are transmitted (presumably those accepted by {@link #isRootContextSupported(Object)}; to be confirmed against the caller).<br>
     * The returned Set is a signal and not an exact list: rely on it being empty or not, or re-check its content against the given profile ids.
     * @param rootContexts The root contexts to search rights for
     * @param user The user to test
     * @param profileIds The ids of the profiles
     * @return If the Set is empty, it means the user has no matching profile.<br>
     *         If the Set is non empty, it contains at least one of the given profiles BUT it may not contain all the matching profiles for the user AND it can contain some other profiles that were not in the given profiles
     */
    Set<String> hasUserAnyAllowedProfile(Set<?> rootContexts, UserIdentity user, Set<String> profileIds);

    /**
     * Tells whether one of the groups has, as an allowed profile, one of the given profiles on any of the given root contexts (or any sub context).<br>
     * Only supported objects are transmitted (presumably those accepted by {@link #isRootContextSupported(Object)}; to be confirmed against the caller).<br>
     * The returned Set is a signal and not an exact list: rely on it being empty or not, or re-check its content against the given profile ids.
     * @param rootContexts The root contexts to search rights for
     * @param groups The groups to test (a single group needs to match)
     * @param profileIds The ids of the profiles
     * @return If the Set is empty, it means the group has no matching profile.<br>
     *         If the Set is non empty, it contains at least one of the given profiles BUT it may not contain all the matching profiles for the group AND it can contain some other profiles that were not in the given profiles
     */
    Set<String> hasGroupAnyAllowedProfile(Set<?> rootContexts, Set<GroupIdentity> groups, Set<String> profileIds);

    /* -------------- */
    /* GET PERMISSION */
    /* -------------- */

    /**
     * Gets the allowed and denied profiles that anonymous and any connected user have on the given object
     * @param object The object
     * @return a map containing allowed/denied profiles that anonymous and any connected user has on the given object
     */
    Map<AnonymousOrAnyConnectedKeys, Set<String>> getProfilesForAnonymousAndAnyConnectedUser(Object object);

    /**
     * Gets the users that have profiles assigned on the given object, with their allowed and denied profiles
     * @param object The object to test
     * @param user The user to get profiles for. Can be null to get profiles for all users that have rights
     * @return The map of users with their assigned allowed/denied profiles
     */
    Map<UserIdentity, Map<UserOrGroup, Set<String>>> getProfilesForUsers(Object object, UserIdentity user);

    /**
     * Gets the groups that have profiles assigned on the given object, with their allowed and denied profiles
     * @param object The object to test
     * @param groups The groups to get profiles for. Can be null to get profiles for all groups that have rights
     * @return The map of groups with their assigned allowed/denied profiles
     */
    Map<GroupIdentity, Map<UserOrGroup, Set<String>>> getProfilesForGroups(Object object, Set<GroupIdentity> groups);

    /* ------------------------------ */
    /* SUPPORT OF OBJECT AND PRIORITY */
    /* ------------------------------ */

    /**
     * Returns true if this profile storage supports the given object,
     * i.e. if it is able to retrieve the allowed users/groups on that object
     * @param object The object to test
     * @return true if this profile storage supports the given object
     */
    boolean isSupported(Object object);

    /**
     * Returns true if this profile storage supports the given object as a root context,
     * i.e. it can seek any permission under this object
     * @param rootContext The object to start searching
     * @return true if this profile storage supports this object as a root context to search in
     */
    boolean isRootContextSupported(Object rootContext);

    /* ----------- */
    /* INHERITANCE */
    /* ----------- */

    /**
     * Returns true if the inheritance of permissions is disallowed on the given object
     * @param object The object to test
     * @return true if the inheritance of permissions is disallowed on the given object
     */
    boolean isInheritanceDisallowed(Object object);
}