/*
 *  Copyright 2016 Anyware Services
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
016package org.ametys.runtime.plugins.admin.rights;
017
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;

import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.commons.lang3.StringUtils;

import org.ametys.core.group.GroupIdentity;
import org.ametys.core.right.AccessController;
import org.ametys.core.right.RightsExtensionPoint;
import org.ametys.core.user.UserIdentity;
import org.ametys.core.user.UserManager;
import org.ametys.core.user.population.UserPopulationDAO;
034
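/**
 * Grant all rights to users from admin populations on admin context.
 * <p>
 * Decisions are based solely on the user's population: a user whose population id is
 * {@link UserPopulationDAO#ADMIN_POPULATION_ID} is allowed for every right, every other user
 * (and anonymous / "any connected user") gets {@link AccessResult#UNKNOWN}, so another
 * controller may still decide. The {@code rightId} and {@code object} arguments are never
 * inspected by the permission methods; {@link #isSupported(Object)} restricts this controller
 * to the {@value #ADMIN_RIGHT_CONTEXT} context and its sub-contexts, and the calling framework
 * is presumably expected to consult it only for supported objects (not verified here).
 */
public class AdminAccessController implements AccessController, Serviceable
{
    /** The right context for administration area */
    public static final String ADMIN_RIGHT_CONTEXT = "/admin";
    /** The rights extension point */
    protected RightsExtensionPoint _rightsExtensionPoint;
    /** The user manager */
    protected UserManager _userManager;
    
    @Override
    public void service(ServiceManager manager) throws ServiceException
    {
        _rightsExtensionPoint = (RightsExtensionPoint) manager.lookup(RightsExtensionPoint.ROLE);
        _userManager = (UserManager) manager.lookup(UserManager.ROLE);
    }
    
    /**
     * Tells whether a user belongs to the admin population.
     * This is the single predicate every user-based decision of this controller relies on.
     * @param user The user to test, may be null
     * @return true if the user is not null and its population id is {@link UserPopulationDAO#ADMIN_POPULATION_ID}
     */
    protected boolean _isAdminUser(UserIdentity user)
    {
        return user != null && StringUtils.equals(user.getPopulationId(), UserPopulationDAO.ADMIN_POPULATION_ID);
    }
    
    @Override
    public AccessResult getPermission(UserIdentity user, Set<GroupIdentity> userGroups, String rightId, Object object)
    {
        // Groups, rightId and object are irrelevant: membership of the admin population is the only criterion
        return _isAdminUser(user) ? AccessResult.USER_ALLOWED : AccessResult.UNKNOWN;
    }
    
    @Override
    public AccessResult getReadAccessPermission(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
    {
        return getPermission(user, userGroups, null, object);
    }

    @Override
    public Map<String, AccessResult> getPermissionByRight(UserIdentity user, Set<GroupIdentity> userGroups, Object object)
    {
        if (_isAdminUser(user))
        {
            // Every declared right is granted to an admin user
            return _rightsExtensionPoint.getExtensionsIds().stream()
                    .collect(Collectors.toMap(Function.identity(), rightId -> AccessResult.USER_ALLOWED));
        }
        // Typed empty map instead of the raw Collections.EMPTY_MAP
        return Collections.emptyMap();
    }

    @Override
    public AccessResult getPermissionForAnonymous(String rightId, Object object)
    {
        return AccessResult.UNKNOWN;
    }

    @Override
    public AccessResult getReadAccessPermissionForAnonymous(Object object)
    {
        return AccessResult.UNKNOWN;
    }

    @Override
    public AccessResult getPermissionForAnyConnectedUser(String rightId, Object object)
    {
        return AccessResult.UNKNOWN;
    }

    @Override
    public AccessResult getReadAccessPermissionForAnyConnectedUser(Object object)
    {
        return AccessResult.UNKNOWN;
    }

    @Override
    public Map<UserIdentity, AccessResult> getPermissionByUser(String rightId, Object object)
    {
        // All users of the admin population are allowed, whatever the right
        return _userManager.getUsers(UserPopulationDAO.ADMIN_POPULATION_ID).stream()
                .collect(Collectors.toMap(user -> user.getIdentity(), user -> AccessResult.USER_ALLOWED));
    }

    @Override
    public Map<UserIdentity, AccessResult> getReadAccessPermissionByUser(Object object)
    {
        return getPermissionByUser(null, object);
    }

    @Override
    public Map<GroupIdentity, AccessResult> getPermissionByGroup(String rightId, Object object)
    {
        // Rights are never granted through groups by this controller
        return Collections.emptyMap();
    }

    @Override
    public Map<GroupIdentity, AccessResult> getReadAccessPermissionByGroup(Object object)
    {
        return Collections.emptyMap();
    }
    
    @Override
    public boolean hasUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups)
    {
        return hasUserAnyPermissionOnWorkspace(workspacesContexts, user, userGroups, null);
    }

    @Override
    public boolean hasUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, UserIdentity user, Set<GroupIdentity> userGroups, String rightId)
    {
        // A null user (or null contexts) yields false instead of a NullPointerException, consistent with getPermission
        return workspacesContexts != null
                && workspacesContexts.contains(ADMIN_RIGHT_CONTEXT)
                && _isAdminUser(user);
    }
    
    @Override
    public boolean hasAnonymousAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
    {
        return false;
    }

    @Override
    public boolean hasAnonymousAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
    {
        return false;
    }

    @Override
    public boolean hasAnyConnectedUserAnyReadAccessPermissionOnWorkspace(Set<Object> workspacesContexts)
    {
        return false;
    }
    
    @Override
    public boolean hasAnyConnectedUserAnyPermissionOnWorkspace(Set<Object> workspacesContexts, String rightId)
    {
        return false;
    }
    
    @Override
    public boolean isSupported(Object object)
    {
        if (object instanceof String)
        {
            String context = (String) object;
            // Exact context or a sub-context separated by '/'; a mere prefix such as "/administration" is rejected
            return ADMIN_RIGHT_CONTEXT.equals(context) || context.startsWith(ADMIN_RIGHT_CONTEXT + '/');
        }
        return false;
    }
}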