Coverage Report

Coverage Report - org.kuali.rice.kew.doctype.service.impl.DocumentSecurityServiceImpl

Classes in this File

Line Coverage

Branch Coverage

Complexity

DocumentSecurityServiceImpl

0/100

0/74

7.875

 /*
  * Copyright 2007-2009 The Kuali Foundation
  * 
  * Licensed under the Educational Community License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  * 
  * http://www.opensource.org/licenses/ecl2.php
  * 
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.kuali.rice.kew.doctype.service.impl;
 
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 
 import org.apache.commons.lang.StringUtils;
 import org.kuali.rice.kew.docsearch.DocSearchDTO;
 import org.kuali.rice.kew.doctype.DocumentTypeSecurity;
 import org.kuali.rice.kew.doctype.SecurityAttribute;
 import org.kuali.rice.kew.doctype.SecuritySession;
 import org.kuali.rice.kew.doctype.bo.DocumentType;
 import org.kuali.rice.kew.doctype.service.DocumentSecurityService;
 import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
 import org.kuali.rice.kew.service.KEWServiceLocator;
 import org.kuali.rice.kew.user.UserUtils;
 import org.kuali.rice.kew.util.KEWConstants;
 import org.kuali.rice.kew.util.Utilities;
 import org.kuali.rice.kew.web.KeyValue;
 import org.kuali.rice.kew.web.session.Authentication;
 import org.kuali.rice.kew.web.session.UserSession;
 import org.kuali.rice.kim.bo.Group;
 import org.kuali.rice.kim.bo.Person;
 import org.kuali.rice.kim.bo.types.dto.AttributeSet;
 import org.kuali.rice.kim.service.KIMServiceLocator;
 
 
 public class DocumentSecurityServiceImpl implements DocumentSecurityService {
   public static final org.apache.log4j.Logger LOG = org.apache.log4j.Logger.getLogger(DocumentSecurityServiceImpl.class);
 
   public boolean docSearchAuthorized(UserSession userSession, DocSearchDTO docCriteriaDTO, SecuritySession session) {
       return checkAuthorization(userSession, session, docCriteriaDTO.getDocTypeName(), docCriteriaDTO.getRouteHeaderId(), docCriteriaDTO.getInitiatorWorkflowId());
   }
 
   public boolean routeLogAuthorized(UserSession userSession, DocumentRouteHeaderValue routeHeader, SecuritySession session) {
       return checkAuthorization(userSession, session, routeHeader.getDocumentType().getName(), routeHeader.getRouteHeaderId(), routeHeader.getInitiatorWorkflowId());
   }
 
   protected boolean checkAuthorization(UserSession userSession, SecuritySession session, String documentTypeName, Long routeHeaderId, String initiatorPrincipalId) {
       DocumentTypeSecurity security = null;
       try {
           security = getDocumentTypeSecurity(userSession, documentTypeName, session);
           if (security == null || !security.isActive()) {
             // Security is not enabled for this doctype.  Everyone can see this doc.
             return true;
           }
           if (isAdmin(session)) {
               return true;
           }
           for (SecurityAttribute securityAttribute : security.getSecurityAttributes()) {
               Boolean authorized = securityAttribute.docSearchAuthorized(userSession.getPerson(), documentTypeName, routeHeaderId, initiatorPrincipalId);
               if (authorized != null) {
                   return authorized.booleanValue();
               }
           }
       } 
       catch (Exception e) {
           LOG.warn("Not able to retrieve DocumentTypeSecurity from remote system for doctype: " + documentTypeName, e);
           return false;
       }
       return checkStandardAuthorization(security, userSession, documentTypeName, routeHeaderId, initiatorPrincipalId, session);
   }
 
   protected boolean isAdmin(SecuritySession session) {
           if (session.getUserSession() == null) {
                   return false;
           }
           return KIMServiceLocator.getIdentityManagementService().isAuthorized(session.getUserSession().getPrincipalId(), KEWConstants.KEW_NAMESPACE,        KEWConstants.PermissionNames.UNRESTRICTED_DOCUMENT_SEARCH, new AttributeSet(), new AttributeSet());
   }
 
   protected boolean checkStandardAuthorization(DocumentTypeSecurity security, UserSession userSession, String docTypeName, Long documentId, String initiatorPrincipalId, SecuritySession session) {
         Person user = userSession.getPerson();
 
     LOG.debug("auth check user=" + user.getPrincipalId() +" docId=" + documentId);
 
     // Doc Initiator Authorization
     if (security.getInitiatorOk() != null && security.getInitiatorOk()) {
       boolean isInitiator = StringUtils.equals(initiatorPrincipalId, user.getPrincipalId());
       if (isInitiator) {
         return true;
       }
     }
 
     // Role authorization
     List<String> allowedRoles = security.getAllowedRoles();
     List<String> disallowedRoles = security.getDisallowedRoles();
     // only execute role security if they have it defined
     if ((allowedRoles != null && !allowedRoles.isEmpty()) ||
                     (disallowedRoles != null && !disallowedRoles.isEmpty())) {
             Boolean passesRoleSecurity = session.getPassesRoleSecurity().get(docTypeName);
             if (passesRoleSecurity != null) {
                     if (passesRoleSecurity) {
                             return true;
                     }
             } else {
                     passesRoleSecurity = isRoleAuthenticated(allowedRoles, disallowedRoles, userSession, session);
                     session.getPassesRoleSecurity().put(docTypeName, passesRoleSecurity);
                     if (passesRoleSecurity) {
                             return true;
                     }
             }
     }
 
     //  Workgroup Authorization
     List<Group> securityWorkgroups = security.getWorkgroups();
     if (securityWorkgroups != null) {
       for (Group securityWorkgroup : securityWorkgroups) {
         if (isWorkgroupAuthenticated(securityWorkgroup.getNamespaceCode(), securityWorkgroup.getGroupName(), session)) {
                 return true;
         }
       }
     }
 
     // Searchable Attribute Authorization
     Collection searchableAttributes = security.getSearchableAttributes();
     if (searchableAttributes != null) {
       for (Iterator iterator = searchableAttributes.iterator(); iterator.hasNext();) {
         KeyValue searchableAttr = (KeyValue) iterator.next();
         String attrName = searchableAttr.getkey();
         String idType = searchableAttr.getvalue();
         String idValue = UserUtils.getIdValue(idType, user);
         if (!StringUtils.isEmpty(idValue)) {
           if (KEWServiceLocator.getRouteHeaderService().hasSearchableAttributeValue(documentId, attrName, idValue)) {
             return true;
           }
         }
       }
     }
 
     // Route Log Authorization
     if (security.getRouteLogAuthenticatedOk() != null && security.getRouteLogAuthenticatedOk()) {
       boolean isInitiator = StringUtils.equals(initiatorPrincipalId, user.getPrincipalId());
       if (isInitiator) {
         return true;
       }
       boolean hasTakenAction = KEWServiceLocator.getActionTakenService().hasUserTakenAction(user.getPrincipalId(), documentId);
       if (hasTakenAction) {
         return true;
       }
       boolean hasRequest = KEWServiceLocator.getActionRequestService().doesPrincipalHaveRequest(user.getPrincipalId(), documentId);
       if (hasRequest) {
         return true;
       }
     }
 
     LOG.debug("user not authorized");
     return false;
   }
 
   protected DocumentTypeSecurity getDocumentTypeSecurity(UserSession userSession, String documentTypeName, SecuritySession session) {
       if (session == null) {
           session = new SecuritySession(userSession);
       }
           DocumentTypeSecurity security = session.getDocumentTypeSecurity().get(documentTypeName);
           if (security == null) {
                   DocumentType docType = KEWServiceLocator.getDocumentTypeService().findByName(documentTypeName);
                   security = docType.getDocumentTypeSecurity();
                   session.getDocumentTypeSecurity().put(documentTypeName, security);
           }
           return security;
   }
 
   protected boolean isWorkgroupAuthenticated(String namespace, String workgroupName, SecuritySession session) {
           String key = namespace.trim() + KEWConstants.KIM_GROUP_NAMESPACE_NAME_DELIMITER_CHARACTER + workgroupName.trim();
       Boolean existingAuth = session.getAuthenticatedWorkgroups().get(key);
           if (existingAuth != null) {
                   return existingAuth;
           }
           boolean memberOfGroup = session.getUserSession().isMemberOfGroupWithName(namespace, workgroupName);
           session.getAuthenticatedWorkgroups().put(key, memberOfGroup);
           return memberOfGroup;
   }
 
   protected boolean isRoleAuthenticated(List<String> allowedRoles, List<String> disallowedRoles, UserSession userSession, SecuritySession session) {
           boolean disallowed = false;
           boolean allowed = false;
           for (Iterator iterator = userSession.getAuthentications().iterator(); iterator.hasNext();) {
                   Authentication auth = (Authentication) iterator.next();
                   String role = auth.getAuthority();
                   if (disallowedRoles.contains(role)) {
                           disallowed = true;
                   }
                   if (allowedRoles.contains(role)) {
                           allowed = true;
                   }
           }
           if (allowed) {
                   // allowed takes precedence over disallowed
                   return true;
           } else if (disallowed) {
                   // we know that we haven't been allowed at this point, if we're disallowed than we're not authenticated
                   return false;
           } else if (allowedRoles.isEmpty()) {
                   // if allowedRoles is empty, that means that disallowed roles are not empty and we know because of the previous condition
                   // that the user has not been disallowed, therefore the user should be allowed if they aren't in the disallow set
                   return true;
           }
           return false;
   }
 
 }

1		/*
2		* Copyright 2007-2009 The Kuali Foundation
3		*
4		* Licensed under the Educational Community License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.opensource.org/licenses/ecl2.php
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16		package org.kuali.rice.kew.doctype.service.impl;
17
18		import java.util.Collection;
19		import java.util.Iterator;
20		import java.util.List;
21
22		import org.apache.commons.lang.StringUtils;
23		import org.kuali.rice.kew.docsearch.DocSearchDTO;
24		import org.kuali.rice.kew.doctype.DocumentTypeSecurity;
25		import org.kuali.rice.kew.doctype.SecurityAttribute;
26		import org.kuali.rice.kew.doctype.SecuritySession;
27		import org.kuali.rice.kew.doctype.bo.DocumentType;
28		import org.kuali.rice.kew.doctype.service.DocumentSecurityService;
29		import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
30		import org.kuali.rice.kew.service.KEWServiceLocator;
31		import org.kuali.rice.kew.user.UserUtils;
32		import org.kuali.rice.kew.util.KEWConstants;
33		import org.kuali.rice.kew.util.Utilities;
34		import org.kuali.rice.kew.web.KeyValue;
35		import org.kuali.rice.kew.web.session.Authentication;
36		import org.kuali.rice.kew.web.session.UserSession;
37		import org.kuali.rice.kim.bo.Group;
38		import org.kuali.rice.kim.bo.Person;
39		import org.kuali.rice.kim.bo.types.dto.AttributeSet;
40		import org.kuali.rice.kim.service.KIMServiceLocator;
41
42
43	0	public class DocumentSecurityServiceImpl implements DocumentSecurityService {
44	0	public static final org.apache.log4j.Logger LOG = org.apache.log4j.Logger.getLogger(DocumentSecurityServiceImpl.class);
45
46		public boolean docSearchAuthorized(UserSession userSession, DocSearchDTO docCriteriaDTO, SecuritySession session) {
47	0	return checkAuthorization(userSession, session, docCriteriaDTO.getDocTypeName(), docCriteriaDTO.getRouteHeaderId(), docCriteriaDTO.getInitiatorWorkflowId());
48		}
49
50		public boolean routeLogAuthorized(UserSession userSession, DocumentRouteHeaderValue routeHeader, SecuritySession session) {
51	0	return checkAuthorization(userSession, session, routeHeader.getDocumentType().getName(), routeHeader.getRouteHeaderId(), routeHeader.getInitiatorWorkflowId());
52		}
53
54		protected boolean checkAuthorization(UserSession userSession, SecuritySession session, String documentTypeName, Long routeHeaderId, String initiatorPrincipalId) {
55	0	DocumentTypeSecurity security = null;
56		try {
57	0	security = getDocumentTypeSecurity(userSession, documentTypeName, session);
58	0	if (security == null \|\| !security.isActive()) {
59		// Security is not enabled for this doctype. Everyone can see this doc.
60	0	return true;
61		}
62	0	if (isAdmin(session)) {
63	0	return true;
64		}
65	0	for (SecurityAttribute securityAttribute : security.getSecurityAttributes()) {
66	0	Boolean authorized = securityAttribute.docSearchAuthorized(userSession.getPerson(), documentTypeName, routeHeaderId, initiatorPrincipalId);
67	0	if (authorized != null) {
68	0	return authorized.booleanValue();
69		}
70	0	}
71		}
72	0	catch (Exception e) {
73	0	LOG.warn("Not able to retrieve DocumentTypeSecurity from remote system for doctype: " + documentTypeName, e);
74	0	return false;
75	0	}
76	0	return checkStandardAuthorization(security, userSession, documentTypeName, routeHeaderId, initiatorPrincipalId, session);
77		}
78
79		protected boolean isAdmin(SecuritySession session) {
80	0	if (session.getUserSession() == null) {
81	0	return false;
82		}
83	0	return KIMServiceLocator.getIdentityManagementService().isAuthorized(session.getUserSession().getPrincipalId(), KEWConstants.KEW_NAMESPACE, KEWConstants.PermissionNames.UNRESTRICTED_DOCUMENT_SEARCH, new AttributeSet(), new AttributeSet());
84		}
85
86		protected boolean checkStandardAuthorization(DocumentTypeSecurity security, UserSession userSession, String docTypeName, Long documentId, String initiatorPrincipalId, SecuritySession session) {
87	0	Person user = userSession.getPerson();
88
89	0	LOG.debug("auth check user=" + user.getPrincipalId() +" docId=" + documentId);
90
91		// Doc Initiator Authorization
92	0	if (security.getInitiatorOk() != null && security.getInitiatorOk()) {
93	0	boolean isInitiator = StringUtils.equals(initiatorPrincipalId, user.getPrincipalId());
94	0	if (isInitiator) {
95	0	return true;
96		}
97		}
98
99		// Role authorization
100	0	List<String> allowedRoles = security.getAllowedRoles();
101	0	List<String> disallowedRoles = security.getDisallowedRoles();
102		// only execute role security if they have it defined
103	0	if ((allowedRoles != null && !allowedRoles.isEmpty()) \|\|
104		(disallowedRoles != null && !disallowedRoles.isEmpty())) {
105	0	Boolean passesRoleSecurity = session.getPassesRoleSecurity().get(docTypeName);
106	0	if (passesRoleSecurity != null) {
107	0	if (passesRoleSecurity) {
108	0	return true;
109		}
110		} else {
111	0	passesRoleSecurity = isRoleAuthenticated(allowedRoles, disallowedRoles, userSession, session);
112	0	session.getPassesRoleSecurity().put(docTypeName, passesRoleSecurity);
113	0	if (passesRoleSecurity) {
114	0	return true;
115		}
116		}
117		}
118
119		// Workgroup Authorization
120	0	List<Group> securityWorkgroups = security.getWorkgroups();
121	0	if (securityWorkgroups != null) {
122	0	for (Group securityWorkgroup : securityWorkgroups) {
123	0	if (isWorkgroupAuthenticated(securityWorkgroup.getNamespaceCode(), securityWorkgroup.getGroupName(), session)) {
124	0	return true;
125		}
126		}
127		}
128
129		// Searchable Attribute Authorization
130	0	Collection searchableAttributes = security.getSearchableAttributes();
131	0	if (searchableAttributes != null) {
132	0	for (Iterator iterator = searchableAttributes.iterator(); iterator.hasNext();) {
133	0	KeyValue searchableAttr = (KeyValue) iterator.next();
134	0	String attrName = searchableAttr.getkey();
135	0	String idType = searchableAttr.getvalue();
136	0	String idValue = UserUtils.getIdValue(idType, user);
137	0	if (!StringUtils.isEmpty(idValue)) {
138	0	if (KEWServiceLocator.getRouteHeaderService().hasSearchableAttributeValue(documentId, attrName, idValue)) {
139	0	return true;
140		}
141		}
142	0	}
143		}
144
145		// Route Log Authorization
146	0	if (security.getRouteLogAuthenticatedOk() != null && security.getRouteLogAuthenticatedOk()) {
147	0	boolean isInitiator = StringUtils.equals(initiatorPrincipalId, user.getPrincipalId());
148	0	if (isInitiator) {
149	0	return true;
150		}
151	0	boolean hasTakenAction = KEWServiceLocator.getActionTakenService().hasUserTakenAction(user.getPrincipalId(), documentId);
152	0	if (hasTakenAction) {
153	0	return true;
154		}
155	0	boolean hasRequest = KEWServiceLocator.getActionRequestService().doesPrincipalHaveRequest(user.getPrincipalId(), documentId);
156	0	if (hasRequest) {
157	0	return true;
158		}
159		}
160
161	0	LOG.debug("user not authorized");
162	0	return false;
163		}
164
165		protected DocumentTypeSecurity getDocumentTypeSecurity(UserSession userSession, String documentTypeName, SecuritySession session) {
166	0	if (session == null) {
167	0	session = new SecuritySession(userSession);
168		}
169	0	DocumentTypeSecurity security = session.getDocumentTypeSecurity().get(documentTypeName);
170	0	if (security == null) {
171	0	DocumentType docType = KEWServiceLocator.getDocumentTypeService().findByName(documentTypeName);
172	0	security = docType.getDocumentTypeSecurity();
173	0	session.getDocumentTypeSecurity().put(documentTypeName, security);
174		}
175	0	return security;
176		}
177
178		protected boolean isWorkgroupAuthenticated(String namespace, String workgroupName, SecuritySession session) {
179	0	String key = namespace.trim() + KEWConstants.KIM_GROUP_NAMESPACE_NAME_DELIMITER_CHARACTER + workgroupName.trim();
180	0	Boolean existingAuth = session.getAuthenticatedWorkgroups().get(key);
181	0	if (existingAuth != null) {
182	0	return existingAuth;
183		}
184	0	boolean memberOfGroup = session.getUserSession().isMemberOfGroupWithName(namespace, workgroupName);
185	0	session.getAuthenticatedWorkgroups().put(key, memberOfGroup);
186	0	return memberOfGroup;
187		}
188
189		protected boolean isRoleAuthenticated(List<String> allowedRoles, List<String> disallowedRoles, UserSession userSession, SecuritySession session) {
190	0	boolean disallowed = false;
191	0	boolean allowed = false;
192	0	for (Iterator iterator = userSession.getAuthentications().iterator(); iterator.hasNext();) {
193	0	Authentication auth = (Authentication) iterator.next();
194	0	String role = auth.getAuthority();
195	0	if (disallowedRoles.contains(role)) {
196	0	disallowed = true;
197		}
198	0	if (allowedRoles.contains(role)) {
199	0	allowed = true;
200		}
201	0	}
202	0	if (allowed) {
203		// allowed takes precedence over disallowed
204	0	return true;
205	0	} else if (disallowed) {
206		// we know that we haven't been allowed at this point, if we're disallowed than we're not authenticated
207	0	return false;
208	0	} else if (allowedRoles.isEmpty()) {
209		// if allowedRoles is empty, that means that disallowed roles are not empty and we know because of the previous condition
210		// that the user has not been disallowed, therefore the user should be allowed if they aren't in the disallow set
211	0	return true;
212		}
213	0	return false;
214		}
215
216		}