Coverage Report

Coverage Report - org.kuali.rice.kew.doctype.service.impl.DocumentTypePermissionServiceImpl

Classes in this File

Line Coverage

Branch Coverage

Complexity

DocumentTypePermissionServiceImpl

0/192

0/112

3.846

 /**
  * Copyright 2005-2011 The Kuali Foundation
  *
  * Licensed under the Educational Community License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.opensource.org/licenses/ecl2.php
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.kuali.rice.kew.doctype.service.impl;
 
 import org.apache.commons.lang.StringUtils;
 import org.kuali.rice.core.framework.services.CoreFrameworkServiceLocator;
 import org.kuali.rice.kew.doctype.DocumentTypePolicyEnum;
 import org.kuali.rice.kew.doctype.bo.DocumentType;
 import org.kuali.rice.kew.doctype.service.DocumentTypePermissionService;
 import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
 import org.kuali.rice.kew.api.KewApiConstants;
 import org.kuali.rice.kim.api.KimConstants;
 import org.kuali.rice.kim.api.group.GroupService;
 import org.kuali.rice.kim.api.permission.PermissionService;
 import org.kuali.rice.kim.api.services.KimApiServiceLocator;
 import org.kuali.rice.krad.datadictionary.DocumentEntry;
 import org.kuali.rice.krad.datadictionary.MaintenanceDocumentEntry;
 import org.kuali.rice.krad.document.Document;
 import org.kuali.rice.krad.document.MaintenanceDocument;
 import org.kuali.rice.krad.document.authorization.DocumentAuthorizerBase;
 import org.kuali.rice.krad.service.KRADServiceLocatorWeb;
 import org.kuali.rice.krad.util.KRADConstants;
 import org.kuali.rice.krad.util.KRADUtils;
 
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 /**
  * Implementation of the DocumentTypePermissionService. 
  * 
  * @author Kuali Rice Team (rice.collab@kuali.org)
  *
  */
 public class DocumentTypePermissionServiceImpl implements DocumentTypePermissionService {
         private static final org.apache.log4j.Logger LOG = org.apache.log4j.Logger.getLogger(DocumentTypePermissionServiceImpl.class);
         
         public boolean canBlanketApprove(String principalId, DocumentType documentType, String documentStatus, String initiatorPrincipalId) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
                 validateDocumentStatus(documentStatus);
                 validatePrincipalId(initiatorPrincipalId);
                 final Boolean result;
                         if (documentType.isBlanketApproveGroupDefined()) {
                                 boolean initiatorAuthorized = true;
                                 if (documentType.getInitiatorMustBlanketApprovePolicy().getPolicyValue()) {
                                         initiatorAuthorized = executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
                                 }
                                 result = initiatorAuthorized && documentType.isBlanketApprover(principalId);
                         } else {                
                                 Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType);
                                 result = getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.BLANKET_APPROVE_PERMISSION, permissionDetails, new HashMap<String, String>());
                         }
                 return result;
         }
         
         public boolean canReceiveAdHocRequest(String principalId, DocumentType documentType, String actionRequestType) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
                 validateActionRequestType(actionRequestType);
                 final Boolean result;
 
                         Map<String, String> permissionDetails = buildDocumentTypeActionRequestPermissionDetails(documentType, actionRequestType);
                         if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails)) {
                                 result = getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails, new HashMap<String, String>());
                         } else {
                                 result = Boolean.TRUE;
                         }
                 return result;
         }
 
         public boolean canGroupReceiveAdHocRequest(String groupId, DocumentType documentType, String actionRequestType) {
                 validateGroupId(groupId);
                 validateDocumentType(documentType);
                 validateActionRequestType(actionRequestType);
                 
                 Boolean result = Boolean.TRUE;
                         Map<String, String> permissionDetails = buildDocumentTypeActionRequestPermissionDetails(documentType, actionRequestType);
                         if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails)) {
                                 List<String> principalIds = getGroupService().getMemberPrincipalIds(groupId);
                                 // if any member of the group is not allowed to receive the request, then the group may not receive it
                                 for (String principalId : principalIds) {
                                         if (!getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails, new HashMap<String, String>())) {
                                                 result = Boolean.FALSE;
                                                 break;
                                         }
                                 }
                         }
                 return result;
         }
         
         public boolean canAdministerRouting(String principalId, DocumentType documentType) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
 
                 final Boolean result;
         if (documentType.isSuperUserGroupDefined()) {
             result = documentType.isSuperUser(principalId);
         } else {
             Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType);
             result = getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.ADMINISTER_ROUTING_PERMISSION, permissionDetails, new HashMap<String, String>());
         }
                 return result;
         }
         
         public boolean canCancel(String principalId, String documentId, DocumentType documentType, List<String> routeNodeNames, String documentStatus, String initiatorPrincipalId) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
                 validateRouteNodeNames(routeNodeNames);
                 validateDocumentStatus(documentStatus);
                 validatePrincipalId(initiatorPrincipalId);
 
                         if (!documentType.isPolicyDefined(DocumentTypePolicyEnum.INITIATOR_MUST_CANCEL)) {
                                 List<Map<String, String>> permissionDetailList = buildDocumentTypePermissionDetails(documentType, routeNodeNames, documentStatus);
 
                 boolean foundAtLeastOnePermission = false;
                 // loop over permission details, only one of them needs to be authorized
                 for (Map<String, String> permissionDetails : permissionDetailList) {
                     Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType, documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
                     if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.CANCEL_PERMISSION, permissionDetails)) {
                                                 foundAtLeastOnePermission = true;
                                         if (getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.CANCEL_PERMISSION, permissionDetails, roleQualifiers)) {
                                                         return true;
                                                 }
                                         }
                                 }
                                 // if we found defined KIM permissions, but not of them have authorized this user, return false
                                 if (foundAtLeastOnePermission) {
                                         return false;
                                 }
                         }
                         
                         if (documentType.getInitiatorMustCancelPolicy().getPolicyValue()) {
                         return executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
                         } else {
                         return true;
                         }                        
         }
         
         public boolean canInitiate(String principalId, DocumentType documentType) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
                 
                 Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType);
                 if (useKimPermission(KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, KewApiConstants.INITIATE_PERMISSION, permissionDetails)) {
                         return getPermissionService().isAuthorizedByTemplateName(principalId, KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, KewApiConstants.INITIATE_PERMISSION, permissionDetails, new HashMap<String, String>());
     }
                 return true;
         }
 
         public boolean canRoute(String principalId, DocumentRouteHeaderValue documentRouteHeaderValue) {
                 return canRoute(principalId, documentRouteHeaderValue.getDocumentId(), documentRouteHeaderValue.getDocumentType(),
                                 documentRouteHeaderValue.getDocRouteStatus(), documentRouteHeaderValue.getInitiatorWorkflowId());
         }
         
         public boolean canRoute(String principalId,        String documentId, DocumentType documentType, String documentStatus, String initiatorPrincipalId) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
                 validateDocumentStatus(documentStatus);
                 validatePrincipalId(initiatorPrincipalId);
 
                 if (!documentType.isPolicyDefined(DocumentTypePolicyEnum.INITIATOR_MUST_ROUTE)) {
                         Map<String, String> permissionDetails = buildDocumentTypeDocumentStatusPermissionDetails(documentType, documentStatus);
                         Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType, documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
                         
                         if (LOG.isDebugEnabled()) {
                                 LOG.debug("Permission details values: " + permissionDetails);
                                 LOG.debug("Role qualifiers values: " + roleQualifiers);
                         }
                         if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.ROUTE_PERMISSION, permissionDetails)) {
                                 return getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.ROUTE_PERMISSION, permissionDetails, roleQualifiers);
                         }
                 }
 
                 if (documentType.getInitiatorMustRoutePolicy().getPolicyValue()) {
                         return executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
     }
                 return true;
         }
 
         public boolean canAddRouteLogMessage(String principalId, DocumentRouteHeaderValue documentRouteHeaderValue) {
                 return canAddRouteLogMessage(principalId, documentRouteHeaderValue.getDocumentId(),
                                 documentRouteHeaderValue.getDocumentType(), documentRouteHeaderValue.getDocRouteStatus(),
                                 documentRouteHeaderValue.getInitiatorWorkflowId());
         }
 
         public boolean canAddRouteLogMessage(String principalId, String documentId, DocumentType documentType,
                         String documentStatus, String initiatorPrincipalId) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
                 validateDocumentStatus(documentStatus);
                 validatePrincipalId(initiatorPrincipalId);
 
                 Map<String, String> permissionDetails = buildDocumentTypeDocumentStatusPermissionDetails(documentType, documentStatus);
                 Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType,
                                 documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
 
                 if (LOG.isDebugEnabled()) {
                         LOG.debug("Permission details values: " + permissionDetails);
                         LOG.debug("Role qualifiers values: " + roleQualifiers);
                 }
 
                 if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.ADD_MESSAGE_TO_ROUTE_LOG, permissionDetails)) {
                         return getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE,
                                         KewApiConstants.ADD_MESSAGE_TO_ROUTE_LOG, permissionDetails, roleQualifiers);
                 }
 
                 return false;
         }
 
         public boolean canSave(String principalId, String documentId, DocumentType documentType, List<String> routeNodeNames, String documentStatus, String initiatorPrincipalId) {
                 validatePrincipalId(principalId);
                 validateDocumentType(documentType);
                 validateRouteNodeNames(routeNodeNames);
                 validateDocumentStatus(documentStatus);
                 validatePrincipalId(initiatorPrincipalId);
 
                 if (!documentType.isPolicyDefined(DocumentTypePolicyEnum.INITIATOR_MUST_SAVE)) {
                         List<Map<String, String>> permissionDetailList = buildDocumentTypePermissionDetails(documentType, routeNodeNames, documentStatus);
 
             boolean foundAtLeastOnePermission = false;
             // loop over permission details, only one of them needs to be authorized
             for (Map<String, String> permissionDetails : permissionDetailList) {
                 Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType, documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
                 if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.SAVE_PERMISSION, permissionDetails)) {
                                         foundAtLeastOnePermission = true;
                                         if (getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.SAVE_PERMISSION, permissionDetails, roleQualifiers)) {
                                                 return true;
                                         }
                                 }
                         }
                         // if we found defined KIM permissions, but not of them have authorized this user, return false
                         if (foundAtLeastOnePermission) {
                                 return false;
                         }
                 }
 
                 if (documentType.getInitiatorMustSavePolicy().getPolicyValue()) {
                         return executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
     }
                 return true;
         }
 
         protected Map<String, String> buildDocumentTypePermissionDetails(DocumentType documentType) {
                 Map<String, String> details = new HashMap<String, String>();
                 details.put(KewApiConstants.DOCUMENT_TYPE_NAME_DETAIL, documentType.getName());
                 return details;
         }
         
         protected Map<String, String> buildDocumentTypeActionRequestPermissionDetails(DocumentType documentType, String actionRequestCode) {
                 Map<String, String> details = buildDocumentTypePermissionDetails(documentType);
                 if (!StringUtils.isBlank(actionRequestCode)) {
                         details.put(KewApiConstants.ACTION_REQUEST_CD_DETAIL, actionRequestCode);
                 }
                 return details;
         }
         
         protected Map<String, String> buildDocumentTypeDocumentStatusPermissionDetails(DocumentType documentType, String documentStatus) {
                 Map<String, String> details = buildDocumentTypePermissionDetails(documentType);
                 if (!StringUtils.isBlank(documentStatus)) {
                         details.put(KewApiConstants.DOCUMENT_STATUS_DETAIL, documentStatus);
                 }
                 return details;
         }
         
         protected Map<String, String> buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(DocumentType documentType, String documentStatus, String documentId, String routeNodeName) {
                 Map<String, String> qualifiers = new HashMap<String, String>();
                 qualifiers.put(KimConstants.AttributeConstants.DOCUMENT_NUMBER, documentId);
                 if (!StringUtils.isBlank(documentStatus)) {
                         qualifiers.put(KewApiConstants.DOCUMENT_STATUS_DETAIL, documentStatus);
                         if (KewApiConstants.ROUTE_HEADER_INITIATED_CD.equals(documentStatus) || KewApiConstants.ROUTE_HEADER_SAVED_CD.equals(documentStatus)) {
                                 qualifiers.put(KimConstants.AttributeConstants.ROUTE_NODE_NAME, DocumentAuthorizerBase.PRE_ROUTING_ROUTE_NAME);
                         }
                         else {
                                 qualifiers.put(KimConstants.AttributeConstants.ROUTE_NODE_NAME, routeNodeName);
                         }
                 }
                 qualifiers.put(KewApiConstants.DOCUMENT_TYPE_NAME_DETAIL, documentType.getName());
                 
                 DocumentEntry documentEntry = KRADServiceLocatorWeb.getDataDictionaryService().getDataDictionary().getDocumentEntry(documentType.getName());
                 if (documentEntry != null) {
                         Class<? extends Document> documentClass = documentEntry.getDocumentClass();
                         String namespaceCode;
                         if (MaintenanceDocument.class.isAssignableFrom(documentClass)) {
                                 MaintenanceDocumentEntry maintenanceDocumentEntry = (MaintenanceDocumentEntry) documentEntry;
                                 namespaceCode = KRADUtils.getNamespaceCode(maintenanceDocumentEntry.getDataObjectClass());
                         }
                         else {
                                 namespaceCode = KRADUtils.getNamespaceCode(documentClass);
                         }
                         qualifiers.put(KimConstants.AttributeConstants.NAMESPACE_CODE, namespaceCode);
                 }
                 
                 return qualifiers;
         }
         
         /**
          * This method generates the permission details for the given document.  Note that this has to match the required
          * data defined in krim_typ_attr_t for the krim_typ_t with 
          * srvc_nm='documentTypeAndNodeOrStatePermissionTypeService'.  
      * TODO: See KULRICE-3490, make assembly of permission details dynamic based on db config
          * 
          * @param documentType
          * @param routeNodeNames
          * @param documentStatus
          * @return
          */
         protected List<Map<String, String>> buildDocumentTypePermissionDetails(DocumentType documentType,
                         List<String> routeNodeNames, String documentStatus) {
                 List<Map<String, String>> detailList = new ArrayList<Map<String, String>>();
 
                 for (String routeNodeName : routeNodeNames) {
                         Map<String, String> details = buildDocumentTypePermissionDetails(documentType);
                         if (KewApiConstants.ROUTE_HEADER_INITIATED_CD.equals(documentStatus) ||
                                         KewApiConstants.ROUTE_HEADER_SAVED_CD.equals(documentStatus)) {
                                 details.put(KewApiConstants.ROUTE_NODE_NAME_DETAIL, DocumentAuthorizerBase.PRE_ROUTING_ROUTE_NAME);
                         } else if (!StringUtils.isBlank(routeNodeName)) {
                                 details.put(KewApiConstants.ROUTE_NODE_NAME_DETAIL, routeNodeName);
                         }
                         if (!StringUtils.isBlank(documentStatus)) {
                                 details.put(KewApiConstants.DOCUMENT_STATUS_DETAIL, documentStatus);
                         }
                         if (null != documentType) {
                                 details.put(KewApiConstants.DOCUMENT_TYPE_NAME_DETAIL, documentType.getName());
                         }
                         detailList.add(details);
                 }
                 return detailList;
         }
 
         
         protected boolean useKimPermission(String namespace, String permissionTemplateName, Map<String, String> permissionDetails) {
                 Boolean b =  CoreFrameworkServiceLocator.getParameterService().getParameterValueAsBoolean(KewApiConstants.KEW_NAMESPACE, KRADConstants.DetailTypes.ALL_DETAIL_TYPE, KewApiConstants.KIM_PRIORITY_ON_DOC_TYP_PERMS_IND);
                 if (b == null || b) {
                         return getPermissionService().isPermissionDefinedByTemplateName(namespace, permissionTemplateName,
                     permissionDetails);
                 }
                 return false;
         }
         
         private boolean executeInitiatorPolicyCheck(String principalId, String initiatorPrincipalId, String documentStatus) {
                 return principalId.equals(initiatorPrincipalId) || !(KewApiConstants.ROUTE_HEADER_SAVED_CD.equals(documentStatus) || KewApiConstants.ROUTE_HEADER_INITIATED_CD.equals(documentStatus));
         }
         
         private void validatePrincipalId(String principalId) {
                 if (StringUtils.isBlank(principalId)) {
                         throw new IllegalArgumentException("Invalid principal ID, value was empty");
                 }
         }
         
         private void validateGroupId(String groupId) {
                 if (StringUtils.isBlank(groupId)) {
                         throw new IllegalArgumentException("Invalid group ID, value was empty");
                 }
         }
         
         private void validateDocumentType(DocumentType documentType) {
                 if (documentType == null) {
                         throw new IllegalArgumentException("DocumentType cannot be null");
                 }
         }
         
         private void validateActionRequestType(String actionRequestType) {
                 if (StringUtils.isBlank(actionRequestType)) {
                         throw new IllegalArgumentException("Invalid action request type, value was empty");
                 }
                 if (!KewApiConstants.ACTION_REQUEST_CODES.containsKey(actionRequestType)) {
                         throw new IllegalArgumentException("Invalid action request type was given, value was: " + actionRequestType);
                 }
         }
         
         private void validateRouteNodeNames(List<String> routeNodeNames) {
                 if (routeNodeNames.isEmpty()) {
                     return;
                         //throw new IllegalArgumentException("List of route node names was empty.");
                 }
                 for (String routeNodeName : routeNodeNames) {
                         if (StringUtils.isBlank(routeNodeName)) {
                                 throw new IllegalArgumentException("List of route node names contained an invalid route node name, value was empty");
                         }
                 }
         }
         
         private void validateDocumentStatus(String documentStatus) {
                 if (StringUtils.isBlank(documentStatus)) {
                         throw new IllegalArgumentException("Invalid document status, value was empty");
                 }
                 if (!KewApiConstants.DOCUMENT_STATUSES.containsKey(documentStatus)) {
                         throw new IllegalArgumentException("Invalid document status was given, value was: " + documentStatus);
                 }
         }
         
         protected GroupService getGroupService() {
                 return KimApiServiceLocator.getGroupService();
         }
         
         protected PermissionService getPermissionService() {
                 return KimApiServiceLocator.getPermissionService();
         }
 
 }

1		/**
2		* Copyright 2005-2011 The Kuali Foundation
3		*
4		* Licensed under the Educational Community License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.opensource.org/licenses/ecl2.php
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16		package org.kuali.rice.kew.doctype.service.impl;
17
18		import org.apache.commons.lang.StringUtils;
19		import org.kuali.rice.core.framework.services.CoreFrameworkServiceLocator;
20		import org.kuali.rice.kew.doctype.DocumentTypePolicyEnum;
21		import org.kuali.rice.kew.doctype.bo.DocumentType;
22		import org.kuali.rice.kew.doctype.service.DocumentTypePermissionService;
23		import org.kuali.rice.kew.routeheader.DocumentRouteHeaderValue;
24		import org.kuali.rice.kew.api.KewApiConstants;
25		import org.kuali.rice.kim.api.KimConstants;
26		import org.kuali.rice.kim.api.group.GroupService;
27		import org.kuali.rice.kim.api.permission.PermissionService;
28		import org.kuali.rice.kim.api.services.KimApiServiceLocator;
29		import org.kuali.rice.krad.datadictionary.DocumentEntry;
30		import org.kuali.rice.krad.datadictionary.MaintenanceDocumentEntry;
31		import org.kuali.rice.krad.document.Document;
32		import org.kuali.rice.krad.document.MaintenanceDocument;
33		import org.kuali.rice.krad.document.authorization.DocumentAuthorizerBase;
34		import org.kuali.rice.krad.service.KRADServiceLocatorWeb;
35		import org.kuali.rice.krad.util.KRADConstants;
36		import org.kuali.rice.krad.util.KRADUtils;
37
38		import java.util.ArrayList;
39		import java.util.HashMap;
40		import java.util.List;
41		import java.util.Map;
42
43		/**
44		* Implementation of the DocumentTypePermissionService.
45		*
46		* @author Kuali Rice Team (rice.collab@kuali.org)
47		*
48		*/
49	0	public class DocumentTypePermissionServiceImpl implements DocumentTypePermissionService {
50	0	private static final org.apache.log4j.Logger LOG = org.apache.log4j.Logger.getLogger(DocumentTypePermissionServiceImpl.class);
51
52		public boolean canBlanketApprove(String principalId, DocumentType documentType, String documentStatus, String initiatorPrincipalId) {
53	0	validatePrincipalId(principalId);
54	0	validateDocumentType(documentType);
55	0	validateDocumentStatus(documentStatus);
56	0	validatePrincipalId(initiatorPrincipalId);
57		final Boolean result;
58	0	if (documentType.isBlanketApproveGroupDefined()) {
59	0	boolean initiatorAuthorized = true;
60	0	if (documentType.getInitiatorMustBlanketApprovePolicy().getPolicyValue()) {
61	0	initiatorAuthorized = executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
62		}
63	0	result = initiatorAuthorized && documentType.isBlanketApprover(principalId);
64	0	} else {
65	0	Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType);
66	0	result = getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.BLANKET_APPROVE_PERMISSION, permissionDetails, new HashMap<String, String>());
67		}
68	0	return result;
69		}
70
71		public boolean canReceiveAdHocRequest(String principalId, DocumentType documentType, String actionRequestType) {
72	0	validatePrincipalId(principalId);
73	0	validateDocumentType(documentType);
74	0	validateActionRequestType(actionRequestType);
75		final Boolean result;
76
77	0	Map<String, String> permissionDetails = buildDocumentTypeActionRequestPermissionDetails(documentType, actionRequestType);
78	0	if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails)) {
79	0	result = getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails, new HashMap<String, String>());
80		} else {
81	0	result = Boolean.TRUE;
82		}
83	0	return result;
84		}
85
86		public boolean canGroupReceiveAdHocRequest(String groupId, DocumentType documentType, String actionRequestType) {
87	0	validateGroupId(groupId);
88	0	validateDocumentType(documentType);
89	0	validateActionRequestType(actionRequestType);
90
91	0	Boolean result = Boolean.TRUE;
92	0	Map<String, String> permissionDetails = buildDocumentTypeActionRequestPermissionDetails(documentType, actionRequestType);
93	0	if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails)) {
94	0	List<String> principalIds = getGroupService().getMemberPrincipalIds(groupId);
95		// if any member of the group is not allowed to receive the request, then the group may not receive it
96	0	for (String principalId : principalIds) {
97	0	if (!getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.AD_HOC_REVIEW_PERMISSION, permissionDetails, new HashMap<String, String>())) {
98	0	result = Boolean.FALSE;
99	0	break;
100		}
101		}
102		}
103	0	return result;
104		}
105
106		public boolean canAdministerRouting(String principalId, DocumentType documentType) {
107	0	validatePrincipalId(principalId);
108	0	validateDocumentType(documentType);
109
110		final Boolean result;
111	0	if (documentType.isSuperUserGroupDefined()) {
112	0	result = documentType.isSuperUser(principalId);
113		} else {
114	0	Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType);
115	0	result = getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.ADMINISTER_ROUTING_PERMISSION, permissionDetails, new HashMap<String, String>());
116		}
117	0	return result;
118		}
119
120		public boolean canCancel(String principalId, String documentId, DocumentType documentType, List<String> routeNodeNames, String documentStatus, String initiatorPrincipalId) {
121	0	validatePrincipalId(principalId);
122	0	validateDocumentType(documentType);
123	0	validateRouteNodeNames(routeNodeNames);
124	0	validateDocumentStatus(documentStatus);
125	0	validatePrincipalId(initiatorPrincipalId);
126
127	0	if (!documentType.isPolicyDefined(DocumentTypePolicyEnum.INITIATOR_MUST_CANCEL)) {
128	0	List<Map<String, String>> permissionDetailList = buildDocumentTypePermissionDetails(documentType, routeNodeNames, documentStatus);
129
130	0	boolean foundAtLeastOnePermission = false;
131		// loop over permission details, only one of them needs to be authorized
132	0	for (Map<String, String> permissionDetails : permissionDetailList) {
133	0	Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType, documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
134	0	if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.CANCEL_PERMISSION, permissionDetails)) {
135	0	foundAtLeastOnePermission = true;
136	0	if (getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.CANCEL_PERMISSION, permissionDetails, roleQualifiers)) {
137	0	return true;
138		}
139		}
140	0	}
141		// if we found defined KIM permissions, but not of them have authorized this user, return false
142	0	if (foundAtLeastOnePermission) {
143	0	return false;
144		}
145		}
146
147	0	if (documentType.getInitiatorMustCancelPolicy().getPolicyValue()) {
148	0	return executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
149		} else {
150	0	return true;
151		}
152		}
153
154		public boolean canInitiate(String principalId, DocumentType documentType) {
155	0	validatePrincipalId(principalId);
156	0	validateDocumentType(documentType);
157
158	0	Map<String, String> permissionDetails = buildDocumentTypePermissionDetails(documentType);
159	0	if (useKimPermission(KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, KewApiConstants.INITIATE_PERMISSION, permissionDetails)) {
160	0	return getPermissionService().isAuthorizedByTemplateName(principalId, KRADConstants.KUALI_RICE_SYSTEM_NAMESPACE, KewApiConstants.INITIATE_PERMISSION, permissionDetails, new HashMap<String, String>());
161		}
162	0	return true;
163		}
164
165		public boolean canRoute(String principalId, DocumentRouteHeaderValue documentRouteHeaderValue) {
166	0	return canRoute(principalId, documentRouteHeaderValue.getDocumentId(), documentRouteHeaderValue.getDocumentType(),
167		documentRouteHeaderValue.getDocRouteStatus(), documentRouteHeaderValue.getInitiatorWorkflowId());
168		}
169
170		public boolean canRoute(String principalId, String documentId, DocumentType documentType, String documentStatus, String initiatorPrincipalId) {
171	0	validatePrincipalId(principalId);
172	0	validateDocumentType(documentType);
173	0	validateDocumentStatus(documentStatus);
174	0	validatePrincipalId(initiatorPrincipalId);
175
176	0	if (!documentType.isPolicyDefined(DocumentTypePolicyEnum.INITIATOR_MUST_ROUTE)) {
177	0	Map<String, String> permissionDetails = buildDocumentTypeDocumentStatusPermissionDetails(documentType, documentStatus);
178	0	Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType, documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
179
180	0	if (LOG.isDebugEnabled()) {
181	0	LOG.debug("Permission details values: " + permissionDetails);
182	0	LOG.debug("Role qualifiers values: " + roleQualifiers);
183		}
184	0	if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.ROUTE_PERMISSION, permissionDetails)) {
185	0	return getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.ROUTE_PERMISSION, permissionDetails, roleQualifiers);
186		}
187		}
188
189	0	if (documentType.getInitiatorMustRoutePolicy().getPolicyValue()) {
190	0	return executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
191		}
192	0	return true;
193		}
194
195		public boolean canAddRouteLogMessage(String principalId, DocumentRouteHeaderValue documentRouteHeaderValue) {
196	0	return canAddRouteLogMessage(principalId, documentRouteHeaderValue.getDocumentId(),
197		documentRouteHeaderValue.getDocumentType(), documentRouteHeaderValue.getDocRouteStatus(),
198		documentRouteHeaderValue.getInitiatorWorkflowId());
199		}
200
201		public boolean canAddRouteLogMessage(String principalId, String documentId, DocumentType documentType,
202		String documentStatus, String initiatorPrincipalId) {
203	0	validatePrincipalId(principalId);
204	0	validateDocumentType(documentType);
205	0	validateDocumentStatus(documentStatus);
206	0	validatePrincipalId(initiatorPrincipalId);
207
208	0	Map<String, String> permissionDetails = buildDocumentTypeDocumentStatusPermissionDetails(documentType, documentStatus);
209	0	Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType,
210		documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
211
212	0	if (LOG.isDebugEnabled()) {
213	0	LOG.debug("Permission details values: " + permissionDetails);
214	0	LOG.debug("Role qualifiers values: " + roleQualifiers);
215		}
216
217	0	if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.ADD_MESSAGE_TO_ROUTE_LOG, permissionDetails)) {
218	0	return getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE,
219		KewApiConstants.ADD_MESSAGE_TO_ROUTE_LOG, permissionDetails, roleQualifiers);
220		}
221
222	0	return false;
223		}
224
225		public boolean canSave(String principalId, String documentId, DocumentType documentType, List<String> routeNodeNames, String documentStatus, String initiatorPrincipalId) {
226	0	validatePrincipalId(principalId);
227	0	validateDocumentType(documentType);
228	0	validateRouteNodeNames(routeNodeNames);
229	0	validateDocumentStatus(documentStatus);
230	0	validatePrincipalId(initiatorPrincipalId);
231
232	0	if (!documentType.isPolicyDefined(DocumentTypePolicyEnum.INITIATOR_MUST_SAVE)) {
233	0	List<Map<String, String>> permissionDetailList = buildDocumentTypePermissionDetails(documentType, routeNodeNames, documentStatus);
234
235	0	boolean foundAtLeastOnePermission = false;
236		// loop over permission details, only one of them needs to be authorized
237	0	for (Map<String, String> permissionDetails : permissionDetailList) {
238	0	Map<String, String> roleQualifiers = buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(documentType, documentStatus, documentId, permissionDetails.get(KewApiConstants.ROUTE_NODE_NAME_DETAIL));
239	0	if (useKimPermission(KewApiConstants.KEW_NAMESPACE, KewApiConstants.SAVE_PERMISSION, permissionDetails)) {
240	0	foundAtLeastOnePermission = true;
241	0	if (getPermissionService().isAuthorizedByTemplateName(principalId, KewApiConstants.KEW_NAMESPACE, KewApiConstants.SAVE_PERMISSION, permissionDetails, roleQualifiers)) {
242	0	return true;
243		}
244		}
245	0	}
246		// if we found defined KIM permissions, but not of them have authorized this user, return false
247	0	if (foundAtLeastOnePermission) {
248	0	return false;
249		}
250		}
251
252	0	if (documentType.getInitiatorMustSavePolicy().getPolicyValue()) {
253	0	return executeInitiatorPolicyCheck(principalId, initiatorPrincipalId, documentStatus);
254		}
255	0	return true;
256		}
257
258		protected Map<String, String> buildDocumentTypePermissionDetails(DocumentType documentType) {
259	0	Map<String, String> details = new HashMap<String, String>();
260	0	details.put(KewApiConstants.DOCUMENT_TYPE_NAME_DETAIL, documentType.getName());
261	0	return details;
262		}
263
264		protected Map<String, String> buildDocumentTypeActionRequestPermissionDetails(DocumentType documentType, String actionRequestCode) {
265	0	Map<String, String> details = buildDocumentTypePermissionDetails(documentType);
266	0	if (!StringUtils.isBlank(actionRequestCode)) {
267	0	details.put(KewApiConstants.ACTION_REQUEST_CD_DETAIL, actionRequestCode);
268		}
269	0	return details;
270		}
271
272		protected Map<String, String> buildDocumentTypeDocumentStatusPermissionDetails(DocumentType documentType, String documentStatus) {
273	0	Map<String, String> details = buildDocumentTypePermissionDetails(documentType);
274	0	if (!StringUtils.isBlank(documentStatus)) {
275	0	details.put(KewApiConstants.DOCUMENT_STATUS_DETAIL, documentStatus);
276		}
277	0	return details;
278		}
279
280		protected Map<String, String> buildDocumentIdRoleDocumentTypeDocumentStatusQualifiers(DocumentType documentType, String documentStatus, String documentId, String routeNodeName) {
281	0	Map<String, String> qualifiers = new HashMap<String, String>();
282	0	qualifiers.put(KimConstants.AttributeConstants.DOCUMENT_NUMBER, documentId);
283	0	if (!StringUtils.isBlank(documentStatus)) {
284	0	qualifiers.put(KewApiConstants.DOCUMENT_STATUS_DETAIL, documentStatus);
285	0	if (KewApiConstants.ROUTE_HEADER_INITIATED_CD.equals(documentStatus) \|\| KewApiConstants.ROUTE_HEADER_SAVED_CD.equals(documentStatus)) {
286	0	qualifiers.put(KimConstants.AttributeConstants.ROUTE_NODE_NAME, DocumentAuthorizerBase.PRE_ROUTING_ROUTE_NAME);
287		}
288		else {
289	0	qualifiers.put(KimConstants.AttributeConstants.ROUTE_NODE_NAME, routeNodeName);
290		}
291		}
292	0	qualifiers.put(KewApiConstants.DOCUMENT_TYPE_NAME_DETAIL, documentType.getName());
293
294	0	DocumentEntry documentEntry = KRADServiceLocatorWeb.getDataDictionaryService().getDataDictionary().getDocumentEntry(documentType.getName());
295	0	if (documentEntry != null) {
296	0	Class<? extends Document> documentClass = documentEntry.getDocumentClass();
297		String namespaceCode;
298	0	if (MaintenanceDocument.class.isAssignableFrom(documentClass)) {
299	0	MaintenanceDocumentEntry maintenanceDocumentEntry = (MaintenanceDocumentEntry) documentEntry;
300	0	namespaceCode = KRADUtils.getNamespaceCode(maintenanceDocumentEntry.getDataObjectClass());
301	0	}
302		else {
303	0	namespaceCode = KRADUtils.getNamespaceCode(documentClass);
304		}
305	0	qualifiers.put(KimConstants.AttributeConstants.NAMESPACE_CODE, namespaceCode);
306		}
307
308	0	return qualifiers;
309		}
310
311		/**
312		* This method generates the permission details for the given document. Note that this has to match the required
313		* data defined in krim_typ_attr_t for the krim_typ_t with
314		* srvc_nm='documentTypeAndNodeOrStatePermissionTypeService'.
315		* TODO: See KULRICE-3490, make assembly of permission details dynamic based on db config
316		*
317		* @param documentType
318		* @param routeNodeNames
319		* @param documentStatus
320		* @return
321		*/
322		protected List<Map<String, String>> buildDocumentTypePermissionDetails(DocumentType documentType,
323		List<String> routeNodeNames, String documentStatus) {
324	0	List<Map<String, String>> detailList = new ArrayList<Map<String, String>>();
325
326	0	for (String routeNodeName : routeNodeNames) {
327	0	Map<String, String> details = buildDocumentTypePermissionDetails(documentType);
328	0	if (KewApiConstants.ROUTE_HEADER_INITIATED_CD.equals(documentStatus) \|\|
329		KewApiConstants.ROUTE_HEADER_SAVED_CD.equals(documentStatus)) {
330	0	details.put(KewApiConstants.ROUTE_NODE_NAME_DETAIL, DocumentAuthorizerBase.PRE_ROUTING_ROUTE_NAME);
331	0	} else if (!StringUtils.isBlank(routeNodeName)) {
332	0	details.put(KewApiConstants.ROUTE_NODE_NAME_DETAIL, routeNodeName);
333		}
334	0	if (!StringUtils.isBlank(documentStatus)) {
335	0	details.put(KewApiConstants.DOCUMENT_STATUS_DETAIL, documentStatus);
336		}
337	0	if (null != documentType) {
338	0	details.put(KewApiConstants.DOCUMENT_TYPE_NAME_DETAIL, documentType.getName());
339		}
340	0	detailList.add(details);
341	0	}
342	0	return detailList;
343		}
344
345
346		protected boolean useKimPermission(String namespace, String permissionTemplateName, Map<String, String> permissionDetails) {
347	0	Boolean b = CoreFrameworkServiceLocator.getParameterService().getParameterValueAsBoolean(KewApiConstants.KEW_NAMESPACE, KRADConstants.DetailTypes.ALL_DETAIL_TYPE, KewApiConstants.KIM_PRIORITY_ON_DOC_TYP_PERMS_IND);
348	0	if (b == null \|\| b) {
349	0	return getPermissionService().isPermissionDefinedByTemplateName(namespace, permissionTemplateName,
350		permissionDetails);
351		}
352	0	return false;
353		}
354
355		private boolean executeInitiatorPolicyCheck(String principalId, String initiatorPrincipalId, String documentStatus) {
356	0	return principalId.equals(initiatorPrincipalId) \|\| !(KewApiConstants.ROUTE_HEADER_SAVED_CD.equals(documentStatus) \|\| KewApiConstants.ROUTE_HEADER_INITIATED_CD.equals(documentStatus));
357		}
358
359		private void validatePrincipalId(String principalId) {
360	0	if (StringUtils.isBlank(principalId)) {
361	0	throw new IllegalArgumentException("Invalid principal ID, value was empty");
362		}
363	0	}
364
365		private void validateGroupId(String groupId) {
366	0	if (StringUtils.isBlank(groupId)) {
367	0	throw new IllegalArgumentException("Invalid group ID, value was empty");
368		}
369	0	}
370
371		private void validateDocumentType(DocumentType documentType) {
372	0	if (documentType == null) {
373	0	throw new IllegalArgumentException("DocumentType cannot be null");
374		}
375	0	}
376
377		private void validateActionRequestType(String actionRequestType) {
378	0	if (StringUtils.isBlank(actionRequestType)) {
379	0	throw new IllegalArgumentException("Invalid action request type, value was empty");
380		}
381	0	if (!KewApiConstants.ACTION_REQUEST_CODES.containsKey(actionRequestType)) {
382	0	throw new IllegalArgumentException("Invalid action request type was given, value was: " + actionRequestType);
383		}
384	0	}
385
386		private void validateRouteNodeNames(List<String> routeNodeNames) {
387	0	if (routeNodeNames.isEmpty()) {
388	0	return;
389		//throw new IllegalArgumentException("List of route node names was empty.");
390		}
391	0	for (String routeNodeName : routeNodeNames) {
392	0	if (StringUtils.isBlank(routeNodeName)) {
393	0	throw new IllegalArgumentException("List of route node names contained an invalid route node name, value was empty");
394		}
395		}
396	0	}
397
398		private void validateDocumentStatus(String documentStatus) {
399	0	if (StringUtils.isBlank(documentStatus)) {
400	0	throw new IllegalArgumentException("Invalid document status, value was empty");
401		}
402	0	if (!KewApiConstants.DOCUMENT_STATUSES.containsKey(documentStatus)) {
403	0	throw new IllegalArgumentException("Invalid document status was given, value was: " + documentStatus);
404		}
405	0	}
406
407		protected GroupService getGroupService() {
408	0	return KimApiServiceLocator.getGroupService();
409		}
410
411		protected PermissionService getPermissionService() {
412	0	return KimApiServiceLocator.getPermissionService();
413		}
414
415		}