| Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
| PermissionService |
|
| 1.0;1 |
| 1 | /* | |
| 2 | * Copyright 2008 The Kuali Foundation | |
| 3 | * | |
| 4 | * Licensed under the Educational Community License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.opensource.org/licenses/ecl2.php | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package org.kuali.rice.kim.api.permission; | |
| 17 | ||
| 18 | import org.kuali.rice.core.api.exception.RiceIllegalArgumentException; | |
| 19 | import org.kuali.rice.core.api.exception.RiceIllegalStateException; | |
| 20 | import org.kuali.rice.core.api.mo.common.Attributes; | |
| 21 | import org.kuali.rice.core.util.jaxb.MapStringStringAdapter; | |
| 22 | import org.kuali.rice.kim.api.common.assignee.Assignee; | |
| 23 | import org.kuali.rice.kim.api.common.template.Template; | |
| 24 | import org.kuali.rice.kim.util.KimConstants; | |
| 25 | ||
| 26 | import javax.jws.WebMethod; | |
| 27 | import javax.jws.WebParam; | |
| 28 | import javax.jws.WebResult; | |
| 29 | import javax.jws.WebService; | |
| 30 | import javax.jws.soap.SOAPBinding; | |
| 31 | import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; | |
| 32 | ||
| 33 | import java.util.List; | |
| 34 | import java.util.Map; | |
| 35 | ||
| 36 | /** | |
| 37 | * This service provides operations for evaluating permissions and querying for permission data. | |
| 38 | * | |
| 39 | * <p>A permission is the ability to perform an action. All permissions have a permission template. | |
| 40 | * Both permissions and permission templates are uniquely identified by a namespace code plus a name. | |
| 41 | * The permission template defines the course-grained permission and specifies what additional | |
| 42 | * permission details need to be collected on permissions that use that template. For example, a | |
| 43 | * permission template might have a name of "Initiate Document" which requires a permission detail | |
| 44 | * specifying the document type that can be initiated. A permission created from the "Initiate Document" | |
| 45 | * template would define the name of the specific Document Type that can be initiated as a permission | |
| 46 | * detail. | |
| 47 | * | |
| 48 | * <p>The isAuthorized and isAuthorizedByTemplateName operations | |
| 49 | * on this service are used to execute authorization checks for a principal against a | |
| 50 | * permission. Permissions are always assigned to roles (never directly to a principal or | |
| 51 | * group). A particular principal will be authorized for a given permission if the permission | |
| 52 | * evaluates to true (according to the permission evaluation logic and based on any supplied | |
| 53 | * permission details) and that principal is assigned to a role which has been granted the permission. | |
| 54 | * | |
| 55 | * <p>The actual logic for how permission evaluation logic is defined and executed is dependent upon | |
| 56 | * the permission service implementation. However, it will typically be associated with the permission | |
| 57 | * template used on the permission. | |
| 58 | * | |
| 59 | * <p>This service provides read-only operations. For write operations, see | |
| 60 | * {@link PermissionUpdateService}. | |
| 61 | * | |
| 62 | * @see PermissionUpdateService | |
| 63 | * | |
| 64 | * @author Kuali Rice Team (rice.collab@kuali.org) | |
| 65 | */ | |
| 66 | @WebService(name = "PermissionService", targetNamespace = KimConstants.Namespaces.KIM_NAMESPACE_2_0) | |
| 67 | @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = SOAPBinding.Use.LITERAL, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED) | |
| 68 | public interface PermissionService { | |
| 69 | ||
| 70 | /** | |
| 71 | * This will create a {@link Permission} exactly like the permission passed in. | |
| 72 | * | |
| 73 | * @param permission the permission to create | |
| 74 | * @return the id of the newly created object. will never be null. | |
| 75 | * @throws IllegalArgumentException if the permission is null | |
| 76 | * @throws IllegalStateException if the permission is already existing in the system | |
| 77 | */ | |
| 78 | @WebMethod(operationName="createPermission") | |
| 79 | @WebResult(name = "id") | |
| 80 | String createPermission(@WebParam(name = "permission") Permission permission) | |
| 81 | throws RiceIllegalArgumentException, RiceIllegalStateException; | |
| 82 | ||
| 83 | /** | |
| 84 | * This will update a {@link Permission}. | |
| 85 | * | |
| 86 | * @param permission the permission to update | |
| 87 | * @throws IllegalArgumentException if the permission is null | |
| 88 | * @throws IllegalStateException if the permission does not exist in the system | |
| 89 | */ | |
| 90 | @WebMethod(operationName="updatePermission") | |
| 91 | void updatePermission(@WebParam(name = "permission") Permission permission) | |
| 92 | throws RiceIllegalArgumentException, RiceIllegalStateException; | |
| 93 | ||
| 94 | // -------------------- | |
| 95 | // Authorization Checks | |
| 96 | // -------------------- | |
| 97 | ||
| 98 | /** | |
| 99 | * Checks whether the principal has been granted a permission matching the given details | |
| 100 | * without taking role qualifiers into account. | |
| 101 | * | |
| 102 | * This method should not be used for true authorization checks since a principal | |
| 103 | * may only have this permission within a given context. It could be used to | |
| 104 | * identify that the user would have some permissions within a certain area. | |
| 105 | * Later checks would identify exactly what permissions were granted. | |
| 106 | * | |
| 107 | * It can also be used when the client application KNOWS that this is a role which | |
| 108 | * is never qualified. | |
| 109 | */ | |
| 110 | @WebMethod(operationName = "hasPermission") | |
| 111 | @WebResult(name = "hasPermission") | |
| 112 | boolean hasPermission( @WebParam(name="principalId") String principalId, | |
| 113 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 114 | @WebParam(name="permissionName") String permissionName, | |
| 115 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 116 | ||
| 117 | ||
| 118 | /** | |
| 119 | * Checks whether the given qualified permission is granted to the principal given | |
| 120 | * the passed roleQualification. If no roleQualification is passed (null or empty) | |
| 121 | * then this method behaves the same as {@link #hasPermission(String, String, String, AttributeSet)}. | |
| 122 | * | |
| 123 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 124 | * exists on the principal's membership in that role, that is checked first through | |
| 125 | * the role's type service. Once it is determined that the principal has the role | |
| 126 | * in the given context (qualification), the permissions are examined. | |
| 127 | * | |
| 128 | * Each permission is checked against the permissionDetails. The PermissionTypeService | |
| 129 | * is called for each permission with the given permissionName to see if the | |
| 130 | * permissionDetails matches its details. | |
| 131 | */ | |
| 132 | @WebMethod(operationName = "isAuthorized") | |
| 133 | @WebResult(name = "isAuthorized") | |
| 134 | boolean isAuthorized( @WebParam(name="principalId") String principalId, | |
| 135 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 136 | @WebParam(name="permissionName") String permissionName, | |
| 137 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 138 | @WebParam(name="qualification") Attributes qualification ); | |
| 139 | ||
| 140 | /** | |
| 141 | * Checks whether the principal has been granted a permission matching the given details | |
| 142 | * without taking role qualifiers into account. | |
| 143 | * | |
| 144 | * This method should not be used for true authorization checks since a principal | |
| 145 | * may only have this permission within a given context. It could be used to | |
| 146 | * identify that the user would have some permissions within a certain area. | |
| 147 | * Later checks would identify exactly what permissions were granted. | |
| 148 | * | |
| 149 | * It can also be used when the client application KNOWS that this is a role which | |
| 150 | * is never qualified. | |
| 151 | */ | |
| 152 | @WebMethod(operationName = "hasPermissionByTemplateName") | |
| 153 | @WebResult(name = "hasPermission") | |
| 154 | boolean hasPermissionByTemplateName( @WebParam(name="principalId") String principalId, | |
| 155 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 156 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 157 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 158 | ||
| 159 | /** | |
| 160 | * Checks whether the given qualified permission is granted to the principal given | |
| 161 | * the passed roleQualification. If no roleQualification is passed (null or empty) | |
| 162 | * then this method behaves the same as {@link #hasPermission(String, String, String, AttributeSet)}. | |
| 163 | * | |
| 164 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 165 | * exists on the principal's membership in that role, that is checked first through | |
| 166 | * the role's type service. Once it is determined that the principal has the role | |
| 167 | * in the given context (qualification), the permissions are examined. | |
| 168 | * | |
| 169 | * Each permission is checked against the permissionDetails. The PermissionTypeService | |
| 170 | * is called for each permission with the given permissionName to see if the | |
| 171 | * permissionDetails matches its details. | |
| 172 | */ | |
| 173 | @WebMethod(operationName = "isAuthorizedByTemplateName") | |
| 174 | @WebResult(name = "isAuthorized") | |
| 175 | boolean isAuthorizedByTemplateName( @WebParam(name="principalId") String principalId, | |
| 176 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 177 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 178 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 179 | @WebParam(name="qualification") Attributes qualification ); | |
| 180 | ||
| 181 | ||
| 182 | /** | |
| 183 | * Get the list of principals/groups who have a given permission. This also returns delegates | |
| 184 | * for the given principals/groups who also have this permission given the context in the | |
| 185 | * qualification parameter. | |
| 186 | * | |
| 187 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 188 | * exists on the principal's membership in that role, that is checked first through | |
| 189 | * the role's type service. Once it is determined that the principal has the role | |
| 190 | * in the given context (qualification), the permissions are examined. | |
| 191 | * | |
| 192 | */ | |
| 193 | @WebMethod(operationName = "getPermissionAssignees") | |
| 194 | @WebResult(name = "permissionAssignees") | |
| 195 | List<Assignee> getPermissionAssignees( @WebParam(name="namespaceCode") String namespaceCode, | |
| 196 | @WebParam(name="permissionName") String permissionName, | |
| 197 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 198 | @WebParam(name="qualification") Attributes qualification ); | |
| 199 | ||
| 200 | /** | |
| 201 | * Get the list of principals/groups who have a given permission that match the given | |
| 202 | * permission template and permission details. This also returns delegates | |
| 203 | * for the given principals/groups who also have this permission given the context in the | |
| 204 | * qualification parameter. | |
| 205 | * | |
| 206 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 207 | * exists on the principal's membership in that role, that is checked first through | |
| 208 | * the role's type service. Once it is determined that the principal has the role | |
| 209 | * in the given context (qualification), the permissions are examined. | |
| 210 | * | |
| 211 | */ | |
| 212 | @WebMethod(operationName = "getPermissionAssigneesForTemplateName") | |
| 213 | @WebResult(name = "permissionAssigneesForTemplateName") | |
| 214 | List<Assignee> getPermissionAssigneesForTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 215 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 216 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 217 | @WebParam(name="qualification") Attributes qualification ); | |
| 218 | ||
| 219 | /** | |
| 220 | * Returns true if the given permission is defined on any Roles. | |
| 221 | */ | |
| 222 | @WebMethod(operationName = "isPermissionDefined") | |
| 223 | @WebResult(name = "isPermissionDefined") | |
| 224 | boolean isPermissionDefined( @WebParam(name="namespaceCode") String namespaceCode, | |
| 225 | @WebParam(name="permissionName") String permissionName, | |
| 226 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 227 | ||
| 228 | /** | |
| 229 | * Returns true if the given permission template is defined on any Roles. | |
| 230 | */ | |
| 231 | @WebMethod(operationName = "isPermissionDefinedForTemplateName") | |
| 232 | @WebResult(name = "isPermissionDefinedForTemplateName") | |
| 233 | boolean isPermissionDefinedForTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 234 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 235 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 236 | ||
| 237 | /** | |
| 238 | * Returns permissions (with their details) that are granted to the principal given | |
| 239 | * the passed qualification. If no qualification is passed (null or empty) | |
| 240 | * then this method does not check any qualifications on the roles. | |
| 241 | * | |
| 242 | * All permissions with the given name are checked against the permissionDetails. | |
| 243 | * The PermissionTypeService is called for each permission to see if the | |
| 244 | * permissionDetails matches its details. | |
| 245 | * | |
| 246 | * An asterisk (*) as a value in any permissionDetails key-value pair will match any value. | |
| 247 | * This forms a way to provide a wildcard to obtain multiple permissions in one call. | |
| 248 | * | |
| 249 | * After the permissions are determined, the roles that hold those permissions are determined. | |
| 250 | * Each role that matches between the principal and the permission objects is checked for | |
| 251 | * qualifications. If a qualifier | |
| 252 | * exists on the principal's membership in that role, that is checked through | |
| 253 | * the role's type service. | |
| 254 | * | |
| 255 | */ | |
| 256 | @WebMethod(operationName = "getAuthorizedPermissions") | |
| 257 | @WebResult(name = "authorizedPermissions") | |
| 258 | List<Permission> getAuthorizedPermissions( @WebParam(name="principalId") String principalId, | |
| 259 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 260 | @WebParam(name="permissionName") String permissionName, | |
| 261 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 262 | @WebParam(name="qualification") Attributes qualification ); | |
| 263 | ||
| 264 | /** | |
| 265 | * Returns permissions (with their details) that are granted to the principal given | |
| 266 | * the passed qualification. If no qualification is passed (null or empty) | |
| 267 | * then this method does not check any qualifications on the roles. | |
| 268 | * | |
| 269 | * All permissions with the given name are checked against the permissionDetails. | |
| 270 | * The PermissionTypeService is called for each permission to see if the | |
| 271 | * permissionDetails matches its details. | |
| 272 | * | |
| 273 | * An asterisk (*) as a value in any permissionDetails key-value pair will match any value. | |
| 274 | * This forms a way to provide a wildcard to obtain multiple permissions in one call. | |
| 275 | * | |
| 276 | * After the permissions are determined, the roles that hold those permissions are determined. | |
| 277 | * Each role that matches between the principal and the permission objects is checked for | |
| 278 | * qualifications. If a qualifier | |
| 279 | * exists on the principal's membership in that role, that is checked through | |
| 280 | * the role's type service. | |
| 281 | * | |
| 282 | */ | |
| 283 | @WebMethod(operationName = "getAuthorizedPermissionsByTemplateName") | |
| 284 | @WebResult(name = "authorizedPermissions") | |
| 285 | List<Permission> getAuthorizedPermissionsByTemplateName( @WebParam(name="principalId") String principalId, | |
| 286 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 287 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 288 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 289 | @WebParam(name="qualification") Attributes qualification ); | |
| 290 | ||
| 291 | // -------------------- | |
| 292 | // Permission Data | |
| 293 | // -------------------- | |
| 294 | ||
| 295 | /** | |
| 296 | * Get the permission object with the given ID. | |
| 297 | */ | |
| 298 | @WebMethod(operationName = "getPermission") | |
| 299 | @WebResult(name = "permission") | |
| 300 | Permission getPermission( @WebParam(name="permissionId") String permissionId ); | |
| 301 | ||
| 302 | /** | |
| 303 | * Return the permission object for the given unique combination of namespace, | |
| 304 | * component and permission template name. | |
| 305 | */ | |
| 306 | @WebMethod(operationName = "getPermissionsByTemplateName") | |
| 307 | @WebResult(name = "permissions") | |
| 308 | List<Permission> getPermissionsByTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 309 | @WebParam(name="permissionTemplateName") String permissionTemplateName ); | |
| 310 | ||
| 311 | /** | |
| 312 | * Return the permission object for the given unique combination of namespace, | |
| 313 | * component and permission name. | |
| 314 | */ | |
| 315 | @WebMethod(operationName = "getPermissionsByName") | |
| 316 | @WebResult(name = "permissions") | |
| 317 | List<Permission> getPermissionsByName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 318 | @WebParam(name="permissionName") String permissionName ); | |
| 319 | ||
| 320 | /** | |
| 321 | * | |
| 322 | * Return the Permission Template given the Template ID. | |
| 323 | * | |
| 324 | * @param permissionTemplateId | |
| 325 | * @return PermissionTemplate | |
| 326 | */ | |
| 327 | @WebMethod(operationName = "getPermissionTemplate") | |
| 328 | @WebResult(name = "permissionTemplate") | |
| 329 | Template getPermissionTemplate( @WebParam(name="permissionTemplateId") String permissionTemplateId ); | |
| 330 | ||
| 331 | /** | |
| 332 | * | |
| 333 | * Return the Permission Template given the Template Name and Namespace Code. | |
| 334 | * | |
| 335 | * @param namespaceCode, permissionTemplateName | |
| 336 | * @return PermissionTemplate | |
| 337 | */ | |
| 338 | @WebMethod(operationName = "getPermissionTemplateByName") | |
| 339 | @WebResult(name = "permissionTemplate") | |
| 340 | Template getPermissionTemplateByName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 341 | @WebParam(name="permissionTemplateName") String permissionTemplateName ); | |
| 342 | ||
| 343 | /** | |
| 344 | * | |
| 345 | * Return all Permission Templates. | |
| 346 | * | |
| 347 | * @param namespaceCode, permissionTemplateName | |
| 348 | * @return PermissionTemplate | |
| 349 | */ | |
| 350 | @WebMethod(operationName = "getAllTemplates") | |
| 351 | @WebResult(name = "permissionTemplates") | |
| 352 | public List<Template> getAllTemplates(); | |
| 353 | ||
| 354 | /** | |
| 355 | * Search for permissions using arbitrary search criteria. JavaBeans property syntax | |
| 356 | * should be used to reference the properties. | |
| 357 | * | |
| 358 | * If the searchCriteria parameter is null or empty, an empty list will be returned. | |
| 359 | */ | |
| 360 | @WebMethod(operationName = "lookupPermissions") | |
| 361 | @WebResult(name = "lookupPermissions") | |
| 362 | List<Permission> lookupPermissions( @WebParam(name="searchCriteria") @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) Map<String,String> searchCriteria, | |
| 363 | @WebParam(name="unbounded") boolean unbounded); | |
| 364 | ||
| 365 | /** | |
| 366 | * Get the role IDs for the given permission. | |
| 367 | */ | |
| 368 | @WebMethod(operationName = "getRoleIdsForPermission") | |
| 369 | @WebResult(name = "roleIdsForPermission") | |
| 370 | List<String> getRoleIdsForPermission( @WebParam(name="namespaceCode") String namespaceCode, | |
| 371 | @WebParam(name="permissionName") String permissionName, | |
| 372 | @WebParam(name="permissionDetails") Attributes permissionDetails); | |
| 373 | ||
| 374 | /** | |
| 375 | * Get the role IDs for the given list of permissions. | |
| 376 | */ | |
| 377 | @WebMethod(operationName = "getRoleIdsForPermissions") | |
| 378 | @WebResult(name = "roleIdsForPermissions") | |
| 379 | List<String> getRoleIdsForPermissions( @WebParam(name="permissions") List<Permission> permissions ); | |
| 380 | ||
| 381 | /** | |
| 382 | * Returns the label of the permission detail for the given permissionId, kimType and attributeName. | |
| 383 | */ | |
| 384 | @WebMethod(operationName = "getPermissionDetailLabel") | |
| 385 | @WebResult(name = "permissionDetailLabel") | |
| 386 | public String getPermissionDetailLabel( String permissionId, String kimTypeId, String attributeName); | |
| 387 | ||
| 388 | /** | |
| 389 | * Get the role IDs for the given permission. | |
| 390 | */ | |
| 391 | @WebMethod(operationName = "getRoleIdsForPermissionId") | |
| 392 | @WebResult(name = "roleIdsForPermissionId") | |
| 393 | List<String> getRoleIdsForPermissionId(@WebParam(name = "permissionId") String permissionId); | |
| 394 | ||
| 395 | /** | |
| 396 | * Return the permission object for the given unique combination of namespace, component and permission name. Inactive | |
| 397 | * permissions are also returned | |
| 398 | */ | |
| 399 | @WebMethod(operationName = "getPermissionsByNameIncludingInactive") | |
| 400 | @WebResult(name = "permissionsIncludingInactive") | |
| 401 | List<Permission> getPermissionsByNameIncludingInactive(@WebParam(name = "namespaceCode") String namespaceCode, @WebParam(name = "permissionName") String permissionName); | |
| 402 | } |