| Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
| PermissionService |
|
| 1.0;1 |
| 1 | /* | |
| 2 | * Copyright 2008 The Kuali Foundation | |
| 3 | * | |
| 4 | * Licensed under the Educational Community License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.opensource.org/licenses/ecl2.php | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package org.kuali.rice.kim.service; | |
| 17 | ||
| 18 | import java.util.List; | |
| 19 | import java.util.Map; | |
| 20 | ||
| 21 | import javax.jws.WebParam; | |
| 22 | import javax.jws.WebService; | |
| 23 | import javax.jws.soap.SOAPBinding; | |
| 24 | import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; | |
| 25 | ||
| 26 | import org.kuali.rice.core.util.AttributeSet; | |
| 27 | import org.kuali.rice.core.util.jaxb.AttributeSetAdapter; | |
| 28 | import org.kuali.rice.core.util.jaxb.MapStringStringAdapter; | |
| 29 | import org.kuali.rice.kim.bo.role.dto.KimPermissionInfo; | |
| 30 | import org.kuali.rice.kim.bo.role.dto.KimPermissionTemplateInfo; | |
| 31 | import org.kuali.rice.kim.bo.role.dto.PermissionAssigneeInfo; | |
| 32 | import org.kuali.rice.kim.util.KIMWebServiceConstants; | |
| 33 | ||
| 34 | /** | |
| 35 | * This service provides operations for evaluating permissions and querying for permission data. | |
| 36 | * | |
| 37 | * <p>A permission is the ability to perform an action. All permissions have a permission template. | |
| 38 | * Both permissions and permission templates are uniquely identified by a namespace code plus a name. | |
| 39 | * The permission template defines the course-grained permission and specifies what additional | |
| 40 | * permission details need to be collected on permissions that use that template. For example, a | |
| 41 | * permission template might have a name of "Initiate Document" which requires a permission detail | |
| 42 | * specifying the document type that can be initiated. A permission created from the "Initiate Document" | |
| 43 | * template would define the name of the specific Document Type that can be initiated as a permission | |
| 44 | * detail. | |
| 45 | * | |
| 46 | * <p>The isAuthorized and isAuthorizedByTemplateName operations | |
| 47 | * on this service are used to execute authorization checks for a principal against a | |
| 48 | * permission. Permissions are always assigned to roles (never directly to a principal or | |
| 49 | * group). A particular principal will be authorized for a given permission if the permission | |
| 50 | * evaluates to true (according to the permission evaluation logic and based on any supplied | |
| 51 | * permission details) and that principal is assigned to a role which has been granted the permission. | |
| 52 | * | |
| 53 | * <p>The actual logic for how permission evaluation logic is defined and executed is dependent upon | |
| 54 | * the permission service implementation. However, it will typically be associated with the permission | |
| 55 | * template used on the permission. | |
| 56 | * | |
| 57 | * <p>This service provides read-only operations. For write operations, see | |
| 58 | * {@link PermissionUpdateService}. | |
| 59 | * | |
| 60 | * @see PermissionUpdateService | |
| 61 | * | |
| 62 | * @author Kuali Rice Team (rice.collab@kuali.org) | |
| 63 | */ | |
| 64 | @WebService(name = KIMWebServiceConstants.PermissionService.WEB_SERVICE_NAME, targetNamespace = KIMWebServiceConstants.MODULE_TARGET_NAMESPACE) | |
| 65 | @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = SOAPBinding.Use.LITERAL, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED) | |
| 66 | public interface PermissionService { | |
| 67 | ||
| 68 | // -------------------- | |
| 69 | // Authorization Checks | |
| 70 | // -------------------- | |
| 71 | ||
| 72 | /** | |
| 73 | * Checks whether the principal has been granted a permission matching the given details | |
| 74 | * without taking role qualifiers into account. | |
| 75 | * | |
| 76 | * This method should not be used for true authorization checks since a principal | |
| 77 | * may only have this permission within a given context. It could be used to | |
| 78 | * identify that the user would have some permissions within a certain area. | |
| 79 | * Later checks would identify exactly what permissions were granted. | |
| 80 | * | |
| 81 | * It can also be used when the client application KNOWS that this is a role which | |
| 82 | * is never qualified. | |
| 83 | */ | |
| 84 | boolean hasPermission( @WebParam(name="principalId") String principalId, | |
| 85 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 86 | @WebParam(name="permissionName") String permissionName, | |
| 87 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails ); | |
| 88 | ||
| 89 | /** | |
| 90 | * Checks whether the given qualified permission is granted to the principal given | |
| 91 | * the passed roleQualification. If no roleQualification is passed (null or empty) | |
| 92 | * then this method behaves the same as {@link #hasPermission(String, String, String, AttributeSet)}. | |
| 93 | * | |
| 94 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 95 | * exists on the principal's membership in that role, that is checked first through | |
| 96 | * the role's type service. Once it is determined that the principal has the role | |
| 97 | * in the given context (qualification), the permissions are examined. | |
| 98 | * | |
| 99 | * Each permission is checked against the permissionDetails. The KimPermissionTypeService | |
| 100 | * is called for each permission with the given permissionName to see if the | |
| 101 | * permissionDetails matches its details. | |
| 102 | */ | |
| 103 | boolean isAuthorized( @WebParam(name="principalId") String principalId, | |
| 104 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 105 | @WebParam(name="permissionName") String permissionName, | |
| 106 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails, | |
| 107 | @WebParam(name="qualification") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet qualification ); | |
| 108 | ||
| 109 | /** | |
| 110 | * Checks whether the principal has been granted a permission matching the given details | |
| 111 | * without taking role qualifiers into account. | |
| 112 | * | |
| 113 | * This method should not be used for true authorization checks since a principal | |
| 114 | * may only have this permission within a given context. It could be used to | |
| 115 | * identify that the user would have some permissions within a certain area. | |
| 116 | * Later checks would identify exactly what permissions were granted. | |
| 117 | * | |
| 118 | * It can also be used when the client application KNOWS that this is a role which | |
| 119 | * is never qualified. | |
| 120 | */ | |
| 121 | boolean hasPermissionByTemplateName( @WebParam(name="principalId") String principalId, | |
| 122 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 123 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 124 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails ); | |
| 125 | ||
| 126 | /** | |
| 127 | * Checks whether the given qualified permission is granted to the principal given | |
| 128 | * the passed roleQualification. If no roleQualification is passed (null or empty) | |
| 129 | * then this method behaves the same as {@link #hasPermission(String, String, String, AttributeSet)}. | |
| 130 | * | |
| 131 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 132 | * exists on the principal's membership in that role, that is checked first through | |
| 133 | * the role's type service. Once it is determined that the principal has the role | |
| 134 | * in the given context (qualification), the permissions are examined. | |
| 135 | * | |
| 136 | * Each permission is checked against the permissionDetails. The KimPermissionTypeService | |
| 137 | * is called for each permission with the given permissionName to see if the | |
| 138 | * permissionDetails matches its details. | |
| 139 | */ | |
| 140 | boolean isAuthorizedByTemplateName( @WebParam(name="principalId") String principalId, | |
| 141 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 142 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 143 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails, | |
| 144 | @WebParam(name="qualification") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet qualification ); | |
| 145 | ||
| 146 | ||
| 147 | /** | |
| 148 | * Get the list of principals/groups who have a given permission. This also returns delegates | |
| 149 | * for the given principals/groups who also have this permission given the context in the | |
| 150 | * qualification parameter. | |
| 151 | * | |
| 152 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 153 | * exists on the principal's membership in that role, that is checked first through | |
| 154 | * the role's type service. Once it is determined that the principal has the role | |
| 155 | * in the given context (qualification), the permissions are examined. | |
| 156 | * | |
| 157 | */ | |
| 158 | List<PermissionAssigneeInfo> getPermissionAssignees( @WebParam(name="namespaceCode") String namespaceCode, | |
| 159 | @WebParam(name="permissionName") String permissionName, | |
| 160 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails, | |
| 161 | @WebParam(name="qualification") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet qualification ); | |
| 162 | ||
| 163 | /** | |
| 164 | * Get the list of principals/groups who have a given permission that match the given | |
| 165 | * permission template and permission details. This also returns delegates | |
| 166 | * for the given principals/groups who also have this permission given the context in the | |
| 167 | * qualification parameter. | |
| 168 | * | |
| 169 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 170 | * exists on the principal's membership in that role, that is checked first through | |
| 171 | * the role's type service. Once it is determined that the principal has the role | |
| 172 | * in the given context (qualification), the permissions are examined. | |
| 173 | * | |
| 174 | */ | |
| 175 | List<PermissionAssigneeInfo> getPermissionAssigneesForTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 176 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 177 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails, | |
| 178 | @WebParam(name="qualification") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet qualification ); | |
| 179 | ||
| 180 | /** | |
| 181 | * Returns true if the given permission is defined on any Roles. | |
| 182 | */ | |
| 183 | boolean isPermissionDefined( @WebParam(name="namespaceCode") String namespaceCode, | |
| 184 | @WebParam(name="permissionName") String permissionName, | |
| 185 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails ); | |
| 186 | ||
| 187 | /** | |
| 188 | * Returns true if the given permission template is defined on any Roles. | |
| 189 | */ | |
| 190 | boolean isPermissionDefinedForTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 191 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 192 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails ); | |
| 193 | ||
| 194 | /** | |
| 195 | * Returns permissions (with their details) that are granted to the principal given | |
| 196 | * the passed qualification. If no qualification is passed (null or empty) | |
| 197 | * then this method does not check any qualifications on the roles. | |
| 198 | * | |
| 199 | * All permissions with the given name are checked against the permissionDetails. | |
| 200 | * The KimPermissionTypeService is called for each permission to see if the | |
| 201 | * permissionDetails matches its details. | |
| 202 | * | |
| 203 | * An asterisk (*) as a value in any permissionDetails key-value pair will match any value. | |
| 204 | * This forms a way to provide a wildcard to obtain multiple permissions in one call. | |
| 205 | * | |
| 206 | * After the permissions are determined, the roles that hold those permissions are determined. | |
| 207 | * Each role that matches between the principal and the permission objects is checked for | |
| 208 | * qualifications. If a qualifier | |
| 209 | * exists on the principal's membership in that role, that is checked through | |
| 210 | * the role's type service. | |
| 211 | * | |
| 212 | */ | |
| 213 | List<KimPermissionInfo> getAuthorizedPermissions( @WebParam(name="principalId") String principalId, | |
| 214 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 215 | @WebParam(name="permissionName") String permissionName, | |
| 216 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails, | |
| 217 | @WebParam(name="qualification") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet qualification ); | |
| 218 | ||
| 219 | /** | |
| 220 | * Returns permissions (with their details) that are granted to the principal given | |
| 221 | * the passed qualification. If no qualification is passed (null or empty) | |
| 222 | * then this method does not check any qualifications on the roles. | |
| 223 | * | |
| 224 | * All permissions with the given name are checked against the permissionDetails. | |
| 225 | * The KimPermissionTypeService is called for each permission to see if the | |
| 226 | * permissionDetails matches its details. | |
| 227 | * | |
| 228 | * An asterisk (*) as a value in any permissionDetails key-value pair will match any value. | |
| 229 | * This forms a way to provide a wildcard to obtain multiple permissions in one call. | |
| 230 | * | |
| 231 | * After the permissions are determined, the roles that hold those permissions are determined. | |
| 232 | * Each role that matches between the principal and the permission objects is checked for | |
| 233 | * qualifications. If a qualifier | |
| 234 | * exists on the principal's membership in that role, that is checked through | |
| 235 | * the role's type service. | |
| 236 | * | |
| 237 | */ | |
| 238 | List<KimPermissionInfo> getAuthorizedPermissionsByTemplateName( @WebParam(name="principalId") String principalId, | |
| 239 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 240 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 241 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails, | |
| 242 | @WebParam(name="qualification") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet qualification ); | |
| 243 | ||
| 244 | // -------------------- | |
| 245 | // Permission Data | |
| 246 | // -------------------- | |
| 247 | ||
| 248 | /** | |
| 249 | * Get the permission object with the given ID. | |
| 250 | */ | |
| 251 | KimPermissionInfo getPermission( @WebParam(name="permissionId") String permissionId ); | |
| 252 | ||
| 253 | /** | |
| 254 | * Return the permission object for the given unique combination of namespace, | |
| 255 | * component and permission template name. | |
| 256 | */ | |
| 257 | List<KimPermissionInfo> getPermissionsByTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 258 | @WebParam(name="permissionTemplateName") String permissionTemplateName ); | |
| 259 | ||
| 260 | /** | |
| 261 | * Return the permission object for the given unique combination of namespace, | |
| 262 | * component and permission name. | |
| 263 | */ | |
| 264 | List<KimPermissionInfo> getPermissionsByName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 265 | @WebParam(name="permissionName") String permissionName ); | |
| 266 | ||
| 267 | KimPermissionTemplateInfo getPermissionTemplate( @WebParam(name="permissionTemplateId") String permissionTemplateId ); | |
| 268 | ||
| 269 | KimPermissionTemplateInfo getPermissionTemplateByName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 270 | @WebParam(name="permissionTemplateName") String permissionTemplateName ); | |
| 271 | public List<KimPermissionTemplateInfo> getAllTemplates(); | |
| 272 | /** | |
| 273 | * Search for permissions using arbitrary search criteria. JavaBeans property syntax | |
| 274 | * should be used to reference the properties. | |
| 275 | * | |
| 276 | * If the searchCriteria parameter is null or empty, an empty list will be returned. | |
| 277 | */ | |
| 278 | List<KimPermissionInfo> lookupPermissions( @WebParam(name="searchCriteria") @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) Map<String,String> searchCriteria, | |
| 279 | @WebParam(name="unbounded") boolean unbounded); | |
| 280 | ||
| 281 | /** | |
| 282 | * Get the role IDs for the given permission. | |
| 283 | */ | |
| 284 | List<String> getRoleIdsForPermission( @WebParam(name="namespaceCode") String namespaceCode, | |
| 285 | @WebParam(name="permissionName") String permissionName, | |
| 286 | @WebParam(name="permissionDetails") @XmlJavaTypeAdapter(value = AttributeSetAdapter.class) AttributeSet permissionDetails); | |
| 287 | ||
| 288 | /** | |
| 289 | * Get the role IDs for the given list of permissions. | |
| 290 | */ | |
| 291 | List<String> getRoleIdsForPermissions( @WebParam(name="permissions") List<KimPermissionInfo> permissions ); | |
| 292 | ||
| 293 | /** | |
| 294 | * Returns the label of the permission detail for the given permissionId, kimType and attributeName. | |
| 295 | */ | |
| 296 | public String getPermissionDetailLabel( String permissionId, String kimTypeId, String attributeName); | |
| 297 | ||
| 298 | /** | |
| 299 | * Get the role IDs for the given permission. | |
| 300 | */ | |
| 301 | List<String> getRoleIdsForPermissionId(@WebParam(name = "permissionId") String permissionId); | |
| 302 | ||
| 303 | /** | |
| 304 | * Return the permission object for the given unique combination of namespace, component and permission name. Inactive | |
| 305 | * permissions are also returned | |
| 306 | */ | |
| 307 | List<KimPermissionInfo> getPermissionsByNameIncludingInactive(@WebParam(name = "namespaceCode") String namespaceCode, @WebParam(name = "permissionName") String permissionName); | |
| 308 | } |