| Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
| PermissionService |
|
| 1.0;1 |
| 1 | /* | |
| 2 | * Copyright 2008 The Kuali Foundation | |
| 3 | * | |
| 4 | * Licensed under the Educational Community License, Version 2.0 (the "License"); | |
| 5 | * you may not use this file except in compliance with the License. | |
| 6 | * You may obtain a copy of the License at | |
| 7 | * | |
| 8 | * http://www.opensource.org/licenses/ecl2.php | |
| 9 | * | |
| 10 | * Unless required by applicable law or agreed to in writing, software | |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, | |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| 13 | * See the License for the specific language governing permissions and | |
| 14 | * limitations under the License. | |
| 15 | */ | |
| 16 | package org.kuali.rice.kim.api.permission; | |
| 17 | ||
| 18 | import org.kuali.rice.core.api.mo.common.Attributes; | |
| 19 | import org.kuali.rice.core.util.jaxb.AttributeSetAdapter; | |
| 20 | import org.kuali.rice.core.util.jaxb.ImmutableListAdapter; | |
| 21 | import org.kuali.rice.core.util.jaxb.MapStringStringAdapter; | |
| 22 | import org.kuali.rice.kim.api.common.assignee.Assignee; | |
| 23 | import org.kuali.rice.kim.api.common.template.Template; | |
| 24 | import org.kuali.rice.kim.util.KimConstants; | |
| 25 | ||
| 26 | import javax.jws.WebMethod; | |
| 27 | import javax.jws.WebParam; | |
| 28 | import javax.jws.WebResult; | |
| 29 | import javax.jws.WebService; | |
| 30 | import javax.jws.soap.SOAPBinding; | |
| 31 | import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; | |
| 32 | ||
| 33 | import java.util.HashMap; | |
| 34 | import java.util.List; | |
| 35 | import java.util.Map; | |
| 36 | ||
| 37 | /** | |
| 38 | * This service provides operations for evaluating permissions and querying for permission data. | |
| 39 | * | |
| 40 | * <p>A permission is the ability to perform an action. All permissions have a permission template. | |
| 41 | * Both permissions and permission templates are uniquely identified by a namespace code plus a name. | |
| 42 | * The permission template defines the course-grained permission and specifies what additional | |
| 43 | * permission details need to be collected on permissions that use that template. For example, a | |
| 44 | * permission template might have a name of "Initiate Document" which requires a permission detail | |
| 45 | * specifying the document type that can be initiated. A permission created from the "Initiate Document" | |
| 46 | * template would define the name of the specific Document Type that can be initiated as a permission | |
| 47 | * detail. | |
| 48 | * | |
| 49 | * <p>The isAuthorized and isAuthorizedByTemplateName operations | |
| 50 | * on this service are used to execute authorization checks for a principal against a | |
| 51 | * permission. Permissions are always assigned to roles (never directly to a principal or | |
| 52 | * group). A particular principal will be authorized for a given permission if the permission | |
| 53 | * evaluates to true (according to the permission evaluation logic and based on any supplied | |
| 54 | * permission details) and that principal is assigned to a role which has been granted the permission. | |
| 55 | * | |
| 56 | * <p>The actual logic for how permission evaluation logic is defined and executed is dependent upon | |
| 57 | * the permission service implementation. However, it will typically be associated with the permission | |
| 58 | * template used on the permission. | |
| 59 | * | |
| 60 | * <p>This service provides read-only operations. For write operations, see | |
| 61 | * {@link PermissionUpdateService}. | |
| 62 | * | |
| 63 | * @see PermissionUpdateService | |
| 64 | * | |
| 65 | * @author Kuali Rice Team (rice.collab@kuali.org) | |
| 66 | */ | |
| 67 | @WebService(name = "PermissionService", targetNamespace = KimConstants.Namespaces.KIM_NAMESPACE_2_0) | |
| 68 | @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, use = SOAPBinding.Use.LITERAL, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED) | |
| 69 | public interface PermissionService { | |
| 70 | ||
| 71 | // -------------------- | |
| 72 | // Authorization Checks | |
| 73 | // -------------------- | |
| 74 | ||
| 75 | /** | |
| 76 | * Checks whether the principal has been granted a permission matching the given details | |
| 77 | * without taking role qualifiers into account. | |
| 78 | * | |
| 79 | * This method should not be used for true authorization checks since a principal | |
| 80 | * may only have this permission within a given context. It could be used to | |
| 81 | * identify that the user would have some permissions within a certain area. | |
| 82 | * Later checks would identify exactly what permissions were granted. | |
| 83 | * | |
| 84 | * It can also be used when the client application KNOWS that this is a role which | |
| 85 | * is never qualified. | |
| 86 | */ | |
| 87 | @WebMethod(operationName = "hasPermission") | |
| 88 | @WebResult(name = "hasPermission") | |
| 89 | boolean hasPermission( @WebParam(name="principalId") String principalId, | |
| 90 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 91 | @WebParam(name="permissionName") String permissionName, | |
| 92 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 93 | ||
| 94 | ||
| 95 | /** | |
| 96 | * Checks whether the given qualified permission is granted to the principal given | |
| 97 | * the passed roleQualification. If no roleQualification is passed (null or empty) | |
| 98 | * then this method behaves the same as {@link #hasPermission(String, String, String, AttributeSet)}. | |
| 99 | * | |
| 100 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 101 | * exists on the principal's membership in that role, that is checked first through | |
| 102 | * the role's type service. Once it is determined that the principal has the role | |
| 103 | * in the given context (qualification), the permissions are examined. | |
| 104 | * | |
| 105 | * Each permission is checked against the permissionDetails. The PermissionTypeService | |
| 106 | * is called for each permission with the given permissionName to see if the | |
| 107 | * permissionDetails matches its details. | |
| 108 | */ | |
| 109 | @WebMethod(operationName = "isAuthorized") | |
| 110 | @WebResult(name = "isAuthorized") | |
| 111 | boolean isAuthorized( @WebParam(name="principalId") String principalId, | |
| 112 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 113 | @WebParam(name="permissionName") String permissionName, | |
| 114 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 115 | @WebParam(name="qualification") Attributes qualification ); | |
| 116 | ||
| 117 | /** | |
| 118 | * Checks whether the principal has been granted a permission matching the given details | |
| 119 | * without taking role qualifiers into account. | |
| 120 | * | |
| 121 | * This method should not be used for true authorization checks since a principal | |
| 122 | * may only have this permission within a given context. It could be used to | |
| 123 | * identify that the user would have some permissions within a certain area. | |
| 124 | * Later checks would identify exactly what permissions were granted. | |
| 125 | * | |
| 126 | * It can also be used when the client application KNOWS that this is a role which | |
| 127 | * is never qualified. | |
| 128 | */ | |
| 129 | @WebMethod(operationName = "hasPermissionByTemplateName") | |
| 130 | @WebResult(name = "hasPermission") | |
| 131 | boolean hasPermissionByTemplateName( @WebParam(name="principalId") String principalId, | |
| 132 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 133 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 134 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 135 | ||
| 136 | /** | |
| 137 | * Checks whether the given qualified permission is granted to the principal given | |
| 138 | * the passed roleQualification. If no roleQualification is passed (null or empty) | |
| 139 | * then this method behaves the same as {@link #hasPermission(String, String, String, AttributeSet)}. | |
| 140 | * | |
| 141 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 142 | * exists on the principal's membership in that role, that is checked first through | |
| 143 | * the role's type service. Once it is determined that the principal has the role | |
| 144 | * in the given context (qualification), the permissions are examined. | |
| 145 | * | |
| 146 | * Each permission is checked against the permissionDetails. The PermissionTypeService | |
| 147 | * is called for each permission with the given permissionName to see if the | |
| 148 | * permissionDetails matches its details. | |
| 149 | */ | |
| 150 | @WebMethod(operationName = "isAuthorizedByTemplateName") | |
| 151 | @WebResult(name = "isAuthorized") | |
| 152 | boolean isAuthorizedByTemplateName( @WebParam(name="principalId") String principalId, | |
| 153 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 154 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 155 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 156 | @WebParam(name="qualification") Attributes qualification ); | |
| 157 | ||
| 158 | ||
| 159 | /** | |
| 160 | * Get the list of principals/groups who have a given permission. This also returns delegates | |
| 161 | * for the given principals/groups who also have this permission given the context in the | |
| 162 | * qualification parameter. | |
| 163 | * | |
| 164 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 165 | * exists on the principal's membership in that role, that is checked first through | |
| 166 | * the role's type service. Once it is determined that the principal has the role | |
| 167 | * in the given context (qualification), the permissions are examined. | |
| 168 | * | |
| 169 | */ | |
| 170 | @WebMethod(operationName = "getPermissionAssignees") | |
| 171 | @WebResult(name = "permissionAssignees") | |
| 172 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 173 | List<Assignee> getPermissionAssignees( @WebParam(name="namespaceCode") String namespaceCode, | |
| 174 | @WebParam(name="permissionName") String permissionName, | |
| 175 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 176 | @WebParam(name="qualification") Attributes qualification ); | |
| 177 | ||
| 178 | /** | |
| 179 | * Get the list of principals/groups who have a given permission that match the given | |
| 180 | * permission template and permission details. This also returns delegates | |
| 181 | * for the given principals/groups who also have this permission given the context in the | |
| 182 | * qualification parameter. | |
| 183 | * | |
| 184 | * Each role assigned to the principal is checked for qualifications. If a qualifier | |
| 185 | * exists on the principal's membership in that role, that is checked first through | |
| 186 | * the role's type service. Once it is determined that the principal has the role | |
| 187 | * in the given context (qualification), the permissions are examined. | |
| 188 | * | |
| 189 | */ | |
| 190 | @WebMethod(operationName = "getPermissionAssigneesForTemplateName") | |
| 191 | @WebResult(name = "permissionAssigneesForTemplateName") | |
| 192 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 193 | List<Assignee> getPermissionAssigneesForTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 194 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 195 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 196 | @WebParam(name="qualification") Attributes qualification ); | |
| 197 | ||
| 198 | /** | |
| 199 | * Returns true if the given permission is defined on any Roles. | |
| 200 | */ | |
| 201 | @WebMethod(operationName = "isPermissionDefined") | |
| 202 | @WebResult(name = "isPermissionDefined") | |
| 203 | boolean isPermissionDefined( @WebParam(name="namespaceCode") String namespaceCode, | |
| 204 | @WebParam(name="permissionName") String permissionName, | |
| 205 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 206 | ||
| 207 | /** | |
| 208 | * Returns true if the given permission template is defined on any Roles. | |
| 209 | */ | |
| 210 | @WebMethod(operationName = "isPermissionDefinedForTemplateName") | |
| 211 | @WebResult(name = "isPermissionDefinedForTemplateName") | |
| 212 | boolean isPermissionDefinedForTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 213 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 214 | @WebParam(name="permissionDetails") Attributes permissionDetails ); | |
| 215 | ||
| 216 | /** | |
| 217 | * Returns permissions (with their details) that are granted to the principal given | |
| 218 | * the passed qualification. If no qualification is passed (null or empty) | |
| 219 | * then this method does not check any qualifications on the roles. | |
| 220 | * | |
| 221 | * All permissions with the given name are checked against the permissionDetails. | |
| 222 | * The PermissionTypeService is called for each permission to see if the | |
| 223 | * permissionDetails matches its details. | |
| 224 | * | |
| 225 | * An asterisk (*) as a value in any permissionDetails key-value pair will match any value. | |
| 226 | * This forms a way to provide a wildcard to obtain multiple permissions in one call. | |
| 227 | * | |
| 228 | * After the permissions are determined, the roles that hold those permissions are determined. | |
| 229 | * Each role that matches between the principal and the permission objects is checked for | |
| 230 | * qualifications. If a qualifier | |
| 231 | * exists on the principal's membership in that role, that is checked through | |
| 232 | * the role's type service. | |
| 233 | * | |
| 234 | */ | |
| 235 | @WebMethod(operationName = "getAuthorizedPermissions") | |
| 236 | @WebResult(name = "authorizedPermissions") | |
| 237 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 238 | List<Permission> getAuthorizedPermissions( @WebParam(name="principalId") String principalId, | |
| 239 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 240 | @WebParam(name="permissionName") String permissionName, | |
| 241 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 242 | @WebParam(name="qualification") Attributes qualification ); | |
| 243 | ||
| 244 | /** | |
| 245 | * Returns permissions (with their details) that are granted to the principal given | |
| 246 | * the passed qualification. If no qualification is passed (null or empty) | |
| 247 | * then this method does not check any qualifications on the roles. | |
| 248 | * | |
| 249 | * All permissions with the given name are checked against the permissionDetails. | |
| 250 | * The PermissionTypeService is called for each permission to see if the | |
| 251 | * permissionDetails matches its details. | |
| 252 | * | |
| 253 | * An asterisk (*) as a value in any permissionDetails key-value pair will match any value. | |
| 254 | * This forms a way to provide a wildcard to obtain multiple permissions in one call. | |
| 255 | * | |
| 256 | * After the permissions are determined, the roles that hold those permissions are determined. | |
| 257 | * Each role that matches between the principal and the permission objects is checked for | |
| 258 | * qualifications. If a qualifier | |
| 259 | * exists on the principal's membership in that role, that is checked through | |
| 260 | * the role's type service. | |
| 261 | * | |
| 262 | */ | |
| 263 | @WebMethod(operationName = "getAuthorizedPermissionsByTemplateName") | |
| 264 | @WebResult(name = "authorizedPermissions") | |
| 265 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 266 | List<Permission> getAuthorizedPermissionsByTemplateName( @WebParam(name="principalId") String principalId, | |
| 267 | @WebParam(name="namespaceCode") String namespaceCode, | |
| 268 | @WebParam(name="permissionTemplateName") String permissionTemplateName, | |
| 269 | @WebParam(name="permissionDetails") Attributes permissionDetails, | |
| 270 | @WebParam(name="qualification") Attributes qualification ); | |
| 271 | ||
| 272 | // -------------------- | |
| 273 | // Permission Data | |
| 274 | // -------------------- | |
| 275 | ||
| 276 | /** | |
| 277 | * Get the permission object with the given ID. | |
| 278 | */ | |
| 279 | @WebMethod(operationName = "getPermission") | |
| 280 | @WebResult(name = "permission") | |
| 281 | Permission getPermission( @WebParam(name="permissionId") String permissionId ); | |
| 282 | ||
| 283 | /** | |
| 284 | * Return the permission object for the given unique combination of namespace, | |
| 285 | * component and permission template name. | |
| 286 | */ | |
| 287 | @WebMethod(operationName = "getPermissionsByTemplateName") | |
| 288 | @WebResult(name = "permissions") | |
| 289 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 290 | List<Permission> getPermissionsByTemplateName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 291 | @WebParam(name="permissionTemplateName") String permissionTemplateName ); | |
| 292 | ||
| 293 | /** | |
| 294 | * Return the permission object for the given unique combination of namespace, | |
| 295 | * component and permission name. | |
| 296 | */ | |
| 297 | @WebMethod(operationName = "getPermissionsByName") | |
| 298 | @WebResult(name = "permissions") | |
| 299 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 300 | List<Permission> getPermissionsByName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 301 | @WebParam(name="permissionName") String permissionName ); | |
| 302 | ||
| 303 | /** | |
| 304 | * | |
| 305 | * Return the Permission Template given the Template ID. | |
| 306 | * | |
| 307 | * @param permissionTemplateId | |
| 308 | * @return PermissionTemplate | |
| 309 | */ | |
| 310 | @WebMethod(operationName = "getPermissionTemplate") | |
| 311 | @WebResult(name = "permissionTemplate") | |
| 312 | Template getPermissionTemplate( @WebParam(name="permissionTemplateId") String permissionTemplateId ); | |
| 313 | ||
| 314 | /** | |
| 315 | * | |
| 316 | * Return the Permission Template given the Template Name and Namespace Code. | |
| 317 | * | |
| 318 | * @param namespaceCode, permissionTemplateName | |
| 319 | * @return PermissionTemplate | |
| 320 | */ | |
| 321 | @WebMethod(operationName = "getPermissionTemplateByName") | |
| 322 | @WebResult(name = "permissionTemplate") | |
| 323 | Template getPermissionTemplateByName( @WebParam(name="namespaceCode") String namespaceCode, | |
| 324 | @WebParam(name="permissionTemplateName") String permissionTemplateName ); | |
| 325 | ||
| 326 | /** | |
| 327 | * | |
| 328 | * Return all Permission Templates. | |
| 329 | * | |
| 330 | * @param namespaceCode, permissionTemplateName | |
| 331 | * @return PermissionTemplate | |
| 332 | */ | |
| 333 | @WebMethod(operationName = "getAllTemplates") | |
| 334 | @WebResult(name = "permissionTemplates") | |
| 335 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 336 | public List<Template> getAllTemplates(); | |
| 337 | ||
| 338 | /** | |
| 339 | * Search for permissions using arbitrary search criteria. JavaBeans property syntax | |
| 340 | * should be used to reference the properties. | |
| 341 | * | |
| 342 | * If the searchCriteria parameter is null or empty, an empty list will be returned. | |
| 343 | */ | |
| 344 | @WebMethod(operationName = "lookupPermissions") | |
| 345 | @WebResult(name = "lookupPermissions") | |
| 346 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 347 | List<Permission> lookupPermissions( @WebParam(name="searchCriteria") @XmlJavaTypeAdapter(value = MapStringStringAdapter.class) Map<String,String> searchCriteria, | |
| 348 | @WebParam(name="unbounded") boolean unbounded); | |
| 349 | ||
| 350 | /** | |
| 351 | * Get the role IDs for the given permission. | |
| 352 | */ | |
| 353 | @WebMethod(operationName = "getRoleIdsForPermission") | |
| 354 | @WebResult(name = "roleIdsForPermission") | |
| 355 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 356 | List<String> getRoleIdsForPermission( @WebParam(name="namespaceCode") String namespaceCode, | |
| 357 | @WebParam(name="permissionName") String permissionName, | |
| 358 | @WebParam(name="permissionDetails") Attributes permissionDetails); | |
| 359 | ||
| 360 | /** | |
| 361 | * Get the role IDs for the given list of permissions. | |
| 362 | */ | |
| 363 | @WebMethod(operationName = "getRoleIdsForPermissions") | |
| 364 | @WebResult(name = "roleIdsForPermissions") | |
| 365 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 366 | List<String> getRoleIdsForPermissions( @WebParam(name="permissions") List<Permission> permissions ); | |
| 367 | ||
| 368 | /** | |
| 369 | * Returns the label of the permission detail for the given permissionId, kimType and attributeName. | |
| 370 | */ | |
| 371 | @WebMethod(operationName = "getPermissionDetailLabel") | |
| 372 | @WebResult(name = "permissionDetailLabel") | |
| 373 | public String getPermissionDetailLabel( String permissionId, String kimTypeId, String attributeName); | |
| 374 | ||
| 375 | /** | |
| 376 | * Get the role IDs for the given permission. | |
| 377 | */ | |
| 378 | @WebMethod(operationName = "getRoleIdsForPermissionId") | |
| 379 | @WebResult(name = "roleIdsForPermissionId") | |
| 380 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 381 | List<String> getRoleIdsForPermissionId(@WebParam(name = "permissionId") String permissionId); | |
| 382 | ||
| 383 | /** | |
| 384 | * Return the permission object for the given unique combination of namespace, component and permission name. Inactive | |
| 385 | * permissions are also returned | |
| 386 | */ | |
| 387 | @WebMethod(operationName = "getPermissionsByNameIncludingInactive") | |
| 388 | @WebResult(name = "permissionsIncludingInactive") | |
| 389 | @XmlJavaTypeAdapter(value = ImmutableListAdapter.class) | |
| 390 | List<Permission> getPermissionsByNameIncludingInactive(@WebParam(name = "namespaceCode") String namespaceCode, @WebParam(name = "permissionName") String permissionName); | |
| 391 | } |