edu.internet2.middleware.grouper.privs

Class PrivilegeHelper

java.lang.Object

edu.internet2.middleware.grouper.privs.PrivilegeHelper

public class PrivilegeHelper
extends Object

Privilege helper class.

TODO 20070823 Relocate these methods once I figure out the best home for them.

Since:

1.2.1

Version:

$Id: PrivilegeHelper.java,v 1.12 2009-09-28 05:06:46 mchyzer Exp $

Constructor Summary

Constructors

Constructor and Description
PrivilegeHelper()

Method Summary

Modifier and Type	Method and Description
static boolean	canAdmin(GrouperSession s, Group g, Subject subj)
static boolean	canAttrAdmin(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canAttrDefAttrRead(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canAttrDefAttrUpdate(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canAttrOptin(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canAttrOptout(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canAttrRead(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canAttrUpdate(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canAttrView(GrouperSession s, AttributeDef attributeDef, Subject subj)
static boolean	canCopyStems(Subject subject) Is this user allowed to copy stems?
static boolean	canCreate(GrouperSession s, Stem ns, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canGroupAttrRead(GrouperSession s, Group group, Subject subj)
static boolean	canGroupAttrUpdate(GrouperSession s, Group group, Subject subj)
static boolean	canMoveStems(Subject subject) Is this user allowed to move stems?
static boolean	canOptin(GrouperSession s, Group g, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canOptout(GrouperSession s, Group g, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canRead(GrouperSession s, Group g, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canRenameStems(Subject subject) Is this user allowed to rename stems?
static boolean	canStem(GrouperSession s, Stem ns, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canStem(Stem ns, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canStemAdmin(GrouperSession s, Stem ns, Subject subj)
static boolean	canStemAdmin(Stem ns, Subject subj)
static boolean	canStemAttrRead(GrouperSession s, Stem stem, Subject subj)
static boolean	canStemAttrUpdate(GrouperSession s, Stem stem, Subject subj)
static boolean	canUpdate(GrouperSession s, Group g, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canView(GrouperSession s, Group g, Subject subj) TODO 20070823 find a real home for this and/or add tests
static boolean	canViewAttributeAssign(GrouperSession grouperSession, AttributeAssign attributeAssign, boolean checkUnderlyingIfAssignmentOnAssignment) see if the attribute assigns are viewable
static Set<AttributeAssign>	canViewAttributeAssigns(GrouperSession grouperSession, Collection<AttributeAssign> inputAttributeAssigns, boolean checkUnderlyingIfAssignmentOnAssignment) see if the attribute assigns are viewable
static Set<AttributeDef>	canViewAttributeDefs(GrouperSession s, Collection<AttributeDef> inputAttributeDefs) TODO 20070823 find a real home for this and/or add tests
static Set	canViewGroups(GrouperSession s, Set candidates) TODO 20070823 find a real home for this and/or add tests
static boolean	canViewMembers(GrouperSession grouperSession, Group group, Field field)
static boolean	canViewMembership(GrouperSession grouperSession, Membership membership)
static Set<Membership>	canViewMemberships(GrouperSession grouperSession, Collection<Membership> inputMemberships)
static Set<PermissionEntry>	canViewPermissions(GrouperSession grouperSession, Collection<PermissionEntry> inputPermissionEntries) see if the attribute assigns are viewable
static Set<PITAttributeAssign>	canViewPITAttributeAssigns(GrouperSession grouperSession, Collection<PITAttributeAssign> inputPITAttributeAssigns, boolean checkUnderlyingIfAssignmentOnAssignment) see if the pit attribute assigns are viewable
static void	dispatch(GrouperSession s, AttributeDef attributeDef, Subject subj, Privilege priv) TODO 20070823 find a real home for this and/or add tests
static void	dispatch(GrouperSession s, Group g, Subject subj, Privilege priv) TODO 20070823 find a real home for this and/or add tests
static void	dispatch(GrouperSession s, Stem ns, Subject subj, Privilege priv) TODO 20070823 find a real home for this and/or add tests
static Collection<String>	fieldIdsFromPrivileges(Collection<Privilege> privileges) convert a collection of privileges to a collection of fieldIds
static void	flushCache() flush all privilege caches
static Privilege[]	getAccessPrivileges(Privilege[] privileges) TODO 20070824 add tests
static Privilege[]	getAttributeDefPrivileges(Privilege[] privileges) TODO 20070824 add tests
static Privilege[]	getNamingPrivileges(Privilege[] privileges) TODO 20070824 add tests
static boolean	hasImmediatePrivilege(AttributeDef attributeDef, Subject subject, Privilege privilege) see if an attributeDef has an immediate privilege
static boolean	hasImmediatePrivilege(Group group, Subject subject, Privilege privilege) see if a group has an immediate privilege
static boolean	hasImmediatePrivilege(Stem stem, Subject subject, Privilege privilege) see if a stem has an immediate privilege
static boolean	hasPrivilege(GrouperSession s, AttributeDef attributeDef, Subject subj, Set<Privilege> privInSet)
static boolean	hasPrivilege(GrouperSession s, Group g, Subject subj, Set<Privilege> privInSet)
static boolean	hasPrivilege(GrouperSession s, Stem stem, Subject subj, Set<Privilege> privInSet)
static boolean	isRoot(GrouperSession s) TODO 20070823 find a real home for this and/or add tests
static boolean	isSystemSubject(Subject subject) see if system subject
static boolean	isWheel(GrouperSession s) TODO 20070823 find a real home for this and/or add tests
static boolean	isWheelOrRoot(Subject subject) see if a subject is wheel or root
static boolean	isWheelOrRootOrReadonlyRoot(Subject subject) see if a subject is wheel or root or readonly root
static boolean	isWheelOrRootOrViewonlyRoot(Subject subject) see if a subject is wheel or root or viewonly root (or readonly)
static void	main(String[] args)
static void	resolveSubjects(Collection<GrouperPrivilege> grouperPrivileges, boolean resolveAllAlways) resolve subjects in one batch
static void	wheelMemberCacheClear() clear cache on this jvm when adjusting wheel members

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PrivilegeHelper

public PrivilegeHelper()

Method Detail

main

public static void main(String[] args)

fieldIdsFromPrivileges

public static Collection<String> fieldIdsFromPrivileges(Collection<Privilege> privileges)

convert a collection of privileges to a collection of fieldIds

Parameters:

privileges -

Returns:

the field

hasImmediatePrivilege

public static boolean hasImmediatePrivilege(Group group,
                                            Subject subject,
                                            Privilege privilege)

see if a group has an immediate privilege

Parameters:

group -

subject -

privilege -

Returns:

true if has immediate privilege, false if not

flushCache

public static void flushCache()

flush all privilege caches

resolveSubjects

public static void resolveSubjects(Collection<GrouperPrivilege> grouperPrivileges,
                                   boolean resolveAllAlways)

resolve subjects in one batch

Parameters:

grouperPrivileges -

resolveAllAlways - true to always resolve all no matter how many, false if there are more than 2000 or however many (e.g. for UI)

canAdmin

public static boolean canAdmin(GrouperSession s,
                               Group g,
                               Subject subj)

Parameters:

s -

g -

subj -

Returns:

admin

Since:

1.2.1

canAttrAdmin

public static boolean canAttrAdmin(GrouperSession s,
                                   AttributeDef attributeDef,
                                   Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

admin

canAttrRead

public static boolean canAttrRead(GrouperSession s,
                                  AttributeDef attributeDef,
                                  Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

admin

canAttrView

public static boolean canAttrView(GrouperSession s,
                                  AttributeDef attributeDef,
                                  Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

admin

canGroupAttrRead

public static boolean canGroupAttrRead(GrouperSession s,
                                       Group group,
                                       Subject subj)

Parameters:

s -

group -

subj -

Returns:

true if allowed

canGroupAttrUpdate

public static boolean canGroupAttrUpdate(GrouperSession s,
                                         Group group,
                                         Subject subj)

Parameters:

s -

group -

subj -

Returns:

true if allowed

canAttrDefAttrRead

public static boolean canAttrDefAttrRead(GrouperSession s,
                                         AttributeDef attributeDef,
                                         Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

true if allowed

canAttrDefAttrUpdate

public static boolean canAttrDefAttrUpdate(GrouperSession s,
                                           AttributeDef attributeDef,
                                           Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

true if allowed

canStemAttrRead

public static boolean canStemAttrRead(GrouperSession s,
                                      Stem stem,
                                      Subject subj)

Parameters:

s -

stem -

subj -

Returns:

true if allowed

canStemAttrUpdate

public static boolean canStemAttrUpdate(GrouperSession s,
                                        Stem stem,
                                        Subject subj)

Parameters:

s -

stem -

subj -

Returns:

true if allowed

canAttrUpdate

public static boolean canAttrUpdate(GrouperSession s,
                                    AttributeDef attributeDef,
                                    Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

admin

canAttrOptin

public static boolean canAttrOptin(GrouperSession s,
                                   AttributeDef attributeDef,
                                   Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

admin

canAttrOptout

public static boolean canAttrOptout(GrouperSession s,
                                    AttributeDef attributeDef,
                                    Subject subj)

Parameters:

s -

attributeDef -

subj -

Returns:

admin

canCreate

public static boolean canCreate(GrouperSession s,
                                Stem ns,
                                Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

ns -

subj -

Returns:

can create

Since:

1.2.1

canOptin

public static boolean canOptin(GrouperSession s,
                               Group g,
                               Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

g -

subj -

Returns:

can

Since:

1.2.1

hasPrivilege

public static boolean hasPrivilege(GrouperSession s,
                                   Stem stem,
                                   Subject subj,
                                   Set<Privilege> privInSet)

Parameters:

s -

stem -

subj -

privInSet -

Returns:

if has privilege

hasPrivilege

public static boolean hasPrivilege(GrouperSession s,
                                   Group g,
                                   Subject subj,
                                   Set<Privilege> privInSet)

Parameters:

s -

g -

subj -

privInSet -

Returns:

if has privilege

canOptout

public static boolean canOptout(GrouperSession s,
                                Group g,
                                Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

g -

subj -

Returns:

can optout

Since:

1.2.1

canRead

public static boolean canRead(GrouperSession s,
                              Group g,
                              Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

g -

subj -

Returns:

can read

Since:

1.2.1

canStem

public static boolean canStem(Stem ns,
                              Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

ns -

subj -

Returns:

can stem

Since:

1.2.1

canStemAdmin

public static boolean canStemAdmin(Stem ns,
                                   Subject subj)

Parameters:

ns -

subj -

Returns:

can stem admin

canStem

public static boolean canStem(GrouperSession s,
                              Stem ns,
                              Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

ns -

subj -

Returns:

can stem

Since:

1.2.1

canStemAdmin

public static boolean canStemAdmin(GrouperSession s,
                                   Stem ns,
                                   Subject subj)

Parameters:

s -

ns -

subj -

Returns:

can stem admin

canUpdate

public static boolean canUpdate(GrouperSession s,
                                Group g,
                                Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

g -

subj -

Returns:

can update

Since:

1.2.1

canView

public static boolean canView(GrouperSession s,
                              Group g,
                              Subject subj)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

g -

subj -

Returns:

can view

Since:

1.2.1

canViewGroups

public static Set canViewGroups(GrouperSession s,
                                Set candidates)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

candidates -

Returns:

can view

Since:

1.2.1

canViewMembership

public static boolean canViewMembership(GrouperSession grouperSession,
                                        Membership membership)

Parameters:

grouperSession -

membership -

Returns:

true if ok, false if not

canViewMemberships

public static Set<Membership> canViewMemberships(GrouperSession grouperSession,
                                                 Collection<Membership> inputMemberships)

Parameters:

grouperSession -

inputMemberships -

Returns:

filtered memberships

canViewMembers

public static boolean canViewMembers(GrouperSession grouperSession,
                                     Group group,
                                     Field field)

Parameters:

grouperSession -

group -

field -

Returns:

true or false

dispatch

public static void dispatch(GrouperSession s,
                            Group g,
                            Subject subj,
                            Privilege priv)
                     throws InsufficientPrivilegeException,
                            SchemaException

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

g -

subj -

priv -

Throws:

InsufficientPrivilegeException

SchemaException

dispatch

public static void dispatch(GrouperSession s,
                            Stem ns,
                            Subject subj,
                            Privilege priv)
                     throws InsufficientPrivilegeException,
                            SchemaException

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

ns -

subj -

priv -

Throws:

InsufficientPrivilegeException

SchemaException

dispatch

public static void dispatch(GrouperSession s,
                            AttributeDef attributeDef,
                            Subject subj,
                            Privilege priv)
                     throws InsufficientPrivilegeException,
                            SchemaException

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

attributeDef -

subj -

priv -

Throws:

InsufficientPrivilegeException

SchemaException

getAccessPrivileges

public static Privilege[] getAccessPrivileges(Privilege[] privileges)

TODO 20070824 add tests

Parameters:

privileges -

Returns:

Given an array of privileges return an array of access privileges.

Since:

1.2.1

getAttributeDefPrivileges

public static Privilege[] getAttributeDefPrivileges(Privilege[] privileges)

TODO 20070824 add tests

Parameters:

privileges -

Returns:

Given an array of privileges return an array of access privileges.

Since:

1.2.1

getNamingPrivileges

public static Privilege[] getNamingPrivileges(Privilege[] privileges)

TODO 20070824 add tests

Parameters:

privileges -

Returns:

Given an array of privileges return an array of naming privileges.

Since:

1.2.1

isRoot

public static boolean isRoot(GrouperSession s)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

Returns:

is root

isSystemSubject

public static boolean isSystemSubject(Subject subject)

see if system subject

Parameters:

subject -

Returns:

true if grouper system

isWheel

public static boolean isWheel(GrouperSession s)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

Returns:

is wheel

isWheelOrRootOrViewonlyRoot

public static boolean isWheelOrRootOrViewonlyRoot(Subject subject)

see if a subject is wheel or root or viewonly root (or readonly)

Parameters:

subject -

Returns:

true or false

isWheelOrRootOrReadonlyRoot

public static boolean isWheelOrRootOrReadonlyRoot(Subject subject)

see if a subject is wheel or root or readonly root

Parameters:

subject -

Returns:

true or false

wheelMemberCacheClear

public static void wheelMemberCacheClear()

clear cache on this jvm when adjusting wheel members

isWheelOrRoot

public static boolean isWheelOrRoot(Subject subject)

see if a subject is wheel or root

Parameters:

subject -

Returns:

true or false

canMoveStems

public static boolean canMoveStems(Subject subject)

Is this user allowed to move stems?

Parameters:

subject -

Returns:

boolean

canCopyStems

public static boolean canCopyStems(Subject subject)

Is this user allowed to copy stems?

Parameters:

subject -

Returns:

boolean

canRenameStems

public static boolean canRenameStems(Subject subject)

Is this user allowed to rename stems?

Parameters:

subject -

Returns:

boolean

hasPrivilege

public static boolean hasPrivilege(GrouperSession s,
                                   AttributeDef attributeDef,
                                   Subject subj,
                                   Set<Privilege> privInSet)

Parameters:

s -

attributeDef -

subj -

privInSet -

Returns:

if has privilege

canViewAttributeDefs

public static Set<AttributeDef> canViewAttributeDefs(GrouperSession s,
                                                     Collection<AttributeDef> inputAttributeDefs)

TODO 20070823 find a real home for this and/or add tests

Parameters:

s -

inputAttributeDefs -

Returns:

filtered attributeDefs

canViewAttributeAssign

public static boolean canViewAttributeAssign(GrouperSession grouperSession,
                                             AttributeAssign attributeAssign,
                                             boolean checkUnderlyingIfAssignmentOnAssignment)

see if the attribute assigns are viewable

Parameters:

grouperSession -

attributeAssign -

checkUnderlyingIfAssignmentOnAssignment - if deep security check should take place on underlying assignments

Returns:

filtered memberships

canViewAttributeAssigns

public static Set<AttributeAssign> canViewAttributeAssigns(GrouperSession grouperSession,
                                                           Collection<AttributeAssign> inputAttributeAssigns,
                                                           boolean checkUnderlyingIfAssignmentOnAssignment)

see if the attribute assigns are viewable

Parameters:

grouperSession -

inputAttributeAssigns -

checkUnderlyingIfAssignmentOnAssignment - if deep security check should take place on underlying assignments

Returns:

filtered memberships

canViewPermissions

public static Set<PermissionEntry> canViewPermissions(GrouperSession grouperSession,
                                                      Collection<PermissionEntry> inputPermissionEntries)

see if the attribute assigns are viewable

Parameters:

grouperSession -

inputPermissionEntries -

Returns:

filtered memberships

canViewPITAttributeAssigns

public static Set<PITAttributeAssign> canViewPITAttributeAssigns(GrouperSession grouperSession,
                                                                 Collection<PITAttributeAssign> inputPITAttributeAssigns,
                                                                 boolean checkUnderlyingIfAssignmentOnAssignment)

see if the pit attribute assigns are viewable

Parameters:

grouperSession -

inputPITAttributeAssigns -

checkUnderlyingIfAssignmentOnAssignment - if deep security check should take place on underlying assignments

Returns:

filtered pit attribute assignments

hasImmediatePrivilege

public static boolean hasImmediatePrivilege(Stem stem,
                                            Subject subject,
                                            Privilege privilege)

see if a stem has an immediate privilege

Parameters:

stem -

subject -

privilege -

Returns:

true if has immediate privilege, false if not

hasImmediatePrivilege

public static boolean hasImmediatePrivilege(AttributeDef attributeDef,
                                            Subject subject,
                                            Privilege privilege)

see if an attributeDef has an immediate privilege

Parameters:

attributeDef -

subject -

privilege -

Returns:

true if has immediate privilege, false if not