Package edu.internet2.middleware.grouper.privs

Class ValidatingAccessResolver

java.lang.Object

edu.internet2.middleware.grouper.privs.AccessResolverDecorator

edu.internet2.middleware.grouper.privs.ValidatingAccessResolver

All Implemented Interfaces:

AccessResolver

public class ValidatingAccessResolver
extends AccessResolverDecorator

Decorator that provides parameter validation for AccessResolver.

Since:

1.2.1

Version:

$Id: ValidatingAccessResolver.java,v 1.13 2009-09-21 06:14:26 mchyzer Exp $

Constructor Summary

Constructors

Constructor	Description
ValidatingAccessResolver(AccessResolver resolver)

Method Summary

Modifier and Type	Method	Description
void	flushCache()	flush cache if caching resolver
Set<Group>	getGroupsWhereSubjectDoesntHavePrivilege(String stemId, Stem.Scope scope, Subject subject, Privilege privilege, boolean considerAllSubject, String sqlLikeString)	find the groups which do not have a certain privilege
Set<Group>	getGroupsWhereSubjectHasPrivilege(Subject subject, Privilege privilege)	Get all groups where subject has privilege.
Set<AccessPrivilege>	getPrivileges(Group group, Subject subject)	Get all privileges subject has on group.
Set<Stem>	getStemsWhereGroupThatSubjectHasPrivilege(Subject subject, Privilege privilege)	Get all stems which have groups where subject has privilege.
Set<Subject>	getSubjectsWithPrivilege(Group group, Privilege privilege)	Get all subjects with privilege on group.
void	grantPrivilege(Group group, Subject subject, Privilege privilege, String uuid)	Grant privilege to subject on group.
boolean	hasPrivilege(Group group, Subject subject, Privilege privilege)	Check whether subject has privilege on group.
boolean	hqlFilterGroupsNotWithPrivWhereClause(Subject subject, HqlQuery hqlQuery, StringBuilder hql, String groupColumn, Privilege privilege, boolean considerAllSubject)	for a group query, check to make sure the subject cant see the records
boolean	hqlFilterGroupsWhereClause(Subject subject, HqlQuery hqlQuery, StringBuilder hql, String groupColumn, Set<Privilege> privInSet)	for a group query, check to make sure the subject can see the records (if filtering HQL, you can do the postHqlFilterGroups instead if you like)
Set<Group>	postHqlFilterGroups(Set<Group> groups, Subject subject, Set<Privilege> privInSet)	after HQL is run, filter groups.
Set<Membership>	postHqlFilterMemberships(Subject subject, Set<Membership> memberships)	filter memberships for things the subject can see
Set<Stem>	postHqlFilterStemsWithGroups(Set<Stem> stems, Subject subject, Set<Privilege> inPrivSet)	after HQL is run, filter stems that have groups with privs.
void	privilegeCopy(Group g1, Group g2, Privilege priv)	Copies privileges for subjects that have the specified privilege on g1 to g2.
void	privilegeCopy(Subject subj1, Subject subj2, Privilege priv)	Copies privileges of type priv on any subject for the given Subject subj1 to the given Subject subj2.
Set<PrivilegeSubjectContainer>	retrievePrivileges(Group group, Set<Privilege> privileges, MembershipType membershipType, QueryPaging queryPaging, Set<Member> additionalMembers)	get a list of privilege subjects, there are no results with the same subject
void	revokeAllPrivilegesForSubject(Subject subject)	Revoke all access privileges that this subject has.
void	revokePrivilege(Group group, Privilege privilege)	Revoke privilege from all subjects on group.
void	revokePrivilege(Group group, Subject subject, Privilege privilege)	Revoke privilege from subject on group.

Methods inherited from class edu.internet2.middleware.grouper.privs.AccessResolverDecorator

getDecoratedResolver, getGrouperSession, getGroupsWhereSubjectDoesHavePrivilege, hqlFilterGroupsWithPrivWhereClause, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

ValidatingAccessResolver

public ValidatingAccessResolver(AccessResolver resolver)

Parameters:

resolver -

Since:

1.2.1

Method Details

flushCache

public void flushCache()

Description copied from interface: AccessResolver

flush cache if caching resolver

Specified by:

flushCache in interface AccessResolver

Overrides:

flushCache in class AccessResolverDecorator

See Also:

• AccessResolver.flushCache()

getGroupsWhereSubjectHasPrivilege

public Set<Group> getGroupsWhereSubjectHasPrivilege(Subject subject,
 Privilege privilege)
                                             throws IllegalArgumentException

Description copied from interface: AccessResolver

Get all groups where subject has privilege.

Specified by:

getGroupsWhereSubjectHasPrivilege in interface AccessResolver

Overrides:

getGroupsWhereSubjectHasPrivilege in class AccessResolverDecorator

Returns:

the set

Throws:

IllegalArgumentException - if any parameter is null.

Since:

1.2.1

See Also:

• AccessResolver.getGroupsWhereSubjectHasPrivilege(Subject, Privilege)

getGroupsWhereSubjectDoesntHavePrivilege

public Set<Group> getGroupsWhereSubjectDoesntHavePrivilege(String stemId,
 Stem.Scope scope,
 Subject subject,
 Privilege privilege,
 boolean considerAllSubject,
 String sqlLikeString)
                                                    throws IllegalArgumentException

Description copied from interface: AccessResolver

find the groups which do not have a certain privilege

Specified by:

getGroupsWhereSubjectDoesntHavePrivilege in interface AccessResolver

Overrides:

getGroupsWhereSubjectDoesntHavePrivilege in class AccessResolverDecorator

Returns:

the groups

Throws:

IllegalArgumentException

See Also:

• AccessResolver.getGroupsWhereSubjectDoesntHavePrivilege(String, Scope, Subject, Privilege, boolean, String)

getStemsWhereGroupThatSubjectHasPrivilege

public Set<Stem> getStemsWhereGroupThatSubjectHasPrivilege(Subject subject,
 Privilege privilege)
                                                    throws IllegalArgumentException

Description copied from interface: AccessResolver

Get all stems which have groups where subject has privilege.

Specified by:

getStemsWhereGroupThatSubjectHasPrivilege in interface AccessResolver

Overrides:

getStemsWhereGroupThatSubjectHasPrivilege in class AccessResolverDecorator

Returns:

the set

Throws:

IllegalArgumentException - if any parameter is null.

See Also:

• AccessResolverDecorator.getStemsWhereGroupThatSubjectHasPrivilege(edu.internet2.middleware.subject.Subject, edu.internet2.middleware.grouper.privs.Privilege)

getPrivileges

public Set<AccessPrivilege> getPrivileges(Group group,
 Subject subject)
                                   throws IllegalArgumentException

Description copied from interface: AccessResolver

Get all privileges subject has on group.

Specified by:

getPrivileges in interface AccessResolver

Overrides:

getPrivileges in class AccessResolverDecorator

Returns:

the set

Throws:

IllegalArgumentException - if any parameter is null.

Since:

1.2.1

See Also:

• AccessResolver.getPrivileges(Group, Subject)

getSubjectsWithPrivilege

public Set<Subject> getSubjectsWithPrivilege(Group group,
 Privilege privilege)
                                      throws IllegalArgumentException

Description copied from interface: AccessResolver

Get all subjects with privilege on group.

Specified by:

getSubjectsWithPrivilege in interface AccessResolver

Overrides:

getSubjectsWithPrivilege in class AccessResolverDecorator

Returns:

the set

Throws:

IllegalArgumentException - if any parameter is null.

Since:

1.2.1

See Also:

• AccessResolver.getSubjectsWithPrivilege(Group, Privilege)

grantPrivilege

public void grantPrivilege(Group group,
 Subject subject,
 Privilege privilege,
 String uuid)
                    throws IllegalArgumentException,
UnableToPerformException

Description copied from interface: AccessResolver

Grant privilege to subject on group.

Specified by:

grantPrivilege in interface AccessResolver

Overrides:

grantPrivilege in class AccessResolverDecorator

uuid - send uuid if known, else null

Throws:

IllegalArgumentException - if any parameter is null.

UnableToPerformException - if the privilege could not be granted.

Since:

1.2.1

See Also:

• AccessResolver.grantPrivilege(Group, Subject, Privilege, String)

hasPrivilege

public boolean hasPrivilege(Group group,
 Subject subject,
 Privilege privilege)
                     throws IllegalArgumentException

Description copied from interface: AccessResolver

Check whether subject has privilege on group.

Specified by:

hasPrivilege in interface AccessResolver

Overrides:

hasPrivilege in class AccessResolverDecorator

Returns:

boolean

Throws:

IllegalArgumentException - if any parameter is null.

Since:

1.2.1

See Also:

• AccessResolver.hasPrivilege(Group, Subject, Privilege)

revokePrivilege

public void revokePrivilege(Group group,
 Privilege privilege)
                     throws IllegalArgumentException,
UnableToPerformException

Description copied from interface: AccessResolver

Revoke privilege from all subjects on group.

Specified by:

revokePrivilege in interface AccessResolver

Overrides:

revokePrivilege in class AccessResolverDecorator

Throws:

IllegalArgumentException - if any parameter is null.

UnableToPerformException - if the privilege could not be revoked.

Since:

1.2.1

See Also:

• AccessResolver.revokePrivilege(Group, Privilege)

postHqlFilterGroups

public Set<Group> postHqlFilterGroups(Set<Group> groups,
 Subject subject,
 Set<Privilege> privInSet)

Description copied from interface: AccessResolver

after HQL is run, filter groups. If you are filtering in HQL, then dont filter here

Specified by:

postHqlFilterGroups in interface AccessResolver

Overrides:

postHqlFilterGroups in class AccessResolverDecorator

subject - which needs view access to the groups

privInSet - find a privilege which is in this set (e.g. for view, send all access privs). There are pre-canned sets in AccessAdapter

Returns:

the set of filtered groups

See Also:

• AccessResolver.postHqlFilterGroups(java.util.Set, edu.internet2.middleware.subject.Subject, java.util.Set)

postHqlFilterStemsWithGroups

public Set<Stem> postHqlFilterStemsWithGroups(Set<Stem> stems,
 Subject subject,
 Set<Privilege> inPrivSet)

Description copied from interface: AccessResolver

after HQL is run, filter stems that have groups with privs. If you are filtering HQL, then dont filter here.

Specified by:

postHqlFilterStemsWithGroups in interface AccessResolver

Overrides:

postHqlFilterStemsWithGroups in class AccessResolverDecorator

Returns:

the set of filtered stems

See Also:

• AccessResolver.postHqlFilterStemsWithGroups(java.util.Set, edu.internet2.middleware.subject.Subject, java.util.Set)

revokePrivilege

public void revokePrivilege(Group group,
 Subject subject,
 Privilege privilege)
                     throws IllegalArgumentException,
UnableToPerformException

Description copied from interface: AccessResolver

Revoke privilege from subject on group.

Specified by:

revokePrivilege in interface AccessResolver

Overrides:

revokePrivilege in class AccessResolverDecorator

Throws:

IllegalArgumentException - if any parameter is null.

UnableToPerformException - if the privilege could not be revoked.

Since:

1.2.1

See Also:

• AccessResolver.revokePrivilege(Group, Subject, Privilege)

privilegeCopy

public void privilegeCopy(Group g1,
 Group g2,
 Privilege priv)
                   throws IllegalArgumentException,
UnableToPerformException

Description copied from interface: AccessResolver

Copies privileges for subjects that have the specified privilege on g1 to g2.

Specified by:

privilegeCopy in interface AccessResolver

Overrides:

privilegeCopy in class AccessResolverDecorator

Throws:

IllegalArgumentException

UnableToPerformException

See Also:

• AccessResolver.privilegeCopy(edu.internet2.middleware.grouper.Group, edu.internet2.middleware.grouper.Group, edu.internet2.middleware.grouper.privs.Privilege)

privilegeCopy

public void privilegeCopy(Subject subj1,
 Subject subj2,
 Privilege priv)
                   throws IllegalArgumentException,
UnableToPerformException

Description copied from interface: AccessResolver

Copies privileges of type priv on any subject for the given Subject subj1 to the given Subject subj2. For instance, if subj1 has ADMIN privilege to Group x, this method will result with subj2 having ADMIN privilege to Group x.

Specified by:

privilegeCopy in interface AccessResolver

Overrides:

privilegeCopy in class AccessResolverDecorator

Throws:

IllegalArgumentException

UnableToPerformException

See Also:

• AccessResolver.privilegeCopy(edu.internet2.middleware.subject.Subject, edu.internet2.middleware.subject.Subject, edu.internet2.middleware.grouper.privs.Privilege)

hqlFilterGroupsWhereClause

public boolean hqlFilterGroupsWhereClause(Subject subject,
 HqlQuery hqlQuery,
 StringBuilder hql,
 String groupColumn,
 Set<Privilege> privInSet)

Description copied from interface: AccessResolver

for a group query, check to make sure the subject can see the records (if filtering HQL, you can do the postHqlFilterGroups instead if you like)

Specified by:

hqlFilterGroupsWhereClause in interface AccessResolver

Overrides:

hqlFilterGroupsWhereClause in class AccessResolverDecorator

Parameters:

subject - which needs view access to the groups

hql - the select and current from part

groupColumn - is the name of the group column to join to

privInSet - find a privilege which is in this set (e.g. for view, send all access privs)

Returns:

if the statement was changed

See Also:

• AccessResolver.hqlFilterGroupsWhereClause(edu.internet2.middleware.subject.Subject, edu.internet2.middleware.grouper.hibernate.HqlQuery, java.lang.StringBuilder, String, Set)

hqlFilterGroupsNotWithPrivWhereClause

public boolean hqlFilterGroupsNotWithPrivWhereClause(Subject subject,
 HqlQuery hqlQuery,
 StringBuilder hql,
 String groupColumn,
 Privilege privilege,
 boolean considerAllSubject)

Description copied from interface: AccessResolver

for a group query, check to make sure the subject cant see the records

Specified by:

hqlFilterGroupsNotWithPrivWhereClause in interface AccessResolver

Overrides:

hqlFilterGroupsNotWithPrivWhereClause in class AccessResolverDecorator

Parameters:

subject - which needs view access to the groups

hql - the select and current from part

groupColumn - is the name of the group column to join to

privilege - find a privilege which is in this set (e.g. for view, send all access privs)

considerAllSubject - if true, then consider GrouperAll when seeign if subject has priv, else do not

Returns:

if the statement was changed

See Also:

• edu.internet2.middleware.grouper.privs.AccessResolver#hqlFilterGroupsWhereClause(edu.internet2.middleware.subject.Subject, edu.internet2.middleware.grouper.hibernate.HqlQuery, java.lang.StringBuilder, String, Privilege, boolean)

postHqlFilterMemberships

public Set<Membership> postHqlFilterMemberships(Subject subject,
 Set<Membership> memberships)

Description copied from interface: AccessResolver

filter memberships for things the subject can see

Specified by:

postHqlFilterMemberships in interface AccessResolver

Overrides:

postHqlFilterMemberships in class AccessResolverDecorator

Returns:

the memberships

See Also:

• AccessResolver.postHqlFilterMemberships(edu.internet2.middleware.subject.Subject, java.util.Set)

revokeAllPrivilegesForSubject

public void revokeAllPrivilegesForSubject(Subject subject)

Description copied from interface: AccessResolver

Revoke all access privileges that this subject has.

Specified by:

revokeAllPrivilegesForSubject in interface AccessResolver

Overrides:

revokeAllPrivilegesForSubject in class AccessResolverDecorator

See Also:

• AccessResolver.revokeAllPrivilegesForSubject(edu.internet2.middleware.subject.Subject)

retrievePrivileges

public Set<PrivilegeSubjectContainer> retrievePrivileges(Group group,
 Set<Privilege> privileges,
 MembershipType membershipType,
 QueryPaging queryPaging,
 Set<Member> additionalMembers)

Description copied from interface: AccessResolver

get a list of privilege subjects, there are no results with the same subject

Specified by:

retrievePrivileges in interface AccessResolver

Overrides:

retrievePrivileges in class AccessResolverDecorator

Parameters:

group - to search on

privileges - if blank, get all

membershipType - if immediate, effective, or blank for all

queryPaging - if a certain page should be returned, based on subject

additionalMembers - additional members to query that the user is finding or adding

Returns:

the privilege subject combinations

See Also:

• AccessResolverDecorator.retrievePrivileges(Group, java.util.Set, edu.internet2.middleware.grouper.membership.MembershipType, edu.internet2.middleware.grouper.internal.dao.QueryPaging, java.util.Set)