Package edu.internet2.middleware.grouper.rules

Class RuleApi

java.lang.Object
edu.internet2.middleware.grouper.rules.RuleApi
public class RuleApi extends Object
helper methods to assign rules to objects without having to deal with attributes note, you can use this from gsh too

  • Constructor Details

    • RuleApi

      public RuleApi()

  • Method Details

    • reassignGroupPrivilegesIfFromGroup

      public static AttributeAssign reassignGroupPrivilegesIfFromGroup(Subject actAs, Stem ruleStem, Stem.Scope stemScope)
      normalize privileges if the user who creates a group is in a group which has create privilegs on the stem
      Parameters:
      actAs -
      ruleStem -
      stemScope -
      Returns:
      the attribute assignment

    • reassignAttributeDefPrivilegesIfFromGroup

      public static AttributeAssign reassignAttributeDefPrivilegesIfFromGroup(Subject actAs, Stem ruleStem, Stem.Scope stemScope)
      normalize privileges if the user who creates a group is in a group which has create privilegs on the stem
      Parameters:
      actAs -
      ruleStem -
      stemScope -
      Returns:
      the attribute assignment

    • vetoMembershipIfNotInGroupInFolder

      public static AttributeAssign vetoMembershipIfNotInGroupInFolder(Subject actAs, Group ruleGroup, Stem mustBeInGroupInFolder, Stem.Scope stemScope, String vetoKey, String vetoMessage)
      Parameters:
      actAs -
      ruleGroup -
      mustBeInGroupInFolder -
      stemScope -
      vetoKey -
      vetoMessage -
      Returns:
      the assignment in case there are edits

    • vetoSubjectAssignInFolderIfNotInGroup

      public static AttributeAssign vetoSubjectAssignInFolderIfNotInGroup(Subject actAs, Stem ruleStem, Group mustBeInGroup, boolean allowAll, String sourceId, Stem.Scope stemScope, String vetoKey, String vetoMessage)
      add a rule on a stem saying that all subject use in the folder must be in a certain group. note, the first rule found will be used
      Parameters:
      actAs -
      ruleStem -
      mustBeInGroup - if blank and not allowAll, then restrict all
      allowAll - if mustBeIn is blank and allowAll, then allow all (to override a restriction in ancestor folders)
      sourceId - optional (recommended), to constraint this to subjects from certain sources
      stemScope -
      vetoKey -
      vetoMessage -
      Returns:
      the assignment in case there are edits

    • vetoMembershipIfNotInGroup

      public static AttributeAssign vetoMembershipIfNotInGroup(Subject actAs, Group ruleGroup, Group mustBeInGroup, String vetoKey, String vetoMessage)
      Parameters:
      actAs -
      ruleGroup -
      mustBeInGroup -
      vetoKey -
      vetoMessage -
      Returns:
      the assignment in case there are edits

    • vetoMembershipIfTooManyMembers

      public static AttributeAssign vetoMembershipIfTooManyMembers(Subject actAs, Group ruleGroup, Group groupToCheckMemberSize, int maxMembers, String sources, String vetoKey, String vetoMessage)
      Parameters:
      actAs -
      ruleGroup -
      groupToCheckMemberSize - null if ruleGroup, else the parent group to check members
      maxMembers - number of members that are the max of owner
      sources - comma separate sourceIds if checking source of members. e.g. source with your people
      vetoKey -
      vetoMessage -
      Returns:
      the assignment in case there are edits

    • inheritAttributeDefPrivileges

      @Deprecated public static AttributeAssign inheritAttributeDefPrivileges(Subject actAs, Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges)
      Deprecated.
      use the method without actAs inheritAttributeDefPrivileges(Stem stem, Scope stemScope, Subject subjectToAssign, Set privileges
      make sure stem privileges are inherited in a attributeDef
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      Returns:
      the assignment in case there are edits

    • inheritAttributeDefPrivileges

      public static AttributeAssign inheritAttributeDefPrivileges(Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges)
      make sure stem privileges are inherited in a attributeDef
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      Returns:
      the assignment in case there are edits

    • inheritFolderPrivileges

      @Deprecated public static AttributeAssign inheritFolderPrivileges(Subject actAs, Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges)
      Deprecated.
      use the method without actAs
      make sure stem privileges are inherited in a stem
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      Returns:
      the assignment in case there are edits

    • inheritFolderPrivileges

      public static AttributeAssign inheritFolderPrivileges(Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges)
      make sure stem privileges are inherited in a stem
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      Returns:
      the assignment in case there are edits

    • inheritGroupPrivileges

      @Deprecated public static AttributeAssign inheritGroupPrivileges(Subject actAs, Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges)
      Deprecated.
      use the non actAs method inheritGroupPrivileges(Stem stem, Scope stemScope, Subject subjectToAssign, Set privileges)
      make sure group privileges are inherited in a stem
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      Returns:
      the assignment in case there are edits

    • inheritGroupPrivileges

      public static AttributeAssign inheritGroupPrivileges(Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges)
      make sure group privileges are inherited in a stem
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      Returns:
      the assignment in case there are edits

    • removePrivilegesIfNotAssignedByRule

      public static int removePrivilegesIfNotAssignedByRule(boolean actAsRoot, Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges, String sqlLikeString)
      remove group privileges are inherited in a stem
      Parameters:
      actAsRoot -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      sqlLikeString -
      Returns:
      the number removed

    • hasInheritedPrivilege

      public static boolean hasInheritedPrivilege(GrouperObject grouperObject, Subject subject, Privilege privilege, boolean considerInGroup)
      see if there is an inherited privilege
      Parameters:
      grouperObject -
      subject -
      privilege -
      considerInGroup - if allow the subject to be in a group which has an inherited privilege
      Returns:
      true if so, or false if not

    • hasInheritedPrivilege

      public static boolean hasInheritedPrivilege(Map<MultiKey,Set<RuleDefinition>> inheritedRulesCacheByStemIdSubjectPrivilege, GrouperObject grouperObject, Subject subject, Privilege privilege, boolean considerInGroup)
      see if there is an inherited privilege
      Parameters:
      inheritedRulesCacheByStemIdSubjectPrivilege -
      grouperObject -
      subject -
      privilege -
      considerInGroup - if allow the subject to be in a group which has an inherited privilege
      Returns:
      true if so, or false if not

    • inheritGroupPrivileges

      @Deprecated public static AttributeAssign inheritGroupPrivileges(Subject actAs, Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges, String sqlLikeString)
      Deprecated.
      use the method without actAs inheritGroupPrivileges(Stem stem, Scope stemScope, Subject subjectToAssign, Set privileges, String sqlLikeString)
      make sure group privileges are inherited in a stem
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      sqlLikeString -
      Returns:
      the assignment in case there are edits

    • inheritGroupPrivileges

      public static AttributeAssign inheritGroupPrivileges(Stem stem, Stem.Scope stemScope, Subject subjectToAssign, Set<Privilege> privileges, String sqlLikeString)
      make sure group privileges are inherited in a stem
      Parameters:
      actAs -
      stem -
      stemScope - ONE or SUB
      subjectToAssign -
      privileges - can use Privilege.getInstances() to convert from string
      sqlLikeString -
      Returns:
      the assignment in case there are edits

    • groupIntersectionWithFolder

      public static AttributeAssign groupIntersectionWithFolder(Subject actAs, Group ruleGroup, Stem folder, Stem.Scope stemScope)
      if a member is removed from a folder, and has no more memberships in any group in the folder, then remove from the group
      Parameters:
      actAs -
      ruleGroup -
      folder -
      stemScope -
      Returns:
      the assignment in case there are edits

    • groupIntersection

      public static AttributeAssign groupIntersection(Subject actAs, Group ruleGroup, Group mustBeInGroup)
      put a rule on the rule group which says that if the user is not in the mustBeInGroup, then remove from ruleGroup
      Parameters:
      actAs -
      ruleGroup -
      mustBeInGroup -
      Returns:
      the assignment in case there are edits

    • groupIntersection

      public static AttributeAssign groupIntersection(Subject actAs, Group ruleGroup, Group mustBeInGroup, int daysInFutureForDisabledDate)
      put a rule on the rule group which says that if the user is not in the mustBeInGroup, then add an end date to the membership in the rule group X days in the future
      Parameters:
      actAs -
      ruleGroup -
      mustBeInGroup -
      daysInFutureForDisabledDate -
      Returns:
      the assignment in case there are edits

    • groupDefaultDisabledDate

      public static AttributeAssign groupDefaultDisabledDate(Subject actAs, Group ruleGroup, int daysInFutureForDisabledDate)
      put a rule on the rule group which says that by default memberships get a disabled date X days in the future
      Parameters:
      actAs -
      ruleGroup -
      mustBeInGroup -
      daysInFutureForDisabledDate -
      Returns:
      the assignment in case there are edits

    • rulesToString

      public static String rulesToString()
      Returns:
      the string

    • rulesToString

      public static String rulesToString(AttributeAssignable attributeAssignable)
      Parameters:
      attributeAssignable -
      Returns:
      the string

    • runRulesForOwner

      public static int runRulesForOwner(AttributeAssignable attributeAssignable)
      run rules for an attribute assignable
      Parameters:
      attributeAssignable -
      Returns:
      the number of rules ran (note, if not valid or not daemonable then dont run, then that doesnt count)

    • permissionGroupIntersection

      public static AttributeAssign permissionGroupIntersection(Subject actAs, AttributeDef permissionToAssignRule, Group mustBeInGroup, int daysInFutureToDisable)
      put a rule on an attribute def so that if a user comes out of a group, the user will have disabled dates from a role which has permissions or removed assignments directly to the user
      Parameters:
      actAs -
      permissionToAssignRule -
      mustBeInGroup -
      daysInFutureToDisable -
      Returns:
      the assignment in case there are edits

    • permissionGroupIntersection

      public static AttributeAssign permissionGroupIntersection(Subject actAs, AttributeDef permissionToAssignRule, Group mustBeInGroup)
      put a rule on an attribute def so that if a user comes out of a group, the user will be removed from a role which has permissions or removed assignments directly to the user
      Parameters:
      actAs -
      permissionToAssignRule -
      mustBeInGroup -
      Returns:
      the assignment in case there are edits

    • permissionFolderIntersection

      public static AttributeAssign permissionFolderIntersection(Subject actAs, AttributeDef permissionToAssignRule, Stem mustBeInGroupInFolder, Stem.Scope stemScope)
      Parameters:
      actAs -
      permissionToAssignRule -
      mustBeInGroupInFolder -
      stemScope -
      Returns:
      the assignment in case there are edits

    • vetoPermissionIfNotInGroup

      public static AttributeAssign vetoPermissionIfNotInGroup(Subject actAs, AttributeDef permissionDef, Group mustBeInGroup, String vetoKey, String vetoMessage)
      veto a direct permission assignment if not in group
      Parameters:
      actAs -
      permissionDef -
      mustBeInGroup -
      vetoKey -
      vetoMessage -
      Returns:
      the assignment in case there are edits

    • emailOnFlattenedMembershipRemove

      public static AttributeAssign emailOnFlattenedMembershipRemove(Subject actAsSubject, Group ruleGroup, String emailToValue, String emailSubjectValue, String emailBodyValue)
      Parameters:
      ruleGroup -
      actAsSubject -
      emailToValue - e.g. "a@b.c, ${safeSubject.emailAddress}"
      emailSubjectValue - e.g. "You will be removed from group: ${groupDisplayExtension}"
      emailBodyValue - e.g. "template: testEmailGroupBodyFlattenedRemove"
      Returns:
      the assignment in case there are edits

    • emailOnFlattenedMembershipAddFromStem

      public static AttributeAssign emailOnFlattenedMembershipAddFromStem(Subject actAsSubject, Stem ruleStem, Stem.Scope stemScope, String emailToValue, String emailSubjectValue, String emailBodyValue)
      Parameters:
      actAsSubject -
      ruleStem -
      stemScope -
      emailToValue -
      emailSubjectValue -
      emailBodyValue -
      Returns:
      the assignment in case there are edits

    • emailOnFlattenedMembershipRemoveFromStem

      public static AttributeAssign emailOnFlattenedMembershipRemoveFromStem(Subject actAsSubject, Stem ruleStem, Stem.Scope stemScope, String emailToValue, String emailSubjectValue, String emailBodyValue)
      Parameters:
      actAsSubject -
      ruleStem -
      stemScope -
      emailToValue -
      emailSubjectValue -
      emailBodyValue -
      Returns:
      the assignment to tweak it

    • emailOnFlattenedMembershipAdd

      public static AttributeAssign emailOnFlattenedMembershipAdd(Subject actAsSubject, Group ruleGroup, String emailToValue, String emailSubjectValue, String emailBodyValue)
      Parameters:
      ruleGroup -
      actAsSubject -
      emailToValue - e.g. "a@b.c, ${safeSubject.emailAddress}"
      emailSubjectValue - e.g. "You were added to group: ${groupDisplayExtension}"
      emailBodyValue - e.g. "template: testEmailGroupBodyFlattenedAdd"
      Returns:
      the assignment to tweak it

    • emailOnFlattenedDisabledDate

      public static AttributeAssign emailOnFlattenedDisabledDate(Subject actAsSubject, Group ruleGroup, Integer daysInFutureDisabledDateMin, Integer daysInFutureDisabledDateMax, String emailToValue, String emailSubjectValue, String emailBodyValue)
      send emails via daemon on impending disabled memberships
      Parameters:
      actAsSubject -
      ruleGroup -
      daysInFutureDisabledDateMin -
      daysInFutureDisabledDateMax -
      emailToValue -
      emailSubjectValue -
      emailBodyValue -
      Returns:
      the attribute assign for customizing

    • emailOnFlattenedPermissionDisabledDate

      public static AttributeAssign emailOnFlattenedPermissionDisabledDate(Subject actAsSubject, AttributeDef permissionDef, Integer daysInFutureDisabledDateMin, Integer daysInFutureDisabledDateMax, String emailToValue, String emailSubjectValue, String emailBodyValue)
      Parameters:
      actAsSubject -
      permissionDef -
      daysInFutureDisabledDateMin -
      daysInFutureDisabledDateMax -
      emailToValue -
      emailSubjectValue -
      emailBodyValue -
      Returns:
      attribute assign for customizing

    • reassignStemPrivilegesIfFromGroup

      public static AttributeAssign reassignStemPrivilegesIfFromGroup(Subject actAs, Stem ruleStem, Stem.Scope stemScope)
      normalize privileges if the user who creates a stem is in a group which has create privileges on the stem
      Parameters:
      actAs -
      ruleStem -
      stemScope -
      Returns:
      the attribute assignment