RestSecurityServiceImpl.java

/*
 * Copyright (C) 2003-2014 eXo Platform SAS.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
  
package org.exoplatform.calendar.ws.common;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;

import org.exoplatform.container.component.BaseComponentPlugin;
import org.exoplatform.container.xml.InitParams;
import org.exoplatform.container.xml.PropertiesParam;
import org.exoplatform.container.xml.Property;
import org.exoplatform.portal.config.UserACL;

public class RestSecurityServiceImpl implements RestSecurityService {

  private PermissionConfig config = new PermissionConfig();

  private UserACL userACL;

  public static String NOBODY = "NOBODY";

  public RestSecurityServiceImpl(UserACL userACL) {
    this.userACL = userACL;
  }

  public boolean hasPermission(String requestPath) {
    if (requestPath != null) {      
      for (Set<String> permissions : config.getPermission(requestPath)) {
        boolean hasPermission = false;
        
        for (String per : permissions) {
          //Remove nobody permission checking after upgrading to gatein 3.7.x
          per = NOBODY.equalsIgnoreCase(per) ? null : per;          
          if (userACL.hasPermission(per)) {
            hasPermission = true;
            break;
          }
        }
        
        //user don't have permission to access a fragment will
        //not be allowed to access the whole path
        if (permissions.size() > 0 && !hasPermission) {
          return false;
        }
      }
    }

    //
    return true;
  }

  public void addPermission(PermissionPlugin config) {
    Map<String, String> perConfig = config.getConfig();
    for (Entry<String, String> c : perConfig.entrySet()) {      
      addPermission(c.getKey(), c.getValue());
    }
  }
  
  public void addPermission(String path, String permission) {
    synchronized (config) {
      config.addConfig(path, permission);
    }
  }
  
  public static class PermissionConfig {
    private Map<String, PermissionConfig> childs = new HashMap<String, PermissionConfig>();
    private Set<String> permission = new HashSet<String>();
    
    public List<Set<String>> getPermission(String path) {
      List<String> fragments = getFragments(path);
      
      List<Set<String>> result = new LinkedList<Set<String>>();
      result.add(this.permission);

      PermissionConfig current = this;
      for (String fragment : fragments) {
        current = current.childs.get(fragment);        
        if (current != null) {
          result.add(current.permission);
        } else {
          break;
        }
      }
      return result;
    }
    
    public void addConfig(String path, String permission) {      
      List<String> fragments = getFragments(path);
      PermissionConfig current = this;
      
      for (String fragment : fragments) {        
        PermissionConfig child = current.childs.get(fragment);
        if (child != null) {
          current  = child; 
        } else {
          child = new PermissionConfig();
          current.childs.put(fragment, child);
          current = child;
        }
      }
      for (String per : permission.split(",")) {
        per = per.trim();
        if (!per.isEmpty()) {
          current.permission.add(per);
        }
      }
    }
    
    private List<String> getFragments(String path) {
      List<String> fragments = new LinkedList<String>();
      
      if (path != null) {
        String[] tmp = path.split("/");
        for (String s : tmp) {
          s = s.trim();
          if (!s.isEmpty()) {
            fragments.add(s);
          }
        }        
      }
      return fragments;      
    }
  }

  /**
   * The permission follow pattern: membershipType:groupId. For example: *:/platform/administrators <br>
   */
  public static class PermissionPlugin extends BaseComponentPlugin {
    private Map<String, String> config = new HashMap<String, String>();
    
    public PermissionPlugin(InitParams params) {
      if (params != null) {
        @SuppressWarnings("unchecked")
        Iterator<PropertiesParam> iter = params.getPropertiesParamIterator();
        while (iter.hasNext()) {
          PropertiesParam param = iter.next();
          Iterator<Property> props = param.getPropertyIterator();
          while (props.hasNext()) {
            Property permission = props.next();
            config.put(permission.getName().trim(), permission.getValue().trim());
          }
        }
      }
    }
    
    public Map<String, String> getConfig() {
      return config;
    }
  }
}