Package org.opencastproject.security.api

Class AccessControlUtil

java.lang.Object

org.opencastproject.security.api.AccessControlUtil

public final class AccessControlUtil
extends Object

Provides common functions helpful in dealing with AccessControlLists.

Method Summary

Modifier and Type	Method	Description
static AccessControlList	acl(Either<AccessControlEntry,List<AccessControlEntry>>... entries)	Constructor function for ACLs.
static Checksum	calculateChecksum(AccessControlList acl)	Calculate an MD5 checksum for an AccessControlList.
static Either<AccessControlEntry,List<AccessControlEntry>>	entries(String role, Tuple<String,Boolean>... actions)	Create a list of access control entries for a given role.
static Either<AccessControlEntry,List<AccessControlEntry>>	entry(String role, String action, boolean allow)	Create a single access control entry.
static boolean	equals(AccessControlList a, AccessControlList b)	Define equality on AccessControlLists.
static AccessControlList	extendAcl(AccessControlList acl, String role, String action, boolean allow)	Extends an access control list with an access control entry
static boolean	isAuthorized(AccessControlList acl, User user, Organization org, Object action)	Determines whether the AccessControlList permits a user to perform an action.
static boolean	isAuthorized(AccessControlList acl, User user, Organization org, Object action, String mediaPackageId)	Determines whether the AccessControlList permits a user to perform an action.
static boolean	isAuthorizedAll(AccessControlList acl, User user, Organization org, Object... actions)	Returns true only if all actions are authorized.
static boolean	isAuthorizedOne(AccessControlList acl, User user, Organization org, Object... actions)	Returns true if at least one action is authorized.
static boolean	isProhibitedAll(AccessControlList acl, User user, Organization org, Object... actions)	Returns true if all actions are prohibited.
static boolean	isProhibitedOne(AccessControlList acl, User user, Organization org, Object... actions)	Returns true if at least one action is prohibited.
static AccessControlList	reduceAcl(AccessControlList acl, String role, String action)	Reduces an access control list by an access control entry

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

isAuthorized

public static boolean isAuthorized(AccessControlList acl,
 User user,
 Organization org,
 Object action)

Determines whether the AccessControlList permits a user to perform an action. There are three ways a user can be allowed to perform an action:

1. They have the superuser role
2. They have their local organization's admin role
3. They have a role listed in the series ACL, with write permission

Parameters:

acl - the AccessControlList

user - the user

org - the organization

action - The action to perform. action may be an arbitrary object. The authorization check is done on the string representation of the object (#toString()). This allows to group actions as enums and use them without converting them to a string manually. See Permissions.Action.

Returns:

whether this action should be allowed

Throws:

IllegalArgumentException - if any of the arguments are null

isAuthorized

public static boolean isAuthorized(AccessControlList acl,
 User user,
 Organization org,
 Object action,
 String mediaPackageId)

Determines whether the AccessControlList permits a user to perform an action. There are three ways a user can be allowed to perform an action:

1. They have the superuser role
2. They have their local organization's admin role
3. They have a role listed in the series ACL, with write permission

Parameters:

acl - the AccessControlList

user - the user

org - the organization

action - The action to perform. action may be an arbitrary object. The authorization check is done on the string representation of the object (#toString()). This allows to group actions as enums and use them without converting them to a string manually. See Permissions.Action.

mediaPackageId - Only required if episodeRoleId is true.

Returns:

whether this action should be allowed

Throws:

IllegalArgumentException - if any of the arguments are null

isAuthorizedAll

public static boolean isAuthorizedAll(AccessControlList acl,
 User user,
 Organization org,
 Object... actions)

Returns true only if all actions are authorized.

See Also:

• isAuthorized(AccessControlList, User, Organization, Object)

isAuthorizedOne

public static boolean isAuthorizedOne(AccessControlList acl,
 User user,
 Organization org,
 Object... actions)

Returns true if at least one action is authorized.

See Also:

• isAuthorized(AccessControlList, User, Organization, Object)

isProhibitedAll

public static boolean isProhibitedAll(AccessControlList acl,
 User user,
 Organization org,
 Object... actions)

Returns true if all actions are prohibited.

See Also:

• isAuthorized(AccessControlList, User, Organization, Object)

isProhibitedOne

public static boolean isProhibitedOne(AccessControlList acl,
 User user,
 Organization org,
 Object... actions)

Returns true if at least one action is prohibited.

See Also:

• isAuthorized(AccessControlList, User, Organization, Object)

extendAcl

public static AccessControlList extendAcl(AccessControlList acl,
 String role,
 String action,
 boolean allow)

Extends an access control list with an access control entry

Parameters:

acl - the access control list to extend

role - the access control entry role

action - the access control entry action

allow - whether this access control entry role is allowed to take this action

Returns:

the extended access control list or the same if already contained

reduceAcl

public static AccessControlList reduceAcl(AccessControlList acl,
 String role,
 String action)

Reduces an access control list by an access control entry

Parameters:

acl - the access control list to reduce

role - the role of the access control entry to remove

action - the action of the access control entry to remove

Returns:

the reduced access control list or the same if already contained

acl

public static AccessControlList acl(Either<AccessControlEntry,List<AccessControlEntry>>... entries)

Constructor function for ACLs.

See Also:

• entry(String, String, boolean)
• entries(String, org.opencastproject.util.data.Tuple[])

entry

public static Either<AccessControlEntry,List<AccessControlEntry>> entry(String role,
 String action,
 boolean allow)

Create a single access control entry.

entries

public static Either<AccessControlEntry,List<AccessControlEntry>> entries(String role,
 Tuple<String,Boolean>... actions)

Create a list of access control entries for a given role.

equals

public static boolean equals(AccessControlList a,
 AccessControlList b)

Define equality on AccessControlLists. Two AccessControlLists are considered equal if they contain the exact same entries no matter in which order.

This has not been implemented in terms of #equals and #hashCode because the list of entries is not immutable and therefore not suitable to be put in a set.

calculateChecksum

public static Checksum calculateChecksum(AccessControlList acl)

Calculate an MD5 checksum for an AccessControlList.